s2n-tls icon indicating copy to clipboard operation
s2n-tls copied to clipboard

Published 20 hours ago verified publisher icon aws

Avoid storing signature schemes in a separate buffer

Open goatgoose opened this issue 9 months ago • 1 comments

Problem:

Currently the peer's signature schemes are read into the iana_list buffer. This limits the number of possible signature schemes the peer is allowed to send, since the buffer has a fixed size. If too many signature schemes are received, the connection fails.

Solution:

Rather than copy the signature schemes into a separate buffer, the signature schemes should instead be read straight from the client hello/certificate request.

goatgoose avatar May 06 '24 17:05 goatgoose

In case it helps: I started on but I guess never finished this last year https://github.com/aws/s2n-tls/commit/e088cb7079a39825f3aeddfab90cd014a0a44340 I'm not sure why I thought skipping extensions was necessary there though, we should just be able to have a separate "process" method we call after receiving the extension, like we do to calculate the PSK binders.

lrstewart avatar May 06 '24 19:05 lrstewart