Allow SetCipherList to operate on SSL without modifying on SSL_CTX

julek-wolfssl · julek-wolfssl · commit b8b847bbcfed · 2024-01-19T14:53:28.000+01:00
diff --git a/src/internal.c b/src/internal.c
@@ -26198,7 +26198,8 @@ ciphersuites introduced through the "bulk" ciphersuites.
 
 @return true on success, else false.
 */
-int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
+int SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl, Suites* suites,
+        const char* list)
 {
     int       ret              = 0;
     int       idx              = 0;
@@ -26216,25 +26217,38 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
     const int suiteSz       = GetCipherNamesSize();
     const char* next        = list;
 
-    if (suites == NULL || list == NULL) {
+    ProtocolVersion version;
+    int privateKeySz = 0;
+    byte side;
+#ifdef HAVE_ANON
+    byte haveAnon = 0;
+#endif
+
+    if (suites == NULL || list == NULL || (ctx == NULL && ssl == NULL)) {
         WOLFSSL_MSG("SetCipherList parameter error");
         return 0;
     }
 
+    version = ctx != NULL ? ctx->method->version : ssl->version;
+#ifndef NO_CERTS
+    privateKeySz = (int)(ctx != NULL ? ctx->privateKeySz : ssl->buffers.keySz);
+#endif
+    side = (byte)(ctx != NULL ? ctx->method->side : ssl->options.side);
+
     if (next[0] == 0 || XSTRCMP(next, "ALL") == 0 ||
         XSTRCMP(next, "DEFAULT") == 0 || XSTRCMP(next, "HIGH") == 0) {
         /* Add all ciphersuites except anonymous and null ciphers. Prefer RSA */
 #ifndef NO_RSA
         haveRSA = 1;
 #endif
-        InitSuites(suites, ctx->method->version,
+        InitSuites(suites, version,
 #ifndef NO_CERTS
-                ctx->privateKeySz,
+                privateKeySz,
 #else
                 0,
 #endif
                 haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 1, 1, 0, 0,
-                ctx->method->side);
+                side);
         return 1; /* wolfSSL default */
     }
 
@@ -26312,7 +26326,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
             else
                 haveSig &= ~SIG_ANON;
         #ifdef HAVE_ANON
-            ctx->haveAnon = (haveSig & SIG_ANON) == SIG_ANON;
+            haveAnon = (haveSig & SIG_ANON) == SIG_ANON;
         #endif
             haveRSA = 1;
             haveDH = 1;
@@ -26337,7 +26351,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
             /* Disable static, anonymous, and null ciphers */
             haveSig &= ~SIG_ANON;
         #ifdef HAVE_ANON
-            ctx->haveAnon = 0;
+            haveAnon = 0;
         #endif
             haveRSA = 1;
             haveDH = 1;
@@ -26359,7 +26373,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
             else
                 haveSig &= ~SIG_ANON;
         #ifdef HAVE_ANON
-            ctx->haveAnon = allowing;
+            haveAnon = allowing;
         #endif
             if (allowing) {
                 /* Allow RSA by default. */
@@ -26474,7 +26488,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
 
             #ifdef WOLFSSL_DTLS
                 /* don't allow stream ciphers with DTLS */
-                if (ctx->method->version.major == DTLS_MAJOR) {
+                if (version.major == DTLS_MAJOR) {
                     if (XSTRSTR(name, "RC4"))
                     {
                         WOLFSSL_MSG("Stream ciphers not supported with DTLS");
@@ -26591,22 +26605,22 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
     if (ret) {
         int keySz = 0;
     #ifndef NO_CERTS
-        keySz = ctx->privateKeySz;
+        keySz = privateKeySz;
     #endif
     #ifdef OPENSSL_EXTRA
         if (callInitSuites) {
             suites->setSuites = 0; /* Force InitSuites */
             suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call
                                         * inside InitSuites */
-            InitSuites(suites, ctx->method->version, keySz, (word16)haveRSA,
+            InitSuites(suites, version, keySz, (word16)haveRSA,
                        (word16)havePSK, (word16)haveDH,
                        (word16)((haveSig & SIG_ECDSA) != 0),
                        (word16)haveECC, (word16)haveStaticRSA,
                        (word16)haveStaticECC,
                        (word16)((haveSig & SIG_FALCON) != 0),
                        (word16)((haveSig & SIG_DILITHIUM) != 0),
                        (word16)((haveSig & SIG_ANON) != 0),
-                       (word16)haveNull, ctx->method->side);
+                       (word16)haveNull, side);
             /* Restore user ciphers ahead of defaults */
             XMEMMOVE(suites->suites + idx, suites->suites,
                     min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
@@ -26621,7 +26635,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
         }
 
