mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #7084 from julek-wolfssl/set-cipher-ssl

Browse Source 
Allow SetCipherList to operate on SSL without modifying on SSL_CTX
This commit is contained in:
Sean Parkinson 2024-01-22 07:31:22 +10:00 committed by GitHub
commit b0d64b419d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 83 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
src/internal.c
View File

@ -1254,7 +1254,7 @@ static int ExportOptions(WOLFSSL* ssl, byte* exp, word32 len, byte ver,
exp[idx++] = 0;
#endif
#ifdef HAVE_ANON
exp[idx++] = options->haveAnon;
exp[idx++] = options->useAnon;
#else
exp[idx++] = 0;
#endif
@ -1459,7 +1459,7 @@ static int ImportOptions(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
idx++;
#endif
#ifdef HAVE_ANON
options->haveAnon = exp[idx++]; /* User wants to allow Anon suites */
options->useAnon = exp[idx++]; /* User wants to allow Anon suites */
#else
idx++;
#endif
@ -6409,7 +6409,7 @@ void InitSSL_CTX_Suites(WOLFSSL_CTX* ctx)
havePSK = ctx->havePSK;
#endif /* NO_PSK */
#ifdef HAVE_ANON
haveAnon = ctx->haveAnon;
haveAnon = ctx->useAnon;
#endif /* HAVE_ANON*/
#ifndef NO_CERTS
keySz = ctx->privateKeySz;
@ -6442,7 +6442,7 @@ int InitSSL_Suites(WOLFSSL* ssl)
#endif /* NO_PSK */
#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
#ifdef HAVE_ANON
haveAnon = (byte)ssl->options.haveAnon;
haveAnon = (byte)ssl->options.useAnon;
#endif /* HAVE_ANON*/
#ifdef WOLFSSL_MULTICAST
haveMcast = (byte)ssl->options.haveMcast;
@ -6472,7 +6472,7 @@ int InitSSL_Suites(WOLFSSL* ssl)
havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, ssl->options.side);
ssl->options.useAnon, ssl->options.side);
}
#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
@ -6692,7 +6692,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
#endif
#ifdef HAVE_ANON
ssl->options.haveAnon = ctx->haveAnon;
ssl->options.useAnon = ctx->useAnon;
#endif
#ifndef NO_DH
ssl->options.minDhKeySz = ctx->minDhKeySz;
@ -26198,7 +26198,8 @@ ciphersuites introduced through the "bulk" ciphersuites.
@return true on success, else false.
*/
int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
static int ParseCipherList(Suites* suites,
const char* list, ProtocolVersion version, int privateKeySz, byte side)
{
int ret = 0;
int idx = 0;
@ -26227,14 +26228,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
#ifndef NO_RSA
haveRSA = 1;
#endif
InitSuites(suites, ctx->method->version,
InitSuites(suites, version,
#ifndef NO_CERTS
ctx->privateKeySz,
privateKeySz,
#else
0,
#endif
haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 1, 1, 0, 0,
ctx->method->side);
side);
return 1; /* wolfSSL default */
}
@ -26311,9 +26312,6 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
haveSig |= SIG_ANON;
else
haveSig &= ~SIG_ANON;
#ifdef HAVE_ANON
ctx->haveAnon = (haveSig & SIG_ANON) == SIG_ANON;
#endif
haveRSA = 1;
haveDH = 1;
haveECC = 1;
@ -26336,9 +26334,6 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
if (XSTRCMP(name, "HIGH") == 0 && allowing) {
/* Disable static, anonymous, and null ciphers */
haveSig &= ~SIG_ANON;
#ifdef HAVE_ANON
ctx->haveAnon = 0;
#endif
haveRSA = 1;
haveDH = 1;
haveECC = 1;
@ -26358,9 +26353,6 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
haveSig |= SIG_ANON;
else
haveSig &= ~SIG_ANON;
#ifdef HAVE_ANON
