diff --git a/src/internal.c b/src/internal.c index 2c3e9a52f..757e5c750 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1254,7 +1254,7 @@ static int ExportOptions(WOLFSSL* ssl, byte* exp, word32 len, byte ver, exp[idx++] = 0; #endif #ifdef HAVE_ANON - exp[idx++] = options->haveAnon; + exp[idx++] = options->useAnon; #else exp[idx++] = 0; #endif @@ -1459,7 +1459,7 @@ static int ImportOptions(WOLFSSL* ssl, const byte* exp, word32 len, byte ver, idx++; #endif #ifdef HAVE_ANON - options->haveAnon = exp[idx++]; /* User wants to allow Anon suites */ + options->useAnon = exp[idx++]; /* User wants to allow Anon suites */ #else idx++; #endif @@ -6409,7 +6409,7 @@ void InitSSL_CTX_Suites(WOLFSSL_CTX* ctx) havePSK = ctx->havePSK; #endif /* NO_PSK */ #ifdef HAVE_ANON - haveAnon = ctx->haveAnon; + haveAnon = ctx->useAnon; #endif /* HAVE_ANON*/ #ifndef NO_CERTS keySz = ctx->privateKeySz; @@ -6442,7 +6442,7 @@ int InitSSL_Suites(WOLFSSL* ssl) #endif /* NO_PSK */ #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) #ifdef HAVE_ANON - haveAnon = (byte)ssl->options.haveAnon; + haveAnon = (byte)ssl->options.useAnon; #endif /* HAVE_ANON*/ #ifdef WOLFSSL_MULTICAST haveMcast = (byte)ssl->options.haveMcast; @@ -6472,7 +6472,7 @@ int InitSSL_Suites(WOLFSSL* ssl) havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, ssl->options.side); + ssl->options.useAnon, ssl->options.side); } #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) @@ -6692,7 +6692,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #endif #ifdef HAVE_ANON - ssl->options.haveAnon = ctx->haveAnon; + ssl->options.useAnon = ctx->useAnon; #endif #ifndef NO_DH ssl->options.minDhKeySz = ctx->minDhKeySz; @@ -26198,7 +26198,8 @@ ciphersuites introduced through the "bulk" ciphersuites. @return true on success, else false. */ -int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) +static int ParseCipherList(Suites* suites, + const char* list, ProtocolVersion version, int privateKeySz, byte side) { int ret = 0; int idx = 0; @@ -26227,14 +26228,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) #ifndef NO_RSA haveRSA = 1; #endif - InitSuites(suites, ctx->method->version, + InitSuites(suites, version, #ifndef NO_CERTS - ctx->privateKeySz, + privateKeySz, #else 0, #endif haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 1, 1, 0, 0, - ctx->method->side); + side); return 1; /* wolfSSL default */ } @@ -26311,9 +26312,6 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) haveSig |= SIG_ANON; else haveSig &= ~SIG_ANON; - #ifdef HAVE_ANON - ctx->haveAnon = (haveSig & SIG_ANON) == SIG_ANON; - #endif haveRSA = 1; haveDH = 1; haveECC = 1; @@ -26336,9 +26334,6 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) if (XSTRCMP(name, "HIGH") == 0 && allowing) { /* Disable static, anonymous, and null ciphers */ haveSig &= ~SIG_ANON; - #ifdef HAVE_ANON - ctx->haveAnon = 0; - #endif haveRSA = 1; haveDH = 1; haveECC = 1; @@ -26358,9 +26353,6 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) haveSig |= SIG_ANON; else haveSig &= ~SIG_ANON; - #ifdef HAVE_ANON - ctx->haveAnon = allowing; - #endif if (allowing) { /* Allow RSA by default. */ if (!haveECC) @@ -26474,7 +26466,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) #ifdef WOLFSSL_DTLS /* don't allow stream ciphers with DTLS */ - if (ctx->method->version.major == DTLS_MAJOR) { + if (version.major == DTLS_MAJOR) { if (XSTRSTR(name, "RC4")) { WOLFSSL_MSG("Stream ciphers not supported with DTLS"); @@ -26591,14 +26583,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) if (ret) { int keySz = 0; #ifndef NO_CERTS - keySz = ctx->privateKeySz; + keySz = privateKeySz; #endif #ifdef OPENSSL_EXTRA if (callInitSuites) { suites->setSuites = 0; /* Force InitSuites */ suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call * inside InitSuites */ - InitSuites(suites, ctx->method->version, keySz, (word16)haveRSA, + InitSuites(suites, version, keySz, (word16)haveRSA, (word16)havePSK, (word16)haveDH, (word16)((haveSig & SIG_ECDSA) != 0), (word16)haveECC, (word16)haveStaticRSA, @@ -26606,7 +26598,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) (word16)((haveSig & SIG_FALCON) != 0), (word16)((haveSig & SIG_DILITHIUM) != 0), (word16)((haveSig & SIG_ANON) != 0), - (word16)haveNull, ctx->method->side); + (word16)haveNull, side); /* Restore