forked from wolfSSL/wolfssl
always trust user override cipher suites
This commit is contained in:
Todd A Ouska
@@ -369,6 +369,7 @@ void InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method)
|
|||||||
ctx->haveECDSA = 1; /* always on cliet side */
|
ctx->haveECDSA = 1; /* always on cliet side */
|
||||||
/* server can turn on by loading key */
|
/* server can turn on by loading key */
|
||||||
#endif
|
#endif
|
||||||
|
ctx->suites.setSuites = 0; /* user hasn't set yet */
|
||||||
/* remove DH later if server didn't set, add psk later */
|
/* remove DH later if server didn't set, add psk later */
|
||||||
InitSuites(&ctx->suites, method->version, TRUE, FALSE, ctx->haveNTRU,
|
InitSuites(&ctx->suites, method->version, TRUE, FALSE, ctx->haveNTRU,
|
||||||
ctx->haveECDSA, method->side);
|
ctx->haveECDSA, method->side);
|
||||||
@@ -416,6 +417,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
|
|||||||
(void)havePSK;
|
(void)havePSK;
|
||||||
(void)haveNTRU;
|
(void)haveNTRU;
|
||||||
|
|
||||||
|
if (suites->setSuites)
|
||||||
|
return; /* trust user settings, don't override */
|
||||||
|
|
||||||
if (side == SERVER_END && haveECDSA)
|
if (side == SERVER_END && haveECDSA)
|
||||||
haveRSA = 0; /* can't do RSA with ECDSA cert */
|
haveRSA = 0; /* can't do RSA with ECDSA cert */
|
||||||
|
|
||||||
@@ -424,8 +428,6 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
|
|||||||
tls = 1;
|
tls = 1;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
suites->setSuites = 0; /* user hasn't set yet */
|
|
||||||
|
|
||||||
#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
|
#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
|
||||||
if (tls && haveNTRU && haveRSA) {
|
if (tls && haveNTRU && haveRSA) {
|
||||||
suites->suites[idx++] = 0;
|
suites->suites[idx++] = 0;
|
||||||
@@ -778,7 +780,6 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* make sure server has DH parms, and add PSK if there, add NTRU too */
|
/* make sure server has DH parms, and add PSK if there, add NTRU too */
|
||||||
if (!ssl->ctx->suites.setSuites) { /* trust user override */
|
|
||||||
if (ssl->options.side == SERVER_END)
|
if (ssl->options.side == SERVER_END)
|
||||||
InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK,
|
InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK,
|
||||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||||
@@ -787,7 +788,6 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
|
|||||||
InitSuites(&ssl->suites, ssl->version, TRUE, havePSK,
|
InitSuites(&ssl->suites, ssl->version, TRUE, havePSK,
|
||||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||||
ssl->ctx->method->side);
|
ssl->ctx->method->side);
|
||||||
}
|
|
||||||
|
|
||||||
ssl->rfd = -1; /* set to invalid descriptor */
|
ssl->rfd = -1; /* set to invalid descriptor */
|
||||||
ssl->wfd = -1;
|
ssl->wfd = -1;
|
||||||
|
|||||||
Reference in New Issue
Block a user