feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

added build option for leanPSK

Browse Source
This commit is contained in:
John Safranek
2012-10-29 15:39:42 -07:00
parent cf1f1f3ae7
commit 174618ebfb
17 changed files with 936 additions and 671 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
configure.ac
View File

@@ -206,6 +206,22 @@ then
AM_CFLAGS="$AM_CFLAGS -DLARGE_STATIC_BUFFERS -DCYASSL_CERT_GEN -DCYASSL_KEY_GEN -DHUGE_SESSION_CACHE -DOPENSSL_EXTRA -DFP_MAX_BITS=8192 -DCYASSL_DER_LOAD -DCYASSL_ALT_NAMES -DCYASSL_TEST_CERT"
fi
# lean psk build
AC_ARG_ENABLE(leanpsk,
[ --enable-leanpsk Enable Lean PSK build (default: disabled)],
[ ENABLED_LEANPSK=$enableval ],
[ ENABLED_LEANPSK=no ]
)
if test "$ENABLED_LEANPSK" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DCYASSL_LEANPSK -DHAVE_NULL_CIPHER -DNO_AES -DNO_FILESYSTEM -DNO_RSA -DNO_DSA -DNO_DH"
fi
AM_CONDITIONAL([BUILD_LEANPSK], [test "x$ENABLED_LEANPSK" = "xyes"])
# fastmath
AC_ARG_ENABLE(fastmath,
[ --enable-fastmath Enable fast math for BigInts (default: disabled)],
@@ -485,7 +501,7 @@ AC_ARG_ENABLE(psk,
[ ENABLED_PSK=no ]
)
if test "$ENABLED_PSK" = "no"
if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_PSK"
fi
@@ -758,6 +774,7 @@ echo " * certgen: $ENABLED_CERTGEN"
echo " * HC-128: $ENABLED_HC128"
echo " * RABBIT: $ENABLED_RABBIT"
echo " * PSK: $ENABLED_PSK"
echo " * LEANPSK: $ENABLED_LEANPSK"
echo " * ECC: $ENABLED_ECC"
echo " * OCSP: $ENABLED_OCSP"
echo " * CRL: $ENABLED_CRL"

11
ctaocrypt/benchmark/benchmark.c
View File

@@ -112,13 +112,15 @@ int main(int argc, char** argv)
printf("\n");
#ifndef NO_RSA
bench_rsa();
#endif
#ifndef NO_DH
bench_dh();
#endif
#ifdef CYASSL_KEY_GEN
#if defined(CYASSL_KEY_GEN) && !defined(NO_RSA)
bench_rsaKeyGen();
#endif
@@ -411,8 +413,12 @@ void bench_ripemd(void)
#endif
#if !defined(NO_RSA) || !defined(NO_DH) \
|| defined(CYASSL_KEYGEN) || defined(HAVE_ECC)
RNG rng;
#endif
#ifndef NO_RSA
void bench_rsa(void)
{
int i;
@@ -467,6 +473,7 @@ void bench_rsa(void)
fclose(file);
FreeRsaKey(&rsaKey);
}
#endif
#ifndef NO_DH
@@ -527,7 +534,7 @@ void bench_dh(void)
}
#endif
#ifdef CYASSL_KEY_GEN
#if defined(CYASSL_KEY_GEN) && !defined(NO_RSA)
void bench_rsaKeyGen(void)
{
RsaKey genKey;

125
ctaocrypt/src/asn.c
View File

@@ -23,11 +23,14 @@
#include <config.h>
#endif
#ifndef NO_ASN
#ifdef THREADX
#include "os.h" /* dc_rtc_api needs */
#include "dc_rtc_api.h" /* to get current time */
#endif
#include <cyassl/ctaocrypt/integer.h>
#include <cyassl/ctaocrypt/asn.h>
#include <cyassl/ctaocrypt/coding.h>
#include <cyassl/ctaocrypt/sha.h>
@@ -515,6 +518,7 @@ static int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
return 0;
}
#ifndef NO_RSA
int RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
word32 inSz)
@@ -541,6 +545,7 @@ int RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
return 0;
}
#endif /* NO_RSA */
/* Remove PKCS8 header, move beginning of traditional to beginning of input */
int ToTraditional(byte* input, word32 sz)
@@ -841,6 +846,7 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
#endif /* NO_PWDBASED */
#ifndef NO_RSA
int RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
word32 inSz)
@@ -906,6 +912,7 @@ int RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
return 0;
}
#endif
#ifndef NO_DH
@@ -1159,7 +1166,7 @@ static int GetCertHeader(DecodedCert* cert)
return ret;
}
#if !defined(NO_RSA)
/* Store Rsa Key, may save later, Dsa could use in future */
static int StoreRsaKey(DecodedCert* cert)
{
@@ -1181,6 +1188,7 @@ static int StoreRsaKey(DecodedCert* cert)
return 0;
}
#endif
#ifdef HAVE_ECC
@@ -1211,7 +1219,13 @@ static int GetKey(DecodedCert* cert)
if (GetAlgoId(cert->source, &cert->srcIdx, &cert->keyOID, cert->maxIdx) < 0)
return ASN_PARSE_E;
if (cert->keyOID == RSAk) {
switch (cert->keyOID) {
case DSAk:
/* do nothing */
break;
#ifndef NO_RSA
case RSAk:
{
byte b = cert->source[cert->srcIdx++];
if (b != ASN_BIT_STRING)
return ASN_BITSTR_E;
@@ -1221,11 +1235,14 @@ static int GetKey(DecodedCert* cert)
b = cert->source[cert->srcIdx++];
if (b != 0x00)
return ASN_EXPECT_0_E;
return StoreRsaKey(cert);
}
else if (cert->keyOID == DSAk )
; /* do nothing */
break;
#endif /* NO_RSA */
#ifdef HAVE_NTRU
else if (cert->keyOID == NTRUk ) {
case NTRUk:
{
const byte* key = &cert->source[tmpIdx];
byte* next = (byte*)key;
word16 keyLen;
@@ -1257,9 +1274,11 @@ static int GetKey(DecodedCert* cert)
cert->pubKeyStored = 1;
cert->pubKeySize = keyLen;
}
break;
#endif /* HAVE_NTRU */
#ifdef HAVE_ECC
else if (cert->keyOID == ECDSAk ) {
case ECDSAk:
{
word32 oid = 0;
int oidSz = 0;
byte b = cert->source[cert->srcIdx++];
@@ -1299,12 +1318,12 @@ static int GetKey(DecodedCert* cert)
cert->srcIdx += length;
}
break;
#endif /* HAVE_ECC */
else
default:
return ASN_UNKNOWN_OID_E;
}
if (cert->keyOID == RSAk)
return StoreRsaKey(cert);
return 0;
}
@@ -1833,20 +1852,27 @@ static word32 SetAlgoID(int algoOID, byte* output, int type)
0x02, 0x05, 0x05, 0x00 };
static const byte md2AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x02, 0x02, 0x05, 0x00};
/* sigTypes */
static const byte md5wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x04, 0x05, 0x00};
static const byte shawRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x05, 0x05, 0x00};
#ifndef NO_RSA
static const byte md5wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x04, 0x05, 0x00};
static const byte shawRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x05, 0x05, 0x00};
static const byte sha256wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00};
static const byte sha384wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00};
static const byte sha512wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00};
#endif /* NO_RSA */
/* keyTypes */
#ifndef NO_RSA
static const byte RSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x01, 0x05, 0x00};
#endif /* NO_RSA */
int algoSz = 0;
word32 idSz, seqSz;
const byte* algoName = 0;
@@ -1892,6 +1918,7 @@ static word32 SetAlgoID(int algoOID, byte* output, int type)
}
else if (type == sigType) { /* sigType */
switch (algoOID) {
#ifndef NO_RSA
case CTC_MD5wRSA:
algoSz = sizeof(md5wRSA_AlgoID);
algoName = md5wRSA_AlgoID;
@@ -1916,7 +1943,7 @@ static word32 SetAlgoID(int algoOID, byte* output, int type)
algoSz = sizeof(sha512wRSA_AlgoID);
algoName = sha512wRSA_AlgoID;
break;
#endif /* NO_RSA */
default:
CYASSL_MSG("Unknown Signature Algo");
return 0;
@@ -1924,11 +1951,12 @@ static word32 SetAlgoID(int algoOID, byte* output, int type)
}
else if (type == keyType) { /* keyType */
switch (algoOID) {
#ifndef NO_RSA
case RSAk:
algoSz = sizeof(RSA_AlgoID);
algoName = RSA_AlgoID;
break;
#endif /* NO_RSA */
default:
CYASSL_MSG("Unknown Key Algo");
return 0;
@@ -1984,9 +2012,17 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
#else
byte digest[SHA_DIGEST_SIZE]; /* max size */
#endif
int typeH, digestSz, ret;
int typeH, digestSz, ret = 0;
if (sigOID == CTC_MD5wRSA) {
(void)key;
(void)keySz;
(void)sig;
(void)sigSz;
(void)heap;
switch (sigOID) {
case CTC_MD5wRSA:
{
Md5 md5;
InitMd5(&md5);
Md5Update(&md5, buf, bufSz);
@@ -1994,8 +2030,10 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
typeH = MD5h;
digestSz = MD5_DIGEST_SIZE;
}
#ifdef CYASSL_MD2
else if (sigOID == CTC_MD2wRSA) {
break;
#if defined(CYASSL_MD2)
case CTC_MD2wRSA:
{
Md2 md2;
InitMd2(&md2);
Md2Update(&md2, buf, bufSz);
@@ -2003,10 +2041,12 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
typeH = MD2h;
digestSz = MD2_DIGEST_SIZE;
}
break;
#endif
else if (sigOID == CTC_SHAwRSA ||
sigOID == CTC_SHAwDSA ||
sigOID == CTC_SHAwECDSA) {
case CTC_SHAwRSA:
case CTC_SHAwDSA:
case CTC_SHAwECDSA:
{
Sha sha;
InitSha(&sha);
ShaUpdate(&sha, buf, bufSz);
@@ -2014,9 +2054,11 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
typeH = SHAh;
digestSz = SHA_DIGEST_SIZE;
}
break;
#ifndef NO_SHA256
else if (sigOID == CTC_SHA256wRSA ||
sigOID == CTC_SHA256wECDSA) {
case CTC_SHA256wRSA:
case CTC_SHA256wECDSA:
{
Sha256 sha256;
InitSha256(&sha256);
Sha256Update(&sha256, buf, bufSz);
@@ -2026,8 +2068,9 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
}
#endif
#ifdef CYASSL_SHA512
else if (sigOID == CTC_SHA512wRSA ||
sigOID == CTC_SHA512wECDSA) {
case CTC_SHA512wRSA:
case CTC_SHA512wECDSA:
{
Sha512 sha512;
InitSha512(&sha512);
Sha512Update(&sha512, buf, bufSz);
@@ -2037,8 +2080,9 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
}
#endif
#ifdef CYASSL_SHA384
else if (sigOID == CTC_SHA384wRSA ||
sigOID == CTC_SHA384wECDSA) {
case CTC_SHA384wRSA:
case CTC_SHA384wECDSA:
{
Sha384 sha384;
InitSha384(&sha384);
Sha384Update(&sha384, buf, bufSz);
@@ -2047,12 +2091,15 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
digestSz = SHA384_DIGEST_SIZE;
}
#endif
else {
default:
CYASSL_MSG("Verify Signautre has unsupported type");
return 0;
}
if (keyOID == RSAk) {
switch (keyOID) {
#ifndef NO_RSA
case RSAk:
{
RsaKey pubKey;
byte encodedSig[MAX_ENCODED_SIG_SZ];
byte plain[MAX_ENCODED_SIG_SZ];
@@ -2113,8 +2160,11 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
FreeRsaKey(&pubKey);
return ret;
}
break;
#endif /* NO_RSA */
#ifdef HAVE_ECC
else if (keyOID == ECDSAk) {
case ECDSAk:
{
ecc_key pubKey;
int verify = 0;
@@ -2132,10 +2182,11 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
return 0;
}
#endif /* HAVE_ECC */
else {
default:
CYASSL_MSG("Verify Key type unknown");
return 0;
}
return ret;
}
@@ -2895,7 +2946,7 @@ int DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz,
#endif /* CYASSL_KEY_GEN || CYASSL_CERT_GEN */
#ifdef CYASSL_KEY_GEN
#if defined(CYASSL_KEY_GEN) && !defined(NO_RSA)
static mp_int* GetRsaInt(RsaKey* key, int idx)
@@ -2982,10 +3033,10 @@ int RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
return outLen;
}
#endif /* CYASSL_KEY_GEN */
#endif /* CYASSL_KEY_GEN && !NO_RSA */
#ifdef CYASSL_CERT_GEN
#if defined(CYASSL_CERT_GEN) && !defined(NO_RSA)
#ifndef min
@@ -3918,7 +3969,7 @@ static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
}
#endif /* CYASSL_ALT_NAMES */
#endif /* CYASSL_ALT_NAMES && !NO_RSA */
/* Set cn name from der buffer, return 0 on success */
@@ -5164,3 +5215,5 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz, void* cm)
}
#endif /* HAVE_CRL */
#endif

