fix: Increase received signature scheme limit

error/s2n_errno.c

@@ -201,7 +201,7 @@ static const char *no_such_error = "Internal s2n error";
     ERR_ENTRY(S2N_ERR_CLIENT_MODE, "Operation not allowed in client mode") \
     ERR_ENTRY(S2N_ERR_CLIENT_MODE_DISABLED, "client connections not allowed") \
     ERR_ENTRY(S2N_ERR_TOO_MANY_CERTIFICATES, "only 1 certificate is supported in client mode") \
-    ERR_ENTRY(S2N_ERR_TOO_MANY_SIGNATURE_SCHEMES, "Max supported length of SignatureAlgorithms/SignatureSchemes list is 32") \
+    ERR_ENTRY(S2N_ERR_TOO_MANY_SIGNATURE_SCHEMES, "Max supported length of SignatureAlgorithms/SignatureSchemes list is 128") \
     ERR_ENTRY(S2N_ERR_CLIENT_AUTH_NOT_SUPPORTED_IN_FIPS_MODE, "Client Auth is not supported when in FIPS mode") \
     ERR_ENTRY(S2N_ERR_INVALID_BASE64, "invalid base64 encountered") \
     ERR_ENTRY(S2N_ERR_INVALID_HEX, "invalid HEX encountered") \

tests/unit/s2n_connection_size_test.c

@@ -45,7 +45,7 @@ int main(int argc, char **argv)
     }
 
     /* Carefully consider any increases to this number. */
-    const uint16_t max_connection_size = 4350;
+    const uint16_t max_connection_size = 4478;
     const uint16_t min_connection_size = max_connection_size * 0.9;
 
     size_t connection_size = sizeof(struct s2n_connection);

tests/unit/s2n_signature_algorithms_test.c

@@ -1056,6 +1056,30 @@ int main(int argc, char **argv)
         };
     };
 
+    /* Test: Ensure that the maximum number of permitted signature schemes can be received. */
+    const uint16_t max_sig_schemes = TLS_SIGNATURE_SCHEME_LIST_MAX_LEN;
+    for (uint16_t count = max_sig_schemes - 1; count <= max_sig_schemes + 1; count++) {
+        DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT),
+                s2n_connection_ptr_free);
+        EXPECT_NOT_NULL(conn);
+
+        DEFER_CLEANUP(struct s2n_stuffer input = { 0 }, s2n_stuffer_free);
+        EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&input, 0));
+
+        uint16_t sig_scheme_list_size = count * TLS_SIGNATURE_SCHEME_LEN;
+        EXPECT_SUCCESS(s2n_stuffer_write_uint16(&input, sig_scheme_list_size));
+        for (size_t i = 0; i < count; i++) {
+            EXPECT_SUCCESS(s2n_stuffer_write_uint16(&input, s2n_rsa_pkcs1_sha256.iana_value));
+        }
+
+        int ret = s2n_recv_supported_sig_scheme_list(&input, &conn->handshake_params.server_sig_hash_algs);
+        if (count <= max_sig_schemes) {
+            EXPECT_SUCCESS(ret);
+        } else {
+            EXPECT_FAILURE_WITH_ERRNO(ret, S2N_ERR_TOO_MANY_SIGNATURE_SCHEMES);
+        }
+    }
+
     /* Test: send and receive default signature preferences */
     for (size_t i = S2N_TLS10; i < S2N_TLS13; i++) {
         DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT),

tls/s2n_tls_parameters.h

@@ -157,7 +157,7 @@
 #define TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512  0x080B
 
 #define TLS_SIGNATURE_SCHEME_LEN          2
-#define TLS_SIGNATURE_SCHEME_LIST_MAX_LEN 64
+#define TLS_SIGNATURE_SCHEME_LIST_MAX_LEN 128
 
 /* The TLS record types we support */
 #define SSLv2_CLIENT_HELLO     1