Allow SetCipherList to operate on SSL without modifying on SSL_CTX

Juliusz Sosinowicz
2023-12-20 16:14:27 +01:00
parent ac81d9d29c
commit b8b847bbcf
3 changed files with 49 additions and 26 deletions


@ -26198,7 +26198,8 @@ ciphersuites introduced through the "bulk" ciphersuites.
@return true on success, else false. @return true on success, else false.
*/ */
int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, Suites* suites,
const char* list)
{ {
int ret = 0; int ret = 0;
int idx = 0; int idx = 0;
@ -26216,25 +26217,38 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
const int suiteSz = GetCipherNamesSize(); const int suiteSz = GetCipherNamesSize();
const char* next = list; const char* next = list;
if (suites == NULL || list == NULL) { ProtocolVersion version;
int privateKeySz = 0;
byte side;
#ifdef HAVE_ANON
byte haveAnon = 0;
#endif
if (suites == NULL || list == NULL || (ctx == NULL && ssl == NULL)) {
WOLFSSL_MSG("SetCipherList parameter error"); WOLFSSL_MSG("SetCipherList parameter error");
return 0; return 0;
} }
version = ctx != NULL ? ctx->method->version : ssl->version;
#ifndef NO_CERTS
privateKeySz = (int)(ctx != NULL ? ctx->privateKeySz : ssl->buffers.keySz);
#endif
side = (byte)(ctx != NULL ? ctx->method->side : ssl->options.side);
if (next[0] == 0 || XSTRCMP(next, "ALL") == 0 || if (next[0] == 0 || XSTRCMP(next, "ALL") == 0 ||
XSTRCMP(next, "DEFAULT") == 0 || XSTRCMP(next, "HIGH") == 0) { XSTRCMP(next, "DEFAULT") == 0 || XSTRCMP(next, "HIGH") == 0) {
/* Add all ciphersuites except anonymous and null ciphers. Prefer RSA */ /* Add all ciphersuites except anonymous and null ciphers. Prefer RSA */
#ifndef NO_RSA #ifndef NO_RSA
haveRSA = 1; haveRSA = 1;
#endif #endif
InitSuites(suites, ctx->method->version, InitSuites(suites, version,
#ifndef NO_CERTS #ifndef NO_CERTS
ctx->privateKeySz, privateKeySz,
#else #else
0, 0,
#endif #endif
haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 1, 1, 0, 0, haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 1, 1, 0, 0,
ctx->method->side); side);
return 1; /* wolfSSL default */ return 1; /* wolfSSL default */
} }
@ -26312,7 +26326,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
else else
haveSig &= ~SIG_ANON; haveSig &= ~SIG_ANON;
#ifdef HAVE_ANON #ifdef HAVE_ANON
ctx->haveAnon = (haveSig & SIG_ANON) == SIG_ANON; haveAnon = (haveSig & SIG_ANON) == SIG_ANON;
#endif #endif
haveRSA = 1; haveRSA = 1;
haveDH = 1; haveDH = 1;
@ -26337,7 +26351,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
/* Disable static, anonymous, and null ciphers */ /* Disable static, anonymous, and null ciphers */
haveSig &= ~SIG_ANON; haveSig &= ~SIG_ANON;
#ifdef HAVE_ANON #ifdef HAVE_ANON
ctx->haveAnon = 0; haveAnon = 0;
#endif #endif
haveRSA = 1; haveRSA = 1;
haveDH = 1; haveDH = 1;
@ -26359,7 +26373,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
else else
haveSig &= ~SIG_ANON; haveSig &= ~SIG_ANON;
#ifdef HAVE_ANON #ifdef HAVE_ANON
ctx->haveAnon = allowing; haveAnon = allowing;
#endif #endif
if (allowing) { if (allowing) {
/* Allow RSA by default. */ /* Allow RSA by default. */
@ -26474,7 +26488,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
/* don't allow stream ciphers with DTLS */ /* don't allow stream ciphers with DTLS */
if (ctx->method->version.major == DTLS_MAJOR) { if (version.major == DTLS_MAJOR) {
if (XSTRSTR(name, "RC4")) if (XSTRSTR(name, "RC4"))
{ {
WOLFSSL_MSG("Stream ciphers not supported with DTLS"); WOLFSSL_MSG("Stream ciphers not supported with DTLS");
@ -26591,14 +26605,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
if (ret) { if (ret) {
int keySz = 0; int keySz = 0;
#ifndef NO_CERTS #ifndef NO_CERTS
keySz = ctx->privateKeySz; keySz = privateKeySz;
#endif #endif
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
if (callInitSuites) { if (callInitSuites) {
suites->setSuites = 0; /* Force InitSuites */ suites->setSuites = 0; /* Force InitSuites */
suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call
* inside InitSuites */ * inside InitSuites */
InitSuites(suites, ctx->method->version, keySz, (word16)haveRSA, InitSuites(suites, version, keySz, (word16)haveRSA,
(word16)havePSK, (word16)haveDH, (word16)havePSK, (word16)haveDH,
(word16)((haveSig & SIG_ECDSA) != 0), (word16)((haveSig & SIG_ECDSA) != 0),
(word16)haveECC, (word16)haveStaticRSA, (word16)haveECC, (word16)haveStaticRSA,
@ -26606,7 +26620,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
(word16)((haveSig & SIG_FALCON) != 0), (word16)((haveSig & SIG_FALCON) != 0),
(word16)((haveSig & SIG_DILITHIUM) != 0), (word16)((haveSig & SIG_DILITHIUM) != 0),
(word16)((haveSig & SIG_ANON) != 0), (word16)((haveSig & SIG_ANON) != 0),
(word16)haveNull, ctx->method->side); (word16)haveNull, side);
/* Restore user ciphers ahead of defaults */ /* Restore user ciphers ahead of defaults */
XMEMMOVE(suites->suites + idx, suites->suites, XMEMMOVE(suites->suites + idx, suites->suites,
min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx)); min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
@ -26621,7 +26635,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
} }
#ifdef HAVE_RENEGOTIATION_INDICATION #ifdef HAVE_RENEGOTIATION_INDICATION
if (ctx->method->side == WOLFSSL_CLIENT_END) { if (side == WOLFSSL_CLIENT_END) {
if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) { if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) {
WOLFSSL_MSG("Too many ciphersuites"); WOLFSSL_MSG("Too many ciphersuites");
return 0; return 0;
@ -26635,7 +26649,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
suites->setSuites = 1; suites->setSuites = 1;
} }
(void)ctx; #ifdef HAVE_ANON
if (ret == 1) {
if (ctx != NULL)
((WOLFSSL_CTX*)ctx)->haveAnon = haveAnon || haveSig | SIG_ANON;
else
((WOLFSSL*)ssl)->options.haveAnon = haveAnon || haveSig | SIG_ANON;
}
#endif
return ret; return ret;
} }
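Review bot: The HAVE_ANON write-back at the end of SetCipherList, `haveAnon || haveSig | SIG_ANON`, binds as `haveAnon || (haveSig | SIG_ANON)`, and since SIG_ANON is presumably a non-zero bit flag that right-hand side is never zero, so `ctx->haveAnon` / `ssl->options.haveAnon` is set to 1 on every successful call even when the list explicitly disabled anonymous suites (the branches earlier in the hunk that assign `haveAnon = 0` after `haveSig &= ~SIG_ANON`). On the server side this flag gates whether unauthenticated suites are offered, so the regression is security-relevant. The loop branches above already fold `(haveSig & SIG_ANON) == SIG_ANON` into `haveAnon`, so the write should just be `((WOLFSSL_CTX*)ctx)->haveAnon = haveAnon;` and `((WOLFSSL*)ssl)->options.haveAnon = haveAnon;`; if the OR was intentional, parenthesize it as `(byte)(haveAnon || (haveSig & SIG_ANON) == SIG_ANON)`. Note that the ALL/DEFAULT/HIGH path still returns before this block, which matches the old code that also returned before touching `ctx->haveAnon`. SetCipherList starts before the hunk and `haveSig` is declared outside the visible lines.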


@ -1478,11 +1478,12 @@ WOLFSSL* wolfSSL_new(WOLFSSL_CTX* ctx)
return ssl; return ssl;
ssl = (WOLFSSL*) XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL); ssl = (WOLFSSL*) XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL);
if (ssl) if (ssl) {
if ( (ret = InitSSL(ssl, ctx, 0)) < 0) { if ( (ret = InitSSL(ssl, ctx, 0)) < 0) {
FreeSSL(ssl, ctx->heap); FreeSSL(ssl, ctx->heap);
ssl = 0; ssl = 0;
} }
}
WOLFSSL_LEAVE("wolfSSL_new", ret); WOLFSSL_LEAVE("wolfSSL_new", ret);
(void)ret; (void)ret;
@ -11837,8 +11838,8 @@ static int CheckcipherList(const char* list)
* *
* returns WOLFSSL_SUCCESS on success and sets the cipher suite list * returns WOLFSSL_SUCCESS on success and sets the cipher suite list
*/ */
static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
const char* list) Suites* suites, const char* list)
{ {
int ret = 0; int ret = 0;
int listattribute = 0; int listattribute = 0;
@ -11863,7 +11864,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
/* list has mixed(pre-TLSv13 and TLSv13) suites /* list has mixed(pre-TLSv13 and TLSv13) suites
* update cipher suites the same as before * update cipher suites the same as before
*/ */
return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS : return (SetCipherList(ctx, ssl, suites, list)) ? WOLFSSL_SUCCESS :
WOLFSSL_FAILURE; WOLFSSL_FAILURE;
} }
else if (listattribute == 1) { else if (listattribute == 1) {
@ -11877,7 +11878,8 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
* simulate set_ciphersuites() compatibility layer API * simulate set_ciphersuites() compatibility layer API
*/ */
tls13Only = 1; tls13Only = 1;
if (!IsAtLeastTLSv1_3(ctx->method->version)) { if ((ctx != NULL && !IsAtLeastTLSv1_3(ctx->method->version)) ||
(ssl != NULL && !IsAtLeastTLSv1_3(ssl->version))) {
/* Silently ignore TLS 1.3 ciphers if we don't support it. */ /* Silently ignore TLS 1.3 ciphers if we don't support it. */
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
@ -11903,7 +11905,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
XMEMCPY(suitesCpy, suites->suites, suites->suiteSz); XMEMCPY(suitesCpy, suites->suites, suites->suiteSz);
suitesCpySz = suites->suiteSz; suitesCpySz = suites->suiteSz;
ret = SetCipherList(ctx, suites, list); ret = SetCipherList(ctx, ssl, suites, list);
if (ret != 1) { if (ret != 1) {
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(suitesCpy, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(suitesCpy, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -11967,9 +11969,9 @@ int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
return wolfSSL_parse_cipher_list(ctx, ctx->suites, list); return wolfSSL_parse_cipher_list(ctx, NULL, ctx->suites, list);
#else #else
return (SetCipherList(ctx, ctx->suites, list)) ? return (SetCipherList(ctx, NULL, ctx->suites, list)) ?
WOLFSSL_SUCCESS : WOLFSSL_FAILURE; WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
#endif #endif
} }
@ -12003,9 +12005,9 @@ int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
return wolfSSL_parse_cipher_list(ssl->ctx, ssl->suites, list); return wolfSSL_parse_cipher_list(NULL, ssl, ssl->suites, list);
#else #else
return (SetCipherList(ssl->ctx, ssl->suites, list)) ? return (SetCipherList(NULL, ssl, ssl->suites, list)) ?
WOLFSSL_SUCCESS : WOLFSSL_SUCCESS :
WOLFSSL_FAILURE; WOLFSSL_FAILURE;
#endif #endif
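Review bot: wolfSSL_parse_cipher_list now takes both `ctx` and `ssl` but nothing states the contract that exactly one of them is non-NULL, which the two callers (`wolfSSL_CTX_set_cipher_list` passing `ctx, NULL` and `wolfSSL_set_cipher_list` passing `NULL, ssl`) rely on; the TLS 1.3 gate `(ctx != NULL && !IsAtLeastTLSv1_3(ctx->method->version)) || (ssl != NULL && !IsAtLeastTLSv1_3(ssl->version))` silently skips when both are NULL and the failure then only surfaces later as a generic SetCipherList parameter error. Add to the comment above the function `/* Exactly one of ctx and ssl must be non-NULL; the other is NULL. */` and an early `if ((ctx == NULL) == (ssl == NULL)) return WOLFSSL_FAILURE;`. It is also worth documenting that the per-SSL path now keys the TLS 1.3 check and the suite initialisation off `ssl->version` rather than the context's method version, which presumably changes the result for an SSL object whose protocol version was altered after creation. The comment block for this function starts before the hunk.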


@ -2377,8 +2377,8 @@ typedef struct TLSX TLSX;
WOLFSSL_LOCAL int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites, WOLFSSL_LOCAL int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites,
CipherSuite* cs, TLSX* extensions); CipherSuite* cs, TLSX* extensions);
WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites); WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites);
WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, WOLFSSL_LOCAL int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl,
const char* list); Suites* suites, const char* list);
WOLFSSL_LOCAL int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites, WOLFSSL_LOCAL int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites,
const byte* list, const int listSz); const byte* list, const int listSz);
WOLFSSL_LOCAL int SetSuitesHashSigAlgo(Suites* suites, const char* list); WOLFSSL_LOCAL int SetSuitesHashSigAlgo(Suites* suites, const char* list);
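Review bot: The new SetCipherList prototype declares `ctx` and `ssl` as `const`, but the definition in internal.c on this page casts the qualifier away to write `haveAnon` / `options.haveAnon` on success under HAVE_ANON, so the declaration promises a read-only contract the function does not keep. Either drop `const` from both parameters or document the exception next to the declaration: `/* ctx/ssl are read-only except that haveAnon is updated on success (HAVE_ANON). */`.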