WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Adding `disabledCurves` as a member of WOLFSSL in the OPENSSL_EXTRA case. 

- inheriting from WOLFSSL_CTX on creation
- enabling on WOLFSSL only when wolfSSL_set1_curves_list() is called
pull/5473/head
Stefan Eissing 2022-08-19 11:03:23 +02:00
parent a66516d3a5
commit 6cb0caa0a0
3 changed files with 32 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/internal.c
View File

@ -6797,6 +6797,8 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
if (ctx->protoMsgCb != NULL) { if (ctx->protoMsgCb != NULL) {
ssl->toInfoOn = 1; ssl->toInfoOn = 1;
} }
ssl->disabledCurves = ctx->disabledCurves;
#endif #endif
InitCiphers(ssl); InitCiphers(ssl);

53
src/ssl.c
View File

@ -33905,36 +33905,25 @@ void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, const unsigned char **
#endif /* WOLFSSL_NGINX / WOLFSSL_HAPROXY */ #endif /* WOLFSSL_NGINX / WOLFSSL_HAPROXY */
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
int wolfSSL_CTX_curve_is_disabled(WOLFSSL_CTX* ctx, word16 curve_id)
{
return (curve_id <= WOLFSSL_ECC_MAX &&
ctx->disabledCurves &&
ctx->disabledCurves & (1 << curve_id));
}
int wolfSSL_curve_is_disabled(WOLFSSL* ssl, word16 curve_id) int wolfSSL_curve_is_disabled(WOLFSSL* ssl, word16 curve_id)
{ {
/* FIXME: see wolfSSL_set1_curves_list() below on why return (curve_id <= WOLFSSL_ECC_MAX &&
* this dependency on ssl->ctx alone is insufficient. */ ssl->disabledCurves &&
return wolfSSL_CTX_curve_is_disabled(ssl->ctx, curve_id); ssl->disabledCurves & (1 << curve_id));
} }
#endif #endif
#if defined(OPENSSL_EXTRA) && (defined(HAVE_ECC) || \ #if defined(OPENSSL_EXTRA) && (defined(HAVE_ECC) || \
defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) defined(HAVE_CURVE25519) || defined(HAVE_CURVE448))
int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names) static int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names)
{ {
int idx, start = 0, len; int idx, start = 0, len;
word16 curve; word16 curve;
word32 disabled;
char name[MAX_CURVE_NAME_SZ]; char name[MAX_CURVE_NAME_SZ];
if (ctx == NULL || names == NULL) {
WOLFSSL_MSG("ctx or names was NULL");
return WOLFSSL_FAILURE;
}
/* Disable all curves so that only the ones the user wants are enabled. */ /* Disable all curves so that only the ones the user wants are enabled. */
ctx->disabledCurves = 0xFFFFFFFFUL; disabled = 0xFFFFFFFFUL;
for (idx = 1; names[idx-1] != '\0'; idx++) { for (idx = 1; names[idx-1] != '\0'; idx++) {
if (names[idx] != ':' && names[idx] != '\0') if (names[idx] != ':' && names[idx] != '\0')
continue; continue;
@ -34008,28 +33997,44 @@ int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names)
#if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT) #if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT)
/* set the supported curve so client TLS extension contains only the /* set the supported curve so client TLS extension contains only the
* desired curves */ * desired curves */
if (wolfSSL_CTX_UseSupportedCurve(ctx, curve) != WOLFSSL_SUCCESS) { if ((ssl
&& wolfSSL_UseSupportedCurve(ssl, curve) != WOLFSSL_SUCCESS)
|| (ctx
&& wolfSSL_CTX_UseSupportedCurve(ctx, curve) != WOLFSSL_SUCCESS)) {
WOLFSSL_MSG("Unable to set supported curve"); WOLFSSL_MSG("Unable to set supported curve");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
#endif #endif
/* Switch the bit to off and therefore is enabled. */ /* Switch the bit to off and therefore is enabled. */
ctx->disabledCurves &= ~(1U << curve); disabled &= ~(1U << curve);
start = idx + 1; start = idx + 1;
} }
if (ssl)
ssl->disabledCurves = disabled;
else
ctx->disabledCurves = disabled;
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names) int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names)
{ {
if (ssl == NULL) { if (ctx == NULL || names == NULL) {
WOLFSSL_MSG("ctx or names was NULL");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
/* FIXME: this manipulates the context from a WOLFSSL* and return set_curves_list(NULL, ctx, names);
* will lead to surprises for some. */ }
return wolfSSL_CTX_set1_curves_list(ssl->ctx, names);
int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names)
{
if (ssl == NULL || names == NULL) {
WOLFSSL_MSG("ssl or names was NULL");
return WOLFSSL_FAILURE;
}
return set_curves_list(ssl, NULL, names);
} }
#endif /* OPENSSL_EXTRA && (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) */ #endif /* OPENSSL_EXTRA && (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) */

3
wolfssl/internal.h
View File

@ -4668,6 +4668,7 @@ struct WOLFSSL {
WOLFSSL_BIO* biowr; /* socket bio write to free/close */ WOLFSSL_BIO* biowr; /* socket bio write to free/close */
byte sessionCtx[ID_LEN]; /* app session context ID */ byte sessionCtx[ID_LEN]; /* app session context ID */
WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/ WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/
word32 disabledCurves; /* curves disabled by user */
#endif #endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
unsigned long peerVerifyRet; unsigned long peerVerifyRet;
@ -5251,10 +5252,8 @@ WOLFSSL_LOCAL int SetECKeyExternal(WOLFSSL_EC_KEY* eckey);
#endif #endif
#if defined(OPENSSL_EXTRA) #if defined(OPENSSL_EXTRA)
WOLFSSL_LOCAL int wolfSSL_CTX_curve_is_disabled(WOLFSSL_CTX* ctx, word16 named_curve);
WOLFSSL_LOCAL int wolfSSL_curve_is_disabled(WOLFSSL* ssl, word16 named_curve); WOLFSSL_LOCAL int wolfSSL_curve_is_disabled(WOLFSSL* ssl, word16 named_curve);
#else #else
#define wolfSSL_CTX_curve_is_disabled(ctx, c) ((void)(ctx), (void)(c), 0)
#define wolfSSL_curve_is_disabled(ssl, c) ((void)(ssl), (void)(c), 0) #define wolfSSL_curve_is_disabled(ssl, c) ((void)(ssl), (void)(c), 0)
#endif #endif