mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-07-31 19:24:42 +02:00
Expand SetCipherList()
- support disabling ciphersuites starting from the default list
This commit is contained in:
Juliusz Sosinowicz
306
src/internal.c
306
src/internal.c
@@ -2917,8 +2917,9 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig,
|
|||||||
|
|
||||||
void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
||||||
word16 havePSK, word16 haveDH, word16 haveECDSAsig,
|
word16 havePSK, word16 haveDH, word16 haveECDSAsig,
|
||||||
word16 haveECC, word16 haveStaticECC, word16 haveFalconSig,
|
word16 haveECC, word16 haveStaticRSA, word16 haveStaticECC,
|
||||||
word16 haveAnon, int side)
|
word16 haveFalconSig, word16 haveAnon, word16 haveNull,
|
||||||
|
int side)
|
||||||
{
|
{
|
||||||
word16 idx = 0;
|
word16 idx = 0;
|
||||||
int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
|
int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
|
||||||
@@ -2941,12 +2942,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
(void)dtls;
|
(void)dtls;
|
||||||
(void)haveDH;
|
(void)haveDH;
|
||||||
(void)havePSK;
|
(void)havePSK;
|
||||||
|
(void)haveStaticRSA;
|
||||||
(void)haveStaticECC;
|
(void)haveStaticECC;
|
||||||
(void)haveECC;
|
(void)haveECC;
|
||||||
(void)side;
|
(void)side;
|
||||||
(void)haveRSA; /* some builds won't read */
|
(void)haveRSA; /* some builds won't read */
|
||||||
(void)haveRSAsig; /* non ecc builds won't read */
|
(void)haveRSAsig; /* non ecc builds won't read */
|
||||||
(void)haveAnon; /* anon ciphers optional */
|
(void)haveAnon; /* anon ciphers optional */
|
||||||
|
(void)haveNull;
|
||||||
(void)haveFalconSig;
|
(void)haveFalconSig;
|
||||||
|
|
||||||
if (suites == NULL) {
|
if (suites == NULL) {
|
||||||
@@ -2995,14 +2998,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef HAVE_NULL_CIPHER
|
#ifdef HAVE_NULL_CIPHER
|
||||||
#ifdef BUILD_TLS_SHA256_SHA256
|
#ifdef BUILD_TLS_SHA256_SHA256
|
||||||
if (tls1_3) {
|
if (tls1_3 && haveNull) {
|
||||||
suites->suites[idx++] = ECC_BYTE;
|
suites->suites[idx++] = ECC_BYTE;
|
||||||
suites->suites[idx++] = TLS_SHA256_SHA256;
|
suites->suites[idx++] = TLS_SHA256_SHA256;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_SHA384_SHA384
|
#ifdef BUILD_TLS_SHA384_SHA384
|
||||||
if (tls1_3) {
|
if (tls1_3 && haveNull) {
|
||||||
suites->suites[idx++] = ECC_BYTE;
|
suites->suites[idx++] = ECC_BYTE;
|
||||||
suites->suites[idx++] = TLS_SHA384_SHA384;
|
suites->suites[idx++] = TLS_SHA384_SHA384;
|
||||||
}
|
}
|
||||||
@@ -3083,14 +3086,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
|
#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||||
if (tls1_2 && haveRSA) {
|
if (tls1_2 && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_AES_256_GCM_SHA384;
|
suites->suites[idx++] = TLS_RSA_WITH_AES_256_GCM_SHA384;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
|
#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||||
if (tls1_2 && haveRSA) {
|
if (tls1_2 && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_AES_128_GCM_SHA256;
|
suites->suites[idx++] = TLS_RSA_WITH_AES_128_GCM_SHA256;
|
||||||
}
|
}
|
||||||
@@ -3387,14 +3390,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
|
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
|
||||||
if (tls1_2 && haveRSA) {
|
if (tls1_2 && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = ECC_BYTE;
|
suites->suites[idx++] = ECC_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8;
|
suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
|
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
|
||||||
if (tls1_2 && haveRSA) {
|
if (tls1_2 && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = ECC_BYTE;
|
suites->suites[idx++] = ECC_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8;
|
suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8;
|
||||||
}
|
}
|
||||||
@@ -3450,9 +3453,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
|
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && haveRSA)
|
if (tls1_2 && haveRSA && haveStaticRSA)
