diff --git a/src/tls.c b/src/tls.c
index 06c66344f..d03540e01 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -4092,8 +4092,11 @@ static int TLSX_SupportedCurve_Parse(WOLFSSL* ssl, const byte* input,
 ato16(input + offset, &name);
 ret = TLSX_UseSupportedCurve(&ssl->extensions, name, ssl->heap);
- if (ret != WOLFSSL_SUCCESS)
- return ret; /* throw error */
+ /* If it is BAD_FUNC_ARG then it is a group we do not support, but
+ * that is fine. */
+ if (ret != WOLFSSL_SUCCESS && ret != BAD_FUNC_ARG) {
+ return ret;
+ }
 }
 return 0;
@@ -4344,11 +4347,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 TLSX* extension = NULL;
 SupportedCurve* curve = NULL;
 word32 oid = 0;
-#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_ED25519) || \
- defined(HAVE_CURVE448) || defined(HAVE_ED448) || \
- (!defined(NO_RSA) && defined(WOLFSSL_STATIC_DH))
- word32 pkOid = 0;
-#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 || (!NO_RSA && STATIC_DH) */
 word32 defOid = 0;
 word32 defSz = 80; /* Maximum known curve size is 66. */
 word32 nextOid = 0;
@@ -4356,11 +4354,9 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 word32 currOid = ssl->ecdhCurveOID;
 int ephmSuite = 0;
 word16 octets = 0; /* according to 'ecc_set_type ecc_sets[];' */
- int sig = 0; /* validate signature */
 int key = 0; /* validate key */
 (void)oid;
- (void)pkOid;
 if (first == CHACHA_BYTE) {
 switch (second) {
@@ -4381,7 +4377,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 return 1; /* no suite restriction */
 for (curve = (SupportedCurve*)extension->data;
- curve && !(sig && key);
+ curve && !key;
 curve = curve->next) {
 #ifdef OPENSSL_EXTRA
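Review bot: Skipping on `ret == BAD_FUNC_ARG` in TLSX_SupportedCurve_Parse drops every unsupported name silently, so a peer list made up only of unsupported groups leaves no group recorded for the extension. TLSX_ValidateSupportedCurves has a `return 1; /* no suite restriction */` path (its condition is outside the hunks), and if that path is taken when nothing was stored, such a peer would be handled like one that sent no supported-groups extension at all. The tolerance is also wider than the new comment says, because BAD_FUNC_ARG is what TLSX_UseSupportedCurve returns for a NULL `extensions` as well. Consider counting the names accepted in this loop and rejecting an all-unsupported list, or at least recording the caveat: `/* NOTE: an all-unsupported list stores no group; callers must not read that as "no restriction". */`. The loop header is outside the hunk.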
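Review bot: Nothing in TLSX_ValidateSupportedCurves now records that the certificate key's curve (`ssl->pkCurveOID`) is deliberately left unchecked: the `-4344` hunk drops `pkOid`, and the later hunks in this function drop every `sig` update down to `return key;`. On the old side an ECDHE_ECDSA suite passed only when `sig |= ssl->pkCurveOID == pkOid` had matched an entry of the peer's list; on the new side only the key-exchange curve is compared. If that is intended, a comment at the return would keep the next maintainer from assuming the certificate curve is still covered, e.g. `/* Only the key-exchange curve is validated here; the certificate curve is not matched against the peer's supported groups. */`.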
@@ -4399,19 +4395,19 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
 #ifndef NO_ECC_SECP
 case WOLFSSL_ECC_SECP160R1:
- pkOid = oid = ECC_SECP160R1_OID;
+ oid = ECC_SECP160R1_OID;
 octets = 20;
 break;
 #endif /* !NO_ECC_SECP */
 #ifdef HAVE_ECC_SECPR2
 case WOLFSSL_ECC_SECP160R2:
- pkOid = oid = ECC_SECP160R2_OID;
+ oid = ECC_SECP160R2_OID;
 octets = 20;
 break;
 #endif /* HAVE_ECC_SECPR2 */
 #ifdef HAVE_ECC_KOBLITZ
 case WOLFSSL_ECC_SECP160K1:
- pkOid = oid = ECC_SECP160K1_OID;
+ oid = ECC_SECP160K1_OID;
 octets = 20;
 break;
 #endif /* HAVE_ECC_KOBLITZ */
@@ -4419,13 +4415,13 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
 #ifndef NO_ECC_SECP
 case WOLFSSL_ECC_SECP192R1:
- pkOid = oid = ECC_SECP192R1_OID;
+ oid = ECC_SECP192R1_OID;
 octets = 24;
 break;
 #endif /* !NO_ECC_SECP */
 #ifdef HAVE_ECC_KOBLITZ
 case WOLFSSL_ECC_SECP192K1:
- pkOid = oid = ECC_SECP192K1_OID;
+ oid = ECC_SECP192K1_OID;
 octets = 24;
 break;
 #endif /* HAVE_ECC_KOBLITZ */
@@ -4433,13 +4429,13 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
 #ifndef NO_ECC_SECP
 case WOLFSSL_ECC_SECP224R1:
- pkOid = oid = ECC_SECP224R1_OID;
+ oid = ECC_SECP224R1_OID;
 octets = 28;
 break;
 #endif /* !NO_ECC_SECP */
 #ifdef HAVE_ECC_KOBLITZ
 case WOLFSSL_ECC_SECP224K1:
- pkOid = oid = ECC_SECP224K1_OID;
+ oid = ECC_SECP224K1_OID;
 octets = 28;
 break;
 #endif /* HAVE_ECC_KOBLITZ */
@@ -4447,7 +4443,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
 #ifndef NO_ECC_SECP
 case WOLFSSL_ECC_SECP256R1:
- pkOid = oid = ECC_SECP256R1_OID;
+ oid = ECC_SECP256R1_OID;
 octets = 32;
 break;
 #endif /* !NO_ECC_SECP */
@@ -4456,11 +4452,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (defined(HAVE_CURVE25519) || defined(HAVE_ED25519)) && ECC_MIN_KEY_SZ <= 256
 case WOLFSSL_ECC_X25519:
 oid = ECC_X25519_OID;
- #ifdef HAVE_ED25519
- pkOid = ECC_ED25519_OID;
- #else
- pkOid = ECC_X25519_OID;
- #endif
 octets = 32;
 break;
 #endif /* HAVE_CURVE25519 */
@@ -4468,13 +4459,13 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
 #ifdef HAVE_ECC_KOBLITZ
 case WOLFSSL_ECC_SECP256K1:
- pkOid = oid = ECC_SECP256K1_OID;
+ oid = ECC_SECP256K1_OID;
 octets = 32;
 break;
 #endif /* HAVE_ECC_KOBLITZ */
 #ifdef HAVE_ECC_BRAINPOOL
 case WOLFSSL_ECC_BRAINPOOLP256R1:
- pkOid = oid = ECC_BRAINPOOLP256R1_OID;
+ oid = ECC_BRAINPOOLP256R1_OID;
 octets = 32;
 break;
 #endif /* HAVE_ECC_BRAINPOOL */
@@ -4482,13 +4473,13 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
 #ifndef NO_ECC_SECP
 case WOLFSSL_ECC_SECP384R1:
- pkOid = oid = ECC_SECP384R1_OID;
+ oid = ECC_SECP384R1_OID;
 octets = 48;
 break;
 #endif /* !NO_ECC_SECP */
 #ifdef HAVE_ECC_BRAINPOOL
 case WOLFSSL_ECC_BRAINPOOLP384R1:
- pkOid = oid = ECC_BRAINPOOLP384R1_OID;
+ oid = ECC_BRAINPOOLP384R1_OID;
 octets = 48;
 break;
 #endif /* HAVE_ECC_BRAINPOOL */
@@ -4497,11 +4488,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (defined(HAVE_CURVE448) || defined(HAVE_ED448)) && ECC_MIN_KEY_SZ <= 448
 case WOLFSSL_ECC_X448:
 oid = ECC_X448_OID;
- #ifdef HAVE_ED448
- pkOid = ECC_ED448_OID;
- #else
- pkOid = ECC_X448_OID;
- #endif
 octets = 57;
 break;
 #endif /* HAVE_CURVE448 */
@@ -4509,7 +4495,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
 #ifdef HAVE_ECC_BRAINPOOL
 case WOLFSSL_ECC_BRAINPOOLP512R1:
- pkOid = oid = ECC_BRAINPOOLP512R1_OID;
+ oid = ECC_BRAINPOOLP512R1_OID;
 octets = 64;
 break;
 #endif /* HAVE_ECC_BRAINPOOL */
@@ -4517,7 +4503,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
 #ifndef NO_ECC_SECP
 case WOLFSSL_ECC_SECP521R1:
- pkOid = oid = ECC_SECP521R1_OID;
+ oid = ECC_SECP521R1_OID;
 octets = 66;
 break;
 #endif /* !NO_ECC_SECP */
@@ -4568,7 +4554,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
 case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
- sig |= ssl->pkCurveOID == pkOid;
 key |= ssl->ecdhCurveOID == oid;
 ephmSuite = 1;
 break;
@@ -4591,7 +4576,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 defOid = 0;
 defSz = 80;
 }
- sig |= ssl->pkCurveOID == pkOid;
 key |= ssl->pkCurveOID == oid;
 break;
 #endif /* WOLFSSL_STATIC_DH */
@@ -4606,7 +4590,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
- sig = 1;
 key |= ssl->ecdhCurveOID == oid;
 ephmSuite = 1;
 break;
@@ -4629,8 +4612,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 defOid = 0;
 defSz = 80;
 }
- sig = 1;
- key |= ssl->pkCurveOID == pkOid;
 break;
 #endif /* HAVE_ECC && WOLFSSL_STATIC_DH */
 #endif
@@ -4643,9 +4624,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 defOid = 0;
 defSz = 80;
 }
- if (oid != ECC_X25519_OID && oid != ECC_X448_OID) {
- sig = 1;
- }
 key = 1;
 break;
 }
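Review bot: The case that ends at `#endif /* HAVE_ECC && WOLFSSL_STATIC_DH */` (the `-4629` hunk) loses its only `key` update, because `key |= ssl->pkCurveOID == pkOid;` is deleted together with `sig = 1;`. The parallel static-DH case in the `-4591` hunk keeps `key |= ssl->pkCurveOID == oid;`, so the two branches no longer agree. With the function now ending in `return key;`, the suites handled by this case look unselectable unless code between the loop and the return, which is outside the hunks, sets `key`. The deleted line probably should have become `key |= ssl->pkCurveOID == oid;`. The case labels of this branch are outside the hunk.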
@@ -4658,7 +4636,6 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 /* ECDHE_ECDSA */
 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
 case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
- sig |= ssl->pkCurveOID == pkOid;
 key |= ssl->ecdhCurveOID == oid;
 ephmSuite = 1;
 break;
@@ -4667,13 +4644,11 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 /* ECDHE_RSA */
 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
 case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
- sig = 1;
 key |= ssl->ecdhCurveOID == oid;
 ephmSuite = 1;
 break;
 #endif
 default:
- sig = 1;
 key = 1;
 break;
 }
@@ -4705,7 +4680,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
 if (ssl->ecdhCurveOID == 0 && ephmSuite) key = 0;
- return sig && key;
+ return key;
 }
 #endif
@@ -4717,8 +4692,15 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name, void* heap)
 SupportedCurve* curve = NULL;
 int ret;
- if (extensions == NULL)
+ if (extensions == NULL) {
 return BAD_FUNC_ARG;
+ }
+
+#ifdef WOLFSSL_TLS13
+ if (! TLSX_KeyShare_IsSupported(name)) {
+ return BAD_FUNC_ARG;
+ }
+#endif
 extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
@@ -8379,10 +8361,18 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
 break;
 #endif
 #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
+ #ifdef HAVE_ECC_KOBLITZ
+ case WOLFSSL_ECC_SECP256K1:
+ break;
+ #endif
 #ifndef NO_ECC_SECP
 case WOLFSSL_ECC_SECP256R1:
 break;
 #endif /* !NO_ECC_SECP */
+ #ifdef HAVE_ECC_BRAINPOOL
+ case WOLFSSL_ECC_BRAINPOOLP256R1:
+ break;
+ #endif
 #endif
 #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
 case WOLFSSL_ECC_X25519:
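Review bot: The support check added to TLSX_UseSupportedCurve is compiled only under `WOLFSSL_TLS13`, so a build without TLS 1.3 still stores any 16-bit `name`, and the BAD_FUNC_ARG skip added in TLSX_SupportedCurve_Parse has nothing to act on there. The same return code now means both "extensions is NULL" and "group not supported", which callers cannot tell apart. Stating the contract on the function would help, e.g. `/* Returns BAD_FUNC_ARG when extensions is NULL or, in TLS 1.3 builds, when name is not a group this build supports. */`. The function body continues past the hunk.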
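Review bot: TLSX_KeyShare_IsSupported now answers yes for secp256k1 and brainpoolP256r1 in this hunk, and for the other brainpool curves and the 160/192/224-bit curves in the `-8397` and `-8404` hunks, although RFC 8446 section 4.2.7 puts those code points in its obsolete_RESERVED ranges, which TLS 1.3 implementations must not offer or negotiate. The cases serve the new call from TLSX_UseSupportedCurve, where the function acts as a supported-groups filter, but any caller that uses it to accept or choose a TLS 1.3 key share (outside these hunks) would now treat these groups as eligible. A separate predicate for the supported-groups filter would keep the two meanings apart; failing that, document it above the switch: `/* Also used to filter supported_groups for TLS 1.2; TLS 1.3 key-share selection must still restrict itself to the RFC 8446 groups. */`.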
@@ -8397,6 +8387,10 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
 case WOLFSSL_ECC_SECP384R1:
 break;
 #endif /* !NO_ECC_SECP */
+ #ifdef HAVE_ECC_BRAINPOOL
+ case WOLFSSL_ECC_BRAINPOOLP384R1:
+ break;
+ #endif
 #endif
 #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
 #ifndef NO_ECC_SECP
@@ -8404,6 +8398,46 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
 break;
 #endif /* !NO_ECC_SECP */
 #endif
+ #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
+ #ifdef HAVE_ECC_KOBLITZ
+ case WOLFSSL_ECC_SECP160K1:
+ break;
+ #endif
+ #ifndef NO_ECC_SECP
+ case WOLFSSL_ECC_SECP160R1:
+ break;
+ #endif
+ #ifdef HAVE_ECC_SECPR2
+ case WOLFSSL_ECC_SECP160R2:
+ break;
+ #endif
+ #endif
+ #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
+ #ifdef HAVE_ECC_KOBLITZ
+ case WOLFSSL_ECC_SECP192K1:
+ break;
+ #endif
+ #ifndef NO_ECC_SECP
+ case WOLFSSL_ECC_SECP192R1:
+ break;
+ #endif
+ #endif
+ #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
+ #ifdef HAVE_ECC_KOBLITZ
+ case WOLFSSL_ECC_SECP224K1:
+ break;
+ #endif
+ #ifndef NO_ECC_SECP
+ case WOLFSSL_ECC_SECP224R1:
+ break;
+ #endif
+ #endif
+ #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
+ #ifdef HAVE_ECC_BRAINPOOL
+ case WOLFSSL_ECC_BRAINPOOLP512R1:
+ break;
+ #endif
+ #endif
 #ifdef HAVE_LIBOQS
 case WOLFSSL_KYBER512:
 case WOLFSSL_KYBER768:
@@ -8418,6 +8452,9 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
 case WOLFSSL_KYBER90S512:
 case WOLFSSL_KYBER90S768:
 case WOLFSSL_KYBER90S1024:
+ if (! OQS_KEM_alg_is_enabled(OQS_ID2name(namedGroup))) {
+ return 0;
+ }
 break;
 #endif
 default:
@@ -8485,21 +8522,36 @@ static int TLSX_KeyShare_GroupRank(WOLFSSL* ssl, int group) #ifdef HAVE_FFDHE_8192 ssl->group[ssl->numGroups++] = WOLFSSL_FFDHE_8192; #endif - #ifdef HAVE_LIBOQS - ssl->group[ssl->numGroups++] = WOLFSSL_KYBER512; - ssl->group[ssl->numGroups++] = WOLFSSL_KYBER768; - ssl->group[ssl->numGroups++] = WOLFSSL_KYBER1024; - ssl->group[ssl->numGroups++] = WOLFSSL_NTRU_HPS2048509; - ssl->group[ssl->numGroups++] = WOLFSSL_NTRU_HPS2048677; - ssl->group[ssl->numGroups++] = WOLFSSL_NTRU_HPS4096821; - ssl->group[ssl->numGroups++] = WOLFSSL_NTRU_HRSS701; - ssl->group[ssl->numGroups++] = WOLFSSL_LIGHTSABER; - ssl->group[ssl->numGroups++] = WOLFSSL_SABER; - ssl->group[ssl->numGroups++] = WOLFSSL_FIRESABER; - ssl->group[ssl->numGroups++] = WOLFSSL_KYBER90S512; - ssl->group[ssl->numGroups++] = WOLFSSL_KYBER90S768; - ssl->group[ssl->numGroups++] = WOLFSSL_KYBER90S1024; + /* For the liboqs groups we need to do a runtime check because + * liboqs could be compiled to make an algorithm unavailable. 
+ */
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_KYBER512))
+ ssl->group[ssl->numGroups++] = WOLFSSL_KYBER512;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_KYBER768))
+ ssl->group[ssl->numGroups++] = WOLFSSL_KYBER768;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_KYBER1024))
+ ssl->group[ssl->numGroups++] = WOLFSSL_KYBER1024;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_NTRU_HPS2048509))
+ ssl->group[ssl->numGroups++] = WOLFSSL_NTRU_HPS2048509;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_NTRU_HPS2048677))
+ ssl->group[ssl->numGroups++] = WOLFSSL_NTRU_HPS2048677;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_NTRU_HPS4096821))
+ ssl->group[ssl->numGroups++] = WOLFSSL_NTRU_HPS4096821;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_NTRU_HRSS701))
+ ssl->group[ssl->numGroups++] = WOLFSSL_NTRU_HRSS701;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_LIGHTSABER))
+ ssl->group[ssl->numGroups++] = WOLFSSL_LIGHTSABER;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_SABER))
+ ssl->group[ssl->numGroups++] = WOLFSSL_SABER;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_FIRESABER))
+ ssl->group[ssl->numGroups++] = WOLFSSL_FIRESABER;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_KYBER90S512))
+ ssl->group[ssl->numGroups++] = WOLFSSL_KYBER90S512;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_KYBER90S768))
+ ssl->group[ssl->numGroups++] = WOLFSSL_KYBER90S768;
+ if (TLSX_KeyShare_IsSupported(WOLFSSL_KYBER90S1024))
+ ssl->group[ssl->numGroups++] = WOLFSSL_KYBER90S1024;
 #endif
 }
@@ -8621,7 +8673,7 @@ int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry)
 /* Check consistency now - extensions in any order. */
 if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group))
- return BAD_KEY_SHARE_DATA;
+ continue;
 if ((clientKSE->group & NAMED_DH_MASK) == 0) {
 /* Check max value supported. */
diff --git a/tests/api.c b/tests/api.c
index c6b0f5b73..eafb6dd27 100644
--- a/tests/api.c
+++ b/tests/api.c
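Review bot: The thirteen added `if (TLSX_KeyShare_IsSupported(...))` pairs in TLSX_KeyShare_GroupRank each append through `ssl->group[ssl->numGroups++]` with no check against the array's capacity, and they repeat the same two lines per group. The size of `ssl->group` is declared outside the hunk, so whether every default group fits cannot be confirmed from here. A table-driven loop with an explicit bound removes the repetition and makes the limit visible; the sketch below assumes the array holds WOLFSSL_MAX_GROUP_COUNT entries, which needs confirming. The function starts before the hunk and continues after it.

```c
/* … unchanged: FFDHE groups … */
/* liboqs may be built without some algorithms, so each group is checked
 * at run time before it is added. */
{
    static const int oqsGroups[] = {
        WOLFSSL_KYBER512, WOLFSSL_KYBER768, WOLFSSL_KYBER1024,
        WOLFSSL_NTRU_HPS2048509, WOLFSSL_NTRU_HPS2048677,
        WOLFSSL_NTRU_HPS4096821, WOLFSSL_NTRU_HRSS701,
        WOLFSSL_LIGHTSABER, WOLFSSL_SABER, WOLFSSL_FIRESABER,
        WOLFSSL_KYBER90S512, WOLFSSL_KYBER90S768, WOLFSSL_KYBER90S1024
    };
    size_t i;

    for (i = 0; i < sizeof(oqsGroups) / sizeof(oqsGroups[0]); i++) {
        /* assumes ssl->group holds WOLFSSL_MAX_GROUP_COUNT entries */
        if (ssl->numGroups >= WOLFSSL_MAX_GROUP_COUNT)
            break;
        if (TLSX_KeyShare_IsSupported(oqsGroups[i]))
            ssl->group[ssl->numGroups++] = oqsGroups[i];
    }
}
```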
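Review bot: The comment `/* Check consistency now - extensions in any order. */` in TLSX_KeyShare_Establish no longer matches the code, because `continue` accepts what the old `return BAD_KEY_SHARE_DATA;` rejected: a key share whose group is not in the stored supported-groups list. Since TLSX_UseSupportedCurve now drops unsupported names, TLSX_SupportedGroups_Find cannot tell "the client never listed this group" from "listed but unsupported in this build", so a key share for an unlisted group (which RFC 8446 section 4.2.8 forbids clients to send) is no longer detected. If that trade-off is accepted, say so at the check: `/* Skip shares for groups not recorded from supported_groups; this covers groups unsupported here and groups the client never listed. */`. What happens when every share is skipped is decided outside the hunk.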
@@ -44072,7 +44072,8 @@ static int test_tls13_apis(void)
 int outSz;
 #endif
 #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
- int groups[2] = { WOLFSSL_ECC_X25519, WOLFSSL_ECC_X448 };
+ int groups[2] = { WOLFSSL_ECC_SECP256R1, WOLFSSL_ECC_SECP256R1 };
+ int bad_groups[2] = { 0xDEAD, 0xBEEF };
 int numGroups = 2;
 #endif
 #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
@@ -44338,10 +44339,14 @@ static int test_tls13_apis(void)
 BAD_FUNC_ARG);
 AssertIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, numGroups), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_CTX_set_groups(clientCtx, bad_groups, numGroups),
+ BAD_FUNC_ARG);
 #endif
 #ifndef NO_WOLFSSL_SERVER
 AssertIntEQ(wolfSSL_CTX_set_groups(serverCtx, groups, numGroups), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_CTX_set_groups(serverCtx, bad_groups, numGroups),
+ BAD_FUNC_ARG);
 #endif
 AssertIntEQ(wolfSSL_set_groups(NULL, NULL, 0), BAD_FUNC_ARG);
@@ -44358,10 +44363,14 @@ static int test_tls13_apis(void)
 WOLFSSL_MAX_GROUP_COUNT + 1), BAD_FUNC_ARG);
 AssertIntEQ(wolfSSL_set_groups(clientSsl, groups, numGroups), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_set_groups(clientSsl, bad_groups, numGroups),
+ BAD_FUNC_ARG);
 #endif
 #ifndef NO_WOLFSSL_SERVER
 AssertIntEQ(wolfSSL_set_groups(serverSsl, groups, numGroups), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_set_groups(serverSsl, bad_groups, numGroups),
+ BAD_FUNC_ARG);
 #endif
 #ifdef OPENSSL_EXTRA
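Review bot: In the `-44072` hunk `groups` now lists WOLFSSL_ECC_SECP256R1 twice, so the WOLFSSL_SUCCESS assertions in the two later hunks no longer exercise a list with two distinct groups. The array is guarded only by `HAVE_ECC && HAVE_SUPPORTED_CURVES`, while the TLSX_KeyShare_IsSupported hunks show P-256 accepted only when `NO_ECC256` and `NO_ECC_SECP` leave it enabled, so on a build without it those assertions would presumably fail. A mixed list is also untested: adding `int mixed_groups[2] = { WOLFSSL_ECC_SECP256R1, 0xDEAD };` (a constructed sample) and asserting the expected result would pin down whether one bad entry rejects the whole call.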