From 41de1bb156ca800c5783687de309a8187fda4a72 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 14 Nov 2019 18:15:04 +0100 Subject: [PATCH] WIP --- configure.ac | 3 +- src/ssl.c | 90 ++++++++++++++++++++++++++++++++++++++ tests/api.c | 5 +++ wolfcrypt/src/dsa.c | 8 ---- wolfssl/openssl/bn.h | 2 + wolfssl/openssl/dsa.h | 20 +++++++++ wolfssl/openssl/evp.h | 3 ++ wolfssl/openssl/opensslv.h | 5 ++- wolfssl/openssl/ssl.h | 6 +++ wolfssl/ssl.h | 3 ++ wolfssl/wolfcrypt/asn.h | 4 +- wolfssl/wolfcrypt/dsa.h | 5 +++ 12 files changed, 142 insertions(+), 12 deletions(-) diff --git a/configure.ac b/configure.ac index 7ad86ed65..b606e3059 100644 --- a/configure.ac +++ b/configure.ac @@ -426,7 +426,7 @@ AC_ARG_ENABLE([mcast], # List of open source project defines using our openssl compatibility layer: -# openssh (--enable-openssh) +# openssh (--enable-openssh) WOLFSSL_OPENSSH # openvpn (--enable-openvpn) # nginix (--enable-nginx) WOLFSSL_NGINX # haproxy (--enable-haproxy) WOLFSSL_HAPROXY @@ -500,6 +500,7 @@ fi if test "$ENABLED_OPENSSH" = "yes" then ENABLED_FORTRESS="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OPENSSH" fi #Qt Support diff --git a/src/ssl.c b/src/ssl.c index 7bb58e1fd..a4cac156c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16553,6 +16553,15 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) return WOLFSSL_FAILURE; ret = wolfSSL_EVP_CIPHER_CTX_set_iv_length(ctx, arg); break; + case EVP_CTRL_AEAD_SET_IV_FIXED: + /* arg=-1 copies ctx->ivSz from ptr */ + if (arg == -1) { + ret = wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, ptr, ctx->ivSz); + } + else { + ret = wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, ptr, arg); + } + break; case EVP_CTRL_AEAD_SET_TAG: if(arg <= 0 || arg > 16 || (ptr == NULL)) return WOLFSSL_FAILURE; @@ -17125,6 +17134,26 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) return WOLFSSL_SUCCESS; } + + /* returns WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE */ + int wolfSSL_EVP_CIPHER_CTX_set_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* iv, + int ivLen) + { + WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_set_iv_length"); + if (!ctx || !iv +#ifndef NO_AES + || ivLen != AES_BLOCK_SIZE +#elif !defined(NO_DES3) + || ivLen != DES_BLOCK_SIZE +#endif + ) { + return WOLFSSL_FAILURE; + } + XMEMCPY(ctx->iv, iv, ivLen); + ctx->ivSz= ivLen; + + return WOLFSSL_SUCCESS; + } #endif /* WOLFSSL_SUCCESS on ok */ @@ -30557,6 +30586,30 @@ int wolfSSL_DSA_generate_parameters_ex(WOLFSSL_DSA* dsa, int bits, return ret; } +WOLFSSL_DSA_SIG* wolfSSL_DSA_SIG_new(void) +{ + WOLFSSL_DSA_SIG* sig; + WOLFSSL_ENTER("wolfSSL_DSA_SIG_new"); + sig = (WOLFSSL_DSA_SIG*)XMALLOC(sizeof(WOLFSSL_DSA_SIG), NULL, DYNAMIC_TYPE_OPENSSL); + if (sig) + XMEMSET(sig, 0, sizeof(WOLFSSL_DSA_SIG)); + return sig; +} + +void wolfSSL_DSA_SIG_free(WOLFSSL_DSA_SIG *sig) +{ + WOLFSSL_ENTER("wolfSSL_DSA_SIG_free"); + if (sig) { + if (sig->r) { + wolfSSL_BN_free(sig->r); + } + if (sig->s) { + wolfSSL_BN_free(sig->s); + } + XFREE(sig, NULL, DYNAMIC_TYPE_OPENSSL); + } +} + /* return WOLFSSL_SUCCESS on success, < 0 otherwise */ int wolfSSL_DSA_do_sign(const unsigned char* d, unsigned char* sigRet, WOLFSSL_DSA* dsa) @@ -30621,6 +30674,43 @@ int wolfSSL_DSA_do_sign(const unsigned char* d, unsigned char* sigRet, return ret; } +WOLFSSL_DSA_SIG* wolfSSL_DSA_do_sign_ex(const unsigned char* digest, + int outLen, WOLFSSL_DSA* dsa) +{ + WOLFSSL_DSA_SIG* sig = NULL; + byte sigBin[DSA_SIG_SIZE]; + + WOLFSSL_ENTER("wolfSSL_DSA_do_sign_ex"); + + if (digest == NULL || dsa == NULL || outLen != WC_SHA_DIGEST_SIZE) { + WOLFSSL_MSG("Bad function arguments"); + return NULL; + } + + if (wolfSSL_DSA_do_sign(digest, sigBin, dsa) != WOLFSSL_SUCCESS) { + return NULL; + } + + if (!