5
ctaocrypt/src/rsa.c
View File

@@ -24,6 +24,8 @@
#include <config.h>
#endif
#ifndef NO_RSA
#include <cyassl/ctaocrypt/rsa.h>
#include <cyassl/ctaocrypt/random.h>
#include <cyassl/ctaocrypt/error.h>
@@ -553,5 +555,6 @@ int MakeRsaKey(RsaKey* key, int size, long e, RNG* rng)
}
#endif /* CYASLS_KEY_GEN */
#endif /* CYASSL_KEY_GEN */
#endif /* NO_RSA */

28
ctaocrypt/test/test.c
View File

@@ -264,10 +264,12 @@ void ctaocrypt_test(void* args)
else
printf( "RANDOM test passed!\n");
#ifndef NO_RSA
if ( (ret = rsa_test()) )
err_sys("RSA test failed!\n", ret);
else
printf( "RSA test passed!\n");
#endif
#ifndef NO_DH
if ( (ret = dh_test()) )
@@ -1360,14 +1362,6 @@ int random_test(void)
}
static const char* clientKey = "./certs/client-key.der";
static const char* clientCert = "./certs/client-cert.der";
#ifdef CYASSL_CERT_GEN
static const char* caKeyFile = "./certs/ca-key.der";
static const char* caCertFile = "./certs/ca-cert.pem";
#endif
#ifdef HAVE_NTRU
static byte GetEntropy(ENTROPY_CMD cmd, byte* out)
@@ -1400,6 +1394,16 @@ static byte GetEntropy(ENTROPY_CMD cmd, byte* out)
#endif /* HAVE_NTRU */
#ifndef NO_RSA
static const char* clientKey = "./certs/client-key.der";
static const char* clientCert = "./certs/client-cert.der";
#ifdef CYASSL_CERT_GEN
static const char* caKeyFile = "./certs/ca-key.der";
static const char* caCertFile = "./certs/ca-cert.pem";
#endif
int rsa_test(void)
{
byte tmp[2048], tmp2[2048];
@@ -1764,11 +1768,13 @@ int rsa_test(void)
return 0;
}
#endif
static const char* dhKey = "./certs/dh2048.der";
#ifndef NO_DH
static const char* dhKey = "./certs/dh2048.der";
int dh_test(void)
{
int ret;
@@ -1829,10 +1835,10 @@ int dh_test(void)
#endif /* NO_DH */
static const char* dsaKey = "./certs/dsa2048.der";
#ifndef NO_DSA
static const char* dsaKey = "./certs/dsa2048.der";
int dsa_test(void)
{
int ret, answer;

2
cyassl/ctaocrypt/asn.h
View File

@@ -19,6 +19,7 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
//#ifndef NO_ASN
#ifndef CTAO_CRYPT_ASN_H
#define CTAO_CRYPT_ASN_H
@@ -483,3 +484,4 @@ CYASSL_LOCAL void FreeDecodedCRL(DecodedCRL*);
#endif /* CTAO_CRYPT_ASN_H */
//#endif /* NO_ASN */

2
cyassl/ctaocrypt/rsa.h
View File

@@ -19,6 +19,7 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
#ifndef NO_RSA
#ifndef CTAO_CRYPT_RSA_H
#define CTAO_CRYPT_RSA_H
@@ -79,3 +80,4 @@ CYASSL_API int RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey*,
#endif /* CTAO_CRYPT_RSA_H */
#endif /* NO_RSA */

32
cyassl/internal.h
View File

@@ -24,9 +24,9 @@
#define CYASSL_INT_H
#include <cyassl/ctaocrypt/types.h>
#include <cyassl/ssl.h>
#include <cyassl/crl.h>
#include <cyassl/ctaocrypt/types.h>
#include <cyassl/ctaocrypt/random.h>
#include <cyassl/ctaocrypt/des3.h>
#include <cyassl/ctaocrypt/hc128.h>
@@ -124,7 +124,7 @@ void c32to24(word32 in, word24 out);
When adding cipher suites, add name to cipher_names, idx to cipher_name_idx
*/
#ifndef NO_RC4
#if !defined(NO_RSA) && !defined(NO_RC4)
#define BUILD_SSL_RSA_WITH_RC4_128_SHA
#define BUILD_SSL_RSA_WITH_RC4_128_MD5
#if !defined(NO_TLS) && defined(HAVE_NTRU)
@@ -132,20 +132,16 @@ void c32to24(word32 in, word24 out);
#endif
#endif
#ifndef NO_DES3
#if !defined(NO_RSA) && !defined(NO_DES3)
#define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
#if !defined(NO_TLS) && defined(HAVE_NTRU)
#define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
#endif
#endif
#if !defined(NO_AES) && !defined(NO_TLS)
#if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS)
#define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
#if !defined (NO_PSK)
#define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
#define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
#endif
#if defined(HAVE_NTRU)
#define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
@@ -160,24 +156,31 @@ void c32to24(word32 in, word24 out);
#endif
#endif
#if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS)
#define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
#define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
#endif
#if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER)
#if !defined(NO_RSA)
#define BUILD_TLS_RSA_WITH_NULL_SHA
#define BUILD_TLS_RSA_WITH_NULL_SHA256
#endif
#if !defined(NO_PSK)
#define BUILD_TLS_PSK_WITH_NULL_SHA
#endif
#endif
#if !defined(NO_HC128) && !defined(NO_TLS)
#if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS)
#define BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
#define BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
#endif
#if !defined(NO_RABBIT) && !defined(NO_TLS)
#if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA)
#define BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
#endif
#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && defined(OPENSSL_EXTRA)
#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && !defined(NO_RSA) && defined(OPENSSL_EXTRA)
#define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
#if !defined (NO_SHA256)
@@ -661,7 +664,8 @@ typedef struct Suites {
CYASSL_LOCAL
void InitSuites(Suites*, ProtocolVersion, byte, byte, byte, byte, byte, int);
void InitSuites(Suites*, ProtocolVersion,
byte, byte, byte, byte, byte, byte, int);
CYASSL_LOCAL
int SetCipherList(Suites*, const char* list);
@@ -836,6 +840,7 @@ struct CYASSL_CTX {
byte sessionCacheOff;
byte sessionCacheFlushOff;
byte sendVerify; /* for client side */
byte haveRSA; /* RSA available */
byte haveDH; /* server DH parms set by user */
byte haveNTRU; /* server private NTRU key loaded */
byte haveECDSAsig; /* server cert signed w/ ECDSA */
@@ -1174,6 +1179,7 @@ typedef struct Options {
byte connectState; /* nonblocking resume */
byte acceptState; /* nonblocking resume */
byte usingCompression; /* are we using compression */
byte haveRSA; /* RSA available */
byte haveDH; /* server DH parms set by user */
byte haveNTRU; /* server NTRU private key loaded */
byte haveECDSAsig; /* server ECDSA signed cert */
@@ -1294,8 +1300,10 @@ struct CYASSL {
Arrays* arrays;
CYASSL_SESSION session;
VerifyCallback verifyCallback; /* cert verification callback */
#ifndef NO_RSA
RsaKey* peerRsaKey;
byte peerRsaKeyPresent;
#endif
#ifdef HAVE_NTRU
word16 peerNtruKeyLen;
byte peerNtruKey[MAX_NTRU_PUB_KEY_SZ];

