wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

dtls13: enable hrr cookie by default

Browse Source
This commit is contained in:
Marco Oliverio
2022-08-26 12:25:54 +02:00
parent edd723cc84
commit 401cfbd8e4
3 changed files with 60 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
CMakeLists.txt
View File

@@ -275,38 +275,6 @@ if("${FIPS_VERSION}" STREQUAL "v1")
override_cache(WOLFSSL_TLS13 "no") override_cache(WOLFSSL_TLS13 "no")
endif() endif()
# DTLS v1.3
add_option("WOLFSSL_DTLS13"
"Enable wolfSSL DTLS v1.3 (default: disabled)"
"no" "yes;no")
if(WOLFSSL_DTLS13)
if (NOT WOLFSSL_DTLS)
message(FATAL_ERROR "DTLS13 requires DTLS")
endif()
if (NOT WOLFSSL_TLS13)
message(FATAL_ERROR "DTLS13 requires TLS13")
endif()
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS13")
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_W64_WRAPPER")
if (WOLFSSL_AES)
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_AES_DIRECT")
endif()
endif()
# DTLS ConnectionID support
add_option("WOLFSSL_DTLS_CID"
"Enables wolfSSL DTLS CID (default: disabled)"
"no" "yes;no")
if(WOLFSSL_DTLS_CID)
if(NOT WOLFSSL_DTLS13)
message(FATAL_ERROR "CID are supported only for DTLSv1.3")
endif()
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CID")
endif()
# Post-handshake authentication # Post-handshake authentication
add_option("WOLFSSL_POSTAUTH" add_option("WOLFSSL_POSTAUTH"
"Enable wolfSSL Post-handshake Authentication (default: disabled)" "Enable wolfSSL Post-handshake Authentication (default: disabled)"
@@ -325,9 +293,9 @@ endif()
# Hello Retry Request Cookie # Hello Retry Request Cookie
add_option("WOLFSSL_HRR_COOKIE" add_option("WOLFSSL_HRR_COOKIE"
"Enable the server to send Cookie Extension in HRR with state (default: disabled)" "Enable the server to send Cookie Extension in HRR with state (default: disabled)"
"no" "yes;no") "undefined" "yes;no;undefined")
if(WOLFSSL_HRR_COOKIE) if("${WOLFSSL_HRR_COOKIE}" STREQUAL "yes")
if(NOT WOLFSSL_TLS13) if(NOT WOLFSSL_TLS13)
message(WARNING "TLS 1.3 is disabled - disabling HRR Cookie") message(WARNING "TLS 1.3 is disabled - disabling HRR Cookie")
override_cache(WOLFSSL_HRR_COOKIE "no") override_cache(WOLFSSL_HRR_COOKIE "no")
@@ -337,6 +305,42 @@ if(WOLFSSL_HRR_COOKIE)
endif() endif()
endif() endif()
# DTLS v1.3
add_option("WOLFSSL_DTLS13"
"Enable wolfSSL DTLS v1.3 (default: disabled)"
"no" "yes;no")
if(WOLFSSL_DTLS13)
if (NOT WOLFSSL_DTLS)
message(FATAL_ERROR "DTLS13 requires DTLS")
endif()
if (NOT WOLFSSL_TLS13)
message(FATAL_ERROR "DTLS13 requires TLS13")
endif()
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS13")
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_W64_WRAPPER")
if ("${WOLFSSL_HRR_COOKIE}" STREQUAL "undefined")
message(WARNING "DTLS1.3 is enabled - enabling HRR Cookie")
override_cache(WOLFSSL_HRR_COOKIE "yes")
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SEND_HRR_COOKIE")
endif()
if (WOLFSSL_AES)
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_AES_DIRECT")
endif()
endif()
# DTLS ConnectionID support
add_option("WOLFSSL_DTLS_CID"
"Enables wolfSSL DTLS CID (default: disabled)"
"no" "yes;no")
if(WOLFSSL_DTLS_CID)
if(NOT WOLFSSL_DTLS13)
message(FATAL_ERROR "CID are supported only for DTLSv1.3")
endif()
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CID")
endif()
# RNG # RNG
add_option("WOLFSSL_RNG" add_option("WOLFSSL_RNG"
"Enable compiling and using RNG (default: enabled)" "Enable compiling and using RNG (default: enabled)"

8
configure.ac
View File

@@ -1078,7 +1078,7 @@ fi
AC_ARG_ENABLE([hrrcookie], AC_ARG_ENABLE([hrrcookie],
[AS_HELP_STRING([--enable-hrrcookie],[Enable the server to send Cookie Extension in HRR with state (default: disabled)])], [AS_HELP_STRING([--enable-hrrcookie],[Enable the server to send Cookie Extension in HRR with state (default: disabled)])],
[ ENABLED_SEND_HRR_COOKIE=$enableval ], [ ENABLED_SEND_HRR_COOKIE=$enableval ],
[ ENABLED_SEND_HRR_COOKIE=no ] [ ENABLED_SEND_HRR_COOKIE=undefined ]
) )
if test "$ENABLED_SEND_HRR_COOKIE" = "yes" if test "$ENABLED_SEND_HRR_COOKIE" = "yes"
then then
@@ -3753,6 +3753,12 @@ then
then then
AC_MSG_ERROR([You need to enable both DTLS and TLSv1.3 to use DTLSv1.3]) AC_MSG_ERROR([You need to enable both DTLS and TLSv1.3 to use DTLSv1.3])
fi fi
if test "x$ENABLED_SEND_HRR_COOKIE" == "xundefined"
then
AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling HRR cookie])
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEND_HRR_COOKIE"
ENABLED_SEND_HRR_COOKIE="yes"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS13 -DWOLFSSL_W64_WRAPPER" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS13 -DWOLFSSL_W64_WRAPPER"
if test "x$ENABLED_AES" = "xyes" if test "x$ENABLED_AES" = "xyes"
then then

11
src/internal.c
View File

@@ -6934,12 +6934,23 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER) #if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER)
if (ssl->options.dtls && ssl->options.side == WOLFSSL_SERVER_END) { if (ssl->options.dtls && ssl->options.side == WOLFSSL_SERVER_END) {
if (!IsAtLeastTLSv1_3(ssl->version)) {
ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0); ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0);
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("DTLS Cookie Secret error"); WOLFSSL_MSG("DTLS Cookie Secret error");
return ret; return ret;
} }
} }
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
else {
ret = wolfSSL_send_hrr_cookie(ssl, NULL, 0);
if (ret != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("DTLS1.3 Cookie secret error");
return ret;
}
}
#endif /* WOLFSSL_DTLS13 && WOLFSSL_SEND_HRR_COOKIE */
}
#endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */ #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */
#ifdef HAVE_SECRET_CALLBACK #ifdef HAVE_SECRET_CALLBACK