feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Correctly read anon cipher run-time options

Browse Source
This commit is contained in:
Juliusz Sosinowicz
2021-01-20 12:34:15 +01:00
parent 9265c3f71f
commit 89fd0b375b
4 changed files with 33 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/internal.c
View File

@@ -2427,7 +2427,7 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig,
void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
word16 havePSK, word16 haveDH, word16 haveNTRU, word16 havePSK, word16 haveDH, word16 haveNTRU,
word16 haveECDSAsig, word16 haveECC, word16 haveECDSAsig, word16 haveECC,
word16 haveStaticECC, int side) word16 haveStaticECC, word16 haveAnon, int side)
{ {
word16 idx = 0; word16 idx = 0;
int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
@@ -2449,6 +2449,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
(void)side; (void)side;
(void)haveRSA; /* some builds won't read */ (void)haveRSA; /* some builds won't read */
(void)haveRSAsig; /* non ecc builds won't read */ (void)haveRSAsig; /* non ecc builds won't read */
(void)haveAnon; /* anon ciphers optional */
if (suites == NULL) { if (suites == NULL) {
WOLFSSL_MSG("InitSuites pointer error"); WOLFSSL_MSG("InitSuites pointer error");
@@ -2668,14 +2669,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA #ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
if (tls1_2 && haveDH) { if (tls1_2 && haveDH && haveAnon) {
suites->suites[idx++] = CIPHER_BYTE; suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; suites->suites[idx++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
} }
#endif #endif
#ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384 #ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384
if (tls1_2 && haveDH) { if (tls1_2 && haveDH && haveAnon) {
suites->suites[idx++] = CIPHER_BYTE; suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_DH_anon_WITH_AES_256_GCM_SHA384; suites->suites[idx++] = TLS_DH_anon_WITH_AES_256_GCM_SHA384;
} }
@@ -5339,13 +5340,15 @@ int InitSSL_Suites(WOLFSSL* ssl)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
else { else {
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
TRUE, ssl->options.haveNTRU, TRUE, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
@@ -27656,7 +27659,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
/* suite size */ /* suite size */
@@ -27986,7 +27990,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
@@ -28048,7 +28053,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
} }
#endif #endif

22
src/ssl.c
View File

@@ -1792,7 +1792,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0);
@@ -4252,7 +4253,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
@@ -5931,7 +5933,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
havePSK, ssl->options.haveDH, ssl->options.haveNTRU, havePSK, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
@@ -14482,7 +14485,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX* ctx, void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX* ctx,
@@ -14516,7 +14520,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl) const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl)
@@ -27593,9 +27598,10 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END) if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
return ssl->options.mask; return ssl->options.mask;
} }

6
src/tls13.c
View File

@@ -8197,7 +8197,8 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
@@ -8234,7 +8235,8 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
} }
#endif #endif

4
wolfssl/internal.h
View File

@@ -1873,7 +1873,7 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig,
int haveRSAsig, int haveAnon, int haveRSAsig, int haveAnon,
int tls1_2, int keySz); int tls1_2, int keySz);
WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, int, word16, word16, WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, int, word16, word16,
word16, word16, word16, word16, word16, int); word16, word16, word16, word16, word16, word16, int);
WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites); WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites);
WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list); WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list);
@@ -3539,9 +3539,7 @@ typedef struct Options {
#ifdef HAVE_POLY1305 #ifdef HAVE_POLY1305
word16 oldPoly:1; /* set when to use old rfc way of poly*/ word16 oldPoly:1; /* set when to use old rfc way of poly*/
#endif #endif
#ifdef HAVE_ANON
word16 haveAnon:1; /* User wants to allow Anon suites */ word16 haveAnon:1; /* User wants to allow Anon suites */
#endif
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
word16 createTicket:1; /* Server to create new Ticket */ word16 createTicket:1; /* Server to create new Ticket */
word16 useTicket:1; /* Use Ticket not session cache */ word16 useTicket:1; /* Use Ticket not session cache */