mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes for TLS 1.3 without ECC or RSA. Fix for building without ECC where HAVE_SUPPORTED_CURVES was getting defined because of ENABLED_TLSX.

Browse Source
This commit is contained in:
David Garske 2017-06-13 09:44:14 -07:00
parent a18e9a220f
commit adf819458c
4 changed files with 77 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
configure.ac
View File

@ -2639,7 +2639,12 @@ then
if test "x$ENABLED_TLSX" = "xno" if test "x$ENABLED_TLSX" = "xno"
then then
ENABLED_TLSX="yes" ENABLED_TLSX="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES" AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC"
# Check the ECC supported curves prereq
AS_IF([test "x$ENABLED_ECC" = "xyes"],
[ENABLED_SUPPORTED_CURVES=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"])
fi fi
# Requires ecc make sure on # Requires ecc make sure on

12
examples/client/client.c
View File

@ -197,7 +197,7 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
else if (useX25519) { else if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519)
!= SSL_SUCCESS) { != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve x25519");
} }
} }
#endif #endif
@ -281,7 +281,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
if (useX25519) { if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519)
!= SSL_SUCCESS) { != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve x25519");
} }
} }
#endif #endif
@ -1551,10 +1551,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (useX25519) { if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519)
!= SSL_SUCCESS) { != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve x25519");
} }
} }
#endif #endif
#ifdef HAVE_ECC
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_SECP256R1) if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_SECP256R1)
!= SSL_SUCCESS) { != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve secp256r1");
@ -1563,6 +1564,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
!= SSL_SUCCESS) { != SSL_SUCCESS) {
err_sys("unable to use curve secp384r1"); err_sys("unable to use curve secp384r1");
} }
#endif
} }
if (onlyKeyShare == 0 || onlyKeyShare == 1) { if (onlyKeyShare == 0 || onlyKeyShare == 1) {
#ifdef HAVE_FFDHE_2048 #ifdef HAVE_FFDHE_2048
@ -1983,10 +1985,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifdef HAVE_CURVE25519 #ifdef HAVE_CURVE25519
if (useX25519) { if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) { if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve x25519");
} }
} }
#endif #endif
#ifdef HAVE_ECC
if (wolfSSL_UseKeyShare(sslResume, if (wolfSSL_UseKeyShare(sslResume,
WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS) { WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve secp256r1");
@ -1995,6 +1998,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
WOLFSSL_ECC_SECP384R1) != SSL_SUCCESS) { WOLFSSL_ECC_SECP384R1) != SSL_SUCCESS) {
err_sys("unable to use curve secp384r1"); err_sys("unable to use curve secp384r1");
} }
#endif
#ifdef HAVE_FFDHE_2048 #ifdef HAVE_FFDHE_2048
if (wolfSSL_UseKeyShare(sslResume, WOLFSSL_FFDHE_2048) != SSL_SUCCESS) { if (wolfSSL_UseKeyShare(sslResume, WOLFSSL_FFDHE_2048) != SSL_SUCCESS) {
err_sys("unable to use DH 2048-bit parameters"); err_sys("unable to use DH 2048-bit parameters");

