diff --git a/cyassl/internal.h b/cyassl/internal.h
index a2ee9e048..711ed864b 100644
--- a/cyassl/internal.h
+++ b/cyassl/internal.h
@@ -2066,6 +2066,8 @@ CYASSL_LOCAL int IsAtLeastTLSv1_2(const CYASSL* ssl);
 CYASSL_LOCAL void FreeHandshakeResources(CYASSL* ssl);
 CYASSL_LOCAL void ShrinkInputBuffer(CYASSL* ssl, int forcedFree);
 CYASSL_LOCAL void ShrinkOutputBuffer(CYASSL* ssl);
+
+CYASSL_LOCAL int VerifyClientSuite(CYASSL* ssl);
 #ifndef NO_CERTS
 CYASSL_LOCAL Signer* GetCA(void* cm, byte* hash);
 #ifndef NO_SKID
diff --git a/src/internal.c b/src/internal.c
index 4f2ab78ac..c83a3090d 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -9945,18 +9945,40 @@ static void PickHashSigAlgo(CYASSL* ssl,
 }
+ /* Make sure client setup is valid for this suite, true on success */
+ int VerifyClientSuite(CYASSL* ssl)
+ {
+ int havePSK = 0;
+ byte first = ssl->options.cipherSuite0;
+ byte second = ssl->options.cipherSuite;
+
+ CYASSL_ENTER("VerifyClientSuite");
+
+ #ifndef NO_PSK
+ havePSK = ssl->options.havePSK;
+ #endif
+
+ if (CipherRequires(first, second, REQUIRES_PSK)) {
+ CYASSL_MSG("Requires PSK");
+ if (havePSK == 0) {
+ CYASSL_MSG("Don't have PSK");
+ return 0;
+ }
+ }
+
+ return 1; /* success */
+ }
-
- /* Make sure cert/key are valid for this suite, true on success */
- static int VerifySuite(CYASSL* ssl, word16 idx)
+ /* Make sure server cert/key are valid for this suite, true on success */
+ static int VerifyServerSuite(CYASSL* ssl, word16 idx)
 {
 int haveRSA = !ssl->options.haveStaticECC;
 int havePSK = 0;
 byte first;
 byte second;
- CYASSL_ENTER("VerifySuite");
+ CYASSL_ENTER("VerifyServerSuite");
 if (ssl->suites == NULL) {
 CYASSL_MSG("Suites pointer error");
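Review bot: VerifyClientSuite only tests the PSK requirement of the pair already stored in `ssl->options.cipherSuite0` / `ssl->options.cipherSuite`; it never compares that pair with the list the client itself offered (`ssl->suites`). A suite chosen by the peer that was not in the client's offer would therefore still return 1 here. If that membership check is not already done where the server's choice is parsed (not visible in this diff), it belongs there or in this function. Either way the header comment should state the limit, for example `/* Checks suite requirements only (currently PSK); does not check that the suite was offered by this client */`. Unlike VerifyServerSuite, the new function also dereferences `ssl` without a null or `ssl->suites` check, which is fine only if every caller guarantees a valid object.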
@@ -10061,7 +10083,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 if (ssl->suites->suites[i] == peerSuites->suites[j] &&
 ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) {
- if (VerifySuite(ssl, i)) {
+ if (VerifyServerSuite(ssl, i)) {
 int result;
 CYASSL_MSG("Verified suite validity");
 ssl->options.cipherSuite0 = ssl->suites->suites[i];
diff --git a/src/keys.c b/src/keys.c
index af0ef5b19..c14d40bd1 100644
--- a/src/keys.c
+++ b/src/keys.c
@@ -39,6 +39,13 @@
 int SetCipherSpecs(CYASSL* ssl)
 {
+ if (ssl->options.side == CYASSL_CLIENT_END) {
+ /* server side verified before SetCipherSpecs call */
+ if (VerifyClientSuite(ssl) != 1) {
+ CYASSL_MSG("SetCipherSpecs() client has an unusuable suite");
+ return UNSUPPORTED_SUITE;
+ }
+ }
 /* ECC extensions, or AES-CCM */
 if (ssl->options.cipherSuite0 == ECC_BYTE) {
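Review bot: The log string in the new client-side check in SetCipherSpecs misspells "unusable", so anyone searching debug logs for this rejection will miss it; suggest `CYASSL_MSG("SetCipherSpecs() client has an unusable suite");`. The call to VerifyClientSuite is compiled unconditionally, while its definition in src/internal.c sits next to the server-side VerifyServerSuite. If that region is under a server-only build guard (not visible in this diff), a client-only build would fail to link, so confirm that the definition and this call are compiled under the same conditions. The body of SetCipherSpecs continues beyond the hunk.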