Allow SetCipherList to operate on SSL without modifying on SSL_CTX
This commit is contained in:
Juliusz Sosinowicz
parent
ac81d9d29c
commit
b8b847bbcf
@ -26198,7 +26198,8 @@ ciphersuites introduced through the "bulk" ciphersuites.
|
||||
|
||||
@return true on success, else false.
|
||||
*/
|
||||
int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, Suites* suites,
|
||||
const char* list)
|
||||
{
|
||||
int ret = 0;
|
||||
int idx = 0;
|
||||
@ -26216,25 +26217,38 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
const int suiteSz = GetCipherNamesSize();
|
||||
const char* next = list;
|
||||
|
||||
if (suites == NULL || list == NULL) {
|
||||
ProtocolVersion version;
|
||||
int privateKeySz = 0;
|
||||
byte side;
|
||||
#ifdef HAVE_ANON
|
||||
byte haveAnon = 0;
|
||||
#endif
|
||||
|
||||
if (suites == NULL || list == NULL || (ctx == NULL && ssl == NULL)) {
|
||||
WOLFSSL_MSG("SetCipherList parameter error");
|
||||
return 0;
|
||||
}
|
||||
|
||||
version = ctx != NULL ? ctx->method->version : ssl->version;
|
||||
#ifndef NO_CERTS
|
||||
privateKeySz = (int)(ctx != NULL ? ctx->privateKeySz : ssl->buffers.keySz);
|
||||
#endif
|
||||
side = (byte)(ctx != NULL ? ctx->method->side : ssl->options.side);
|
||||
|
||||
if (next[0] == 0 || XSTRCMP(next, "ALL") == 0 ||
|
||||
XSTRCMP(next, "DEFAULT") == 0 || XSTRCMP(next, "HIGH") == 0) {
|
||||
/* Add all ciphersuites except anonymous and null ciphers. Prefer RSA */
|
||||
#ifndef NO_RSA
|
||||
haveRSA = 1;
|
||||
#endif
|
||||
InitSuites(suites, ctx->method->version,
|
||||
InitSuites(suites, version,
|
||||
#ifndef NO_CERTS
|
||||
ctx->privateKeySz,
|
||||
privateKeySz,
|
||||
#else
|
||||
0,
|
||||
#endif
|
||||
haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 1, 1, 0, 0,
|
||||
ctx->method->side);
|
||||
side);
|
||||
return 1; /* wolfSSL default */
|
||||
}
|
||||
|
||||
@ -26312,7 +26326,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
else
|
||||
haveSig &= ~SIG_ANON;
|
||||
#ifdef HAVE_ANON
|
||||
ctx->haveAnon = (haveSig & SIG_ANON) == SIG_ANON;
|
||||
haveAnon = (haveSig & SIG_ANON) == SIG_ANON;
|
||||
#endif
|
||||
haveRSA = 1;
|
||||
haveDH = 1;
|
||||
@ -26337,7 +26351,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
/* Disable static, anonymous, and null ciphers */
|
||||
haveSig &= ~SIG_ANON;
|
||||
#ifdef HAVE_ANON
|
||||
ctx->haveAnon = 0;
|
||||
haveAnon = 0;
|
||||
#endif
|
||||
haveRSA = 1;
|
||||
haveDH = 1;
|
||||
@ -26359,7 +26373,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
else
|
||||
haveSig &= ~SIG_ANON;
|
||||
#ifdef HAVE_ANON
|
||||
ctx->haveAnon = allowing;
|
||||
haveAnon = allowing;
|
||||
#endif
|
||||
if (allowing) {
|
||||
/* Allow RSA by default. */
|
||||
@ -26474,7 +26488,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
|
||||
#ifdef WOLFSSL_DTLS
|
||||
/* don't allow stream ciphers with DTLS */
|
||||
if (ctx->method->version.major == DTLS_MAJOR) {
|
||||
if (version.major == DTLS_MAJOR) {
|
||||
if (XSTRSTR(name, "RC4"))
|
||||
{
|
||||
WOLFSSL_MSG("Stream ciphers not supported with DTLS");
|
||||
@ -26591,14 +26605,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
if (ret) {
|
||||
int keySz = 0;
|
||||
#ifndef NO_CERTS
|
||||
keySz = ctx->privateKeySz;
|
||||
keySz = privateKeySz;
|
||||
#endif
|
||||
#ifdef OPENSSL_EXTRA
|
||||
if (callInitSuites) {
|
||||
suites->setSuites = 0; /* Force InitSuites */
|
||||
suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call
|
||||
* inside InitSuites */
|
||||
InitSuites(suites, ctx->method->version, keySz, (word16)haveRSA,
|
||||
InitSuites(suites, version, keySz, (word16)haveRSA,
|
||||
(word16)havePSK, (word16)haveDH,
|
||||
(word16)((haveSig & SIG_ECDSA) != 0),
|
||||
(word16)haveECC, (word16)haveStaticRSA,
|
||||
@ -26606,7 +26620,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
(word16)((haveSig & SIG_FALCON) != 0),
|
||||
(word16)((haveSig & SIG_DILITHIUM) != 0),
|
||||
(word16)((haveSig & SIG_ANON) != 0),
|
||||
(word16)haveNull, ctx->method->side);
|
||||
(word16)haveNull, side);
|
||||
/* Restore user ciphers ahead of defaults */
|
||||
XMEMMOVE(suites->suites + idx, suites->suites,
|
||||
min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
|
||||
@ -26621,7 +26635,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
}
|
||||
|
||||
#ifdef HAVE_RENEGOTIATION_INDICATION
|
||||
if (ctx->method->side == WOLFSSL_CLIENT_END) {
|
||||
if (side == WOLFSSL_CLIENT_END) {
|
||||
