feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Disable TLS v1.3 if none of these are available "ECC, CURVE25519, CURVE448 or DH".

Browse Source
This commit is contained in:
David Garske
2020-06-02 14:41:19 -07:00
parent 93be04f380
commit 66fdc2c536
3 changed files with 24 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
configure.ac
View File

@@ -326,7 +326,7 @@ AC_ARG_ENABLE([tls13-draft18],
# TLS v1.3 # TLS v1.3
AC_ARG_ENABLE([tls13], AC_ARG_ENABLE([tls13],
[AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: disabled)])], [AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: enabled)])],
[ ENABLED_TLS13=$enableval ], [ ENABLED_TLS13=$enableval ],
[ ENABLED_TLS13=yes ] [ ENABLED_TLS13=yes ]
) )
@@ -334,11 +334,6 @@ if test "x$FIPS_VERSION" = "xv1"
then then
ENABLED_TLS13="no" ENABLED_TLS13="no"
fi fi
if test "$ENABLED_TLS13" = "yes" || test "$ENABLED_TLS13_DRAFT18" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
fi
# Post-handshake Authentication # Post-handshake Authentication
AC_ARG_ENABLE([postauth], AC_ARG_ENABLE([postauth],
@@ -3142,6 +3137,19 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_REQUIRE_FFDHE" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_REQUIRE_FFDHE"
fi fi
# TLS 1.3 Requires either ECC, CURVE25519, CURVE448 or DH
if test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno" && test "x$ENABLED_CURVE448" = "xno" && test "x$ENABLED_DH" = "xno"
then
# disable TLS 1.3
ENABLED_TLS13=no
ENABLED_TLS13_DRAFT18=no
fi
if test "$ENABLED_TLS13" = "yes" || test "$ENABLED_TLS13_DRAFT18" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
fi
# Session Ticket Extension # Session Ticket Extension
AC_ARG_ENABLE([session-ticket], AC_ARG_ENABLE([session-ticket],
[AS_HELP_STRING([--enable-session-ticket],[Enable Session Ticket (default: disabled)])], [AS_HELP_STRING([--enable-session-ticket],[Enable Session Ticket (default: disabled)])],

16
src/tls.c
View File

@@ -3744,7 +3744,7 @@ int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
&& !defined(HAVE_FFDHE) && !defined(HAVE_FFDHE)
#error Elliptic Curves Extension requires Elliptic Curve Cryptography. \ #error Elliptic Curves Extension requires Elliptic Curve Cryptography. \
Use --enable-ecc in the configure script or define HAVE_ECC. \ Use --enable-ecc in the configure script or define HAVE_ECC. \
Alternatively use FFDHE for DH ciperhsuites. Alternatively use FFDHE for DH ciphersuites.
#endif #endif
static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name, static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name,
@@ -3901,7 +3901,7 @@ static void TLSX_PointFormat_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS)); TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
} }
#endif #endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
@@ -3933,7 +3933,8 @@ static void TLSX_PointFormat_ValidateResponse(WOLFSSL* ssl, byte* semaphore)
#endif #endif
} }
#endif #endif /* !NO_WOLFSSL_SERVER */
#ifndef NO_WOLFSSL_CLIENT #ifndef NO_WOLFSSL_CLIENT
static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list) static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list)
@@ -4117,7 +4118,7 @@ int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl)
return 0; return 0;
} }
#endif #endif /* WOLFSSL_TLS13 && !WOLFSSL_NO_SERVER_GROUPS_EXT */
#if defined(HAVE_FFDHE) && !defined(WOLFSSL_NO_TLS12) #if defined(HAVE_FFDHE) && !defined(WOLFSSL_NO_TLS12)
/* Set the highest priority common FFDHE group on the server as compared to /* Set the highest priority common FFDHE group on the server as compared to
@@ -4267,7 +4268,7 @@ int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl, int checkSupported)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
#endif #endif /* HAVE_SUPPORTED_CURVES */
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
@@ -9756,8 +9757,6 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
{ {
int ret = WOLFSSL_SUCCESS; int ret = WOLFSSL_SUCCESS;
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
int i;
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (ssl->options.resuming && ssl->session.namedGroup != 0) { if (ssl->options.resuming && ssl->session.namedGroup != 0) {
return TLSX_UseSupportedCurve(extensions, ssl->session.namedGroup, return TLSX_UseSupportedCurve(extensions, ssl->session.namedGroup,
@@ -9765,7 +9764,9 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
} }
#endif #endif
#ifdef HAVE_SUPPORTED_CURVES
if (ssl->numGroups != 0) { if (ssl->numGroups != 0) {
int i;
for (i = 0; i < ssl->numGroups; i++) { for (i = 0; i < ssl->numGroups; i++) {
ret = TLSX_UseSupportedCurve(extensions, ssl->group[i], ssl->heap); ret = TLSX_UseSupportedCurve(extensions, ssl->group[i], ssl->heap);
if (ret != WOLFSSL_SUCCESS) if (ret != WOLFSSL_SUCCESS)
@@ -9773,6 +9774,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
} }
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
#endif /* HAVE_SUPPORTED_CURVES */
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)

2
src/tls13.c
View File

@@ -4198,7 +4198,7 @@ static int SendTls13EncryptedExtensions(WOLFSSL* ssl)
ssl->keys.encryptionOn = 1; ssl->keys.encryptionOn = 1;
#ifndef WOLFSSL_NO_SERVER_GROUPS_EXT #if defined(HAVE_SUPPORTED_CURVES) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0) if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0)
return ret; return ret;
#endif #endif