From: Pascal Knecht Date: Fri, 16 Oct 2020 07:28:49 +0000 (+0200) Subject: tls-server: Check if peer sent hash and signature algorithms X-Git-Tag: 5.9.2rc1~23^2~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7313962808c0cf8c2a21386d7e5fe2c7f4bbe7e;p=thirdparty%2Fstrongswan.git tls-server: Check if peer sent hash and signature algorithms It is mandatory to receive the `signature_algorithms` extension when a server is authenticating with a certificate, which is always the case.
---
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 07a1ca3268..4957cba898 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -412,6 +412,14 @@ static status_t process_client_hello(private_tls_server_t *this,
} extensions->destroy(extensions); + if (this->tls->get_version_max(this->tls) >= TLS_1_3 && !this->hashsig.len) + { + DBG1(DBG_TLS, "no %N extension received", tls_extension_names, + TLS_MISSING_EXTENSION); + this->alert->add(this->alert, TLS_FATAL, TLS_MISSING_EXTENSION); + return NEED_MORE; + } + memcpy(this->client_random, random.ptr, sizeof(this->client_random)); htoun32(&this->server_random, time(NULL));
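Review bot: The new `DBG1` call formats `TLS_MISSING_EXTENSION` through `tls_extension_names`, but the following line passes that same constant to `this->alert->add` as an alert description, so the log will not name the extension that was actually missing; assuming the extension enum follows the naming used elsewhere in libtls, the argument should be the extension value, `tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);`. An accurate name matters to whoever triages rejected handshakes from the server log. Separately, the guard tests `get_version_max()`, the highest version the server allows, rather than the version negotiated for this connection, so a TLS 1.2 ClientHello without `signature_algorithms` (optional in 1.2) would presumably also be refused whenever 1.3 is enabled; the negotiation code is not visible here, so confirm that this is intended. `process_client_hello` starts and ends outside the hunk.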