feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #2984 from julek-wolfssl/dtls-scr

Browse Source 
Add secure renegotiation to DTLS 1.2
This commit is contained in:
toddouska
2020-06-12 11:22:55 -07:00
committed by GitHub
parent 6166902f66 cab8dd3731
commit 1e07563411
15 changed files with 4374 additions and 432 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
examples/client/client.c
View File

@@ -3050,28 +3050,58 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
} else { } else {
if (!resumeScr) { if (!resumeScr) {
printf("Beginning secure rengotiation.\n"); printf("Beginning secure rengotiation.\n");
if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) { if ((ret = wolfSSL_Rehandshake(ssl)) != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0); err = wolfSSL_get_error(ssl, 0);
#ifdef WOLFSSL_ASYNC_CRYPT
while (err == WC_PENDING_E) {
err = 0;
ret = wolfSSL_negotiate(ssl);
if (ret != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0);
if (err == WC_PENDING_E) {
ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW);
if (ret < 0) break;
}
}
}
#endif
if (ret != WOLFSSL_SUCCESS) {
printf("err = %d, %s\n", err, printf("err = %d, %s\n", err,
wolfSSL_ERR_error_string(err, buffer)); wolfSSL_ERR_error_string(err, buffer));
wolfSSL_free(ssl); ssl = NULL; wolfSSL_free(ssl); ssl = NULL;
wolfSSL_CTX_free(ctx); ctx = NULL; wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("wolfSSL_Rehandshake failed"); err_sys("wolfSSL_Rehandshake failed");
} }
}
else { else {
printf("RENEGOTIATION SUCCESSFUL\n"); printf("RENEGOTIATION SUCCESSFUL\n");
} }
} }
else { else {
printf("Beginning secure resumption.\n"); printf("Beginning secure resumption.\n");
if (wolfSSL_SecureResume(ssl) != WOLFSSL_SUCCESS) { if ((ret = wolfSSL_SecureResume(ssl)) != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0); err = wolfSSL_get_error(ssl, 0);
#ifdef WOLFSSL_ASYNC_CRYPT
while (err == WC_PENDING_E) {
err = 0;
ret = wolfSSL_negotiate(ssl);
if (ret != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0);
if (err == WC_PENDING_E) {
ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW);
if (ret < 0) break;
}
}
}
#endif
if (ret != WOLFSSL_SUCCESS) {
printf("err = %d, %s\n", err, printf("err = %d, %s\n", err,
wolfSSL_ERR_error_string(err, buffer)); wolfSSL_ERR_error_string(err, buffer));
wolfSSL_free(ssl); ssl = NULL; wolfSSL_free(ssl); ssl = NULL;
wolfSSL_CTX_free(ctx); ctx = NULL; wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("wolfSSL_SecureResume failed"); err_sys("wolfSSL_SecureResume failed");
} }
}
else { else {
printf("SECURE RESUMPTION SUCCESSFUL\n"); printf("SECURE RESUMPTION SUCCESSFUL\n");
} }

17
examples/server/server.c
View File

@@ -2385,7 +2385,22 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
printf("not doing secure renegotiation on example with" printf("not doing secure renegotiation on example with"
" nonblocking yet\n"); " nonblocking yet\n");
} else { } else {
if (wolfSSL_Rehandshake(ssl) != WOLFSSL_SUCCESS) { if ((ret = wolfSSL_Rehandshake(ssl)) != WOLFSSL_SUCCESS) {
#ifdef WOLFSSL_ASYNC_CRYPT
err = wolfSSL_get_error(ssl, 0);
while (err == WC_PENDING_E) {
err = 0;
ret = wolfSSL_negotiate(ssl);
if (ret != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0);
if (err == WC_PENDING_E) {
ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW);
if (ret < 0) break;
}
}
}
if (ret != WOLFSSL_SUCCESS)
#endif
printf("not doing secure renegotiation\n"); printf("not doing secure renegotiation\n");
} }
else { else {

