Adding `disabledCurves` as a member of WOLFSSL in the OPENSSL_EXTRA case.
- inheriting from WOLFSSL_CTX on creation - enabling on WOLFSSL only when wolfSSL_set1_curves_list() is called
pull/5473/head
parent
a66516d3a5
commit
6cb0caa0a0
|
@ -6797,6 +6797,8 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
|
|||
if (ctx->protoMsgCb != NULL) {
|
||||
ssl->toInfoOn = 1;
|
||||
}
|
||||
|
||||
ssl->disabledCurves = ctx->disabledCurves;
|
||||
#endif
|
||||
|
||||
InitCiphers(ssl);
|
||||
|
|
53
src/ssl.c
53
src/ssl.c
|
@ -33905,36 +33905,25 @@ void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, const unsigned char **
|
|||
#endif /* WOLFSSL_NGINX / WOLFSSL_HAPROXY */
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
int wolfSSL_CTX_curve_is_disabled(WOLFSSL_CTX* ctx, word16 curve_id)
|
||||
{
|
||||
return (curve_id <= WOLFSSL_ECC_MAX &&
|
||||
ctx->disabledCurves &&
|
||||
ctx->disabledCurves & (1 << curve_id));
|
||||
}
|
||||
|
||||
int wolfSSL_curve_is_disabled(WOLFSSL* ssl, word16 curve_id)
|
||||
{
|
||||
/* FIXME: see wolfSSL_set1_curves_list() below on why
|
||||
* this dependency on ssl->ctx alone is insufficient. */
|
||||
return wolfSSL_CTX_curve_is_disabled(ssl->ctx, curve_id);
|
||||
return (curve_id <= WOLFSSL_ECC_MAX &&
|
||||
ssl->disabledCurves &&
|
||||
ssl->disabledCurves & (1 << curve_id));
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(OPENSSL_EXTRA) && (defined(HAVE_ECC) || \
|
||||
defined(HAVE_CURVE25519) || defined(HAVE_CURVE448))
|
||||
int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names)
|
||||
static int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names)
|
||||
{
|
||||
int idx, start = 0, len;
|
||||
word16 curve;
|
||||
word32 disabled;
|
||||
char name[MAX_CURVE_NAME_SZ];
|
||||
|
||||
if (ctx == NULL || names == NULL) {
|
||||
WOLFSSL_MSG("ctx or names was NULL");
|
||||
return WOLFSSL_FAILURE;
|
||||
}
|
||||
|
||||
/* Disable all curves so that only the ones the user wants are enabled. */
|
||||
ctx->disabledCurves = 0xFFFFFFFFUL;
|
||||
disabled = 0xFFFFFFFFUL;
|
||||
for (idx = 1; names[idx-1] != '\0'; idx++) {
|
||||
if (names[idx] != ':' && names[idx] != '\0')
|
||||
continue;
|
||||
|
@ -34008,28 +33997,44 @@ int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names)
|
|||
#if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT)
|
||||
/* set the supported curve so client TLS extension contains only the
|
||||
* desired curves */
|
||||
if (wolfSSL_CTX_UseSupportedCurve(ctx, curve) != WOLFSSL_SUCCESS) {
|
||||
if ((ssl
|
||||
&& wolfSSL_UseSupportedCurve(ssl, curve) != WOLFSSL_SUCCESS)
|
||||
|| (ctx
|
||||
&& wolfSSL_CTX_UseSupportedCurve(ctx, curve) != WOLFSSL_SUCCESS)) {
|
||||
WOLFSSL_MSG("Unable to set supported curve");
|
||||
return WOLFSSL_FAILURE;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Switch the bit to off and therefore is enabled. */
|
||||
ctx->disabledCurves &= ~(1U << curve);
|
||||
disabled &= ~(1U << curve);
|
||||
start = idx + 1;
|
||||
}
|
||||
|
||||
if (ssl)
|
||||
ssl->disabledCurves = disabled;
|
||||
else
|
||||
ctx->disabledCurves = disabled;
|
||||
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
|
||||
int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names)
|
||||
int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names)
|
||||
{
|
||||
if (ssl == NULL) {
|
||||
if (ctx == NULL || names == NULL) {
|
||||
WOLFSSL_MSG("ctx or names was NULL");
|
||||
return WOLFSSL_FAILURE;
|
||||
}
|
||||
/* FIXME: this manipulates the context from a WOLFSSL* and
|
||||
* will lead to surprises for some. */
|
||||
return wolfSSL_CTX_set1_curves_list(ssl->ctx, names);
|
||||
return set_curves_list(NULL, ctx, names);
|
||||
}
|
||||
|
||||
int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names)
|
||||
{
|
||||
if (ssl == NULL || names == NULL) {
|
||||
WOLFSSL_MSG("ssl or names was NULL");
|
||||
return WOLFSSL_FAILURE;
|
||||
}
|
||||
return set_curves_list(ssl, NULL, names);
|
||||
}
|
||||
#endif /* OPENSSL_EXTRA && (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) */
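Review bot: The new body of `wolfSSL_curve_is_disabled` builds the test bit with a signed `1 << curve_id` while `set_curves_list` below clears the same bits with `~(1U << curve)`; the mask is a `word32`, so if `WOLFSSL_ECC_MAX` (its value is not in the hunk) can reach 31 the signed shift is undefined behavior, and the two sites should at least agree — `ssl->disabledCurves & (1U << curve_id));`, with the same change to the pre-existing `ctx` variant above it. Separately, the per-object check now reads only `ssl->disabledCurves`, which the `InitSSL` hunk copies from the context once at object creation, so as far as this commit shows a later `wolfSSL_CTX_set1_curves_list()` on the shared context no longer restricts already-created WOLFSSL objects the way the removed `ssl->ctx` lookup did; that ordering dependency deserves a comment on the function, e.g. `/* Consults the per-object mask snapshotted from ctx in InitSSL; CTX changes made after wolfSSL_new() do not propagate here. */`. The body of `set_curves_list` continues between the two hunks, so the curve-name parsing in that gap is not reviewed here.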
|
||||
|
||||
|
|
|
@ -4668,6 +4668,7 @@ struct WOLFSSL {
|
|||
WOLFSSL_BIO* biowr; /* socket bio write to free/close */
|
||||
byte sessionCtx[ID_LEN]; /* app session context ID */
|
||||
WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/
|
||||
word32 disabledCurves; /* curves disabled by user */
|
||||
#endif
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
||||
unsigned long peerVerifyRet;
|
||||
|
@ -5251,10 +5252,8 @@ WOLFSSL_LOCAL int SetECKeyExternal(WOLFSSL_EC_KEY* eckey);
|
|||
#endif
|
||||
|
||||
#if defined(OPENSSL_EXTRA)
|
||||
WOLFSSL_LOCAL int wolfSSL_CTX_curve_is_disabled(WOLFSSL_CTX* ctx, word16 named_curve);
|
||||
WOLFSSL_LOCAL int wolfSSL_curve_is_disabled(WOLFSSL* ssl, word16 named_curve);
|
||||
#else
|
||||
#define wolfSSL_CTX_curve_is_disabled(ctx, c) ((void)(ctx), (void)(c), 0)
|
||||
#define wolfSSL_curve_is_disabled(ssl, c) ((void)(ssl), (void)(c), 0)
|
||||
#endif
|
||||
|
||||
|
|