|
||||||
#else
|
#else
|
||||||
if (tls && haveRSA)
|
if (tls && haveRSA && haveStaticRSA)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3462,9 +3465,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
|
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && haveRSA)
|
if (tls1_2 && haveRSA && haveStaticRSA)
|
||||||
#else
|
#else
|
||||||
if (tls && haveRSA)
|
if (tls && haveRSA && haveStaticRSA)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3473,14 +3476,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
|
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
|
||||||
if (tls && haveRSA) {
|
if (tls && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA;
|
suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
|
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
|
||||||
if (tls && haveRSA) {
|
if (tls && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA;
|
suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA;
|
||||||
}
|
}
|
||||||
@@ -3509,21 +3512,21 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
|
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
|
||||||
if (tls && haveECC) {
|
if (tls && haveECC && haveNull) {
|
||||||
suites->suites[idx++] = ECC_BYTE;
|
suites->suites[idx++] = ECC_BYTE;
|
||||||
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA;
|
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_NULL_MD5
|
#ifdef BUILD_TLS_RSA_WITH_NULL_MD5
|
||||||
if (tls && haveRSA) {
|
if (tls && haveRSA && haveNull && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_NULL_MD5;
|
suites->suites[idx++] = TLS_RSA_WITH_NULL_MD5;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA
|
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA
|
||||||
if (tls && haveRSA) {
|
if (tls && haveRSA && haveNull && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA;
|
suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA;
|
||||||
}
|
}
|
||||||
@@ -3531,9 +3534,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
|
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && haveRSA)
|
if (tls1_2 && haveRSA && haveNull && haveStaticRSA)
|
||||||
#else
|
#else
|
||||||
if (tls && haveRSA)
|
if (tls && haveRSA && haveNull && haveStaticRSA)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3709,7 +3712,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && haveDH && havePSK)
|
if (tls1_2 && haveDH && havePSK)
|
||||||
#else
|
#else
|
||||||
if (tls && haveDH && havePSK)
|
if (tls && haveDH && havePSK && haveNull)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3719,9 +3722,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
|
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && havePSK)
|
if (tls1_2 && havePSK && haveNull)
|
||||||
#else
|
#else
|
||||||
if (tls && havePSK)
|
if (tls && havePSK && haveNull)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3731,9 +3734,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256
|
#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && havePSK)
|
if (tls1_2 && havePSK && haveNull)
|
||||||
#else
|
#else
|
||||||
if (tls && havePSK)
|
if (tls && havePSK && haveNull)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = ECC_BYTE;
|
suites->suites[idx++] = ECC_BYTE;
|
||||||
@@ -3743,9 +3746,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
|
#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && haveDH && havePSK)
|
if (tls1_2 && haveDH && havePSK && haveNull)
|
||||||
#else
|
#else
|
||||||
if (tls && haveDH && havePSK)
|
if (tls && haveDH && havePSK && haveNull)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3755,9 +3758,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
|
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && havePSK)
|
if (tls1_2 && havePSK && haveNull)
|
||||||
#else
|
#else
|
||||||
if (tls && havePSK)
|
if (tls && havePSK && haveNull)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3766,56 +3769,56 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA
|
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA
|
||||||