1129
src/internal.c
View File

File diff suppressed because it is too large Load Diff

101
src/keys.c
View File

@@ -3066,6 +3066,10 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
#ifdef HAVE_SECURE_RENEGOTIATION #ifdef HAVE_SECURE_RENEGOTIATION
if (ssl->secure_renegotiation && ssl->secure_renegotiation->cache_status) { if (ssl->secure_renegotiation && ssl->secure_renegotiation->cache_status) {
keys = &ssl->secure_renegotiation->tmp_keys; keys = &ssl->secure_renegotiation->tmp_keys;
#ifdef WOLFSSL_DTLS
/* For DTLS, copy is done in StoreKeys */
if (!ssl->options.dtls)
#endif
copy = 1; copy = 1;
} }
#endif /* HAVE_SECURE_RENEGOTIATION */ #endif /* HAVE_SECURE_RENEGOTIATION */
@@ -3141,6 +3145,15 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
ssl->heap, ssl->devId, ssl->rng, ssl->options.tls1_3); ssl->heap, ssl->devId, ssl->rng, ssl->options.tls1_3);
#ifdef HAVE_SECURE_RENEGOTIATION #ifdef HAVE_SECURE_RENEGOTIATION
#ifdef WOLFSSL_DTLS
if (ret == 0 && ssl->options.dtls) {
if (wc_encrypt)
wc_encrypt->src = keys == &ssl->keys ? KEYS : SCR;
if (wc_decrypt)
wc_decrypt->src = keys == &ssl->keys ? KEYS : SCR;
}
#endif
if (copy) { if (copy) {
int clientCopy = 0; int clientCopy = 0;
@@ -3217,11 +3230,26 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData, int side)
{ {
int sz, i = 0; int sz, i = 0;
Keys* keys = &ssl->keys; Keys* keys = &ssl->keys;
#ifdef WOLFSSL_DTLS
/* In case of DTLS, ssl->keys is updated here */
int scr_copy = 0;
#endif
#ifdef HAVE_SECURE_RENEGOTIATION #ifdef HAVE_SECURE_RENEGOTIATION
if (ssl->secure_renegotiation && ssl->secure_renegotiation->cache_status == if (ssl->secure_renegotiation &&
SCR_CACHE_NEEDED) { ssl->secure_renegotiation->cache_status == SCR_CACHE_NEEDED) {
keys = &ssl->secure_renegotiation->tmp_keys; keys = &ssl->secure_renegotiation->tmp_keys;
#ifdef WOLFSSL_DTLS
if (ssl->options.dtls) {
/* epoch is incremented after StoreKeys is called */
ssl->secure_renegotiation->tmp_keys.dtls_epoch = ssl->keys.dtls_epoch + 1;
/* we only need to copy keys on second and future renegotiations */
if (ssl->keys.dtls_epoch > 1)
scr_copy = 1;
ssl->encrypt.src = KEYS_NOT_SET;
ssl->decrypt.src = KEYS_NOT_SET;
}
#endif
CacheStatusPP(ssl->secure_renegotiation); CacheStatusPP(ssl->secure_renegotiation);
} }
#endif /* HAVE_SECURE_RENEGOTIATION */ #endif /* HAVE_SECURE_RENEGOTIATION */
@@ -3232,23 +3260,54 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData, int side)
if (ssl->specs.cipher_type != aead) { if (ssl->specs.cipher_type != aead) {
sz = ssl->specs.hash_size; sz = ssl->specs.hash_size;
#ifndef WOLFSSL_AEAD_ONLY #ifndef WOLFSSL_AEAD_ONLY
#ifdef WOLFSSL_DTLS
if (scr_copy) {
XMEMCPY(ssl->keys.client_write_MAC_secret,
keys->client_write_MAC_secret, sz);
XMEMCPY(ssl->keys.server_write_MAC_secret,
keys->server_write_MAC_secret, sz);
}
#endif
XMEMCPY(keys->client_write_MAC_secret,&keyData[i], sz); XMEMCPY(keys->client_write_MAC_secret,&keyData[i], sz);
XMEMCPY(keys->server_write_MAC_secret,&keyData[i], sz); XMEMCPY(keys->server_write_MAC_secret,&keyData[i], sz);
#endif #endif
i += sz; i += sz;
} }
sz = ssl->specs.key_size; sz = ssl->specs.key_size;
#ifdef WOLFSSL_DTLS
if (scr_copy) {
XMEMCPY(ssl->keys.client_write_key,
keys->client_write_key, sz);
XMEMCPY(ssl->keys.server_write_key,
keys->server_write_key, sz);
}
#endif
XMEMCPY(keys->client_write_key, &keyData[i], sz); XMEMCPY(keys->client_write_key, &keyData[i], sz);
XMEMCPY(keys->server_write_key, &keyData[i], sz); XMEMCPY(keys->server_write_key, &keyData[i], sz);
i += sz; i += sz;
sz = ssl->specs.iv_size; sz = ssl->specs.iv_size;
