mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-07-31 19:24:42 +02:00
Remove authentication related logic from TLSX_ValidateSupportedCurves()
This commit is contained in:
Anthony Hu
60
src/tls.c
60
src/tls.c
@@ -4347,11 +4347,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
TLSX* extension = NULL;
|
TLSX* extension = NULL;
|
||||||
SupportedCurve* curve = NULL;
|
SupportedCurve* curve = NULL;
|
||||||
word32 oid = 0;
|
word32 oid = 0;
|
||||||
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_ED25519) || \
|
|
||||||
defined(HAVE_CURVE448) || defined(HAVE_ED448) || \
|
|
||||||
(!defined(NO_RSA) && defined(WOLFSSL_STATIC_DH))
|
|
||||||
word32 pkOid = 0;
|
|
||||||
#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 || (!NO_RSA && STATIC_DH) */
|
|
||||||
word32 defOid = 0;
|
word32 defOid = 0;
|
||||||
word32 defSz = 80; /* Maximum known curve size is 66. */
|
word32 defSz = 80; /* Maximum known curve size is 66. */
|
||||||
word32 nextOid = 0;
|
word32 nextOid = 0;
|
||||||
@@ -4359,11 +4354,9 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
word32 currOid = ssl->ecdhCurveOID;
|
word32 currOid = ssl->ecdhCurveOID;
|
||||||
int ephmSuite = 0;
|
int ephmSuite = 0;
|
||||||
word16 octets = 0; /* according to 'ecc_set_type ecc_sets[];' */
|
word16 octets = 0; /* according to 'ecc_set_type ecc_sets[];' */
|
||||||
int sig = 0; /* validate signature */
|
|
||||||
int key = 0; /* validate key */
|
int key = 0; /* validate key */
|
||||||
|
|
||||||
(void)oid;
|
(void)oid;
|
||||||
(void)pkOid;
|
|
||||||
|
|
||||||
if (first == CHACHA_BYTE) {
|
if (first == CHACHA_BYTE) {
|
||||||
switch (second) {
|
switch (second) {
|
||||||
@@ -4384,7 +4377,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
return 1; /* no suite restriction */
|
return 1; /* no suite restriction */
|
||||||
|
|
||||||
for (curve = (SupportedCurve*)extension->data;
|
for (curve = (SupportedCurve*)extension->data;
|
||||||
curve && !(sig && key);
|
curve && !key;
|
||||||
curve = curve->next) {
|
curve = curve->next) {
|
||||||
|
|
||||||
#ifdef OPENSSL_EXTRA
|
#ifdef OPENSSL_EXTRA
|
||||||
@@ -4402,19 +4395,19 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
|
#if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP160R1:
|
case WOLFSSL_ECC_SECP160R1:
|
||||||
pkOid = oid = ECC_SECP160R1_OID;
|
oid = ECC_SECP160R1_OID;
|
||||||
octets = 20;
|
octets = 20;
|
||||||
break;
|
break;
|
||||||
#endif /* !NO_ECC_SECP */
|
#endif /* !NO_ECC_SECP */
|
||||||
#ifdef HAVE_ECC_SECPR2
|
#ifdef HAVE_ECC_SECPR2
|
||||||
case WOLFSSL_ECC_SECP160R2:
|
case WOLFSSL_ECC_SECP160R2:
|
||||||
pkOid = oid = ECC_SECP160R2_OID;
|
oid = ECC_SECP160R2_OID;
|
||||||
octets = 20;
|
octets = 20;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC_SECPR2 */
|
#endif /* HAVE_ECC_SECPR2 */
|
||||||
#ifdef HAVE_ECC_KOBLITZ
|
#ifdef HAVE_ECC_KOBLITZ
|
||||||
case WOLFSSL_ECC_SECP160K1:
|
case WOLFSSL_ECC_SECP160K1:
|
||||||
pkOid = oid = ECC_SECP160K1_OID;
|
oid = ECC_SECP160K1_OID;
|
||||||
octets = 20;
|
octets = 20;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC_KOBLITZ */
