Expand SetCipherList()

- support disabling ciphersuites starting from the default list
Juliusz Sosinowicz
2022-07-22 13:24:00 +02:00
parent 6f2889c07d
commit e7cd1562b4
5 changed files with 307 additions and 199 deletions


@ -2917,8 +2917,9 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig,
void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
word16 havePSK, word16 haveDH, word16 haveECDSAsig,
word16 haveECC, word16 haveStaticECC, word16 haveFalconSig,
word16 haveAnon, int side)
word16 haveECC, word16 haveStaticRSA, word16 haveStaticECC,
word16 haveFalconSig, word16 haveAnon, word16 haveNull,
int side)
{
word16 idx = 0;
int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
@ -2941,12 +2942,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
(void)dtls;
(void)haveDH;
(void)havePSK;
(void)haveStaticRSA;
(void)haveStaticECC;
(void)haveECC;
(void)side;
(void)haveRSA; /* some builds won't read */
(void)haveRSAsig; /* non ecc builds won't read */
(void)haveAnon; /* anon ciphers optional */
(void)haveNull;
(void)haveFalconSig;
if (suites == NULL) {
@ -2995,14 +2998,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef HAVE_NULL_CIPHER
#ifdef BUILD_TLS_SHA256_SHA256
if (tls1_3) {
if (tls1_3 && haveNull) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_SHA256_SHA256;
}
#endif
#ifdef BUILD_TLS_SHA384_SHA384
if (tls1_3) {
if (tls1_3 && haveNull) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_SHA384_SHA384;
}
@ -3083,14 +3086,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
if (tls1_2 && haveRSA) {
if (tls1_2 && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_AES_256_GCM_SHA384;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
if (tls1_2 && haveRSA) {
if (tls1_2 && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_AES_128_GCM_SHA256;
}
@ -3387,14 +3390,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
if (tls1_2 && haveRSA) {
if (tls1_2 && haveRSA && haveStaticRSA) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
if (tls1_2 && haveRSA) {
if (tls1_2 && haveRSA && haveStaticRSA) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8;
}
@ -3450,9 +3453,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && haveRSA)
if (tls1_2 && haveRSA && haveStaticRSA)
#else
if (tls && haveRSA)
if (tls && haveRSA && haveStaticRSA)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3462,9 +3465,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && haveRSA)
if (tls1_2 && haveRSA && haveStaticRSA)
#else
if (tls && haveRSA)
if (tls && haveRSA && haveStaticRSA)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3473,14 +3476,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
if (tls && haveRSA) {
if (tls && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
if (tls && haveRSA) {
if (tls && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA;
}
@ -3509,21 +3512,21 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
if (tls && haveECC) {
if (tls && haveECC && haveNull) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_NULL_MD5
if (tls && haveRSA) {
if (tls && haveRSA && haveNull && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_NULL_MD5;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA
if (tls && haveRSA) {
if (tls && haveRSA && haveNull && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA;
}
@ -3531,9 +3534,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && haveRSA)
if (tls1_2 && haveRSA && haveNull && haveStaticRSA)
#else
if (tls && haveRSA)
if (tls && haveRSA && haveNull && haveStaticRSA)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3709,7 +3712,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && haveDH && havePSK)
#else
if (tls && haveDH && havePSK)
if (tls && haveDH && havePSK && haveNull)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3719,9 +3722,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && havePSK)
if (tls1_2 && havePSK && haveNull)
#else
if (tls && havePSK)
if (tls && havePSK && haveNull)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3731,9 +3734,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && havePSK)
if (tls1_2 && havePSK && haveNull)
#else
if (tls && havePSK)
if (tls && havePSK && haveNull)
#endif
{
suites->suites[idx++] = ECC_BYTE;
@ -3743,9 +3746,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && haveDH && havePSK)
if (tls1_2 && haveDH && havePSK && haveNull)
#else
if (tls && haveDH && havePSK)
if (tls && haveDH && havePSK && haveNull)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3755,9 +3758,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && havePSK)
if (tls1_2 && havePSK && haveNull)
#else
if (tls && havePSK)
if (tls && havePSK && haveNull)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3766,56 +3769,56 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA
if (tls && havePSK) {
if (tls && havePSK && haveNull) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA;
}
#endif
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
if (!dtls && haveRSA) {
if (!dtls && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA;
}
#endif
#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
if (!dtls && haveRSA) {
if (!dtls && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5;
}
#endif
#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
if (haveRSA ) {
if (haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
if (tls && haveRSA) {
if (tls && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
if (tls && haveDH && haveRSA) {
if (tls && haveDH && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
if (tls && haveRSA) {
if (tls && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
if (tls && haveDH && haveRSA) {
if (tls && haveDH && haveRSA && haveStaticRSA) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA;
}
@ -3823,9 +3826,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && haveRSA)
if (tls1_2 && haveRSA && haveStaticRSA)
#else
if (tls && haveRSA)
if (tls && haveRSA && haveStaticRSA)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3835,9 +3838,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && haveDH && haveRSA)
if (tls1_2 && haveDH && haveRSA && haveStaticRSA)
#else
if (tls && haveDH && haveRSA)
if (tls && haveDH && haveRSA && haveStaticRSA)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3847,9 +3850,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && haveRSA)
if (tls1_2 && haveRSA && haveStaticRSA)
#else
if (tls && haveRSA)
if (tls && haveRSA && haveStaticRSA)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -3859,9 +3862,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
if (tls1_2 && haveDH && haveRSA)
if (tls1_2 && haveDH && haveRSA && haveStaticRSA)
#else
if (tls && haveDH && haveRSA)
if (tls && haveDH && haveRSA && haveStaticRSA)
#endif
{
suites->suites[idx++] = CIPHER_BYTE;
@ -5876,15 +5879,15 @@ int InitSSL_Suites(WOLFSSL* ssl)
if (ssl->options.side == WOLFSSL_SERVER_END) {
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
else {
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, TRUE,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE,
ssl->options.haveStaticECC, ssl->options.haveFalconSig,
ssl->options.haveAnon, ssl->options.side);
ssl->options.haveAnon, TRUE, ssl->options.side);
}
#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
@ -23157,6 +23160,11 @@ int GetCipherSuiteFromName(const char* name, byte* cipherSuite0,
/**
Set the enabled cipher suites.
With OPENSSL_EXTRA we attempt to understand some of the available "bulk"
ciphersuites. We can not perfectly filter ciphersuites based on the "bulk"
names but we do what we can. Ciphersuites named explicitly take precedence to
ciphersuites introduced through the "bulk" ciphersuites.
@param [out] suites Suites structure.
@param [in] list List of cipher suites, only supports full name from
cipher_names[] delimited by ':'.
@ -23171,6 +23179,16 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
int haveECDSAsig = 0;
int haveFalconSig = 0;
int haveAnon = 0;
#ifdef OPENSSL_EXTRA
int haveRSA = 0;
int haveDH = 0;
int haveECC = 0;
int haveStaticRSA = 1; /* allowed by default if compiled in */
int haveStaticECC = 0;
int haveNull = 1; /* allowed by default if compiled in */
int callInitSuites = 0;
int havePSK = 0;
#endif
const int suiteSz = GetCipherNamesSize();
const char* next = list;
@ -23188,6 +23206,9 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
char name[MAX_SUITE_NAME + 1];
int i;
word32 length;
#ifdef OPENSSL_EXTRA
int allowing = 1;
#endif
next = XSTRSTR(next, ":");
length = MAX_SUITE_NAME;
@ -23198,9 +23219,159 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
}
}
#ifdef OPENSSL_EXTRA
if (length > 1) {
if (*current == '!') {
allowing = 0;
current++;
length--;
}
}
#endif
XSTRNCPY(name, current, length);
name[(length == sizeof(name)) ? length - 1 : length] = 0;
#ifdef OPENSSL_EXTRA
if (XSTRCMP(name, "DEFAULT") == 0 || XSTRCMP(name, "ALL") == 0) {
if (XSTRCMP(name, "ALL") == 0)
haveAnon = 1;
else
haveAnon = 0;
#ifdef HAVE_ANON
ctx->haveAnon = haveAnon;
#endif
haveRSA = 1;
haveDH = 1;
haveECDSAsig = 1;
haveECC = 1;
haveStaticECC = 1;
haveStaticRSA = 1;
haveRSAsig = 1;
haveECDSAsig = 1;
havePSK = 1;
haveNull = 0;
callInitSuites = 1;
ret = 1;
continue;
}
/* We don't have a way to disallow high bit sizes. Only disable unsafe
* ciphersuites. */
if (XSTRCMP(name, "HIGH") == 0 && allowing) {
/* Disable static, anonymous, and null ciphers */
haveAnon = 0;
#ifdef HAVE_ANON
ctx->haveAnon = 0;
#endif
haveRSA = 1;
haveDH = 1;
haveECDSAsig = 1;
haveECC = 1;
haveStaticECC = 0;
haveStaticRSA = 0;
haveRSAsig = 1;
haveECDSAsig = 1;
havePSK = 1;
haveNull = 0;
callInitSuites = 1;
ret = 1;
continue;
}
if (XSTRCMP(name, "aNULL") == 0) {
haveAnon = allowing;
#ifdef HAVE_ANON
ctx->haveAnon = allowing;
#endif
if (allowing) {
/* Allow RSA by default. */
if (!haveECC)
haveRSA = 1;
if (!haveECDSAsig)
haveRSAsig = 1;
callInitSuites = 1;
ret = 1;
}
continue;
}
if (XSTRCMP(name, "eNULL") == 0 || XSTRCMP(name, "NULL") == 0) {
haveNull = allowing;
if (allowing) {
/* Allow RSA by default. */
if (!haveECC)
haveRSA = 1;
if (!haveECDSAsig)
haveRSAsig = 1;
callInitSuites = 1;
ret = 1;
}
continue;
}
if (XSTRCMP(name, "kDH") == 0) {
haveStaticECC = allowing;
if (allowing) {
haveECC = 1;
haveECDSAsig = 1;
callInitSuites = 1;
ret = 1;
}
continue;
}
if (XSTRCMP(name, "kRSA") == 0 || XSTRCMP(name, "RSA") == 0) {
haveStaticRSA = allowing;
if (allowing) {
haveRSA = 1;
haveRSAsig = 1;
callInitSuites = 1;
ret = 1;
}
continue;
}
if (XSTRCMP(name, "PSK") == 0) {
havePSK = allowing;
haveRSAsig = 1;
if (allowing) {
/* Allow RSA by default. */
if (!haveECC)
haveRSA = 1;
if (!haveECDSAsig)
haveRSAsig = 1;
callInitSuites = 1;
ret = 1;
}
continue;
}
if (XSTRCMP(name, "LOW") == 0 || XSTRCMP(name, "MEDIUM") == 0) {
/* No way to limit or allow low bit sizes */
if (allowing) {
/* Allow RSA by default */
haveRSA = 1;
haveRSAsig = 1;
callInitSuites = 1;
ret = 1;
}
continue;
}
if (XSTRCMP(name, "DSS") == 0) {
/* No support for DSA ciphersuites */
continue;
}
if (XSTRCMP(name, "EXP") == 0 || XSTRCMP(name, "EXPORT") == 0) {
/* wolfSSL doesn't support "export" ciphers. We can skip this */
continue;
}
#endif /* OPENSSL_EXTRA */
for (i = 0; i < suiteSz; i++) {
if (XSTRNCMP(name, cipher_names[i].name, sizeof(name)) == 0
#ifndef NO_ERROR_STRINGS
@ -23277,10 +23448,31 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
#ifndef NO_CERTS
keySz = ctx->privateKeySz;
#endif
#ifdef OPENSSL_EXTRA
if (callInitSuites) {
byte tmp[WOLFSSL_MAX_SUITE_SZ];
XMEMCPY(tmp, suites->suites, idx); /* Store copy */
suites->setSuites = 0; /* Force InitSuites */
suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call
* inside InitSuites */
InitSuites(suites, ctx->method->version, keySz, (word16)haveRSA,
(word16)havePSK, (word16)haveDH, (word16)haveECDSAsig,
(word16)haveECC, (word16)haveStaticRSA,
(word16)haveStaticECC, (word16)haveFalconSig,
(word16)haveAnon, (word16)haveNull, ctx->method->side);
/* Restore user ciphers ahead of defaults */
XMEMMOVE(suites->suites + idx, suites->suites,
min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
suites->suiteSz += (word16)idx;
}
else
#endif
{
suites->suiteSz = (word16)idx;
InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig,
haveFalconSig, haveAnon, 1, keySz);
}
suites->setSuites = 1;
suites->suiteSz = (word16)idx;
InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, haveFalconSig,
haveAnon, 1, keySz);
}
(void)ctx;
@ -30898,8 +31090,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
@ -31292,8 +31484,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
@ -31363,8 +31555,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
/* reset cipher suites to account for TLS version change */
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
}
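Review bot: In the `callInitSuites` branch at the end of SetCipherList(), the explicitly named suites saved in `tmp` are never written back: InitSuites() fills `suites->suites` from index 0, the XMEMMOVE shifts those defaults up by `idx`, and the first `idx` bytes are left holding the leading defaults instead of the user's choices. The following `suites->suiteSz += (word16)idx;` also ignores the `min()` applied to the move, so when the defaults plus `idx` exceed WOLFSSL_MAX_SUITE_SZ the recorded size runs past the `suites->suites` array and later readers of the list would walk out of bounds. Compute the moved length once, copy `tmp` back to the front, and derive `suiteSz` from `idx` plus that length, as sketched below. Separately, in the `-3709,7` hunk only the `#else` condition gained `&& haveNull`; the `tls1_2 && haveDH && havePSK` line above it is unchanged, so in builds without WOLFSSL_OLDTLS_SHA2_CIPHERSUITES that suite (its name is outside the hunk, but it sits among the PSK NULL suites) is presumably still offered after `!eNULL`.

```c
/* … unchanged: tmp copy, setSuites/hashSigAlgoSz reset, InitSuites(...) call … */
            /* Restore user ciphers ahead of defaults */
            {
                word16 keep = (word16)min(suites->suiteSz,
                                          WOLFSSL_MAX_SUITE_SZ - idx);
                XMEMMOVE(suites->suites + idx, suites->suites, keep);
                XMEMCPY(suites->suites, tmp, idx);
                suites->suiteSz = (word16)(idx + keep);
            }
```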

174
src/ssl.c

@ -2167,8 +2167,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
#endif
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
@ -4691,8 +4691,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
return WOLFSSL_SUCCESS;
@ -6735,8 +6735,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
/* let's reset suites */
InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
@ -11016,45 +11016,6 @@ int CM_GetCertCacheMemSize(WOLFSSL_CERT_MANAGER* cm)
#ifdef OPENSSL_EXTRA
/* removes all cipher suites from the list that contain "toRemove"
* returns the new list size on success
*/
static int wolfSSL_remove_ciphers(char* list, int sz, const char* toRemove)
{
int idx = 0;
char* next = (char*)list;
int totalSz = sz;
if (list == NULL) {
return 0;
}
do {
char* current = next;
char name[MAX_SUITE_NAME + 1];
word32 length;
next = XSTRSTR(next, ":");
length = min(sizeof(name), !next ? (word32)XSTRLEN(current) /* last */
: (word32)(next - current));
XSTRNCPY(name, current, length);
name[(length == sizeof(name)) ? length - 1 : length] = 0;
if (XSTRSTR(name, toRemove)) {
XMEMMOVE(list + idx, list + idx + length, totalSz - (idx + length));
totalSz -= length;
list[totalSz] = '\0';
next = current;
}
else {
idx += length;
}
} while (next++); /* ++ needed to skip ':' */
return totalSz;
}
/*
* build enabled cipher list w/ TLS13 or w/o TLS13 suites
* @param ctx a pointer to WOLFSSL_CTX structure
@ -11240,11 +11201,6 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
const char* list)
{
int ret = 0;
const int suiteSz = GetCipherNamesSize();
char* next = (char*)list;
const CipherSuiteInfo* names = GetCipherNames();
char* localList = NULL;
int sz = 0;
int listattribute = 0;
char* buildcipherList = NULL;
int tls13Only = 0;
@ -11254,90 +11210,40 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
return WOLFSSL_FAILURE;
}
/* does list contain eNULL or aNULL? */
if (XSTRSTR(list, "aNULL") || XSTRSTR(list, "eNULL")) {
do {
char* current = next;
char name[MAX_SUITE_NAME + 1];
int i;
word32 length = MAX_SUITE_NAME;
word32 current_length;
listattribute = CheckcipherList(list);
next = XSTRSTR(next, ":");
if (listattribute == 0) {
/* list has mixed(pre-TLSv13 and TLSv13) suites
* update cipher suites the same as before
*/
return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS :
WOLFSSL_FAILURE;
}
else if (listattribute == 1) {
/* list has only pre-TLSv13 suites.
* Only update before TLSv13 suites.
*/
tls13Only = 1;
}
else if (listattribute == 2) {
/* list has only TLSv13 suites. Only update TLv13 suites
* simulate set_ciphersuites() compatibility layer API
*/
tls13Only = 0;
}
current_length = (!next) ? (word32)XSTRLEN(current)
: (word32)(next - current);
buildcipherList = buildEnabledCipherList(ctx, ctx->suites,
tls13Only, list);
if (current_length < length) {
length = current_length;
}
XMEMCPY(name, current, length);
name[length] = 0;
/* check for "not" case */
if (name[0] == '!' && suiteSz > 0) {
/* populate list with all suites if not already created */
if (localList == NULL) {
for (i = 0; i < suiteSz; i++) {
sz += (int)XSTRLEN(names[i].name) + 2;
}
localList = (char*)XMALLOC(sz, ctx->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (localList == NULL) {
return WOLFSSL_FAILURE;
}
wolfSSL_get_ciphers(localList, sz);
sz = (int)XSTRLEN(localList);
}
if (XSTRSTR(name, "eNULL")) {
wolfSSL_remove_ciphers(localList, sz, "-NULL");
}
}
}
while (next++); /* ++ needed to skip ':' */
ret = SetCipherList(ctx, suites, localList);
XFREE(localList, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
return (ret)? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
if (buildcipherList) {
ret = SetCipherList(ctx, suites, buildcipherList);
XFREE(buildcipherList, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
}
else {
listattribute = CheckcipherList(list);
if (listattribute == 0) {
/* list has mixed(pre-TLSv13 and TLSv13) suites
* update cipher suites the same as before
*/
return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS :
WOLFSSL_FAILURE;
}
else if (listattribute == 1) {
/* list has only pre-TLSv13 suites.
* Only update before TLSv13 suites.
*/
tls13Only = 1;
}
else if (listattribute == 2) {
/* list has only TLSv13 suites. Only update TLv13 suites
* simulate set_ciphersuites() compatibility layer API
*/
tls13Only = 0;
}
buildcipherList = buildEnabledCipherList(ctx, ctx->suites,
tls13Only, list);
if (buildcipherList) {
ret = SetCipherList(ctx, suites, buildcipherList);
XFREE(buildcipherList, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
}
else {
ret = SetCipherList(ctx, suites, list);
}
return ret;
ret = SetCipherList(ctx, suites, list);
}
return ret;
}
#endif
@ -14614,8 +14520,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
#endif
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
#ifdef OPENSSL_EXTRA
@ -14667,8 +14573,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
#endif
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
@ -22647,8 +22553,8 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
return ssl->options.mask;
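Review bot: Every InitSuites() call in this file now passes a bare `TRUE` in the new haveStaticRSA and haveNull positions, and nothing at the call site says which of the fourteen arguments they are; a trailing `/* haveStaticRSA */` and `/* haveNull */` on each would make a misplaced argument visible in review. The same applies to the InitSuites() call sites in the other file sections of this commit. These literals also mean a `!kRSA` or `!eNULL` choice made in SetCipherList() is not carried in `ssl->options` the way haveAnon is. It therefore survives these re-initialisations only if InitSuites() returns early for user-set suites; the `setSuites` reset in SetCipherList() suggests it does, but that check is outside the visible hunks, so a one-line comment stating the dependency would help.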


@ -10604,8 +10604,8 @@ void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl,
#endif
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
@ -10655,8 +10655,8 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
#endif
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}
@ -10703,8 +10703,8 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
#endif
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveECDSAsig,
ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon,
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
ssl->options.side);
}


@ -703,6 +703,12 @@ static void test_for_double_Free(void)
"CHA20-POLY1305:EDH-RSA-DES-CBC3-SHA:TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-S"
"HA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-"
"8-SHA256:TLS13-SHA256-SHA256:TLS13-SHA384-SHA384";
/* OpenVPN uses a "blacklist" method to specify which ciphers NOT to use */
#ifdef OPENSSL_EXTRA
char openvpnCiphers[] = "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:"
"!SRP:!kRSA:!aNULL:!eNULL";
#endif
#ifndef NO_RSA
testCertFile = svrCertFile;
testKeyFile = svrKeyFile;
@ -767,6 +773,9 @@ static void test_for_double_Free(void)
defined(WOLFSSL_AES_128) && !defined(NO_RSA)
/* only update pre-TLSv13 suites */
AssertTrue(wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256"));
#endif
#ifdef OPENSSL_EXTRA
AssertTrue(wolfSSL_CTX_set_cipher_list(ctx, openvpnCiphers));
#endif
AssertNotNull(ssl = wolfSSL_new(ctx));
wolfSSL_CTX_free(ctx);
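Review bot: The added `AssertTrue(wolfSSL_CTX_set_cipher_list(ctx, openvpnCiphers))` checks only the return value, so it would still pass if the exclusions were parsed and then ignored. After `wolfSSL_new(ctx)` the test should walk the resulting suite list and assert that no NULL-encryption, anonymous or static-RSA suite remains. `openvpnCiphers` also contains `!kECDH` and `!SRP`, which are not among the bulk names SetCipherList() handles in the hunks shown for this commit, so a comment stating whether unknown negated keywords are meant to be skipped silently would help. test_for_double_Free() starts and ends outside these hunks.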


@ -1956,8 +1956,9 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig,
WOLFSSL_LOCAL void InitSuites(Suites* suites, ProtocolVersion pv, int keySz,
word16 haveRSA, word16 havePSK, word16 haveDH,
word16 haveECDSAsig, word16 haveECC,
word16 haveStaticECC, word16 haveFalconSig,
word16 haveAnon, int side);
word16 haveStaticRSA, word16 haveStaticECC,
word16 haveFalconSig, word16 haveAnon,
word16 haveNull, int side);
WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites);
WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites,