Merge pull request #9113 from SparkiDev/tls13_certvfy_sigalg_check

TLS 1.3: CertificateVerify - check sig alg was sent
David Garske
2025-08-20 06:44:03 -07:00
committed by GitHub


@@ -10118,12 +10118,26 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
case TLS_ASYNC_BUILD:
{
int validSigAlgo;
const Suites* suites = WOLFSSL_SUITES(ssl);
word16 i;
/* Signature algorithm. */
if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
ERROR_OUT(BUFFER_ERROR, exit_dcv);
}
validSigAlgo = 0;
for (i = 0; i < suites->hashSigAlgoSz; i += 2) {
if ((suites->hashSigAlgo[i + 0] == input[args->idx + 0]) &&
(suites->hashSigAlgo[i + 1] == input[args->idx + 1])) {
validSigAlgo = 1;
break;
}
}
if (!validSigAlgo) {
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
if (ssl->peerSigSpec == NULL) {
/* The peer did not respond. We didn't send CKS or they don't