diff --git a/src/tls.c b/src/tls.c index 541871d6d..721c45b4f 100644 --- a/src/tls.c +++ b/src/tls.c @@ -6007,7 +6007,7 @@ int TLSX_Cookie_Use(WOLFSSL* ssl, byte* data, word16 len, byte* mac, #define CKE_PARSE(a, b, c, d) 0 #endif - +#if !defined(WOLFSSL_NO_SIGALG) /******************************************************************************/ /* Signature Algorithms */ /******************************************************************************/ @@ -6017,6 +6017,7 @@ int TLSX_Cookie_Use(WOLFSSL* ssl, byte* data, word16 len, byte* mac, * data Unused * returns the length of data that will be in the extension. */ + static word16 TLSX_SignatureAlgorithms_GetSize(void* data) { WOLFSSL* ssl = (WOLFSSL*)data; @@ -6127,7 +6128,7 @@ static int TLSX_SetSignatureAlgorithms(TLSX** extensions, const void* data, #define SA_GET_SIZE TLSX_SignatureAlgorithms_GetSize #define SA_WRITE TLSX_SignatureAlgorithms_Write #define SA_PARSE TLSX_SignatureAlgorithms_Parse - +#endif /******************************************************************************/ /* Signature Algorithms Certificate */ /******************************************************************************/ @@ -8621,10 +8622,10 @@ void TLSX_FreeAll(TLSX* list, void* heap) case TLSX_APPLICATION_LAYER_PROTOCOL: ALPN_FREE_ALL((ALPN*)extension->data, heap); break; - +#if !defined(WOLFSSL_NO_SIGALG) case TLSX_SIGNATURE_ALGORITHMS: break; - +#endif #ifdef WOLFSSL_TLS13 case TLSX_SUPPORTED_VERSIONS: break; @@ -8756,11 +8757,11 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType, word16* pLeng case TLSX_APPLICATION_LAYER_PROTOCOL: length += ALPN_GET_SIZE((ALPN*)extension->data); break; - +#if !defined(WOLFSSL_NO_SIGALG) case TLSX_SIGNATURE_ALGORITHMS: length += SA_GET_SIZE(extension->data); break; - +#endif #ifdef WOLFSSL_TLS13 case TLSX_SUPPORTED_VERSIONS: ret = SV_GET_SIZE(extension->data, msgType, &length); @@ -8917,12 +8918,12 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore, WOLFSSL_MSG("ALPN extension to write"); offset += ALPN_WRITE((ALPN*)extension->data, output + offset); break; - +#if !defined(WOLFSSL_NO_SIGALG) case TLSX_SIGNATURE_ALGORITHMS: WOLFSSL_MSG("Signature Algorithms extension to write"); offset += SA_WRITE(extension->data, output + offset); break; - +#endif #ifdef WOLFSSL_TLS13 case TLSX_SUPPORTED_VERSIONS: WOLFSSL_MSG("Supported Versions extension to write"); @@ -9481,12 +9482,15 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) #endif /* (HAVE_ECC || HAVE_CURVE25519) && HAVE_SUPPORTED_CURVES */ } /* is not server */ +#if !defined(WOLFSSL_NO_SIGALG) WOLFSSL_MSG("Adding signature algorithms extension"); if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, ssl->heap)) != 0) { return ret; } - +#else + ret = 0; +#endif #ifdef WOLFSSL_TLS13 if (!isServer && IsAtLeastTLSv1_3(ssl->version)) { /* Add mandatory TLS v1.3 extension: supported version */ @@ -9668,8 +9672,10 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) PF_VALIDATE_REQUEST(ssl, semaphore); QSH_VALIDATE_REQUEST(ssl, semaphore); WOLF_STK_VALIDATE_REQUEST(ssl); +#if !defined(WOLFSSL_NO_SIGALG) if (ssl->suites->hashSigAlgoSz == 0) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); +#endif #if defined(WOLFSSL_TLS13) if (!IsAtLeastTLSv1_2(ssl)) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); @@ -9709,11 +9715,14 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) } #endif } + #ifdef WOLFSSL_TLS13 #ifndef NO_CERTS else if (msgType == certificate_request) { XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); +#if !defined(WOLFSSL_NO_SIGALG) TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); +#endif /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, * TLSX_CERTIFICATE_AUTHORITIES, OID_FILTERS * TLSX_STATUS_REQUEST @@ -9721,7 +9730,6 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) } #endif #endif - if (ssl->extensions) ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length); if (ssl->ctx && ssl->ctx->extensions) @@ -9759,8 +9767,10 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) PF_VALIDATE_REQUEST(ssl, semaphore); WOLF_STK_VALIDATE_REQUEST(ssl); QSH_VALIDATE_REQUEST(ssl, semaphore); +#if !defined(WOLFSSL_NO_SIGALG) if (ssl->suites->hashSigAlgoSz == 0) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); +#endif #ifdef WOLFSSL_TLS13 if (!IsAtLeastTLSv1_2(ssl)) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); @@ -9810,7 +9820,9 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) #ifndef NO_CERTS else if (msgType == certificate_request) { XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); +#if !defined(WOLFSSL_NO_SIGALG) TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); +#endif /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, * TLSX_CERTIFICATE_AUTHORITIES, TLSX_OID_FILTERS * TLSX_STATUS_REQUEST @@ -9818,7 +9830,6 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) } #endif #endif - if (ssl->extensions) { ret = TLSX_Write(ssl->extensions, output + offset, semaphore, msgType, &offset); @@ -10351,13 +10362,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, #endif ret = ALPN_PARSE(ssl, input + offset, size, isRequest); break; - +#if !defined(WOLFSSL_NO_SIGALG) case TLSX_SIGNATURE_ALGORITHMS: WOLFSSL_MSG("Signature Algorithms extension received"); if (!IsAtLeastTLSv1_2(ssl)) break; - #ifdef WOLFSSL_TLS13 if (IsAtLeastTLSv1_3(ssl->version) && msgType != client_hello && @@ -10367,7 +10377,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, #endif ret = SA_PARSE(ssl, input + offset, size, isRequest, suites); break; - +#endif #ifdef WOLFSSL_TLS13 case TLSX_SUPPORTED_VERSIONS: WOLFSSL_MSG("Skipping Supported Versions - already processed"); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index f5bb60dd3..ea9c68b3c 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2045,7 +2045,9 @@ typedef enum { TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stapling */ TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */ TLSX_EC_POINT_FORMATS = 0x000b, +#if !defined(WOLFSSL_NO_SIGALG) TLSX_SIGNATURE_ALGORITHMS = 0x000d, +#endif TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stapling v2 */ TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index fb9d0a5db..71f811d21 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1989,6 +1989,9 @@ extern void uITRON4_free(void *p) ; #define WOLF_CRYPTO_CB #endif +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_NO_SIGALG) + #error TLS 1.3 requires the Signature Algorithms extension to be enabled +#endif #ifdef __cplusplus } /* extern "C" */