Skip to content

Commit

Permalink
Merge pull request wolfSSL#7771 from aidangarske/InitSuites_Orderadj
Browse files Browse the repository at this point in the history
`InitSuites` changes to order making `BUILD_TLS_AES_256_GCM_SHA384` be prioritized over `BUILD_TLS_AES_128_GCM_SHA256`
  • Loading branch information
JacobBarthelmeh authored Nov 22, 2024
2 parents c5d7dc3 + 43cea3e commit 6dd00ab
Show file tree
Hide file tree
Showing 5 changed files with 47 additions and 34 deletions.
8 changes: 4 additions & 4 deletions src/internal.c
Original file line number Diff line number Diff line change
Expand Up @@ -3273,17 +3273,17 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
return; /* trust user settings, don't override */

#ifdef WOLFSSL_TLS13
#ifdef BUILD_TLS_AES_128_GCM_SHA256
#ifdef BUILD_TLS_AES_256_GCM_SHA384
if (tls1_3) {
suites->suites[idx++] = TLS13_BYTE;
suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
}
#endif

#ifdef BUILD_TLS_AES_256_GCM_SHA384
#ifdef BUILD_TLS_AES_128_GCM_SHA256
if (tls1_3) {
suites->suites[idx++] = TLS13_BYTE;
suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
}
#endif

Expand Down
4 changes: 2 additions & 2 deletions src/ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -20145,10 +20145,10 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt)
if ((ctrl_opt & WOLFSSL_OP_CIPHER_SERVER_PREFERENCE)
== WOLFSSL_OP_CIPHER_SERVER_PREFERENCE) {
WOLFSSL_MSG("Using Server's Cipher Preference.");
ctx->useClientOrder = FALSE;
ctx->useClientOrder = 0;
} else {
WOLFSSL_MSG("Using Client's Cipher Preference.");
ctx->useClientOrder = TRUE;
ctx->useClientOrder = 1;
}
#endif /* WOLFSSL_QT */

Expand Down
41 changes: 18 additions & 23 deletions tests/api.c
Original file line number Diff line number Diff line change
Expand Up @@ -7172,15 +7172,10 @@ static int test_wolfSSL_EVP_CIPHER_CTX(void)
#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) || \
defined(HAVE_IO_TESTS_DEPENDENCIES)
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
#ifdef WC_SHA512_DIGEST_SIZE
#define MD_MAX_SIZE WC_SHA512_DIGEST_SIZE
#else
#define MD_MAX_SIZE WC_SHA256_DIGEST_SIZE
#endif
byte server_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by server */
byte server_side_msg2[MD_MAX_SIZE] = {0};/* msg received from client */
byte client_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by client */
byte client_side_msg2[MD_MAX_SIZE] = {0};/* msg received from server */
byte server_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by server */
byte server_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from client */
byte client_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by client */
byte client_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from server */
#endif /* WOLFSSL_HAVE_TLS_UNIQUE */

/* TODO: Expand and enable this when EVP_chacha20_poly1305 is supported */
Expand Down Expand Up @@ -7733,14 +7728,14 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
TEST_SUCCESS);
}
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
XMEMSET(server_side_msg2, 0, MD_MAX_SIZE);
XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_peer_finished(test_ctx.s_ssl, server_side_msg2,
MD_MAX_SIZE);
WC_MAX_DIGEST_SIZE);
ExpectIntGE(msg_len, 0);

XMEMSET(server_side_msg1, 0, MD_MAX_SIZE);
XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_finished(test_ctx.s_ssl, server_side_msg1,
MD_MAX_SIZE);
WC_MAX_DIGEST_SIZE);
ExpectIntGE(msg_len, 0);
#endif /* WOLFSSL_HAVE_TLS_UNIQUE */

Expand Down Expand Up @@ -8104,12 +8099,12 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
}

#ifdef WOLFSSL_HAVE_TLS_UNIQUE
XMEMSET(server_side_msg2, 0, MD_MAX_SIZE);
msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, MD_MAX_SIZE);
XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, WC_MAX_DIGEST_SIZE);
AssertIntGE(msg_len, 0);

