Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

InitSuites changes to order making BUILD_TLS_AES_256_GCM_SHA384 be prioritized over BUILD_TLS_AES_128_GCM_SHA256 #7771

Merged
merged 7 commits into from
Nov 22, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions src/internal.c
Original file line number Diff line number Diff line change
Expand Up @@ -3304,17 +3304,17 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
return; /* trust user settings, don't override */

#ifdef WOLFSSL_TLS13
#ifdef BUILD_TLS_AES_128_GCM_SHA256
#ifdef BUILD_TLS_AES_256_GCM_SHA384
if (tls1_3) {
suites->suites[idx++] = TLS13_BYTE;
suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
}
#endif

#ifdef BUILD_TLS_AES_256_GCM_SHA384
#ifdef BUILD_TLS_AES_128_GCM_SHA256
if (tls1_3) {
suites->suites[idx++] = TLS13_BYTE;
suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
}
#endif

Expand Down
4 changes: 2 additions & 2 deletions src/ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -19911,10 +19911,10 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt)
if ((ctrl_opt & WOLFSSL_OP_CIPHER_SERVER_PREFERENCE)
== WOLFSSL_OP_CIPHER_SERVER_PREFERENCE) {
WOLFSSL_MSG("Using Server's Cipher Preference.");
ctx->useClientOrder = FALSE;
ctx->useClientOrder = 0;
} else {
WOLFSSL_MSG("Using Client's Cipher Preference.");
ctx->useClientOrder = TRUE;
ctx->useClientOrder = 1;
}
#endif /* WOLFSSL_QT */

Expand Down
41 changes: 18 additions & 23 deletions tests/api.c
Original file line number Diff line number Diff line change
Expand Up @@ -7121,15 +7121,10 @@ static int test_wolfSSL_EVP_CIPHER_CTX(void)
#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) || \
defined(HAVE_IO_TESTS_DEPENDENCIES)
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
#ifdef WC_SHA512_DIGEST_SIZE
#define MD_MAX_SIZE WC_SHA512_DIGEST_SIZE
#else
#define MD_MAX_SIZE WC_SHA256_DIGEST_SIZE
#endif
byte server_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by server */
byte server_side_msg2[MD_MAX_SIZE] = {0};/* msg received from client */
byte client_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by client */
byte client_side_msg2[MD_MAX_SIZE] = {0};/* msg received from server */
byte server_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by server */
byte server_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from client */
byte client_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by client */
byte client_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from server */
#endif /* WOLFSSL_HAVE_TLS_UNIQUE */

/* TODO: Expand and enable this when EVP_chacha20_poly1305 is supported */
Expand Down Expand Up @@ -7682,14 +7677,14 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
TEST_SUCCESS);
}
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
XMEMSET(server_side_msg2, 0, MD_MAX_SIZE);
XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_peer_finished(test_ctx.s_ssl, server_side_msg2,
MD_MAX_SIZE);
WC_MAX_DIGEST_SIZE);
ExpectIntGE(msg_len, 0);

XMEMSET(server_side_msg1, 0, MD_MAX_SIZE);
XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_finished(test_ctx.s_ssl, server_side_msg1,
MD_MAX_SIZE);
WC_MAX_DIGEST_SIZE);
ExpectIntGE(msg_len, 0);
#endif /* WOLFSSL_HAVE_TLS_UNIQUE */

Expand Down Expand Up @@ -8053,12 +8048,12 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
}

#ifdef WOLFSSL_HAVE_TLS_UNIQUE
XMEMSET(server_side_msg2, 0, MD_MAX_SIZE);
msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, MD_MAX_SIZE);
XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, WC_MAX_DIGEST_SIZE);
AssertIntGE(msg_len, 0);

XMEMSET(server_side_msg1, 0, MD_MAX_SIZE);
msg_len = wolfSSL_get_finished(ssl, server_side_msg1, MD_MAX_SIZE);
XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_finished(ssl, server_side_msg1, WC_MAX_DIGEST_SIZE);
AssertIntGE(msg_len, 0);
#endif /* WOLFSSL_HAVE_TLS_UNIQUE */

