Filter cipher list on TLS version change

Juliusz Sosinowicz
2024-04-02 18:19:28 +02:00
parent 06798ab8bf
commit 77a7297c42
3 changed files with 88 additions and 29 deletions


@@ -33507,6 +33507,24 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
}
/* search suites for specific one, idx on success, negative on error */
int FindSuite(const Suites* suites, byte first, byte second)
{
int i;
if (suites == NULL || suites->suiteSz == 0) {
WOLFSSL_MSG("Suites pointer error or suiteSz 0");
return SUITES_ERROR;
}
for (i = 0; i < suites->suiteSz-1; i += SUITE_LEN) {
if (suites->suites[i] == first &&
suites->suites[i+1] == second )
return i;
}
return MATCH_SUITE_ERROR;
}
#ifndef NO_WOLFSSL_SERVER
@@ -35426,30 +35444,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return ret;
}
#if defined(HAVE_SERVER_RENEGOTIATION_INFO) || defined(HAVE_FALLBACK_SCSV) || \
defined(OPENSSL_ALL)
/* search suites for specific one, idx on success, negative on error */
static int FindSuite(Suites* suites, byte first, byte second)
{
int i;
if (suites == NULL || suites->suiteSz == 0) {
WOLFSSL_MSG("Suites pointer error or suiteSz 0");
return SUITES_ERROR;
}
for (i = 0; i < suites->suiteSz-1; i += SUITE_LEN) {
if (suites->suites[i] == first &&
suites->suites[i+1] == second )
return i;
}
return MATCH_SUITE_ERROR;
}
#endif
#endif /* !WOLFSSL_NO_TLS12 */
/* Make sure server cert/key are valid for this suite, true on success
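Review bot: The preprocessor guards around the new position of `FindSuite` are not visible in this section, and they matter now that the function is called from `wolfSSL_set_options` in another file. The old copy sat just before `#endif /* !WOLFSSL_NO_TLS12 */`, and the hunk context is `DoSessionTicket`, so the new copy may still be inside a TLS 1.2-only or client-only block; if so, a build that compiles that block out would have a caller without a definition. Worth confirming with a TLS 1.3-only build, and extending the comment above the function to state which build options it depends on.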


@@ -15688,6 +15688,24 @@ static long wolf_set_options(long old_op, long op)
return old_op | op;
}
static int FindHashSig(const Suites* suites, byte first, byte second)
{
word16 i;
if (suites == NULL || suites->hashSigAlgoSz == 0) {
WOLFSSL_MSG("Suites pointer error or suiteSz 0");
return SUITES_ERROR;
}
for (i = 0; i < suites->hashSigAlgoSz-1; i += 2) {
if (suites->hashSigAlgo[i] == first &&
suites->hashSigAlgo[i+1] == second )
return i;
}
return MATCH_SUITE_ERROR;
}
long wolfSSL_set_options(WOLFSSL* ssl, long op)
{
word16 haveRSA = 1;
@@ -15703,21 +15721,25 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
ssl->options.mask = wolf_set_options(ssl->options.mask, op);
if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == WOLFSSL_OP_NO_TLSv1_3) {
WOLFSSL_MSG("Disabling TLS 1.3");
if (ssl->version.minor == TLSv1_3_MINOR)
ssl->version.minor = TLSv1_2_MINOR;
}
if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2) {
WOLFSSL_MSG("Disabling TLS 1.2");
if (ssl->version.minor == TLSv1_2_MINOR)
ssl->version.minor = TLSv1_1_MINOR;
}
if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == WOLFSSL_OP_NO_TLSv1_1) {
WOLFSSL_MSG("Disabling TLS 1.1");
if (ssl->version.minor == TLSv1_1_MINOR)
ssl->version.minor = TLSv1_MINOR;
}
if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == WOLFSSL_OP_NO_TLSv1) {
WOLFSSL_MSG("Disabling TLS 1.0");
if (ssl->version.minor == TLSv1_MINOR)
ssl->version.minor = SSLv3_MINOR;
}
@@ -15751,11 +15773,53 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
if (ssl->options.side != WOLFSSL_NEITHER_END) {
if (AllocateSuites(ssl) != 0)
return 0;
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
ssl->options.useAnon, TRUE, ssl->options.side);
if (!ssl->suites->setSuites) {
InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig,
ssl->options.haveDilithiumSig, ssl->options.useAnon,
TRUE, ssl->options.side);
}
else {
/* Only preserve overlapping suites */
Suites tmpSuites;
word16 in, out, haveECDSAsig = 0;
word16 haveStaticECC = ssl->options.haveStaticECC;
#ifdef NO_RSA
haveECDSAsig = 1;
haveStaticECC = 1;
#endif
XMEMSET(&tmpSuites, 0, sizeof(Suites));
/* Get all possible ciphers and sigalgs for the version. Following
* options limit the allowed ciphers so let's try to get as many as
* possible.
* - haveStaticECC turns off haveRSA
* - haveECDSAsig turns off haveRSAsig */
InitSuites(&tmpSuites, ssl->version, 0, 1, 1, 1, haveECDSAsig, 1, 1,
haveStaticECC, 1, 1, 1, 1, ssl->options.side);
for (in = 0, out = 0; in < ssl->suites->suiteSz; in += SUITE_LEN) {
if (FindSuite(&tmpSuites, ssl->suites->suites[in],
ssl->suites->suites[in+1]) >= 0) {
ssl->suites->suites[out] = ssl->suites->suites[in];
ssl->suites->suites[out+1] = ssl->suites->suites[in+1];
out += SUITE_LEN;
}
}
ssl->suites->suiteSz = out;
for (in = 0, out = 0; in < ssl->suites->hashSigAlgoSz; in += 2) {
if (FindHashSig(&tmpSuites, ssl->suites->hashSigAlgo[in],
ssl->suites->hashSigAlgo[in+1]) >= 0) {
ssl->suites->hashSigAlgo[out] =
ssl->suites->hashSigAlgo[in];
ssl->suites->hashSigAlgo[out+1] =
ssl->suites->hashSigAlgo[in+1];
out += 2;
}
}
ssl->suites->hashSigAlgoSz = out;
}
}
return ssl->options.mask;
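Review bot: When none of the user-set suites survive the filter in the new `else` branch, `ssl->suites->suiteSz` (and likewise `hashSigAlgoSz`) is set to 0 and `wolfSSL_set_options` still returns the mask, so the caller gets no sign that its cipher list is now empty. How an empty list is handled later is not visible here; at minimum a `if (out == 0) WOLFSSL_MSG("No configured suites valid for new version");` after the first loop would make the resulting handshake failure diagnosable. Both filter loops bound only `in` but read index `in+1`, unlike `FindSuite`, which stops at `suiteSz-1`; `in + 1 < ssl->suites->suiteSz` would keep them consistent. `FindHashSig` tests `hashSigAlgoSz` but logs the message copied from `FindSuite`; `WOLFSSL_MSG("Suites pointer error or hashSigAlgoSz 0");` would match the check, and the function lacks the one-line comment `FindSuite` has. The body of `wolfSSL_set_options` starts and ends outside the hunks shown.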


@@ -6419,6 +6419,7 @@ WOLFSSL_LOCAL int cipherExtraData(WOLFSSL* ssl);
WOLFSSL_LOCAL word32 LowResTimer(void);
WOLFSSL_LOCAL int FindSuiteSSL(const WOLFSSL* ssl, byte* suite);
WOLFSSL_LOCAL int FindSuite(const Suites* suites, byte first, byte second);
WOLFSSL_LOCAL void DecodeSigAlg(const byte* input, byte* hashAlgo,
byte* hsType);