Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add check to s2n_signature_scheme_valid_to_accept #3728

Merged
merged 15 commits into from
Jan 5, 2023
Merged

Add check to s2n_signature_scheme_valid_to_accept #3728

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
2413076
Add s2n_signature_schemes_init
uwaces Dec 21, 2022
6f0614f
Add return 0
uwaces Dec 21, 2022
38a97a3
Move the test to s2n_signature_scheme_valid_to_accept.
uwaces Dec 23, 2022
c049bd2
Merge branch 'main' into issue-1686-v2
uwaces Dec 23, 2022
c2950b3
Merge branch 'main' into issue-1686-v2
harrisonkaiser Dec 29, 2022
3777491
Merge branch 'main' into issue-1686-v2
harrisonkaiser Jan 3, 2023
270df7a
Merge branch 'main' into issue-1686-v2
harrisonkaiser Jan 3, 2023
4a3f00d
Simplify checks
uwaces Jan 4, 2023
f44c31c
Merge branch 'main' into issue-1686-v2
uwaces Jan 4, 2023
619d4aa
Remove extra import
uwaces Jan 4, 2023
b5649c6
Move to an else branch
uwaces Jan 4, 2023
b839caa
Remove redundant assignment of actual_protocol_version
uwaces Jan 4, 2023
8f125db
Group Posix Ensure with if statement
uwaces Jan 5, 2023
4a71d0d
Merge branch 'main' into issue-1686-v2
harrisonkaiser Jan 5, 2023
de0361e
Merge branch 'main' into issue-1686-v2
harrisonkaiser Jan 5, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions tests/unit/s2n_tls13_cert_verify_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif

struct s2n_connection *verifying_conn = NULL, *sending_conn = NULL;
EXPECT_NOT_NULL(verifying_conn = s2n_connection_new(verifier_mode));
verifying_conn->actual_protocol_version = S2N_TLS13;
EXPECT_NOT_NULL(sending_conn = s2n_connection_new(verifier_mode == S2N_CLIENT ? S2N_SERVER : S2N_CLIENT));

EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_in, S2N_MAX_TEST_PEM_SIZE));
Expand Down Expand Up @@ -154,6 +155,7 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif

struct s2n_connection *verifying_conn = NULL;
EXPECT_NOT_NULL(verifying_conn = s2n_connection_new(verifier_mode));
verifying_conn->actual_protocol_version = S2N_TLS13;
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
EXPECT_SUCCESS(s2n_connection_set_config(verifying_conn, config));
verifying_conn->handshake_params.our_chain_and_key = cert_chain;
Expand Down Expand Up @@ -222,6 +224,7 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif

struct s2n_connection *verifying_conn = NULL;
EXPECT_NOT_NULL(verifying_conn = s2n_connection_new(verifier_mode));
verifying_conn->actual_protocol_version = S2N_TLS13;
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
EXPECT_SUCCESS(s2n_connection_set_config(verifying_conn, config));
verifying_conn->handshake_params.our_chain_and_key = cert_chain;
Expand Down
12 changes: 12 additions & 0 deletions tls/s2n_signature_algorithms.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@

static int s2n_signature_scheme_valid_to_offer(struct s2n_connection *conn, const struct s2n_signature_scheme *scheme)
{
POSIX_ENSURE_REF(conn);

/* We don't know what protocol version we will eventually negotiate, but we know that it won't be any higher. */
POSIX_ENSURE_GTE(conn->actual_protocol_version, scheme->minimum_protocol_version);

Expand All @@ -50,13 +52,23 @@ static int s2n_signature_scheme_valid_to_offer(struct s2n_connection *conn, cons
static int s2n_signature_scheme_valid_to_accept(struct s2n_connection *conn, const struct s2n_signature_scheme *scheme)
{
POSIX_ENSURE_REF(scheme);
POSIX_ENSURE_REF(conn);

POSIX_GUARD(s2n_signature_scheme_valid_to_offer(conn, scheme));

if (scheme->maximum_protocol_version != S2N_UNKNOWN_PROTOCOL_VERSION) {
POSIX_ENSURE_LTE(conn->actual_protocol_version, scheme->maximum_protocol_version);
}

POSIX_ENSURE_NE(conn->actual_protocol_version, S2N_UNKNOWN_PROTOCOL_VERSION);

if (conn->actual_protocol_version >= S2N_TLS13) {
POSIX_ENSURE_NE(scheme->hash_alg, S2N_HASH_SHA1);
POSIX_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA);
} else {
POSIX_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_PSS);
}

return 0;
}

Expand Down