if (tls && havePSK) {
|
if (tls && havePSK && haveNull) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA;
|
suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
|
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
|
||||||
if (!dtls && haveRSA) {
|
if (!dtls && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA;
|
suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
|
#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
|
||||||
if (!dtls && haveRSA) {
|
if (!dtls && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5;
|
suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
|
#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
if (haveRSA ) {
|
if (haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
|
suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||||
if (tls && haveRSA) {
|
if (tls && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA;
|
suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||||
if (tls && haveDH && haveRSA) {
|
if (tls && haveDH && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA;
|
suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||||
if (tls && haveRSA) {
|
if (tls && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA;
|
suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||||
if (tls && haveDH && haveRSA) {
|
if (tls && haveDH && haveRSA && haveStaticRSA) {
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA;
|
suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA;
|
||||||
}
|
}
|
||||||
@@ -3823,9 +3826,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && haveRSA)
|
if (tls1_2 && haveRSA && haveStaticRSA)
|
||||||
#else
|
#else
|
||||||
if (tls && haveRSA)
|
if (tls && haveRSA && haveStaticRSA)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3835,9 +3838,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && haveDH && haveRSA)
|
if (tls1_2 && haveDH && haveRSA && haveStaticRSA)
|
||||||
#else
|
#else
|
||||||
if (tls && haveDH && haveRSA)
|
if (tls && haveDH && haveRSA && haveStaticRSA)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3847,9 +3850,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && haveRSA)
|
if (tls1_2 && haveRSA && haveStaticRSA)
|
||||||
#else
|
#else
|
||||||
if (tls && haveRSA)
|
if (tls && haveRSA && haveStaticRSA)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -3859,9 +3862,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
|
|||||||
|
|
||||||
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
||||||
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
|
||||||
if (tls1_2 && haveDH && haveRSA)
|
if (tls1_2 && haveDH && haveRSA && haveStaticRSA)
|
||||||
#else
|
#else
|
||||||
if (tls && haveDH && haveRSA)
|
if (tls && haveDH && haveRSA && haveStaticRSA)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
suites->suites[idx++] = CIPHER_BYTE;
|
suites->suites[idx++] = CIPHER_BYTE;
|
||||||
@@ -5876,15 +5879,15 @@ int InitSSL_Suites(WOLFSSL* ssl)
|
|||||||
if (ssl->options.side == WOLFSSL_SERVER_END) {
|
if (ssl->options.side == WOLFSSL_SERVER_END) {
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, TRUE,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, TRUE,
|
||||||
ssl->options.haveECDSAsig, ssl->options.haveECC,
|
ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE,
|
||||||
ssl->options.haveStaticECC, ssl->options.haveFalconSig,
|
ssl->options.haveStaticECC, ssl->options.haveFalconSig,
|
||||||
ssl->options.haveAnon, ssl->options.side);
|
ssl->options.haveAnon, TRUE, ssl->options.side);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
|
#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
|
||||||
@@ -23157,6 +23160,11 @@ int GetCipherSuiteFromName(const char* name, byte* cipherSuite0,
|
|||||||
/**
|
/**
|
||||||
Set the enabled cipher suites.
|
Set the enabled cipher suites.
|
||||||
|
|
||||||
|
With OPENSSL_EXTRA we attempt to understand some of the available "bulk"
|
||||||
|
ciphersuites. We can not perfectly filter ciphersuites based on the "bulk"
|
||||||
|
names but we do what we can. Ciphersuites named explicitly take precedence to
