From afd0e5af4e8ca5a29b1d93269c31a277de73f97a Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 5 Jan 2024 14:03:14 +0100 Subject: [PATCH] Refactor haveAnon into useAnon (ctx->|ssl->options.)useAnon means that the user has signalled that they want anonymous ciphersuites --- src/internal.c | 39 +++++++++------------------------------ src/ssl.c | 18 +++++++++--------- src/tls13.c | 6 +++--- wolfssl/internal.h | 6 +++--- 4 files changed, 24 insertions(+), 45 deletions(-) diff --git a/src/internal.c b/src/internal.c index f9bff6a17..8c7b1950f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1254,7 +1254,7 @@ static int ExportOptions(WOLFSSL* ssl, byte* exp, word32 len, byte ver, exp[idx++] = 0; #endif #ifdef HAVE_ANON - exp[idx++] = options->haveAnon; + exp[idx++] = options->useAnon; #else exp[idx++] = 0; #endif @@ -1459,7 +1459,7 @@ static int ImportOptions(WOLFSSL* ssl, const byte* exp, word32 len, byte ver, idx++; #endif #ifdef HAVE_ANON - options->haveAnon = exp[idx++]; /* User wants to allow Anon suites */ + options->useAnon = exp[idx++]; /* User wants to allow Anon suites */ #else idx++; #endif @@ -6409,7 +6409,7 @@ void InitSSL_CTX_Suites(WOLFSSL_CTX* ctx) havePSK = ctx->havePSK; #endif /* NO_PSK */ #ifdef HAVE_ANON - haveAnon = ctx->haveAnon; + haveAnon = ctx->useAnon; #endif /* HAVE_ANON*/ #ifndef NO_CERTS keySz = ctx->privateKeySz; @@ -6442,7 +6442,7 @@ int InitSSL_Suites(WOLFSSL* ssl) #endif /* NO_PSK */ #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) #ifdef HAVE_ANON - haveAnon = (byte)ssl->options.haveAnon; + haveAnon = (byte)ssl->options.useAnon; #endif /* HAVE_ANON*/ #ifdef WOLFSSL_MULTICAST haveMcast = (byte)ssl->options.haveMcast; @@ -6472,7 +6472,7 @@ int InitSSL_Suites(WOLFSSL* ssl) havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, ssl->options.side); + ssl->options.useAnon, ssl->options.side); } #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) @@ -6692,7 +6692,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #endif #ifdef HAVE_ANON - ssl->options.haveAnon = ctx->haveAnon; + ssl->options.useAnon = ctx->useAnon; #endif #ifndef NO_DH ssl->options.minDhKeySz = ctx->minDhKeySz; @@ -26220,9 +26220,6 @@ int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, Suites* suites, ProtocolVersion version; int privateKeySz = 0; byte side; -#ifdef HAVE_ANON - byte haveAnon = 0; -#endif if (suites == NULL || list == NULL || (ctx == NULL && ssl == NULL)) { WOLFSSL_MSG("SetCipherList parameter error"); @@ -26325,9 +26322,6 @@ int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, Suites* suites, haveSig |= SIG_ANON; else haveSig &= ~SIG_ANON; - #ifdef HAVE_ANON - haveAnon = (haveSig & SIG_ANON) == SIG_ANON; - #endif haveRSA = 1; haveDH = 1; haveECC = 1; @@ -26350,9 +26344,6 @@ int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, Suites* suites, if (XSTRCMP(name, "HIGH") == 0 && allowing) { /* Disable static, anonymous, and null ciphers */ haveSig &= ~SIG_ANON; - #ifdef HAVE_ANON - haveAnon = 0; - #endif haveRSA = 1; haveDH = 1; haveECC = 1; @@ -26372,9 +26363,6 @@ int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, Suites* suites, haveSig |= SIG_ANON; else haveSig &= ~SIG_ANON; - #ifdef HAVE_ANON - haveAnon = allowing; - #endif if (allowing) { /* Allow RSA by default. */ if (!haveECC) @@ -26649,15 +26637,6 @@ int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, Suites* suites, suites->setSuites = 1; } -#ifdef HAVE_ANON - if (ret == 1) { - if (ctx != NULL) - ((WOLFSSL_CTX*)ctx)->haveAnon = haveAnon || haveSig | SIG_ANON; - else - ((WOLFSSL*)ssl)->options.haveAnon = haveAnon || haveSig | SIG_ANON; - } -#endif - return ret; } @@ -35344,7 +35323,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, - ssl->options.haveDilithiumSig, ssl->options.haveAnon, + ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE, ssl->options.side); } @@ -35735,7 +35714,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, - ssl->options.haveDilithiumSig, ssl->options.haveAnon, + ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE, ssl->options.side); } @@ -35813,7 +35792,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, - ssl->options.haveDilithiumSig, ssl->options.haveAnon, + ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE, ssl->options.side); } } diff --git a/src/ssl.c b/src/ssl.c index f87729eb8..8a1c5eb26 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3069,7 +3069,7 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); @@ -5330,7 +5330,7 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version) ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); return WOLFSSL_SUCCESS; } #endif /* !leanpsk */ @@ -7951,7 +7951,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } else if (ctx && resetSuites) { word16 havePSK = 0; @@ -7975,7 +7975,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, ctx->haveECC, TRUE, ctx->haveStaticECC, ctx->haveFalconSig, ctx->haveDilithiumSig, #ifdef HAVE_ANON - ctx->haveAnon, + ctx->useAnon, #else FALSE, #endif @@ -13107,7 +13107,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, (void)havePSK; #ifdef HAVE_ANON - haveAnon = ssl->options.haveAnon; + haveAnon = ssl->options.useAnon; #endif (void)haveAnon; @@ -15706,7 +15706,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } #ifdef OPENSSL_EXTRA /** @@ -15763,7 +15763,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl) @@ -15854,7 +15854,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (ctx == NULL) return WOLFSSL_FAILURE; - ctx->haveAnon = 1; + ctx->useAnon = 1; return WOLFSSL_SUCCESS; } @@ -21971,7 +21971,7 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } return ssl->options.mask; diff --git a/src/tls13.c b/src/tls13.c index 20f066f58..2195249f5 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -13486,7 +13486,7 @@ void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } /* Set the PSK callback that returns the cipher suite for a client to use @@ -13539,7 +13539,7 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } /* Set the PSK callback that returns the cipher suite for a server to use @@ -13589,7 +13589,7 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } /* Get name of first supported cipher suite that uses the hash indicated. diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 3e791ed45..05941408a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2339,7 +2339,7 @@ struct Suites { word16 hashSigAlgoSz; /* SigAlgo extension length in bytes */ byte suites[WOLFSSL_MAX_SUITE_SZ]; byte hashSigAlgo[WOLFSSL_MAX_SIGALGO]; /* sig/algo to offer */ - byte setSuites; /* user set suites from default */ + byte setSuites:1; /* user set suites from default */ }; typedef struct CipherSuite { @@ -3762,7 +3762,7 @@ struct WOLFSSL_CTX { word32 maxEarlyDataSz; #endif #ifdef HAVE_ANON - byte haveAnon; /* User wants to allow Anon suites */ + byte useAnon; /* User wants to allow Anon suites */ #endif /* HAVE_ANON */ #ifdef WOLFSSL_ENCRYPTED_KEYS wc_pem_password_cb* passwd_cb; @@ -4698,7 +4698,7 @@ struct Options { #ifdef HAVE_POLY1305 word16 oldPoly:1; /* set when to use old rfc way of poly*/ #endif - word16 haveAnon:1; /* User wants to allow Anon suites */ + word16 useAnon:1; /* User wants to allow Anon suites */ #ifdef HAVE_SESSION_TICKET word16 createTicket:1; /* Server to create new Ticket */ word16 useTicket:1; /* Use Ticket not session cache */