From 898be38517286c5df4dd827bbad278246282e768 Mon Sep 17 00:00:00 2001
From: Michiel Visser <opensource@webmichiel.nl>
Date: Fri, 18 Feb 2022 10:58:56 +0100
Subject: LibTLS: Add signature verification for DHE and ECDHE key exchange

This will verify that the signature of the ephemeral key used in the
DHE and ECDHE key exchanges is actually generated by the server.

This verification is done using the first certificate provided by the
server, however the validity of this certificate is not checked here.
Instead this code expects the validity to be checked earlier by
`TLSv12::handle_certificate`.
---
 Userland/Libraries/LibTLS/Handshake.cpp | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'Userland/Libraries/LibTLS/Handshake.cpp')

diff --git a/Userland/Libraries/LibTLS/Handshake.cpp b/Userland/Libraries/LibTLS/Handshake.cpp
index 51fab9ddee..6a7c160546 100644
--- a/Userland/Libraries/LibTLS/Handshake.cpp
+++ b/Userland/Libraries/LibTLS/Handshake.cpp
@@ -489,6 +489,11 @@ ssize_t TLSv12::handle_handshake_payload(ReadonlyBytes vbuffer)
                 write_packet(packet);
                 break;
             }
+            case Error::NotSafe: {
+                auto packet = build_alert(true, (u8)AlertDescription::DecryptError);
+                write_packet(packet);
+                break;
+            }
             case Error::NeedMoreData:
                 // Ignore this, as it's not an "error"
                 dbgln_if(TLS_DEBUG, "More data needed");
-- 
cgit v1.2.3