ctx->haveAnon = allowing;
#endif
if (allowing) {
/* Allow RSA by default. */
if (!haveECC)
@ -26474,7 +26466,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
#ifdef WOLFSSL_DTLS
/* don't allow stream ciphers with DTLS */
if (ctx->method->version.major == DTLS_MAJOR) {
if (version.major == DTLS_MAJOR) {
if (XSTRSTR(name, "RC4"))
{
WOLFSSL_MSG("Stream ciphers not supported with DTLS");
@ -26591,14 +26583,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
if (ret) {
int keySz = 0;
#ifndef NO_CERTS
keySz = ctx->privateKeySz;
keySz = privateKeySz;
#endif
#ifdef OPENSSL_EXTRA
if (callInitSuites) {
suites->setSuites = 0; /* Force InitSuites */
suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call
* inside InitSuites */
InitSuites(suites, ctx->method->version, keySz, (word16)haveRSA,
InitSuites(suites, version, keySz, (word16)haveRSA,
(word16)havePSK, (word16)haveDH,
(word16)((haveSig & SIG_ECDSA) != 0),
(word16)haveECC, (word16)haveStaticRSA,
@ -26606,7 +26598,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
(word16)((haveSig & SIG_FALCON) != 0),
(word16)((haveSig & SIG_DILITHIUM) != 0),
(word16)((haveSig & SIG_ANON) != 0),
(word16)haveNull, ctx->method->side);
(word16)haveNull, side);
/* Restore user ciphers ahead of defaults */
XMEMMOVE(suites->suites + idx, suites->suites,
min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
@ -26621,7 +26613,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
}
#ifdef HAVE_RENEGOTIATION_INDICATION
if (ctx->method->side == WOLFSSL_CLIENT_END) {
if (side == WOLFSSL_CLIENT_END) {
if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) {
WOLFSSL_MSG("Too many ciphersuites");
return 0;
@ -26635,11 +26627,44 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
suites->setSuites = 1;
}
(void)ctx;
return ret;
}
int SetCipherList_ex(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl,
Suites* suites, const char* list)
{
ProtocolVersion version;
int privateKeySz = 0;
byte side;
if (ctx != NULL) {
version = ctx->method->version;
#ifndef NO_CERTS
privateKeySz = ctx->privateKeySz;
#endif
side = ctx->method->side;
}
else if (ssl != NULL) {
version = ssl->version;
#ifndef NO_CERTS
privateKeySz = ssl->buffers.keySz;
#endif
side = (byte)ssl->options.side;
}
else {
WOLFSSL_MSG("SetCipherList_ex parameter error");
return 0;
}
return ParseCipherList(suites, list, version, privateKeySz, side);
}
int SetCipherList(const WOLFSSL_CTX* ctx, Suites* suites,
const char* list)
{
return SetCipherList_ex(ctx, NULL, suites, list);
}
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_SET_CIPHER_BYTES)
int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites, const byte* list,
const int listSz)
@ -35323,7 +35348,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig,
ssl->options.haveDilithiumSig, ssl->options.haveAnon,
ssl->options.haveDilithiumSig, ssl->options.useAnon,
TRUE, ssl->options.side);
}
@ -35714,7 +35739,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig,
ssl->options.haveDilithiumSig, ssl->options.haveAnon,
ssl->options.haveDilithiumSig, ssl->options.useAnon,
TRUE, ssl->options.side);
}
@ -35792,7 +35817,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig,
ssl->options.haveDilithiumSig, ssl->options.haveAnon,
ssl->options.haveDilithiumSig, ssl->options.useAnon,
TRUE, ssl->options.side);
}
}

