Send BUFFER_ERROR if size does not meet minimum reqs for the extension
160
src/tls.c
160
src/tls.c
@ -14366,6 +14366,143 @@ int TLSX_ParseVersion(WOLFSSL* ssl, const byte* input, word16 length,
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
/* Jump Table to check minimum size values for client case in TLSX_Parse */
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
static word16 TLSX_GetMinSize_Client(word16* type)
|
||||
{
|
||||
switch (*type) {
|
||||
case TLSXT_SERVER_NAME:
|
||||
return WOLFSSL_SNI_MIN_SIZE_CLIENT;
|
||||
case TLSXT_EARLY_DATA:
|
||||
return WOLFSSL_EDI_MIN_SIZE_CLIENT;
|
||||
case TLSXT_MAX_FRAGMENT_LENGTH:
|
||||
return WOLFSSL_MFL_MIN_SIZE_CLIENT;
|
||||
case TLSXT_TRUSTED_CA_KEYS:
|
||||
return WOLFSSL_TCA_MIN_SIZE_CLIENT;
|
||||
case TLSXT_TRUNCATED_HMAC:
|
||||
return WOLFSSL_THM_MIN_SIZE_CLIENT;
|
||||
case TLSXT_STATUS_REQUEST:
|
||||
return WOLFSSL_CSR_MIN_SIZE_CLIENT;
|
||||
case TLSXT_SUPPORTED_GROUPS:
|
||||
return WOLFSSL_EC_MIN_SIZE_CLIENT;
|
||||
case TLSXT_EC_POINT_FORMATS:
|
||||
return WOLFSSL_PF_MIN_SIZE_CLIENT;
|
||||
case TLSXT_SIGNATURE_ALGORITHMS:
|
||||
return WOLFSSL_SA_MIN_SIZE_CLIENT;
|
||||
case TLSXT_USE_SRTP:
|
||||
return WOLFSSL_SRTP_MIN_SIZE_CLIENT;
|
||||
case TLSXT_APPLICATION_LAYER_PROTOCOL:
|
||||
return WOLFSSL_ALPN_MIN_SIZE_CLIENT;
|
||||
case TLSXT_STATUS_REQUEST_V2:
|
||||
return WOLFSSL_CSR2_MIN_SIZE_CLIENT;
|
||||
case TLSXT_CLIENT_CERTIFICATE:
|
||||
return WOLFSSL_CCT_MIN_SIZE_CLIENT;
|
||||
case TLSXT_SERVER_CERTIFICATE:
|
||||
return WOLFSSL_SCT_MIN_SIZE_CLIENT;
|
||||
case TLSXT_ENCRYPT_THEN_MAC:
|
||||
return WOLFSSL_ETM_MIN_SIZE_CLIENT;
|
||||
case TLSXT_SESSION_TICKET:
|
||||
return WOLFSSL_STK_MIN_SIZE_CLIENT;
|
||||
case TLSXT_PRE_SHARED_KEY:
|
||||
return WOLFSSL_PSK_MIN_SIZE_CLIENT;
|
||||
case TLSXT_COOKIE:
|
||||
return WOLFSSL_CKE_MIN_SIZE_CLIENT;
|
||||
case TLSXT_PSK_KEY_EXCHANGE_MODES:
|
||||
return WOLFSSL_PKM_MIN_SIZE_CLIENT;
|
||||
case TLSXT_CERTIFICATE_AUTHORITIES:
|
||||
return WOLFSSL_CAN_MIN_SIZE_CLIENT;
|
||||
case TLSXT_POST_HANDSHAKE_AUTH:
|
||||
return WOLFSSL_PHA_MIN_SIZE_CLIENT;
|
||||
case TLSXT_SIGNATURE_ALGORITHMS_CERT:
|
||||
return WOLFSSL_SA_MIN_SIZE_CLIENT;
|
||||
case TLSXT_KEY_SHARE:
|
||||
return WOLFSSL_KS_MIN_SIZE_CLIENT;
|
||||
case TLSXT_CONNECTION_ID:
|
||||
return WOLFSSL_CID_MIN_SIZE_CLIENT;
|
||||
case TLSXT_RENEGOTIATION_INFO:
|
||||
return WOLFSSL_SCR_MIN_SIZE_CLIENT;
|
||||
case TLSXT_KEY_QUIC_TP_PARAMS_DRAFT:
|
||||
return WOLFSSL_QTP_MIN_SIZE_CLIENT;
|
||||
case TLSXT_ECH:
|
||||
return WOLFSSL_ECH_MIN_SIZE_CLIENT;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#define TLSX_GET_MIN_SIZE_CLIENT TLSX_GetMinSize_Client
|
||||
#else
|
||||
#define TLSX_GET_MIN_SIZE_CLIENT(...) 0
|
||||
#endif
|
||||
|
||||
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
/* Jump Table to check minimum size values for server case in TLSX_Parse */
|
||||
static word16 TLSX_GetMinSize_Server(const word16 *type)
|
||||
{
|
||||
switch (*type) {
|
||||
case TLSXT_SERVER_NAME:
|
||||
return WOLFSSL_SNI_MIN_SIZE_SERVER;
|
||||
case TLSXT_EARLY_DATA:
|
||||
return WOLFSSL_EDI_MIN_SIZE_SERVER;
|
||||
case TLSXT_MAX_FRAGMENT_LENGTH:
|
||||
return WOLFSSL_MFL_MIN_SIZE_SERVER;
|
||||
case TLSXT_TRUSTED_CA_KEYS:
|
||||
return WOLFSSL_TCA_MIN_SIZE_SERVER;
|
||||
case TLSXT_TRUNCATED_HMAC:
|
||||
return WOLFSSL_THM_MIN_SIZE_SERVER;
|
||||
case TLSXT_STATUS_REQUEST:
|
||||
return WOLFSSL_CSR_MIN_SIZE_SERVER;
|
||||
case TLSXT_SUPPORTED_GROUPS:
|
||||
return WOLFSSL_EC_MIN_SIZE_SERVER;
|
||||
case TLSXT_EC_POINT_FORMATS:
|
||||
return WOLFSSL_PF_MIN_SIZE_SERVER;
|
||||
case TLSXT_SIGNATURE_ALGORITHMS:
|
||||
return WOLFSSL_SA_MIN_SIZE_SERVER;
|
||||
case TLSXT_USE_SRTP:
|
||||
return WOLFSSL_SRTP_MIN_SIZE_SERVER;
|
||||
case TLSXT_APPLICATION_LAYER_PROTOCOL:
|
||||
return WOLFSSL_ALPN_MIN_SIZE_SERVER;
|
||||
case TLSXT_STATUS_REQUEST_V2:
|
||||
return WOLFSSL_CSR2_MIN_SIZE_SERVER;
|
||||
case TLSXT_CLIENT_CERTIFICATE:
|
||||
return WOLFSSL_CCT_MIN_SIZE_SERVER;
|
||||
case TLSXT_SERVER_CERTIFICATE:
|
||||
return WOLFSSL_SCT_MIN_SIZE_SERVER;
|
||||
case TLSXT_ENCRYPT_THEN_MAC:
|
||||
return WOLFSSL_ETM_MIN_SIZE_SERVER;
|
||||
case TLSXT_SESSION_TICKET:
|
||||
return WOLFSSL_STK_MIN_SIZE_SERVER;
|
||||
case TLSXT_PRE_SHARED_KEY:
|
||||
return WOLFSSL_PSK_MIN_SIZE_SERVER;
|
||||
case TLSXT_COOKIE:
|
||||
return WOLFSSL_CKE_MIN_SIZE_SERVER;
|
||||
case TLSXT_PSK_KEY_EXCHANGE_MODES:
|
||||
return WOLFSSL_PKM_MIN_SIZE_SERVER;
|
||||
case TLSXT_CERTIFICATE_AUTHORITIES:
|
||||
return WOLFSSL_CAN_MIN_SIZE_SERVER;
|
||||
case TLSXT_POST_HANDSHAKE_AUTH:
|
||||
return WOLFSSL_PHA_MIN_SIZE_SERVER;
|
||||
case TLSXT_SIGNATURE_ALGORITHMS_CERT:
|
||||
return WOLFSSL_SA_MIN_SIZE_SERVER;
|
||||
case TLSXT_KEY_SHARE:
|
||||
return WOLFSSL_KS_MIN_SIZE_SERVER;
|
||||
case TLSXT_CONNECTION_ID:
|
||||
return WOLFSSL_CID_MIN_SIZE_SERVER;
|
||||
case TLSXT_RENEGOTIATION_INFO:
|
||||
return WOLFSSL_SCR_MIN_SIZE_SERVER;
|
||||
case TLSXT_KEY_QUIC_TP_PARAMS_DRAFT:
|
||||
return WOLFSSL_QTP_MIN_SIZE_SERVER;
|
||||
case TLSXT_ECH:
|
||||
return WOLFSSL_ECH_MIN_SIZE_SERVER;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#define TLSX_GET_MIN_SIZE_SERVER TLSX_GetMinSize_Server
|
||||
#else
|
||||
#define TLSX_GET_MIN_SIZE_SERVER(...) 0
|
||||
#endif
|
||||
|
||||
|
||||
/** Parses a buffer of TLS extensions. */
|
||||
int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType,
|
||||
@ -14429,6 +14566,29 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType,
|
||||
if (length - offset < size)
|
||||
return BUFFER_ERROR;
|
||||
|
||||
/* Check minimum size required for TLSX, even if disabled */
|
||||
switch (msgType) {
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
case client_hello:
|
||||
if (size < TLSX_GET_MIN_SIZE_CLIENT(&type)){
|
||||
WOLFSSL_MSG("Minimum TLSX Size Requirement not Satisfied");
|
||||
return BUFFER_ERROR;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
case server_hello:
|
||||
case hello_retry_request:
|
||||
if (size < TLSX_GET_MIN_SIZE_SERVER(&type)){
|
||||
WOLFSSL_MSG("Minimum TLSX Size Requirement not Satisfied");
|
||||
return BUFFER_ERROR;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
switch (type) {
|
||||
#ifdef HAVE_SNI
|
||||
case TLSX_SERVER_NAME:
|
||||
|
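Review bot: In TLSX_GetMinSize_Client and TLSX_GetMinSize_Server the `TLSXT_SIGNATURE_ALGORITHMS_CERT` case returns `WOLFSSL_SA_MIN_SIZE_CLIENT` / `WOLFSSL_SA_MIN_SIZE_SERVER` (the signature_algorithms minimum), while the header added by this commit introduces `WOLFSSL_SAC_MIN_SIZE_CLIENT` / `WOLFSSL_SAC_MIN_SIZE_SERVER` that nothing reads; the defaults happen to be equal today, but an override of the SAC macros is silently ignored, so those two returns should be `return WOLFSSL_SAC_MIN_SIZE_CLIENT;` and `return WOLFSSL_SAC_MIN_SIZE_SERVER;`. The same applies to `WOLFSSL_SV_MIN_SIZE_*`: neither table has a `TLSXT_SUPPORTED_VERSIONS` case, so supported_versions falls to `default: return 0;` and is never length-checked here, and either a `case TLSXT_SUPPORTED_VERSIONS: return WOLFSSL_SV_MIN_SIZE_CLIENT;` (and the SERVER twin) should be added or the unused macros dropped. As a point of style, both helpers take a pointer to a `word16` only to dereference it once, with inconsistent constness between them (`word16* type` vs `const word16 *type`); passing `word16 type` by value and calling `TLSX_GET_MIN_SIZE_CLIENT(type)` in TLSX_Parse would be simpler and avoids the variadic fallback macro. TLSX_Parse's body begins before and continues after the second hunk.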
@ -2820,74 +2820,108 @@ typedef struct Options Options;
|
||||
/** TLS Extensions - RFC 6066 */
|
||||
#ifdef HAVE_TLS_EXTENSIONS
|
||||
|
||||
#define TLSXT_SERVER_NAME 0x0000 /* a.k.a. SNI */
|
||||
#define TLSXT_MAX_FRAGMENT_LENGTH 0x0001
|
||||
#define TLSXT_TRUSTED_CA_KEYS 0x0003
|
||||
#define TLSXT_TRUNCATED_HMAC 0x0004
|
||||
#define TLSXT_STATUS_REQUEST 0x0005 /* a.k.a. OCSP stapling */
|
||||
#define TLSXT_SUPPORTED_GROUPS 0x000a /* a.k.a. Supported Curves */
|
||||
#define TLSXT_EC_POINT_FORMATS 0x000b
|
||||
#define TLSXT_SIGNATURE_ALGORITHMS 0x000d /* HELLO_EXT_SIG_ALGO */
|
||||
#define TLSXT_USE_SRTP 0x000e /* 14 */
|
||||
#define TLSXT_APPLICATION_LAYER_PROTOCOL 0x0010 /* a.k.a. ALPN */
|
||||
#define TLSXT_STATUS_REQUEST_V2 0x0011 /* a.k.a. OCSP stapling v2 */
|
||||
#define TLSXT_CLIENT_CERTIFICATE 0x0013 /* RFC8446 */
|
||||
#define TLSXT_SERVER_CERTIFICATE 0x0014 /* RFC8446 */
|
||||
#define TLSXT_ENCRYPT_THEN_MAC 0x0016 /* RFC 7366 */
|
||||
#define TLSXT_EXTENDED_MASTER_SECRET 0x0017 /* HELLO_EXT_EXTMS */
|
||||
#define TLSXT_SESSION_TICKET 0x0023
|
||||
#define TLSXT_PRE_SHARED_KEY 0x0029
|
||||
#define TLSXT_EARLY_DATA 0x002a
|
||||
#define TLSXT_SUPPORTED_VERSIONS 0x002b
|
||||
#define TLSXT_COOKIE 0x002c
|
||||
#define TLSXT_PSK_KEY_EXCHANGE_MODES 0x002d
|
||||
#define TLSXT_CERTIFICATE_AUTHORITIES 0x002f
|
||||
#define TLSXT_POST_HANDSHAKE_AUTH 0x0031
|
||||
#define TLSXT_SIGNATURE_ALGORITHMS_CERT 0x0032
|
||||
#define TLSXT_KEY_SHARE 0x0033
|
||||
#define TLSXT_CONNECTION_ID 0x0036
|
||||
#define TLSXT_KEY_QUIC_TP_PARAMS 0x0039 /* RFC 9001, ch. 8.2 */
|
||||
#define TLSXT_ECH 0xfe0d /* from */
|
||||
/* draft-ietf-tls-esni-13 */
|
||||
/* The 0xFF section is experimental/custom/personal use */
|
||||
#define TLSXT_CKS 0xff92 /* X9.146 */
|
||||
#define TLSXT_RENEGOTIATION_INFO 0xff01
|
||||
#define TLSXT_KEY_QUIC_TP_PARAMS_DRAFT 0xffa5 /* from */
|
||||
/* draft-ietf-quic-tls-27 */
|
||||
|
||||
typedef enum {
|
||||
#ifdef HAVE_SNI
|
||||
TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */
|
||||
TLSX_SERVER_NAME = TLSXT_SERVER_NAME,
|
||||
#endif
|
||||
TLSX_MAX_FRAGMENT_LENGTH = 0x0001,
|
||||
TLSX_TRUSTED_CA_KEYS = 0x0003,
|
||||
TLSX_TRUNCATED_HMAC = 0x0004,
|
||||
TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stapling */
|
||||
TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */
|
||||
TLSX_EC_POINT_FORMATS = 0x000b,
|
||||
TLSX_MAX_FRAGMENT_LENGTH = TLSXT_MAX_FRAGMENT_LENGTH,
|
||||
TLSX_TRUSTED_CA_KEYS = TLSXT_TRUSTED_CA_KEYS,
|
||||
TLSX_TRUNCATED_HMAC = TLSXT_TRUNCATED_HMAC,
|
||||
TLSX_STATUS_REQUEST = TLSXT_STATUS_REQUEST,
|
||||
TLSX_SUPPORTED_GROUPS = TLSXT_SUPPORTED_GROUPS,
|
||||
TLSX_EC_POINT_FORMATS = TLSXT_EC_POINT_FORMATS,
|
||||
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
|
||||
TLSX_SIGNATURE_ALGORITHMS = 0x000d, /* HELLO_EXT_SIG_ALGO */
|
||||
TLSX_SIGNATURE_ALGORITHMS = TLSXT_SIGNATURE_ALGORITHMS,
|
||||
#endif
|
||||
#ifdef WOLFSSL_SRTP
|
||||
TLSX_USE_SRTP = 0x000e, /* 14 */
|
||||
TLSX_USE_SRTP = TLSXT_USE_SRTP,
|
||||
#endif
|
||||
TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */
|
||||
TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stapling v2 */
|
||||
TLSX_APPLICATION_LAYER_PROTOCOL = TLSXT_APPLICATION_LAYER_PROTOCOL,
|
||||
TLSX_STATUS_REQUEST_V2 = TLSXT_STATUS_REQUEST_V2,
|
||||
#ifdef HAVE_RPK
|
||||
TLSX_CLIENT_CERTIFICATE_TYPE = 0x0013, /* RFC8446 */
|
||||
TLSX_SERVER_CERTIFICATE_TYPE = 0x0014, /* RFC8446 */
|
||||
TLSX_CLIENT_CERTIFICATE_TYPE = TLSXT_CLIENT_CERTIFICATE,
|
||||
TLSX_SERVER_CERTIFICATE_TYPE = TLSXT_SERVER_CERTIFICATE,
|
||||
#endif
|
||||
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
|
||||
TLSX_ENCRYPT_THEN_MAC = 0x0016, /* RFC 7366 */
|
||||
TLSX_ENCRYPT_THEN_MAC = TLSXT_ENCRYPT_THEN_MAC,
|
||||
#endif
|
||||
TLSX_EXTENDED_MASTER_SECRET = 0x0017, /* HELLO_EXT_EXTMS */
|
||||
TLSX_SESSION_TICKET = 0x0023,
|
||||
TLSX_EXTENDED_MASTER_SECRET = TLSXT_EXTENDED_MASTER_SECRET,
|
||||
TLSX_SESSION_TICKET = TLSXT_SESSION_TICKET,
|
||||
#ifdef WOLFSSL_TLS13
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
TLSX_PRE_SHARED_KEY = 0x0029,
|
||||
TLSX_PRE_SHARED_KEY = TLSXT_PRE_SHARED_KEY,
|
||||
#endif
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
TLSX_EARLY_DATA = 0x002a,
|
||||
TLSX_EARLY_DATA = TLSXT_EARLY_DATA,
|
||||
#endif
|
||||
TLSX_SUPPORTED_VERSIONS = 0x002b,
|
||||
TLSX_SUPPORTED_VERSIONS = TLSXT_SUPPORTED_VERSIONS,
|
||||
#ifdef WOLFSSL_SEND_HRR_COOKIE
|
||||
TLSX_COOKIE = 0x002c,
|
||||
TLSX_COOKIE = TLSXT_COOKIE,
|
||||
#endif
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
TLSX_PSK_KEY_EXCHANGE_MODES = 0x002d,
|
||||
TLSX_PSK_KEY_EXCHANGE_MODES = TLSXT_PSK_KEY_EXCHANGE_MODES,
|
||||
#endif
|
||||
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
|
||||
TLSX_CERTIFICATE_AUTHORITIES = 0x002f,
|
||||
TLSX_CERTIFICATE_AUTHORITIES = TLSXT_CERTIFICATE_AUTHORITIES,
|
||||
#endif
|
||||
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
|
||||
TLSX_POST_HANDSHAKE_AUTH = 0x0031,
|
||||
TLSX_POST_HANDSHAKE_AUTH = TLSXT_POST_HANDSHAKE_AUTH,
|
||||
#endif
|
||||
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
|
||||
TLSX_SIGNATURE_ALGORITHMS_CERT = 0x0032,
|
||||
TLSX_SIGNATURE_ALGORITHMS_CERT = TLSXT_SIGNATURE_ALGORITHMS_CERT,
|
||||
#endif
|
||||
TLSX_KEY_SHARE = 0x0033,
|
||||
TLSX_KEY_SHARE = TLSXT_KEY_SHARE,
|
||||
#if defined(WOLFSSL_DTLS_CID)
|
||||
TLSX_CONNECTION_ID = 0x0036,
|
||||
TLSX_CONNECTION_ID = TLSXT_CONNECTION_ID,
|
||||
#endif /* defined(WOLFSSL_DTLS_CID) */
|
||||
#ifdef WOLFSSL_QUIC
|
||||
TLSX_KEY_QUIC_TP_PARAMS = 0x0039, /* RFC 9001, ch. 8.2 */
|
||||
TLSX_KEY_QUIC_TP_PARAMS = TLSXT_KEY_QUIC_TP_PARAMS,
|
||||
#endif
|
||||
#ifdef WOLFSSL_DUAL_ALG_CERTS
|
||||
TLSX_CKS = 0xff92, /* X9.146; ff indicates personal
|
||||
* use and 92 is hex for 146. */
|
||||
#ifdef HAVE_ECH
|
||||
TLSX_ECH = TLSXT_ECH,
|
||||
#endif
|
||||
#endif
|
||||
TLSX_RENEGOTIATION_INFO = 0xff01,
|
||||
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
|
||||
TLSX_CKS = TLSXT_CKS,
|
||||
#endif
|
||||
TLSX_RENEGOTIATION_INFO = TLSXT_RENEGOTIATION_INFO,
|
||||
#ifdef WOLFSSL_QUIC
|
||||
TLSX_KEY_QUIC_TP_PARAMS_DRAFT = 0xffa5, /* from draft-ietf-quic-tls-27 */
|
||||
#endif
|
||||
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
|
||||
TLSX_ECH = 0xfe0d, /* from draft-ietf-tls-esni-13 */
|
||||
TLSX_KEY_QUIC_TP_PARAMS_DRAFT = TLSXT_KEY_QUIC_TP_PARAMS_DRAFT,
|
||||
#endif
|
||||
} TLSX_Type;
|
||||
|
||||
|
@ -1530,7 +1530,8 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE;
|
||||
#define OPENSSL_STRING WOLFSSL_STRING
|
||||
#define OPENSSL_CSTRING WOLFSSL_STRING
|
||||
|
||||
#define TLSEXT_TYPE_application_layer_protocol_negotiation 16
|
||||
#define TLSEXT_TYPE_application_layer_protocol_negotiation \
|
||||
TLSXT_APPLICATION_LAYER_PROTOCOL
|
||||
|
||||
#define OPENSSL_NPN_UNSUPPORTED 0
|
||||
#define OPENSSL_NPN_NEGOTIATED 1
|
||||
|
@ -45,8 +45,10 @@
|
||||
|
||||
#ifdef WOLFSSL_QUIC
|
||||
/* from rfc9001 */
|
||||
#define TLSEXT_TYPE_quic_transport_parameters_draft 0xffa5
|
||||
#define TLSEXT_TYPE_quic_transport_parameters 0x0039
|
||||
#define TLSEXT_TYPE_quic_transport_parameters_draft \
|
||||
TLSXT_KEY_QUIC_TP_PARAMS_DRAFT
|
||||
#define TLSEXT_TYPE_quic_transport_parameters \
|
||||
TLSXT_KEY_QUIC_TP_PARAMS
|
||||
#endif
|
||||
|
||||
#endif /* WOLFSSL_OPENSSL_TLS1_H_ */
|
||||
|
241
wolfssl/ssl.h
241
wolfssl/ssl.h
@ -5371,6 +5371,247 @@ WOLFSSL_API int wolfSSL_dtls_cid_get_tx(WOLFSSL* ssl, unsigned char* buffer,
|
||||
#define DTLS1_2_VERSION 0xFEFD
|
||||
#define DTLS1_3_VERSION 0xFEFC
|
||||
|
||||
/* These minimums where determined whilst referencing their RFC specs. The
|
||||
* values represent the minimum sizes of the data types in the required struct
|
||||
* for the `extension_data` field. A length of 0 was assumed when necassary.
|
||||
*
|
||||
* Documents Used for the respective extension:
|
||||
* - https://datatracker.ietf.org/doc/html/rfc6066
|
||||
* - Server Name Indication (SNI)
|
||||
* - Maximum Fragment Length Negotiation (MFL)
|
||||
* - Trusted CA Indication (TCA)
|
||||
* - Certificate Status Request (CSR)
|
||||
* - Truncate HMAC (THM)
|
||||
* - https://datatracker.ietf.org/doc/html/rfc8446
|
||||
* - Early Data Indication (EDI)
|
||||
* - Pre-Shared Key (PSK)
|
||||
* - Pre-Shared Key Exchange Modes (PKM)
|
||||
* - Key Share (KS)
|
||||
* - Post-Handshake Authentication (PHA)
|
||||
* - Signature Algorithms (SA)
|
||||
* - Signature Algorithms Certificate (SAC)
|
||||
* - Support Groups (EC)
|
||||
* - Cookie (CKE)
|
||||
* - Supported Versions (SV)
|
||||
* - Certificate Authorities (CAN)
|
||||
* - https://datatracker.ietf.org/doc/html/rfc6961
|
||||
* - Certificate Status Request v2 (CSR2)
|
||||
* - https://datatracker.ietf.org/doc/rfc9146/
|
||||
* - Connection Identifier (CID)
|
||||
* - https://datatracker.ietf.org/doc/rfc7301/
|
||||
* - Application-Layer Protocol Negotiation (ALPN)
|
||||
* - https://datatracker.ietf.org/doc/html/rfc3711
|
||||
* - Secure Real-time Transport Protocol (SRTP)
|
||||
* - https://datatracker.ietf.org/doc/html/rfc7366
|
||||
* - Encrypt Then Mac (ETM)
|
||||
* - https://datatracker.ietf.org/doc/html/rfc7250
|
||||
* - Client Certificate Type (CCT)
|
||||
* - Server Certificate Type (SCT)
|
||||
* - https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
|
||||
* - Encrypted Client Hello (ECH)
|
||||
* - https://datatracker.ietf.org/doc/html/rfc5746
|
||||
* - Secure Renegotiation (SCR)
|
||||
* - https://datatracker.ietf.org/doc/rfc4492/
|
||||
* - Point Frame (PF)
|
||||
* - https://datatracker.ietf.org/doc/rfc9000/
|
||||
* - QUIC (QTP)
|
||||
* - https://datatracker.ietf.org/doc/html/rfc5077
|
||||
* - Session Ticket (STK)
|
||||
* Example:
|
||||
* For `WOLFSSL_CSR_MIN_SIZE_CLIENT = 5`, 5 was determined by looking at the
|
||||
* struct below defined in its respective RFC.
|
||||
* The below struct for `CertificateStatusRequest` is made up of the types:
|
||||
* `CertificateStatusType` is an enum with a max value of 255, thus its
|
||||
* length is 1 byte.
|
||||
* `OCSPStatusRequest` is a struct of the following:
|
||||
* - `responder_id_list`: which is 2 bytes
|
||||
* - `request_extensions`: which is 2 bytes
|
||||
* This then gives the minimum size/length of 5 bytes for this extension
|
||||
* for the client
|
||||
* struct {
|
||||
* CertificateStatusType status_type;
|
||||
* select (status_type) {
|
||||
* case ocsp: OCSPStatusRequest;
|
||||
* } request;
|
||||
* } CertificateStatusRequest;
|
||||
* enum { ocsp(1), (255) } CertificateStatusType;
|
||||
* struct {
|
||||
* ResponderID responder_id_list<0..2^16-1>;
|
||||
* Extensions request_extensions;
|
||||
* } OCSPStatusRequest;
|
||||
* opaque ResponderID<1..2^16-1>;
|
||||
* opaque Extensions<0..2^16-1>;
|
||||
*/
|
||||
|
||||
#ifndef WOLFSSL_SNI_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_SNI_MIN_SIZE_CLIENT 4
|
||||
#endif
|
||||
#ifndef WOLFSSL_SNI_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_SNI_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_EDI_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_EDI_MIN_SIZE_CLIENT 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_EDI_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_EDI_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_TCA_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_TCA_MIN_SIZE_CLIENT 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_TCA_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_TCA_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_CSR_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_CSR_MIN_SIZE_CLIENT 5
|
||||
#endif
|
||||
#ifndef WOLFSSL_CSR_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_CSR_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_PKM_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_PKM_MIN_SIZE_CLIENT 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_PKM_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_PKM_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_CSR2_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_CSR2_MIN_SIZE_CLIENT 7
|
||||
#endif
|
||||
#ifndef WOLFSSL_CSR2_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_CSR2_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_CID_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_CID_MIN_SIZE_CLIENT 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_CID_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_CID_MIN_SIZE_SERVER 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_ALPN_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_ALPN_MIN_SIZE_CLIENT 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_ALPN_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_ALPN_MIN_SIZE_SERVER 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_SRTP_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_SRTP_MIN_SIZE_CLIENT 3
|
||||
#endif
|
||||
#ifndef WOLFSSL_SRTP_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_SRTP_MIN_SIZE_SERVER 3
|
||||
#endif
|
||||
#ifndef WOLFSSL_KS_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_KS_MIN_SIZE_CLIENT 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_KS_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_KS_MIN_SIZE_SERVER 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_ETM_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_ETM_MIN_SIZE_CLIENT 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_ETM_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_ETM_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_PSK_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_PSK_MIN_SIZE_CLIENT 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_PSK_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_PSK_MIN_SIZE_SERVER 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_CCT_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_CCT_MIN_SIZE_CLIENT 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_CCT_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_CCT_MIN_SIZE_SERVER 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_SCT_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_SCT_MIN_SIZE_CLIENT 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_SCT_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_SCT_MIN_SIZE_SERVER 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_PHA_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_PHA_MIN_SIZE_CLIENT 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_PHA_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_PHA_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_THM_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_THM_MIN_SIZE_CLIENT 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_THM_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_THM_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_SA_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_SA_MIN_SIZE_CLIENT 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_SA_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_SA_MIN_SIZE_SERVER 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_SAC_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_SAC_MIN_SIZE_CLIENT 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_SAC_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_SAC_MIN_SIZE_SERVER 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_EC_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_EC_MIN_SIZE_CLIENT 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_EC_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_EC_MIN_SIZE_SERVER 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_ECH_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_ECH_MIN_SIZE_CLIENT 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_ECH_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_ECH_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_MFL_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_MFL_MIN_SIZE_CLIENT 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_MFL_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_MFL_MIN_SIZE_SERVER 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_CKE_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_CKE_MIN_SIZE_CLIENT 3
|
||||
#endif
|
||||
#ifndef WOLFSSL_CKE_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_CKE_MIN_SIZE_SERVER 3
|
||||
#endif
|
||||
#ifndef WOLFSSL_SV_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_SV_MIN_SIZE_CLIENT 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_SV_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_SV_MIN_SIZE_SERVER 2
|
||||
#endif
|
||||
#ifndef WOLFSSL_SCR_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_SCR_MIN_SIZE_CLIENT 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_SCR_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_SCR_MIN_SIZE_SERVER 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_PF_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_PF_MIN_SIZE_CLIENT 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_PF_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_PF_MIN_SIZE_SERVER 1
|
||||
#endif
|
||||
#ifndef WOLFSSL_CAN_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_CAN_MIN_SIZE_CLIENT 3
|
||||
#endif
|
||||
#ifndef WOLFSSL_CAN_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_CAN_MIN_SIZE_SERVER 3
|
||||
#endif
|
||||
#ifndef WOLFSSL_QTP_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_QTP_MIN_SIZE_CLIENT 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_QTP_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_QTP_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_STK_MIN_SIZE_CLIENT
|
||||
#define WOLFSSL_STK_MIN_SIZE_CLIENT 0
|
||||
#endif
|
||||
#ifndef WOLFSSL_STK_MIN_SIZE_SERVER
|
||||
#define WOLFSSL_STK_MIN_SIZE_SERVER 0
|
||||
#endif
|
||||
|
||||
#ifdef __cplusplus
|
||||
} /* extern "C" */
|
||||
#endif
|
||||
|
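Review bot: The comment block introducing the `WOLFSSL_*_MIN_SIZE_*` macros has wording errors that will ship in the public header: `where determined` should be `were determined`, `necassary` should be `necessary`, and `Point Frame (PF)` does not name the extension it refers to (ec_point_formats, RFC 4492), so `Point Formats (PF)` would be clearer. It would also help readers to state what a value of 0 means, since many server-side entries (SNI, EDI, ETM, PHA, THM, QTP, STK, ECH) default to 0 and therefore make the new check a no-op for that type; a sentence such as `A value of 0 means no minimum is enforced for that extension in that direction.` after the 'length of 0 was assumed' sentence would do. Finally, `WOLFSSL_SAC_MIN_SIZE_*` and `WOLFSSL_SV_MIN_SIZE_*` are defined here but are not consulted by the jump tables in src/tls.c in this commit, which is worth either wiring up there or documenting here so that overriding them does not surprise users.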