authorRenĂ© Meusel <[email protected]>2021-10-29 11:44:58 +0530
committerRenĂ© Meusel <[email protected]>2021-10-29 11:44:58 +0530
commitbdd1fc92b9abecdad972921e2424db5b51ccbc5b (patch)
treedeb1cca9f4bbf068d2d4934867c2c1e475f259f5 /src/lib/tls
parent084cabc9760dfe4ea79cc28f5289669fd20b5a57 (diff)
detect unknown ciphers when parsing TLS session
Diffstat (limited to 'src/lib/tls')
-rw-r--r--src/lib/tls/tls_session.cpp10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/lib/tls/tls_session.cpp b/src/lib/tls/tls_session.cpp
index 28ee8e9ab..8eb03712b 100644
--- a/src/lib/tls/tls_session.cpp
+++ b/src/lib/tls/tls_session.cpp
@@ -69,6 +69,7 @@ Session::Session(const uint8_t ber[], size_t ber_len)
size_t srtp_profile = 0;
size_t fragment_size = 0;
size_t compression_method = 0;
+ uint16_t ciphersuite_code = 0;
BER_Decoder(ber, ber_len)
.start_sequence()
@@ -79,7 +80,7 @@ Session::Session(const uint8_t ber[], size_t ber_len)
.decode_integer_type(minor_version)
.decode(m_identifier, ASN1_Type::OctetString)
.decode(m_session_ticket, ASN1_Type::OctetString)
- .decode_integer_type(m_ciphersuite)
+ .decode_integer_type(ciphersuite_code)
.decode_integer_type(compression_method)
.decode_integer_type(side_code)
.decode_integer_type(fragment_size)
@@ -113,6 +114,13 @@ Session::Session(const uint8_t ber[], size_t ber_len)
" no longer supported");
}
+ if(!Ciphersuite::by_id(ciphersuite_code))
+ {
+ throw Decoding_Error("Serialized TLS session contains unknown cipher suite "
+ "(" + std::to_string(ciphersuite_code) + ")");
+ }
+
+ m_ciphersuite = ciphersuite_code;
m_version = Protocol_Version(major_version, minor_version);
m_start_time = std::chrono::system_clock::from_time_t(start_time);
m_connection_side = static_cast<Connection_Side>(side_code);
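Review bot: The new `Ciphersuite::by_id(ciphersuite_code)` guard only establishes that the code is one this build knows; it does not tie the suite to the `major_version`/`minor_version` decoded from the same blob or to the policy in force when the session is resumed. If that is deliberately left to the resumption path, which is not visible in this hunk, a comment above the check would make it explicit, e.g. `// Only rejects codes unknown to this build; version and policy acceptability are checked on resumption`. Two lines further down `side_code` is still cast to `Connection_Side` without a range check, so the same reject-unknown-values treatment looks missing there; the enum's definition is outside the hunk. The constructor body starts and ends outside the hunk.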