wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Properly check for signature_algorithms from the client in a TLS 1.3 server.

Browse Source 
The server was checking ssl->extensions which will always have an entry for TLSX_SIGNATURE_ALGORITHMS
as it is unconditionally added by TLSX_PopulateExtensions earlier in the DoTls13ClientHello function.
Instead, check args->clSuites->hashSigAlgoSz which is only set if signature_algorithms is found and parsed by TLSX_Parse.
This commit is contained in:
Kareem
2025-01-13 16:22:28 -07:00
parent e037e0875d
commit 9f5c89ab4b
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/tls13.c
View File

@ -7053,7 +7053,9 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_MSG("Client did not send a KeyShare extension"); WOLFSSL_MSG("Client did not send a KeyShare extension");
ERROR_OUT(INCOMPLETE_DATA, exit_dch); ERROR_OUT(INCOMPLETE_DATA, exit_dch);
} }
if (TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS) == NULL) { /* Can't check ssl->extensions here as SigAlgs are unconditionally
set by TLSX_PopulateExtensions */
if (args->clSuites->hashSigAlgoSz == 0) {
WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension"); WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension");
ERROR_OUT(INCOMPLETE_DATA, exit_dch); ERROR_OUT(INCOMPLETE_DATA, exit_dch);
} }