#ifdef WOLFSSL_DTLS
if (scr_copy) {
XMEMCPY(ssl->keys.client_write_IV,
keys->client_write_IV, sz);
XMEMCPY(ssl->keys.server_write_IV,
keys->server_write_IV, sz);
}
#endif
XMEMCPY(keys->client_write_IV, &keyData[i], sz); XMEMCPY(keys->client_write_IV, &keyData[i], sz);
XMEMCPY(keys->server_write_IV, &keyData[i], sz); XMEMCPY(keys->server_write_IV, &keyData[i], sz);
#ifdef HAVE_AEAD #ifdef HAVE_AEAD
if (ssl->specs.cipher_type == aead) { if (ssl->specs.cipher_type == aead) {
/* Initialize the AES-GCM/CCM explicit IV to a zero. */ /* Initialize the AES-GCM/CCM explicit IV to a zero. */
#ifdef WOLFSSL_DTLS
if (scr_copy) {
XMEMCPY(ssl->keys.aead_exp_IV,
keys->aead_exp_IV, AEAD_MAX_EXP_SZ);
}
#endif
XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ); XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ);
} }
#endif /* HAVE_AEAD */ #endif /* HAVE_AEAD */
@@ -3261,12 +3320,22 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData, int side)
sz = ssl->specs.hash_size; sz = ssl->specs.hash_size;
if (side & PROVISION_CLIENT) { if (side & PROVISION_CLIENT) {
#ifndef WOLFSSL_AEAD_ONLY #ifndef WOLFSSL_AEAD_ONLY
#ifdef WOLFSSL_DTLS
if (scr_copy)
XMEMCPY(ssl->keys.client_write_MAC_secret,
keys->client_write_MAC_secret, sz);
#endif
XMEMCPY(keys->client_write_MAC_secret,&keyData[i], sz); XMEMCPY(keys->client_write_MAC_secret,&keyData[i], sz);
#endif #endif
i += sz; i += sz;
} }
if (side & PROVISION_SERVER) { if (side & PROVISION_SERVER) {
#ifndef WOLFSSL_AEAD_ONLY #ifndef WOLFSSL_AEAD_ONLY
#ifdef WOLFSSL_DTLS
if (scr_copy)
XMEMCPY(ssl->keys.server_write_MAC_secret,
keys->server_write_MAC_secret, sz);
#endif
XMEMCPY(keys->server_write_MAC_secret,&keyData[i], sz); XMEMCPY(keys->server_write_MAC_secret,&keyData[i], sz);
#endif #endif
i += sz; i += sz;
@@ -3274,25 +3343,51 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData, int side)
} }
sz = ssl->specs.key_size; sz = ssl->specs.key_size;
if (side & PROVISION_CLIENT) { if (side & PROVISION_CLIENT) {
#ifdef WOLFSSL_DTLS
if (scr_copy)
XMEMCPY(ssl->keys.client_write_key,
keys->client_write_key, sz);
#endif
XMEMCPY(keys->client_write_key, &keyData[i], sz); XMEMCPY(keys->client_write_key, &keyData[i], sz);
i += sz; i += sz;
} }
if (side & PROVISION_SERVER) { if (side & PROVISION_SERVER) {
#ifdef WOLFSSL_DTLS
if (scr_copy)
XMEMCPY(ssl->keys.server_write_key,
keys->server_write_key, sz);
#endif
XMEMCPY(keys->server_write_key, &keyData[i], sz); XMEMCPY(keys->server_write_key, &keyData[i], sz);
i += sz; i += sz;
} }
sz = ssl->specs.iv_size; sz = ssl->specs.iv_size;
if (side & PROVISION_CLIENT) { if (side & PROVISION_CLIENT) {
#ifdef WOLFSSL_DTLS
if (scr_copy)
XMEMCPY(ssl->keys.client_write_IV,
keys->client_write_IV, sz);
#endif
XMEMCPY(keys->client_write_IV, &keyData[i], sz); XMEMCPY(keys->client_write_IV, &keyData[i], sz);
i += sz; i += sz;
} }
if (side & PROVISION_SERVER) if (side & PROVISION_SERVER) {
#ifdef WOLFSSL_DTLS
if (scr_copy)
XMEMCPY(ssl->keys.server_write_IV,
keys->server_write_IV, sz);
#endif
XMEMCPY(keys->server_write_IV, &keyData[i], sz); XMEMCPY(keys->server_write_IV, &keyData[i], sz);
}
#ifdef HAVE_AEAD #ifdef HAVE_AEAD
if (ssl->specs.cipher_type == aead) { if (ssl->specs.cipher_type == aead) {
/* Initialize the AES-GCM/CCM explicit IV to a zero. */ /* Initialize the AES-GCM/CCM explicit IV to a zero. */
#ifdef WOLFSSL_DTLS
if (scr_copy)
XMEMCPY(ssl->keys.aead_exp_IV,
keys->aead_exp_IV, AEAD_MAX_EXP_SZ);
#endif
XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ); XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ);
} }
#endif #endif

