Skip signature_algorithms ext if PSK only
parent
d3b90f797d
commit
d94232389e
4 changed files with 33 additions and 8 deletions
|
@ -33,6 +33,8 @@ Changes
|
||||||
* ssl_set_own_cert() now returns an error on key-certificate mismatch.
|
* ssl_set_own_cert() now returns an error on key-certificate mismatch.
|
||||||
* Forbid repeated extensions in X.509 certificates.
|
* Forbid repeated extensions in X.509 certificates.
|
||||||
* debug_print_buf() now prints a text view in addition to hexadecimal.
|
* debug_print_buf() now prints a text view in addition to hexadecimal.
|
||||||
|
* Skip writing and parsing signature_algorithm extension if none of the
|
||||||
|
key exchanges enabled needs certificates.
|
||||||
|
|
||||||
= PolarSSL 1.3.9 released 2014-10-20
|
= PolarSSL 1.3.9 released 2014-10-20
|
||||||
Security
|
Security
|
||||||
|
|
|
@ -233,7 +233,9 @@ extern "C" {
|
||||||
#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE /**< TLS 1.2 */
|
#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE /**< TLS 1.2 */
|
||||||
#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */
|
#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */
|
||||||
|
|
||||||
/* Reminder: update _ssl_premaster_secret when adding a new key exchange */
|
/* Reminder: update _ssl_premaster_secret when adding a new key exchange.
|
||||||
|
* Reminder: update POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED below.
|
||||||
|
*/
|
||||||
typedef enum {
|
typedef enum {
|
||||||
POLARSSL_KEY_EXCHANGE_NONE = 0,
|
POLARSSL_KEY_EXCHANGE_NONE = 0,
|
||||||
POLARSSL_KEY_EXCHANGE_RSA,
|
POLARSSL_KEY_EXCHANGE_RSA,
|
||||||
|
@ -248,6 +250,17 @@ typedef enum {
|
||||||
POLARSSL_KEY_EXCHANGE_ECDH_ECDSA,
|
POLARSSL_KEY_EXCHANGE_ECDH_ECDSA,
|
||||||
} key_exchange_type_t;
|
} key_exchange_type_t;
|
||||||
|
|
||||||
|
#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||||
|
#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
typedef struct _ssl_ciphersuite_t ssl_ciphersuite_t;
|
typedef struct _ssl_ciphersuite_t ssl_ciphersuite_t;
|
||||||
|
|
||||||
#define POLARSSL_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */
|
#define POLARSSL_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */
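Review bot: The condition that defines `POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED` includes `defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)`, but ECDHE-PSK authenticates with the pre-shared key and presents no certificate. A build that enables only PSK and ECDHE-PSK therefore still compiles, writes and parses signature_algorithms, which is the case the commit title sets out to skip. Dropping that one line keeps the macro in step with its name; `POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED` is right to stay, because the server still sends a certificate there. Since the macro now gates code in the other sections of this commit, a one-line comment above the block would help, for example `/* Key exchanges in which a certificate is presented */`.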
|
||||||
|
|
|
@ -142,7 +142,11 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
|
||||||
*olen = 5 + ssl->verify_data_len;
|
*olen = 5 + ssl->verify_data_len;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
/*
|
||||||
|
* Only if we handle at least one key exchange that needs signatures.
|
||||||
|
*/
|
||||||
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
|
static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
|
||||||
unsigned char *buf,
|
unsigned char *buf,
|
||||||
size_t *olen )
|
size_t *olen )
|
||||||
|
@ -236,7 +240,8 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
|
||||||
|
|
||||||
*olen = 6 + sig_alg_len;
|
*olen = 6 + sig_alg_len;
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
|
#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
|
||||||
|
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
||||||
|
|
||||||
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
||||||
static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
|
static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
|
||||||
|
@ -628,7 +633,8 @@ static int ssl_write_client_hello( ssl_context *ssl )
|
||||||
ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
|
ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
|
||||||
ext_len += olen;
|
ext_len += olen;
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
|
ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
|
||||||
ext_len += olen;
|
ext_len += olen;
|
||||||
#endif
|
#endif
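Review bot: The comment added above `ssl_write_signature_algorithms_ext` speaks of key exchanges that "need signatures", while the guard beneath it tests `POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED`, so a reader cannot tell which property actually decides; wording it as `* Only if at least one enabled key exchange uses certificates.` would match the macro. The call-site `#endif` in `ssl_write_client_hello` is also left bare, whereas the `#endif` that closes the function was given the full condition; `#endif /* POLARSSL_SSL_PROTO_TLS1_2 && POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */` would keep the two consistent. Note as well that the guard is compile-time only. A client built with certificate-based key exchanges but restricted to PSK ciphersuites at run time will presumably still send the extension; if that case matters it needs a separate run-time check. Both function bodies continue outside these hunks.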
|
||||||
|
|
|
@ -465,7 +465,8 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
|
static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
|
||||||
const unsigned char *buf,
|
const unsigned char *buf,
|
||||||
size_t len )
|
size_t len )
|
||||||
|
@ -509,7 +510,8 @@ have_sig_alg:
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
|
#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
|
||||||
|
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
||||||
|
|
||||||
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
||||||
static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
|
static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
|
||||||
|
@ -1402,7 +1404,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||||
return( ret );
|
return( ret );
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
case TLS_EXT_SIG_ALG:
|
case TLS_EXT_SIG_ALG:
|
||||||
SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
|
SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
|
||||||
if( ssl->renegotiation == SSL_RENEGOTIATION )
|
if( ssl->renegotiation == SSL_RENEGOTIATION )
|
||||||
|
@ -1412,7 +1415,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
break;
|
break;
|
||||||
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
|
#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
|
||||||
|
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
||||||
|
|
||||||
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
||||||
case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
|
case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
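Review bot: With `case TLS_EXT_SIG_ALG:` in `ssl_parse_client_hello` now compiled out of PSK-only builds, a signature_algorithms extension offered by a client is handled by whatever the switch does for unrecognised extension types, and that branch is outside these hunks. It is worth confirming that it skips the extension rather than failing the handshake, because TLS 1.2 clients commonly send it even when they also offer PSK suites. The intent could be recorded next to the guard, for example `/* Without certificate-based key exchanges this extension is left to the default case and ignored */`. A handshake test of a PSK-only server against a client that offers the extension would pin the behaviour down.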
|
||||||
|
|