|
#endif /* HAVE_ECC_KOBLITZ */
|
||||||
@@ -4422,13 +4415,13 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
|
#if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP192R1:
|
case WOLFSSL_ECC_SECP192R1:
|
||||||
pkOid = oid = ECC_SECP192R1_OID;
|
oid = ECC_SECP192R1_OID;
|
||||||
octets = 24;
|
octets = 24;
|
||||||
break;
|
break;
|
||||||
#endif /* !NO_ECC_SECP */
|
#endif /* !NO_ECC_SECP */
|
||||||
#ifdef HAVE_ECC_KOBLITZ
|
#ifdef HAVE_ECC_KOBLITZ
|
||||||
case WOLFSSL_ECC_SECP192K1:
|
case WOLFSSL_ECC_SECP192K1:
|
||||||
pkOid = oid = ECC_SECP192K1_OID;
|
oid = ECC_SECP192K1_OID;
|
||||||
octets = 24;
|
octets = 24;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC_KOBLITZ */
|
#endif /* HAVE_ECC_KOBLITZ */
|
||||||
@@ -4436,13 +4429,13 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
|
#if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP224R1:
|
case WOLFSSL_ECC_SECP224R1:
|
||||||
pkOid = oid = ECC_SECP224R1_OID;
|
oid = ECC_SECP224R1_OID;
|
||||||
octets = 28;
|
octets = 28;
|
||||||
break;
|
break;
|
||||||
#endif /* !NO_ECC_SECP */
|
#endif /* !NO_ECC_SECP */
|
||||||
#ifdef HAVE_ECC_KOBLITZ
|
#ifdef HAVE_ECC_KOBLITZ
|
||||||
case WOLFSSL_ECC_SECP224K1:
|
case WOLFSSL_ECC_SECP224K1:
|
||||||
pkOid = oid = ECC_SECP224K1_OID;
|
oid = ECC_SECP224K1_OID;
|
||||||
octets = 28;
|
octets = 28;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC_KOBLITZ */
|
#endif /* HAVE_ECC_KOBLITZ */
|
||||||
@@ -4450,7 +4443,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
|
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP256R1:
|
case WOLFSSL_ECC_SECP256R1:
|
||||||
pkOid = oid = ECC_SECP256R1_OID;
|
oid = ECC_SECP256R1_OID;
|
||||||
octets = 32;
|
octets = 32;
|
||||||
break;
|
break;
|
||||||
#endif /* !NO_ECC_SECP */
|
#endif /* !NO_ECC_SECP */
|
||||||
@@ -4459,11 +4452,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (defined(HAVE_CURVE25519) || defined(HAVE_ED25519)) && ECC_MIN_KEY_SZ <= 256
|
#if (defined(HAVE_CURVE25519) || defined(HAVE_ED25519)) && ECC_MIN_KEY_SZ <= 256
|
||||||
case WOLFSSL_ECC_X25519:
|
case WOLFSSL_ECC_X25519:
|
||||||
oid = ECC_X25519_OID;
|
oid = ECC_X25519_OID;
|
||||||
#ifdef HAVE_ED25519
|
|
||||||
pkOid = ECC_ED25519_OID;
|
|
||||||
#else
|
|
||||||
pkOid = ECC_X25519_OID;
|
|
||||||
#endif
|
|
||||||
octets = 32;
|
octets = 32;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_CURVE25519 */
|
#endif /* HAVE_CURVE25519 */
|
||||||
@@ -4471,13 +4459,13 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
|
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
|
||||||
#ifdef HAVE_ECC_KOBLITZ
|
#ifdef HAVE_ECC_KOBLITZ
|
||||||
case WOLFSSL_ECC_SECP256K1:
|
case WOLFSSL_ECC_SECP256K1:
|
||||||
pkOid = oid = ECC_SECP256K1_OID;
|
oid = ECC_SECP256K1_OID;
|
||||||
octets = 32;
|
octets = 32;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC_KOBLITZ */
|
#endif /* HAVE_ECC_KOBLITZ */
|
||||||
#ifdef HAVE_ECC_BRAINPOOL
|
#ifdef HAVE_ECC_BRAINPOOL
|
||||||
case WOLFSSL_ECC_BRAINPOOLP256R1:
|
case WOLFSSL_ECC_BRAINPOOLP256R1:
|
||||||
pkOid = oid = ECC_BRAINPOOLP256R1_OID;
