author | Jack Lloyd <[email protected]> | 2018-04-08 20:34:59 -0400 |
committer | Jack Lloyd <[email protected]> | 2018-04-08 20:34:59 -0400 |
commit | 9fd92ffb4e3edd3e52b10409f90f87e0dd023d05 (patch) | |
tree | 08e3f4a2bc1401d541ae64dc619dfb1fc5038411 /src/lib | |
parent | e2202e1ee495053827266a00fe5870a1987ae141 (diff) |
Fix interop bug in TLS server
The connection would fail if the client advertised any signature
algorithm we did not support (e.g. RSA/SHA-224)
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/tls/tls_algos.cpp | 29 | ||||
-rw-r--r-- | src/lib/tls/tls_algos.h | 1 | ||||
-rw-r--r-- | src/lib/tls/tls_server.cpp | 3 |
3 files changed, 33 insertions, 0 deletions
diff --git a/src/lib/tls/tls_algos.cpp b/src/lib/tls/tls_algos.cpp
index db75bf14e..9c3c2d9f8 100644
--- a/src/lib/tls/tls_algos.cpp
+++ b/src/lib/tls/tls_algos.cpp
@@ -259,6 +259,35 @@ const std::vector<Signature_Scheme>& all_signature_schemes()
 return all_schemes;
 }
 
+bool signature_scheme_is_known(Signature_Scheme scheme)
+ {
+ switch(scheme)
+ {
+ case Signature_Scheme::RSA_PKCS1_SHA1:
+ case Signature_Scheme::RSA_PKCS1_SHA256:
+ case Signature_Scheme::RSA_PKCS1_SHA384:
+ case Signature_Scheme::RSA_PKCS1_SHA512:
+ case Signature_Scheme::RSA_PSS_SHA256:
+ case Signature_Scheme::RSA_PSS_SHA384:
+ case Signature_Scheme::RSA_PSS_SHA512:
+
+ case Signature_Scheme::DSA_SHA1:
+ case Signature_Scheme::DSA_SHA256:
+ case Signature_Scheme::DSA_SHA384:
+ case Signature_Scheme::DSA_SHA512:
+
+ case Signature_Scheme::ECDSA_SHA1:
+ case Signature_Scheme::ECDSA_SHA256:
+ case Signature_Scheme::ECDSA_SHA384:
+ case Signature_Scheme::ECDSA_SHA512:
+ return true;
+
+ default:
+ return false;
+ }
+
+ }
+
 std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
 {
 switch(scheme)
diff --git a/src/lib/tls/tls_algos.h b/src/lib/tls/tls_algos.h
index e0b2dabc2..19612be2e 100644
--- a/src/lib/tls/tls_algos.h
+++ b/src/lib/tls/tls_algos.h
@@ -109,6 +109,7 @@ enum class Signature_Scheme : uint16_t {
 
 BOTAN_UNSTABLE_API const std::vector<Signature_Scheme>& all_signature_schemes();
+bool signature_scheme_is_known(Signature_Scheme scheme);
 
 std::string BOTAN_UNSTABLE_API sig_scheme_to_string(Signature_Scheme scheme);
 std::string hash_function_of_scheme(Signature_Scheme scheme);
 std::string padding_string_for_scheme(Signature_Scheme scheme);
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index b4e74c775..786932a1d 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
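Review bot: The case list in `signature_scheme_is_known` is a second hand-maintained enumeration of supported schemes next to `all_signature_schemes()` directly above it, and nothing ties the two together, so a scheme added to one and not the other would either be advertised but rejected or accepted but never offered. If `all_signature_schemes()` enumerates exactly the negotiable schemes (its body is not visible here), the new function could be a lookup in that vector; failing that it should at least carry `// Keep in sync with all_signature_schemes() above`. It also needs a header comment stating its contract, since `Signature_Scheme` is a `uint16_t` enum and the value tested can be any codepoint a peer put on the wire: `// True only for schemes this implementation can negotiate; any other value, including codepoints with no enumerator, yields false.` The blank line before the closing brace looks unintentional.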
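Review bot: The new declaration of `signature_scheme_is_known` says nothing about what "known" means or when callers must use it, yet it appears to be the only filter between peer-supplied scheme values and the string lookups declared beneath it. A one-line comment would fix the intended call order: `/// True iff scheme is one this implementation can negotiate; pass peer-supplied values through this before the lookups below.` Whether those lookups throw or return a sentinel on an unknown scheme is not visible in this hunk; the commit message's "connection would fail" suggests the former.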
@@ -225,6 +225,9 @@ uint16_t choose_ciphersuite(
 
 for(Signature_Scheme scheme : client_sig_methods)
 {
+ if(signature_scheme_is_known(scheme) == false)
+ continue;
+
 if(signature_algorithm_of_scheme(scheme) == suite.sig_algo() &&
 policy.allowed_signature_hash(hash_function_of_scheme(scheme)))
 { |
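Review bot: `if(signature_scheme_is_known(scheme) == false)` compares a bool against `false`; the idiomatic form is `if(!signature_scheme_is_known(scheme))`, and a short why-comment would help the next reader: `// Skip codepoints we have no enumerator for instead of failing the handshake`. More substantively, the guard is added only to this ciphersuite-selection loop; if any other server path iterates the client's advertised schemes (for instance when choosing the scheme to sign with), it presumably needs the same filter, and that is not visible in this commit. The enclosing `choose_ciphersuite` and the body of this `for` loop both continue outside the hunk.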