Support TLS 1.3 ECC Brainpool authentication

This also fixes TLS 1.2 authentication so that it succeeds only if the
brainpool curve was present in the supported_groups extension.
Tobias Frauenschläger
2026-01-19 18:42:17 +01:00
parent a462398387
commit eb8ba6124e
7 changed files with 196 additions and 40 deletions


@@ -16091,7 +16091,7 @@ static int test_wolfSSL_sigalg_info(void)
word16 idx = 0;
int allSigAlgs = SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | SIG_DILITHIUM;
InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len);
InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs, 1, 1, 0xFFFFFFFF, &len);
for (idx = 0; idx < len; idx += 2) {
int hashAlgo = 0;
int sigAlgo = 0;
@@ -16103,7 +16103,7 @@ static int test_wolfSSL_sigalg_info(void)
ExpectIntNE(sigAlgo, 0);
}
InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs | SIG_ANON, 1,
InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs | SIG_ANON, 1, 1,
0xFFFFFFFF, &len);
for (idx = 0; idx < len; idx += 2) {
int hashAlgo = 0;
@@ -29192,7 +29192,13 @@ static int test_certreq_sighash_algos(void)
maxIdx = idx + (int)len;
for (; idx < maxIdx && EXPECT_SUCCESS(); idx += OPAQUE16_LEN) {
if (test_ctx.c_buff[idx+1] == ED25519_SA_MINOR ||
test_ctx.c_buff[idx+1] == ED448_SA_MINOR)
test_ctx.c_buff[idx+1] == ED448_SA_MINOR ||
test_ctx.c_buff[idx+1] ==
ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR ||
test_ctx.c_buff[idx+1] ==
ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR ||
test_ctx.c_buff[idx+1] ==
ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR)
ExpectIntEQ(test_ctx.c_buff[idx], NEW_SA_MAJOR);
else
ExpectIntEQ(test_ctx.c_buff[idx+1], ecc_dsa_sa_algo);
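Review bot: Both calls in test_wolfSSL_sigalg_info pass a bare `1` for the new fourth argument of InitSuitesHashSigAlgo, so the test exercises only one setting and the call site does not say what the flag means. Assuming the argument gates the brainpool TLS 1.3 signature algorithms (its name is not visible here), add a run with `InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs, 1, 0, 0xFFFFFFFF, &len);` and assert that none of the three `ECDSA_BRAINPOOLP*TLS13_*_MINOR` values appears in the output; a negative case is what would catch a regression that advertises them unconditionally. In test_certreq_sighash_algos the new minors are only tolerated by the `NEW_SA_MAJOR` branch, so the loop passes whether or not they are advertised, and a presence check for the configured build would pin that. Both functions begin and end outside the hunks shown.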


@@ -49,7 +49,7 @@
-A ./certs/ecc/client-secp256k1-cert.pem
-V
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutal auth)
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutual auth)
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/ecc/client-secp256k1-cert.pem
@@ -65,7 +65,7 @@
-A ./certs/ecc/client-secp256k1-cert.pem
-V
# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutal auth)
# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutual auth)
-v 3
-l ECDH-ECDSA-AES128-GCM-SHA256
-c ./certs/ecc/client-secp256k1-cert.pem
@@ -73,7 +73,7 @@
-A ./certs/ecc/server-secp256k1-cert.pem
-C
# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutual auth)
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/ecc/server-secp256k1-cert.pem
@@ -81,7 +81,7 @@
-A ./certs/ecc/client-secp256k1-cert.pem
-V
# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutual auth)
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/ecc/client-secp256k1-cert.pem
@@ -140,7 +140,7 @@
-A ./certs/ecc/client-bp256r1-cert.pem
-V
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutal auth)
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (mutual auth)
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/ecc/client-bp256r1-cert.pem
@@ -156,7 +156,7 @@
-A ./certs/ecc/client-bp256r1-cert.pem
-V
# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutal auth)
# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 (static - mutual auth)
-v 3
-l ECDH-ECDSA-AES128-GCM-SHA256
-c ./certs/ecc/client-bp256r1-cert.pem
@@ -164,7 +164,7 @@
-A ./certs/ecc/server-bp256r1-cert.pem
-C
# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
# server TLSv1.3 TLS13-AES128-GCM-SHA256 (mutual auth)
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/ecc/server-bp256r1-cert.pem
@@ -172,7 +172,7 @@
-A ./certs/ecc/client-bp256r1-cert.pem
-V
# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutal auth)
# client TLSv1.3 TLS13-AES128-GCM-SHA256 (mutual auth)
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/ecc/client-bp256r1-cert.pem
@@ -211,7 +211,6 @@
--bpKs
-7 3
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256