70
src/ssl.c
View File

@@ -1647,7 +1647,7 @@ int wolfSSL_GetOutputSize(WOLFSSL* ssl, int inSz)
if (inSz > maxSize) if (inSz > maxSize)
return INPUT_SIZE_E; return INPUT_SIZE_E;
return BuildMessage(ssl, NULL, 0, NULL, inSz, application_data, 0, 1, 0); return BuildMessage(ssl, NULL, 0, NULL, inSz, application_data, 0, 1, 0, CUR_ORDER);
} }
@@ -2706,6 +2706,7 @@ static int _Rehandshake(WOLFSSL* ssl)
} }
} }
ret = wolfSSL_negotiate(ssl); ret = wolfSSL_negotiate(ssl);
if (ret == WOLFSSL_SUCCESS)
ssl->secure_rene_count++; ssl->secure_rene_count++;
return ret; return ret;
} }
@@ -3228,6 +3229,57 @@ int wolfSSL_UseClientSuites(WOLFSSL* ssl)
return 0; return 0;
} }
#ifdef WOLFSSL_DTLS
const byte* wolfSSL_GetDtlsMacSecret(WOLFSSL* ssl, int verify, int epochOrder)
{
#ifndef WOLFSSL_AEAD_ONLY
Keys* keys = NULL;
(void)epochOrder;
if (ssl == NULL)
return NULL;
#ifdef HAVE_SECURE_RENEGOTIATION
switch (epochOrder) {
case PEER_ORDER:
if (IsDtlsMsgSCRKeys(ssl))
keys = &ssl->secure_renegotiation->tmp_keys;
else
keys = &ssl->keys;
break;
case PREV_ORDER:
keys = &ssl->keys;
break;
case CUR_ORDER:
if (DtlsUseSCRKeys(ssl))
keys = &ssl->secure_renegotiation->tmp_keys;
else
keys = &ssl->keys;
break;
default:
WOLFSSL_MSG("Unknown epoch order");
return NULL;
}
#else
keys = &ssl->keys;
#endif
if ( (ssl->options.side == WOLFSSL_CLIENT_END && !verify) ||
(ssl->options.side == WOLFSSL_SERVER_END && verify) )
return keys->client_write_MAC_secret;
else
return keys->server_write_MAC_secret;
#else
(void)ssl;
(void)verify;
(void)epochOrder;
return NULL;
#endif
}
#endif /* WOLFSSL_DTLS */
const byte* wolfSSL_GetMacSecret(WOLFSSL* ssl, int verify) const byte* wolfSSL_GetMacSecret(WOLFSSL* ssl, int verify)
{ {
#ifndef WOLFSSL_AEAD_ONLY #ifndef WOLFSSL_AEAD_ONLY
@@ -11713,6 +11765,14 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
} }
#endif /* WOLFSSL_DTLS */ #endif /* WOLFSSL_DTLS */
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_SECURE_RENEGOTIATION)
/* This may be necessary in async so that we don't try to
* renegotiate again */
if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) {
ssl->secure_renegotiation->startScr = 0;
}
#endif /* WOLFSSL_ASYNC_CRYPT && HAVE_SECURE_RENEGOTIATION */
WOLFSSL_LEAVE("SSL_connect()", WOLFSSL_SUCCESS); WOLFSSL_LEAVE("SSL_connect()", WOLFSSL_SUCCESS);
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
@@ -12094,6 +12154,14 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
} }
#endif /* WOLFSSL_DTLS */ #endif /* WOLFSSL_DTLS */
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_SECURE_RENEGOTIATION)
/* This may be necessary in async so that we don't try to
* renegotiate again */
if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) {
ssl->secure_renegotiation->startScr = 0;
}
#endif /* WOLFSSL_ASYNC_CRYPT && HAVE_SECURE_RENEGOTIATION */
#ifdef WOLFSSL_SESSION_EXPORT #ifdef WOLFSSL_SESSION_EXPORT
if (ssl->dtls_export) { if (ssl->dtls_export) {
if ((ssl->error = wolfSSL_send_session(ssl)) != 0) { if ((ssl->error = wolfSSL_send_session(ssl)) != 0) {

83
src/tls.c
View File

@@ -643,71 +643,6 @@ int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* msk, unsigned int len,
} }
static WC_INLINE void GetSEQIncrement(WOLFSSL* ssl, int verify, word32 seq[2])
{
if (verify) {
seq[0] = ssl->keys.peer_sequence_number_hi;
seq[1] = ssl->keys.peer_sequence_number_lo++;
if (seq[1] > ssl->keys.peer_sequence_number_lo) {
/* handle rollover */
ssl->keys.peer_sequence_number_hi++;
}
}
else {
seq[0] = ssl->keys.sequence_number_hi;
seq[1] = ssl->keys.sequence_number_lo++;
if (seq[1] > ssl->keys.sequence_number_lo) {
/* handle rollover */
ssl->keys.sequence_number_hi++;
}
}
}
#ifdef WOLFSSL_DTLS
static WC_INLINE void DtlsGetSEQ(WOLFSSL* ssl, int order, word32 seq[2])
{
if (order == PREV_ORDER) {
/* Previous epoch case */
seq[0] = (((word32)ssl->keys.dtls_epoch - 1) << 16) |
(ssl->keys.dtls_prev_sequence_number_hi & 0xFFFF);
seq[1] = ssl->keys.dtls_prev_sequence_number_lo;
}
else if (order == PEER_ORDER) {
seq[0] = ((word32)ssl->keys.curEpoch << 16) |
(ssl->keys.curSeq_hi & 0xFFFF);
seq[1] = ssl->keys.curSeq_lo; /* explicit from peer */
}
else {
seq[0] = ((word32)ssl->keys.dtls_epoch << 16) |
(ssl->keys.dtls_sequence_number_hi & 0xFFFF);
seq[1] = ssl->keys.dtls_sequence_number_lo;
}
}
#endif /* WOLFSSL_DTLS */
static WC_INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
{
word32 seq[2] = {0, 0};
if (!ssl->options.dtls) {
GetSEQIncrement(ssl, verifyOrder, seq);
}
else {
#ifdef WOLFSSL_DTLS
DtlsGetSEQ(ssl, verifyOrder, seq);
#endif
}
c32toa(seq[0], out);
c32toa(seq[1], out + OPAQUE32_LEN);
}
/*** end copy ***/
/* return HMAC digest type in wolfSSL format */ /* return HMAC digest type in wolfSSL format */
int wolfSSL_GetHmacType(WOLFSSL* ssl) int wolfSSL_GetHmacType(WOLFSSL* ssl)
{ {
@@ -1169,11 +1104,12 @@ static int Hmac_UpdateFinal(Hmac* hmac, byte* digest, const byte* in,
#endif #endif
int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz, int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz,
int content, int verify) int content, int verify, int epochOrder)
{ {
Hmac hmac; Hmac hmac;
byte myInner[WOLFSSL_TLS_HMAC_INNER_SZ]; byte myInner[WOLFSSL_TLS_HMAC_INNER_SZ];
int ret = 0; int ret = 0;
const byte* macSecret = NULL;
word32 hashSz = 0; word32 hashSz = 0;
if (ssl == NULL) if (ssl == NULL)
@@ -1199,7 +1135,10 @@ int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz,
} }
#endif #endif
if (!ssl->options.dtls)
wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify); wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify);
else
wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, epochOrder);
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
if (tsip_useable(ssl)) { if (tsip_useable(ssl)) {
@@ -1219,9 +1158,19 @@ int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz,
if (ret != 0) if (ret != 0)
return ret; return ret;
#ifdef WOLFSSL_DTLS
if (ssl->options.dtls)
macSecret = wolfSSL_GetDtlsMacSecret(ssl, verify, epochOrder);
else
macSecret = wolfSSL_GetMacSecret(ssl, verify);
#else
macSecret = wolfSSL_GetMacSecret(ssl, verify);
#endif
ret = wc_HmacSetKey(&hmac, wolfSSL_GetHmacType(ssl), ret = wc_HmacSetKey(&hmac, wolfSSL_GetHmacType(ssl),
wolfSSL_GetMacSecret(ssl, verify), macSecret,
ssl->specs.hash_size); ssl->specs.hash_size);
if (ret == 0) { if (ret == 0) {
/* Constant time verification required. */ /* Constant time verification required. */
if (verify && padSz >= 0) { if (verify && padSz >= 0) {

