From 611e37b3e8b66c7261ad7fef85d42e705b7566de Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 29 Jan 2016 09:38:13 -0700 Subject: [PATCH] naming for AEAD macros and TLSX with chacha-poly --- examples/client/client.c | 28 ++++++++ src/internal.c | 116 +++++++++++++++--------------- src/keys.c | 152 +++++++++++++++++++++++++++------------ src/sniffer.c | 16 ++--- src/tls.c | 33 ++++++++- wolfssl/internal.h | 49 +++++++++---- 6 files changed, 267 insertions(+), 127 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 586f773b0..b8238ba1d 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1024,6 +1024,34 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) ssl = wolfSSL_new(ctx); if (ssl == NULL) err_sys("unable to get SSL object"); + + #ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */ + if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1) + != SSL_SUCCESS) { + err_sys("unable to set curve secp256r1"); + } + if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP384R1) + != SSL_SUCCESS) { + err_sys("unable to set curve secp384r1"); + } + if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP521R1) + != SSL_SUCCESS) { + err_sys("unable to set curve secp521r1"); + } + if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP224R1) + != SSL_SUCCESS) { + err_sys("unable to set curve secp224r1"); + } + if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP192R1) + != SSL_SUCCESS) { + err_sys("unable to set curve secp192r1"); + } + if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP160R1) + != SSL_SUCCESS) { + err_sys("unable to set curve secp160r1"); + } + #endif + #ifdef HAVE_SESSION_TICKET wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session"); #endif diff --git a/src/internal.c b/src/internal.c index 96a315f7a..ceb5c6cb5 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2030,8 +2030,9 @@ void FreeArrays(WOLFSSL* ssl, int keep) if (ssl->arrays) { XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS); ssl->arrays->pendingMsg = NULL; + ForceZero(ssl->arrays, sizeof(Arrays)); /* clear arrays struct */ } - XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_CERT); + XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_ARRAYS); ssl->arrays = NULL; } @@ -2053,6 +2054,9 @@ void SSL_ResourceFree(WOLFSSL* ssl) XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES); XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); + /* clear keys struct after session */ + ForceZero(&(ssl->keys), sizeof(Keys)); + #ifndef NO_DH XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH); @@ -6031,7 +6035,7 @@ static INLINE word32 GetSEQIncrement(WOLFSSL* ssl, int verify) static INLINE void AeadIncrementExpIV(WOLFSSL* ssl) { int i; - for (i = AEAD_EXP_IV_SZ-1; i >= 0; i--) { + for (i = AEAD_MAX_EXP_SZ-1; i >= 0; i--) { if (++ssl->keys.aead_exp_IV[i]) return; } } @@ -6099,7 +6103,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input, word32 msgLen = (sz - ssl->specs.aead_mac_size); byte tag[POLY1305_AUTH_SZ]; byte add[AEAD_AUTH_DATA_SZ]; - byte nonce[CHACHA20_IV_SIZE]; + byte nonce[CHACHA20_NONCE_SZ]; byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */ #ifdef CHACHA_AEAD_TEST int i; @@ -6112,8 +6116,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input, if (ssl->options.oldPoly != 0) { /* get nonce */ - c32toa(ssl->keys.sequence_number, nonce + AEAD_IMP_IV_SZ - + AEAD_SEQ_OFFSET); + c32toa(ssl->keys.sequence_number, nonce + CHACHA20_OLD_OFFSET); } /* opaque SEQ number stored for AD */ @@ -6152,7 +6155,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input, if (ssl->options.oldPoly == 0) { /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte * record sequence number XORed with client_write_IV/server_write_IV */ - XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IV_SIZE); + XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IMP_IV_SZ); nonce[4] ^= add[0]; nonce[5] ^= add[1]; nonce[6] ^= add[2]; @@ -6165,11 +6168,11 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input, /* set the nonce for chacha and get poly1305 key */ if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0) { - ForceZero(nonce, AEAD_NONCE_SZ); + ForceZero(nonce, CHACHA20_NONCE_SZ); return ret; } - ForceZero(nonce, AEAD_NONCE_SZ); /* done with nonce, clear it */ + ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */ /* create Poly1305 key using chacha20 keystream */ if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly))) != 0) @@ -6233,7 +6236,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input, word16 sz) { byte add[AEAD_AUTH_DATA_SZ]; - byte nonce[CHACHA20_IV_SIZE]; + byte nonce[CHACHA20_NONCE_SZ]; byte tag[POLY1305_AUTH_SZ]; byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */ int ret = 0; @@ -6257,8 +6260,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input, if (ssl->options.oldPoly != 0) { /* get nonce */ - c32toa(ssl->keys.peer_sequence_number, nonce + AEAD_IMP_IV_SZ - + AEAD_SEQ_OFFSET); + c32toa(ssl->keys.peer_sequence_number, nonce + CHACHA20_OLD_OFFSET); } /* sequence number field is 64-bits, we only use 32-bits */ @@ -6290,7 +6292,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input, if (ssl->options.oldPoly == 0) { /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte * record sequence number XORed with client_write_IV/server_write_IV */ - XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IV_SIZE); + XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IMP_IV_SZ); nonce[4] ^= add[0]; nonce[5] ^= add[1]; nonce[6] ^= add[2]; @@ -6303,11 +6305,11 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input, /* set nonce and get poly1305 key */ if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0) { - ForceZero(nonce, AEAD_NONCE_SZ); + ForceZero(nonce, CHACHA20_NONCE_SZ); return ret; } - ForceZero(nonce, AEAD_NONCE_SZ); /* done with nonce, clear it */ + ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */ /* use chacha20 keystream to get poly1305 key for tag */ if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly))) != 0) @@ -6403,7 +6405,7 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz) case wolfssl_aes_gcm: { byte additional[AEAD_AUTH_DATA_SZ]; - byte nonce[AEAD_NONCE_SZ]; + byte nonce[AESGCM_NONCE_SZ]; const byte* additionalSrc = input - 5; XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ); @@ -6424,30 +6426,31 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz) /* Store the length of the plain text minus the explicit * IV length minus the authentication tag size. */ - c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, + c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, additional + AEAD_LEN_OFFSET); XMEMCPY(nonce, - ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ); - XMEMCPY(nonce + AEAD_IMP_IV_SZ, - ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ); + ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ); + XMEMCPY(nonce + AESGCM_IMP_IV_SZ, + ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ); ret = wc_AesGcmEncrypt(ssl->encrypt.aes, - out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ, - sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, - nonce, AEAD_NONCE_SZ, + out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ, + sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, + nonce, AESGCM_NONCE_SZ, out + sz - ssl->specs.aead_mac_size, ssl->specs.aead_mac_size, additional, AEAD_AUTH_DATA_SZ); AeadIncrementExpIV(ssl); - ForceZero(nonce, AEAD_NONCE_SZ); + ForceZero(nonce, AESGCM_NONCE_SZ); } break; #endif #ifdef HAVE_AESCCM + /* AEAD CCM uses same size as macros for AESGCM */ case wolfssl_aes_ccm: { byte additional[AEAD_AUTH_DATA_SZ]; - byte nonce[AEAD_NONCE_SZ]; + byte nonce[AESGCM_NONCE_SZ]; const byte* additionalSrc = input - 5; XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ); @@ -6468,21 +6471,21 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz) /* Store the length of the plain text minus the explicit * IV length minus the authentication tag size. */ - c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, + c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, additional + AEAD_LEN_OFFSET); XMEMCPY(nonce, - ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ); - XMEMCPY(nonce + AEAD_IMP_IV_SZ, - ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ); + ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ); + XMEMCPY(nonce + AESGCM_IMP_IV_SZ, + ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ); ret = wc_AesCcmEncrypt(ssl->encrypt.aes, - out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ, - sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, - nonce, AEAD_NONCE_SZ, + out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ, + sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, + nonce, AESGCM_NONCE_SZ, out + sz - ssl->specs.aead_mac_size, ssl->specs.aead_mac_size, additional, AEAD_AUTH_DATA_SZ); AeadIncrementExpIV(ssl); - ForceZero(nonce, AEAD_NONCE_SZ); + ForceZero(nonce, AESGCM_NONCE_SZ); } break; #endif @@ -6572,7 +6575,7 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input, case wolfssl_aes_gcm: { byte additional[AEAD_AUTH_DATA_SZ]; - byte nonce[AEAD_NONCE_SZ]; + byte nonce[AESGCM_NONCE_SZ]; XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ); @@ -6588,31 +6591,32 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input, additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; - c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, + c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, additional + AEAD_LEN_OFFSET); - XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ); - XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ); + XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ); + XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ); if (wc_AesGcmDecrypt(ssl->decrypt.aes, - plain + AEAD_EXP_IV_SZ, - input + AEAD_EXP_IV_SZ, - sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, - nonce, AEAD_NONCE_SZ, + plain + AESGCM_EXP_IV_SZ, + input + AESGCM_EXP_IV_SZ, + sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, + nonce, AESGCM_NONCE_SZ, input + sz - ssl->specs.aead_mac_size, ssl->specs.aead_mac_size, additional, AEAD_AUTH_DATA_SZ) < 0) { SendAlert(ssl, alert_fatal, bad_record_mac); ret = VERIFY_MAC_ERROR; } - ForceZero(nonce, AEAD_NONCE_SZ); + ForceZero(nonce, AESGCM_NONCE_SZ); } break; #endif #ifdef HAVE_AESCCM + /* AESGCM AEAD macros use same size as AESCCM */ case wolfssl_aes_ccm: { byte additional[AEAD_AUTH_DATA_SZ]; - byte nonce[AEAD_NONCE_SZ]; + byte nonce[AESGCM_NONCE_SZ]; XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ); @@ -6628,22 +6632,22 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input, additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; - c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, + c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, additional + AEAD_LEN_OFFSET); - XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ); - XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ); + XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ); + XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ); if (wc_AesCcmDecrypt(ssl->decrypt.aes, - plain + AEAD_EXP_IV_SZ, - input + AEAD_EXP_IV_SZ, - sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, - nonce, AEAD_NONCE_SZ, + plain + AESGCM_EXP_IV_SZ, + input + AESGCM_EXP_IV_SZ, + sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, + nonce, AESGCM_NONCE_SZ, input + sz - ssl->specs.aead_mac_size, ssl->specs.aead_mac_size, additional, AEAD_AUTH_DATA_SZ) < 0) { SendAlert(ssl, alert_fatal, bad_record_mac); ret = VERIFY_MAC_ERROR; } - ForceZero(nonce, AEAD_NONCE_SZ); + ForceZero(nonce, AESGCM_NONCE_SZ); } break; #endif @@ -6722,7 +6726,7 @@ static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz) else if (ssl->specs.cipher_type == aead) { minLength = ssl->specs.aead_mac_size; /* authTag size */ if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - minLength += AEAD_EXP_IV_SZ; /* explicit IV */ + minLength += AESGCM_EXP_IV_SZ; /* explicit IV */ } if (encryptSz < minLength) { @@ -7008,7 +7012,7 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx) } else if (ssl->specs.cipher_type == aead) { if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - ivExtra = AEAD_EXP_IV_SZ; + ivExtra = AESGCM_EXP_IV_SZ; } dataSz = msgSz - ivExtra - ssl->keys.padSz; @@ -7410,7 +7414,7 @@ int ProcessReply(WOLFSSL* ssl) /* go past TLSv1.1 IV */ if (ssl->specs.cipher_type == aead && ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ; + ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ; #endif /* ATOMIC_USER */ } else { @@ -7429,7 +7433,7 @@ int ProcessReply(WOLFSSL* ssl) /* go past TLSv1.1 IV */ if (ssl->specs.cipher_type == aead && ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ; + ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ; ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx, @@ -7959,10 +7963,10 @@ static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, #ifdef HAVE_AEAD if (ssl->specs.cipher_type == aead) { if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) - ivSz = AEAD_EXP_IV_SZ; + ivSz = AESGCM_EXP_IV_SZ; sz += (ivSz + ssl->specs.aead_mac_size - digestSz); - XMEMCPY(iv, ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ); + XMEMCPY(iv, ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ); } #endif if (sz > (word32)outSz) { diff --git a/src/keys.c b/src/keys.c index 65529efeb..27d7ac598 100644 --- a/src/keys.c +++ b/src/keys.c @@ -597,7 +597,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -615,7 +615,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -633,7 +633,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -651,7 +651,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -669,7 +669,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 1; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -687,7 +687,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 1; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -705,7 +705,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 1; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -723,7 +723,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 1; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -741,7 +741,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; break; @@ -759,7 +759,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; break; @@ -778,7 +778,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; break; @@ -796,7 +796,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; break; @@ -814,7 +814,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -833,7 +833,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -852,7 +852,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -871,7 +871,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -890,7 +890,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -909,7 +909,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -1158,7 +1158,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -1177,7 +1177,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -1196,7 +1196,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -1215,7 +1215,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->options.usingPSK_cipher = 1; @@ -1602,7 +1602,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -1620,7 +1620,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -1638,7 +1638,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -1656,7 +1656,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; @@ -1958,6 +1958,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) + /* Check that the max implicit iv size is suffecient */ + #if (AEAD_MAX_IMP_SZ < 12) /* CHACHA20_IMP_IV_SZ */ + #error AEAD_MAX_IMP_SZ is too small for ChaCha20 + #endif + #if (MAX_WRITE_IV_SZ < 12) /* CHACHA20_IMP_IV_SZ */ + #error MAX_WRITE_IV_SZ is too small for ChaCha20 + #endif + if (specs->bulk_cipher_algorithm == wolfssl_chacha) { int chachaRet; if (enc && enc->chacha == NULL) @@ -1975,14 +1983,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, chachaRet = wc_Chacha_SetKey(enc->chacha, keys->client_write_key, specs->key_size); XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV, - CHACHA20_IV_SIZE); + CHACHA20_IMP_IV_SZ); if (chachaRet != 0) return chachaRet; } if (dec) { chachaRet = wc_Chacha_SetKey(dec->chacha, keys->server_write_key, specs->key_size); XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV, - CHACHA20_IV_SIZE); + CHACHA20_IMP_IV_SZ); if (chachaRet != 0) return chachaRet; } } @@ -1991,14 +1999,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, chachaRet = wc_Chacha_SetKey(enc->chacha, keys->server_write_key, specs->key_size); XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV, - CHACHA20_IV_SIZE); + CHACHA20_IMP_IV_SZ); if (chachaRet != 0) return chachaRet; } if (dec) { chachaRet = wc_Chacha_SetKey(dec->chacha, keys->client_write_key, specs->key_size); XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV, - CHACHA20_IV_SIZE); + CHACHA20_IMP_IV_SZ); if (chachaRet != 0) return chachaRet; } } @@ -2011,6 +2019,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #endif #ifdef HAVE_HC128 + /* check that buffer sizes are sufficient */ + #if (MAX_WRITE_IV_SZ < 16) /* HC_128_IV_SIZE */ + #error MAX_WRITE_IV_SZ too small