forked from wolfSSL/wolfssl
Merge pull request #2176 from miyazakh/no_signature_algo
Add macro definition to disable signature algorithms extension
This commit is contained in:
Chris Conlon
GitHub
38
src/tls.c
38
src/tls.c
@ -6007,7 +6007,7 @@ int TLSX_Cookie_Use(WOLFSSL* ssl, byte* data, word16 len, byte* mac,
|
|||||||
#define CKE_PARSE(a, b, c, d) 0
|
#define CKE_PARSE(a, b, c, d) 0
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* Signature Algorithms */
|
/* Signature Algorithms */
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
@ -6017,6 +6017,7 @@ int TLSX_Cookie_Use(WOLFSSL* ssl, byte* data, word16 len, byte* mac,
|
|||||||
* data Unused
|
* data Unused
|
||||||
* returns the length of data that will be in the extension.
|
* returns the length of data that will be in the extension.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
static word16 TLSX_SignatureAlgorithms_GetSize(void* data)
|
static word16 TLSX_SignatureAlgorithms_GetSize(void* data)
|
||||||
{
|
{
|
||||||
WOLFSSL* ssl = (WOLFSSL*)data;
|
WOLFSSL* ssl = (WOLFSSL*)data;
|
||||||
@ -6127,7 +6128,7 @@ static int TLSX_SetSignatureAlgorithms(TLSX** extensions, const void* data,
|
|||||||
#define SA_GET_SIZE TLSX_SignatureAlgorithms_GetSize
|
#define SA_GET_SIZE TLSX_SignatureAlgorithms_GetSize
|
||||||
#define SA_WRITE TLSX_SignatureAlgorithms_Write
|
#define SA_WRITE TLSX_SignatureAlgorithms_Write
|
||||||
#define SA_PARSE TLSX_SignatureAlgorithms_Parse
|
#define SA_PARSE TLSX_SignatureAlgorithms_Parse
|
||||||
|
#endif
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
/* Signature Algorithms Certificate */
|
/* Signature Algorithms Certificate */
|
||||||
/******************************************************************************/
|
/******************************************************************************/
|
||||||
@ -8621,10 +8622,10 @@ void TLSX_FreeAll(TLSX* list, void* heap)
|
|||||||
case TLSX_APPLICATION_LAYER_PROTOCOL:
|
case TLSX_APPLICATION_LAYER_PROTOCOL:
|
||||||
ALPN_FREE_ALL((ALPN*)extension->data, heap);
|
ALPN_FREE_ALL((ALPN*)extension->data, heap);
|
||||||
break;
|
break;
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
case TLSX_SIGNATURE_ALGORITHMS:
|
case TLSX_SIGNATURE_ALGORITHMS:
|
||||||
break;
|
break;
|
||||||
|
#endif
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
case TLSX_SUPPORTED_VERSIONS:
|
case TLSX_SUPPORTED_VERSIONS:
|
||||||
break;
|
break;
|
||||||
@ -8756,11 +8757,11 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType, word16* pLeng
|
|||||||
case TLSX_APPLICATION_LAYER_PROTOCOL:
|
case TLSX_APPLICATION_LAYER_PROTOCOL:
|
||||||
length += ALPN_GET_SIZE((ALPN*)extension->data);
|
length += ALPN_GET_SIZE((ALPN*)extension->data);
|
||||||
break;
|
break;
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
case TLSX_SIGNATURE_ALGORITHMS:
|
case TLSX_SIGNATURE_ALGORITHMS:
|
||||||
length += SA_GET_SIZE(extension->data);
|
length += SA_GET_SIZE(extension->data);
|
||||||
break;
|
break;
|
||||||
|
#endif
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
case TLSX_SUPPORTED_VERSIONS:
|
case TLSX_SUPPORTED_VERSIONS:
|
||||||
ret = SV_GET_SIZE(extension->data, msgType, &length);
|
ret = SV_GET_SIZE(extension->data, msgType, &length);
|
||||||
@ -8917,12 +8918,12 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore,
|
|||||||
WOLFSSL_MSG("ALPN extension to write");
|
WOLFSSL_MSG("ALPN extension to write");
|
||||||
offset += ALPN_WRITE((ALPN*)extension->data, output + offset);
|
offset += ALPN_WRITE((ALPN*)extension->data, output + offset);
|
||||||
break;
|
break;
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
case TLSX_SIGNATURE_ALGORITHMS:
|
case TLSX_SIGNATURE_ALGORITHMS:
|
||||||
WOLFSSL_MSG("Signature Algorithms extension to write");
|