|
oid = ECC_BRAINPOOLP256R1_OID;
|
||||||
octets = 32;
|
octets = 32;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC_BRAINPOOL */
|
#endif /* HAVE_ECC_BRAINPOOL */
|
||||||
@@ -4485,13 +4473,13 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
|
#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP384R1:
|
case WOLFSSL_ECC_SECP384R1:
|
||||||
pkOid = oid = ECC_SECP384R1_OID;
|
oid = ECC_SECP384R1_OID;
|
||||||
octets = 48;
|
octets = 48;
|
||||||
break;
|
break;
|
||||||
#endif /* !NO_ECC_SECP */
|
#endif /* !NO_ECC_SECP */
|
||||||
#ifdef HAVE_ECC_BRAINPOOL
|
#ifdef HAVE_ECC_BRAINPOOL
|
||||||
case WOLFSSL_ECC_BRAINPOOLP384R1:
|
case WOLFSSL_ECC_BRAINPOOLP384R1:
|
||||||
pkOid = oid = ECC_BRAINPOOLP384R1_OID;
|
oid = ECC_BRAINPOOLP384R1_OID;
|
||||||
octets = 48;
|
octets = 48;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC_BRAINPOOL */
|
#endif /* HAVE_ECC_BRAINPOOL */
|
||||||
@@ -4500,11 +4488,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (defined(HAVE_CURVE448) || defined(HAVE_ED448)) && ECC_MIN_KEY_SZ <= 448
|
#if (defined(HAVE_CURVE448) || defined(HAVE_ED448)) && ECC_MIN_KEY_SZ <= 448
|
||||||
case WOLFSSL_ECC_X448:
|
case WOLFSSL_ECC_X448:
|
||||||
oid = ECC_X448_OID;
|
oid = ECC_X448_OID;
|
||||||
#ifdef HAVE_ED448
|
|
||||||
pkOid = ECC_ED448_OID;
|
|
||||||
#else
|
|
||||||
pkOid = ECC_X448_OID;
|
|
||||||
#endif
|
|
||||||
octets = 57;
|
octets = 57;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_CURVE448 */
|
#endif /* HAVE_CURVE448 */
|
||||||
@@ -4512,7 +4495,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
|
#if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
|
||||||
#ifdef HAVE_ECC_BRAINPOOL
|
#ifdef HAVE_ECC_BRAINPOOL
|
||||||
case WOLFSSL_ECC_BRAINPOOLP512R1:
|
case WOLFSSL_ECC_BRAINPOOLP512R1:
|
||||||
pkOid = oid = ECC_BRAINPOOLP512R1_OID;
|
oid = ECC_BRAINPOOLP512R1_OID;
|
||||||
octets = 64;
|
octets = 64;
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC_BRAINPOOL */
|
#endif /* HAVE_ECC_BRAINPOOL */
|
||||||
@@ -4520,7 +4503,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
|
#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
|
||||||
#ifndef NO_ECC_SECP
|
#ifndef NO_ECC_SECP
|
||||||
case WOLFSSL_ECC_SECP521R1:
|
case WOLFSSL_ECC_SECP521R1:
|
||||||
pkOid = oid = ECC_SECP521R1_OID;
|
oid = ECC_SECP521R1_OID;
|
||||||
octets = 66;
|
octets = 66;
|
||||||
break;
|
break;
|
||||||
#endif /* !NO_ECC_SECP */
|
#endif /* !NO_ECC_SECP */
|
||||||
@@ -4571,7 +4554,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
|
case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
|
||||||
case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
|
case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
|
||||||
case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
|
case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
|
||||||
sig |= ssl->pkCurveOID == pkOid;
|
|
||||||
key |= ssl->ecdhCurveOID == oid;
|
key |= ssl->ecdhCurveOID == oid;
|
||||||
ephmSuite = 1;
|
ephmSuite = 1;
|
||||||
break;
|
break;
|
||||||
@@ -4594,7 +4576,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
