wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 11:17:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Re-order the default supported curve groups by strength. Some TLS servers pick the top choice instead of the strongest.

Browse Source
This commit is contained in:
David Garske
2018-09-21 08:54:32 -07:00
parent 427c62e04a
commit 39019c2418
1 changed files with 98 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

193
src/tls.c
View File

@ -8762,6 +8762,7 @@ static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name)
((defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && \ ((defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && \
defined(HAVE_SUPPORTED_CURVES)) defined(HAVE_SUPPORTED_CURVES))
/* Populates the default supported groups / curves */
static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions) static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
{ {
int ret = WOLFSSL_SUCCESS; int ret = WOLFSSL_SUCCESS;
@ -8786,7 +8787,87 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
/* list in order by strength, since not all servers choose by stength */
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP521R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP384R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP256R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP256K1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */
#ifndef HAVE_FIPS #ifndef HAVE_FIPS
#if defined(HAVE_CURVE25519)
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_X25519, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif /* HAVE_FIPS */
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP224R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP224K1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#ifndef HAVE_FIPS
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP192R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP192K1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP #ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions, ret = TLSX_UseSupportedCurve(extensions,
@ -8804,107 +8885,15 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
if (ret != WOLFSSL_SUCCESS) return ret; if (ret != WOLFSSL_SUCCESS) return ret;
#endif #endif
#endif #endif
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP192R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP192K1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP224R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP224K1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP256R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */
#ifndef HAVE_FIPS
#if defined(HAVE_CURVE25519)
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_X25519, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif /* HAVE_FIPS */ #endif /* HAVE_FIPS */
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP256K1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP384R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_ECC_SECP521R1, ssl->heap);
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */ #endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version)) { if (IsAtLeastTLSv1_3(ssl->version)) {
/* Add FFDHE supported groups. */ /* Add FFDHE supported groups. */
#ifdef HAVE_FFDHE_2048 #ifdef HAVE_FFDHE_8192
ret = TLSX_UseSupportedCurve(extensions, ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_FFDHE_2048, ssl->heap); WOLFSSL_FFDHE_8192, ssl->heap);
if (ret != WOLFSSL_SUCCESS)
return ret;
#endif
#ifdef HAVE_FFDHE_3072
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_FFDHE_3072, ssl->heap);
if (ret != WOLFSSL_SUCCESS)
return ret;
#endif
#ifdef HAVE_FFDHE_4096
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_FFDHE_4096, ssl->heap);
if (ret != WOLFSSL_SUCCESS) if (ret != WOLFSSL_SUCCESS)
return ret; return ret;
#endif #endif
@ -8914,9 +8903,21 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
if (ret != WOLFSSL_SUCCESS) if (ret != WOLFSSL_SUCCESS)
return ret; return ret;
#endif #endif
#ifdef HAVE_FFDHE_8192 #ifdef HAVE_FFDHE_4096
ret = TLSX_UseSupportedCurve(extensions, ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_FFDHE_8192, ssl->heap); WOLFSSL_FFDHE_4096, ssl->heap);
if (ret != WOLFSSL_SUCCESS)
return ret;
#endif
#ifdef HAVE_FFDHE_3072
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_FFDHE_3072, ssl->heap);
if (ret != WOLFSSL_SUCCESS)
return ret;
#endif
#ifdef HAVE_FFDHE_2048
ret = TLSX_UseSupportedCurve(extensions,
WOLFSSL_FFDHE_2048, ssl->heap);
if (ret != WOLFSSL_SUCCESS) if (ret != WOLFSSL_SUCCESS)
return ret; return ret;
#endif #endif