Skip signature_algorithms ext if PSK only

This commit is contained in:
Manuel Pégourié-Gonnard 2014-12-02 11:57:29 +01:00
parent d3b90f797d
commit d94232389e
4 changed files with 33 additions and 8 deletions

View file

@ -33,6 +33,8 @@ Changes
* ssl_set_own_cert() now returns an error on key-certificate mismatch. * ssl_set_own_cert() now returns an error on key-certificate mismatch.
* Forbid repeated extensions in X.509 certificates. * Forbid repeated extensions in X.509 certificates.
* debug_print_buf() now prints a text view in addition to hexadecimal. * debug_print_buf() now prints a text view in addition to hexadecimal.
* Skip writing and parsing signature_algorithm extension if none of the
key exchanges enabled needs certificates.
= PolarSSL 1.3.9 released 2014-10-20 = PolarSSL 1.3.9 released 2014-10-20
Security Security

View file

@ -233,7 +233,9 @@ extern "C" {
#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE /**< TLS 1.2 */ #define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE /**< TLS 1.2 */
#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */ #define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */
/* Reminder: update _ssl_premaster_secret when adding a new key exchange */ /* Reminder: update _ssl_premaster_secret when adding a new key exchange.
* Reminder: update POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED below.
*/
typedef enum { typedef enum {
POLARSSL_KEY_EXCHANGE_NONE = 0, POLARSSL_KEY_EXCHANGE_NONE = 0,
POLARSSL_KEY_EXCHANGE_RSA, POLARSSL_KEY_EXCHANGE_RSA,
@ -248,6 +250,17 @@ typedef enum {
POLARSSL_KEY_EXCHANGE_ECDH_ECDSA, POLARSSL_KEY_EXCHANGE_ECDH_ECDSA,
} key_exchange_type_t; } key_exchange_type_t;
#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED
#endif
typedef struct _ssl_ciphersuite_t ssl_ciphersuite_t; typedef struct _ssl_ciphersuite_t ssl_ciphersuite_t;
#define POLARSSL_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */ #define POLARSSL_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */

View file

@ -142,7 +142,11 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
*olen = 5 + ssl->verify_data_len; *olen = 5 + ssl->verify_data_len;
} }
#if defined(POLARSSL_SSL_PROTO_TLS1_2) /*
* Only if we handle at least one key exchange that needs signatures.
*/
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
static void ssl_write_signature_algorithms_ext( ssl_context *ssl, static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
unsigned char *buf, unsigned char *buf,
size_t *olen ) size_t *olen )
@ -236,7 +240,8 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
*olen = 6 + sig_alg_len; *olen = 6 + sig_alg_len;
} }
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */ #endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl, static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
@ -628,7 +633,8 @@ static int ssl_write_client_hello( ssl_context *ssl )
ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen; ext_len += olen;
#if defined(POLARSSL_SSL_PROTO_TLS1_2) #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen; ext_len += olen;
#endif #endif

View file

@ -465,7 +465,8 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
return( 0 ); return( 0 );
} }
#if defined(POLARSSL_SSL_PROTO_TLS1_2) #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
static int ssl_parse_signature_algorithms_ext( ssl_context *ssl, static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
size_t len ) size_t len )
@ -509,7 +510,8 @@ have_sig_alg:
return( 0 ); return( 0 );
} }
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */ #endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static int ssl_parse_supported_elliptic_curves( ssl_context *ssl, static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
@ -1402,7 +1404,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
return( ret ); return( ret );
break; break;
#if defined(POLARSSL_SSL_PROTO_TLS1_2) #if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
case TLS_EXT_SIG_ALG: case TLS_EXT_SIG_ALG:
SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
if( ssl->renegotiation == SSL_RENEGOTIATION ) if( ssl->renegotiation == SSL_RENEGOTIATION )
@ -1412,7 +1415,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
break; break;
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */ #endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C) #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: