feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

refactor clSuites internal use, and check return values with setting PARAMS

Browse Source
This commit is contained in:
JacobBarthelmeh
2025-01-23 16:19:22 -07:00
parent 86ed94f2e3
commit 8ca979f892
3 changed files with 59 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
src/internal.c
View File

@@ -7787,9 +7787,13 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
/* pass on PARAM flags value from ctx to ssl */ /* pass on PARAM flags value from ctx to ssl */
wolfSSL_X509_VERIFY_PARAM_set_flags(wolfSSL_get0_param(ssl), if (wolfSSL_X509_VERIFY_PARAM_set_flags(wolfSSL_get0_param(ssl),
(unsigned long)wolfSSL_X509_VERIFY_PARAM_get_flags( (unsigned long)wolfSSL_X509_VERIFY_PARAM_get_flags(
wolfSSL_CTX_get0_param(ctx))); wolfSSL_CTX_get0_param(ctx))) != WOLFSSL_SUCCESS) {
XFREE(ssl->param, ssl->heap, DYNAMIC_TYPE_OPENSSL);
return WOLFSSL_FAILURE;
}
#endif #endif
if (ctx->suites == NULL) { if (ctx->suites == NULL) {
@@ -15015,18 +15019,18 @@ static int ProcessPeerCertsChainCRLCheck(WOLFSSL* ssl, ProcPeerCertArgs* args)
/* account for verify params flag set */ /* account for verify params flag set */
static int AdjustCMForParams(WOLFSSL* ssl) static int AdjustCMForParams(WOLFSSL* ssl)
{ {
int flags, ret = WOLFSSL_SUCCESS; int flags;
WOLFSSL_X509_VERIFY_PARAM* param; WOLFSSL_X509_VERIFY_PARAM* param;
param = wolfSSL_get0_param(ssl);
param = wolfSSL_get0_param(ssl);
flags = wolfSSL_X509_VERIFY_PARAM_get_flags(param); flags = wolfSSL_X509_VERIFY_PARAM_get_flags(param);
if ((flags & WOLFSSL_CRL_CHECK) == WOLFSSL_CRL_CHECK || /* For now there is a possible contradiction of PARAM flags and store flags.
(flags & WOLFSSL_CRL_CHECKALL) == WOLFSSL_CRL_CHECKALL) { * Do not disable CRL support if it has already been enabled with store. */
ret = wolfSSL_CertManagerEnableCRL(SSL_CM(ssl), flags & if (flags == 0) {
(WOLFSSL_CRL_CHECK | WOLFSSL_CRL_CHECKALL)); return WOLFSSL_SUCCESS;
} }
return ret; return wolfSSL_X509_STORE_set_flags(SSL_STORE(ssl), flags);
} }
#endif #endif
@@ -15100,7 +15104,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
/* account for verify params flag set */ /* account for verify params flag set */
AdjustCMForParams(ssl); if (AdjustCMForParams(ssl) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Issue with updating store flags from PARAMS set");
ERROR_OUT(WOLFSSL_FAILURE, exit_ppc);
}
#endif #endif
switch (ssl->options.asyncState) switch (ssl->options.asyncState)
@@ -37593,11 +37600,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
{ {
byte b; byte b;
ProtocolVersion pv; ProtocolVersion pv;
#if defined(WOLFSSL_SMALL_STACK) || defined(OPENSSL_EXTRA)
Suites* clSuites = NULL;
#else
Suites clSuites[1];
#endif
word32 i = *inOutIdx; word32 i = *inOutIdx;
word32 begin = i; word32 begin = i;
int ret = 0; int ret = 0;
@@ -37895,44 +37897,39 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
goto out; goto out;
} }
#if defined(WOLFSSL_SMALL_STACK) || defined(OPENSSL_EXTRA) XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
clSuites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, ssl->clSuites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
DYNAMIC_TYPE_SUITES); DYNAMIC_TYPE_SUITES);
if (clSuites == NULL) { if (ssl->clSuites == NULL) {
ret = MEMORY_E; ret = MEMORY_E;
goto out; goto out;
} }
#if defined(OPENSSL_EXTRA) XMEMSET(ssl->clSuites, 0, sizeof(Suites));
XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES); ato16(&input[i], &ssl->clSuites->suiteSz);
ssl->clSuites = clSuites;
#endif
#endif
XMEMSET(clSuites, 0, sizeof(Suites));
ato16(&input[i], &clSuites->suiteSz);
i += OPAQUE16_LEN; i += OPAQUE16_LEN;
/* Cipher suite lists are always multiples of two in length. */ /* Cipher suite lists are always multiples of two in length. */
if (clSuites->suiteSz % 2 != 0) { if (ssl->clSuites->suiteSz % 2 != 0) {
ret = BUFFER_ERROR; ret = BUFFER_ERROR;
goto out; goto out;
} }
/* suites and compression length check */ /* suites and compression length check */
if ((i - begin) + clSuites->suiteSz + OPAQUE8_LEN > helloSz) { if ((i - begin) + ssl->clSuites->suiteSz + OPAQUE8_LEN > helloSz) {
ret = BUFFER_ERROR; ret = BUFFER_ERROR;
goto out; goto out;
} }
if (clSuites->suiteSz > WOLFSSL_MAX_SUITE_SZ) { if (ssl->clSuites->suiteSz > WOLFSSL_MAX_SUITE_SZ) {
ret = BUFFER_ERROR; ret = BUFFER_ERROR;
goto out; goto out;
} }
XMEMCPY(clSuites->suites, input + i, clSuites->suiteSz); XMEMCPY(ssl->clSuites->suites, input + i, ssl->clSuites->suiteSz);
#ifdef HAVE_SERVER_RENEGOTIATION_INFO #ifdef HAVE_SERVER_RENEGOTIATION_INFO
/* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */ /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */
if (FindSuite(clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV) >= 0) { if (FindSuite(ssl->clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV) >= 0) {
TLSX* extension; TLSX* extension;
/* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */ /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */
@@ -37954,7 +37951,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif /* HAVE_SERVER_RENEGOTIATION_INFO */ #endif /* HAVE_SERVER_RENEGOTIATION_INFO */
#if defined(HAVE_FALLBACK_SCSV) || defined(OPENSSL_ALL) #if defined(HAVE_FALLBACK_SCSV) || defined(OPENSSL_ALL)
/* check for TLS_FALLBACK_SCSV suite */ /* check for TLS_FALLBACK_SCSV suite */
if (FindSuite(clSuites, TLS_FALLBACK_SCSV, 0) >= 0) { if (FindSuite(ssl->clSuites, TLS_FALLBACK_SCSV, 0) >= 0) {
WOLFSSL_MSG("Found Fallback SCSV"); WOLFSSL_MSG("Found Fallback SCSV");
if (ssl->ctx->method->version.minor > pv.minor) { if (ssl->ctx->method->version.minor > pv.minor) {
WOLFSSL_MSG("Client trying to connect with lesser version"); WOLFSSL_MSG("Client trying to connect with lesser version");