defOid = 0;
|
defOid = 0;
|
||||||
defSz = 80;
|
defSz = 80;
|
||||||
}
|
}
|
||||||
sig |= ssl->pkCurveOID == pkOid;
|
|
||||||
key |= ssl->pkCurveOID == oid;
|
key |= ssl->pkCurveOID == oid;
|
||||||
break;
|
break;
|
||||||
#endif /* WOLFSSL_STATIC_DH */
|
#endif /* WOLFSSL_STATIC_DH */
|
||||||
@@ -4609,7 +4590,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
|
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
|
||||||
case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
|
case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
|
||||||
case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
|
case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
|
||||||
sig = 1;
|
|
||||||
key |= ssl->ecdhCurveOID == oid;
|
key |= ssl->ecdhCurveOID == oid;
|
||||||
ephmSuite = 1;
|
ephmSuite = 1;
|
||||||
break;
|
break;
|
||||||
@@ -4632,8 +4612,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
defOid = 0;
|
defOid = 0;
|
||||||
defSz = 80;
|
defSz = 80;
|
||||||
}
|
}
|
||||||
sig = 1;
|
|
||||||
key |= ssl->pkCurveOID == pkOid;
|
|
||||||
break;
|
break;
|
||||||
#endif /* HAVE_ECC && WOLFSSL_STATIC_DH */
|
#endif /* HAVE_ECC && WOLFSSL_STATIC_DH */
|
||||||
#endif
|
#endif
|
||||||
@@ -4646,9 +4624,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
defOid = 0;
|
defOid = 0;
|
||||||
defSz = 80;
|
defSz = 80;
|
||||||
}
|
}
|
||||||
if (oid != ECC_X25519_OID && oid != ECC_X448_OID) {
|
|
||||||
sig = 1;
|
|
||||||
}
|
|
||||||
key = 1;
|
key = 1;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -4661,7 +4636,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
/* ECDHE_ECDSA */
|
/* ECDHE_ECDSA */
|
||||||
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
|
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
|
||||||
case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
|
case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
|
||||||
sig |= ssl->pkCurveOID == pkOid;
|
|
||||||
key |= ssl->ecdhCurveOID == oid;
|
key |= ssl->ecdhCurveOID == oid;
|
||||||
ephmSuite = 1;
|
ephmSuite = 1;
|
||||||
break;
|
break;
|
||||||
@@ -4670,13 +4644,11 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
/* ECDHE_RSA */
|
/* ECDHE_RSA */
|
||||||
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
|
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
|
||||||
case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
|
case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
|
||||||
sig = 1;
|
|
||||||
key |= ssl->ecdhCurveOID == oid;
|
key |= ssl->ecdhCurveOID == oid;
|
||||||
ephmSuite = 1;
|
ephmSuite = 1;
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
default:
|
default:
|
||||||
sig = 1;
|
|
||||||
key = 1;
|
key = 1;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -4708,7 +4680,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
|
|||||||
if (ssl->ecdhCurveOID == 0 && ephmSuite)
|
if (ssl->ecdhCurveOID == 0 && ephmSuite)
|
||||||
key = 0;
|
key = 0;
|
||||||
|
|
||||||
return sig && key;
|
return key;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user