|
||||||
|
ciphersuites introduced through the "bulk" ciphersuites.
|
||||||
|
|
||||||
@param [out] suites Suites structure.
|
@param [out] suites Suites structure.
|
||||||
@param [in] list List of cipher suites, only supports full name from
|
@param [in] list List of cipher suites, only supports full name from
|
||||||
cipher_names[] delimited by ':'.
|
cipher_names[] delimited by ':'.
|
||||||
@@ -23171,6 +23179,16 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
|||||||
int haveECDSAsig = 0;
|
int haveECDSAsig = 0;
|
||||||
int haveFalconSig = 0;
|
int haveFalconSig = 0;
|
||||||
int haveAnon = 0;
|
int haveAnon = 0;
|
||||||
|
#ifdef OPENSSL_EXTRA
|
||||||
|
int haveRSA = 0;
|
||||||
|
int haveDH = 0;
|
||||||
|
int haveECC = 0;
|
||||||
|
int haveStaticRSA = 1; /* allowed by default if compiled in */
|
||||||
|
int haveStaticECC = 0;
|
||||||
|
int haveNull = 1; /* allowed by default if compiled in */
|
||||||
|
int callInitSuites = 0;
|
||||||
|
int havePSK = 0;
|
||||||
|
#endif
|
||||||
const int suiteSz = GetCipherNamesSize();
|
const int suiteSz = GetCipherNamesSize();
|
||||||
const char* next = list;
|
const char* next = list;
|
||||||
|
|
||||||
@@ -23188,6 +23206,9 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
|||||||
char name[MAX_SUITE_NAME + 1];
|
char name[MAX_SUITE_NAME + 1];
|
||||||
int i;
|
int i;
|
||||||
word32 length;
|
word32 length;
|
||||||
|
#ifdef OPENSSL_EXTRA
|
||||||
|
int allowing = 1;
|
||||||
|
#endif
|
||||||
|
|
||||||
next = XSTRSTR(next, ":");
|
next = XSTRSTR(next, ":");
|
||||||
length = MAX_SUITE_NAME;
|
length = MAX_SUITE_NAME;
|
||||||
@@ -23198,9 +23219,159 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef OPENSSL_EXTRA
|
||||||
|
if (length > 1) {
|
||||||
|
if (*current == '!') {
|
||||||
|
allowing = 0;
|
||||||
|
current++;
|
||||||
|
length--;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
XSTRNCPY(name, current, length);
|
XSTRNCPY(name, current, length);
|
||||||
name[(length == sizeof(name)) ? length - 1 : length] = 0;
|
name[(length == sizeof(name)) ? length - 1 : length] = 0;
|
||||||
|
|
||||||
|
#ifdef OPENSSL_EXTRA
|
||||||
|
if (XSTRCMP(name, "DEFAULT") == 0 || XSTRCMP(name, "ALL") == 0) {
|
||||||
|
if (XSTRCMP(name, "ALL") == 0)
|
||||||
|
haveAnon = 1;
|
||||||
|
else
|
||||||
|
haveAnon = 0;
|
||||||
|
#ifdef HAVE_ANON
|
||||||
|
ctx->haveAnon = haveAnon;
|
||||||
|
#endif
|
||||||
|
haveRSA = 1;
|
||||||
|
haveDH = 1;
|
||||||
|
haveECDSAsig = 1;
|
||||||
|
haveECC = 1;
|
||||||
|
haveStaticECC = 1;
|
||||||
|
haveStaticRSA = 1;
|
||||||
|
haveRSAsig = 1;
|
||||||
|
haveECDSAsig = 1;
|
||||||
|
havePSK = 1;
|
||||||
|
haveNull = 0;
|
||||||
|
|
||||||
|
callInitSuites = 1;
|
||||||
|
ret = 1;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* We don't have a way to disallow high bit sizes. Only disable unsafe
|
||||||
|
* ciphersuites. */
|
||||||
|
if (XSTRCMP(name, "HIGH") == 0 && allowing) {
|
||||||
|
/* Disable static, anonymous, and null ciphers */
|
||||||
|
haveAnon = 0;
|
||||||
|
#ifdef HAVE_ANON
|
||||||
|
ctx->haveAnon = 0;
|
||||||
|
#endif
|
||||||
|
haveRSA = 1;
|
||||||
|
haveDH = 1;
|
||||||
|
haveECDSAsig = 1;
|
||||||
|
haveECC = 1;
|
||||||
|
haveStaticECC = 0;
|
||||||
|
haveStaticRSA = 0;
|
||||||
|
haveRSAsig = 1;
|
||||||
|
haveECDSAsig = 1;
|
||||||
|
havePSK = 1;
|
||||||
|
haveNull = 0;
|
||||||
|
|
||||||
|
callInitSuites = 1;
|
||||||
|
ret = 1;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (XSTRCMP(name, "aNULL") == 0) {
|
||||||
|
haveAnon = allowing;
|
||||||
|
#ifdef HAVE_ANON
|
||||||
|
ctx->haveAnon = allowing;
|
||||||
|
#endif
|
||||||
|
if (allowing) {
|
||||||
|
/* Allow RSA by default. */
|
||||||
|
if (!haveECC)
|
||||||
|
haveRSA = 1;
|
||||||
|
if (!haveECDSAsig)
|
||||||
|
haveRSAsig = 1;
|
||||||
|
callInitSuites = 1;
|
||||||
|
ret = 1;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (XSTRCMP(name, "eNULL") == 0 || XSTRCMP(name, "NULL") == 0) {
|
||||||
|
haveNull = allowing;
|
||||||
|
