harden SSL config and session
@@ -10069,11 +10069,21 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
|
||||
#ifdef WOLFSSL_DTLS
|
||||
ssl->options.dtlsStateful = 0;
|
||||
#endif
|
||||
#ifdef WOLFSSL_TLS13
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
ssl->options.noPskDheKe = 0;
|
||||
#ifdef HAVE_SUPPORTED_CURVES
|
||||
ssl->options.onlyPskDheKe = 0;
|
||||
#endif
|
||||
if (ssl->ctx != NULL) {
|
||||
ssl->options.noPskDheKe = ssl->ctx->noPskDheKe;
|
||||
#ifdef HAVE_SUPPORTED_CURVES
|
||||
ssl->options.onlyPskDheKe = ssl->ctx->onlyPskDheKe;
|
||||
#endif
|
||||
}
|
||||
else {
|
||||
ssl->options.noPskDheKe = 0;
|
||||
#ifdef HAVE_SUPPORTED_CURVES
|
||||
ssl->options.onlyPskDheKe = 0;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
#ifdef WOLFSSL_TLS13
|
||||
|
||||
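Review bot: The block starting at `if (ssl->ctx != NULL)` has no comment saying why the PSK key-exchange flags are re-read from the context instead of being zeroed, and that reason is the security-relevant part of the change. A line such as `/* Re-inherit the CTX PSK key-exchange policy so resetting the object does not drop a DHE-only requirement. */` above the `if` would record it. The `else` arm falls back to `onlyPskDheKe = 0`, which, going by the field name, permits PSK without (EC)DHE again, so it is worth confirming that `ssl->ctx` cannot be NULL on this path. The repeated `#ifdef HAVE_SUPPORTED_CURVES` guards could shrink to one by assigning `ssl->options.onlyPskDheKe = (ssl->ctx != NULL) ? ssl->ctx->onlyPskDheKe : 0;`. The enclosing function starts and ends outside the hunk, so whether other CTX-inherited options are zeroed in the same reset cannot be checked from here.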
+7
-4
@@ -5513,10 +5513,13 @@ int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX* ctx)
|
||||
ret = 1;
|
||||
}
|
||||
#else
|
||||
/* OpenSSL's implementation of this API does not require loading the
|
||||
* system CA cert directory. Allow skipping this without erroring out.
|
||||
*/
|
||||
ret = 1;
|
||||
/* No source available: SSL_CERT_DIR/SSL_CERT_FILE not set and
|
||||
* WOLFSSL_SYS_CA_CERTS not compiled in. Returning success would be
|
||||
* fail-open since no trust anchors were loaded. */
|
||||
WOLFSSL_MSG("wolfSSL_CTX_set_default_verify_paths: no CA source "
|
||||
"available (build without WOLFSSL_SYS_CA_CERTS and no "
|
||||
"SSL_CERT_DIR/SSL_CERT_FILE env)");
|
||||
ret = WOLFSSL_FAILURE;
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
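Review bot: The context lines directly above `#else` still end in `ret = 1;`, so the other preprocessor branch may still report success in a case where no trust anchors were loaded. The condition guarding that assignment is outside the hunk and should be checked against the same fail-open reasoning this change applies to the `#else` branch. Callers written against OpenSSL that call this function unconditionally and then load their own CA file will now see `WOLFSSL_FAILURE` in builds without system CA support, so the API documentation should state the new return contract. For consistency with the new `ret = WOLFSSL_FAILURE;`, the literal above could be written as `ret = WOLFSSL_SUCCESS;`.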
@@ -1598,8 +1598,12 @@ int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
|
||||
#if !defined(OPENSSL_EXTRA) || !defined(WOLFSSL_ERROR_CODE_OPENSSL)
|
||||
return WOLFSSL_FAILURE; /* session timed out */
|
||||
#else /* defined(OPENSSL_EXTRA) && defined(WOLFSSL_ERROR_CODE_OPENSSL) */
|
||||
/* Return success for OpenSSL compatibility but do not carry the
|
||||
* expired session's version/cipher into ssl state, which would
|
||||
* otherwise pin the ClientHello to stale values. */
|
||||
WOLFSSL_MSG("Session is expired but return success for "
|
||||
"OpenSSL compatibility");
|
||||
return WOLFSSL_SUCCESS;
|
||||
#endif
|
||||
}
|
||||
ssl->options.resuming = 1;
|
||||
|
||||
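Review bot: The early `return WOLFSSL_SUCCESS;` skips `ssl->options.resuming = 1;`, but if the session was already copied into the `ssl` object earlier in wolfSSL_SetSession, the expired session data stays attached after a call that reported success. The function body starts outside the hunk, so this cannot be confirmed here; if it holds, the path should either clear that state or say in the comment that it is left in place deliberately. The function documentation should also state that with OPENSSL_EXTRA and WOLFSSL_ERROR_CODE_OPENSSL a success return does not mean resumption will be attempted, since the caller has no other signal. The log text could say the same, for example `"Session is expired; not resuming, returning success for OpenSSL compatibility"`.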
Reference in New Issue
Block a user