-rw-r--r-- | src/libtls/tls_peer.c | 8 | ||||
-rw-r--r-- | src/libtls/tls_server.c | 38 |
2 files changed, 45 insertions, 1 deletions
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c index 3ee77d501..eb32651a8 100644 --- a/src/libtls/tls_peer.c +++ b/src/libtls/tls_peer.c @@ -445,6 +445,7 @@ static status_t send_client_hello(private_tls_peer_t *this, tls_handshake_type_t *type, tls_writer_t *writer) { tls_cipher_suite_t *suites; + tls_writer_t *extensions; tls_version_t version; int count, i; rng_t *rng; @@ -480,6 +481,13 @@ static status_t send_client_hello(private_tls_peer_t *this, writer->write_uint8(writer, 1); writer->write_uint8(writer, 0); + /* signature algorithms extension */ + extensions = tls_writer_create(32); + extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS); + this->crypto->get_signature_algorithms(this->crypto, extensions); + writer->write_data16(writer, extensions->get_buf(extensions)); + extensions->destroy(extensions); + *type = TLS_CLIENT_HELLO; this->state = STATE_HELLO_SENT; this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer)); diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c index 9b38c7f7d..ab0d80630 100644 --- a/src/libtls/tls_server.c +++ b/src/libtls/tls_server.c @@ -113,6 +113,11 @@ struct private_tls_server_t { * Offered TLS version of the client */ tls_version_t client_version; + + /** + * Hash and signature algorithms supported by peer + */ + chunk_t hashsig; }; /** @@ -121,8 +126,9 @@ struct private_tls_server_t { static status_t process_client_hello(private_tls_server_t *this, tls_reader_t *reader) { - u_int16_t version; + u_int16_t version, extension; chunk_t random, session, ciphers, compression, ext = chunk_empty; + tls_reader_t *extensions; tls_cipher_suite_t *suites; int count, i; 
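Review bot: The signature algorithms extension added to send_client_hello in src/libtls/tls_peer.c (hunk at -480) is written unconditionally, whatever protocol version this ClientHello offers. RFC 5246 defines the extension for TLS 1.2 and says clients must not offer it when offering earlier versions. If this peer can be configured below 1.2, the block should be gated, e.g. `if (version >= TLS_1_2)` around the six added statements. The `version` local is declared in this function but assigned outside the hunk, so confirm it holds the offered version. It would also help to add a comment stating that `get_signature_algorithms()` is expected to write the 16-bit extension_data length itself, since only the type is written here before the outer `write_data16` wraps the whole list.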
@@ -141,6 +147,35 @@ static status_t process_client_hello(private_tls_server_t *this, return NEED_MORE; } + if (ext.len) + { + extensions = tls_reader_create(ext); + while (extensions->remaining(extensions)) + { + if (!extensions->read_uint16(extensions, &extension)) + { + DBG1(DBG_TLS, "received invalid ClientHello Extensions"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); + extensions->destroy(extensions); + return NEED_MORE; + } + DBG1(DBG_TLS, "recieved TLS %N extension", + tls_extension_names, extension); + switch (extension) + { + case TLS_EXT_SIGNATURE_ALGORITHMS: + if (extensions->read_data16(extensions, &ext)) + { + this->hashsig = chunk_clone(ext); + } + break; + default: + break; + } + } + extensions->destroy(extensions); + } + memcpy(this->client_random, random.ptr, sizeof(this->client_random)); if (!this->tls->set_version(this->tls, version)) @@ -677,6 +712,7 @@ METHOD(tls_handshake_t, destroy, void, DESTROY_IF(this->private); this->peer_auth->destroy(this->peer_auth); this->server_auth->destroy(this->server_auth); + free(this->hashsig.ptr); free(this); } |
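Review bot: In process_client_hello (src/libtls/tls_server.c, hunk at -141), the extension loop reads the 16-bit type but consumes the body only in the `TLS_EXT_SIGNATURE_ALGORITHMS` case. After any other extension the `default` branch leaves its length and data in the reader, and the next iteration parses those peer-supplied bytes as an extension type. Read the body with `read_data16` for every extension before the `switch`, and treat a failed read as the same decode error instead of silently continuing. A second signature algorithms extension in one ClientHello also overwrites `this->hashsig` without releasing the earlier `chunk_clone`, so free the old buffer first or reject the duplicate. The fence shows the loop body with both changes; the function itself starts and ends outside the hunk.

```c
		/* … unchanged: tls_reader_create(ext), while (extensions->remaining(extensions)) … */
			if (!extensions->read_uint16(extensions, &extension) ||
				!extensions->read_data16(extensions, &ext))
			{
				/* … unchanged: DBG1, TLS_DECODE_ERROR alert, destroy, return NEED_MORE … */
			}
			/* … unchanged: DBG1 of the extension type … */
			switch (extension)
			{
				case TLS_EXT_SIGNATURE_ALGORITHMS:
					/* a repeated extension must not leak the earlier copy */
					free(this->hashsig.ptr);
					this->hashsig = chunk_clone(ext);
					break;
				default:
					/* body already consumed above, nothing to do */
					break;
			}
```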