8
examples/client/client.c
View File

@@ -300,7 +300,8 @@ void client_test(void* args)
#ifdef VERIFY_CALLBACK
CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify);
#endif
#ifndef NO_FILESYSTEM
if (!usePsk){
if (CyaSSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load client cert file, check file and run from"
@@ -313,8 +314,9 @@ void client_test(void* args)
if (CyaSSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from CyaSSL home dir");
if (doPeerCheck == 0)
}
#endif
if (!usePsk && doPeerCheck == 0)
CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
if (benchmark) {

11
examples/server/server.c
View File

@@ -242,11 +242,14 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
err_sys("can't set cipher list");
#ifndef NO_FILESYSTEM
if (!usePsk) {
if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" CyaSSL home dir");
}
#endif
#ifdef HAVE_NTRU
if (useNtruKey) {
@@ -257,12 +260,14 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
}
#endif
if (!useNtruKey) {
#ifndef NO_FILESYSTEM
if (!useNtruKey && !usePsk) {
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" CyaSSL home dir");
}
#endif
#ifndef NO_PSK
if (usePsk) {
@@ -274,6 +279,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
}
#endif
#ifndef NO_FILESYSTEM
/* if not using PSK, verify peer with certs */
if (doCliCertCheck && usePsk == 0) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
@@ -281,6 +287,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from CyaSSL home dir");
}
#endif
#ifdef OPENSSL_EXTRA
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);

11
src/include.am
View File

@@ -16,12 +16,8 @@ src_libcyassl_la_SOURCES = \
ctaocrypt/src/md5.c \
ctaocrypt/src/md4.c \
ctaocrypt/src/random.c \
ctaocrypt/src/rsa.c \
ctaocrypt/src/sha.c \
ctaocrypt/src/aes.c \
ctaocrypt/src/sha256.c \
ctaocrypt/src/dh.c \
ctaocrypt/src/dsa.c \
ctaocrypt/src/arc4.c \
ctaocrypt/src/pwdbased.c \
ctaocrypt/src/logging.c \
@@ -31,6 +27,13 @@ src_libcyassl_la_LIBADD = $(LIBM)
src_libcyassl_la_CFLAGS = -DBUILDING_CYASSL $(AM_CFLAGS)
src_libcyassl_la_CPPFLAGS = -DBUILDING_CYASSL $(AM_CPPFLAGS)
if !BUILD_LEANPSK
src_libcyassl_la_SOURCES += ctaocrypt/src/rsa.c \
ctaocrypt/src/dh.c \
ctaocrypt/src/dsa.c \
ctaocrypt/src/aes.c
endif
if BUILD_AESNI
src_libcyassl_la_SOURCES += ctaocrypt/src/aes_asm.s
endif

