From 3c5b402740fdcfdf0044bb6d23074ce46e030b97 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Wed, 6 Dec 2023 14:08:53 -0500 Subject: [PATCH 1/2] Make sure to send SCSV when application sets ciphersuites --- src/internal.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index 81bc5376d..dd671afbb 100644 --- a/src/internal.c +++ b/src/internal.c @@ -26104,8 +26104,6 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) #endif #ifdef OPENSSL_EXTRA if (callInitSuites) { - byte tmp[WOLFSSL_MAX_SUITE_SZ]; - XMEMCPY(tmp, suites->suites, idx); /* Store copy */ suites->setSuites = 0; /* Force InitSuites */ suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call * inside InitSuites */ @@ -26130,6 +26128,16 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) InitSuitesHashSigAlgo_ex2(suites->hashSigAlgo, haveSig, 1, keySz, &suites->hashSigAlgoSz); } + +#ifdef HAVE_RENEGOTIATION_INDICATION + if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) { + WOLFSSL_MSG("Too many ciphersuites"); + return 0; + } + suites->suites[suites->suiteSz] = CIPHER_BYTE; + suites->suites[suites->suiteSz+1] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV; + suites->suiteSz += 2; +#endif suites->setSuites = 1; } @@ -26265,6 +26273,15 @@ int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites, const byte* list, haveSig |= haveAnon ? SIG_ANON : 0; InitSuitesHashSigAlgo_ex2(suites->hashSigAlgo, haveSig, 1, keySz, &suites->hashSigAlgoSz); +#ifdef HAVE_RENEGOTIATION_INDICATION + if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) { + WOLFSSL_MSG("Too many ciphersuites"); + return 0; + } + suites->suites[suites->suiteSz] = CIPHER_BYTE; + suites->suites[suites->suiteSz+1] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV; + suites->suiteSz += 2; +#endif suites->setSuites = 1; } From 9fda21748ac50145a2a2c0597237f1b471fd47c3 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Thu, 7 Dec 2023 14:05:33 -0500 Subject: [PATCH 2/2] for clients only --- src/internal.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/src/internal.c b/src/internal.c index dd671afbb..1d2f8eb92 100644 --- a/src/internal.c +++ b/src/internal.c @@ -26130,13 +26130,16 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) } #ifdef HAVE_RENEGOTIATION_INDICATION - if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) { - WOLFSSL_MSG("Too many ciphersuites"); - return 0; + if (ctx->method->side == WOLFSSL_CLIENT_END) { + if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) { + WOLFSSL_MSG("Too many ciphersuites"); + return 0; + } + suites->suites[suites->suiteSz] = CIPHER_BYTE; + suites->suites[suites->suiteSz+1] = + TLS_EMPTY_RENEGOTIATION_INFO_SCSV; + suites->suiteSz += 2; } - suites->suites[suites->suiteSz] = CIPHER_BYTE; - suites->suites[suites->suiteSz+1] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV; - suites->suiteSz += 2; #endif suites->setSuites = 1; } @@ -26274,13 +26277,16 @@ int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites, const byte* list, InitSuitesHashSigAlgo_ex2(suites->hashSigAlgo, haveSig, 1, keySz, &suites->hashSigAlgoSz); #ifdef HAVE_RENEGOTIATION_INDICATION - if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) { - WOLFSSL_MSG("Too many ciphersuites"); - return 0; + if (ctx->method->side == WOLFSSL_CLIENT_END) { + if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) { + WOLFSSL_MSG("Too many ciphersuites"); + return 0; + } + suites->suites[suites->suiteSz] = CIPHER_BYTE; + suites->suites[suites->suiteSz+1] = + TLS_EMPTY_RENEGOTIATION_INFO_SCSV; + suites->suiteSz += 2; } - suites->suites[suites->suiteSz] = CIPHER_BYTE; - suites->suites[suites->suiteSz+1] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV; - suites->suiteSz += 2; #endif suites->setSuites = 1; }