@@ -37965,8 +37962,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
} }
#endif #endif
i += clSuites->suiteSz; i += ssl->clSuites->suiteSz;
clSuites->hashSigAlgoSz = 0; ssl->clSuites->hashSigAlgoSz = 0;
/* compression length */ /* compression length */
b = input[i++]; b = input[i++];
@@ -38053,7 +38050,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef HAVE_TLS_EXTENSIONS #ifdef HAVE_TLS_EXTENSIONS
/* tls extensions */ /* tls extensions */
if ((ret = TLSX_Parse(ssl, input + i, totalExtSz, client_hello, if ((ret = TLSX_Parse(ssl, input + i, totalExtSz, client_hello,
clSuites))) ssl->clSuites)))
goto out; goto out;
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (TLSX_Find(ssl->extensions, if (TLSX_Find(ssl->extensions,
@@ -38109,15 +38106,16 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
goto out; goto out;
} }
clSuites->hashSigAlgoSz = hashSigAlgoSz; ssl->clSuites->hashSigAlgoSz = hashSigAlgoSz;
if (clSuites->hashSigAlgoSz > WOLFSSL_MAX_SIGALGO) { if (ssl->clSuites->hashSigAlgoSz >
WOLFSSL_MAX_SIGALGO) {
WOLFSSL_MSG("ClientHello SigAlgo list exceeds max, " WOLFSSL_MSG("ClientHello SigAlgo list exceeds max, "
"truncating"); "truncating");
clSuites->hashSigAlgoSz = WOLFSSL_MAX_SIGALGO; ssl->clSuites->hashSigAlgoSz = WOLFSSL_MAX_SIGALGO;
} }
XMEMCPY(clSuites->hashSigAlgo, &input[i], XMEMCPY(ssl->clSuites->hashSigAlgo, &input[i],
clSuites->hashSigAlgoSz); ssl->clSuites->hashSigAlgoSz);
i += hashSigAlgoSz; i += hashSigAlgoSz;
} }
@@ -38148,7 +38146,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
/* ProcessOld uses same resume code */ /* ProcessOld uses same resume code */
WOLFSSL_MSG_EX("ssl->options.resuming %d", ssl->options.resuming); WOLFSSL_MSG_EX("ssl->options.resuming %d", ssl->options.resuming);
if (ssl->options.resuming) { if (ssl->options.resuming) {
ret = HandleTlsResumption(ssl, clSuites); ret = HandleTlsResumption(ssl, ssl->clSuites);
if (ret != 0) if (ret != 0)
goto out; goto out;
@@ -38189,7 +38187,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ret = CertSetupCbWrapper(ssl); ret = CertSetupCbWrapper(ssl);
#endif #endif
if (ret == 0) if (ret == 0)
ret = MatchSuite(ssl, clSuites); ret = MatchSuite(ssl, ssl->clSuites);
#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \ #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \
!defined(WOLFSSL_AEAD_ONLY) !defined(WOLFSSL_AEAD_ONLY)
@@ -38207,8 +38205,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif #endif
out: out:
#if defined(WOLFSSL_SMALL_STACK) && !defined(OPENSSL_EXTRA) #if !defined(OPENSSL_EXTRA)
XFREE(clSuites, ssl->heap, DYNAMIC_TYPE_SUITES); XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
ssl->clSuites = NULL;
#endif #endif
WOLFSSL_LEAVE("DoClientHello", ret); WOLFSSL_LEAVE("DoClientHello", ret);
WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO); WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);