38
src/ssl.c
View File

@ -1478,11 +1478,12 @@ WOLFSSL* wolfSSL_new(WOLFSSL_CTX* ctx)
return ssl;
ssl = (WOLFSSL*) XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL);
if (ssl)
if (ssl) {
if ( (ret = InitSSL(ssl, ctx, 0)) < 0) {
FreeSSL(ssl, ctx->heap);
ssl = 0;
}
}
WOLFSSL_LEAVE("wolfSSL_new", ret);
(void)ret;
@ -3068,7 +3069,7 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, TRUE, ssl->options.side);
ssl->options.useAnon, TRUE, ssl->options.side);
}
WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0);
@ -5329,7 +5330,7 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, TRUE, ssl->options.side);
ssl->options.useAnon, TRUE, ssl->options.side);
return WOLFSSL_SUCCESS;
}
#endif /* !leanpsk */
@ -7950,7 +7951,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, TRUE, ssl->options.side);
ssl->options.useAnon, TRUE, ssl->options.side);
}
else if (ctx && resetSuites) {
word16 havePSK = 0;
@ -7974,7 +7975,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
ctx->haveECC, TRUE, ctx->haveStaticECC,
ctx->haveFalconSig, ctx->haveDilithiumSig,
#ifdef HAVE_ANON
ctx->haveAnon,
ctx->useAnon,
#else
FALSE,
#endif
@ -11837,8 +11838,8 @@ static int CheckcipherList(const char* list)
*
* returns WOLFSSL_SUCCESS on success and sets the cipher suite list
*/
static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
const char* list)
static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
Suites* suites, const char* list)
{
int ret = 0;
int listattribute = 0;
@ -11863,7 +11864,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
/* list has mixed(pre-TLSv13 and TLSv13) suites
* update cipher suites the same as before
*/
return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS :
return (SetCipherList_ex(ctx, ssl, suites, list)) ? WOLFSSL_SUCCESS :
WOLFSSL_FAILURE;
}
else if (listattribute == 1) {
@ -11877,7 +11878,8 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
* simulate set_ciphersuites() compatibility layer API
*/
tls13Only = 1;
if (!IsAtLeastTLSv1_3(ctx->method->version)) {
if ((ctx != NULL && !IsAtLeastTLSv1_3(ctx->method->version)) ||
(ssl != NULL && !IsAtLeastTLSv1_3(ssl->version))) {
/* Silently ignore TLS 1.3 ciphers if we don't support it. */
return WOLFSSL_SUCCESS;
}
@ -11903,7 +11905,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
XMEMCPY(suitesCpy, suites->suites, suites->suiteSz);
suitesCpySz = suites->suiteSz;
ret = SetCipherList(ctx, suites, list);
ret = SetCipherList_ex(ctx, ssl, suites, list);
if (ret != 1) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(suitesCpy, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -11967,7 +11969,7 @@ int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list)
return WOLFSSL_FAILURE;
#ifdef OPENSSL_EXTRA
return wolfSSL_parse_cipher_list(ctx, ctx->suites, list);
return wolfSSL_parse_cipher_list(ctx, NULL, ctx->suites, list);
#else
return (SetCipherList(ctx, ctx->suites, list)) ?
WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
@ -12003,9 +12005,9 @@ int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list)
return WOLFSSL_FAILURE;
#ifdef OPENSSL_EXTRA
return wolfSSL_parse_cipher_list(ssl->ctx, ssl->suites, list);
return wolfSSL_parse_cipher_list(NULL, ssl, ssl->suites, list);
#else
return (SetCipherList(ssl->ctx, ssl->suites, list)) ?
return (SetCipherList_ex(NULL, ssl, ssl->suites, list)) ?
WOLFSSL_SUCCESS :
WOLFSSL_FAILURE;
#endif
@ -13105,7 +13107,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
(void)havePSK;
#ifdef HAVE_ANON
haveAnon = ssl->options.haveAnon;
haveAnon = ssl->options.useAnon;
#endif
(void)haveAnon;
@ -15704,7 +15706,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, TRUE, ssl->options.side);
ssl->options.useAnon, TRUE, ssl->options.side);
}
#ifdef OPENSSL_EXTRA
/**
@ -15761,7 +15763,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, TRUE, ssl->options.side);
ssl->options.useAnon, TRUE, ssl->options.side);
}
const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl)
@ -15852,7 +15854,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
if (ctx == NULL)
return WOLFSSL_FAILURE;
ctx->haveAnon = 1;
ctx->useAnon = 1;
return WOLFSSL_SUCCESS;
}
@ -21971,7 +21973,7 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, TRUE, ssl->options.side);
ssl->options.useAnon, TRUE, ssl->options.side);
}
return ssl->options.mask;

6
src/tls13.c
View File

@ -13486,7 +13486,7 @@ void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, TRUE, ssl->options.side);
ssl->options.useAnon, TRUE, ssl->options.side);
}
/* Set the PSK callback that returns the cipher suite for a client to use
@ -13539,7 +13539,7 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, TRUE, ssl->options.side);
ssl->options.useAnon, TRUE, ssl->options.side);
}
/* Set the PSK callback that returns the cipher suite for a server to use
@ -13589,7 +13589,7 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.haveAnon, TRUE, ssl->options.side);
ssl->options.useAnon, TRUE, ssl->options.side);
}
/* Get name of first supported cipher suite that uses the hash indicated.

10
wolfssl/internal.h
View File

@ -2339,7 +2339,7 @@ struct Suites {
word16 hashSigAlgoSz; /* SigAlgo extension length in bytes */
byte suites[WOLFSSL_MAX_SUITE_SZ];
byte hashSigAlgo[WOLFSSL_MAX_SIGALGO]; /* sig/algo to offer */
byte setSuites; /* user set suites from default */
byte setSuites:1; /* user set suites from default */
};
typedef struct CipherSuite {
@ -2377,7 +2377,9 @@ typedef struct TLSX TLSX;
WOLFSSL_LOCAL int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites,
CipherSuite* cs, TLSX* extensions);
WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites);
WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites,
WOLFSSL_LOCAL int SetCipherList_ex(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl,
Suites* suites, const char* list);
WOLFSSL_LOCAL int SetCipherList(const WOLFSSL_CTX* ctx, Suites* suites,
const char* list);
WOLFSSL_LOCAL int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites,
const byte* list, const int listSz);
@ -3762,7 +3764,7 @@ struct WOLFSSL_CTX {
word32 maxEarlyDataSz;
#endif
#ifdef HAVE_ANON
byte haveAnon; /* User wants to allow Anon suites */
byte useAnon; /* User wants to allow Anon suites */
#endif /* HAVE_ANON */
#ifdef WOLFSSL_ENCRYPTED_KEYS
wc_pem_password_cb* passwd_cb;
@ -4698,7 +4700,7 @@ struct Options {
#ifdef HAVE_POLY1305
word16 oldPoly:1; /* set when to use old rfc way of poly*/
#endif
word16 haveAnon:1; /* User wants to allow Anon suites */
word16 useAnon:1; /* User wants to allow Anon suites */
#ifdef HAVE_SESSION_TICKET
word16 createTicket:1; /* Server to create new Ticket */
word16 useTicket:1; /* Use Ticket not session cache */