user ciphers ahead of defaults */ XMEMMOVE(suites->suites + idx, suites->suites, min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx)); @@ -26621,7 +26613,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) } #ifdef HAVE_RENEGOTIATION_INDICATION - if (ctx->method->side == WOLFSSL_CLIENT_END) { + if (side == WOLFSSL_CLIENT_END) { if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) { WOLFSSL_MSG("Too many ciphersuites"); return 0; @@ -26635,11 +26627,44 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) suites->setSuites = 1; } - (void)ctx; - return ret; } +int SetCipherList_ex(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, + Suites* suites, const char* list) +{ + ProtocolVersion version; + int privateKeySz = 0; + byte side; + + if (ctx != NULL) { + version = ctx->method->version; +#ifndef NO_CERTS + privateKeySz = ctx->privateKeySz; +#endif + side = ctx->method->side; + } + else if (ssl != NULL) { + version = ssl->version; +#ifndef NO_CERTS + privateKeySz = ssl->buffers.keySz; +#endif + side = (byte)ssl->options.side; + } + else { + WOLFSSL_MSG("SetCipherList_ex parameter error"); + return 0; + } + + return ParseCipherList(suites, list, version, privateKeySz, side); +} + +int SetCipherList(const WOLFSSL_CTX* ctx, Suites* suites, + const char* list) +{ + return SetCipherList_ex(ctx, NULL, suites, list); +} + #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_SET_CIPHER_BYTES) int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites, const byte* list, const int listSz) @@ -35323,7 +35348,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, - ssl->options.haveDilithiumSig, ssl->options.haveAnon, + ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE, ssl->options.side); } @@ -35714,7 +35739,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, - ssl->options.haveDilithiumSig, ssl->options.haveAnon, + ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE, ssl->options.side); } @@ -35792,7 +35817,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, - ssl->options.haveDilithiumSig, ssl->options.haveAnon, + ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE, ssl->options.side); } } diff --git a/src/ssl.c b/src/ssl.c index 74c6b0edc..4f42c5359 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1478,11 +1478,12 @@ WOLFSSL* wolfSSL_new(WOLFSSL_CTX* ctx) return ssl; ssl = (WOLFSSL*) XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL); - if (ssl) + if (ssl) { if ( (ret = InitSSL(ssl, ctx, 0)) < 0) { FreeSSL(ssl, ctx->heap); ssl = 0; } + } WOLFSSL_LEAVE("wolfSSL_new", ret); (void)ret; @@ -3068,7 +3069,7 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); @@ -5329,7 +5330,7 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version) ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); return WOLFSSL_SUCCESS; } #endif /* !leanpsk */ @@ -7950,7 +7951,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } else if (ctx && resetSuites) { word16 havePSK = 0; @@ -7974,7 +7975,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, ctx->haveECC, TRUE, ctx->haveStaticECC, ctx->haveFalconSig, ctx->haveDilithiumSig, #ifdef HAVE_ANON - ctx->haveAnon, + ctx->useAnon, #else FALSE, #endif @@ -11837,8 +11838,8 @@ static int CheckcipherList(const char* list) * * returns WOLFSSL_SUCCESS on success and sets the cipher suite list */ -static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, - const char* list) +static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl, + Suites* suites, const char* list) { int ret = 0; int listattribute = 0; @@ -11863,7 +11864,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, /* list has mixed(pre-TLSv13 and TLSv13) suites * update cipher suites the same as before */ - return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS : + return (SetCipherList_ex(ctx, ssl, suites, list)) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; } else if (listattribute == 1) { @@ -11877,7 +11878,8 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, * simulate set_ciphersuites() compatibility layer API */ tls13Only = 1; - if (!IsAtLeastTLSv1_3(ctx->method->version)) { + if ((ctx != NULL && !IsAtLeastTLSv1_3(ctx->method->version)) || + (ssl != NULL && !IsAtLeastTLSv1_3(ssl->version))) { /* Silently ignore TLS 1.3 ciphers if we don't support it. */ return