86
src/tls.c
View File

@ -2956,29 +2956,6 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
return 0; return 0;
} }
#ifdef WOLFSSL_TLS13
/* Searches the supported groups extension for the specified named group.
*
* ssl The SSL/TLS object.
* name The group name to match.
* returns 1 when the extension has the group name and 0 otherwise.
*/
static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name)
{
TLSX* extension;
EllipticCurve* curve = NULL;
if ((extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)) == NULL)
return 0;
for (curve = (EllipticCurve*)extension->data; curve; curve = curve->next) {
if (curve->name == name)
return 1;
}
return 0;
}
#endif /* WOLFSSL_TLS13 */
int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE) TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE)
? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
@ -4685,7 +4662,7 @@ end:
} }
#endif #endif
#ifndef NO_ECC #ifdef HAVE_ECC
/* Create a key share entry using named elliptic curve parameters group. /* Create a key share entry using named elliptic curve parameters group.
* Generates a key pair. * Generates a key pair.
* *
@ -4846,7 +4823,7 @@ end:
} }
return ret; return ret;
} }
#endif /* !NO_ECC */ #endif /* HAVE_ECC */
/* Generate a secret/key using the key share entry. /* Generate a secret/key using the key share entry.
* *
@ -4855,10 +4832,16 @@ end:
*/ */
static int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse) static int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse)
{ {
#ifndef NO_DH
/* Named FFHE groups have a bit set to identify them. */ /* Named FFHE groups have a bit set to identify them. */
if ((kse->group & NAMED_DH_MASK) == NAMED_DH_MASK) if ((kse->group & NAMED_DH_MASK) == NAMED_DH_MASK)
return TLSX_KeyShare_GenDhKey(ssl, kse); return TLSX_KeyShare_GenDhKey(ssl, kse);
#endif
#ifdef HAVE_ECC
return TLSX_KeyShare_GenEccKey(ssl, kse); return TLSX_KeyShare_GenEccKey(ssl, kse);
#else
return NOT_COMPILED_IN;
#endif
} }
/* Free the key share dynamic data. /* Free the key share dynamic data.
@ -5070,8 +5053,9 @@ static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
*/ */
static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
{ {
#ifndef NO_ECC
int ret; int ret;
#ifdef HAVE_ECC
int curveId; int curveId;
ecc_key* keyShareKey = (ecc_key*)keyShareEntry->key; ecc_key* keyShareKey = (ecc_key*)keyShareEntry->key;
@ -5197,10 +5181,15 @@ static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
); );
#endif #endif
return ret;
#else #else
return PEER_KEY_ERROR; (void)ssl;
#endif (void)keyShareEntry;
ret = PEER_KEY_ERROR;
#endif /* HAVE_ECC */
return ret;
} }
/* Process the key share extension on the client side. /* Process the key share extension on the client side.
@ -5300,6 +5289,35 @@ static int TLSX_KeyShare_Find(WOLFSSL* ssl, word16 group)
return 0; return 0;
} }
/* Searches the supported groups extension for the specified named group.
*
* ssl The SSL/TLS object.
* name The group name to match.
* returns 1 when the extension has the group name and 0 otherwise.
*/
static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name)
{
#ifdef HAVE_SUPPORTED_CURVES
TLSX* extension;
EllipticCurve* curve = NULL;
if ((extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)) == NULL)
return 0;
for (curve = (EllipticCurve*)extension->data; curve; curve = curve->next) {
if (curve->name == name)
return 1;
}
#endif
(void)ssl;
(void)name;
return 0;
}
/* Parse the KeyShare extension. /* Parse the KeyShare extension.
* Different formats in different messages. * Different formats in different messages.
* *
@ -5572,6 +5590,7 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
static int TLSX_KeyShare_SetSupported(WOLFSSL* ssl) static int TLSX_KeyShare_SetSupported(WOLFSSL* ssl)
{ {
int ret; int ret;
#ifdef HAVE_SUPPORTED_CURVES
TLSX* extension; TLSX* extension;
EllipticCurve* curve = NULL; EllipticCurve* curve = NULL;
@ -5603,8 +5622,13 @@ static int TLSX_KeyShare_SetSupported(WOLFSSL* ssl)
/* Set extension to be in reponse. */ /* Set extension to be in reponse. */
extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
extension->resp = 1; extension->resp = 1;
#else
return 0; (void)ssl;
ret = NOT_COMPILED_IN;
#endif
return ret;
} }
/* Establish the secret based on the key shares received from the client. /* Establish the secret based on the key shares received from the client.
@ -7034,6 +7058,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
ssl->heap)) != 0) ssl->heap)) != 0)
return ret; return ret;
#ifdef HAVE_SUPPORTED_CURVES
if (!ssl->options.userCurves && !ssl->ctx->userCurves) { if (!ssl->options.userCurves && !ssl->ctx->userCurves) {
/* Add FFDHE supported groups. */ /* Add FFDHE supported groups. */
#ifdef HAVE_FFDHE_2048 #ifdef HAVE_FFDHE_2048
@ -7068,6 +7093,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
#endif #endif
ret = 0; ret = 0;
} }
#endif
if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) { if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \

9
src/tls13.c
View File

@ -3588,6 +3588,7 @@ static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
return wc_EncodeSignature(sig, hash, hashSz, hashOid); return wc_EncodeSignature(sig, hash, hashSz, hashOid);
} }
} }
#endif /* !NO_RSA */
#ifdef HAVE_ECC #ifdef HAVE_ECC
/* Encode the ECC signature. /* Encode the ECC signature.
@ -3648,9 +3649,9 @@ static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
return hashSz; return hashSz;
} }
#endif #endif /* HAVE_ECC */
#ifndef NO_RSA
/* Check that the decrypted signature matches the encoded signature /* Check that the decrypted signature matches the encoded signature
* based on the digest of the signature data. * based on the digest of the signature data.
* *
@ -4467,15 +4468,19 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify"); WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
} }
#endif #endif
#ifdef HAVE_ECC
if (args->sigAlgo == ecc_dsa_sa_algo && if (args->sigAlgo == ecc_dsa_sa_algo &&
!ssl->peerEccDsaKeyPresent) { !ssl->peerEccDsaKeyPresent) {
WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
} }
#endif
#ifndef NO_RSA
if ((args->sigAlgo == rsa_sa_algo || if ((args->sigAlgo == rsa_sa_algo ||
args->sigAlgo == rsa_pss_sa_algo) && args->sigAlgo == rsa_pss_sa_algo) &&
(ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) { (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
WOLFSSL_MSG("Oops, peer sent RSA key but not in verify"); WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
} }
#endif
sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap, sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap,
DYNAMIC_TYPE_TMP_BUFFER); DYNAMIC_TYPE_TMP_BUFFER);