if (allowing) {
|
||||||
|
/* Allow RSA by default. */
|
||||||
|
if (!haveECC)
|
||||||
|
haveRSA = 1;
|
||||||
|
if (!haveECDSAsig)
|
||||||
|
haveRSAsig = 1;
|
||||||
|
callInitSuites = 1;
|
||||||
|
ret = 1;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (XSTRCMP(name, "kDH") == 0) {
|
||||||
|
haveStaticECC = allowing;
|
||||||
|
if (allowing) {
|
||||||
|
haveECC = 1;
|
||||||
|
haveECDSAsig = 1;
|
||||||
|
callInitSuites = 1;
|
||||||
|
ret = 1;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (XSTRCMP(name, "kRSA") == 0 || XSTRCMP(name, "RSA") == 0) {
|
||||||
|
haveStaticRSA = allowing;
|
||||||
|
if (allowing) {
|
||||||
|
haveRSA = 1;
|
||||||
|
haveRSAsig = 1;
|
||||||
|
callInitSuites = 1;
|
||||||
|
ret = 1;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (XSTRCMP(name, "PSK") == 0) {
|
||||||
|
havePSK = allowing;
|
||||||
|
haveRSAsig = 1;
|
||||||
|
if (allowing) {
|
||||||
|
/* Allow RSA by default. */
|
||||||
|
if (!haveECC)
|
||||||
|
haveRSA = 1;
|
||||||
|
if (!haveECDSAsig)
|
||||||
|
haveRSAsig = 1;
|
||||||
|
callInitSuites = 1;
|
||||||
|
ret = 1;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (XSTRCMP(name, "LOW") == 0 || XSTRCMP(name, "MEDIUM") == 0) {
|
||||||
|
/* No way to limit or allow low bit sizes */
|
||||||
|
if (allowing) {
|
||||||
|
/* Allow RSA by default */
|
||||||
|
haveRSA = 1;
|
||||||
|
haveRSAsig = 1;
|
||||||
|
callInitSuites = 1;
|
||||||
|
ret = 1;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (XSTRCMP(name, "DSS") == 0) {
|
||||||
|
/* No support for DSA ciphersuites */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (XSTRCMP(name, "EXP") == 0 || XSTRCMP(name, "EXPORT") == 0) {
|
||||||
|
/* wolfSSL doesn't support "export" ciphers. We can skip this */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
#endif /* OPENSSL_EXTRA */
|
||||||
|
|
||||||
for (i = 0; i < suiteSz; i++) {
|
for (i = 0; i < suiteSz; i++) {
|
||||||
if (XSTRNCMP(name, cipher_names[i].name, sizeof(name)) == 0
|
if (XSTRNCMP(name, cipher_names[i].name, sizeof(name)) == 0
|
||||||
#ifndef NO_ERROR_STRINGS
|
#ifndef NO_ERROR_STRINGS
|
||||||
@@ -23277,10 +23448,31 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
|
|||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
keySz = ctx->privateKeySz;
|
keySz = ctx->privateKeySz;
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef OPENSSL_EXTRA
|
||||||
|
if (callInitSuites) {
|
||||||
|
byte tmp[WOLFSSL_MAX_SUITE_SZ];
|
||||||
|
XMEMCPY(tmp, suites->suites, idx); /* Store copy */
|
||||||
|
suites->setSuites = 0; /* Force InitSuites */
|
||||||
|
suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call
|
||||||
|
* inside InitSuites */
|
||||||
|
InitSuites(suites, ctx->method->version, keySz, (word16)haveRSA,
|
||||||
|
(word16)havePSK, (word16)haveDH, (word16)haveECDSAsig,
|
||||||
|
(word16)haveECC, (word16)haveStaticRSA,
|
||||||
|
(word16)haveStaticECC, (word16)haveFalconSig,
|
||||||
|
(word16)haveAnon, (word16)haveNull, ctx->method->side);
|
||||||
|
/* Restore user ciphers ahead of defaults */
|
||||||
|
XMEMMOVE(suites->suites + idx, suites->suites,
|
||||||
|
min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
|
||||||
|
suites->suiteSz += (word16)idx;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
suites->suiteSz = (word16)idx;
|
||||||
|
InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig,
|
||||||
|
haveFalconSig, haveAnon, 1, keySz);
|
||||||
|
}
|
||||||
suites->setSuites = 1;
|
suites->setSuites = 1;
|
||||||
suites->suiteSz = (word16)idx;
|
|
||||||
InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, haveFalconSig,
|
|
||||||
haveAnon, 1, keySz);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
(void)ctx;
|
(void)ctx;
|
||||||
@@ -30898,8 +31090,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
|
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -31292,8 +31484,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
#endif
|
#endif
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -31363,8 +31555,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
