wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 03:34:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #815 from toddouska/switchcerts

Browse Source 
better handling of TLS layer switching out CTX layer keys/certs
This commit is contained in:
JacobBarthelmeh
2017-03-27 15:57:58 -06:00
committed by GitHub
parent d8261796a6 a7c131c0a1
commit 9c8574111e
2 changed files with 59 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/internal.c
View File

@@ -1961,7 +1961,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
if (tls1_2 && haveRSAsig) { if (tls1_2 && haveRSA) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256; suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
} }
@@ -1989,7 +1989,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
if (tls1_2 && haveRSAsig) { if (tls1_2 && haveRSA) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384; suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384;
} }
@@ -5911,8 +5911,6 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
if (requirement == REQUIRES_RSA) if (requirement == REQUIRES_RSA)
return 1; return 1;
if (requirement == REQUIRES_RSA_SIG)
return 1;
break; break;
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :

72
src/ssl.c
View File

@@ -4114,6 +4114,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
int ret = 0; int ret = 0;
int eccKey = 0; int eccKey = 0;
int rsaKey = 0; int rsaKey = 0;
int resetSuites = 0;
void* heap = ctx ? ctx->heap : ((ssl) ? ssl->heap : NULL); void* heap = ctx ? ctx->heap : ((ssl) ? ssl->heap : NULL);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
EncryptedInfo* info = NULL; EncryptedInfo* info = NULL;
@@ -4338,6 +4339,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} else { } else {
/* check that the size of the RSA key is enough */ /* check that the size of the RSA key is enough */
int RsaSz = wc_RsaEncryptSize((RsaKey*)key); int RsaSz = wc_RsaEncryptSize((RsaKey*)key);
if (ssl) { if (ssl) {
if (RsaSz < ssl->options.minRsaKeySz) { if (RsaSz < ssl->options.minRsaKeySz) {
ret = RSA_KEY_SIZE_E; ret = RSA_KEY_SIZE_E;
@@ -4352,6 +4354,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
rsaKey = 1; rsaKey = 1;
(void)rsaKey; /* for no ecc builds */ (void)rsaKey; /* for no ecc builds */
if (ssl && ssl->options.side == WOLFSSL_SERVER_END) {
ssl->options.haveStaticECC = 0;
resetSuites = 1;
}
} }
} }
@@ -4396,10 +4403,16 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
wc_ecc_free(&key); wc_ecc_free(&key);
eccKey = 1; eccKey = 1;
if (ctx) if (ssl) {
ctx->haveStaticECC = 1;
if (ssl)
ssl->options.haveStaticECC = 1; ssl->options.haveStaticECC = 1;
}
else if (ctx) {
ctx->haveStaticECC = 1;
}
if (ssl && ssl->options.side == WOLFSSL_SERVER_END) {
resetSuites = 1;
}
} }
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
} }
@@ -4428,16 +4441,25 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif #endif
return SSL_BAD_FILE; return SSL_BAD_FILE;
} }
if (ssl && ssl->options.side == WOLFSSL_SERVER_END) {
resetSuites = 1;
}
if (ssl && ssl->ctx->haveECDSAsig) {
WOLFSSL_MSG("SSL layer setting cert, CTX had ECDSA, turning off");
ssl->options.haveECDSAsig = 0; /* may turn back on next */
}
switch (cert->signatureOID) { switch (cert->signatureOID) {
case CTC_SHAwECDSA: case CTC_SHAwECDSA:
case CTC_SHA256wECDSA: case CTC_SHA256wECDSA:
case CTC_SHA384wECDSA: case CTC_SHA384wECDSA:
case CTC_SHA512wECDSA: case CTC_SHA512wECDSA:
WOLFSSL_MSG("ECDSA cert signature"); WOLFSSL_MSG("ECDSA cert signature");
if (ctx)
ctx->haveECDSAsig = 1;
if (ssl) if (ssl)
ssl->options.haveECDSAsig = 1; ssl->options.haveECDSAsig = 1;
else if (ctx)
ctx->haveECDSAsig = 1;
break; break;
default: default:
WOLFSSL_MSG("Not ECDSA cert signature"); WOLFSSL_MSG("Not ECDSA cert signature");
@@ -4445,16 +4467,6 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
#ifdef HAVE_ECC #ifdef HAVE_ECC
if (ctx) {
ctx->pkCurveOID = cert->pkCurveOID;
#ifndef WC_STRICT_SIG
if (cert->keyOID == ECDSAk) {
ctx->haveECC = 1;
}
#else
ctx->haveECC = ctx->haveECDSAsig;
#endif
}
if (ssl) { if (ssl) {
ssl->pkCurveOID = cert->pkCurveOID; ssl->pkCurveOID = cert->pkCurveOID;
#ifndef WC_STRICT_SIG #ifndef WC_STRICT_SIG
@@ -4465,6 +4477,16 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
ssl->options.haveECC = ssl->options.haveECDSAsig; ssl->options.haveECC = ssl->options.haveECDSAsig;
#endif #endif
} }
else if (ctx) {
ctx->pkCurveOID = cert->pkCurveOID;
#ifndef WC_STRICT_SIG
if (cert->keyOID == ECDSAk) {
ctx->haveECC = 1;
}
#else
ctx->haveECC = ctx->haveECDSAsig;
#endif
}
#endif #endif
/* check key size of cert unless specified not to */ /* check key size of cert unless specified not to */
@@ -4521,6 +4543,26 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
} }
if (ssl && resetSuites) {
word16 havePSK = 0;
word16 haveRSA = 0;
#ifndef NO_PSK
if (ssl->options.havePSK) {
havePSK = 1;
}
#endif
#ifndef NO_RSA
haveRSA = 1;
#endif
/* let's reset suites */
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
}
return SSL_SUCCESS; return SSL_SUCCESS;
} }