sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-11-28 00:00:40 -05:00
Code Issues Projects Releases Wiki Activity

tls-crypto: Fix invalid signature algorithm list building

Browse Source 
List building also added an additional length field which is required by
client-side TLS extensions but not for server-side certificate request
extension. Now the method only returns a list of supported signature
algorithms and the implementation is responsible to add additional
length fields.

Fixes: 07f826af673d ("Fixed encoding of TLS extensions (elliptic_curves and signature_algorithms)")
This commit is contained in:
Pascal Knecht 2020-09-16 08:54:54 +02:00 committed by Tobias Brunner
parent f81c04e9e3
commit 6549adb608
2 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/libtls/tls_crypto.c
View File

@ -1474,7 +1474,6 @@ METHOD(tls_crypto_t, get_signature_algorithms, void,
} }
} }
supported->wrap16(supported);
writer->write_data16(writer, supported->get_buf(supported)); writer->write_data16(writer, supported->get_buf(supported));
supported->destroy(supported); supported->destroy(supported);
} }

16
src/libtls/tls_peer.c
View File

@ -49,7 +49,6 @@ typedef enum {
STATE_FINISHED_SENT_KEY_SWITCHED, STATE_FINISHED_SENT_KEY_SWITCHED,
STATE_KEY_UPDATE_REQUESTED, STATE_KEY_UPDATE_REQUESTED,
STATE_KEY_UPDATE_SENT, STATE_KEY_UPDATE_SENT,
} peer_state_t; } peer_state_t;
/** /**
@ -532,6 +531,7 @@ static status_t process_certificate(private_tls_peer_t *this,
return NEED_MORE; return NEED_MORE;
} }
} }
if (!reader->read_data24(reader, &data)) if (!reader->read_data24(reader, &data))
{ {
DBG1(DBG_TLS, "certificate message header invalid"); DBG1(DBG_TLS, "certificate message header invalid");
@ -1195,7 +1195,7 @@ static status_t send_client_hello(private_tls_peer_t *this,
bio_writer_t *writer) bio_writer_t *writer)
{ {
tls_cipher_suite_t *suites; tls_cipher_suite_t *suites;
bio_writer_t *extensions, *curves = NULL, *versions, *key_share; bio_writer_t *extensions, *curves = NULL, *versions, *key_share, *signatures;
tls_version_t version_max, version_min; tls_version_t version_max, version_min;
diffie_hellman_group_t group; diffie_hellman_group_t group;
tls_named_group_t curve, selected_curve = 0; tls_named_group_t curve, selected_curve = 0;
@ -1339,11 +1339,18 @@ static status_t send_client_hello(private_tls_peer_t *this,
DBG2(DBG_TLS, "sending extension: %N", DBG2(DBG_TLS, "sending extension: %N",
tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS); tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS); extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
this->crypto->get_signature_algorithms(this->crypto, extensions, FALSE); signatures = bio_writer_create(32);
this->crypto->get_signature_algorithms(this->crypto, signatures, FALSE);
extensions->write_data16(extensions, signatures->get_buf(signatures));
signatures->destroy(signatures);
DBG2(DBG_TLS, "sending extension: %N", DBG2(DBG_TLS, "sending extension: %N",
tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS_CERT); tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS_CERT);
extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS_CERT); extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS_CERT);
this->crypto->get_signature_algorithms(this->crypto, extensions, TRUE); signatures = bio_writer_create(32);
this->crypto->get_signature_algorithms(this->crypto, signatures, TRUE);
extensions->write_data16(extensions, signatures->get_buf(signatures));
signatures->destroy(signatures);
if (this->dh) if (this->dh)
{ {
@ -1802,7 +1809,6 @@ METHOD(tls_handshake_t, cipherspec_changed, bool,
return FALSE; return FALSE;
} }
} }
} }
METHOD(tls_handshake_t, change_cipherspec, void, METHOD(tls_handshake_t, change_cipherspec, void,