/* reset cipher suites to account for TLS version change */
|
/* reset cipher suites to account for TLS version change */
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
174
src/ssl.c
174
src/ssl.c
@@ -2167,8 +2167,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
|
|||||||
#endif
|
#endif
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -4691,8 +4691,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
|
|||||||
|
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
|
|
||||||
return WOLFSSL_SUCCESS;
|
return WOLFSSL_SUCCESS;
|
||||||
@@ -6735,8 +6735,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
/* let's reset suites */
|
/* let's reset suites */
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
|
||||||
havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
|
havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -11016,45 +11016,6 @@ int CM_GetCertCacheMemSize(WOLFSSL_CERT_MANAGER* cm)
|
|||||||
|
|
||||||
#ifdef OPENSSL_EXTRA
|
#ifdef OPENSSL_EXTRA
|
||||||
|
|
||||||
|
|
||||||
/* removes all cipher suites from the list that contain "toRemove"
|
|
||||||
* returns the new list size on success
|
|
||||||
*/
|
|
||||||
static int wolfSSL_remove_ciphers(char* list, int sz, const char* toRemove)
|
|
||||||
{
|
|
||||||
int idx = 0;
|
|
||||||
char* next = (char*)list;
|
|
||||||
int totalSz = sz;
|
|
||||||
|
|
||||||
if (list == NULL) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
do {
|
|
||||||
char* current = next;
|
|
||||||
char name[MAX_SUITE_NAME + 1];
|
|
||||||
word32 length;
|
|
||||||
|
|
||||||
next = XSTRSTR(next, ":");
|
|
||||||
length = min(sizeof(name), !next ? (word32)XSTRLEN(current) /* last */
|
|
||||||
: (word32)(next - current));
|
|
||||||
|
|
||||||
XSTRNCPY(name, current, length);
|
|
||||||
name[(length == sizeof(name)) ? length - 1 : length] = 0;
|
|
||||||
|
|
||||||
if (XSTRSTR(name, toRemove)) {
|
|
||||||
XMEMMOVE(list + idx, list + idx + length, totalSz - (idx + length));
|
|
||||||
totalSz -= length;
|
|
||||||
list[totalSz] = '\0';
|
|
||||||
next = current;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
idx += length;
|
|
||||||
}
|
|
||||||
} while (next++); /* ++ needed to skip ':' */
|
|
||||||
|
|
||||||
return totalSz;
|
|
||||||
}
|
|
||||||
/*
|
/*
|
||||||
* build enabled cipher list w/ TLS13 or w/o TLS13 suites
|
* build enabled cipher list w/ TLS13 or w/o TLS13 suites
|
||||||
* @param ctx a pointer to WOLFSSL_CTX structure
|
* @param ctx a pointer to WOLFSSL_CTX structure
|
||||||
@@ -11240,11 +11201,6 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
|
|||||||
const char* list)
|
const char* list)
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
const int suiteSz = GetCipherNamesSize();
|
|
||||||
char* next = (char*)list;
|
|
||||||
const CipherSuiteInfo* names = GetCipherNames();
|
|
||||||
char* localList = NULL;
|
|
||||||
int sz = 0;
|
|
||||||
int listattribute = 0;
|
int listattribute = 0;
|
||||||
char* buildcipherList = NULL;
|
char* buildcipherList = NULL;
|
||||||
int tls13Only = 0;
|
int tls13Only = 0;
|
||||||
@@ -11254,90 +11210,40 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
|
|||||||
return WOLFSSL_FAILURE;
|
return WOLFSSL_FAILURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* does list contain eNULL or aNULL? */
|
listattribute = CheckcipherList(list);
|
||||||
if (XSTRSTR(list, "aNULL") || XSTRSTR(list, "eNULL")) {
|
|
||||||
do {
|
|
||||||
char* current = next;
|
|
||||||
char name[MAX_SUITE_NAME + 1];
|
|
||||||
int i;
|
|
||||||
word32 length = MAX_SUITE_NAME;
|
|
||||||
word32 current_length;
|
|
||||||
|
|
||||||
next = XSTRSTR(next, ":");
|
if (listattribute == 0) {
|
||||||
|
/* list has mixed(pre-TLSv13 and TLSv13) suites
|
||||||
|
* update cipher suites the same as before
|
||||||
|
*/
|
||||||
|
return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS :
|
||||||
|
WOLFSSL_FAILURE;
|
||||||
|
}
|
||||||
|
else if (listattribute == 1) {
|
||||||
|
/* list has only pre-TLSv13 suites.
