
Add API to choose dynamic certs based on client ciphers/sigalgs #6963


Merged
merged 5 commits into from
Dec 7, 2023

julek-wolfssl
Member

No description provided.

@julek-wolfssl julek-wolfssl self-assigned this Nov 10, 2023
@julek-wolfssl julek-wolfssl force-pushed the dynamic-certs-n-ciphers branch 5 times, most recently from e9e543e to e879362 Compare November 13, 2023 19:11
@julek-wolfssl julek-wolfssl linked an issue Nov 14, 2023 that may be closed by this pull request
haproxy-mirror pushed a commit to haproxy/haproxy that referenced this pull request Nov 16, 2023
PR wolfSSL/wolfssl#6963 implements primitives to
extract ciphers and algorithm signatures.

This allows us to choose a certificate depending on what the client wants
(RSA or ECDSA).
@julek-wolfssl
Member Author

Retest this please.

@julek-wolfssl julek-wolfssl force-pushed the dynamic-certs-n-ciphers branch 6 times, most recently from ccf5c6b to 1514e97 Compare November 23, 2023 12:16
haproxy-mirror pushed a commit to haproxy/haproxy that referenced this pull request Nov 24, 2023
PR wolfSSL/wolfssl#6963 implements primitives to
extract ciphers and algorithm signatures.

It allows choosing a certificate depending on the sigalgs and
ciphers presented by the client (RSA or ECDSA).

Since WolfSSL does not implement the clienthello callback, the patch
uses the certificate callback (SSL_CTX_set_cert_cb())

The callback is inspired by our clienthello callback, however the
extraction of client ciphers and sigalgs is simpler,
wolfSSL_get_sigalg_info() and wolfSSL_get_ciphersuite_info() are used.

This is not enabled by default yet as the PR was not merged.
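
The selection that the commit message above describes, sketched as an added example; it is not HAProxy's or wolfSSL's code and calls neither library. The function names and the `loaded` bit mask are hypothetical, and the cipher-suite table is a constructed, partial list of IANA code points.

```c
#include <stddef.h>
#include <stdint.h>

enum { AUTH_RSA = 1, AUTH_ECDSA = 2 };   /* bit flags, also the return values */

/* Authentication type implied by one signature_algorithms code point. */
static int sigalg_auth(uint8_t hi, uint8_t lo)
{
    if (hi == 0x08)                       /* rsa_pss_rsae_sha256/384/512 only */
        return (lo >= 0x04 && lo <= 0x06) ? AUTH_RSA : 0;
    if (hi >= 0x02 && hi <= 0x06)         /* TLS 1.2 pair: hash, then signature */
        return lo == 0x01 ? AUTH_RSA : lo == 0x03 ? AUTH_ECDSA : 0;
    return 0;                             /* unknown or unsupported scheme */
}

/* Authentication type a cipher suite can use (constructed, partial table). */
static int suite_auth(uint8_t hi, uint8_t lo)
{
    if (hi == 0x13) return AUTH_RSA | AUTH_ECDSA;  /* TLS 1.3: any cert type */
    if (hi == 0xC0 && (lo == 0x2B || lo == 0x2C)) return AUTH_ECDSA;
    if (hi == 0xC0 && (lo == 0x2F || lo == 0x30)) return AUTH_RSA;
    if (hi == 0xCC && lo == 0xA9) return AUTH_ECDSA;
    if (hi == 0xCC && lo == 0xA8) return AUTH_RSA;
    return 0;
}

/* Returns AUTH_ECDSA, AUTH_RSA, or 0 when no loaded certificate fits.
 * `loaded` is a bit mask of the certificate types the server holds. */
int choose_cert(const uint8_t *suites, size_t suites_len,
                const uint8_t *sigalgs, size_t sigalgs_len, int loaded)
{
    int by_suite = 0, by_sig = 0;
    size_t i;

    if ((suites_len & 1) || (sigalgs_len & 1))
        return 0;                         /* malformed: entries are 2 bytes */
    for (i = 0; i < suites_len; i += 2)
        by_suite |= suite_auth(suites[i], suites[i + 1]);
    for (i = 0; i < sigalgs_len; i += 2)
        by_sig |= sigalg_auth(sigalgs[i], sigalgs[i + 1]);
    if (sigalgs_len == 0)                 /* no extension: suites decide alone */
        by_sig = AUTH_RSA | AUTH_ECDSA;

    int ok = by_suite & by_sig & loaded;
    if (ok & AUTH_ECDSA) return AUTH_ECDSA;  /* prefer ECDSA when usable */
    return (ok & AUTH_RSA) ? AUTH_RSA : 0;
}
```

A caller that gets 0 back should fall back to its default certificate or fail the handshake rather than present a key type the client did not advertise.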
@julek-wolfssl
Member Author

Retest this please.

@julek-wolfssl julek-wolfssl force-pushed the dynamic-certs-n-ciphers branch from 4779f98 to f86525d Compare November 29, 2023 18:00
@julek-wolfssl julek-wolfssl force-pushed the dynamic-certs-n-ciphers branch from f86525d to 3edfcfe Compare November 29, 2023 22:17
@julek-wolfssl
Member Author

Retest this please


@@ -2352,7 +2352,8 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex(byte* hashSigAlgo, int haveECDSAsig,
int haveRSAsig, int haveFalconSig,
int haveDilithiumSig, int haveAnon,
int tls1_2, int keySz, word16* len);
WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have,
/* use wolfSSL_API visibility to be able to test in tests/api.c */
WOLFSSL_API void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have,
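
Review bot: on the changed declaration of InitSuitesHashSigAlgo_ex2, replacing WOLFSSL_LOCAL with WOLFSSL_API exports a helper declared in an internal header from the built library, only so that tests/api.c can call it. The added comment should spell the macro as WOLFSSL_API rather than wolfSSL_API and state that the symbol is exported for testing only and is not a supported application interface. Consider making the export conditional on a test build so that regular builds keep the function WOLFSSL_LOCAL.
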
Contributor

Public API should not be in internal.h. They should also have our library prefix on them, i.e. wolfSSL_* or wc_*

Member Author

This is only marked public to allow for use inside api.c. It is not a real public API. I'm happy to explore other ways to export it to api.c if you have ideas.

Contributor

As soon as WOLFSSL_API gets added it shows up in the compiled library and we are signaling that it can be used by applications linking to wolfSSL. In the test case, is it being used to more quickly set up the hash sig algo state rather than setting up a TLS connection?

Member Author

We do this for other API in internal.h. It is used to test the new API directly.

Contributor

I see, was unaware that pattern was in place... I can understand that it helps with hitting those API in test cases. Looks like the precedent for the pattern was this PR (#5503) version 5.5.1 of wolfSSL and on and then it was built upon.

@SparkiDev SparkiDev merged commit 6c8bf7b into wolfSSL:master Dec 7, 2023

Successfully merging this pull request may close these issues.

[Bug]: haproxy: can't chose between an ECDSA or RSA certificate