From 6ed45a23d9063a3597a8e9402ed113ada64776b9 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Thu, 5 Nov 2020 18:27:37 +0100
Subject: [PATCH] Fix getting cipher suites in compat layer

---
 src/internal.c | 2 +-
 src/ssl.c | 50 +++++++++++++++++++++++++++++++++++++++++---------
 wolfssl/ssl.h | 2 +-
 3 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index dd63fdd36..5f521452c 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -5341,7 +5341,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #endif
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
- if (wolfSSL_set_options(ssl, ctx->mask) == 0) {
+ if (ctx->mask != 0 && wolfSSL_set_options(ssl, ctx->mask) == 0) {
 WOLFSSL_MSG("wolfSSL_set_options error");
 return BAD_FUNC_ARG;
 }
diff --git a/src/ssl.c b/src/ssl.c
index aec840450..fd95f80ca 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -28207,16 +28207,11 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
 }
 #endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */
-#ifndef NO_WOLFSSL_STUB
-/*** TBD ***/
-WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(void *ciphers, int idx)
+WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(WOLFSSL_STACK* sk, int i)
 {
- (void)ciphers;
- (void)idx;
- WOLFSSL_STUB("wolfSSL_sk_SSL_CIPHER_value");
- return NULL;
+ WOLFSSL_ENTER("wolfSSL_sk_SSL_CIPHER_value");
+ return wolfSSL_sk_value(sk, i);
 }
-#endif
 WOLFSSL_API void ERR_load_SSL_strings(void)
 {
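Review bot: The new `ctx->mask != 0` guard in SetSSL_CTX deserves a comment, because a reader will otherwise take it for a no-op optimization rather than the correctness fix it is. The `== 0` test presumably treats wolfSSL_set_options() returning the resulting option mask as a failure, which is only meaningful when a non-zero mask was requested; the callee is outside this hunk, so confirm that reading. Suggested comment above the `if`: `/* wolfSSL_set_options() returns the resulting option mask, so 0 only signals an error when a non-zero mask was requested; an empty ctx mask has nothing to copy. */`. SetSSL_CTX starts before the hunk.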
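Review bot: wolfSSL_sk_SSL_CIPHER_value now returns whatever wolfSSL_sk_value() hands back with no check that `sk` actually holds cipher elements, so a caller that passes a stack of another element type gets an unrelated payload typed as `WOLFSSL_CIPHER*`, and a NULL `sk` is forwarded unchecked. Unless wolfSSL_sk_value() (outside this hunk) already validates the stack's element type and a NULL stack, add `if (sk == NULL) return NULL;` plus a check that the stack's element type is the cipher type before the delegation. A one-line comment stating that index validation of `i` is left to wolfSSL_sk_value() would also spare the next reader a lookup, if that is indeed the case.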
@@ -46601,6 +46596,36 @@ static WC_INLINE int SCSV_Check(byte suite0, byte suite)
 return 0;
 }
+static WC_INLINE int sslCipherMinMaxCheck(const WOLFSSL *ssl, byte suite0,
+ byte suite)
+{
+ const CipherSuiteInfo* cipher_names = GetCipherNames();
+ int cipherSz = GetCipherNamesSize();
+ int i;
+ for (i = 0; i < cipherSz; i++)
+ if (cipher_names[i].cipherSuite0 == suite0 &&
+ cipher_names[i].cipherSuite == suite)
+ break;
+ if (i == cipherSz)
+ return 1;
+ if (cipher_names[i].minor < ssl->options.minDowngrade)
+ return 1;
+ switch (cipher_names[i].minor) {
+ case SSLv3_MINOR :
+ return ssl->options.mask & WOLFSSL_OP_NO_SSLv3;
+ case TLSv1_MINOR :
+ return ssl->options.mask & WOLFSSL_OP_NO_TLSv1;
+ case TLSv1_1_MINOR :
+ return ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1;
+ case TLSv1_2_MINOR :
+ return ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2;
+ case TLSv1_3_MINOR :
+ return ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3;
+ default:
+ WOLFSSL_MSG("Unrecognized minor version");
+ return 1;
+ }
+}
 /* returns a pointer to internal cipher suite list. Should not be free'd by
 * caller.
@@ -46620,6 +46645,11 @@ WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl)
 }
 if (ssl->suites != NULL) {
+ if (ssl->suites->suiteSz == 0 &&
+ InitSSL_Suites((WOLFSSL*)ssl) != WOLFSSL_SUCCESS) {
+ WOLFSSL_MSG("Suite initialization failure");
+ return NULL;
+ }
 suites = ssl->suites;
 }
 else {
@@ -46637,7 +46667,9 @@ WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl)
 /* A couple of suites are placeholders for special options,
 * skip those.
 */
- if (SCSV_Check(suites->suites[i], suites->suites[i+1])) {
+ if (SCSV_Check(suites->suites[i], suites->suites[i+1])
+ || sslCipherMinMaxCheck(ssl, suites->suites[i],
+ suites->suites[i+1])) {
 continue;
 }
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 19fa46d3c..1487897f8 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
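Review bot: sslCipherMinMaxCheck rejects a suite whenever the `WOLFSSL_OP_NO_*` bit for exactly `cipher_names[i].minor` is set, or `minor` is below `minDowngrade`, yet `minor` is evidently the suite's minimum protocol version (that is what the `< minDowngrade` comparison implies) and a suite introduced at TLS 1.0 or 1.1 remains negotiable under the later pre-1.3 versions. With `WOLFSSL_OP_NO_TLSv1` set, for instance, every suite whose floor is TLS 1.0 vanishes from the returned list although TLS 1.2 can still use it, so a pre-1.3 suite should only be excluded when every version from max(minor, minDowngrade) up to 1.2 is disabled. The `mask & bit` results are also returned as a raw `int`; normalizing with `!= 0` avoids a high bit reading as "allowed" should the mask ever be wider than `int`. The rewrite below keeps the signature and the lookup loop and assumes the `*_MINOR` constants are ordered by version, as the existing `<` comparison already does; confirm the table's `minor` semantics before applying it.
```c
    /* … unchanged: lookup of suite0/suite in cipher_names … */
    if (i == cipherSz)
        return 1;
    /* `minor` is the suite's minimum version, and a pre-1.3 suite stays
     * negotiable under every later pre-1.3 version, so it is only unusable
     * when each version from max(minor, minDowngrade) up to 1.2 is disabled
     * (by the floor or by its WOLFSSL_OP_NO_* bit). */
    switch (cipher_names[i].minor) {
    case SSLv3_MINOR :
        if (ssl->options.minDowngrade <= SSLv3_MINOR &&
                !(ssl->options.mask & WOLFSSL_OP_NO_SSLv3))
            return 0;
        /* fall through: also carried by TLS 1.0 */
    case TLSv1_MINOR :
        if (ssl->options.minDowngrade <= TLSv1_MINOR &&
                !(ssl->options.mask & WOLFSSL_OP_NO_TLSv1))
            return 0;
        /* fall through: also carried by TLS 1.1 */
    case TLSv1_1_MINOR :
        if (ssl->options.minDowngrade <= TLSv1_1_MINOR &&
                !(ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1))
            return 0;
        /* fall through: also carried by TLS 1.2 */
    case TLSv1_2_MINOR :
        return ssl->options.minDowngrade > TLSv1_2_MINOR ||
               (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) != 0;
    case TLSv1_3_MINOR :
        return (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) != 0;
    default:
        WOLFSSL_MSG("Unrecognized minor version");
        return 1;
    }
```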
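Review bot: The new `InitSSL_Suites((WOLFSSL*)ssl)` call casts away the `const` on this getter's `ssl` parameter and populates `ssl->suites` as a side effect, which a reader of the `const WOLFSSL *` signature will not expect, and the use of `suiteSz == 0` as the "not yet built" signal is equally unstated. Suggested comment above the added `if`: `/* ssl->suites may exist but still be empty (suiteSz == 0) when the suite list has not been built yet; build it now. The cast discards this getter's const: the object is mutated. */`. Whether zero is the only "unbuilt" value, and what InitSSL_Suites() returns on failure, is decided outside this hunk, so confirm before relying on it. wolfSSL_get_ciphers_compat starts before the hunk.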
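Review bot: The comment above the changed condition still describes only the SCSV placeholder skip, while the added `|| sslCipherMinMaxCheck(...)` now also drops suites the configured protocol floor and `WOLFSSL_OP_NO_*` ceiling cannot negotiate, so the comment is incomplete for the new code. Replace it with `/* Skip the placeholder suites for special options (SCSV) and any suite the configured protocol version range cannot negotiate. */`. The enclosing loop starts before the hunk.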
@@ -4046,7 +4046,7 @@ WOLFSSL_API int wolfSSL_sk_SSL_CIPHER_find(
 WOLFSSL_API void wolfSSL_sk_SSL_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk);
 WOLFSSL_API int wolfSSL_sk_SSL_COMP_zero(WOLFSSL_STACK* st);
 WOLFSSL_API int wolfSSL_sk_SSL_COMP_num(WOLF_STACK_OF(WOLFSSL_COMP)* sk);
-WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(void *ciphers, int idx);
+WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(WOLFSSL_STACK* sk, int i);
 WOLFSSL_API void ERR_load_SSL_strings(void);
 WOLFSSL_API void wolfSSL_EC_POINT_dump(const char *msg, const WOLFSSL_EC_POINT *p);