From 542e0d79ecc4c24c40823f1f9e257c76ef40b99a Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 1 Feb 2021 14:59:57 +0100 Subject: [PATCH] Jenkins Fixes - explicit conversions - not all curves available for wolfSSL_CTX_set1_groups_list - group funcs depend on HAVE_ECC - `InitSuites` after `ssl->suites` has been set --- examples/server/server.c | 2 +- src/internal.c | 13 ++--- src/ssl.c | 109 +++++++++++++++++++++++++++------------ src/tls13.c | 8 +-- tests/api.c | 22 ++++++-- wolfcrypt/src/asn.c | 2 +- wolfssl/ssl.h | 9 ---- 7 files changed, 107 insertions(+), 58 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index 2c4f81609..0d476392a 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -1107,7 +1107,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) WOLFSSL_MEM_STATS mem_stats; #endif #endif -#ifdef WOLFSSL_TLS13 +#if defined(WOLFSSL_TLS13) int onlyKeyShare = 0; #endif #if defined(HAVE_SESSION_TICKET) diff --git a/src/internal.c b/src/internal.c index 0f6bdca45..fe428309b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5340,12 +5340,6 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->pkCurveOID = ctx->pkCurveOID; #endif -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) - if (ctx->mask != 0 && wolfSSL_set_options(ssl, ctx->mask) == 0) { - WOLFSSL_MSG("wolfSSL_set_options error"); - return BAD_FUNC_ARG; - } -#endif #ifdef OPENSSL_EXTRA ssl->CBIS = ctx->CBIS; #endif @@ -5471,6 +5465,13 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) } } /* writeDup check */ +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) + if (ctx->mask != 0 && wolfSSL_set_options(ssl, ctx->mask) == 0) { + WOLFSSL_MSG("wolfSSL_set_options error"); + return BAD_FUNC_ARG; + } +#endif + #ifdef WOLFSSL_SESSION_EXPORT #ifdef WOLFSSL_DTLS ssl->dtls_export = ctx->dtls_export; /* export function for session */ diff --git a/src/ssl.c b/src/ssl.c index 62f957b12..1c26f0f7d 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2376,7 +2376,7 @@ int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx, byte status_type, #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ /* Elliptic Curves */ -#if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT) +#if defined(HAVE_SUPPORTED_CURVES) static int isValidCurveGroup(word16 name) { @@ -2403,16 +2403,16 @@ static int isValidCurveGroup(word16 name) case WOLFSSL_FFDHE_4096: case WOLFSSL_FFDHE_6144: case WOLFSSL_FFDHE_8192: - return 0; + return 1; default: - return BAD_FUNC_ARG; + return 0; } } int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name) { - if (ssl == NULL || isValidCurveGroup(name) != 0) + if (ssl == NULL || !isValidCurveGroup(name)) return BAD_FUNC_ARG; ssl->options.userCurves = 1; @@ -2423,7 +2423,7 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name) int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name) { - if (ctx == NULL || isValidCurveGroup(name) != 0) + if (ctx == NULL || !isValidCurveGroup(name)) return BAD_FUNC_ARG; ctx->userCurves = 1; @@ -2431,7 +2431,7 @@ int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name) return TLSX_UseSupportedCurve(&ctx->extensions, name, ctx->heap); } -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups, int count) { @@ -2443,9 +2443,10 @@ int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups, return WOLFSSL_FAILURE; } for (i = 0; i < count; i++) { - if (isValidCurveGroup(groups[i]) == 0) { + if (isValidCurveGroup((word16)groups[i])) { _groups[i] = groups[i]; } +#ifdef HAVE_ECC else { /* groups may be populated with curve NIDs */ int oid = nid2oid(groups[i], oidCurveType); @@ -2456,6 +2457,12 @@ int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups, } _groups[i] = name; } +#else + else { + WOLFSSL_MSG("Invalid group name"); + return WOLFSSL_FAILURE; + } +#endif } return wolfSSL_CTX_set_groups(ctx, _groups, count) == WOLFSSL_SUCCESS ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; @@ -2471,9 +2478,10 @@ int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count) return WOLFSSL_FAILURE; } for (i = 0; i < count; i++) { - if (isValidCurveGroup(groups[i]) == 0) { + if (isValidCurveGroup((word16)groups[i])) { _groups[i] = groups[i]; } +#ifdef HAVE_ECC else { /* groups may be populated with curve NIDs */ int oid = nid2oid(groups[i], oidCurveType); @@ -2484,12 +2492,18 @@ int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count) } _groups[i] = name; } +#else + else { + WOLFSSL_MSG("Invalid group name"); + return WOLFSSL_FAILURE; + } +#endif } return wolfSSL_set_groups(ssl, _groups, count) == WOLFSSL_SUCCESS ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; } -#endif -#endif /* HAVE_SUPPORTED_CURVES && !NO_WOLFSSL_CLIENT */ +#endif /* OPENSSL_EXTRA && WOLFSSL_TLS13 */ +#endif /* HAVE_SUPPORTED_CURVES */ /* QSH quantum safe handshake */ #ifdef HAVE_QSH @@ -11915,6 +11929,13 @@ int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list) } #ifdef HAVE_KEYING_MATERIAL + +#define TLS_PRF_LABEL_CLIENT_FINISHED "client finished" +#define TLS_PRF_LABEL_SERVER_FINISHED "server finished" +#define TLS_PRF_LABEL_MASTER_SECRET "master secret" +#define TLS_PRF_LABEL_EXT_MASTER_SECRET "extended master secret" +#define TLS_PRF_LABEL_KEY_EXPANSION "key expansion" + static const struct ForbiddenLabels { const char* label; size_t labelLen; @@ -11942,7 +11963,7 @@ int wolfSSL_export_keying_material(WOLFSSL *ssl, /* clientRandom + serverRandom * OR * clientRandom + serverRandom + ctx len encoding + ctx */ - word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + contextLen; + word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + (word32)contextLen; const struct ForbiddenLabels* fl; WOLFSSL_ENTER("wolfSSL_export_keying_material"); @@ -11977,7 +11998,7 @@ int wolfSSL_export_keying_material(WOLFSSL *ssl, context = (byte*)""; /* Give valid pointer for 0 length memcpy */ } - if (Tls13_Exporter(ssl, out, outLen, label, labelLen, + if (Tls13_Exporter(ssl, out, (word32)outLen, label, labelLen, context, contextLen) != 0) { WOLFSSL_MSG("Tls13_Exporter error"); return WOLFSSL_FAILURE; @@ -12006,8 +12027,8 @@ int wolfSSL_export_keying_material(WOLFSSL *ssl, } } - if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN, - (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl), + if (wc_PRF_TLS(out, (word32)outLen, ssl->arrays->masterSecret, SECRET_LEN, + (byte*)label, (word32)labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, ssl->heap, ssl->devId) != 0) { WOLFSSL_MSG("wc_PRF_TLS error"); XFREE(seed, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -16464,21 +16485,33 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version) } switch (version) { +#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) case SSL3_VERSION: ctx->minDowngrade = SSLv3_MINOR; break; +#endif +#ifndef NO_TLS + #ifndef NO_OLD_TLS + #ifdef WOLFSSL_ALLOW_TLSV10 case TLS1_VERSION: ctx->minDowngrade = TLSv1_MINOR; break; + #endif case TLS1_1_VERSION: ctx->minDowngrade = TLSv1_1_MINOR; break; + #endif + #ifndef WOLFSSL_NO_TLS12 case TLS1_2_VERSION: ctx->minDowngrade = TLSv1_2_MINOR; break; + #endif + #ifdef WOLFSSL_TLS13 case TLS1_3_VERSION: ctx->minDowngrade = TLSv1_3_MINOR; break; + #endif +#endif #ifdef WOLFSSL_DTLS #ifndef NO_OLD_TLS case DTLS1_VERSION: @@ -16490,18 +16523,15 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version) break; #endif default: + WOLFSSL_MSG("Unrecognized protocol version or not compiled in"); return WOLFSSL_FAILURE; } switch (version) { +#ifndef NO_TLS case TLS1_3_VERSION: -#ifdef WOLFSSL_TLS13 wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_2); FALL_THROUGH; -#else - WOLFSSL_MSG("wolfSSL TLS1.3 support not compiled in"); - return WOLFSSL_FAILURE; -#endif