LibTLS: Add signature verification for DHE and ECDHE key exchange

This will verify that the signature of the ephemeral key used in the DHE and ECDHE key exchanges is actually generated by the server. This verification is done using the first certificate provided by the server, however the validity of this certificate is not checked here. Instead this code expects the validity to be checked earlier by `TLSv12::handle_certificate`.
Author: https://github.com/msvisser Commit: 898be38517 Pull-request: https://github.com/SerenityOS/serenity/pull/12629 Reviewed-by: https://github.com/alimpfard
2025-09-25 18:58:56 +00:00 · 2022-02-18 10:58:56 +01:00 · 2022-02-18 10:58:56 +01:00 · 898be38517 · 2024-07-17 18:22:16 +09:00
commit 898be38517
parent be138474c5
5 changed files with 108 additions and 9 deletions
--- a/Userland/Libraries/LibTLS/Handshake.cpp
+++ b/Userland/Libraries/LibTLS/Handshake.cpp
@ -489,6 +489,11 @@ ssize_t TLSv12::handle_handshake_payload(ReadonlyBytes vbuffer)
                write_packet(packet);
                break;
            }
+            case Error::NotSafe: {
+                auto packet = build_alert(true, (u8)AlertDescription::DecryptError);
+                write_packet(packet);
+                break;
+            }
            case Error::NeedMoreData:
                // Ignore this, as it's not an "error"
                dbgln_if(TLS_DEBUG, "More data needed");