Move supported algorithms facts out of msgs module

These didn't really belong here.
Joseph Birr-Pixton 2019-01-27 17:28:36 +00:00
parent dc9fc45844
commit 974ec9eb1b
7 changed files with 56 additions and 63 deletions


@ -5,9 +5,8 @@ use crate::msgs::base::{Payload, PayloadU8};
use crate::msgs::handshake::{HandshakePayload, HandshakeMessagePayload, ClientHelloPayload};
use crate::msgs::handshake::{SessionID, Random, ServerHelloPayload};
use crate::msgs::handshake::{ClientExtension, HasServerExtensions};
use crate::msgs::handshake::{SupportedSignatureSchemes, SupportedMandatedSignatureSchemes};
use crate::msgs::handshake::DecomposedSignatureScheme;
use crate::msgs::handshake::{NamedGroups, SupportedGroups, KeyShareEntry, EncryptedExtensions};
use crate::msgs::handshake::{KeyShareEntry, EncryptedExtensions};
use crate::msgs::handshake::{ECPointFormatList, SupportedPointFormats};
use crate::msgs::handshake::{ProtocolNameList, ConvertProtocolNameList};
use crate::msgs::handshake::{CertificatePayloadTLS13, CertificateEntry};
@ -26,6 +25,7 @@ use crate::cipher;
use crate::suites;
use crate::hash_hs;
use crate::verify;
use crate::sign;
use crate::rand;
use crate::ticketer;
#[cfg(feature = "logging")]
@ -317,8 +317,8 @@ fn emit_client_hello_for_retry(sess: &mut ClientSessionImpl,
exts.push(ClientExtension::make_sni(handshake.dns_name.as_ref()));
}
exts.push(ClientExtension::ECPointFormats(ECPointFormatList::supported()));
exts.push(ClientExtension::NamedGroups(NamedGroups::supported()));
exts.push(ClientExtension::SignatureAlgorithms(SupportedSignatureSchemes::supported_verify()));
exts.push(ClientExtension::NamedGroups(suites::KeyExchange::supported_groups()));
exts.push(ClientExtension::SignatureAlgorithms(verify::supported_verify_schemes()));
exts.push(ClientExtension::ExtendedMasterSecretRequest);
exts.push(ClientExtension::CertificateStatusRequest(CertificateStatusRequest::build_ocsp()));
@ -893,7 +893,7 @@ impl ExpectServerHelloOrHelloRetryRequest {
// Or asks for us to retry on an unsupported group.
if let Some(group) = req_group {
if !NamedGroups::supported().contains(&group) {
if !suites::KeyExchange::supported_groups().contains(&group) {
return Err(illegal_param(sess, "server requested hrr with bad group"));
}
}
@ -1635,7 +1635,7 @@ impl State for ExpectTLS13CertificateRequest {
return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
}
let tls13_sign_schemes = SupportedSignatureSchemes::supported_sign_tls13();
let tls13_sign_schemes = sign::supported_sign_tls13();
let no_sigschemes = Vec::new();
let compat_sigschemes = certreq.get_sigalgs_extension()
.unwrap_or(&no_sigschemes)
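Review bot: The HelloRetryRequest check at `if !suites::KeyExchange::supported_groups().contains(&group)` only rejects groups we do not support; unless it is already done elsewhere in this method, the client must also reject an HRR that names the group it already sent a key share for, because RFC 8446 §4.1.4 requires an illegal_parameter alert when the retry would not change the ClientHello. A guard beside the existing one, `if req_group == Some(OUR_KEY_SHARE_GROUP) { return Err(illegal_param(sess, "server requested hrr with our group")); }`, would cover it, with `OUR_KEY_SHARE_GROUP` a placeholder for whatever state this handler keeps about the key share it sent. The enclosing `impl ExpectServerHelloOrHelloRetryRequest` method starts and ends outside the hunk, so the check may already be present there.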


@ -210,16 +210,6 @@ impl SupportedPointFormats for ECPointFormatList {
declare_u16_vec!(NamedGroups, NamedGroup);
pub trait SupportedGroups {
fn supported() -> NamedGroups;
}
impl SupportedGroups for NamedGroups {
fn supported() -> NamedGroups {
vec![ NamedGroup::X25519, NamedGroup::secp384r1, NamedGroup::secp256r1 ]
}
}
declare_u16_vec!(SupportedSignatureSchemes, SignatureScheme);
pub trait DecomposedSignatureScheme {
@ -261,41 +251,6 @@ impl DecomposedSignatureScheme for SignatureScheme {
}
}
pub trait SupportedMandatedSignatureSchemes {
fn supported_verify() -> SupportedSignatureSchemes;
fn supported_sign_tls13() -> SupportedSignatureSchemes;
}
impl SupportedMandatedSignatureSchemes for SupportedSignatureSchemes {
/// Supported signature verification algorithms in decreasing order of expected security.
fn supported_verify() -> SupportedSignatureSchemes {
vec![
/* FIXME: ECDSA-P521-SHA512 */
SignatureScheme::ECDSA_NISTP384_SHA384,
SignatureScheme::ECDSA_NISTP256_SHA256,
SignatureScheme::RSA_PSS_SHA512,
SignatureScheme::RSA_PSS_SHA384,
SignatureScheme::RSA_PSS_SHA256,
SignatureScheme::RSA_PKCS1_SHA512,
SignatureScheme::RSA_PKCS1_SHA384,
SignatureScheme::RSA_PKCS1_SHA256,
]
}
fn supported_sign_tls13() -> SupportedSignatureSchemes {
vec![
SignatureScheme::ECDSA_NISTP384_SHA384,
SignatureScheme::ECDSA_NISTP256_SHA256,
SignatureScheme::RSA_PSS_SHA512,
SignatureScheme::RSA_PSS_SHA384,
SignatureScheme::RSA_PSS_SHA256,
]
}
}
#[derive(Clone, Debug)]
pub enum ServerNamePayload {
HostName(webpki::DNSName),


@ -358,8 +358,8 @@ fn get_sample_clienthellopayload() -> ClientHelloPayload {
compression_methods: vec![ Compression::Null ],
extensions: vec![
ClientExtension::ECPointFormats(ECPointFormatList::supported()),
ClientExtension::NamedGroups(NamedGroups::supported()),
ClientExtension::SignatureAlgorithms(SupportedSignatureSchemes::supported_verify()),
ClientExtension::NamedGroups(vec![ NamedGroup::X25519 ]),
ClientExtension::SignatureAlgorithms(vec![ SignatureScheme::ECDSA_NISTP256_SHA256 ]),
ClientExtension::make_sni(DNSNameRef::try_from_ascii_str("hello").unwrap()),
ClientExtension::SessionTicketRequest,
ClientExtension::SessionTicketOffer(Payload(vec![])),
@ -701,7 +701,7 @@ fn get_sample_serverkeyexchangepayload_unknown() -> ServerKeyExchangePayload {
fn get_sample_certificaterequestpayload() -> CertificateRequestPayload {
CertificateRequestPayload {
certtypes: vec![ ClientCertificateType::RSASign ],
sigschemes: SupportedSignatureSchemes::supported_verify(),
sigschemes: vec![ SignatureScheme::ECDSA_NISTP256_SHA256 ],
canames: vec![ PayloadU16(vec![ 1, 2, 3 ]) ]
}
}
@ -710,7 +710,7 @@ fn get_sample_certificaterequestpayloadtls13() -> CertificateRequestPayloadTLS13
CertificateRequestPayloadTLS13 {
context: PayloadU8(vec![ 1, 2, 3 ]),
extensions: vec![
CertReqExtension::SignatureAlgorithms(SupportedSignatureSchemes::supported_verify()),
CertReqExtension::SignatureAlgorithms(vec![ SignatureScheme::ECDSA_NISTP256_SHA256 ]),
CertReqExtension::AuthorityNames(vec![ PayloadU16(vec![ 1, 2, 3 ]) ]),
CertReqExtension::Unknown(UnknownExtension {
typ: ExtensionType::Unknown(12345),
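Review bot: The fixtures now carry a single group and a single signature scheme (`vec![ NamedGroup::X25519 ]`, `vec![ SignatureScheme::ECDSA_NISTP256_SHA256 ]`), so round trips built from `get_sample_clienthellopayload` and the two CertificateRequest samples no longer encode a multi-element u16 vector where they previously did. If the codec for those lists is not covered by a separate test, two elements would keep that path exercised, e.g. `vec![ NamedGroup::X25519, NamedGroup::secp256r1 ]`. Decoupling the samples from the policy lists is otherwise the right move, since the tests would else change whenever the policy does.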


@ -8,7 +8,7 @@ use crate::msgs::handshake::{HandshakePayload, SupportedSignatureSchemes};
use crate::msgs::handshake::{HandshakeMessagePayload, ServerHelloPayload, Random};
use crate::msgs::handshake::{ClientHelloPayload, ServerExtension, SessionID};
use crate::msgs::handshake::{ConvertProtocolNameList, ConvertServerNameList};
use crate::msgs::handshake::{NamedGroups, SupportedGroups, ClientExtension};
use crate::msgs::handshake::ClientExtension;
use crate::msgs::handshake::{ECPointFormatList, SupportedPointFormats};
use crate::msgs::handshake::{ServerECDHParams, DigitallySignedStruct};
use crate::msgs::handshake::{ServerKeyExchangePayload, ECDHEServerKeyExchange};
@ -17,7 +17,7 @@ use crate::msgs::handshake::{CertificateRequestPayloadTLS13, NewSessionTicketPay
use crate::msgs::handshake::{HelloRetryRequest, HelloRetryExtension, KeyShareEntry};
use crate::msgs::handshake::{CertificatePayloadTLS13, CertificateEntry};
use crate::msgs::handshake::{CertificateStatus, CertificateExtension};
use crate::msgs::handshake::{CertReqExtension, SupportedMandatedSignatureSchemes};
use crate::msgs::handshake::CertReqExtension;
use crate::msgs::ccs::ChangeCipherSpecPayload;
use crate::msgs::codec::Codec;
use crate::msgs::persist;
@ -508,7 +508,7 @@ impl ExpectClientHello {
extensions: Vec::new(),
};
let schemes = SupportedSignatureSchemes::supported_verify();
let schemes = verify::supported_verify_schemes();
cr.extensions.push(CertReqExtension::SignatureAlgorithms(schemes));
let names = sess.config.verifier.client_auth_root_subjects();
@ -797,7 +797,7 @@ impl ExpectClientHello {
let cr = CertificateRequestPayload {
certtypes: vec![ ClientCertificateType::RSASign,
ClientCertificateType::ECDSASign ],
sigschemes: SupportedSignatureSchemes::supported_verify(),
sigschemes: verify::supported_verify_schemes(),
canames: names,
};
@ -902,7 +902,7 @@ impl ExpectClientHello {
.ok_or_else(|| incompatible(sess, "client didn't describe sigschemes"))?
.clone();
let tls13_schemes = SupportedSignatureSchemes::supported_sign_tls13();
let tls13_schemes = sign::supported_sign_tls13();
sigschemes_ext.retain(|scheme| tls13_schemes.contains(scheme));
let shares_ext = client_hello.get_keyshare_extension()
@ -916,11 +916,11 @@ impl ExpectClientHello {
.map(|share| share.group)
.collect();
let chosen_group = util::first_in_both(&NamedGroups::supported(), &share_groups);
let chosen_group = util::first_in_both(&suites::KeyExchange::supported_groups(), &share_groups);
if chosen_group.is_none() {
// We don't have a suitable key share. Choose a suitable group and
// send a HelloRetryRequest.
let retry_group_maybe = util::first_in_both(&NamedGroups::supported(), groups_ext);
let retry_group_maybe = util::first_in_both(&suites::KeyExchange::supported_groups(), groups_ext);
sess.common.hs_transcript.add_message(chm);
if let Some(group) = retry_group_maybe {
@ -1231,7 +1231,7 @@ impl State for ExpectClientHello {
return Err(incompatible(sess, "no supported sig scheme"));
}
let group = util::first_in_both(NamedGroups::supported().as_slice(),
let group = util::first_in_both(suites::KeyExchange::supported_groups().as_slice(),
groups_ext.as_slice())
.ok_or_else(|| incompatible(sess, "no supported group"))?;
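Review bot: `suites::KeyExchange::supported_groups()` is called twice within a few lines of the key-share hunk (`first_in_both(&suites::KeyExchange::supported_groups(), &share_groups)` and again for `retry_group_maybe`), and each call allocates a fresh Vec. Binding it once, `let our_groups = suites::KeyExchange::supported_groups();`, and passing `&our_groups` to both calls reads better and makes explicit that the server's own preference order, not the client's, decides the group. The later `supported_groups().as_slice()` call in `State for ExpectClientHello` would benefit from the same treatment. The enclosing `impl ExpectClientHello` methods begin and end outside these hunks.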


@ -297,3 +297,17 @@ impl Signer for SingleSchemeSigner {
self.scheme
}
}
/// The set of schemes we support for signatures and
/// that are allowed for TLS1.3.
pub fn supported_sign_tls13() -> Vec<SignatureScheme> {
vec![
SignatureScheme::ECDSA_NISTP384_SHA384,
SignatureScheme::ECDSA_NISTP256_SHA256,
SignatureScheme::RSA_PSS_SHA512,
SignatureScheme::RSA_PSS_SHA384,
SignatureScheme::RSA_PSS_SHA256,
]
}
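Review bot: `supported_sign_tls13` returns a freshly allocated `Vec` on every call, yet its visible callers in client_hs and server_hs only use it for membership tests (`tls13_schemes.contains(scheme)`), so `pub fn supported_sign_tls13() -> &'static [SignatureScheme]` over a `static` array would serve the same purpose without an allocation per handshake. The same applies to `suites::KeyExchange::supported_groups` and `verify::supported_verify_schemes`; the callers that need an owned Vec for an extension payload can call `.to_vec()` at that point. This is a style preference rather than a defect. The doc comment could also say whether the order of the list matters; from the hunks I can see, only membership is used, and stating that would stop a reader from reordering it with unintended effect if that changes.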


@ -49,6 +49,15 @@ impl KeyExchange {
}
}
pub fn supported_groups() -> Vec<NamedGroup> {
// in preference order
vec![
NamedGroup::X25519,
NamedGroup::secp384r1,
NamedGroup::secp256r1
]
}
pub fn client_ecdhe(kx_params: &[u8]) -> Option<KeyExchangeResult> {
let mut rd = Reader::init(kx_params);
let ecdh_params = ServerECDHParams::read(&mut rd)?;
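Review bot: `supported_groups` is a `pub fn` documented only by the inline `// in preference order`, and the order is load-bearing: server_hs calls `util::first_in_both(&suites::KeyExchange::supported_groups(), ...)`, so this list, not the client's, determines the chosen group and the HelloRetryRequest group. Promote the comment to a doc comment that says so, e.g. `/// Key exchange groups we support, in preference order. The server picks the first group here that the client also offered.` The `impl KeyExchange` block starts before the hunk.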


@ -404,3 +404,18 @@ pub fn verify_scts(cert: &Certificate,
Ok(())
}
pub fn supported_verify_schemes() -> Vec<SignatureScheme> {
vec![
SignatureScheme::ECDSA_NISTP384_SHA384,
SignatureScheme::ECDSA_NISTP256_SHA256,
SignatureScheme::RSA_PSS_SHA512,
SignatureScheme::RSA_PSS_SHA384,
SignatureScheme::RSA_PSS_SHA256,
SignatureScheme::RSA_PKCS1_SHA512,
SignatureScheme::RSA_PKCS1_SHA384,
SignatureScheme::RSA_PKCS1_SHA256,
]
}
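Review bot: `supported_verify_schemes` lost the documentation the removed `SupportedMandatedSignatureSchemes::supported_verify` carried ("Supported signature verification algorithms in decreasing order of expected security") and its `/* FIXME: ECDSA-P521-SHA512 */` marker; a public policy function should keep both. The order is visible to peers, since the Vec is passed straight into `ClientExtension::SignatureAlgorithms` and `CertReqExtension::SignatureAlgorithms`, so a doc comment such as `/// Signature schemes we accept for peer signatures, in decreasing order of expected security. The list is sent as-is in signature_algorithms, so this order is the preference we advertise.` records the contract. The RSA_PKCS1 entries appear here but not in `sign::supported_sign_tls13`; a one-line comment on why they remain in this list would save the next reader from treating the asymmetry as a bug.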