From 6fd5a9777acb720e1ac872478151e8b12636e17b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 2 Oct 2024 14:00:56 +0200 Subject: [PATCH] wolfssl: convert malloc + memcpys to dynbuf for cipher string Closes #15124 --- lib/vtls/wolfssl.c | 81 +++++++++++++++++++--------------------------- 1 file changed, 34 insertions(+), 47 deletions(-) diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index 3d2a708137..dca57604d8 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c @@ -631,32 +631,23 @@ CURLcode Curl_wssl_setup_x509_store(struct Curl_cfilter *cf, } #ifdef WOLFSSL_TLS13 -static size_t -wssl_get_default_ciphers(bool tls13, char *buf, size_t size) +static CURLcode +wssl_add_default_ciphers(bool tls13, struct dynbuf *buf) { - size_t len = 0; - char *term = buf; int i; char *str; - size_t n; for(i = 0; (str = wolfSSL_get_cipher_list(i)); i++) { + size_t n; if((strncmp(str, "TLS13", 5) == 0) != tls13) continue; n = strlen(str); - if(buf && len + n + 1 <= size) { - memcpy(buf + len, str, n); - term = buf + len + n; - *term = ':'; - } - len += n + 1; + if(Curl_dyn_addn(buf, str, n) || Curl_dyn_addn(buf, ":", 1)) + return CURLE_OUT_OF_MEMORY; } - if(buf) - *term = '\0'; - - return len > 0 ? len - 1 : 0; + return CURLE_OK; } #endif @@ -707,7 +698,7 @@ static CURLcode wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) { int res; - char *ciphers, *curves; + char *curves; struct ssl_connect_data *connssl = cf->ctx; struct wolfssl_ctx *backend = (struct wolfssl_ctx *)connssl->backend; @@ -798,50 +789,46 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) } #ifndef WOLFSSL_TLS13 - ciphers = conn_config->cipher_list; - if(ciphers) { - if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) { - failf(data, "failed setting cipher list: %s", ciphers); - return CURLE_SSL_CIPHER; + { + char *ciphers = conn_config->cipher_list; + if(ciphers) { + if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) { + failf(data, "failed setting cipher list: %s", ciphers); + return CURLE_SSL_CIPHER; + } + infof(data, "Cipher selection: %s", ciphers); } - infof(data, "Cipher selection: %s", ciphers); } #else +#define MAX_CIPHER_LEN 1024 if(conn_config->cipher_list || conn_config->cipher_list13) { const char *ciphers12 = conn_config->cipher_list; const char *ciphers13 = conn_config->cipher_list13; - - /* Set ciphers to a combination of ciphers_list and ciphers_list13. - * If cipher_list is not set use the default TLSv1.2 (1.1, 1.0) ciphers. - * If cipher_list13 is not set use the default TLSv1.3 ciphers. */ - size_t len13 = ciphers13 ? strlen(ciphers13) - : wssl_get_default_ciphers(true, NULL, 0); - size_t len12 = ciphers12 ? strlen(ciphers12) - : wssl_get_default_ciphers(false, NULL, 0); - - ciphers = malloc(len13 + 1 + len12 + 1); - if(!ciphers) - return CURLE_OUT_OF_MEMORY; + struct dynbuf c; + CURLcode result; + Curl_dyn_init(&c, MAX_CIPHER_LEN); if(ciphers13) - memcpy(ciphers, ciphers13, len13); + result = Curl_dyn_add(&c, ciphers13); else - wssl_get_default_ciphers(true, ciphers, len13 + 1); - ciphers[len13] = ':'; + result = wssl_add_default_ciphers(TRUE, &c); - if(ciphers12) - memcpy(ciphers + len13 + 1, ciphers12, len12); - else - wssl_get_default_ciphers(false, ciphers + len13 + 1, len12 + 1); - ciphers[len13 + 1 + len12] = '\0'; + if(!result) { + if(ciphers12) + result = Curl_dyn_add(&c, ciphers12); + else + result = wssl_add_default_ciphers(FALSE, &c); + } + if(result) + return result; - if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) { - failf(data, "failed setting cipher list: %s", ciphers); - free(ciphers); + if(!SSL_CTX_set_cipher_list(backend->ctx, Curl_dyn_ptr(&c))) { + failf(data, "failed setting cipher list: %s", Curl_dyn_ptr(&c)); + Curl_dyn_free(&c); return CURLE_SSL_CIPHER; } - infof(data, "Cipher selection: %s", ciphers); - free(ciphers); + infof(data, "Cipher selection: %s", Curl_dyn_ptr(&c)); + Curl_dyn_free(&c); } #endif -- 2.47.2