Add API to choose dynamic certs based on client ciphers/sigalgs #6963
PR wolfSSL/wolfssl#6963 implements primitives to extract ciphers and algorithm signatures. This allows us to choose a certificate depending on what the client wants (RSA or ECDSA).
Retest this please.
PR wolfSSL/wolfssl#6963 implements primitives to extract ciphers and algorithm signatures. It allows choosing a certificate depending on the sigalgs and ciphers presented by the client (RSA or ECDSA). Since wolfSSL does not implement the clienthello callback, the patch uses the certificate callback (SSL_CTX_set_cert_cb()). The callback is inspired by our clienthello callback; however, the extraction of client ciphers and sigalgs is simpler: wolfSSL_get_sigalg_info() and wolfSSL_get_ciphersuite_info() are used. This is not enabled by default yet as the PR was not merged.
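The selection described in the commit message above, as an added example that is not the patch's own callback and does not call wolfSSL: it works directly on the raw two-byte cipher-suite and sigalg entries a client sends. The function names and the short suite table are assumptions made for illustration; the case it highlights is a client that lists an ECDSA sigalg but no ECDSA-capable suite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum cert_kind { CERT_RSA, CERT_ECDSA };

/* 1 if the signature_algorithms list (2 bytes per entry) offers ECDSA. An empty
 * list means the extension was absent: RFC 5246 defaults apply, ciphers decide. */
static int client_offers_ecdsa_sig(const uint8_t *sa, size_t len)
{
    if (len == 0)
        return 1;
    for (size_t i = 0; i + 1 < len; i += 2)
        if (sa[i] >= 0x01 && sa[i] <= 0x06 && sa[i + 1] == 0x03)
            return 1;            /* <hash>,ecdsa such as 0x0403 */
    return 0;                    /* 0x08xx (RSA-PSS, EdDSA) is not ECDSA */
}

/* 1 if a suite usable with an ECDSA certificate is offered. Short
 * constructed table for the example, not a complete registry. */
static int client_offers_ecdsa_suite(const uint8_t *cs, size_t len)
{
    for (size_t i = 0; i + 1 < len; i += 2) {
        unsigned id = ((unsigned)cs[i] << 8) | cs[i + 1];
        if ((id >= 0x1301 && id <= 0x1305) ||   /* TLS 1.3: any cert type */
            id == 0xC009 || id == 0xC00A || id == 0xC023 || id == 0xC024 ||
            id == 0xC02B || id == 0xC02C || id == 0xCCA9) /* ECDHE-ECDSA */
            return 1;
    }
    return 0;
}

/* Prefer ECDSA only when both lists allow it; otherwise keep RSA. */
enum cert_kind choose_cert(const uint8_t *cs, size_t cs_len,
                           const uint8_t *sa, size_t sa_len)
{
    if (client_offers_ecdsa_sig(sa, sa_len) &&
        client_offers_ecdsa_suite(cs, cs_len))
        return CERT_ECDSA;
    return CERT_RSA;
}

int main(void)
{
    /* constructed sample: ECDHE-RSA suite only, yet an ECDSA sigalg is listed */
    const uint8_t cs[] = { 0xC0, 0x2F }, sa[] = { 0x04, 0x03, 0x04, 0x01 };
    puts(choose_cert(cs, sizeof cs, sa, sizeof sa) == CERT_ECDSA ? "ECDSA" : "RSA");
    return 0;
}
```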
Retest this please.
Retest this please
@@ -2352,7 +2352,8 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex(byte* hashSigAlgo, int haveECDSAsig, | |||
int haveRSAsig, int haveFalconSig, | |||
int haveDilithiumSig, int haveAnon, | |||
int tls1_2, int keySz, word16* len); | |||
WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have, | |||
/* use wolfSSL_API visibility to be able to test in tests/api.c */ | |||
WOLFSSL_API void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have, |
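Review bot: switching the InitSuitesHashSigAlgo_ex2 declaration from WOLFSSL_LOCAL to WOLFSSL_API, solely so tests/api.c can reach it, exports an internal helper without a library prefix from every build of the library. Consider keeping WOLFSSL_LOCAL for normal builds and exporting the symbol only when the test suite is being built, and extend the one-line comment to state that the function is not part of the supported API and may change without notice.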
Public API should not be in internal.h. They should also have our library prefix on them, i.e. wolfSSL_* or wc_*
This is only marked public to allow for use inside api.c. It is not a real public API. I'm happy to explore other ways to export it to api.c if you have ideas.
As soon as WOLFSSL_API gets added it shows up in the compiled library and we are signaling that it can be used by applications linking to wolfSSL. In the test case is it being used to more quickly set up the hash sig algo state rather than setting up a TLS connection?
We do this for other API in internal.h. It is used to test the new API directly.
I see, was unaware that pattern was in place... I can understand that it helps with hitting those API in test cases. Looks like the precedent for the pattern was this PR (#5503) version 5.5.1 of wolfSSL and on and then it was built upon.