Expand Down Expand Up @@ -9677,12 +9672,12 @@ static int test_wolfSSL_get_finished_client_on_handshake(WOLFSSL_CTX* ctx,

/* get_finished test */
/* 1. get own sent message */
XMEMSET(client_side_msg1, 0, MD_MAX_SIZE);
msg_len = wolfSSL_get_finished(ssl, client_side_msg1, MD_MAX_SIZE);
XMEMSET(client_side_msg1, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_finished(ssl, client_side_msg1, WC_MAX_DIGEST_SIZE);
ExpectIntGE(msg_len, 0);
/* 2. get peer message */
XMEMSET(client_side_msg2, 0, MD_MAX_SIZE);
msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, MD_MAX_SIZE);
XMEMSET(client_side_msg2, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, WC_MAX_DIGEST_SIZE);
ExpectIntGE(msg_len, 0);

return EXPECT_RESULT();
Expand All @@ -9705,8 +9700,8 @@ static int test_wolfSSL_get_finished(void)
TEST_SUCCESS);

/* test received msg vs sent msg */
ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, MD_MAX_SIZE));
ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, MD_MAX_SIZE));
ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, WC_MAX_DIGEST_SIZE));
ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, WC_MAX_DIGEST_SIZE));
#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_HAVE_TLS_UNIQUE */

return EXPECT_RESULT();
Expand Down
20 changes: 15 additions & 5 deletions tests/quic.c
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,11 @@
#include <wolfssl/error-ssl.h>
#include <wolfssl/internal.h>

#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
#define DEFAULT_TLS_DIGEST_SZ WC_SHA384_DIGEST_SIZE
#else
#define DEFAULT_TLS_DIGEST_SZ WC_SHA256_DIGEST_SIZE
#endif

#define testingFmt " %s:"
#define resultFmt " %s\n"
Expand Down Expand Up @@ -1126,13 +1131,16 @@ static int test_quic_server_hello(int verbose) {
QuicConversation_step(&conv, 0);
/* check established/missing secrets */
check_secrets(&tserver, wolfssl_encryption_initial, 0, 0);
check_secrets(&tserver, wolfssl_encryption_handshake, 32, 32);
check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
check_secrets(&tserver, wolfssl_encryption_handshake,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
check_secrets(&tserver, wolfssl_encryption_application,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
check_secrets(&tclient, wolfssl_encryption_handshake, 0, 0);
/* feed the server data to the client */
QuicConversation_step(&conv, 0);
/* client has generated handshake secret */
check_secrets(&tclient, wolfssl_encryption_handshake, 32, 32);
check_secrets(&tclient, wolfssl_encryption_handshake,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
/* continue the handshake till done */
conv.started = 1;
/* run till end */
Expand All @@ -1155,8 +1163,10 @@ static int test_quic_server_hello(int verbose) {
/* the last client write (FINISHED) was at handshake level */
AssertTrue(tclient.output.level == wolfssl_encryption_handshake);
/* we have the app secrets */
check_secrets(&tclient, wolfssl_encryption_application, 32, 32);
check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
check_secrets(&tclient, wolfssl_encryption_application,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
check_secrets(&tserver, wolfssl_encryption_application,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
/* verify client and server have the same secrets established */
assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_handshake);
assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_application);
Expand Down
8 changes: 8 additions & 0 deletions wolfssl/test.h
Original file line number Diff line number Diff line change
Expand Up @@ -1948,7 +1948,11 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
key[i] = (unsigned char) b;
}

#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
*ciphersuite = userCipher ? userCipher : "TLS13-AES256-GCM-SHA384";
#else
*ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
#endif

ret = 32; /* length of key in octets or 0 for error */

Expand Down Expand Up @@ -1987,7 +1991,11 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
key[i] = (unsigned char) b;
}

#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
*ciphersuite = userCipher ? userCipher : "TLS13-AES256-GCM-SHA384";
#else
*ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
#endif

ret = 32; /* length of key in octets or 0 for error */

Expand Down
Loading