Merge pull request #7771 from aidangarske/InitSuites_Orderadj

`InitSuites` changes to order making `BUILD_TLS_AES_256_GCM_SHA384` be prioritized over `BUILD_TLS_AES_128_GCM_SHA256`
wolfSSL · Nov 22, 2024 · 6dd00ab · 6dd00ab
2 parents c5d7dc3 + 43cea3e
commit 6dd00ab
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 34 deletions.
diff --git a/src/internal.c b/src/internal.c
@@ -3273,17 +3273,17 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
         return;      /* trust user settings, don't override */
 
 #ifdef WOLFSSL_TLS13
-#ifdef BUILD_TLS_AES_128_GCM_SHA256
+#ifdef BUILD_TLS_AES_256_GCM_SHA384
     if (tls1_3) {
         suites->suites[idx++] = TLS13_BYTE;
-        suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
+        suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
     }
 #endif
 
-#ifdef BUILD_TLS_AES_256_GCM_SHA384
+#ifdef BUILD_TLS_AES_128_GCM_SHA256
     if (tls1_3) {
         suites->suites[idx++] = TLS13_BYTE;
-        suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
+        suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
     }
 #endif
 

diff --git a/src/ssl.c b/src/ssl.c
@@ -20145,10 +20145,10 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt)
         if ((ctrl_opt & WOLFSSL_OP_CIPHER_SERVER_PREFERENCE)
                      == WOLFSSL_OP_CIPHER_SERVER_PREFERENCE) {
             WOLFSSL_MSG("Using Server's Cipher Preference.");
-            ctx->useClientOrder = FALSE;
+            ctx->useClientOrder = 0;
         } else {
             WOLFSSL_MSG("Using Client's Cipher Preference.");
-            ctx->useClientOrder = TRUE;
+            ctx->useClientOrder = 1;
         }
         #endif /* WOLFSSL_QT */
 

diff --git a/tests/api.c b/tests/api.c
@@ -7172,15 +7172,10 @@ static int test_wolfSSL_EVP_CIPHER_CTX(void)
 #if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) || \
     defined(HAVE_IO_TESTS_DEPENDENCIES)
 #ifdef WOLFSSL_HAVE_TLS_UNIQUE
-    #ifdef WC_SHA512_DIGEST_SIZE
-        #define MD_MAX_SIZE WC_SHA512_DIGEST_SIZE
-    #else
-        #define MD_MAX_SIZE WC_SHA256_DIGEST_SIZE
-    #endif
-    byte server_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by server */
-    byte server_side_msg2[MD_MAX_SIZE] = {0};/* msg received from client */
-    byte client_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by client */
-    byte client_side_msg2[MD_MAX_SIZE] = {0};/* msg received from server */
+    byte server_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by server */
+    byte server_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from client */
+    byte client_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by client */
+    byte client_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from server */
 #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
 
 /* TODO: Expand and enable this when EVP_chacha20_poly1305 is supported */
@@ -7733,14 +7728,14 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
             TEST_SUCCESS);
     }
 #ifdef WOLFSSL_HAVE_TLS_UNIQUE
-    XMEMSET(server_side_msg2, 0, MD_MAX_SIZE);
+    XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE);
     msg_len = wolfSSL_get_peer_finished(test_ctx.s_ssl, server_side_msg2,
-        MD_MAX_SIZE);
+        WC_MAX_DIGEST_SIZE);
     ExpectIntGE(msg_len, 0);
 
-    XMEMSET(server_side_msg1, 0, MD_MAX_SIZE);
+    XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE);
     msg_len = wolfSSL_get_finished(test_ctx.s_ssl, server_side_msg1,
-        MD_MAX_SIZE);
+        WC_MAX_DIGEST_SIZE);
     ExpectIntGE(msg_len, 0);
 #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
 
@@ -8104,12 +8099,12 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
     }
 
 #ifdef WOLFSSL_HAVE_TLS_UNIQUE
-    XMEMSET(server_side_msg2, 0, MD_MAX_SIZE);
-    msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, MD_MAX_SIZE);
+    XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE);
+    msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, WC_MAX_DIGEST_SIZE);
     AssertIntGE(msg_len, 0);
 
-    XMEMSET(server_side_msg1, 0, MD_MAX_SIZE);
-    msg_len = wolfSSL_get_finished(ssl, server_side_msg1, MD_MAX_SIZE);
+    XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE);
+    msg_len = wolfSSL_get_finished(ssl, server_side_msg1, WC_MAX_DIGEST_SIZE);
     AssertIntGE(msg_len, 0);
 #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
 