4
src/tls13.c
View File

@@ -1474,7 +1474,7 @@ static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
* verifyOrder Which set of sequence numbers to use. * verifyOrder Which set of sequence numbers to use.
* out The buffer to write into. * out The buffer to write into.
*/ */
static WC_INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out) static WC_INLINE void WriteSEQTls13(WOLFSSL* ssl, int verifyOrder, byte* out)
{ {
word32 seq[2] = {0, 0}; word32 seq[2] = {0, 0};
@@ -1510,7 +1510,7 @@ static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
int i; int i;
/* The nonce is the IV with the sequence XORed into the last bytes. */ /* The nonce is the IV with the sequence XORed into the last bytes. */
WriteSEQ(ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ); WriteSEQTls13(ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ);
for (i = 0; i < AEAD_NONCE_SZ - SEQ_SZ; i++) for (i = 0; i < AEAD_NONCE_SZ - SEQ_SZ; i++)
nonce[i] = iv[i]; nonce[i] = iv[i];
for (; i < AEAD_NONCE_SZ; i++) for (; i < AEAD_NONCE_SZ; i++)

4
src/wolfio.c
View File

@@ -318,7 +318,9 @@ int EmbedReceiveFrom(WOLFSSL *ssl, char *buf, int sz, void *ctx)
WOLFSSL_ENTER("EmbedReceiveFrom()"); WOLFSSL_ENTER("EmbedReceiveFrom()");
if (ssl->options.handShakeDone) /* Don't use ssl->options.handShakeDone since it is true even if
* we are in the process of renegotiation */
if (ssl->options.handShakeState == HANDSHAKE_DONE)
dtls_timeout = 0; dtls_timeout = 0;
if (!wolfSSL_get_using_nonblock(ssl)) { if (!wolfSSL_get_using_nonblock(ssl)) {

3
tests/include.am
View File

@@ -31,6 +31,9 @@ EXTRA_DIST += tests/test.conf \
tests/test-psk-no-id.conf \ tests/test-psk-no-id.conf \
tests/test-psk-no-id-sha2.conf \ tests/test-psk-no-id-sha2.conf \
tests/test-dtls.conf \ tests/test-dtls.conf \
tests/test-dtls-group.conf \
tests/test-dtls-reneg-client.conf \
tests/test-dtls-reneg-server.conf \
tests/test-dtls-sha2.conf \ tests/test-dtls-sha2.conf \
tests/test-sctp.conf \ tests/test-sctp.conf \
tests/test-sctp-sha2.conf \ tests/test-sctp-sha2.conf \

28
tests/suites.c
View File

@@ -822,6 +822,34 @@ int SuiteTest(int argc, char** argv)
args.return_code = EXIT_FAILURE; args.return_code = EXIT_FAILURE;
goto exit; goto exit;
} }
/* add dtls grouping suites */
strcpy(argv0[1], "tests/test-dtls-group.conf");
printf("starting dtls message grouping tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
args.return_code = EXIT_FAILURE;
goto exit;
}
#ifdef HAVE_SECURE_RENEGOTIATION
/* add dtls renegotiation tests */
strcpy(argv0[1], "tests/test-dtls-reneg-client.conf");
printf("starting dtls secure renegotiation client tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
args.return_code = EXIT_FAILURE;
goto exit;
}
strcpy(argv0[1], "tests/test-dtls-reneg-server.conf");
printf("starting dtls secure renegotiation server tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
args.return_code = EXIT_FAILURE;
goto exit;
}
#endif
#ifdef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES #ifdef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
/* add dtls extra suites */ /* add dtls extra suites */
strcpy(argv0[1], "tests/test-dtls-sha2.conf"); strcpy(argv0[1], "tests/test-dtls-sha2.conf");