(sig = wolfSSL_DSA_SIG_new())) { + goto error; + } + + if (!(sig->r = wolfSSL_BN_bin2bn(sigBin, DSA_HALF_SIZE, NULL))) { + goto error; + } + + if (!(sig->s = wolfSSL_BN_bin2bn(sigBin+DSA_HALF_SIZE, DSA_HALF_SIZE, NULL))) { + goto error; + } + + return sig; +error: + if (sig) { + wolfSSL_DSA_SIG_free(sig); + } + return NULL; +} + int wolfSSL_DSA_do_verify(const unsigned char* d, unsigned char* sig, WOLFSSL_DSA* dsa, int *dsacheck) diff --git a/tests/api.c b/tests/api.c index 3b67e66c8..b3b41bad5 100644 --- a/tests/api.c +++ b/tests/api.c @@ -20089,6 +20089,8 @@ static void test_wolfSSL_tmp_dh(void) BIO* bio; SSL* ssl; SSL_CTX* ctx; + unsigned char digest[WC_SHA_DIGEST_SIZE] = {202}; // initialize to anything + DSA_SIG* sig; printf(testingFmt, "wolfSSL_tmp_dh()"); @@ -20115,6 +20117,9 @@ static void test_wolfSSL_tmp_dh(void) dh = wolfSSL_DSA_dup_DH(dsa); AssertNotNull(dh); + AssertNotNull(sig = DSA_do_sign(digest, WC_SHA_DIGEST_SIZE, dsa)); + DSA_SIG_free(sig); + AssertIntEQ((int)SSL_CTX_set_tmp_dh(ctx, dh), WOLFSSL_SUCCESS); #ifndef NO_WOLFSSL_SERVER AssertIntEQ((int)SSL_set_tmp_dh(ssl, dh), WOLFSSL_SUCCESS); diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c index b9183f8ca..4b83a571d 100644 --- a/wolfcrypt/src/dsa.c +++ b/wolfcrypt/src/dsa.c @@ -42,14 +42,6 @@ #include #endif - -enum { - DSA_HALF_SIZE = 20, /* r and s size */ - DSA_SIG_SIZE = 40 /* signature size */ -}; - - - int wc_InitDsaKey(DsaKey* key) { if (key == NULL) diff --git a/wolfssl/openssl/bn.h b/wolfssl/openssl/bn.h index 853106a7a..067d873d7 100644 --- a/wolfssl/openssl/bn.h +++ b/wolfssl/openssl/bn.h @@ -196,6 +196,8 @@ typedef WOLFSSL_BN_GENCB BN_GENCB; #define BN_mod_inverse wolfSSL_BN_mod_inverse +#define BN_set_flags(x1, x2) + #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L #define BN_get_rfc2409_prime_768 wolfSSL_DH_768_prime #define BN_get_rfc2409_prime_1024 wolfSSL_DH_1024_prime diff --git a/wolfssl/openssl/dsa.h b/wolfssl/openssl/dsa.h index 561e0707e..9267cf479 100644 --- a/wolfssl/openssl/dsa.h +++ b/wolfssl/openssl/dsa.h @@ -31,6 +31,11 @@ extern "C" { #endif +typedef struct WOLFSSL_DSA_SIG { + WOLFSSL_BIGNUM *r; + WOLFSSL_BIGNUM *s; +} WOLFSSL_DSA_SIG; + #ifndef WOLFSSL_DSA_TYPE_DEFINED /* guard on redeclaration */ typedef struct WOLFSSL_DSA WOLFSSL_DSA; #define WOLFSSL_DSA_TYPE_DEFINED @@ -75,16 +80,31 @@ WOLFSSL_API int wolfSSL_DSA_do_verify(const unsigned char* d, unsigned char* sig, WOLFSSL_DSA* dsa, int *dsacheck); +WOLFSSL_API WOLFSSL_DSA_SIG* wolfSSL_DSA_SIG_new(void); +WOLFSSL_API void wolfSSL_DSA_SIG_free(WOLFSSL_DSA_SIG *sig); +WOLFSSL_API WOLFSSL_DSA_SIG* wolfSSL_DSA_do_sign_ex(const unsigned char* digest, + int outLen, WOLFSSL_DSA* dsa); +WOLFSSL_API int wolfSSL_DSA_do_verify_ex(const unsigned char* digest, int digest_len, + WOLFSSL_DSA_SIG* sig, WOLFSSL_DSA* dsa); + #define WOLFSSL_DSA_LOAD_PRIVATE 1 #define WOLFSSL_DSA_LOAD_PUBLIC 2 #define DSA_new wolfSSL_DSA_new #define DSA_free wolfSSL_DSA_free +#define DSA_LoadDer wolfSSL_DSA_LoadDer #define DSA_generate_key wolfSSL_DSA_generate_key #define DSA_generate_parameters wolfSSL_DSA_generate_parameters #define DSA_generate_parameters_ex wolfSSL_DSA_generate_parameters_ex +#define DSA_SIG_new wolfSSL_DSA_SIG_new +#define DSA_SIG_free wolfSSL_DSA_SIG_free +#define DSA_do_sign wolfSSL_DSA_do_sign_ex +#define DSA_do_verify wolfSSL_DSA_do_verify_ex + + +#define DSA_SIG WOLFSSL_DSA_SIG #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 5388d3deb..cfb9b154d 