From 6c0989ba4d538a61c56519ac422860f7575641cc Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Mon, 25 Feb 2019 16:44:12 +0900 Subject: [PATCH 1/3] no_signature_algo --- src/tls.c | 37 +++++++++++++++++++++++-------------- wolfssl/internal.h | 2 ++ 2 files changed, 25 insertions(+), 14 deletions(-) diff --git a/src/tls.c b/src/tls.c index b0d44d23a..7cfbe1e92 100644 --- a/src/tls.c +++ b/src/tls.c @@ -6005,7 +6005,7 @@ int TLSX_Cookie_Use(WOLFSSL* ssl, byte* data, word16 len, byte* mac, #define CKE_PARSE(a, b, c, d) 0 #endif - +#if !defined(WOLFSSL_NO_SIGALG) /******************************************************************************/ /* Signature Algorithms */ /******************************************************************************/ @@ -6015,6 +6015,7 @@ int TLSX_Cookie_Use(WOLFSSL* ssl, byte* data, word16 len, byte* mac, * data Unused * returns the length of data that will be in the extension. */ + static word16 TLSX_SignatureAlgorithms_GetSize(void* data) { WOLFSSL* ssl = (WOLFSSL*)data; @@ -6125,7 +6126,7 @@ static int TLSX_SetSignatureAlgorithms(TLSX** extensions, const void* data, #define SA_GET_SIZE TLSX_SignatureAlgorithms_GetSize #define SA_WRITE TLSX_SignatureAlgorithms_Write #define SA_PARSE TLSX_SignatureAlgorithms_Parse - +#endif /******************************************************************************/ /* Signature Algorithms Certificate */ /******************************************************************************/ @@ -8619,10 +8620,10 @@ void TLSX_FreeAll(TLSX* list, void* heap) case TLSX_APPLICATION_LAYER_PROTOCOL: ALPN_FREE_ALL((ALPN*)extension->data, heap); break; - +#if !defined(WOLFSSL_NO_SIGALG) case TLSX_SIGNATURE_ALGORITHMS: break; - +#endif #ifdef WOLFSSL_TLS13 case TLSX_SUPPORTED_VERSIONS: break; 
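Review bot: Nothing in the first hunk says what `WOLFSSL_NO_SIGALG` switches off or when it is acceptable to define it, and the guard it opens is only closed by a bare `#endif` in the @@ -6125 hunk, more than a hundred lines further down. I would put a comment on the opening line, for example `/* WOLFSSL_NO_SIGALG: build without the signature_algorithms extension (size, write, parse and set) */`, and label the close as `#endif /* !WOLFSSL_NO_SIGALG */`. The context just above the guard shows another extension falling back to a stub, `#define CKE_PARSE(a, b, c, d) 0`. An `#else` branch with equivalent stubs for `SA_GET_SIZE`, `SA_WRITE` and `SA_PARSE` would follow that pattern and let the switch cases in the later hunks stay unguarded, provided the enumerator itself remains defined.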
@@ -8754,11 +8755,11 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType, word16* pLeng case TLSX_APPLICATION_LAYER_PROTOCOL: length += ALPN_GET_SIZE((ALPN*)extension->data); break; - +#if !defined(WOLFSSL_NO_SIGALG) case TLSX_SIGNATURE_ALGORITHMS: length += SA_GET_SIZE(extension->data); break; - +#endif #ifdef WOLFSSL_TLS13 case TLSX_SUPPORTED_VERSIONS: ret = SV_GET_SIZE(extension->data, msgType, &length); @@ -8915,12 +8916,12 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore, WOLFSSL_MSG("ALPN extension to write"); offset += ALPN_WRITE((ALPN*)extension->data, output + offset); break; - +#if !defined(WOLFSSL_NO_SIGALG) case TLSX_SIGNATURE_ALGORITHMS: WOLFSSL_MSG("Signature Algorithms extension to write"); offset += SA_WRITE(extension->data, output + offset); break; - +#endif #ifdef WOLFSSL_TLS13 case TLSX_SUPPORTED_VERSIONS: WOLFSSL_MSG("Supported Versions extension to write"); @@ -9479,12 +9480,15 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) #endif /* (HAVE_ECC || HAVE_CURVE25519) && HAVE_SUPPORTED_CURVES */ } /* is not server */ +#if !defined(WOLFSSL_NO_SIGALG) WOLFSSL_MSG("Adding signature algorithms extension"); if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, ssl->heap)) != 0) { return ret; } - +#else + ret = 0; +#endif #ifdef WOLFSSL_TLS13 if (!isServer && IsAtLeastTLSv1_3(ssl->version)) { /* Add mandatory TLS v1.3 extension: supported version */ @@ -9667,7 +9671,9 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) QSH_VALIDATE_REQUEST(ssl, semaphore); WOLF_STK_VALIDATE_REQUEST(ssl); if (ssl->suites->hashSigAlgoSz == 0) +#if !defined(WOLFSSL_NO_SIGALG) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); +#endif #if defined(WOLFSSL_TLS13) if (!IsAtLeastTLSv1_2(ssl)) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); 
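Review bot: In the TLSX_PopulateExtensions hunk the `#else` branch drops the extension from the ClientHello without recording the security consequence anywhere. RFC 5246 section 7.4.1.4.1 has a TLS 1.2 server treat a missing signature_algorithms extension as an offer of SHA-1 with the key type of the cipher suite, so a client built with this option can end up accepting SHA-1 handshake signatures. A comment in the `#else` branch should say so, for example `/* no signature_algorithms sent: TLS 1.2 peers assume the RFC 5246 SHA-1 defaults */`. Whether `ret` can be anything other than zero when it reaches `ret = 0;` depends on code above the hunk; if it is already initialised there, the assignment can be dropped.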
@@ -9707,6 +9713,7 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) } #endif } +#if !defined(WOLFSSL_NO_SIGALG) #ifdef WOLFSSL_TLS13 #ifndef NO_CERTS else if (msgType == certificate_request) { @@ -9719,7 +9726,7 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) } #endif #endif - +#endif if (ssl->extensions) ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length); if (ssl->ctx && ssl->ctx->extensions) @@ -9758,7 +9765,9 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) WOLF_STK_VALIDATE_REQUEST(ssl); QSH_VALIDATE_REQUEST(ssl, semaphore); if (ssl->suites->hashSigAlgoSz == 0) +#if !defined(WOLFSSL_NO_SIGALG) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); +#endif #ifdef WOLFSSL_TLS13 if (!IsAtLeastTLSv1_2(ssl)) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); @@ -9804,6 +9813,7 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) } #endif } +#if !defined(WOLFSSL_NO_SIGALG) #ifdef WOLFSSL_TLS13 #ifndef NO_CERTS else if (msgType == certificate_request) { @@ -9816,7 +9826,7 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) } #endif #endif - +#endif if (ssl->extensions) { ret = TLSX_Write(ssl->extensions, output + offset, semaphore, msgType, &offset); @@ -10349,13 +10359,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, #endif ret = ALPN_PARSE(ssl, input + offset, size, isRequest); break; - +#if !defined(WOLFSSL_NO_SIGALG) case TLSX_SIGNATURE_ALGORITHMS: WOLFSSL_MSG("Signature Algorithms extension received"); if (!IsAtLeastTLSv1_2(ssl)) break; - #ifdef WOLFSSL_TLS13 if (IsAtLeastTLSv1_3(ssl->version) && msgType != client_hello && 
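Review bot: With the `case TLSX_SIGNATURE_ALGORITHMS:` label compiled out in the TLSX_Parse hunk, a signature_algorithms extension sent by a peer no longer reaches `SA_PARSE` and is handled by whatever the switch does for unrecognised types, which is outside the hunk. On the server side this presumably means the client's advertised hash and signature list never influences `suites`, so the signature algorithm is chosen from local defaults alone. I would keep the label and make the skip explicit and traceable, e.g. `WOLFSSL_MSG("Signature Algorithms extension ignored (WOLFSSL_NO_SIGALG)"); break;` in an `#else` branch, which requires the enumerator in internal.h to stay defined. The case body continues into the next hunk, where the matching `#endif` is added.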
@@ -10365,7 +10374,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, #endif ret = SA_PARSE(ssl, input + offset, size, isRequest, suites); break; - +#endif #ifdef WOLFSSL_TLS13 case TLSX_SUPPORTED_VERSIONS: WOLFSSL_MSG("Skipping Supported Versions - already processed"); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index b374a25c3..d0b9b7d35 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2060,7 +2060,9 @@ typedef enum { TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stapling */ TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */ TLSX_EC_POINT_FORMATS = 0x000b, +#if !defined(WOLFSSL_NO_SIGALG) TLSX_SIGNATURE_ALGORITHMS = 0x000d, +#endif TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stapling v2 */ TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ From 817eaa6da43b9882e5fb51213b4d8afd7550a6be Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Sat, 30 Mar 2019 10:36:49 +0900 Subject: [PATCH 2/3] protect compiling while enabling both WOLFSSL_TLS13 and WOLFSSL_NO_SIGALG --- wolfssl/wolfcrypt/settings.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index fb9d0a5db..71f811d21 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1989,6 +1989,9 @@ extern void uITRON4_free(void *p) ; #define WOLF_CRYPTO_CB #endif +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_NO_SIGALG) + #error TLS 1.3 requires the Signature Algorithms extension to be enabled +#endif #ifdef __cplusplus } /* extern "C" */ From f81446bf6958a448dd3f7f4ed0c00110ea9bd3d4 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 4 Apr 2019 10:04:09 +0900 Subject: [PATCH 3/3] Fixed compiling error while enabling opensslextra --- src/tls.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/tls.c b/src/tls.c index 7cfbe1e92..22b37bbfa 100644 --- a/src/tls.c +++ b/src/tls.c 
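Review bot: `TLSX_SIGNATURE_ALGORITHMS = 0x000d` in the internal.h hunk is a wire code point, and hiding the enumerator behind `WOLFSSL_NO_SIGALG` means every reference in the tree has to carry the same guard or the build breaks. Only src/tls.c is patched in this series, so any other file that names the constant would fail to compile with the option set; the subject of the third patch suggests this has already happened once. Leaving the line `TLSX_SIGNATURE_ALGORITHMS = 0x000d,` unconditional and guarding only the handlers would remove that coupling.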
@@ -9670,8 +9670,8 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) PF_VALIDATE_REQUEST(ssl, semaphore); QSH_VALIDATE_REQUEST(ssl, semaphore); WOLF_STK_VALIDATE_REQUEST(ssl); - if (ssl->suites->hashSigAlgoSz == 0) #if !defined(WOLFSSL_NO_SIGALG) + if (ssl->suites->hashSigAlgoSz == 0) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); #endif #if defined(WOLFSSL_TLS13) @@ -9713,19 +9713,20 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) } #endif } -#if !defined(WOLFSSL_NO_SIGALG) + #ifdef WOLFSSL_TLS13 #ifndef NO_CERTS else if (msgType == certificate_request) { XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); +#if !defined(WOLFSSL_NO_SIGALG) TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); +#endif /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, * TLSX_CERTIFICATE_AUTHORITIES, OID_FILTERS * TLSX_STATUS_REQUEST */ } #endif -#endif #endif if (ssl->extensions) ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length); @@ -9764,8 +9765,8 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) PF_VALIDATE_REQUEST(ssl, semaphore); WOLF_STK_VALIDATE_REQUEST(ssl); QSH_VALIDATE_REQUEST(ssl, semaphore); - if (ssl->suites->hashSigAlgoSz == 0) #if !defined(WOLFSSL_NO_SIGALG) + if (ssl->suites->hashSigAlgoSz == 0) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); #endif #ifdef WOLFSSL_TLS13 
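Review bot: The reordered `if (ssl->suites->hashSigAlgoSz == 0)` in the TLSX_GetRequestSize hunk is still an unbraced `if` placed next to preprocessor conditionals, which is the shape that left it without its own body in the first patch when the option was defined. Bracing it, `if (ssl->suites->hashSigAlgoSz == 0) { TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); }`, keeps the statement intact if the guards are moved again. The same applies to the TLSX_WriteRequest hunk at @@ -9764.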
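Review bot: The `#if !defined(WOLFSSL_NO_SIGALG)` now wrapped around `TURN_OFF` in the certificate_request branch sits inside `#ifdef WOLFSSL_TLS13`, a combination that the second patch rejects with `#error` in settings.h, so the guard can never take effect. If it ever did, `XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE)` would run with nothing turned back off and, as far as the hunk shows, every extension would be masked out of the message. I would drop the inner `#if`/`#endif` pair and keep `TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));` unconditional within the TLS 1.3 block. The TLSX_WriteRequest hunk at @@ -9813 has the same construct.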
@@ -9813,19 +9814,19 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) } #endif } -#if !defined(WOLFSSL_NO_SIGALG) #ifdef WOLFSSL_TLS13 #ifndef NO_CERTS else if (msgType == certificate_request) { XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); +#if !defined(WOLFSSL_NO_SIGALG) TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); +#endif /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, * TLSX_CERTIFICATE_AUTHORITIES, TLSX_OID_FILTERS * TLSX_STATUS_REQUEST */ } #endif -#endif #endif if (ssl->extensions) { ret = TLSX_Write(ssl->extensions, output + offset, semaphore,