feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Enable strict cipher suite checking by default. Changed to enable by default and can be disabled using WOLFSSL_NO_STRICT_CIPHER_SUITE.

Browse Source
This commit is contained in:
David Garske
2019-08-16 10:20:25 -07:00
parent e75417fde1
commit eb68ad162b
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/internal.c
View File

@ -18172,14 +18172,15 @@ exit_dpk:
ssl->options.cipherSuite = cs1; ssl->options.cipherSuite = cs1;
compression = input[i++]; compression = input[i++];
#ifdef WOLFSSL_STRICT_CIPHER_SUITE #ifndef WOLFSSL_NO_STRICT_CIPHER_SUITE
{ {
word32 idx, found = 0; word32 idx, found = 0;
/* confirm server_hello cipher suite is one sent in client_hello */ /* confirm server_hello cipher suite is one sent in client_hello */
for (idx = 0; idx < ssl->suites->suiteSz; idx += 2) { for (idx = 0; idx < ssl->suites->suiteSz; idx += 2) {
if (ssl->suites->suites[idx] == cs0 && if (ssl->suites->suites[idx] == cs0 &&
ssl->suites->suites[idx+1] == cs1) { ssl->suites->suites[idx+1] == cs1) {
found = idx; found = 1;
break;
} }
} }
if (!found) { if (!found) {
@ -18187,7 +18188,7 @@ exit_dpk:
return MATCH_SUITE_ERROR; return MATCH_SUITE_ERROR;
} }
} }
#endif #endif /* !WOLFSSL_NO_STRICT_CIPHER_SUITE */
if (compression != NO_COMPRESSION && !ssl->options.usingCompression) { if (compression != NO_COMPRESSION && !ssl->options.usingCompression) {
WOLFSSL_MSG("Server forcing compression w/o support"); WOLFSSL_MSG("Server forcing compression w/o support");