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -408,6 +408,8 @@ WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_set_key_length(WOLFSSL_EVP_CIPHER_CTX* c int keylen); WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_set_iv_length(WOLFSSL_EVP_CIPHER_CTX* ctx, int ivLen); +WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_set_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* iv, + int ivLen); WOLFSSL_API int wolfSSL_EVP_Cipher(WOLFSSL_EVP_CIPHER_CTX* ctx, unsigned char* dst, unsigned char* src, unsigned int len); @@ -743,6 +745,7 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX; #define EVP_CTRL_GCM_SET_IVLEN EVP_CTRL_AEAD_SET_IVLEN #define EVP_CTRL_GCM_GET_TAG EVP_CTRL_AEAD_GET_TAG #define EVP_CTRL_GCM_SET_TAG EVP_CTRL_AEAD_SET_TAG +#define EVP_CTRL_GCM_SET_IV_FIXED EVP_CTRL_AEAD_SET_IV_FIXED #ifndef EVP_MAX_MD_SIZE #define EVP_MAX_MD_SIZE 64 /* sha512 */ diff --git a/wolfssl/openssl/opensslv.h b/wolfssl/openssl/opensslv.h index 884cad29d..1ec8db137 100644 --- a/wolfssl/openssl/opensslv.h +++ b/wolfssl/openssl/opensslv.h @@ -30,10 +30,11 @@ /* For Apache httpd, Use 1.1.0 compatibility */ #define OPENSSL_VERSION_NUMBER 0x10100000L #elif defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) || \ - defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_QT) + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ + defined(WOLFSSL_OPENSSH) || defined(WOLFSSL_QT) /* version number can be increased for Lighty after compatibility for ECDH is added */ - #define OPENSSL_VERSION_NUMBER 0x10001000L + #define OPENSSL_VERSION_NUMBER 0x1000100fL #else #define OPENSSL_VERSION_NUMBER 0x0090810fL #endif diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 28a1fce22..36c7b33f2 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -1093,8 +1093,12 @@ enum { #define PEM_R_NO_START_LINE 108 #define PEM_R_PROBLEMS_GETTING_PASSWORD 109 +#define PEM_R_BAD_PASSWORD_READ 110 +#define PEM_R_BAD_DECRYPT 111 #define ERR_LIB_PEM 9 #define ERR_LIB_X509 10 +#define ERR_LIB_EVP 11 +#define ERR_LIB_ASN1 12 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_ALL) || \ @@ -1201,6 +1205,8 @@ enum { #define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) #define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) +#define EC_METHOD_get_field_type(x) -1 + #define EVP_CIPHER_mode WOLFSSL_CIPHER_mode /* WOLFSSL_EVP_CIPHER is just the string name of the cipher */ #define EVP_CIPHER_name(x) x diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 9767e4d1f..e98c9543f 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1672,6 +1672,9 @@ enum { SSL_MAX_SSL_SESSION_ID_LENGTH = 32, EVP_R_BAD_DECRYPT = 2, + EVP_R_BN_DECODE_ERROR = 3, + EVP_R_DECODE_ERROR = 4, + EVP_R_PRIVATE_KEY_DECODE_ERROR = 5, SSL_ST_CONNECT = 0x1000, SSL_ST_ACCEPT = 0x2000, diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 017a3652c..b35a01dc4 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -220,7 +220,9 @@ enum NID_domainComponent = 0x19, /* matches ASN_DOMAIN_COMPONENT in asn.h */ NID_emailAddress = 0x30, /* emailAddress */ NID_id_on_dnsSRV = 82, /* 1.3.6.1.5.5.7.8.7 */ - NID_ms_upn = 265 /* 1.3.6.1.4.1.311.20.2.3 */ + NID_ms_upn = 265, /* 1.3.6.1.4.1.311.20.2.3 */ + + NID_X9_62_prime_field = 406 }; enum ECC_TYPES diff --git a/wolfssl/wolfcrypt/dsa.h b/wolfssl/wolfcrypt/dsa.h index bf0b104e2..acc133e5c 100644 --- a/wolfssl/wolfcrypt/dsa.h +++ b/wolfssl/wolfcrypt/dsa.h @@ -52,6 +52,11 @@ enum { DSA_PRIVATE = 1 }; +enum { + DSA_HALF_SIZE = 20, /* r and s size */ + DSA_SIG_SIZE = 40 /* signature size */ +}; + /* DSA */ typedef struct DsaKey { mp_int p, q, g, y, x;