|
||||||
|
* Only update before TLSv13 suites.
|
||||||
|
*/
|
||||||
|
tls13Only = 1;
|
||||||
|
}
|
||||||
|
else if (listattribute == 2) {
|
||||||
|
/* list has only TLSv13 suites. Only update TLv13 suites
|
||||||
|
* simulate set_ciphersuites() compatibility layer API
|
||||||
|
*/
|
||||||
|
tls13Only = 0;
|
||||||
|
}
|
||||||
|
|
||||||
current_length = (!next) ? (word32)XSTRLEN(current)
|
buildcipherList = buildEnabledCipherList(ctx, ctx->suites,
|
||||||
: (word32)(next - current);
|
tls13Only, list);
|
||||||
|
|
||||||
if (current_length < length) {
|
if (buildcipherList) {
|
||||||
length = current_length;
|
ret = SetCipherList(ctx, suites, buildcipherList);
|
||||||
}
|
XFREE(buildcipherList, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
XMEMCPY(name, current, length);
|
|
||||||
name[length] = 0;
|
|
||||||
|
|
||||||
/* check for "not" case */
|
|
||||||
if (name[0] == '!' && suiteSz > 0) {
|
|
||||||
/* populate list with all suites if not already created */
|
|
||||||
if (localList == NULL) {
|
|
||||||
for (i = 0; i < suiteSz; i++) {
|
|
||||||
sz += (int)XSTRLEN(names[i].name) + 2;
|
|
||||||
}
|
|
||||||
localList = (char*)XMALLOC(sz, ctx->heap,
|
|
||||||
DYNAMIC_TYPE_TMP_BUFFER);
|
|
||||||
if (localList == NULL) {
|
|
||||||
return WOLFSSL_FAILURE;
|
|
||||||
}
|
|
||||||
wolfSSL_get_ciphers(localList, sz);
|
|
||||||
sz = (int)XSTRLEN(localList);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (XSTRSTR(name, "eNULL")) {
|
|
||||||
wolfSSL_remove_ciphers(localList, sz, "-NULL");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
while (next++); /* ++ needed to skip ':' */
|
|
||||||
|
|
||||||
ret = SetCipherList(ctx, suites, localList);
|
|
||||||
XFREE(localList, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
||||||
return (ret)? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
ret = SetCipherList(ctx, suites, list);
|
||||||
listattribute = CheckcipherList(list);
|
|
||||||
|
|
||||||
if (listattribute == 0) {
|
|
||||||
/* list has mixed(pre-TLSv13 and TLSv13) suites
|
|
||||||
* update cipher suites the same as before
|
|
||||||
*/
|
|
||||||
return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS :
|
|
||||||
WOLFSSL_FAILURE;
|
|
||||||
}
|
|
||||||
else if (listattribute == 1) {
|
|
||||||
/* list has only pre-TLSv13 suites.
|
|
||||||
* Only update before TLSv13 suites.