192
src/internal.c
View File

@@ -64,8 +64,10 @@
#ifndef NO_CYASSL_SERVER
static int DoClientHello(CYASSL* ssl, const byte* input, word32*, word32,
word32);
static int DoCertificateVerify(CYASSL* ssl, byte*, word32*, word32);
static int DoClientKeyExchange(CYASSL* ssl, byte* input, word32*);
#if !defined(NO_RSA) || defined(HAVE_ECC)
static int DoCertificateVerify(CYASSL* ssl, byte*, word32*, word32);
#endif
#endif
typedef enum {
@@ -373,7 +375,7 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method)
#endif
ctx->suites.setSuites = 0; /* user hasn't set yet */
/* remove DH later if server didn't set, add psk later */
InitSuites(&ctx->suites, method->version, TRUE, FALSE, ctx->haveNTRU,
InitSuites(&ctx->suites, method->version, TRUE, FALSE, TRUE, ctx->haveNTRU,
ctx->haveECDSAsig, ctx->haveStaticECC, method->side);
ctx->verifyPeer = 0;
ctx->verifyNone = 0;
@@ -513,13 +515,13 @@ void InitCipherSpecs(CipherSpecs* cs)
}
void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
byte haveNTRU, byte haveECDSAsig, byte haveStaticECC, int side)
void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK,
byte haveDH, byte haveNTRU, byte haveECDSAsig,
byte haveStaticECC, int side)
{
word16 idx = 0;
int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
int tls1_2 = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_2_MINOR;
int haveRSA = 1;
int haveRSAsig = 1;
(void)tls; /* shut up compiler */
@@ -916,6 +918,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
{
int ret;
byte haveRSA = 0;
byte havePSK = 0;
ssl->ctx = ctx; /* only for passing to calls, options could change */
@@ -925,6 +928,9 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
#ifdef HAVE_LIBZ
ssl->didStreamInit = 0;
#endif
#ifndef NO_RSA
haveRSA = 1;
#endif
ssl->buffers.certificate.buffer = 0;
ssl->buffers.key.buffer = 0;
@@ -986,10 +992,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
#ifdef CYASSL_SHA384
InitSha384(&ssl->hashSha384);
#endif
#ifndef NO_RSA
ssl->peerRsaKey = NULL;
ssl->verifyCallback = ctx->verifyCallback;
ssl->peerRsaKeyPresent = 0;
#endif
ssl->verifyCallback = ctx->verifyCallback;
ssl->options.side = ctx->method->side;
ssl->options.downgrade = ctx->method->downgrade;
ssl->error = 0;
@@ -1159,6 +1166,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
*ssl->suites = ctx->suites;
/* peer key */
#ifndef NO_RSA
ssl->peerRsaKey = (RsaKey*)XMALLOC(sizeof(RsaKey), ssl->heap,
DYNAMIC_TYPE_RSA);
if (ssl->peerRsaKey == NULL) {
@@ -1166,7 +1174,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
return MEMORY_E;
}
InitRsaKey(ssl->peerRsaKey, ctx->heap);
#endif
/* make sure server has cert and key unless using PSK */
if (ssl->options.side == SERVER_END && !havePSK)
if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer) {
@@ -1176,11 +1184,12 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
/* make sure server has DH parms, and add PSK if there, add NTRU too */
if (ssl->options.side == SERVER_END)
InitSuites(ssl->suites, ssl->version,ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
else
InitSuites(ssl->suites, ssl->version, TRUE, havePSK,
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
@@ -1222,10 +1231,12 @@ void SSL_ResourceFree(CYASSL* ssl)
if (ssl->buffers.weOwnKey)
XFREE(ssl->buffers.key.buffer, ssl->heap, DYNAMIC_TYPE_KEY);
#ifndef NO_RSA
if (ssl->peerRsaKey) {
FreeRsaKey(ssl->peerRsaKey);
XFREE(ssl->peerRsaKey, ssl->heap, DYNAMIC_TYPE_RSA);
}
#endif
if (ssl->buffers.inputBuffer.dynamicFlag)
ShrinkInputBuffer(ssl, FORCED_FREE);
if (ssl->buffers.outputBuffer.dynamicFlag)
@@ -1290,12 +1301,14 @@ void FreeHandshakeResources(CYASSL* ssl)
if (ssl->options.saveArrays)
FreeArrays(ssl, 1);
#ifndef NO_RSA
/* peerRsaKey */
if (ssl->peerRsaKey) {
FreeRsaKey(ssl->peerRsaKey);
XFREE(ssl->peerRsaKey, ssl->heap, DYNAMIC_TYPE_RSA);
ssl->peerRsaKey = NULL;
}
#endif
}
@@ -2293,7 +2306,10 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
}
/* decode peer key */
if (dCert.keyOID == RSAk) {
switch (dCert.keyOID) {
#ifndef NO_RSA
case RSAk:
{
word32 idx = 0;
if (RsaPublicKeyDecode(dCert.publicKey, &idx,
ssl->peerRsaKey, dCert.pubKeySize) != 0) {
@@ -2302,8 +2318,11 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
else
ssl->peerRsaKeyPresent = 1;
}
break;
#endif /* NO_RSA */
#ifdef HAVE_NTRU
else if (dCert.keyOID == NTRUk) {
case NTRUk:
{
if (dCert.pubKeySize > sizeof(ssl->peerNtruKey)) {
ret = PEER_KEY_ERROR;
}
@@ -2313,9 +2332,11 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
ssl->peerNtruKeyPresent = 1;
}
}
break;
#endif /* HAVE_NTRU */
#ifdef HAVE_ECC
else if (dCert.keyOID == ECDSAk) {
case ECDSAk:
{
if (ecc_import_x963(dCert.publicKey, dCert.pubKeySize,
&ssl->peerEccDsaKey) != 0) {
ret = PEER_KEY_ERROR;
@@ -2323,7 +2344,11 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
else
ssl->peerEccDsaKeyPresent = 1;
}
break;
#endif /* HAVE_ECC */
default:
break;
}
FreeDecodedCert(&dCert);
}
@@ -2593,12 +2618,14 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx,
ret = DoClientKeyExchange(ssl, input, inOutIdx);
break;
#if !defined(NO_RSA) || defined(HAVE_ECC)
case certificate_verify:
CYASSL_MSG("processing certificate verify");
ret = DoCertificateVerify(ssl, input, inOutIdx, totalSz);
break;
#endif /* !NO_RSA || HAVE_ECC */
#endif
#endif /* !NO_CYASSL_SERVER */
default:
CYASSL_MSG("Unknown handshake message type");
@@ -2736,6 +2763,10 @@ static INLINE word32 GetSEQIncrement(CYASSL* ssl, int verify)
static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
{
(void)out;
(void)input;
(void)sz;
if (ssl->encrypt.setup == 0) {
CYASSL_MSG("Encrypt ciphers not setup");
return ENCRYPT_ERROR;
@@ -2830,6 +2861,10 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input,
word32 sz)
{
(void)plain;
(void)input;
(void)sz;
if (ssl->decrypt.setup == 0) {
CYASSL_MSG("Decrypt ciphers not setup");
return DECRYPT_ERROR;
@@ -5604,7 +5639,9 @@ int SetCipherList(Suites* s, const char* list)
word32 idx = 0;
int ret = 0;
if (ssl->specs.kea == rsa_kea) {
switch (ssl->specs.kea) {
#ifndef NO_RSA
case rsa_kea:
RNG_GenerateBlock(ssl->rng, ssl->arrays->preMasterSecret,
SECRET_LEN);
ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
@@ -5621,8 +5658,11 @@ int SetCipherList(Suites* s, const char* list)
encSz = ret;
ret = 0; /* set success to 0 */
}
break;
#endif
#ifdef OPENSSL_EXTRA
} else if (ssl->specs.kea == diffie_hellman_kea) {
case diffie_hellman_kea:
{
buffer serverP = ssl->buffers.serverDH_P;
buffer serverG = ssl->buffers.serverDH_G;
buffer serverPub = ssl->buffers.serverDH_Pub;
@@ -5646,9 +5686,12 @@ int SetCipherList(Suites* s, const char* list)
&ssl->arrays->preMasterSz, priv, privSz,
serverPub.buffer, serverPub.length);
FreeDhKey(&key);
}
break;
#endif /* OPENSSL_EXTRA */
#ifndef NO_PSK
} else if (ssl->specs.kea == psk_kea) {
case psk_kea:
{
byte* pms = ssl->arrays->preMasterSecret;
ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
@@ -5671,9 +5714,12 @@ int SetCipherList(Suites* s, const char* list)
pms += 2;
XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
ssl->arrays->preMasterSz = ssl->arrays->psk_keySz * 2 + 4;
