Merge pull request #6528 from kareem-wolfssl/trustedCaKeys

Fix trusted_ca_keys, refactor MAX_X509_SIZE
wolfSSL · Jun 22, 2023 · fb35526 · fb35526
2 parents 8473275 + e6017dc
commit fb35526
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 11 deletions.
diff --git a/src/tls.c b/src/tls.c
@@ -13203,15 +13203,16 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType,
  #endif
 
 #ifdef WOLFSSL_TLS13
+ /* RFC 8446 4.2.4 states trusted_ca_keys is not used
+ in TLS 1.3. */
  if (IsAtLeastTLSv1_3(ssl->version)) {
- if (msgType != client_hello &&
- msgType != encrypted_extensions)
- return EXT_NOT_ALLOWED;
+ return EXT_NOT_ALLOWED;
  }
  else
 #endif
  {
- if (msgType != client_hello)
+ if (msgType != client_hello &&
+ msgType != server_hello)
  return EXT_NOT_ALLOWED;
  }
  ret = TCA_PARSE(ssl, input + offset, size, isRequest);

diff --git a/wolfssl/internal.h b/wolfssl/internal.h
@@ -1737,13 +1737,6 @@ enum Misc {
  MAX_WOLFSSL_FILE_SIZE = 1024UL * 1024UL * 4, /* 4 mb file size alloc limit */
 #endif
 
-#if defined(HAVE_PQC)
- MAX_X509_SIZE = 8*1024, /* max static x509 buffer size; dilithium is big */
-#elif defined(WOLFSSL_HAPROXY)
- MAX_X509_SIZE = 3072, /* max static x509 buffer size */
-#else
- MAX_X509_SIZE = 2048, /* max static x509 buffer size */
-#endif
  CERT_MIN_SIZE = 256, /* min PEM cert size with header/footer */
 
  NO_SNIFF = 0, /* not sniffing */
@@ -1876,6 +1869,15 @@ enum Misc {
 #define SESSIDX_IDX_MASK 0x0F
 #endif
 
+#ifndef MAX_X509_SIZE
+ #if defined(HAVE_PQC)
+ #define MAX_X509_SIZE (8*1024) /* max static x509 buffer size; dilithium is big */
+ #elif defined(WOLFSSL_HAPROXY)
+ #define MAX_X509_SIZE 3072 /* max static x509 buffer size */
+ #else
+ #define MAX_X509_SIZE 2048 /* max static x509 buffer size */
+ #endif
+#endif
 
 /* max cert chain peer depth */
 #ifndef MAX_CHAIN_DEPTH