XMEMSET(server_side_msg1, 0, MD_MAX_SIZE);
msg_len = wolfSSL_get_finished(ssl, server_side_msg1, MD_MAX_SIZE);
XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_finished(ssl, server_side_msg1, WC_MAX_DIGEST_SIZE);
AssertIntGE(msg_len, 0);
#endif /* WOLFSSL_HAVE_TLS_UNIQUE */

Expand Down Expand Up @@ -9728,12 +9723,12 @@ static int test_wolfSSL_get_finished_client_on_handshake(WOLFSSL_CTX* ctx,

/* get_finished test */
/* 1. get own sent message */
XMEMSET(client_side_msg1, 0, MD_MAX_SIZE);
msg_len = wolfSSL_get_finished(ssl, client_side_msg1, MD_MAX_SIZE);
XMEMSET(client_side_msg1, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_finished(ssl, client_side_msg1, WC_MAX_DIGEST_SIZE);
ExpectIntGE(msg_len, 0);
/* 2. get peer message */
XMEMSET(client_side_msg2, 0, MD_MAX_SIZE);
msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, MD_MAX_SIZE);
XMEMSET(client_side_msg2, 0, WC_MAX_DIGEST_SIZE);
msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, WC_MAX_DIGEST_SIZE);
ExpectIntGE(msg_len, 0);

return EXPECT_RESULT();
Expand All @@ -9756,8 +9751,8 @@ static int test_wolfSSL_get_finished(void)
TEST_SUCCESS);

/* test received msg vs sent msg */
ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, MD_MAX_SIZE));
ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, MD_MAX_SIZE));
ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, WC_MAX_DIGEST_SIZE));
ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, WC_MAX_DIGEST_SIZE));
#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_HAVE_TLS_UNIQUE */

return EXPECT_RESULT();
Expand Down
20 changes: 15 additions & 5 deletions tests/quic.c
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,11 @@
#include <wolfssl/error-ssl.h>
#include <wolfssl/internal.h>

#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
#define DEFAULT_TLS_DIGEST_SZ WC_SHA384_DIGEST_SIZE
#else
#define DEFAULT_TLS_DIGEST_SZ WC_SHA256_DIGEST_SIZE
#endif

#define testingFmt " %s:"
#define resultFmt " %s\n"
Expand Down Expand Up @@ -1127,13 +1132,16 @@ static int test_quic_server_hello(int verbose) {
QuicConversation_step(&conv, 0);
/* check established/missing secrets */
check_secrets(&tserver, wolfssl_encryption_initial, 0, 0);
check_secrets(&tserver, wolfssl_encryption_handshake, 32, 32);
check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
check_secrets(&tserver, wolfssl_encryption_handshake,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
check_secrets(&tserver, wolfssl_encryption_application,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
check_secrets(&tclient, wolfssl_encryption_handshake, 0, 0);
/* feed the server data to the client */
QuicConversation_step(&conv, 0);
/* client has generated handshake secret */
check_secrets(&tclient, wolfssl_encryption_handshake, 32, 32);
check_secrets(&tclient, wolfssl_encryption_handshake,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
/* continue the handshake till done */
conv.started = 1;
/* run till end */
Expand All @@ -1156,8 +1164,10 @@ static int test_quic_server_hello(int verbose) {
/* the last client write (FINISHED) was at handshake level */
AssertTrue(tclient.output.level == wolfssl_encryption_handshake);
/* we have the app secrets */
check_secrets(&tclient, wolfssl_encryption_application, 32, 32);
check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
check_secrets(&tclient, wolfssl_encryption_application,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
check_secrets(&tserver, wolfssl_encryption_application,
DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
/* verify client and server have the same secrets established */
assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_handshake);
assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_application);
Expand Down
8 changes: 8 additions & 0 deletions wolfssl/test.h
Original file line number Diff line number Diff line change
Expand Up @@ -1958,7 +1958,11 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
key[i] = (unsigned char) b;
}

#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
*ciphersuite = userCipher ? userCipher : "TLS13-AES256-GCM-SHA384";
#else
*ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
#endif

ret = 32; /* length of key in octets or 0 for error */

Expand Down Expand Up @@ -1997,7 +2001,11 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
key[i] = (unsigned char) b;
}

#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
*ciphersuite = userCipher ? userCipher : "TLS13-AES256-GCM-SHA384";
#else
*ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
#endif

ret = 32; /* length of key in octets or 0 for error */

Expand Down

0 comments on commit 6dd00ab

Please sign in to comment.