54 lines
2.2 KiB
Diff
54 lines
2.2 KiB
Diff
From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
|
|
From: Sean Parkinson <sean@wolfssl.com>
|
|
Date: Thu, 21 Jan 2021 08:24:38 +1000
|
|
Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
|
|
|
|
---
|
|
src/tls13.c | 18 +++++++++++++-----
|
|
1 file changed, 13 insertions(+), 5 deletions(-)
|
|
|
|
--- a/src/tls13.c
|
|
+++ b/src/tls13.c
|
|
@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
|
|
#ifdef HAVE_ED25519
|
|
if (args->sigAlgo == ed25519_sa_algo &&
|
|
!ssl->peerEd25519KeyPresent) {
|
|
- WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
|
|
+ WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
|
|
+ ret = SIG_VERIFY_E;
|
|
+ goto exit_dcv;
|
|
}
|
|
#endif
|
|
#ifdef HAVE_ED448
|
|
if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
|
|
- WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
|
|
+ WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
|
|
+ ret = SIG_VERIFY_E;
|
|
+ goto exit_dcv;
|
|
}
|
|
#endif
|
|
#ifdef HAVE_ECC
|
|
if (args->sigAlgo == ecc_dsa_sa_algo &&
|
|
!ssl->peerEccDsaKeyPresent) {
|
|
- WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
|
|
+ WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
|
|
+ ret = SIG_VERIFY_E;
|
|
+ goto exit_dcv;
|
|
}
|
|
#endif
|
|
#ifndef NO_RSA
|
|
if (args->sigAlgo == rsa_sa_algo) {
|
|
- WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
|
|
+ WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
|
|
ERROR_OUT(INVALID_PARAMETER, exit_dcv);
|
|
}
|
|
if (args->sigAlgo == rsa_pss_sa_algo &&
|
|
(ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
|
|
- WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
|
|
+ WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
|
|
+ ret = SIG_VERIFY_E;
|
|
+ goto exit_dcv;
|
|
}
|
|
#endif
|
|
|