From 89fd0b375befd9b28c7b6a4065353fd30e36f405 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 20 Jan 2021 12:34:15 +0100 Subject: [PATCH] Correctly read anon cipher run-time options --- src/internal.c | 22 ++++++++++++++-------- src/ssl.c | 22 ++++++++++++++-------- src/tls13.c | 6 ++++-- wolfssl/internal.h | 4 +--- 4 files changed, 33 insertions(+), 21 deletions(-) diff --git a/src/internal.c b/src/internal.c index 366b442c7..178452af1 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2427,7 +2427,7 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, word16 havePSK, word16 haveDH, word16 haveNTRU, word16 haveECDSAsig, word16 haveECC, - word16 haveStaticECC, int side) + word16 haveStaticECC, word16 haveAnon, int side) { word16 idx = 0; int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; @@ -2449,6 +2449,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, (void)side; (void)haveRSA; /* some builds won't read */ (void)haveRSAsig; /* non ecc builds won't read */ + (void)haveAnon; /* anon ciphers optional */ if (suites == NULL) { WOLFSSL_MSG("InitSuites pointer error"); @@ -2668,14 +2669,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, #endif #ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - if (tls1_2 && haveDH) { + if (tls1_2 && haveDH && haveAnon) { suites->suites[idx++] = CIPHER_BYTE; suites->suites[idx++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; } #endif #ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveDH) { + if (tls1_2 && haveDH && haveAnon) { suites->suites[idx++] = CIPHER_BYTE; suites->suites[idx++] = TLS_DH_anon_WITH_AES_256_GCM_SHA384; } @@ -5339,13 +5340,15 @@ int InitSSL_Suites(WOLFSSL* ssl) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } else { InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, TRUE, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) @@ -27656,7 +27659,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } /* suite size */ @@ -27986,7 +27990,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } #ifdef OPENSSL_EXTRA @@ -28048,7 +28053,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } } #endif diff --git a/src/ssl.c b/src/ssl.c index 93b1f81eb..f8a86bcd5 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1792,7 +1792,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); @@ -4252,7 +4253,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); return WOLFSSL_SUCCESS; } @@ -5931,7 +5933,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } return WOLFSSL_SUCCESS; @@ -14482,7 +14485,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX* ctx, @@ -14516,7 +14520,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl) @@ -27593,9 +27598,10 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveDH, ssl->options.haveNTRU, + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); return ssl->options.mask; } diff --git a/src/tls13.c b/src/tls13.c index b2fd50f2f..f7a9e2c47 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -8197,7 +8197,8 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } @@ -8234,7 +8235,8 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } #endif diff --git a/wolfssl/internal.h b/wolfssl/internal.h index a2e6f2f96..5269bbd00 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1873,7 +1873,7 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, int haveAnon, int tls1_2, int keySz); WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, int, word16, word16, - word16, word16, word16, word16, word16, int); + word16, word16, word16, word16, word16, word16, int); WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites); WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list); @@ -3539,9 +3539,7 @@ typedef struct Options { #ifdef HAVE_POLY1305 word16 oldPoly:1; /* set when to use old rfc way of poly*/ #endif -#ifdef HAVE_ANON word16 haveAnon:1; /* User wants to allow Anon suites */ -#endif #ifdef HAVE_SESSION_TICKET word16 createTicket:1; /* Server to create new Ticket */ word16 useTicket:1; /* Use Ticket not session cache */