
Commit f8814fb

InitSuites changes to order making BUILD_TLS_AES_256_GCM_SHA384 be prioritized over BUILD_TLS_AES_128_GCM_SHA256 to match TLS 1.2.
1 parent 475ec7b commit f8814fb

5 files changed

Lines changed: 47 additions & 34 deletions


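--- a/src/internal.c
+++ b/src/internal.c
@@ -3304,17 +3304,17 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 return; /* trust user settings, don't override */
 
 #ifdef WOLFSSL_TLS13
-#ifdef BUILD_TLS_AES_128_GCM_SHA256
+#ifdef BUILD_TLS_AES_256_GCM_SHA384
 if (tls1_3) {
 suites->suites[idx++] = TLS13_BYTE;
-suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
+suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
 }
 #endif
 
-#ifdef BUILD_TLS_AES_256_GCM_SHA384
+#ifdef BUILD_TLS_AES_128_GCM_SHA256
 if (tls1_3) {
 suites->suites[idx++] = TLS13_BYTE;
-suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
+suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
 }
 #endif
 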
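Review bot: Nothing in the reordered blocks says that their position is the default TLS 1.3 preference order, so a later edit could shuffle them back without anyone noticing the effect on negotiation. A comment above the first block would pin the intent, for example `/* TLS 1.3 suites in default preference order: AES-256-GCM first, to match TLS 1.2 */`. Peers that rely on the default list will presumably now settle on the SHA-384 suite, which changes TLS 1.3 secret and Finished lengths from 32 to 48 bytes (the test changes in this commit reflect that), so it deserves a release-note line for callers that size buffers for SHA-256. InitSuites begins and ends outside this hunk.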
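--- a/src/ssl.c
+++ b/src/ssl.c
@@ -19632,10 +19632,10 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt)
 if ((ctrl_opt & WOLFSSL_OP_CIPHER_SERVER_PREFERENCE)
 == WOLFSSL_OP_CIPHER_SERVER_PREFERENCE) {
 WOLFSSL_MSG("Using Server's Cipher Preference.");
-ctx->useClientOrder = FALSE;
+ctx->useClientOrder = 0;
 } else {
 WOLFSSL_MSG("Using Client's Cipher Preference.");
-ctx->useClientOrder = TRUE;
+ctx->useClientOrder = 1;
 }
 #endif /* WOLFSSL_QT */
 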
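--- a/tests/api.c
+++ b/tests/api.c
@@ -6495,15 +6495,10 @@ static int test_wolfSSL_EVP_CIPHER_CTX(void)
 #if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) || \
 defined(HAVE_IO_TESTS_DEPENDENCIES)
 #ifdef WOLFSSL_HAVE_TLS_UNIQUE
-#ifdef WC_SHA512_DIGEST_SIZE
-#define MD_MAX_SIZE WC_SHA512_DIGEST_SIZE
-#else
-#define MD_MAX_SIZE WC_SHA256_DIGEST_SIZE
-#endif
-byte server_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by server */
-byte server_side_msg2[MD_MAX_SIZE] = {0};/* msg received from client */
-byte client_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by client */
-byte client_side_msg2[MD_MAX_SIZE] = {0};/* msg received from server */
+byte server_side_msg1[WC_MAX_DIGEST_SIZE] = {0};/* msg sent by server */
+byte server_side_msg2[WC_MAX_DIGEST_SIZE] = {0};/* msg received from client */
+byte client_side_msg1[WC_MAX_DIGEST_SIZE] = {0};/* msg sent by client */
+byte client_side_msg2[WC_MAX_DIGEST_SIZE] = {0};/* msg received from server */
 #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
 
 /* TODO: Expand and enable this when EVP_chacha20_poly1305 is supported */
@@ -7049,14 +7044,14 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
 TEST_SUCCESS);
 }
 #ifdef WOLFSSL_HAVE_TLS_UNIQUE
-XMEMSET(server_side_msg2, 0, MD_MAX_SIZE);
+XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE);
 msg_len = wolfSSL_get_peer_finished(test_ctx.s_ssl, server_side_msg2,
-MD_MAX_SIZE);
+WC_MAX_DIGEST_SIZE);
 ExpectIntGE(msg_len, 0);
 
-XMEMSET(server_side_msg1, 0, MD_MAX_SIZE);
+XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE);
 msg_len = wolfSSL_get_finished(test_ctx.s_ssl, server_side_msg1,
-MD_MAX_SIZE);
+WC_MAX_DIGEST_SIZE);
 ExpectIntGE(msg_len, 0);
 #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
 
@@ -7420,12 +7415,12 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
 }
 
 #ifdef WOLFSSL_HAVE_TLS_UNIQUE
-XMEMSET(server_side_msg2, 0, MD_MAX_SIZE);
-msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, MD_MAX_SIZE);
+XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE);
+msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, WC_MAX_DIGEST_SIZE);
 AssertIntGE(msg_len, 0);
 
-XMEMSET(server_side_msg1, 0, MD_MAX_SIZE);
-msg_len = wolfSSL_get_finished(ssl, server_side_msg1, MD_MAX_SIZE);
+XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE);
+msg_len = wolfSSL_get_finished(ssl, server_side_msg1, WC_MAX_DIGEST_SIZE);
 AssertIntGE(msg_len, 0);
 #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
 
@@ -9044,12 +9039,12 @@ static int test_wolfSSL_get_finished_client_on_handshake(WOLFSSL_CTX* ctx,
 
 /* get_finished test */
 /* 1. get own sent message */
-XMEMSET(client_side_msg1, 0, MD_MAX_SIZE);
-msg_len = wolfSSL_get_finished(ssl, client_side_msg1, MD_MAX_SIZE);
+XMEMSET(client_side_msg1, 0, WC_MAX_DIGEST_SIZE);
+msg_len = wolfSSL_get_finished(ssl, client_side_msg1, WC_MAX_DIGEST_SIZE);
 ExpectIntGE(msg_len, 0);
 /* 2. get peer message */
-XMEMSET(client_side_msg2, 0, MD_MAX_SIZE);
-msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, MD_MAX_SIZE);
+XMEMSET(client_side_msg2, 0, WC_MAX_DIGEST_SIZE);
+msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, WC_MAX_DIGEST_SIZE);
 ExpectIntGE(msg_len, 0);
 
 return EXPECT_RESULT();
@@ -9072,8 +9067,8 @@ static int test_wolfSSL_get_finished(void)
 TEST_SUCCESS);
 
 /* test received msg vs sent msg */
-ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, MD_MAX_SIZE));
-ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, MD_MAX_SIZE));
+ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, WC_MAX_DIGEST_SIZE));
+ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, WC_MAX_DIGEST_SIZE));
 #endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_HAVE_TLS_UNIQUE */
 
 return EXPECT_RESULT();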
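Review bot: In test_wolfSSL_get_finished the two `XMEMCMP(..., WC_MAX_DIGEST_SIZE)` checks compare whole zero-initialised buffers, and the getters in the earlier hunks are only checked with `ExpectIntGE(msg_len, 0)`, so the test still passes if neither side copies any Finished data. Requiring data would close that gap: `ExpectIntGT(msg_len, 0);` after each wolfSSL_get_finished / wolfSSL_get_peer_finished call, and `AssertIntGT(msg_len, 0);` in test_server_nofail. Comparing only the returned length instead of the full buffer would also stop the result depending on the XMEMSET padding. The functions involved start and end outside these hunks.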

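--- a/tests/quic.c
+++ b/tests/quic.c
@@ -41,6 +41,11 @@
 #include <wolfssl/error-ssl.h>
 #include <wolfssl/internal.h>
 
+#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
+#define DEFAULT_TLS_DIGEST_SZ WC_SHA384_DIGEST_SIZE
+#else
+#define DEFAULT_TLS_DIGEST_SZ WC_SHA256_DIGEST_SIZE
+#endif
 
 #define testingFmt " %s:"
 #define resultFmt " %s\n"
@@ -1126,13 +1131,16 @@ static int test_quic_server_hello(int verbose) {
 QuicConversation_step(&conv, 0);
 /* check established/missing secrets */
 check_secrets(&tserver, wolfssl_encryption_initial, 0, 0);
-check_secrets(&tserver, wolfssl_encryption_handshake, 32, 32);
-check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
+check_secrets(&tserver, wolfssl_encryption_handshake,
+DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
+check_secrets(&tserver, wolfssl_encryption_application,
+DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
 check_secrets(&tclient, wolfssl_encryption_handshake, 0, 0);
 /* feed the server data to the client */
 QuicConversation_step(&conv, 0);
 /* client has generated handshake secret */
-check_secrets(&tclient, wolfssl_encryption_handshake, 32, 32);
+check_secrets(&tclient, wolfssl_encryption_handshake,
+DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
 /* continue the handshake till done */
 conv.started = 1;
 /* run till end */
@@ -1155,8 +1163,10 @@ static int test_quic_server_hello(int verbose) {
 /* the last client write (FINISHED) was at handshake level */
 AssertTrue(tclient.output.level == wolfssl_encryption_handshake);
 /* we have the app secrets */
-check_secrets(&tclient, wolfssl_encryption_application, 32, 32);
-check_secrets(&tserver, wolfssl_encryption_application, 32, 32);
+check_secrets(&tclient, wolfssl_encryption_application,
+DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
+check_secrets(&tserver, wolfssl_encryption_application,
+DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ);
 /* verify client and server have the same secrets established */
 assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_handshake);
 assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_application);
 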
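Review bot: `DEFAULT_TLS_DIGEST_SZ` is selected with `defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)`, while InitSuites in src/internal.c orders the suites by `BUILD_TLS_AES_256_GCM_SHA384`; if that build macro depends on anything more (AES-GCM support, for instance), the secret length expected here and the suite actually negotiated can disagree. This file already includes `<wolfssl/internal.h>`, so the guard can presumably be `#ifdef BUILD_TLS_AES_256_GCM_SHA384`. The same pair of macros guards the default ciphersuite name in both PSK callbacks in wolfssl/test.h. A one-line comment on the macro, such as `/* secret size of the first default TLS 1.3 suite, see InitSuites() */`, would explain why 32 is no longer hard-coded.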
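--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -1947,7 +1947,11 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
 key[i] = (unsigned char) b;
 }
 
+#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
+*ciphersuite = userCipher ? userCipher : "TLS13-AES256-GCM-SHA384";
+#else
 *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
+#endif
 
 ret = 32; /* length of key in octets or 0 for error */
 
@@ -1986,7 +1990,11 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
 key[i] = (unsigned char) b;
 }
 
+#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256)
+*ciphersuite = userCipher ? userCipher : "TLS13-AES256-GCM-SHA384";
+#else
 *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
+#endif
 
 ret = 32; /* length of key in octets or 0 for error */
 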
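Review bot: The same preprocessor block choosing between `"TLS13-AES256-GCM-SHA384"` and `"TLS13-AES128-GCM-SHA256"` is pasted into both my_psk_client_tls13_cb and my_psk_server_tls13_cb, so the client and server defaults can drift apart on the next edit and the PSK handshake would then fail to agree on a suite. Selecting the name once near the top of the header in a single macro (say `TEST_TLS13_DEFAULT_SUITE`, a name constructed for this note) and writing `*ciphersuite = userCipher ? userCipher : TEST_TLS13_DEFAULT_SUITE;` in both callbacks keeps them in step. Both callbacks begin and end outside the hunks shown.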