wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 19:54:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2404 from dgarske/strict_cipher

Browse Source 
Added strict cipher suite check on client server_hello processing
This commit is contained in:
toddouska
2019-08-23 12:42:57 -07:00
committed by GitHub
parent 681de3e41a eb68ad162b
commit 1bad2bed3c
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/internal.c
View File

@@ -18270,6 +18270,24 @@ exit_dpk:
ssl->options.cipherSuite = cs1; ssl->options.cipherSuite = cs1;
compression = input[i++]; compression = input[i++];
#ifndef WOLFSSL_NO_STRICT_CIPHER_SUITE
{
word32 idx, found = 0;
/* confirm server_hello cipher suite is one sent in client_hello */
for (idx = 0; idx < ssl->suites->suiteSz; idx += 2) {
if (ssl->suites->suites[idx] == cs0 &&
ssl->suites->suites[idx+1] == cs1) {
found = 1;
break;
}
}
if (!found) {
WOLFSSL_MSG("ServerHello did not use cipher suite from ClientHello");
return MATCH_SUITE_ERROR;
}
}
#endif /* !WOLFSSL_NO_STRICT_CIPHER_SUITE */
if (compression != NO_COMPRESSION && !ssl->options.usingCompression) { if (compression != NO_COMPRESSION && !ssl->options.usingCompression) {
WOLFSSL_MSG("Server forcing compression w/o support"); WOLFSSL_MSG("Server forcing compression w/o support");
return COMPRESSION_ERROR; return COMPRESSION_ERROR;