1045
tests/test-dtls-group.conf Normal file
View File

File diff suppressed because it is too large Load Diff

1045
tests/test-dtls-reneg-client.conf Normal file
View File

File diff suppressed because it is too large Load Diff

1045
tests/test-dtls-reneg-server.conf Normal file
View File

File diff suppressed because it is too large Load Diff

57
wolfssl/internal.h
View File

@@ -3003,6 +3003,13 @@ enum CipherType { aead };
#define CIPHER_NONCE #define CIPHER_NONCE
#endif #endif
#if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
enum CipherSrc {
KEYS_NOT_SET = 0,
KEYS, /* keys from ssl->keys are loaded */
SCR /* keys from ssl->secure_renegotiation->tmp_keys are loaded */
};
#endif
/* cipher for now */ /* cipher for now */
typedef struct Ciphers { typedef struct Ciphers {
@@ -3042,6 +3049,10 @@ typedef struct Ciphers {
#endif #endif
byte state; byte state;
byte setup; /* have we set it up flag for detection */ byte setup; /* have we set it up flag for detection */
#if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
enum CipherSrc src; /* DTLS uses this to determine which keys
* are currently loaded */
#endif
} Ciphers; } Ciphers;
@@ -3177,7 +3188,7 @@ WOLFSSL_SESSION* GetSession(WOLFSSL*, byte*, byte);
WOLFSSL_LOCAL WOLFSSL_LOCAL
int SetSession(WOLFSSL*, WOLFSSL_SESSION*); int SetSession(WOLFSSL*, WOLFSSL_SESSION*);
typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int, int); typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int, int, int);
#ifndef NO_CLIENT_CACHE #ifndef NO_CLIENT_CACHE
WOLFSSL_SESSION* GetSessionClient(WOLFSSL*, const byte*, int); WOLFSSL_SESSION* GetSessionClient(WOLFSSL*, const byte*, int);
@@ -3734,6 +3745,7 @@ typedef struct DtlsMsg {
byte* msg; byte* msg;
DtlsFrag* fragList; DtlsFrag* fragList;
word32 fragSz; /* Length of fragments received */ word32 fragSz; /* Length of fragments received */
word16 epoch; /* Epoch that this message belongs to */
word32 seq; /* Handshake sequence number */ word32 seq; /* Handshake sequence number */
word32 sz; /* Length of whole message */ word32 sz; /* Length of whole message */
byte type; byte type;
@@ -3803,6 +3815,20 @@ typedef struct HS_Hashes {
} HS_Hashes; } HS_Hashes;
#ifndef WOLFSSL_NO_TLS12
/* Persistable BuildMessage arguments */
typedef struct BuildMsgArgs {
word32 digestSz;
word32 sz;
word32 pad;
word32 idx;
word32 headerSz;
word16 size;
word32 ivSz; /* TLSv1.1 IV */
byte* iv;
} BuildMsgArgs;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
#define MAX_ASYNC_ARGS 18 #define MAX_ASYNC_ARGS 18
typedef void (*FreeArgsCb)(struct WOLFSSL* ssl, void* pArgs); typedef void (*FreeArgsCb)(struct WOLFSSL* ssl, void* pArgs);
@@ -3811,6 +3837,7 @@ typedef struct HS_Hashes {
WC_ASYNC_DEV* dev; WC_ASYNC_DEV* dev;
FreeArgsCb freeArgs; /* function pointer to cleanup args */ FreeArgsCb freeArgs; /* function pointer to cleanup args */
word32 args[MAX_ASYNC_ARGS]; /* holder for current args */ word32 args[MAX_ASYNC_ARGS]; /* holder for current args */
BuildMsgArgs buildArgs; /* holder for current BuildMessage args */
}; };
#endif #endif
@@ -4451,7 +4478,7 @@ WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
WOLFSSL_LOCAL int MakeTlsMasterSecret(WOLFSSL*); WOLFSSL_LOCAL int MakeTlsMasterSecret(WOLFSSL*);
#ifndef WOLFSSL_AEAD_ONLY #ifndef WOLFSSL_AEAD_ONLY
WOLFSSL_LOCAL int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, WOLFSSL_LOCAL int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in,
word32 sz, int padSz, int content, int verify); word32 sz, int padSz, int content, int verify, int epochOrder);
#endif #endif
#endif #endif
@@ -4473,24 +4500,30 @@ WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
WOLFSSL_LOCAL DtlsMsg* DtlsMsgNew(word32, void*); WOLFSSL_LOCAL DtlsMsg* DtlsMsgNew(word32, void*);
WOLFSSL_LOCAL void DtlsMsgDelete(DtlsMsg*, void*); WOLFSSL_LOCAL void DtlsMsgDelete(DtlsMsg*, void*);
WOLFSSL_LOCAL void DtlsMsgListDelete(DtlsMsg*, void*); WOLFSSL_LOCAL void DtlsMsgListDelete(DtlsMsg*, void*);
WOLFSSL_LOCAL int DtlsMsgSet(DtlsMsg*, word32, const byte*, byte, WOLFSSL_LOCAL void DtlsTxMsgListClean(WOLFSSL* ssl);
WOLFSSL_LOCAL int DtlsMsgSet(DtlsMsg*, word32, word16, const byte*, byte,
word32, word32, void*); word32, word32, void*);
WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32); WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32, word32);
WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL*, word32, const byte*, word32, WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL*, word32, word32, const byte*, word32,
byte, word32, word32, void*); byte, word32, word32, void*);
WOLFSSL_LOCAL DtlsMsg* DtlsMsgInsert(DtlsMsg*, DtlsMsg*); WOLFSSL_LOCAL DtlsMsg* DtlsMsgInsert(DtlsMsg*, DtlsMsg*);
WOLFSSL_LOCAL int DtlsMsgPoolSave(WOLFSSL*, const byte*, word32); WOLFSSL_LOCAL int DtlsMsgPoolSave(WOLFSSL*, const byte*, word32, enum HandShakeType);
WOLFSSL_LOCAL int DtlsMsgPoolTimeout(WOLFSSL*); WOLFSSL_LOCAL int DtlsMsgPoolTimeout(WOLFSSL*);
WOLFSSL_LOCAL int VerifyForDtlsMsgPoolSend(WOLFSSL*, byte, word32); WOLFSSL_LOCAL int VerifyForDtlsMsgPoolSend(WOLFSSL*, byte, word32);
WOLFSSL_LOCAL int VerifyForTxDtlsMsgDelete(WOLFSSL* ssl, DtlsMsg* head);
WOLFSSL_LOCAL void DtlsMsgPoolReset(WOLFSSL*); WOLFSSL_LOCAL void DtlsMsgPoolReset(WOLFSSL*);
WOLFSSL_LOCAL int DtlsMsgPoolSend(WOLFSSL*, int); WOLFSSL_LOCAL int DtlsMsgPoolSend(WOLFSSL*, int);
#endif /* WOLFSSL_DTLS */ #endif /* WOLFSSL_DTLS */
#ifndef NO_TLS #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
WOLFSSL_LOCAL int DtlsSCRKeysSet(WOLFSSL* ssl);
WOLFSSL_LOCAL int IsDtlsMsgSCRKeys(WOLFSSL* ssl);
WOLFSSL_LOCAL int DtlsUseSCRKeys(WOLFSSL* ssl);
WOLFSSL_LOCAL int DtlsCheckOrder(WOLFSSL* ssl, int order);
#endif
WOLFSSL_LOCAL void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out);
#endif /* NO_TLS */
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
WOLFSSL_LOCAL word32 TimeNowInMilliseconds(void); WOLFSSL_LOCAL word32 TimeNowInMilliseconds(void);
@@ -4585,9 +4618,13 @@ WOLFSSL_LOCAL int SetDhExternal(WOLFSSL_DH *dh);
WOLFSSL_LOCAL int InitHandshakeHashes(WOLFSSL* ssl); WOLFSSL_LOCAL int InitHandshakeHashes(WOLFSSL* ssl);
WOLFSSL_LOCAL void FreeHandshakeHashes(WOLFSSL* ssl); WOLFSSL_LOCAL void FreeHandshakeHashes(WOLFSSL* ssl);
#ifndef WOLFSSL_NO_TLS12
WOLFSSL_LOCAL void FreeBuildMsgArgs(WOLFSSL* ssl, BuildMsgArgs* args);
#endif
WOLFSSL_LOCAL int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, WOLFSSL_LOCAL int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
const byte* input, int inSz, int type, int hashOutput, const byte* input, int inSz, int type, int hashOutput,
int sizeOnly, int asyncOkay); int sizeOnly, int asyncOkay, int epochOrder);
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input, int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,