40
src/tls13.c
View File

@@ -6674,7 +6674,6 @@ static int DoTls13SupportedVersions(WOLFSSL* ssl, const byte* input, word32 i,
typedef struct Dch13Args { typedef struct Dch13Args {
ProtocolVersion pv; ProtocolVersion pv;
Suites* clSuites;
word32 idx; word32 idx;
word32 begin; word32 begin;
int usingPSK; int usingPSK;
@@ -6685,11 +6684,9 @@ static void FreeDch13Args(WOLFSSL* ssl, void* pArgs)
/* openssl compat builds hang on to the client suites until WOLFSSL object /* openssl compat builds hang on to the client suites until WOLFSSL object
* is destroyed */ * is destroyed */
#ifndef OPENSSL_EXTRA #ifndef OPENSSL_EXTRA
Dch13Args* args = (Dch13Args*)pArgs; if (ssl->clSuites) {
XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
if (args && args->clSuites) { ssl->clSuites = NULL;
XFREE(args->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
args->clSuites = NULL;
} }
#endif #endif
(void)ssl; (void)ssl;
@@ -6904,34 +6901,29 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
} }
#endif /* WOLFSSL_DTLS13 */ #endif /* WOLFSSL_DTLS13 */
args->clSuites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
ssl->clSuites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
DYNAMIC_TYPE_SUITES); DYNAMIC_TYPE_SUITES);
if (args->clSuites == NULL) { if (ssl->clSuites == NULL) {
ERROR_OUT(MEMORY_E, exit_dch); ERROR_OUT(MEMORY_E, exit_dch);
} }
#ifdef OPENSSL_EXTRA
/* hang on to client suites found and free the struct when WOLFSSL object
* is free'd */
XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
ssl->clSuites = args->clSuites;
#endif
/* Cipher suites */ /* Cipher suites */
if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz) if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
ERROR_OUT(BUFFER_ERROR, exit_dch); ERROR_OUT(BUFFER_ERROR, exit_dch);
ato16(&input[args->idx], &args->clSuites->suiteSz); ato16(&input[args->idx], &ssl->clSuites->suiteSz);
args->idx += OPAQUE16_LEN; args->idx += OPAQUE16_LEN;
if ((args->clSuites->suiteSz % 2) != 0) { if ((ssl->clSuites->suiteSz % 2) != 0) {
ERROR_OUT(INVALID_PARAMETER, exit_dch); ERROR_OUT(INVALID_PARAMETER, exit_dch);
} }
/* suites and compression length check */ /* suites and compression length check */
if ((args->idx - args->begin) + args->clSuites->suiteSz + OPAQUE8_LEN > helloSz) if ((args->idx - args->begin) + ssl->clSuites->suiteSz + OPAQUE8_LEN > helloSz)
ERROR_OUT(BUFFER_ERROR, exit_dch); ERROR_OUT(BUFFER_ERROR, exit_dch);
if (args->clSuites->suiteSz > WOLFSSL_MAX_SUITE_SZ) if (ssl->clSuites->suiteSz > WOLFSSL_MAX_SUITE_SZ)
ERROR_OUT(BUFFER_ERROR, exit_dch); ERROR_OUT(BUFFER_ERROR, exit_dch);
XMEMCPY(args->clSuites->suites, input + args->idx, args->clSuites->suiteSz); XMEMCPY(ssl->clSuites->suites, input + args->idx, ssl->clSuites->suiteSz);
args->idx += args->clSuites->suiteSz; args->idx += ssl->clSuites->suiteSz;
args->clSuites->hashSigAlgoSz = 0; ssl->clSuites->hashSigAlgoSz = 0;
/* Compression */ /* Compression */
b = input[args->idx++]; b = input[args->idx++];
@@ -6977,7 +6969,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
/* Parse extensions */ /* Parse extensions */
if ((ret = TLSX_Parse(ssl, input + args->idx, totalExtSz, client_hello, if ((ret = TLSX_Parse(ssl, input + args->idx, totalExtSz, client_hello,
args->clSuites))) { ssl->clSuites))) {
goto exit_dch; goto exit_dch;
} }
@@ -7037,7 +7029,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \ #if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
defined(HAVE_TLS_EXTENSIONS) defined(HAVE_TLS_EXTENSIONS)
ret = CheckPreSharedKeys(ssl, input + args->begin, helloSz, args->clSuites, ret = CheckPreSharedKeys(ssl, input + args->begin, helloSz, ssl->clSuites,
&args->usingPSK); &args->usingPSK);
if (ret != 0) if (ret != 0)
goto exit_dch; goto exit_dch;
@@ -7094,7 +7086,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif #endif
#ifndef NO_CERTS #ifndef NO_CERTS
if (!args->usingPSK) { if (!args->usingPSK) {
if ((ret = MatchSuite(ssl, args->clSuites)) < 0) { if ((ret = MatchSuite(ssl, ssl->clSuites)) < 0) {
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
if (ret != WC_NO_ERR_TRACE(WC_PENDING_E)) if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
#endif #endif

4
wolfssl/internal.h
View File

@@ -5785,9 +5785,7 @@ struct WOLFSSL {
* reusing the context's object. When WOLFSSL * reusing the context's object. When WOLFSSL
* object needs separate instance of suites use * object needs separate instance of suites use
* AllocateSuites(). */ * AllocateSuites(). */
#ifdef OPENSSL_EXTRA Suites* clSuites;
Suites* clSuites;
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
WOLF_STACK_OF(WOLFSSL_CIPHER)* suitesStack; /* stack of available cipher WOLF_STACK_OF(WOLFSSL_CIPHER)* suitesStack; /* stack of available cipher