From 6385999ae914f2bdbd6a16418a46cef1c79c7d47 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Fri, 9 May 2025 13:47:51 -0400 Subject: [PATCH 1/4] Recalculate suites at ssl initialization. --- src/internal.c | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/src/internal.c b/src/internal.c index 0a48149a7..e9d764422 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6922,13 +6922,33 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) /* If we are setting the ctx on an already initialized SSL object * then we possibly already have a side defined. Don't overwrite unless * the context has a well defined role. */ - if (newSSL || ctx->method->side != WOLFSSL_NEITHER_END) - ssl->options.side = (word16)(ctx->method->side); - ssl->options.downgrade = (word16)(ctx->method->downgrade); - ssl->options.minDowngrade = ctx->minDowngrade; - + if (newSSL || ctx->method->side != WOLFSSL_NEITHER_END) { + ssl->options.side = (word16)(ctx->method->side); + } + ssl->options.downgrade = (word16)(ctx->method->downgrade); + ssl->options.minDowngrade = ctx->minDowngrade; ssl->options.haveRSA = ctx->haveRSA; ssl->options.haveDH = ctx->haveDH; + /* Its possible that algorithm parameters were set in the ctx (ie: DH), + * recalculate cipher suites. */ + if (ssl->options.haveDH) { + if (ssl->suites == NULL) { + if (AllocateSuites(ssl) != 0) { + return MEMORY_E; + } + } + InitSuites(ssl->suites, ssl->version, ssl->buffers.keySz, + ssl->options.haveRSA, +#ifdef NO_PSK + 0, +#else + ctx->havePSK, +#endif + ssl->options.haveDH, + ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, + ssl->options.haveStaticECC, ssl->options.useAnon, + TRUE, TRUE, TRUE, TRUE, ssl->options.side); + } ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveECC = ctx->haveECC; ssl->options.haveStaticECC = ctx->haveStaticECC; From d45e42e2e60ed21b508052ff42f7616e419d7d69 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Mon, 12 May 2025 11:27:03 -0400 Subject: [PATCH 2/4] keySz is only in Buffers if NO_CERTS not defined. --- src/internal.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/internal.c b/src/internal.c index e9d764422..25cbc6d96 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6929,6 +6929,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->options.minDowngrade = ctx->minDowngrade; ssl->options.haveRSA = ctx->haveRSA; ssl->options.haveDH = ctx->haveDH; +#ifndef NO_CERTS /* Its possible that algorithm parameters were set in the ctx (ie: DH), * recalculate cipher suites. */ if (ssl->options.haveDH) { @@ -6949,6 +6950,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->options.haveStaticECC, ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side); } +#endif /* ! NO_CERTS */ ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveECC = ctx->haveECC; ssl->options.haveStaticECC = ctx->haveStaticECC; From 8c1298a1d87ad97f60f50c044c12abbba7cd9ebe Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Tue, 24 Jun 2025 09:59:12 -0400 Subject: [PATCH 3/4] Check if DH's P and G are set --- src/internal.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index 25cbc6d96..3826cb35c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6930,9 +6930,10 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->options.haveRSA = ctx->haveRSA; ssl->options.haveDH = ctx->haveDH; #ifndef NO_CERTS - /* Its possible that algorithm parameters were set in the ctx (ie: DH), - * recalculate cipher suites. */ - if (ssl->options.haveDH) { + /* Its possible that DH algorithm parameters were set in the ctx, recalc + * cipher suites. */ + if (ssl->options.haveDH && ctx->serverDH_P.buffer != NULL && + ctx->serverDH_G.buffer != NULL) { if (ssl->suites == NULL) { if (AllocateSuites(ssl) != 0) { return MEMORY_E; From 43df11c9c1cee1f61f8a7198c7d70f2cbbb71270 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Tue, 24 Jun 2025 10:37:26 -0400 Subject: [PATCH 4/4] Add gate on having DH --- src/internal.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index 3826cb35c..ed05df261 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6929,7 +6929,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->options.minDowngrade = ctx->minDowngrade; ssl->options.haveRSA = ctx->haveRSA; ssl->options.haveDH = ctx->haveDH; -#ifndef NO_CERTS +#if !defined(NO_CERTS) && !defined(NO_DH) /* Its possible that DH algorithm parameters were set in the ctx, recalc * cipher suites. */ if (ssl->options.haveDH && ctx->serverDH_P.buffer != NULL && @@ -6951,7 +6951,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->options.haveStaticECC, ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side); } -#endif /* ! NO_CERTS */ +#endif /* !NO_CERTS && !NO_DH */ ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveECC = ctx->haveECC; ssl->options.haveStaticECC = ctx->haveStaticECC;