fix: alert illegal_extension is added due to rfc, when uncompressed f…

…ormat is not found; alert decode_error is added when the list of ecc extenison is empty fix: message alert description
tlsfuzzer · Nov 5, 2024 · 7814a60 · 7814a60
1 parent 317cca7
commit 7814a60
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/tlslite/keyexchange.py b/tlslite/keyexchange.py
@@ -714,7 +714,8 @@ def makeServerKeyExchange(self, sigHash=None):
         ext_s = self.serverHello.getExtension(ExtensionType.ec_point_formats)
         if ext_c:
             if ext_c.formats == []:
-                raise TLSDecodeError("The compression list is empty.")
+                raise TLSIllegalParameterException("Point formats \
+                                                   extension is empty.")
             elif ECPointFormat.uncompressed not in ext_c.formats:
                 raise TLSIllegalParameterException(
                     "The client does not advertise "
@@ -1109,10 +1110,9 @@ def calc_shared_key(self, private, peer_share,
         :returns: shared key
 
         :raises TLSIllegalParameterException
-            when the paramentrs for point are invalid
+            when the paramentrs for point are invalid;
+            when the the valid_point_formats is empty.
 
-        :raises TLSDecodeError
-            when the the valid_point_formats is empty
         """
         if self.group in self._x_groups:
             fun, _, size = self._get_fun_gen_size()
@@ -1135,7 +1135,7 @@ def calc_shared_key(self, private, peer_share,
         except AssertionError:
             raise TLSIllegalParameterException("Invalid ECC point")
         except DecodeError:
-            raise TLSDecodeError("Empty point format extension")
+            raise TLSIllegalParameterException("Empty point format extension")
         if isinstance(private, ecdsa.keys.SigningKey):
             ecdh = ecdsa.ecdh.ECDH(curve=curve, private_key=private)
             ecdh.load_received_public_key_bytes(peer_share,

diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
@@ -4409,6 +4409,12 @@ def _serverCertKeyExchange(self, clientHello, serverHello, sigHashAlg,
                     AlertDescription.insufficient_security,
                     str(alert)):
                 yield result
+        except TLSIllegalParameterException as alert:
+            alert = Alert().create(AlertDescription.illegal_parameter,
+                                           AlertLevel.fatal)
+            for result in self._sendError(alert):
+                yield result
+            raise
         if serverKeyExchange is not None:
             msgs.append(serverKeyExchange)
         if reqCert: