From cb623dc9eabfffcf7ce80e5a481e1e33c221ecf5 Mon Sep 17 00:00:00 2001 From: Kareem Date: Tue, 12 Aug 2025 16:35:38 -0700 Subject: [PATCH] Multiple fixes to wolfSSL_CIPHER_description to match documentation. Add "any" value for TLS 1.3 cipher suites. Fix key size comparison for enc bits. Output AEAD as MAC if cipher suite is using it, otherwise output hash MAC. --- src/keys.c | 36 ++++++++++++++++++------------------ src/ssl.c | 35 +++++++++++++++++++++++------------ wolfssl/internal.h | 4 +++- 3 files changed, 44 insertions(+), 31 deletions(-)
diff --git a/src/keys.c b/src/keys.c
index 10aad6f14..a3da542fa 100644
--- a/src/keys.c
+++ b/src/keys.c
@@ -1218,8 +1218,8 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
 specs->bulk_cipher_algorithm = wolfssl_cipher_null;
 specs->cipher_type = aead;
 specs->mac_algorithm = sha256_mac;
- specs->kea = 0;
- specs->sig_algo = 0;
+ specs->kea = any_kea;
+ specs->sig_algo = any_sa_algo;
 specs->hash_size = WC_SHA256_DIGEST_SIZE;
 specs->pad_size = PAD_SHA;
 specs->static_ecdh = 0;
@@ -1236,8 +1236,8 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
 specs->bulk_cipher_algorithm = wolfssl_cipher_null;
 specs->cipher_type = aead;
 specs->mac_algorithm = sha384_mac;
- specs->kea = 0;
- specs->sig_algo = 0;
+ specs->kea = any_kea;
+ specs->sig_algo = any_sa_algo;
 specs->hash_size = WC_SHA384_DIGEST_SIZE;
 specs->pad_size = PAD_SHA;
 specs->static_ecdh = 0;
@@ -1266,8 +1266,8 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
 specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
 specs->cipher_type = aead;
 specs->mac_algorithm = sha256_mac;
- specs->kea = 0;
- specs->sig_algo = 0;
+ specs->kea = any_kea;
+ specs->sig_algo = any_sa_algo;
 specs->hash_size = WC_SHA256_DIGEST_SIZE;
 specs->pad_size = PAD_SHA;
 specs->static_ecdh = 0;
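Review bot: Replacing `0` with `any_kea`/`any_sa_algo` changes the value that every other reader of `specs->kea` and `specs->sig_algo` sees for TLS 1.3 suites, and only the consumers touched in src/ssl.c are visible in this patch. Any comparison elsewhere that relied on the old zero value to pick a key-exchange or signature path would now take a different branch, so those call sites should be audited and a TLS 1.3 handshake regression test run for each affected suite. The same assignment pair recurs in the GetCipherSpec hunks at 1236, 1266, 1284, 1302, 1322, 1340, 1466 and 1484; the function body starts and ends outside all of them. A short comment at the first occurrence would record the intent, e.g. `/* TLS 1.3: key exchange and signature are negotiated separately, not fixed by the suite */`.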
@@ -1284,8 +1284,8 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
 specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
 specs->cipher_type = aead;
 specs->mac_algorithm = sha384_mac;
- specs->kea = 0;
- specs->sig_algo = 0;
+ specs->kea = any_kea;
+ specs->sig_algo = any_sa_algo;
 specs->hash_size = WC_SHA384_DIGEST_SIZE;
 specs->pad_size = PAD_SHA;
 specs->static_ecdh = 0;
@@ -1302,8 +1302,8 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
 specs->bulk_cipher_algorithm = wolfssl_chacha;
 specs->cipher_type = aead;
 specs->mac_algorithm = sha256_mac;
- specs->kea = 0;
- specs->sig_algo = 0;
+ specs->kea = any_kea;
+ specs->sig_algo = any_sa_algo;
 specs->hash_size = WC_SHA256_DIGEST_SIZE;
 specs->pad_size = PAD_SHA;
 specs->static_ecdh = 0;
@@ -1322,8 +1322,8 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
 specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
 specs->cipher_type = aead;
 specs->mac_algorithm = sha256_mac;
- specs->kea = 0;
- specs->sig_algo = 0;
+ specs->kea = any_kea;
+ specs->sig_algo = any_sa_algo;
 specs->hash_size = WC_SHA256_DIGEST_SIZE;
 specs->pad_size = PAD_SHA;
 specs->static_ecdh = 0;
@@ -1340,8 +1340,8 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
 specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
 specs->cipher_type = aead;
 specs->mac_algorithm = sha256_mac;
- specs->kea = 0;
- specs->sig_algo = 0;
+ specs->kea = any_kea;
+ specs->sig_algo = any_sa_algo;
 specs->hash_size = WC_SHA256_DIGEST_SIZE;
 specs->pad_size = PAD_SHA;
 specs->static_ecdh = 0;
@@ -1466,8 +1466,8 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
 specs->bulk_cipher_algorithm = wolfssl_sm4_gcm;
 specs->cipher_type = aead;
 specs->mac_algorithm = sm3_mac;
- specs->kea = 0;
- specs->sig_algo = 0;
+ specs->kea = any_kea;
+ specs->sig_algo = any_sa_algo;
 specs->hash_size = WC_SM3_DIGEST_SIZE;
 specs->pad_size = PAD_SHA;
 specs->static_ecdh = 0;
@@ -1484,8 +1484,8 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
 specs->bulk_cipher_algorithm = wolfssl_sm4_ccm;
 specs->cipher_type = aead;
 specs->mac_algorithm = sm3_mac;
- specs->kea = 0;
- specs->sig_algo = 0;
+ specs->kea = any_kea;
+ specs->sig_algo = any_sa_algo;
 specs->hash_size = WC_SM3_DIGEST_SIZE;
 specs->pad_size = PAD_SHA;
 specs->static_ecdh = 0;
diff --git a/src/ssl.c b/src/ssl.c
index 766ad47cd..ac4433d1c 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -12371,6 +12371,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 *sigAlgo = SM2k;
 break;
 case invalid_sa_algo:
+ case any_sa_algo:
 default:
 *hashAlgo = WC_HASH_TYPE_NONE;
 *sigAlgo = 0;
@@ -16166,6 +16167,9 @@ static WC_INLINE const char* wolfssl_kea_to_string(int kea)
 keaStr = "ECDH";
 break;
 #endif
+ case any_kea:
+ keaStr = "any";
+ break;
 default:
 keaStr = "unknown";
 break;
@@ -16217,6 +16221,9 @@ static WC_INLINE const char* wolfssl_sigalg_to_string(int sig_algo)
 authStr = "Ed448";
 break;
 #endif
+ case any_sa_algo:
+ authStr = "any";
+ break;
 default:
 authStr = "unknown";
 break;
@@ -16247,18 +16254,18 @@ static WC_INLINE const char* wolfssl_cipher_to_string(int cipher, int key_size)
 #endif
 #ifndef NO_AES
 case wolfssl_aes:
- if (key_size == 128)
+ if (key_size == AES_128_KEY_SIZE)
 encStr = "AES(128)";
- else if (key_size == 256)
+ else if (key_size == AES_256_KEY_SIZE)
 encStr = "AES(256)";
 else
 encStr = "AES(?)";
 break;
 #ifdef HAVE_AESGCM
 case wolfssl_aes_gcm:
- if (key_size == 128)
+ if (key_size == AES_128_KEY_SIZE)
 encStr = "AESGCM(128)";
- else if (key_size == 256)
+ else if (key_size == AES_256_KEY_SIZE)
 encStr = "AESGCM(256)";
 else
 encStr = "AESGCM(?)";
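Review bot: The comparisons in `wolfssl_cipher_to_string` now depend on `key_size` holding the same unit as the `*_KEY_SIZE` constants (presumably bytes) while the labels print bits, and nothing in the visible code says so. A comment above the switch such as `/* key_size uses the units of the *_KEY_SIZE constants; the labels report bits */` would keep a later edit from reintroducing the bit literals that made every suite print `(?)`. The unbraced `if`/`else if`/`else` chains would also be safer with braces, since a second statement added to any arm would silently fall outside it. The same applies to the AESCCM, Aria and Camellia hunks at 16266, 16282 and 16294; the function starts and ends outside all of these hunks.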
@@ -16266,9 +16273,9 @@ static WC_INLINE const char* wolfssl_cipher_to_string(int cipher, int key_size) #endif #ifdef HAVE_AESCCM case wolfssl_aes_ccm: - if (key_size == 128) + if (key_size == AES_128_KEY_SIZE) encStr = "AESCCM(128)"; - else if (key_size == 256) + else if (key_size == AES_256_KEY_SIZE) encStr = "AESCCM(256)"; else encStr = "AESCCM(?)"; @@ -16282,11 +16289,11 @@ static WC_INLINE const char* wolfssl_cipher_to_string(int cipher, int key_size) #endif #ifdef HAVE_ARIA case wolfssl_aria_gcm: - if (key_size == 128) + if (key_size == ARIA_128_KEY_SIZE) encStr = "Aria(128)"; - else if (key_size == 192) + else if (key_size == ARIA_192_KEY_SIZE) encStr = "Aria(192)"; - else if (key_size == 256) + else if (key_size == ARIA_256_KEY_SIZE) encStr = "Aria(256)"; else encStr = "Aria(?)"; @@ -16294,9 +16301,9 @@ static WC_INLINE const char* wolfssl_cipher_to_string(int cipher, int key_size) #endif #ifdef HAVE_CAMELLIA case wolfssl_camellia: - if (key_size == 128) + if (key_size == CAMELLIA_128_KEY_SIZE) encStr = "Camellia(128)"; - else if (key_size == 256) + else if (key_size == CAMELLIA_256_KEY_SIZE) encStr = "Camellia(256)"; else encStr = "Camellia(?)"; @@ -16383,7 +16390,10 @@ char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER* cipher, char* in, authStr = wolfssl_sigalg_to_string(cipher->ssl->specs.sig_algo); encStr = wolfssl_cipher_to_string(cipher->ssl->specs.bulk_cipher_algorithm, cipher->ssl->specs.key_size); - macStr = wolfssl_mac_to_string(cipher->ssl->specs.mac_algorithm); + if (cipher->ssl->specs.cipher_type == aead) + macStr = "AEAD"; + else + macStr = wolfssl_mac_to_string(cipher->ssl->specs.mac_algorithm); /* Build up the string by copying onto the end. */ XSTRNCPY(in, wolfSSL_CIPHER_get_name(cipher), (size_t)len); @@ -19263,6 +19273,7 @@ static int SaToNid(byte sa, int* nid) *nid = WC_NID_sm2; break; case invalid_sa_algo: + case any_sa_algo: default: ret = WOLFSSL_FAILURE; break; 
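Review bot: The new `cipher_type == aead` branch in `wolfSSL_CIPHER_description` also catches the integrity-only suites, which the src/keys.c hunks at 1218 and 1236 configure with `bulk_cipher_algorithm = wolfssl_cipher_null`, `cipher_type = aead` and a SHA-256 or SHA-384 `mac_algorithm`. For those suites the description would report `AEAD` as the MAC although no AEAD cipher is in use, which can mislead anyone who audits negotiated suites from this string. Consider `if (cipher->ssl->specs.cipher_type == aead && cipher->ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null)` so the NULL-cipher suites keep printing their hash MAC, and brace both branches. The function body starts before and continues after this hunk.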
diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c5beafa60..77865ed89 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4324,7 +4324,8 @@ enum KeyExchangeAlgorithm { dhe_psk_kea, ecdhe_psk_kea, ecc_diffie_hellman_kea, - ecc_static_diffie_hellman_kea /* for verify suite only */ + ecc_static_diffie_hellman_kea, /* for verify suite only */ + any_kea }; /* Used with InitSuitesHashSigAlgo */ @@ -4354,6 +4355,7 @@ enum SignatureAlgorithm { dilithium_level3_sa_algo = 15, dilithium_level5_sa_algo = 16, sm2_sa_algo = 17, + any_sa_algo = 18, invalid_sa_algo = 255 };
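Review bot: `any_kea` is added to `enum KeyExchangeAlgorithm` without a comment, and its meaning is not obvious next to the concrete algorithms; the same holds for `any_sa_algo` in the `enum SignatureAlgorithm` hunk at 4354. Document both where they are declared, e.g. `any_kea /* TLS 1.3 suites: key exchange is not fixed by the suite */` and `any_sa_algo = 18, /* TLS 1.3 suites: signature algorithm is not fixed by the suite */`. If values of `SignatureAlgorithm` are ever compared with identifiers received from a peer, it is worth confirming that 18 cannot be reached from that path, since the visible switch statements in src/ssl.c treat it like `invalid_sa_algo`. Both enums begin outside their hunks.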