1
wolfssl/ssl.h
View File

@@ -2431,6 +2431,7 @@ WOLFSSL_API void wolfSSL_SetVerifyDecryptCtx(WOLFSSL* ssl, void *ctx);
WOLFSSL_API void* wolfSSL_GetVerifyDecryptCtx(WOLFSSL* ssl); WOLFSSL_API void* wolfSSL_GetVerifyDecryptCtx(WOLFSSL* ssl);
WOLFSSL_API const unsigned char* wolfSSL_GetMacSecret(WOLFSSL*, int); WOLFSSL_API const unsigned char* wolfSSL_GetMacSecret(WOLFSSL*, int);
WOLFSSL_API const unsigned char* wolfSSL_GetDtlsMacSecret(WOLFSSL*, int, int);
WOLFSSL_API const unsigned char* wolfSSL_GetClientWriteKey(WOLFSSL*); WOLFSSL_API const unsigned char* wolfSSL_GetClientWriteKey(WOLFSSL*);
WOLFSSL_API const unsigned char* wolfSSL_GetClientWriteIV(WOLFSSL*); WOLFSSL_API const unsigned char* wolfSSL_GetClientWriteIV(WOLFSSL*);
WOLFSSL_API const unsigned char* wolfSSL_GetServerWriteKey(WOLFSSL*); WOLFSSL_API const unsigned char* wolfSSL_GetServerWriteKey(WOLFSSL*);