diff --git a/src/internal.c b/src/internal.c index 2c3e9a52f..f9bff6a17 100644 --- a/src/internal.c +++ b/src/internal.c @@ -26198,7 +26198,8 @@ ciphersuites introduced through the "bulk" ciphersuites. @return true on success, else false. */ -int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) +int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, Suites* suites, + const char* list) { int ret = 0; int idx = 0; @@ -26216,25 +26217,38 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) const int suiteSz = GetCipherNamesSize(); const char* next = list; - if (suites == NULL || list == NULL) { + ProtocolVersion version; + int privateKeySz = 0; + byte side; +#ifdef HAVE_ANON + byte haveAnon = 0; +#endif + + if (suites == NULL || list == NULL || (ctx == NULL && ssl == NULL)) { WOLFSSL_MSG("SetCipherList parameter error"); return 0; } + version = ctx != NULL ? ctx->method->version : ssl->version; +#ifndef NO_CERTS + privateKeySz = (int)(ctx != NULL ? ctx->privateKeySz : ssl->buffers.keySz); +#endif + side = (byte)(ctx != NULL ? ctx->method->side : ssl->options.side); + if (next[0] == 0 || XSTRCMP(next, "ALL") == 0 || XSTRCMP(next, "DEFAULT") == 0 || XSTRCMP(next, "HIGH") == 0) { /* Add all ciphersuites except anonymous and null ciphers. Prefer RSA */ #ifndef NO_RSA haveRSA = 1; #endif - InitSuites(suites, ctx->method->version, + InitSuites(suites, version, #ifndef NO_CERTS - ctx->privateKeySz, + privateKeySz, #else 0, #endif haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 1, 1, 0, 0, - ctx->method->side); + side); return 1; /* wolfSSL default */ } @@ -26312,7 +26326,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) else haveSig &= ~SIG_ANON; #ifdef HAVE_ANON - ctx->haveAnon = (haveSig & SIG_ANON) == SIG_ANON; + haveAnon = (haveSig & SIG_ANON) == SIG_ANON; #endif haveRSA = 1; haveDH = 1; @@ -26337,7 +26351,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) /* Disable static, anonymous, and null ciphers */ haveSig &= ~SIG_ANON; #ifdef HAVE_ANON - ctx->haveAnon = 0; + haveAnon = 0; #endif haveRSA = 1; haveDH = 1; @@ -26359,7 +26373,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) else haveSig &= ~SIG_ANON; #ifdef HAVE_ANON - ctx->haveAnon = allowing; + haveAnon = allowing; #endif if (allowing) { /* Allow RSA by default. */ @@ -26474,7 +26488,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) #ifdef WOLFSSL_DTLS /* don't allow stream ciphers with DTLS */ - if (ctx->method->version.major == DTLS_MAJOR) { + if (version.major == DTLS_MAJOR) { if (XSTRSTR(name, "RC4")) { WOLFSSL_MSG("Stream ciphers not supported with DTLS"); @@ -26591,14 +26605,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) if (ret) { int keySz = 0; #ifndef NO_CERTS - keySz = ctx->privateKeySz; + keySz = privateKeySz; #endif #ifdef OPENSSL_EXTRA if (callInitSuites) { suites->setSuites = 0; /* Force InitSuites */ suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call * inside InitSuites */ - InitSuites(suites, ctx->method->version, keySz, (word16)haveRSA, + InitSuites(suites, version, keySz, (word16)haveRSA, (word16)havePSK, (word16)haveDH, (word16)((haveSig & SIG_ECDSA) != 0), (word16)haveECC, (word16)haveStaticRSA, @@ -26606,7 +26620,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) (word16)((haveSig & SIG_FALCON) != 0), (word16)((haveSig & SIG_DILITHIUM) != 0), (word16)((haveSig & SIG_ANON) != 0), - (word16)haveNull, ctx->method->side); + (word16)haveNull, side); /* Restore user ciphers ahead of defaults */ XMEMMOVE(suites->suites + idx, suites->suites, min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx)); @@ -26621,7 +26635,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) } #ifdef HAVE_RENEGOTIATION_INDICATION - if (ctx->method->side == WOLFSSL_CLIENT_END) { + if (side == WOLFSSL_CLIENT_END) { if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) { WOLFSSL_MSG("Too many ciphersuites"); return 0; @@ -26635,7 +26649,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) suites->setSuites = 1; } - (void)ctx; +#ifdef HAVE_ANON + if (ret == 1) { + if (ctx != NULL) + ((WOLFSSL_CTX*)ctx)->haveAnon = haveAnon || haveSig | SIG_ANON; + else + ((WOLFSSL*)ssl)->options.haveAnon = haveAnon || haveSig | SIG_ANON; + } +#endif return ret; } diff --git a/src/ssl.c b/src/ssl.c index 61fca152c..f87729eb8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1478,11 +1478,12 @@ WOLFSSL* wolfSSL_new(WOLFSSL_CTX* ctx) return ssl; ssl = (WOLFSSL*) XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL); - if (ssl) + if (ssl) { if ( (ret = InitSSL(ssl, ctx, 0)) < 0) { FreeSSL(ssl, ctx->heap); ssl = 0; } + } WOLFSSL_LEAVE("wolfSSL_new", ret); (void)ret; @@ -11837,8 +11838,8 @@ static int CheckcipherList(const char* list) * * returns WOLFSSL_SUCCESS on success and sets the cipher suite list */ -static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, - const char* list) +static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl, + Suites* suites, const char* list) { int ret = 0; int listattribute = 0; @@ -11863,7 +11864,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, /* list has mixed(pre-TLSv13 and TLSv13) suites * update cipher suites the same as before */ - return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS : + return (SetCipherList(ctx, ssl, suites, list)) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; } else if (listattribute == 1) { @@ -11877,7 +11878,8 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, * simulate set_ciphersuites() compatibility layer API */ tls13Only = 1; - if (!IsAtLeastTLSv1_3(ctx->method->version)) { + if ((ctx != NULL && !IsAtLeastTLSv1_3(ctx->method->version)) || + (ssl != NULL && !IsAtLeastTLSv1_3(ssl->version))) { /* Silently ignore TLS 1.3 ciphers if we don't support it. */ return WOLFSSL_SUCCESS; } @@ -11903,7 +11905,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, XMEMCPY(suitesCpy, suites->suites, suites->suiteSz); suitesCpySz = suites->suiteSz; - ret = SetCipherList(ctx, suites, list); + ret = SetCipherList(ctx, ssl, suites, list); if (ret != 1) { #ifdef WOLFSSL_SMALL_STACK XFREE(suitesCpy, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -11967,9 +11969,9 @@ int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) return WOLFSSL_FAILURE; #ifdef OPENSSL_EXTRA - return wolfSSL_parse_cipher_list(ctx, ctx->suites, list); + return wolfSSL_parse_cipher_list(ctx, NULL, ctx->suites, list); #else - return (SetCipherList(ctx, ctx->suites, list)) ? + return (SetCipherList(ctx, NULL, ctx->suites, list)) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; #endif } @@ -12003,9 +12005,9 @@ int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list) return WOLFSSL_FAILURE; #ifdef OPENSSL_EXTRA - return wolfSSL_parse_cipher_list(ssl->ctx, ssl->suites, list); + return wolfSSL_parse_cipher_list(NULL, ssl, ssl->suites, list); #else - return (SetCipherList(ssl->ctx, ssl->suites, list)) ? + return (SetCipherList(NULL, ssl, ssl->suites, list)) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; #endif diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 7e418b996..3e791ed45 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2377,8 +2377,8 @@ typedef struct TLSX TLSX; WOLFSSL_LOCAL int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites, CipherSuite* cs, TLSX* extensions); WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites); -WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, - const char* list); +WOLFSSL_LOCAL int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, + Suites* suites, const char* list); WOLFSSL_LOCAL int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites, const byte* list, const int listSz); WOLFSSL_LOCAL int SetSuitesHashSigAlgo(Suites* suites, const char* list);