}
break;
#endif /* NO_PSK */
#ifdef HAVE_NTRU
} else if (ssl->specs.kea == ntru_kea) {
case ntru_kea:
{
word32 rc;
word16 cipherLen = sizeof(encSecret);
DRBG_HANDLE drbg;
@@ -5689,11 +5735,13 @@ int SetCipherList(Suites* s, const char* list)
return NO_PEER_KEY;
rc = crypto_drbg_instantiate(MAX_NTRU_BITS, cyasslStr,
sizeof(cyasslStr), GetEntropy, &drbg);
sizeof(cyasslStr), GetEntropy,
&drbg);
if (rc != DRBG_OK)
return NTRU_DRBG_ERROR;
rc = crypto_ntru_encrypt(drbg, ssl->peerNtruKeyLen,ssl->peerNtruKey,
rc = crypto_ntru_encrypt(drbg, ssl->peerNtruKeyLen,
ssl->peerNtruKey,
ssl->arrays->preMasterSz,
ssl->arrays->preMasterSecret,
&cipherLen, encSecret);
@@ -5703,9 +5751,12 @@ int SetCipherList(Suites* s, const char* list)
encSz = cipherLen;
ret = 0;
}
break;
#endif /* HAVE_NTRU */
#ifdef HAVE_ECC
} else if (ssl->specs.kea == ecc_diffie_hellman_kea) {
case ecc_diffie_hellman_kea:
{
ecc_key myKey;
ecc_key* peerKey = &myKey;
word32 size = sizeof(encSecret);
@@ -5744,9 +5795,12 @@ int SetCipherList(Suites* s, const char* list)
ssl->arrays->preMasterSz = size;
ecc_free(&myKey);
}
break;
#endif /* HAVE_ECC */
} else
default:
return ALGO_ID_E; /* unsupported kea */
}
if (ret == 0) {
byte *output;
@@ -5820,6 +5874,7 @@ int SetCipherList(Suites* s, const char* list)
return ret;
}
#ifndef NO_RSA
int SendCertificateVerify(CYASSL* ssl)
{
byte *output;
@@ -5959,7 +6014,7 @@ int SetCipherList(Suites* s, const char* list)
else
return ret;
}
#endif /* NO_RSA */
#endif /* NO_CYASSL_CLIENT */
@@ -6996,6 +7051,7 @@ int SetCipherList(Suites* s, const char* list)
ssl->chVersion = pv; /* store */
if (ssl->version.minor > pv.minor) {
byte haveRSA = 0;
byte havePSK = 0;
if (!ssl->options.downgrade) {
CYASSL_MSG("Client trying to connect with lesser version");
@@ -7018,13 +7074,17 @@ int SetCipherList(Suites* s, const char* list)
CYASSL_MSG(" downgrading to TLSv1.1");
ssl->version.minor = TLSv1_1_MINOR;
}
#ifndef NO_RSA
haveRSA = 1;
#endif
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
InitSuites(ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
}
/* suite size */
@@ -7128,6 +7188,7 @@ int SetCipherList(Suites* s, const char* list)
ssl->chVersion = pv; /* store */
i += (word32)sizeof(pv);
if (ssl->version.minor > pv.minor) {
byte haveRSA = 0;
byte havePSK = 0;
if (!ssl->options.downgrade) {
CYASSL_MSG("Client trying to connect with lesser version");
@@ -7150,12 +7211,16 @@ int SetCipherList(Suites* s, const char* list)
CYASSL_MSG(" downgrading to TLSv1.1");
ssl->version.minor = TLSv1_1_MINOR;
}
#ifndef NO_RSA
haveRSA = 1;
#endif
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
InitSuites(ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
}
/* random */
XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
@@ -7269,7 +7334,7 @@ int SetCipherList(Suites* s, const char* list)
return MatchSuite(ssl, &clSuites);
}
#if !defined(NO_RSA) || defined(HAVE_ECC)
static int DoCertificateVerify(CYASSL* ssl, byte* input, word32* inOutsz,
word32 totalSz)
{
@@ -7304,6 +7369,7 @@ int SetCipherList(Suites* s, const char* list)
*inOutsz = i + sz;
/* RSA */
#ifndef NO_RSA
if (ssl->peerRsaKeyPresent != 0) {
CYASSL_MSG("Doing RSA peer cert verify");
@@ -7333,8 +7399,9 @@ int SetCipherList(Suites* s, const char* list)
ret = 0; /* verified */
}
}
#endif
#ifdef HAVE_ECC
else if (ssl->peerEccDsaKeyPresent) {
if (ssl->peerEccDsaKeyPresent) {
int verify = 0;
int err = -1;
@@ -7349,7 +7416,7 @@ int SetCipherList(Suites* s, const char* list)
#endif
return ret;
}
#endif /* !NO_RSA || HAVE_ECC */
int SendServerHelloDone(CYASSL* ssl)
{
@@ -7442,6 +7509,11 @@ int SetCipherList(Suites* s, const char* list)
word32 length = 0;
byte* out;
(void)length; /* shut up compiler warnings */
(void)out;
(void)input;
(void)inOutIdx;
if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
CYASSL_MSG("Client sending keyexchange at wrong time");
return OUT_OF_ORDER_E;
@@ -7459,7 +7531,11 @@ int SetCipherList(Suites* s, const char* list)
if (ssl->toInfoOn)
AddLateName("ClientKeyExchange", &ssl->timeoutInfo);
#endif
if (ssl->specs.kea == rsa_kea) {
switch (ssl->specs.kea) {
#ifndef NO_RSA
case rsa_kea:
{
word32 idx = 0;
RsaKey key;
byte* tmp = 0;
@@ -7467,8 +7543,8 @@ int SetCipherList(Suites* s, const char* list)
InitRsaKey(&key, ssl->heap);
if (ssl->buffers.key.buffer)
ret = RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &key,
ssl->buffers.key.length);
ret = RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx,
&key, ssl->buffers.key.length);
else
return NO_PRIVATE_KEY;
@@ -7484,10 +7560,10 @@ int SetCipherList(Suites* s, const char* list)
if (RsaPrivateDecryptInline(tmp, length, &out, &key) ==
SECRET_LEN) {
XMEMCPY(ssl->arrays->preMasterSecret, out, SECRET_LEN);
if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major
||
ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor)
if (ssl->arrays->preMasterSecret[0] !=
ssl->chVersion.major
|| ssl->arrays->preMasterSecret[1] !=
ssl->chVersion.minor)
ret = PMS_VERSION_ERROR;
else
ret = MakeMasterSecret(ssl);
@@ -7497,8 +7573,12 @@ int SetCipherList(Suites* s, const char* list)
}
FreeRsaKey(&key);
}
break;
#endif
#ifndef NO_PSK
} else if (ssl->specs.kea == psk_kea) {
case psk_kea:
{
byte* pms = ssl->arrays->preMasterSecret;
word16 ci_sz;
@@ -7514,7 +7594,8 @@ int SetCipherList(Suites* s, const char* list)
ssl->arrays->client_identity, ssl->arrays->psk_key,
MAX_PSK_KEY_LEN);
if (ssl->arrays->psk_keySz == 0 ||
ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) return PSK_KEY_ERROR;
ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
return PSK_KEY_ERROR;
/* make psk pre master secret */
/* length of key + length 0s + length of key + key */
@@ -7528,9 +7609,12 @@ int SetCipherList(Suites* s, const char* list)
ssl->arrays->preMasterSz = ssl->arrays->psk_keySz * 2 + 4;
ret = MakeMasterSecret(ssl);
}
break;
#endif /* NO_PSK */
#ifdef HAVE_NTRU
} else if (ssl->specs.kea == ntru_kea) {
case ntru_kea:
{
word32 rc;
word16 cipherLen;
word16 plainLen = sizeof(ssl->arrays->preMasterSecret);
@@ -7555,9 +7639,12 @@ int SetCipherList(Suites* s, const char* list)
ssl->arrays->preMasterSz = plainLen;
ret = MakeMasterSecret(ssl);
}
break;
#endif /* HAVE_NTRU */
#ifdef HAVE_ECC
} else if (ssl->specs.kea == ecc_diffie_hellman_kea) {
case ecc_diffie_hellman_kea:
{
word32 size;
word32 bLength = input[*inOutIdx]; /* one byte length */
*inOutIdx += 1;
@@ -7588,9 +7675,12 @@ int SetCipherList(Suites* s, const char* list)
return ECC_SHARED_ERROR;
ssl->arrays->preMasterSz = size;
ret = MakeMasterSecret(ssl);
}
break;
#endif /* HAVE_ECC */
#ifdef OPENSSL_EXTRA
} else if (ssl->specs.kea == diffie_hellman_kea) {
case diffie_hellman_kea:
{
byte* clientPub;
word16 clientPubSz;
DhKey dhKey;
@@ -7615,11 +7705,15 @@ int SetCipherList(Suites* s, const char* list)
FreeDhKey(&dhKey);
if (ret == 0)
ret = MakeMasterSecret(ssl);
#endif /* OPENSSL_EXTRA */
}
else {
break;
#endif /* OPENSSL_EXTRA */
default:
{
CYASSL_MSG("Bad kea type");
return BAD_KEA_TYPE_E;
ret = BAD_KEA_TYPE_E;
}
break;
}
if (ret == 0) {