WOLFSSL_SUCCESS; } @@ -11903,7 +11905,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, XMEMCPY(suitesCpy, suites->suites, suites->suiteSz); suitesCpySz = suites->suiteSz; - ret = SetCipherList(ctx, suites, list); + ret = SetCipherList_ex(ctx, ssl, suites, list); if (ret != 1) { #ifdef WOLFSSL_SMALL_STACK XFREE(suitesCpy, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -11967,7 +11969,7 @@ int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) return WOLFSSL_FAILURE; #ifdef OPENSSL_EXTRA - return wolfSSL_parse_cipher_list(ctx, ctx->suites, list); + return wolfSSL_parse_cipher_list(ctx, NULL, ctx->suites, list); #else return (SetCipherList(ctx, ctx->suites, list)) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; @@ -12003,9 +12005,9 @@ int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list) return WOLFSSL_FAILURE; #ifdef OPENSSL_EXTRA - return wolfSSL_parse_cipher_list(ssl->ctx, ssl->suites, list); + return wolfSSL_parse_cipher_list(NULL, ssl, ssl->suites, list); #else - return (SetCipherList(ssl->ctx, ssl->suites, list)) ? + return (SetCipherList_ex(NULL, ssl, ssl->suites, list)) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; #endif @@ -13105,7 +13107,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, (void)havePSK; #ifdef HAVE_ANON - haveAnon = ssl->options.haveAnon; + haveAnon = ssl->options.useAnon; #endif (void)haveAnon; @@ -15704,7 +15706,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } #ifdef OPENSSL_EXTRA /** @@ -15761,7 +15763,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl) @@ -15852,7 +15854,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (ctx == NULL) return WOLFSSL_FAILURE; - ctx->haveAnon = 1; + ctx->useAnon = 1; return WOLFSSL_SUCCESS; } @@ -21971,7 +21973,7 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } return ssl->options.mask; diff --git a/src/tls13.c b/src/tls13.c index 20f066f58..2195249f5 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -13486,7 +13486,7 @@ void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } /* Set the PSK callback that returns the cipher suite for a client to use @@ -13539,7 +13539,7 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } /* Set the PSK callback that returns the cipher suite for a server to use @@ -13589,7 +13589,7 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl, ssl->options.haveDH, ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.haveAnon, TRUE, ssl->options.side); + ssl->options.useAnon, TRUE, ssl->options.side); } /* Get name of first supported cipher suite that uses the hash indicated. diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 7e418b996..5baeb93b0 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2339,7 +2339,7 @@ struct Suites { word16 hashSigAlgoSz; /* SigAlgo extension length in bytes */ byte suites[WOLFSSL_MAX_SUITE_SZ]; byte hashSigAlgo[WOLFSSL_MAX_SIGALGO]; /* sig/algo to offer */ - byte setSuites; /* user set suites from default */ + byte setSuites:1; /* user set suites from default */ }; typedef struct CipherSuite { @@ -2377,7 +2377,9 @@ typedef struct TLSX TLSX; WOLFSSL_LOCAL int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites, CipherSuite* cs, TLSX* extensions); WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites); -WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, +WOLFSSL_LOCAL int SetCipherList_ex(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, + Suites* suites, const char* list); +WOLFSSL_LOCAL int SetCipherList(const WOLFSSL_CTX* ctx, Suites* suites, const char* list); WOLFSSL_LOCAL int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites, const byte* list, const int listSz); @@ -3762,7 +3764,7 @@ struct WOLFSSL_CTX { word32 maxEarlyDataSz; #endif #ifdef HAVE_ANON - byte haveAnon; /* User wants to allow Anon suites */ + byte useAnon; /* User wants to allow Anon suites */ #endif /* HAVE_ANON */ #ifdef WOLFSSL_ENCRYPTED_KEYS wc_pem_password_cb* passwd_cb; @@ -4698,7 +4700,7 @@ struct Options { #ifdef HAVE_POLY1305 word16 oldPoly:1; /* set when to use old rfc way of poly*/ #endif - word16 haveAnon:1; /* User wants to allow Anon suites */ + word16 useAnon:1; /* User wants to allow Anon suites */ #ifdef HAVE_SESSION_TICKET word16 createTicket:1; /* Server to create new Ticket */ word16 useTicket:1; /* Use Ticket not session cache */