WOLFSSL_MSG("Signature Algorithms extension to write");
|
||||||
offset += SA_WRITE(extension->data, output + offset);
|
offset += SA_WRITE(extension->data, output + offset);
|
||||||
break;
|
break;
|
||||||
|
#endif
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
case TLSX_SUPPORTED_VERSIONS:
|
case TLSX_SUPPORTED_VERSIONS:
|
||||||
WOLFSSL_MSG("Supported Versions extension to write");
|
WOLFSSL_MSG("Supported Versions extension to write");
|
||||||
@ -9481,12 +9482,15 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
|
|||||||
#endif /* (HAVE_ECC || HAVE_CURVE25519) && HAVE_SUPPORTED_CURVES */
|
#endif /* (HAVE_ECC || HAVE_CURVE25519) && HAVE_SUPPORTED_CURVES */
|
||||||
} /* is not server */
|
} /* is not server */
|
||||||
|
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
WOLFSSL_MSG("Adding signature algorithms extension");
|
WOLFSSL_MSG("Adding signature algorithms extension");
|
||||||
if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, ssl->heap))
|
if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, ssl->heap))
|
||||||
!= 0) {
|
!= 0) {
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
#else
|
||||||
|
ret = 0;
|
||||||
|
#endif
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
if (!isServer && IsAtLeastTLSv1_3(ssl->version)) {
|
if (!isServer && IsAtLeastTLSv1_3(ssl->version)) {
|
||||||
/* Add mandatory TLS v1.3 extension: supported version */
|
/* Add mandatory TLS v1.3 extension: supported version */
|
||||||
@ -9668,8 +9672,10 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength)
|
|||||||
PF_VALIDATE_REQUEST(ssl, semaphore);
|
PF_VALIDATE_REQUEST(ssl, semaphore);
|
||||||
QSH_VALIDATE_REQUEST(ssl, semaphore);
|
QSH_VALIDATE_REQUEST(ssl, semaphore);
|
||||||
WOLF_STK_VALIDATE_REQUEST(ssl);
|
WOLF_STK_VALIDATE_REQUEST(ssl);
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
if (ssl->suites->hashSigAlgoSz == 0)
|
if (ssl->suites->hashSigAlgoSz == 0)
|
||||||
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
||||||
|
#endif
|
||||||
#if defined(WOLFSSL_TLS13)
|
#if defined(WOLFSSL_TLS13)
|
||||||
if (!IsAtLeastTLSv1_2(ssl))
|
if (!IsAtLeastTLSv1_2(ssl))
|
||||||
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
|
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
|
||||||
@ -9709,11 +9715,14 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
else if (msgType == certificate_request) {
|
else if (msgType == certificate_request) {
|
||||||
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
|
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
||||||
|
#endif
|
||||||
/* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
|
/* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
|
||||||
* TLSX_CERTIFICATE_AUTHORITIES, OID_FILTERS
|
* TLSX_CERTIFICATE_AUTHORITIES, OID_FILTERS
|
||||||
* TLSX_STATUS_REQUEST
|
* TLSX_STATUS_REQUEST
|
||||||
@ -9721,7 +9730,6 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (ssl->extensions)
|
if (ssl->extensions)
|
||||||
ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length);
|
ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length);
|
||||||
if (ssl->ctx && ssl->ctx->extensions)
|
if (ssl->ctx && ssl->ctx->extensions)
|
||||||
@ -9759,8 +9767,10 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset)
|
|||||||
PF_VALIDATE_REQUEST(ssl, semaphore);
|
PF_VALIDATE_REQUEST(ssl, semaphore);
|
||||||
WOLF_STK_VALIDATE_REQUEST(ssl);
|
WOLF_STK_VALIDATE_REQUEST(ssl);
|
||||||
QSH_VALIDATE_REQUEST(ssl, semaphore);
|
QSH_VALIDATE_REQUEST(ssl, semaphore);
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
if (ssl->suites->hashSigAlgoSz == 0)
|
if (ssl->suites->hashSigAlgoSz == 0)
|
||||||
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
||||||
|
#endif
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
if (!IsAtLeastTLSv1_2(ssl))