5
src/keys.c
View File

@@ -1137,6 +1137,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
keys->peer_sequence_number = 0;
keys->encryptionOn = 0;
(void)rng;
(void)side;
(void)heap;
(void)enc;
(void)dec;
(void)specs;
return 0;
}

61
src/ssl.c
View File

@@ -309,6 +309,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
const unsigned char* g, int gSz)
{
byte havePSK = 0;
byte haveRSA = 1;
CYASSL_ENTER("CyaSSL_SetTmpDH");
if (ssl == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG;
@@ -344,8 +345,11 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
InitSuites(ssl->suites, ssl->version, ssl->options.haveDH,
havePSK, ssl->options.haveNTRU, ssl->options.haveECDSAsig,
#ifdef NO_RSA
haveRSA = 0;
#endif
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
CYASSL_LEAVE("CyaSSL_SetTmpDH", 0);
@@ -645,6 +649,7 @@ int CyaSSL_set_group_messages(CYASSL* ssl)
int CyaSSL_SetVersion(CYASSL* ssl, int version)
{
byte haveRSA = 1;
byte havePSK = 0;
CYASSL_ENTER("CyaSSL_SetVersion");
@@ -678,11 +683,14 @@ int CyaSSL_SetVersion(CYASSL* ssl, int version)
return BAD_FUNC_ARG;
}
#ifdef NO_RSA
haveRSA = 0;
#endif
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
InitSuites(ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
@@ -1256,6 +1264,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
}
if (type == PRIVATEKEY_TYPE && format != SSL_FILETYPE_RAW) {
#ifndef NO_RSA
if (!eccKey) {
/* make sure RSA key can be used */
RsaKey key;
@@ -1274,6 +1283,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
}
FreeRsaKey(&key);
}
#endif
#ifdef HAVE_ECC
if (eccKey ) {
/* make sure ECC key can be used */
@@ -2316,15 +2326,20 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list)
{
CYASSL_ENTER("CyaSSL_set_cipher_list");
if (SetCipherList(ssl->suites, list)) {
byte haveRSA = 1;
byte havePSK = 0;
#ifdef NO_RSA
haveRSA = 0;
#endif
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
InitSuites(ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
return SSL_SUCCESS;
}
@@ -2537,11 +2552,13 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
CYASSL_MSG("connect state: FIRST_REPLY_SECOND");
case FIRST_REPLY_SECOND :
#ifndef NO_RSA
if (ssl->options.sendVerify)
if ( (ssl->error = SendCertificateVerify(ssl)) != 0) {
CYASSL_ERROR(ssl->error);
return SSL_FATAL_ERROR;
}
#endif
ssl->options.connectState = FIRST_REPLY_THIRD;
CYASSL_MSG("connect state: FIRST_REPLY_THIRD");
@@ -3387,11 +3404,17 @@ int CyaSSL_set_compression(CYASSL* ssl)
void CyaSSL_set_psk_client_callback(CYASSL* ssl, psk_client_callback cb)
{
byte haveRSA = 1;
CYASSL_ENTER("SSL_set_psk_client_callback");
ssl->options.havePSK = 1;
ssl->options.client_psk_cb = cb;
InitSuites(ssl->suites, ssl->version,TRUE,TRUE, ssl->options.haveNTRU,
#ifdef NO_RSA
haveRSA = 0;
#endif
InitSuites(ssl->suites, ssl->version, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
}
@@ -3408,13 +3431,19 @@ int CyaSSL_set_compression(CYASSL* ssl)
void CyaSSL_set_psk_server_callback(CYASSL* ssl, psk_server_callback cb)
{
byte haveRSA = 1;
CYASSL_ENTER("SSL_set_psk_server_callback");
ssl->options.havePSK = 1;
ssl->options.server_psk_cb = cb;
InitSuites(ssl->suites, ssl->version, ssl->options.haveDH, TRUE,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
#ifdef NO_RSA
haveRSA = 0;
#endif
InitSuites(ssl->suites, ssl->version, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
}
@@ -3641,17 +3670,23 @@ int CyaSSL_set_compression(CYASSL* ssl)
void CyaSSL_set_accept_state(CYASSL* ssl)
{
byte haveRSA = 1;
byte havePSK = 0;
CYASSL_ENTER("SSL_set_accept_state");
ssl->options.side = SERVER_END;
/* reset suites in case user switched */
#ifdef NO_RSA
haveRSA = 0;
#endif
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
InitSuites(ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
}