@@ -9728,12 +9723,12 @@ static int test_wolfSSL_get_finished_client_on_handshake(WOLFSSL_CTX* ctx,
 
     /* get_finished test */
     /* 1. get own sent message */
-    XMEMSET(client_side_msg1, 0, MD_MAX_SIZE);
-    msg_len = wolfSSL_get_finished(ssl, client_side_msg1, MD_MAX_SIZE);
+    XMEMSET(client_side_msg1, 0, WC_MAX_DIGEST_SIZE);
+    msg_len = wolfSSL_get_finished(ssl, client_side_msg1, WC_MAX_DIGEST_SIZE);
     ExpectIntGE(msg_len, 0);
     /* 2. get peer message */
-    XMEMSET(client_side_msg2, 0, MD_MAX_SIZE);
-    msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, MD_MAX_SIZE);
+    XMEMSET(client_side_msg2, 0, WC_MAX_DIGEST_SIZE);
+    msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, WC_MAX_DIGEST_SIZE);
     ExpectIntGE(msg_len, 0);
 
     return EXPECT_RESULT();
@@ -9756,8 +9751,8 @@ static int test_wolfSSL_get_finished(void)
         TEST_SUCCESS);
 
     /* test received msg vs sent msg */
-    ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, MD_MAX_SIZE));
-    ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, MD_MAX_SIZE));
+    ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, WC_MAX_DIGEST_SIZE));
+    ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, WC_MAX_DIGEST_SIZE));
 #endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_HAVE_TLS_UNIQUE */
 
     return EXPECT_RESULT();

diff --git a/tests/quic.c b/tests/quic.c
@@ -42,6 +42,11 @@
 #include <wolfssl/error-ssl.h>
 #include <wolfssl/internal.h>
 
+#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
+    #define DEFAULT_TLS_DIGEST_SZ WC_SHA384_DIGEST_SIZE
+#else
+    #define DEFAULT_TLS_DIGEST_SZ WC_SHA256_DIGEST_SIZE
+#endif
 
 #define testingFmt "   %s:"
 #define resultFmt  " %s\n"
@@ -1127,13 +1132,16 @@ static int test_quic_server_hello(int verbose) {
     QuicConversation_step(&conv, 0);
     /* check established/missing secrets */
     check_secrets(&tserver, wolfssl_encryption_initial, 0, 0);
-    check_secrets(&tserver, wolfssl_encryption_handshake, 32, 32);
-    check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
+    check_secrets(&tserver, wolfssl_encryption_handshake,
+        DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
+    check_secrets(&tserver, wolfssl_encryption_application,
+        DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
     check_secrets(&tclient, wolfssl_encryption_handshake, 0, 0);
     /* feed the server data to the client */
     QuicConversation_step(&conv, 0);
     /* client has generated handshake secret */
-    check_secrets(&tclient, wolfssl_encryption_handshake, 32, 32);
+    check_secrets(&tclient, wolfssl_encryption_handshake,
+        DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
     /* continue the handshake till done */
     conv.started = 1;
     /* run till end */
@@ -1156,8 +1164,10 @@ static int test_quic_server_hello(int verbose) {
     /* the last client write (FINISHED) was at handshake level */
     AssertTrue(tclient.output.level == wolfssl_encryption_handshake);
     /* we have the app secrets */
-    check_secrets(&tclient, wolfssl_encryption_application, 32, 32);
-    check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
+    check_secrets(&tclient, wolfssl_encryption_application,
+        DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
+    check_secrets(&tserver, wolfssl_encryption_application,
+        DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
     /* verify client and server have the same secrets established */
     assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_handshake);
     assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_application);

diff --git a/wolfssl/test.h b/wolfssl/test.h
@@ -1958,7 +1958,11 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
         key[i] = (unsigned char) b;
     }
 
+#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
+    *ciphersuite = userCipher ? userCipher : "TLS13-AES256-GCM-SHA384";
+#else
     *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
+#endif
 
     ret = 32;   /* length of key in octets or 0 for error */
 
@@ -1997,7 +2001,11 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
         key[i] = (unsigned char) b;
     }
 
+#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
+    *ciphersuite = userCipher ? userCipher : "TLS13-AES256-GCM-SHA384";
+#else
     *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
+#endif
 
     ret = 32;   /* length of key in octets or 0 for error */