
dtls13: enable hrr cookie by default

Marco Oliverio 1 year ago
parent
commit
401cfbd8e4
3 changed files with 57 additions and 36 deletions
  1. 35 31
      CMakeLists.txt
  2. 7 1
      configure.ac
  3. 15 4
      src/internal.c

+ 35 - 31
CMakeLists.txt

@@ -275,6 +275,36 @@ if("${FIPS_VERSION}" STREQUAL "v1")
     override_cache(WOLFSSL_TLS13 "no")
 endif()
 
+# Post-handshake authentication
+add_option("WOLFSSL_POSTAUTH"
+    "Enable wolfSSL Post-handshake Authentication (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_POSTAUTH)
+    if(NOT WOLFSSL_TLS13)
+        message(WARNING "TLS 1.3 is disabled - disabling Post-handshake Authentication")
+        override_cache(WOLFSSL_POSTAUTH "no")
+    else()
+        list(APPEND WOLFSSL_DEFINITIONS
+            "-DWOLFSSL_POST_HANDSHAKE_AUTH")
+    endif()
+endif()
+
+# Hello Retry Request Cookie
+add_option("WOLFSSL_HRR_COOKIE"
+    "Enable the server to send Cookie Extension in HRR with state (default: disabled)"
+    "undefined" "yes;no;undefined")
+
+if("${WOLFSSL_HRR_COOKIE}" STREQUAL "yes")
+    if(NOT WOLFSSL_TLS13)
+        message(WARNING "TLS 1.3 is disabled - disabling HRR Cookie")
+        override_cache(WOLFSSL_HRR_COOKIE "no")
+    else()
+        list(APPEND WOLFSSL_DEFINITIONS
+            "-DWOLFSSL_SEND_HRR_COOKIE")
+    endif()
+endif()
+
 # DTLS v1.3
 add_option("WOLFSSL_DTLS13"
     "Enable wolfSSL DTLS v1.3 (default: disabled)"
@@ -289,7 +319,11 @@ if(WOLFSSL_DTLS13)
     endif()
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS13")
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_W64_WRAPPER")
-
+    if ("${WOLFSSL_HRR_COOKIE}" STREQUAL "undefined")
+      message(WARNING "DTLS1.3 is enabled - enabling HRR Cookie")
+      override_cache(WOLFSSL_HRR_COOKIE "yes")
+      list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SEND_HRR_COOKIE")
+    endif()
     if (WOLFSSL_AES)
       list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_AES_DIRECT")
     endif()
@@ -307,36 +341,6 @@ if(WOLFSSL_DTLS_CID)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CID")
 endif()
 
-# Post-handshake authentication
-add_option("WOLFSSL_POSTAUTH"
-    "Enable wolfSSL Post-handshake Authentication (default: disabled)"
-    "no" "yes;no")
-
-if(WOLFSSL_POSTAUTH)
-    if(NOT WOLFSSL_TLS13)
-        message(WARNING "TLS 1.3 is disabled - disabling Post-handshake Authentication")
-        override_cache(WOLFSSL_POSTAUTH "no")
-    else()
-        list(APPEND WOLFSSL_DEFINITIONS
-            "-DWOLFSSL_POST_HANDSHAKE_AUTH")
-    endif()
-endif()
-
-# Hello Retry Request Cookie
-add_option("WOLFSSL_HRR_COOKIE"
-    "Enable the server to send Cookie Extension in HRR with state (default: disabled)"
-    "no" "yes;no")
-
-if(WOLFSSL_HRR_COOKIE)
-    if(NOT WOLFSSL_TLS13)
-        message(WARNING "TLS 1.3 is disabled - disabling HRR Cookie")
-        override_cache(WOLFSSL_HRR_COOKIE "no")
-    else()
-        list(APPEND WOLFSSL_DEFINITIONS
-            "-DWOLFSSL_SEND_HRR_COOKIE")
-    endif()
-endif()
-
 # RNG
 add_option("WOLFSSL_RNG"
     "Enable compiling and using RNG (default: enabled)"
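Review bot: The help string of the WOLFSSL_HRR_COOKIE option still reads "(default: disabled)" although its default is now "undefined", which the second hunk turns into "yes" whenever WOLFSSL_DTLS13 is on; suggest `"Enable the server to send Cookie Extension in HRR with state (default: enabled with DTLS 1.3, otherwise disabled)"`, and the same stale wording sits in the configure.ac help text. An explicit `-DWOLFSSL_HRR_COOKIE=no` together with WOLFSSL_DTLS13 is accepted silently, leaving the DTLS 1.3 server without the stateless cookie exchange; a `message(WARNING "HRR Cookie disabled - DTLS 1.3 server will not perform the cookie exchange")` in that case would make the trade-off visible in the configure log the way the TLS 1.3 case already is. The `message(WARNING "DTLS1.3 is enabled - enabling HRR Cookie")` reports expected behaviour rather than a problem, so STATUS is the conventional level here (configure.ac uses AC_MSG_NOTICE for the same event). The `if(WOLFSSL_DTLS13)` block modified by the second hunk starts outside it.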

+ 7 - 1
configure.ac

@@ -1078,7 +1078,7 @@ fi
 AC_ARG_ENABLE([hrrcookie],
     [AS_HELP_STRING([--enable-hrrcookie],[Enable the server to send Cookie Extension in HRR with state (default: disabled)])],
     [ ENABLED_SEND_HRR_COOKIE=$enableval ],
-    [ ENABLED_SEND_HRR_COOKIE=no ]
+    [ ENABLED_SEND_HRR_COOKIE=undefined ]
     )
 if test "$ENABLED_SEND_HRR_COOKIE" = "yes"
 then
@@ -3753,6 +3753,12 @@ then
         then
                 AC_MSG_ERROR([You need to enable both DTLS and TLSv1.3 to use DTLSv1.3])
         fi
+        if test "x$ENABLED_SEND_HRR_COOKIE" == "xundefined"
+        then
+                AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling HRR cookie])
+                AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SEND_HRR_COOKIE"
+                ENABLED_SEND_HRR_COOKIE="yes"
+        fi
   AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS13 -DWOLFSSL_W64_WRAPPER"
   if test "x$ENABLED_AES" = "xyes"
   then
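Review bot: The new test in the second hunk uses `==`, which is not a POSIX `test` operator and fails under dash or another strict `/bin/sh` with "unexpected operator"; the surrounding code (e.g. `if test "x$ENABLED_AES" = "xyes"` two lines below) uses a single `=`, so this should be `if test "x$ENABLED_SEND_HRR_COOKIE" = "xundefined"`. The help string in the first hunk still says "(default: disabled)" while the default is now `undefined` and becomes yes when DTLSv1.3 is enabled; the text should describe that. When DTLSv1.3 is off, ENABLED_SEND_HRR_COOKIE stays at the literal string `undefined` for the rest of the script, so any later comparison against "no" would not match — worth confirming nothing downstream keys on that value. The enclosing `if … then` block of the second hunk begins outside it.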

+ 15 - 4
src/internal.c

@@ -6934,11 +6934,22 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 
 #if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER)
     if (ssl->options.dtls && ssl->options.side == WOLFSSL_SERVER_END) {
-        ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0);
-        if (ret != 0) {
-            WOLFSSL_MSG("DTLS Cookie Secret error");
-            return ret;
+        if (!IsAtLeastTLSv1_3(ssl->version)) {
+                ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0);
+                if (ret != 0) {
+                    WOLFSSL_MSG("DTLS Cookie Secret error");
+                    return ret;
+                }
+        }
+#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
+        else {
+            ret = wolfSSL_send_hrr_cookie(ssl, NULL, 0);
+            if (ret != WOLFSSL_SUCCESS) {
+                WOLFSSL_MSG("DTLS1.3 Cookie secret error");
+                return ret;
+            }
         }
+#endif /* WOLFSSL_DTLS13 && WOLFSSL_SEND_HRR_COOKIE */
     }
 #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */
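Review bot: When WOLFSSL_DTLS13 is built without WOLFSSL_SEND_HRR_COOKIE, the new `#if` removes the whole `else` branch, so a DTLS 1.3 server leaves InitSSL with no cookie secret set up and no log line saying so; a comment on the `#if` line such as `/* DTLS 1.3 uses the HRR cookie instead of the DTLS 1.2 cookie; without WOLFSSL_SEND_HRR_COOKIE no cookie exchange is configured here */` would make that deliberate choice visible to the next reader. The failure path passes the result of wolfSSL_send_hrr_cookie straight through as `return ret;`, but InitSSL's own convention (see the retained `ret != 0` check) treats zero as success, so if that function can ever report failure as WOLFSSL_FAILURE (0) rather than a negative code — I cannot confirm that from here — the caller would see success; normalising to a negative code such as WOLFSSL_FATAL_ERROR before returning would close that gap. The body of the retained DTLS 1.2 branch is now indented 16 spaces inside an 8-space block; align it with the new else branch. InitSSL continues outside the hunk.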