if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) {
|
||||
WOLFSSL_MSG("Too many ciphersuites");
|
||||
return 0;
|
||||
@ -26635,7 +26649,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
||||
suites->setSuites = 1;
|
||||
}
|
||||
|
||||
(void)ctx;
|
||||
#ifdef HAVE_ANON
|
||||
if (ret == 1) {
|
||||
if (ctx != NULL)
|
||||
((WOLFSSL_CTX*)ctx)->haveAnon = haveAnon || haveSig | SIG_ANON;
|
||||
else
|
||||
((WOLFSSL*)ssl)->options.haveAnon = haveAnon || haveSig | SIG_ANON;
|
||||
}
|
||||
#endif
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
22
src/ssl.c
22
src/ssl.c
@ -1478,11 +1478,12 @@ WOLFSSL* wolfSSL_new(WOLFSSL_CTX* ctx)
|
||||
return ssl;
|
||||
|
||||
ssl = (WOLFSSL*) XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL);
|
||||
if (ssl)
|
||||
if (ssl) {
|
||||
if ( (ret = InitSSL(ssl, ctx, 0)) < 0) {
|
||||
FreeSSL(ssl, ctx->heap);
|
||||
ssl = 0;
|
||||
}
|
||||
}
|
||||
|
||||
WOLFSSL_LEAVE("wolfSSL_new", ret);
|
||||
(void)ret;
|
||||
@ -11837,8 +11838,8 @@ static int CheckcipherList(const char* list)
|
||||
*
|
||||
* returns WOLFSSL_SUCCESS on success and sets the cipher suite list
|
||||
*/
|
||||
static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
|
||||
const char* list)
|
||||
static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
|
||||
Suites* suites, const char* list)
|
||||
{
|
||||
int ret = 0;
|
||||
int listattribute = 0;
|
||||
@ -11863,7 +11864,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
|
||||
/* list has mixed(pre-TLSv13 and TLSv13) suites
|
||||
* update cipher suites the same as before
|
||||
*/
|
||||
return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS :
|
||||
return (SetCipherList(ctx, ssl, suites, list)) ? WOLFSSL_SUCCESS :
|
||||
WOLFSSL_FAILURE;
|
||||
}
|
||||
else if (listattribute == 1) {
|
||||
@ -11877,7 +11878,8 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
|
||||
* simulate set_ciphersuites() compatibility layer API
|
||||
*/
|
||||
tls13Only = 1;
|
||||
if (!IsAtLeastTLSv1_3(ctx->method->version)) {
|
||||
if ((ctx != NULL && !IsAtLeastTLSv1_3(ctx->method->version)) ||
|
||||
(ssl != NULL && !IsAtLeastTLSv1_3(ssl->version))) {
|
||||
/* Silently ignore TLS 1.3 ciphers if we don't support it. */
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
@ -11903,7 +11905,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
|
||||
XMEMCPY(suitesCpy, suites->suites, suites->suiteSz);
|
||||
suitesCpySz = suites->suiteSz;
|
||||
|
||||
ret = SetCipherList(ctx, suites, list);
|
||||
ret = SetCipherList(ctx, ssl, suites, list);
|
||||
if (ret != 1) {
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
XFREE(suitesCpy, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
@ -11967,9 +11969,9 @@ int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list)
|
||||
return WOLFSSL_FAILURE;
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
return wolfSSL_parse_cipher_list(ctx, ctx->suites, list);
|
||||
return wolfSSL_parse_cipher_list(ctx, NULL, ctx->suites, list);
|
||||
#else
|
||||
return (SetCipherList(ctx, ctx->suites, list)) ?
|
||||
return (SetCipherList(ctx, NULL, ctx->suites, list)) ?
|
||||
WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
|
||||
#endif
|
||||
}
|
||||
@ -12003,9 +12005,9 @@ int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list)
|
||||
return WOLFSSL_FAILURE;
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
return wolfSSL_parse_cipher_list(ssl->ctx, ssl->suites, list);
|
||||
return wolfSSL_parse_cipher_list(NULL, ssl, ssl->suites, list);
|
||||
#else
|
||||
return (SetCipherList(ssl->ctx, ssl->suites, list)) ?
|
||||
return (SetCipherList(NULL, ssl, ssl->suites, list)) ?
|
||||
WOLFSSL_SUCCESS :
|
||||
WOLFSSL_FAILURE;
|
||||
#endif
|
||||
|
||||
@ -2377,8 +2377,8 @@ typedef struct TLSX TLSX;
|
||||
WOLFSSL_LOCAL int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites,
|
||||
CipherSuite* cs, TLSX* extensions);
|
||||
WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites);
|
||||
WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites,
|
||||
const char* list);
|
||||
WOLFSSL_LOCAL int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl,
|
||||
Suites* suites, const char* list);
|
||||
WOLFSSL_LOCAL int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites,
|
||||
const byte* list, const int listSz);
|
||||
WOLFSSL_LOCAL int SetSuitesHashSigAlgo(Suites* suites, const char* list);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user