Fixes for TLS 1.3 without ECC or RSA. Fix for building without ECC where HAVE_SUPPORTED_CURVES was getting defined because of ENABLED_TLSX.

David Garske 2017-06-13 09:44:14 -07:00
parent a18e9a220f
commit adf819458c
4 changed files with 77 additions and 37 deletions


@ -2639,7 +2639,12 @@ then
if test "x$ENABLED_TLSX" = "xno"
then
ENABLED_TLSX="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC"
# Check the ECC supported curves prereq
AS_IF([test "x$ENABLED_ECC" = "xyes"],
[ENABLED_SUPPORTED_CURVES=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"])
fi
# Requires ecc make sure on
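Review bot: The new `AS_IF` adds `-DHAVE_SUPPORTED_CURVES` only when `ENABLED_ECC` is `yes`, but in TLS 1.3 the supported_groups extension also carries the FFDHE groups, so a no-ECC build with DH loses it as well. Later in this commit the FFDHE group registration in `TLSX_PopulateExtensions` and the body of `TLSX_KeyShare_SetSupported` are placed under `#ifdef HAVE_SUPPORTED_CURVES`, which suggests such a build advertises no groups and the server side returns `NOT_COMPILED_IN`. If DH-only TLS 1.3 is meant to work, the condition needs to cover that case; whether the extension code compiles without ECC is not visible here. At minimum the limitation should be recorded next to the check, e.g. `# TLS 1.3 FFDHE groups also depend on HAVE_SUPPORTED_CURVES; without ECC they are not advertised`.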


@ -197,7 +197,7 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
else if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519)
!= SSL_SUCCESS) {
err_sys("unable to use curve secp256r1");
err_sys("unable to use curve x25519");
}
}
#endif
@ -281,7 +281,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519)
!= SSL_SUCCESS) {
err_sys("unable to use curve secp256r1");
err_sys("unable to use curve x25519");
}
}
#endif
@ -1551,10 +1551,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519)
!= SSL_SUCCESS) {
err_sys("unable to use curve secp256r1");
err_sys("unable to use curve x25519");
}
}
#endif
#ifdef HAVE_ECC
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_SECP256R1)
!= SSL_SUCCESS) {
err_sys("unable to use curve secp256r1");
@ -1563,6 +1564,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
!= SSL_SUCCESS) {
err_sys("unable to use curve secp384r1");
}
#endif
}
if (onlyKeyShare == 0 || onlyKeyShare == 1) {
#ifdef HAVE_FFDHE_2048
@ -1983,10 +1985,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifdef HAVE_CURVE25519
if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1");
err_sys("unable to use curve x25519");
}
}
#endif
#ifdef HAVE_ECC
if (wolfSSL_UseKeyShare(sslResume,
WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1");
@ -1995,6 +1998,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
WOLFSSL_ECC_SECP384R1) != SSL_SUCCESS) {
err_sys("unable to use curve secp384r1");
}
#endif
#ifdef HAVE_FFDHE_2048
if (wolfSSL_UseKeyShare(sslResume, WOLFSSL_FFDHE_2048) != SSL_SUCCESS) {
err_sys("unable to use DH 2048-bit parameters");
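Review bot: In the resumption block of `client_test` (the hunk at -1983) the X25519 key share is requested on `ssl`, while the secp256r1, secp384r1 and FFDHE calls right after it use `sslResume`, so with `useX25519` set the resumed connection appears never to receive the X25519 share. The call should read `if (wolfSSL_UseKeyShare(sslResume, WOLFSSL_ECC_X25519) != SSL_SUCCESS) {`. The commit corrects the error string on the following line but leaves the object argument as it was. The enclosing block starts and ends outside the hunk, so confirm that `sslResume` is the intended object there.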


@ -2956,29 +2956,6 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
return 0;
}
#ifdef WOLFSSL_TLS13
/* Searches the supported groups extension for the specified named group.
*
* ssl The SSL/TLS object.
* name The group name to match.
* returns 1 when the extension has the group name and 0 otherwise.
*/
static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name)
{
TLSX* extension;
EllipticCurve* curve = NULL;
if ((extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)) == NULL)
return 0;
for (curve = (EllipticCurve*)extension->data; curve; curve = curve->next) {
if (curve->name == name)
return 1;
}
return 0;
}
#endif /* WOLFSSL_TLS13 */
int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE)
? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
@ -4685,7 +4662,7 @@ end:
}
#endif
#ifndef NO_ECC
#ifdef HAVE_ECC
/* Create a key share entry using named elliptic curve parameters group.
* Generates a key pair.
*
@ -4846,7 +4823,7 @@ end:
}
return ret;
}
#endif /* !NO_ECC */
#endif /* HAVE_ECC */
/* Generate a secret/key using the key share entry.
*
@ -4855,10 +4832,16 @@ end:
*/
static int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse)
{
#ifndef NO_DH
/* Named FFHE groups have a bit set to identify them. */
if ((kse->group & NAMED_DH_MASK) == NAMED_DH_MASK)
return TLSX_KeyShare_GenDhKey(ssl, kse);
#endif
#ifdef HAVE_ECC
return TLSX_KeyShare_GenEccKey(ssl, kse);
#else
return NOT_COMPILED_IN;
#endif
}
/* Free the key share dynamic data.
@ -5070,8 +5053,9 @@ static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
*/
static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
{
#ifndef NO_ECC
int ret;
#ifdef HAVE_ECC
int curveId;
ecc_key* keyShareKey = (ecc_key*)keyShareEntry->key;
@ -5197,10 +5181,15 @@ static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
);
#endif
return ret;
#else
return PEER_KEY_ERROR;
#endif
(void)ssl;
(void)keyShareEntry;
ret = PEER_KEY_ERROR;
#endif /* HAVE_ECC */
return ret;
}
/* Process the key share extension on the client side.
@ -5300,6 +5289,35 @@ static int TLSX_KeyShare_Find(WOLFSSL* ssl, word16 group)
return 0;
}
/* Searches the supported groups extension for the specified named group.
*
* ssl The SSL/TLS object.
* name The group name to match.
* returns 1 when the extension has the group name and 0 otherwise.
*/
static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name)
{
#ifdef HAVE_SUPPORTED_CURVES
TLSX* extension;
EllipticCurve* curve = NULL;
if ((extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)) == NULL)
return 0;
for (curve = (EllipticCurve*)extension->data; curve; curve = curve->next) {
if (curve->name == name)
return 1;
}
#endif
(void)ssl;
(void)name;
return 0;
}
/* Parse the KeyShare extension.
* Different formats in different messages.
*
@ -5572,6 +5590,7 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
static int TLSX_KeyShare_SetSupported(WOLFSSL* ssl)
{
int ret;
#ifdef HAVE_SUPPORTED_CURVES
TLSX* extension;
EllipticCurve* curve = NULL;
@ -5603,8 +5622,13 @@ static int TLSX_KeyShare_SetSupported(WOLFSSL* ssl)
/* Set extension to be in reponse. */
extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
extension->resp = 1;
#else
return 0;
(void)ssl;
ret = NOT_COMPILED_IN;
#endif
return ret;
}
/* Establish the secret based on the key shares received from the client.
@ -7034,6 +7058,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
ssl->heap)) != 0)
return ret;
#ifdef HAVE_SUPPORTED_CURVES
if (!ssl->options.userCurves && !ssl->ctx->userCurves) {
/* Add FFDHE supported groups. */
#ifdef HAVE_FFDHE_2048
@ -7068,6 +7093,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
#endif
ret = 0;
}
#endif
if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
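Review bot: The compiled-out paths report two different errors for the same condition: `TLSX_KeyShare_GenKey` returns `NOT_COMPILED_IN` when `HAVE_ECC` is undefined, while `TLSX_KeyShare_ProcessEcc` sets `ret = PEER_KEY_ERROR`. A peer that offers an ECC share to a no-ECC build has sent nothing malformed, so `PEER_KEY_ERROR` points log triage at the peer's key rather than at the local build. `ret = NOT_COMPILED_IN;` would match the other stubs, provided callers do not map the code to a specific alert, which is not visible here. The header comments of `TLSX_KeyShare_GenKey` and `TLSX_KeyShare_SetSupported` should also list `NOT_COMPILED_IN` as a possible return; both function bodies are only partly inside their hunks.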


@ -3588,6 +3588,7 @@ static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
return wc_EncodeSignature(sig, hash, hashSz, hashOid);
}
}
#endif /* !NO_RSA */
#ifdef HAVE_ECC
/* Encode the ECC signature.
@ -3648,9 +3649,9 @@ static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
return hashSz;
}
#endif
#endif /* HAVE_ECC */
#ifndef NO_RSA
/* Check that the decrypted signature matches the encoded signature
* based on the digest of the signature data.
*
@ -4467,15 +4468,19 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
}
#endif
#ifdef HAVE_ECC
if (args->sigAlgo == ecc_dsa_sa_algo &&
!ssl->peerEccDsaKeyPresent) {
WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
}
#endif
#ifndef NO_RSA
if ((args->sigAlgo == rsa_sa_algo ||
args->sigAlgo == rsa_pss_sa_algo) &&
(ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
}
#endif
sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap,
DYNAMIC_TYPE_TMP_BUFFER);
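Review bot: The key-presence checks in `DoTls13CertificateVerify` only call `WOLFSSL_MSG` and then fall through to the `XMALLOC`. With the new `#ifdef HAVE_ECC` / `#ifndef NO_RSA` guards, a `sigAlgo` naming an algorithm that is compiled out matches no branch at all. Unless code after the hunk rejects these cases, the handshake proceeds with a signature the build cannot verify, so that path should be confirmed to fail closed. Each branch would be safer setting an error return instead of only logging, with a final fallback that rejects any `sigAlgo` lacking a compiled-in verifier. Until then a comment such as `/* Logging only: the verify step below must reject a missing or unsupported key type. */` would make the dependency explicit.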