|
if (!IsAtLeastTLSv1_2(ssl))
|
||||||
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
|
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
|
||||||
@ -9810,7 +9820,9 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset)
|
|||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
else if (msgType == certificate_request) {
|
else if (msgType == certificate_request) {
|
||||||
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
|
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
||||||
|
#endif
|
||||||
/* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
|
/* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
|
||||||
* TLSX_CERTIFICATE_AUTHORITIES, TLSX_OID_FILTERS
|
* TLSX_CERTIFICATE_AUTHORITIES, TLSX_OID_FILTERS
|
||||||
* TLSX_STATUS_REQUEST
|
* TLSX_STATUS_REQUEST
|
||||||
@ -9818,7 +9830,6 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (ssl->extensions) {
|
if (ssl->extensions) {
|
||||||
ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
|
ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
|
||||||
msgType, &offset);
|
msgType, &offset);
|
||||||
@ -10351,13 +10362,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
|
|||||||
#endif
|
#endif
|
||||||
ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
|
ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
|
||||||
break;
|
break;
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
case TLSX_SIGNATURE_ALGORITHMS:
|
case TLSX_SIGNATURE_ALGORITHMS:
|
||||||
WOLFSSL_MSG("Signature Algorithms extension received");
|
WOLFSSL_MSG("Signature Algorithms extension received");
|
||||||
|
|
||||||
if (!IsAtLeastTLSv1_2(ssl))
|
if (!IsAtLeastTLSv1_2(ssl))
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
if (IsAtLeastTLSv1_3(ssl->version) &&
|
if (IsAtLeastTLSv1_3(ssl->version) &&
|
||||||
msgType != client_hello &&
|
msgType != client_hello &&
|
||||||
@ -10367,7 +10377,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
|
|||||||
#endif
|
#endif
|
||||||
ret = SA_PARSE(ssl, input + offset, size, isRequest, suites);
|
ret = SA_PARSE(ssl, input + offset, size, isRequest, suites);
|
||||||
break;
|
break;
|
||||||
|
#endif
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
case TLSX_SUPPORTED_VERSIONS:
|
case TLSX_SUPPORTED_VERSIONS:
|
||||||
WOLFSSL_MSG("Skipping Supported Versions - already processed");
|
WOLFSSL_MSG("Skipping Supported Versions - already processed");
|
||||||
|
|||||||
@ -2045,7 +2045,9 @@ typedef enum {
|
|||||||
TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stapling */
|
TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stapling */
|
||||||
TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */
|
TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */
|
||||||
TLSX_EC_POINT_FORMATS = 0x000b,
|
TLSX_EC_POINT_FORMATS = 0x000b,
|
||||||
|
#if !defined(WOLFSSL_NO_SIGALG)
|
||||||
TLSX_SIGNATURE_ALGORITHMS = 0x000d,
|
TLSX_SIGNATURE_ALGORITHMS = 0x000d,
|
||||||
|
#endif
|
||||||
TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */
|
TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */
|
||||||
TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stapling v2 */
|
TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stapling v2 */
|
||||||
TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */
|
TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */
|
||||||
|
|||||||
@ -1989,6 +1989,9 @@ extern void uITRON4_free(void *p) ;
|
|||||||
#define WOLF_CRYPTO_CB
|
#define WOLF_CRYPTO_CB
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_NO_SIGALG)
|
||||||
|
#error TLS 1.3 requires the Signature Algorithms extension to be enabled
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
} /* extern "C" */
|
} /* extern "C" */
|
||||||
|
|||||||
Reference in New Issue
Block a user