diff --git a/src/internal.c b/src/internal.c index 9122c43d2..9cf1023fe 100644 --- a/src/internal.c +++ b/src/internal.c @@ -19059,6 +19059,11 @@ const char* GetCipherKeaStr(char n[][MAX_SEGMENT_SZ]) { n3 = n[3]; n4 = n[4]; +#ifdef HAVE_NTRU + if (XSTRNCMP(n0,"NTRU",4) == 0) + return "NTRU"; +#endif + if (XSTRNCMP(n0,"ECDHE",5) == 0 && XSTRNCMP(n1,"PSK",3) == 0) keaStr = "ECDHEPSK"; else if (XSTRNCMP(n0,"ECDH",4) == 0) @@ -19094,6 +19099,11 @@ const char* GetCipherAuthStr(char n[][MAX_SEGMENT_SZ]) { n1 = n[1]; n2 = n[2]; +#ifdef HAVE_NTRU + if (XSTRNCMP(n0,"NTRU",4) == 0) + return "NTRU"; +#endif + if ((XSTRNCMP(n0,"AES128",6) == 0) || (XSTRNCMP(n0,"AES256",6) == 0) || ((XSTRNCMP(n0,"TLS13",5) == 0) && ((XSTRNCMP(n1,"AES128",6) == 0) || (XSTRNCMP(n1,"AES256",6) == 0) || (XSTRNCMP(n1,"CHACHA20",8) == 0))) || @@ -19158,10 +19168,13 @@ const char* GetCipherEncStr(char n[][MAX_SEGMENT_SZ]) { else if ((XSTRNCMP(n0,"CAMELLIA128",11) == 0) || (XSTRNCMP(n2,"CAMELLIA128",11) == 0)) encStr = "CAMELLIA(128)"; - else if ((XSTRNCMP(n0,"RC4",3) == 0) || (XSTRNCMP(n2,"RC4",3) == 0)) + else if ((XSTRNCMP(n0,"RC4",3) == 0) || (XSTRNCMP(n1,"RC4",3) == 0) || + (XSTRNCMP(n2,"RC4",3) == 0)) encStr = "RC4"; - else if (((XSTRNCMP(n0,"DES",3) == 0) || (XSTRNCMP(n2,"DES",3) == 0)) && - ((XSTRNCMP(n1,"CBC3",4) == 0) || (XSTRNCMP(n3,"CBC3",4) == 0))) + else if (((XSTRNCMP(n0,"DES",3) == 0) || (XSTRNCMP(n1,"DES",3) == 0) || + (XSTRNCMP(n2,"DES",3) == 0)) && + ((XSTRNCMP(n1,"CBC3",4) == 0) || (XSTRNCMP(n2,"CBC3",4) == 0) || + (XSTRNCMP(n3,"CBC3",4) == 0))) encStr = "3DES"; else if ((XSTRNCMP(n1,"CHACHA20",8) == 0 && XSTRNCMP(n2,"POLY1305",8) == 0) || (XSTRNCMP(n2,"CHACHA20",8) == 0 && XSTRNCMP(n3,"POLY1305",8) == 0)) diff --git a/src/ssl.c b/src/ssl.c index 70574db35..1403acbbc 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -43501,6 +43501,25 @@ unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line, #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) + +/* Is the specified cipher suite a fake one used an an extension proxy? */ +static WC_INLINE int SCSV_Check(byte suite0, byte suite) +{ + (void)suite0; + (void)suite; +#ifdef HAVE_RENEGOTIATION_INDICATION + if (suite0 == CIPHER_BYTE && suite == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) + return 1; +#endif +#ifdef BUILD_TLS_QSH + /* This isn't defined as a SCSV, but it acts like one. */ + if (suite0 == QSH_BYTE && suite == TLS_QSH) + return 1; +#endif + return 0; +} + + /* returns a pointer to internal cipher suite list. Should not be free'd by * caller. */ @@ -43532,7 +43551,15 @@ WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl) int j; #endif for (i = 0; i < suites->suiteSz; i+=2) { - WOLFSSL_STACK* add = wolfSSL_sk_new_node(ssl->heap); + WOLFSSL_STACK* add; + + /* A couple of suites are placeholders for special options, + * skip those. */ + if (SCSV_Check(suites->suites[i], suites->suites[i+1])) { + continue; + } + + add = wolfSSL_sk_new_node(ssl->heap); if (add != NULL) { add->type = STACK_TYPE_CIPHER; add->data.cipher.cipherSuite0 = suites->suites[i]; diff --git a/tests/api.c b/tests/api.c index 866000ecb..6a7c75474 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33329,8 +33329,7 @@ static void test_wolfSSL_X509V3_EXT_print(void) }; int* n; - printf(testingFmt, "wolfSSL_X509V3_EXT_print"); - AssertNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); + AssertNotNull(bio = BIO_new_fp(stdout, BIO_NOCLOSE)); AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFileExt, WOLFSSL_FILETYPE_PEM)); diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 8a81754e9..fee483566 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -11087,7 +11087,7 @@ static int decodedCertCache_test(void) /* load cert.der */ file = XFOPEN(certDerFile, "rb"); if (file != NULL) { - derSz = XFREAD(der, 1, FOURK_BUF, file); + derSz = (word32)XFREAD(der, 1, FOURK_BUF, file); XFCLOSE(file); } else