feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix no ECC builds with TLS13 code.

Browse Source 
Fix tests so that having ECC disabled works as well.
Fix define protection for Draft 18 and HRR Cookie.
This commit is contained in:
Sean Parkinson
2017-10-20 11:24:20 +10:00
committed by David Garske
parent 8a01d725da
commit 323db1a95d
10 changed files with 125 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
configure.ac
View File

@@ -285,11 +285,7 @@ fi
if test "$ENABLED_TLS13" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS $AM_CFLAGS"
if test "$ENABLED_DH" = "yes"
then
AM_CFLAGS="-DHAVE_FFDHE_2048 $AM_CFLAGS"
fi
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
fi
# check if TLS v1.3 was enabled for conditionally running tls13.test script
@@ -1512,6 +1508,11 @@ else
fi
fi
if test "$ENABLED_TLS13" = "yes" && test "$ENABLED_DH" = "yes"
then
AM_CFLAGS="-DHAVE_FFDHE_2048 $AM_CFLAGS"
fi
AM_CONDITIONAL([BUILD_DH], [test "x$ENABLED_DH" = "xyes"])

31
scripts/tls13.test
View File

@@ -175,21 +175,24 @@ if [ $RESULT -ne 0 ]; then
fi
echo ""
# Usual TLS v1.3 server / TLS v1.3 client and ECC certificates.
echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC certificates"
port=0
./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\n\nTLS v1.3 ECC certificates not working"
do_cleanup
exit 1
./examples/client/client -v 4 -e 2>&1 | grep -- '-ECC'
if [ $? -eq 0 ]; then
# Usual TLS v1.3 server / TLS v1.3 client and ECC certificates.
echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC certificates"
port=0
./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\n\nTLS v1.3 ECC certificates not working"
do_cleanup
exit 1
fi
echo ""
fi
echo ""
# Usual TLS v1.3 server / TLS v1.3 client and no client certificate.
echo -e "\n\nTLS v1.3 server with TLS v1.3 client - no client cretificate"

2
src/internal.c
View File

@@ -22014,7 +22014,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
}
#ifdef HAVE_SUPPORTED_CURVES
#if defined(HAVE_SUPPORTED_CURVES) && defined(HAVE_ECC)
if (!TLSX_ValidateSupportedCurves(ssl, first, second)) {
WOLFSSL_MSG("Don't have matching curves");
return 0;

20
src/tls.c
View File

@@ -2818,7 +2818,7 @@ int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
#ifdef HAVE_SUPPORTED_CURVES
#ifndef HAVE_ECC
#if !defined(HAVE_ECC) && !defined(WOLFSSL_TLS13)
#error Elliptic Curves Extension requires Elliptic Curve Cryptography. \
Use --enable-ecc in the configure script or define HAVE_ECC.
#endif
@@ -3077,6 +3077,7 @@ static int TLSX_PointFormat_Parse(WOLFSSL* ssl, byte* input, word16 length,
return 0;
}
#ifdef HAVE_ECC
int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE)
? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
@@ -3366,6 +3367,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
return sig && key;
}
#endif
#endif /* NO_WOLFSSL_SERVER */
@@ -5200,6 +5202,7 @@ static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
while ((current = list) != NULL) {
list = current->next;
#ifdef HAVE_ECC
if ((current->group & NAMED_DH_MASK) == 0) {
if (current->group == WOLFSSL_ECC_X25519) {
#ifdef HAVE_CURVE25519
@@ -5212,6 +5215,7 @@ static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
#endif
}
}
#endif
XFREE(current->key, heap, DYNAMIC_TYPE_PRIVATE_KEY);
XFREE(current->ke, heap, DYNAMIC_TYPE_PUBLIC_KEY);
XFREE(current, heap, DYNAMIC_TYPE_TLSX);
@@ -7759,18 +7763,18 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
#endif
if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
!defined(NO_ECC_SECP)
#if defined(HAVE_ECC) && (!defined(NO_ECC256) || \
defined(HAVE_ALL_CURVES)) && !defined(NO_ECC_SECP)
ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP256R1, 0, NULL,
NULL);
#elif defined(HAVE_CURVE25519)
#elif defined(HAVE_ECC) && defined(HAVE_CURVE25519)
ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_X25519, 0, NULL, NULL);
#elif (!defined(NO_ECC384) || defined(HAVE_ALL_CURVES)) && \
!defined(NO_ECC_SECP)
#elif defined(HAVE_ECC) && (!defined(NO_ECC384) || \
defined(HAVE_ALL_CURVES)) && !defined(NO_ECC_SECP)
ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP384R1, 0, NULL,
NULL);
#elif (!defined(NO_ECC521) || defined(HAVE_ALL_CURVES)) && \
!defined(NO_ECC_SECP)
#elif defined(HAVE_ECC) && (!defined(NO_ECC521) || \
defined(HAVE_ALL_CURVES)) && !defined(NO_ECC_SECP)
ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP521R1, 0, NULL,
NULL);
#elif defined(HAVE_FFDHE_2048)

2
src/tls13.c
View File

@@ -3325,7 +3325,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->version.minor = pv.minor;
}
#ifdef WOLFSSL_SEND_HRR_COOKIE
#if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE)
if (ssl->options.sendCookie &&
ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
TLSX* ext;

10
tests/api.c
View File

@@ -10721,6 +10721,7 @@ static int test_tls13_apis(void)
WOLFSSL_SUCCESS);
#endif
#ifdef HAVE_ECC
AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_SECP256R1),
SIDE_ERROR);
@@ -10728,6 +10729,15 @@ static int test_tls13_apis(void)
WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1),
WOLFSSL_SUCCESS);
#else
AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_SECP256R1),
SIDE_ERROR);
AssertIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_SECP256R1),
NOT_COMPILED_IN);
AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1),
NOT_COMPILED_IN);
#endif
AssertIntEQ(wolfSSL_NoKeyShares(NULL), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_NoKeyShares(serverSsl), SIDE_ERROR);

1
tests/include.am
View File

@@ -21,6 +21,7 @@ endif
EXTRA_DIST += tests/unit.h
EXTRA_DIST += tests/test.conf \
tests/test-tls13.conf \
tests/test-tls13-ecc.conf \
tests/test-qsh.conf \
tests/test-psk-no-id.conf \
tests/test-dtls.conf \

10
tests/suites.c
View File

@@ -577,6 +577,16 @@ int SuiteTest(void)
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#ifdef HAVE_ECC
/* add TLSv13 ECC extra suites */
strcpy(argv0[1], "tests/test-tls13-ecc.conf");
printf("starting TLSv13 ECC extra cipher suite tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#endif
#endif
#if defined(HAVE_CURVE25519) && defined(HAVE_ED25519)
/* add ED25519 certificate cipher suite tests */

67
tests/test-tls13-ecc.conf Normal file
View File

@@ -0,0 +1,67 @@
# server TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
-v 4
-l TLS13-CHACH20-POLY1305-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
-v 4
-l TLS13-CHACH20-POLY1305-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
-t

67
tests/test-tls13.conf
View File

@@ -38,73 +38,6 @@
-v 4
-l TLS13-AES128-CCM-8-SHA256
# server TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
-v 4
-l TLS13-CHACH20-POLY1305-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
-v 4
-l TLS13-CHACH20-POLY1305-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
-t
# server TLSv1.3 accepting EarlyData
-v 4
-l TLS13-AES128-GCM-SHA256