Add API to choose dynamic certs based on client ciphers/sigalgs #6963
Conversation
e9e543e to
e879362
Compare
PR wolfSSL/wolfssl#6963 implements primitives to extract ciphers and algorithm signatures. This allows us to chose a certificate depending on what the client wants (RSA or ECDSA).
|
Retest this please. |
ccf5c6b to
1514e97
Compare
PR wolfSSL/wolfssl#6963 implements primitives to extract ciphers and algorithm signatures. It allows to chose a certificate depending on the sigals and ciphers presented by the client (RSA or ECDSA). Since WolfSSL does not implement the clienthello callback, the patch uses the certificate callback (SSL_CTX_set_cert_cb()) The callback is inspired by our clienthello callback, however the extraction of client ciphers and sigalgs is simpler, wolfSSL_get_sigalg_info() and wolfSSL_get_ciphersuite_info() are used. This is not enabled by default yet as the PR was not merged.
PR wolfSSL/wolfssl#6963 implements primitives to extract ciphers and algorithm signatures. It allows to chose a certificate depending on the sigals and ciphers presented by the client (RSA or ECDSA). Since WolfSSL does not implement the clienthello callback, the patch uses the certificate callback (SSL_CTX_set_cert_cb()) The callback is inspired by our clienthello callback, however the extraction of client ciphers and sigalgs is simpler, wolfSSL_get_sigalg_info() and wolfSSL_get_ciphersuite_info() are used. This is not enabled by default yet as the PR was not merged.
|
Retest this please. |
4779f98 to
f86525d
Compare
f86525d to
3edfcfe
Compare
|
Retest this please |
1 similar comment
|
Retest this please |
| @@ -2352,7 +2352,8 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex(byte* hashSigAlgo, int haveECDSAsig, | |||
| int haveRSAsig, int haveFalconSig, | |||
| int haveDilithiumSig, int haveAnon, | |||
| int tls1_2, int keySz, word16* len); | |||
| WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have, | |||
| /* use wolfSSL_API visibility to be able to test in tests/api.c */ | |||
| WOLFSSL_API void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have, | |||
There was a problem hiding this comment.
public API should not be in internal.h, They should also have our library prefix on them i.e wolfSSL_* or wc_*
There was a problem hiding this comment.
This is only marked public to allow for use inside api.c. It is not a real public API. I'm happy to explore other ways to export it to api.c if you have ideas.
There was a problem hiding this comment.
As soon as WOLFSSL_API gets added it shows up in the compiled library and we are signaling that it can be used by applications linking to wolfSSL. In the test case is it being used to more quickly setup the hash sig algo state rather than setting up a TLS connection?
There was a problem hiding this comment.
We do this for other API in internal.h. It is used to test the new API directly.
There was a problem hiding this comment.
I see, was unaware that pattern was in place....I can understand that it helps with hitting those API in test cases. Looks like the precedent for the pattern was this PR (#5503) version 5.5.1 of wolfSSL and on and then it was built upon.
No description provided.