Skip signature_algorithms ext if PSK only
This commit is contained in:
parent
d3b90f797d
commit
d94232389e
4 changed files with 33 additions and 8 deletions
|
@ -33,6 +33,8 @@ Changes
|
|||
* ssl_set_own_cert() now returns an error on key-certificate mismatch.
|
||||
* Forbid repeated extensions in X.509 certificates.
|
||||
* debug_print_buf() now prints a text view in addition to hexadecimal.
|
||||
* Skip writing and parsing signature_algorithm extension if none of the
|
||||
key exchanges enabled needs certificates.
|
||||
|
||||
= PolarSSL 1.3.9 released 2014-10-20
|
||||
Security
|
||||
|
|
|
@ -233,7 +233,9 @@ extern "C" {
|
|||
#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE /**< TLS 1.2 */
|
||||
#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */
|
||||
|
||||
/* Reminder: update _ssl_premaster_secret when adding a new key exchange */
|
||||
/* Reminder: update _ssl_premaster_secret when adding a new key exchange.
|
||||
* Reminder: update POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED below.
|
||||
*/
|
||||
typedef enum {
|
||||
POLARSSL_KEY_EXCHANGE_NONE = 0,
|
||||
POLARSSL_KEY_EXCHANGE_RSA,
|
||||
|
@ -248,6 +250,17 @@ typedef enum {
|
|||
POLARSSL_KEY_EXCHANGE_ECDH_ECDSA,
|
||||
} key_exchange_type_t;
|
||||
|
||||
#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
|
||||
defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED
|
||||
#endif
|
||||
|
||||
typedef struct _ssl_ciphersuite_t ssl_ciphersuite_t;
|
||||
|
||||
#define POLARSSL_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */
|
||||
|
|
|
@ -142,7 +142,11 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
|
|||
*olen = 5 + ssl->verify_data_len;
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
||||
/*
|
||||
* Only if we handle at least one key exchange that needs signatures.
|
||||
*/
|
||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
||||
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||
static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
size_t *olen )
|
||||
|
@ -236,7 +240,8 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
|
|||
|
||||
*olen = 6 + sig_alg_len;
|
||||
}
|
||||
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
|
||||
#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
|
||||
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
||||
|
||||
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
||||
static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
|
||||
|
@ -628,7 +633,8 @@ static int ssl_write_client_hello( ssl_context *ssl )
|
|||
ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
|
||||
ext_len += olen;
|
||||
|
||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
||||
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||
ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
|
||||
ext_len += olen;
|
||||
#endif
|
||||
|
|
|
@ -465,7 +465,8 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
||||
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||
static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
size_t len )
|
||||
|
@ -509,7 +510,8 @@ have_sig_alg:
|
|||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
|
||||
#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
|
||||
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
||||
|
||||
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
||||
static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
|
||||
|
@ -1402,7 +1404,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
|||
return( ret );
|
||||
break;
|
||||
|
||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
||||
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||
case TLS_EXT_SIG_ALG:
|
||||
SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
|
||||
if( ssl->renegotiation == SSL_RENEGOTIATION )
|
||||
|
@ -1412,7 +1415,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
|||
if( ret != 0 )
|
||||
return( ret );
|
||||
break;
|
||||
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
|
||||
#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
|
||||
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
||||
|
||||
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
||||
case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
|
||||
|
|
Loading…
Reference in a new issue