 #ifdef HAVE_RENEGOTIATION_INDICATION
-        if (ctx->method->side == WOLFSSL_CLIENT_END) {
+        if (side == WOLFSSL_CLIENT_END) {
             if (suites->suiteSz > WOLFSSL_MAX_SUITE_SZ - 2) {
                 WOLFSSL_MSG("Too many ciphersuites");
                 return 0;
@@ -26635,7 +26649,14 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
         suites->setSuites = 1;
     }
 
-    (void)ctx;
+#ifdef HAVE_ANON
+    if (ret == 1) {
+        if (ctx != NULL)
+            ((WOLFSSL_CTX*)ctx)->haveAnon = haveAnon || haveSig | SIG_ANON;
+        else
+            ((WOLFSSL*)ssl)->options.haveAnon = haveAnon || haveSig | SIG_ANON;
+    }
+#endif
 
     return ret;
 }
diff --git a/src/ssl.c b/src/ssl.c
@@ -1478,11 +1478,12 @@ WOLFSSL* wolfSSL_new(WOLFSSL_CTX* ctx)
         return ssl;
 
     ssl = (WOLFSSL*) XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL);
-    if (ssl)
+    if (ssl) {
         if ( (ret = InitSSL(ssl, ctx, 0)) < 0) {
             FreeSSL(ssl, ctx->heap);
             ssl = 0;
         }
+    }
 
     WOLFSSL_LEAVE("wolfSSL_new", ret);
     (void)ret;
@@ -11837,8 +11838,8 @@ static int CheckcipherList(const char* list)
  *
  * returns WOLFSSL_SUCCESS on success and sets the cipher suite list
  */
-static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
-        const char* list)
+static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
+        Suites* suites, const char* list)
 {
     int     ret = 0;
     int     listattribute = 0;
@@ -11863,7 +11864,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
        /* list has mixed(pre-TLSv13 and TLSv13) suites
         * update cipher suites the same as before
         */
-        return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS :
+        return (SetCipherList(ctx, ssl, suites, list)) ? WOLFSSL_SUCCESS :
         WOLFSSL_FAILURE;
     }
     else if (listattribute == 1) {
@@ -11877,7 +11878,8 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
         * simulate set_ciphersuites() compatibility layer API
         */
         tls13Only = 1;
-        if (!IsAtLeastTLSv1_3(ctx->method->version)) {
+        if ((ctx != NULL && !IsAtLeastTLSv1_3(ctx->method->version)) ||
+                (ssl != NULL && !IsAtLeastTLSv1_3(ssl->version))) {
             /* Silently ignore TLS 1.3 ciphers if we don't support it. */
             return WOLFSSL_SUCCESS;
         }
@@ -11903,7 +11905,7 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites,
         XMEMCPY(suitesCpy, suites->suites, suites->suiteSz);
     suitesCpySz = suites->suiteSz;
 
-    ret = SetCipherList(ctx, suites, list);
+    ret = SetCipherList(ctx, ssl, suites, list);
     if (ret != 1) {
 #ifdef WOLFSSL_SMALL_STACK
         XFREE(suitesCpy, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -11967,9 +11969,9 @@ int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list)
         return WOLFSSL_FAILURE;
 
 #ifdef OPENSSL_EXTRA
-    return wolfSSL_parse_cipher_list(ctx, ctx->suites, list);
+    return wolfSSL_parse_cipher_list(ctx, NULL, ctx->suites, list);
 #else
-    return (SetCipherList(ctx, ctx->suites, list)) ?
+    return (SetCipherList(ctx, NULL, ctx->suites, list)) ?
         WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
 #endif
 }
@@ -12003,9 +12005,9 @@ int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list)
         return WOLFSSL_FAILURE;
 
 #ifdef OPENSSL_EXTRA
-    return wolfSSL_parse_cipher_list(ssl->ctx, ssl->suites, list);
+    return wolfSSL_parse_cipher_list(NULL, ssl, ssl->suites, list);
 #else
-    return (SetCipherList(ssl->ctx, ssl->suites, list)) ?
+    return (SetCipherList(NULL, ssl, ssl->suites, list)) ?
         WOLFSSL_SUCCESS :
         WOLFSSL_FAILURE;
 #endif
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
@@ -2377,8 +2377,8 @@ typedef struct TLSX TLSX;
 WOLFSSL_LOCAL int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites,
                                 CipherSuite* cs, TLSX* extensions);
 WOLFSSL_LOCAL int  MatchSuite(WOLFSSL* ssl, Suites* peerSuites);
-WOLFSSL_LOCAL int  SetCipherList(WOLFSSL_CTX* ctx, Suites* suites,
-                                 const char* list);
+WOLFSSL_LOCAL int  SetCipherList(const WOLFSSL_CTX* ctx, const WOLFSSL* ssl,
+        Suites* suites, const char* list);
 WOLFSSL_LOCAL int  SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites,
                                           const byte* list, const int listSz);
 WOLFSSL_LOCAL int  SetSuitesHashSigAlgo(Suites* suites, const char* list);
