tls-server: Fix invalid signature algorithm and supported groups parsing
authorPascal Knecht <pascal.knecht@hsr.ch>
Fri, 9 Oct 2020 17:14:11 +0000 (19:14 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
The extension's content length field was wrongly added to the content data.

Fixes: 06109c4717 ("Implemented "signature algorithm" hello extension")

src/libtls/tls_server.c

index 3d114d5..07a1ca3 100644 (file)
@@ -357,10 +357,28 @@ static status_t process_client_hello(private_tls_server_t *this,
                switch (extension_type)
                {
                        case TLS_EXT_SIGNATURE_ALGORITHMS:
+                               if (!extension->read_data16(extension, &extension_data))
+                               {
+                                       DBG1(DBG_TLS, "invalid %N extension",
+                                                tls_extension_names, extension_type);
+                                       this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+                                       extensions->destroy(extensions);
+                                       extension->destroy(extension);
+                                       return NEED_MORE;
+                               }
                                chunk_free(&this->hashsig);
                                this->hashsig = chunk_clone(extension_data);
                                break;
                        case TLS_EXT_SUPPORTED_GROUPS:
+                               if (!extension->read_data16(extension, &extension_data))
+                               {
+                                       DBG1(DBG_TLS, "invalid %N extension",
+                                                tls_extension_names, extension_type);
+                                       this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+                                       extensions->destroy(extensions);
+                                       extension->destroy(extension);
+                                       return NEED_MORE;
+                               }
                                chunk_free(&this->curves);
                                this->curves_received = TRUE;
                                this->curves = chunk_clone(extension_data);
@@ -370,8 +388,7 @@ static status_t process_client_hello(private_tls_server_t *this,
                                {
                                        DBG1(DBG_TLS, "invalid %N extension",
                                                 tls_extension_names, extension_type);
-                                       this->alert->add(this->alert, TLS_FATAL,
-                                                                        TLS_DECODE_ERROR);
+                                       this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
                                        extensions->destroy(extensions);
                                        extension->destroy(extension);
                                        return NEED_MORE;