case TLS1_2_VERSION: wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_1); FALL_THROUGH; @@ -16510,11 +16540,13 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version) FALL_THROUGH; case TLS1_VERSION: wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_SSLv3); - FALL_THROUGH; + break; +#endif +#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) case SSL3_VERSION: - FALL_THROUGH; case SSL2_VERSION: /* Nothing to do here */ +#endif break; #ifdef WOLFSSL_DTLS #ifndef NO_OLD_TLS @@ -16524,7 +16556,7 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version) break; #endif default: - WOLFSSL_MSG("Unrecognized protocol version"); + WOLFSSL_MSG("Unrecognized protocol version or not compiled in"); return WOLFSSL_FAILURE; } @@ -16544,6 +16576,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver) case SSL2_VERSION: WOLFSSL_MSG("wolfSSL does not support SSLv2"); return WOLFSSL_FAILURE; +#if (defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)) || !defined(NO_TLS) case SSL3_VERSION: wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1); FALL_THROUGH; @@ -16555,12 +16588,11 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver) FALL_THROUGH; case TLS1_2_VERSION: wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_3); -#ifdef WOLFSSL_TLS13 FALL_THROUGH; case TLS1_3_VERSION: /* Nothing to do here */ -#endif break; +#endif #ifdef WOLFSSL_DTLS #ifndef NO_OLD_TLS case DTLS1_VERSION: @@ -16569,7 +16601,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver) break; #endif default: - WOLFSSL_MSG("Unrecognized protocol version"); + WOLFSSL_MSG("Unrecognized protocol version or not compiled in"); return WOLFSSL_FAILURE; } @@ -27373,10 +27405,11 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) keySz = ssl->buffers.keySz; #endif - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END) + InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, + ssl->options.haveDH, ssl->options.haveNTRU, + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); return ssl->options.mask; } @@ -28354,7 +28387,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(WOLFSSL_STACK* sk, int i) { WOLFSSL_ENTER("wolfSSL_sk_SSL_CIPHER_value"); - return wolfSSL_sk_value(sk, i); + return (WOLFSSL_CIPHER*)wolfSSL_sk_value(sk, i); } WOLFSSL_API void ERR_load_SSL_strings(void) @@ -46756,8 +46789,16 @@ static WC_INLINE int sslCipherMinMaxCheck(const WOLFSSL *ssl, byte suite0, break; if (i == cipherSz) return 1; - if (cipher_names[i].minor < ssl->options.minDowngrade) + /* Check min version */ + if (cipher_names[i].minor < ssl->options.minDowngrade) { + if (ssl->options.minDowngrade <= TLSv1_2_MINOR && + cipher_names[i].minor >= TLSv1_MINOR) + /* 1.0 ciphersuites are in general available in 1.1 and + * 1.1 ciphersuites are in general available in 1.2 */ + return 0; return 1; + } + /* Check max version */ switch (cipher_names[i].minor) { case SSLv3_MINOR : return ssl->options.mask & WOLFSSL_OP_NO_SSLv3; @@ -48497,10 +48538,12 @@ word32 nid2oid(int nid, int grp) default: WOLFSSL_MSG("NID not in table"); - return -1; + /* MSVC warns without the cast */ + return (word32)-1; } - return -1; + /* MSVC warns without the cast */ + return (word32)-1; } int oid2nid(word32 oid, int grp) diff --git a/src/tls13.c b/src/tls13.c index c6008d8b1..03720f157 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -803,17 +803,17 @@ int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen, /* Derive-Secret(Secret, label, "") */ ret = HKDF_Expand_Label(firstExpand, hashLen, ssl->arrays->exporterSecret, hashLen, - protocol, protocolLen, (byte*)label, labelLen, + protocol, protocolLen, (byte*)label, (word32)labelLen, emptyHash, hashLen, hashType); if (ret != 0) return ret; /* Hash(context_value) */ - ret = wc_Hash(hashType, context, contextLen, hashOut, WC_MAX_DIGEST_SIZE); + ret = wc_Hash(hashType, context, (word32)contextLen, hashOut, WC_MAX_DIGEST_SIZE); if (ret != 0) return ret; - ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen, + ret = HKDF_Expand_Label(out, (word32)outLen, firstExpand, hashLen, protocol, protocolLen, exporterLabel, EXPORTER_LABEL_SZ, hashOut, hashLen, hashType); @@ -8051,7 +8051,7 @@ int wolfSSL_preferred_group(WOLFSSL* ssl) } #endif -#ifdef HAVE_SUPPORTED_CURVES +#if defined(HAVE_SUPPORTED_CURVES) /* Sets the key exchange groups in rank order on a context. * * ctx SSL/TLS context object. diff --git a/tests/api.c b/tests/api.c index 8dbd871b7..dc64c5737 100644 --- a/tests/api.c +++ b/tests/api.c @@ -37221,12 +37221,24 @@ static int test_tls13_apis(void) #ifdef WOLFSSL_EARLY_DATA int outSz; #endif -#ifdef HAVE_SUPPORTED_CURVES +#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) int groups[2] = { WOLFSSL_ECC_X25519, WOLFSSL_ECC_X448 }; int numGroups = 2; #endif #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) - char groupList[] = "P-521:P-384:P-256"; + char groupList[] = +#ifndef NO_ECC_SECP +#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 + "P-521:" +#endif +#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 + "P-384:" +#endif +#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 + "P-256" +#endif + ""; +#endif /* !defined(NO_ECC_SECP) */ #endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */ #ifndef WOLFSSL_NO_TLS12 @@ -37433,6 +37445,7 @@ static int test_tls13_apis(void) #endif #endif +#ifdef HAVE_ECC #ifndef WOLFSSL_NO_SERVER_GROUPS_EXT AssertIntEQ(wolfSSL_preferred_group(NULL), BAD_FUNC_ARG); #ifndef NO_WOLFSSL_SERVER @@ -37488,7 +37501,7 @@ static int test_tls13_apis(void) WOLFSSL_SUCCESS); #endif -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) +#ifdef OPENSSL_EXTRA AssertIntEQ(wolfSSL_CTX_set1_groups_list(NULL, NULL), WOLFSSL_FAILURE); #ifndef NO_WOLFSSL_CLIENT AssertIntEQ(wolfSSL_CTX_set1_groups_list(clientCtx, NULL), WOLFSSL_FAILURE); @@ -37524,8 +37537,9 @@ static int test_tls13_apis(void) AssertIntEQ(wolfSSL_set1_groups_list(serverSsl, groupList), WOLFSSL_SUCCESS); #endif -#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */ +#endif /* OPENSSL_EXTRA */ #endif /* HAVE_SUPPORTED_CURVES */ +#endif /* HAVE_ECC */ #ifdef WOLFSSL_EARLY_DATA AssertIntEQ(wolfSSL_CTX_set_max_early_data(NULL, 0), BAD_FUNC_ARG); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 32dfd5896..fd45d44fa 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -5621,7 +5621,7 @@ int wc_OBJ_sn2nid(const char *sn) sn = "SECP256R1"; /* OpenSSL allows lowercase curve names */ for (i = 0; i < (int)(sizeof(curveName) - 1) && *sn; i++) { - curveName[i] = XTOUPPER(*sn++); + curveName[i] = (char)XTOUPPER(*sn++); } curveName[i] = '\0'; /* find based on name and return NID */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index cab58bc2e..77c3c63b2 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1064,11 +1064,6 @@ WOLFSSL_API int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX*, const char*); WOLFSSL_API int wolfSSL_set_cipher_list(WOLFSSL*, const char*); #ifdef HAVE_KEYING_MATERIAL -#define TLS_PRF_LABEL_CLIENT_FINISHED "client finished" -#define TLS_PRF_LABEL_SERVER_FINISHED "server finished" -#define TLS_PRF_LABEL_MASTER_SECRET "master secret" -#define TLS_PRF_LABEL_EXT_MASTER_SECRET "extended master secret" -#define TLS_PRF_LABEL_KEY_EXPANSION "key expansion" /* Keying Material Exporter for TLS */ WOLFSSL_API int wolfSSL_export_keying_material(WOLFSSL *ssl, unsigned char *out, size_t outLen, @@ -3168,13 +3163,9 @@ enum { }; #ifdef HAVE_SUPPORTED_CURVES -#ifndef NO_WOLFSSL_CLIENT - WOLFSSL_API int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name); WOLFSSL_API int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name); - -#endif #endif #ifdef WOLFSSL_TLS13