25
tests/api.c
View File

@@ -39,10 +39,12 @@ static int test_CyaSSL_CTX_new(CYASSL_METHOD *method);
static int test_CyaSSL_CTX_use_certificate_file(void);
static int test_CyaSSL_CTX_use_PrivateKey_file(void);
static int test_CyaSSL_CTX_load_verify_locations(void);
#ifndef NO_RSA
static int test_server_CyaSSL_new(void);
static int test_client_CyaSSL_new(void);
static int test_CyaSSL_read_write(void);
#endif
#endif /* NO_RSA */
#endif /* NO_FILESYSTEM */
/* test function helpers */
static int test_method(CYASSL_METHOD *method, const char *name);
@@ -59,9 +61,9 @@ static int test_lvl(CYASSL_CTX *ctx, const char* file, const char* path,
THREAD_RETURN CYASSL_THREAD test_server_nofail(void*);
void test_client_nofail(void*);
static const char* bogusFile = "/dev/null";
#endif
static const char* bogusFile = "/dev/null";
#define testingFmt " %s:"
#define resultFmt " %s\n"
static const char* passed = "passed";
@@ -81,10 +83,12 @@ int ApiTest(void)
test_CyaSSL_CTX_use_certificate_file();
test_CyaSSL_CTX_use_PrivateKey_file();
test_CyaSSL_CTX_load_verify_locations();
#ifndef NO_RSA
test_server_CyaSSL_new();
test_client_CyaSSL_new();
test_CyaSSL_read_write();
#endif
#endif /* NO_RSA */
#endif /* NO_FILESYSTEM */
test_CyaSSL_Cleanup();
printf(" End API Tests\n");
@@ -245,6 +249,8 @@ int test_CyaSSL_CTX_use_certificate_file(void)
failure */
/* Then set the parameters to legit values but set each item to
bogus and call again. Finish with a successful success. */
/* If the build is configured to not have RSA, loading the
certificate files will fail. */
test_ucf(NULL, NULL, 9999, SSL_FAILURE,
"CyaSSL_CTX_use_certificate_file(NULL, NULL, 9999)");
@@ -254,8 +260,13 @@ int test_CyaSSL_CTX_use_certificate_file(void)
"CyaSSL_CTX_use_certificate_file(ctx, bogusFile, SSL_FILETYPE_PEM)");
test_ucf(ctx, svrCert, 9999, SSL_FAILURE,
"CyaSSL_CTX_use_certificate_file(ctx, svrCert, 9999)");
#ifndef NO_RSA
test_ucf(ctx, svrCert, SSL_FILETYPE_PEM, SSL_SUCCESS,
"CyaSSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM)");
#else
test_ucf(ctx, svrCert, SSL_FILETYPE_PEM, SSL_FAILURE,
"NO_RSA: CyaSSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM)");
#endif
CyaSSL_CTX_free(ctx);
return TEST_SUCCESS;
@@ -366,13 +377,20 @@ int test_CyaSSL_CTX_load_verify_locations(void)
/* Add a test for the certs directory path loading. */
/* There is a leak here. If you load a second cert, the first one
is lost. */
#ifndef NO_RSA
test_lvl(ctx, caCert, 0, SSL_SUCCESS,
"CyaSSL_CTX_load_verify_locations(ctx, caCert, 0)");
#else
test_lvl(ctx, caCert, 0, SSL_FAILURE,
"NO_RSA: CyaSSL_CTX_load_verify_locations(ctx, caCert, 0)");
#endif
CyaSSL_CTX_free(ctx);
return TEST_SUCCESS;
}
#ifndef NO_RSA
int test_server_CyaSSL_new(void)
{
int result;
@@ -564,6 +582,7 @@ static int test_CyaSSL_read_write(void)
return test_result;
};
#endif
THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args)
{

12
tests/suites.c
View File

@@ -103,7 +103,6 @@ static void test_harness(void* vargs)
char* comment;
const char* fname = "tests/test.conf";
if (args->argc == 1) {
printf("notice: using default file %s\n", fname);
}
@@ -227,6 +226,7 @@ int SuiteTest(void)
args.argv = myArgv;
strcpy(argv0[0], "SuiteTest");
#if !defined(NO_RSA)
/* default case */
args.argc = 1;
printf("starting default cipher suite tests\n");
@@ -235,6 +235,7 @@ int SuiteTest(void)
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#endif
/* any extra cases will need another argument */
args.argc = 2;
@@ -250,7 +251,7 @@ int SuiteTest(void)
}
#endif
#ifdef HAVE_NULL_CIPHER
#if !defined(NO_RSA) && defined(HAVE_NULL_CIPHER)
/* add rsa null cipher suites */
strcpy(argv0[1], "tests/test-null.conf");
printf("starting null cipher suite tests\n");
@@ -283,7 +284,7 @@ int SuiteTest(void)
}
#endif
#ifndef NO_PSK
#if !defined(NO_PSK) && !defined(NO_AES)
/* add psk extra suites */
strcpy(argv0[1], "tests/test-psk.conf");
printf("starting psk extra cipher suite tests\n");
@@ -292,7 +293,9 @@ int SuiteTest(void)
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#ifdef HAVE_NULL_CIPHER
#endif
#if !defined(NO_PSK) && defined(HAVE_NULL_CIPHER)
strcpy(argv0[1], "tests/test-psk-null.conf");
printf("starting psk extra null cipher suite tests\n");
test_harness(&args);
@@ -301,7 +304,6 @@ int SuiteTest(void)
exit(EXIT_FAILURE);
}
#endif
#endif
#ifdef HAVE_NTRU
/* add ntru extra suites */

2
tests/unit.c
View File

@@ -17,7 +17,7 @@ int main(int argc, char** argv)
(void)argc;
(void)argv;
printf("staring unit tests...\n");
printf("starting unit tests...\n");
if ( (ret = ApiTest()) != 0) {
printf("api test failed with %d\n", ret);