|
|
||||||
*/
|
|
||||||
tls13Only = 1;
|
|
||||||
}
|
|
||||||
else if (listattribute == 2) {
|
|
||||||
/* list has only TLSv13 suites. Only update TLv13 suites
|
|
||||||
* simulate set_ciphersuites() compatibility layer API
|
|
||||||
*/
|
|
||||||
tls13Only = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
buildcipherList = buildEnabledCipherList(ctx, ctx->suites,
|
|
||||||
tls13Only, list);
|
|
||||||
|
|
||||||
if (buildcipherList) {
|
|
||||||
ret = SetCipherList(ctx, suites, buildcipherList);
|
|
||||||
XFREE(buildcipherList, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
ret = SetCipherList(ctx, suites, list);
|
|
||||||
}
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
@@ -14614,8 +14520,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
#endif
|
#endif
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
#ifdef OPENSSL_EXTRA
|
#ifdef OPENSSL_EXTRA
|
||||||
@@ -14667,8 +14573,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
#endif
|
#endif
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -22647,8 +22553,8 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
|
|||||||
if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END)
|
if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END)
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
|
|
||||||
return ssl->options.mask;
|
return ssl->options.mask;
|
||||||
|
|||||||
12
src/tls13.c
12
src/tls13.c
@@ -10604,8 +10604,8 @@ void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl,
|
|||||||
#endif
|
#endif
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -10655,8 +10655,8 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
|
|||||||
#endif
|
#endif
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -10703,8 +10703,8 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
|
|||||||
#endif
|
#endif
|
||||||
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
|
||||||
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
ssl->options.haveDH, ssl->options.haveECDSAsig,
|
||||||
ssl->options.haveECC, ssl->options.haveStaticECC,
|
ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
|
||||||
ssl->options.haveFalconSig, ssl->options.haveAnon,
|
ssl->options.haveFalconSig, ssl->options.haveAnon, TRUE,
|
||||||
ssl->options.side);
|
ssl->options.side);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -703,6 +703,12 @@ static void test_for_double_Free(void)
|
|||||||
"CHA20-POLY1305:EDH-RSA-DES-CBC3-SHA:TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-S"
|
"CHA20-POLY1305:EDH-RSA-DES-CBC3-SHA:TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-S"
|
||||||
"HA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-"
|
"HA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-"
|
||||||
"8-SHA256:TLS13-SHA256-SHA256:TLS13-SHA384-SHA384";
|
"8-SHA256:TLS13-SHA256-SHA256:TLS13-SHA384-SHA384";
|
||||||
|
/* OpenVPN uses a "blacklist" method to specify which ciphers NOT to use */
|
||||||
|
#ifdef OPENSSL_EXTRA
|
||||||
|
char openvpnCiphers[] = "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:"
|
||||||
|
"!SRP:!kRSA:!aNULL:!eNULL";
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifndef NO_RSA
|
#ifndef NO_RSA
|
||||||
testCertFile = svrCertFile;
|
testCertFile = svrCertFile;
|
||||||
testKeyFile = svrKeyFile;
|
testKeyFile = svrKeyFile;
|
||||||
@@ -767,6 +773,9 @@ static void test_for_double_Free(void)
|
|||||||
defined(WOLFSSL_AES_128) && !defined(NO_RSA)
|
defined(WOLFSSL_AES_128) && !defined(NO_RSA)
|
||||||
/* only update pre-TLSv13 suites */
|
/* only update pre-TLSv13 suites */
|
||||||
AssertTrue(wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256"));
|
AssertTrue(wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256"));
|
||||||
|
#endif
|
||||||
|
#ifdef OPENSSL_EXTRA
|
||||||
|
AssertTrue(wolfSSL_CTX_set_cipher_list(ctx, openvpnCiphers));
|
||||||
#endif
|
#endif
|
||||||
AssertNotNull(ssl = wolfSSL_new(ctx));
|
AssertNotNull(ssl = wolfSSL_new(ctx));
|
||||||
wolfSSL_CTX_free(ctx);
|
wolfSSL_CTX_free(ctx);
|
||||||
|
|||||||
@@ -1956,8 +1956,9 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig,
|
|||||||
WOLFSSL_LOCAL void InitSuites(Suites* suites, ProtocolVersion pv, int keySz,
|
WOLFSSL_LOCAL void InitSuites(Suites* suites, ProtocolVersion pv, int keySz,
|
||||||
word16 haveRSA, word16 havePSK, word16 haveDH,
|
word16 haveRSA, word16 havePSK, word16 haveDH,
|
||||||
word16 haveECDSAsig, word16 haveECC,
|
word16 haveECDSAsig, word16 haveECC,
|
||||||
word16 haveStaticECC, word16 haveFalconSig,
|
word16 haveStaticRSA, word16 haveStaticECC,
|
||||||
word16 haveAnon, int side);
|
word16 haveFalconSig, word16 haveAnon,
|
||||||
|
word16 haveNull, int side);
|
||||||
|
|
||||||
WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites);
|
WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites);
|
||||||
WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites,
|
WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites,
|
||||||
|
|||||||
Reference in New Issue
Block a user