for HC128 + #endif + if (specs->bulk_cipher_algorithm == wolfssl_hc128) { int hcRet; if (enc && enc->hc128 == NULL) @@ -2055,6 +2068,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #endif #ifdef BUILD_RABBIT + /* check that buffer sizes are sufficient */ + #if (MAX_WRITE_IV_SZ < 8) /* RABBIT_IV_SIZE */ + #error MAX_WRITE_IV_SZ too small for RABBIT + #endif + if (specs->bulk_cipher_algorithm == wolfssl_rabbit) { int rabRet; if (enc && enc->rabbit == NULL) @@ -2099,6 +2117,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #endif #ifdef BUILD_DES3 + /* check that buffer sizes are sufficient */ + #if (MAX_WRITE_IV_SZ < 8) /* DES_IV_SIZE */ + #error MAX_WRITE_IV_SZ too small for 3DES + #endif + if (specs->bulk_cipher_algorithm == wolfssl_triple_des) { int desRet = 0; @@ -2158,6 +2181,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #endif #ifdef BUILD_AES + /* check that buffer sizes are sufficient */ + #if (MAX_WRITE_IV_SZ < 16) /* AES_IV_SIZE */ + #error MAX_WRITE_IV_SZ too small for AES + #endif + if (specs->bulk_cipher_algorithm == wolfssl_aes) { int aesRet = 0; @@ -2221,6 +2249,17 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #endif #ifdef BUILD_AESGCM + /* check that buffer sizes are sufficient */ + #if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */ + #error AEAD_MAX_IMP_SZ too small for AESGCM + #endif + #if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */ + #error AEAD_MAX_EXP_SZ too small for AESGCM + #endif + #if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */ + #error MAX_WRITE_IV_SZ too small for AESGCM + #endif + if (specs->bulk_cipher_algorithm == wolfssl_aes_gcm) { int gcmRet; @@ -2239,14 +2278,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, specs->key_size); if (gcmRet != 0) return gcmRet; XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV, - AEAD_IMP_IV_SZ); + AESGCM_IMP_IV_SZ); } if (dec) { gcmRet = wc_AesGcmSetKey(dec->aes, keys->server_write_key, specs->key_size); if (gcmRet != 0) return gcmRet; XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV, - AEAD_IMP_IV_SZ); + AESGCM_IMP_IV_SZ); } } else { @@ -2255,14 +2294,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, specs->key_size); if (gcmRet != 0) return gcmRet; XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV, - AEAD_IMP_IV_SZ); + AESGCM_IMP_IV_SZ); } if (dec) { gcmRet = wc_AesGcmSetKey(dec->aes, keys->client_write_key, specs->key_size); if (gcmRet != 0) return gcmRet; XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV, - AEAD_IMP_IV_SZ); + AESGCM_IMP_IV_SZ); } } if (enc) @@ -2273,6 +2312,17 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #endif #ifdef HAVE_AESCCM + /* check that buffer sizes are sufficient (CCM is same size as GCM) */ + #if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */ + #error AEAD_MAX_IMP_SZ too small for AESCCM + #endif + #if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */ + #error AEAD_MAX_EXP_SZ too small for AESCCM + #endif + #if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */ + #error MAX_WRITE_IV_SZ too small for AESCCM + #endif + if (specs->bulk_cipher_algorithm == wolfssl_aes_ccm) { if (enc && enc->aes == NULL) enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER); @@ -2287,24 +2337,24 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, if (enc) { wc_AesCcmSetKey(enc->aes, keys->client_write_key, specs->key_size); XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV, - AEAD_IMP_IV_SZ); + AESGCM_IMP_IV_SZ); } if (dec) { wc_AesCcmSetKey(dec->aes, keys->server_write_key, specs->key_size); XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV, - AEAD_IMP_IV_SZ); + AESGCM_IMP_IV_SZ); } } else { if (enc) { wc_AesCcmSetKey(enc->aes, keys->server_write_key, specs->key_size); XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV, - AEAD_IMP_IV_SZ); + AESGCM_IMP_IV_SZ); } if (dec) { wc_AesCcmSetKey(dec->aes, keys->client_write_key, specs->key_size); XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV, - AEAD_IMP_IV_SZ); + AESGCM_IMP_IV_SZ); } } if (enc) @@ -2315,6 +2365,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #endif #ifdef HAVE_CAMELLIA + /* check that buffer sizes are sufficient */ + #if (MAX_WRITE_IV_SZ < 16) /* CAMELLIA_IV_SIZE */ + #error MAX_WRITE_IV_SZ too small for CAMELLIA + #endif + if (specs->bulk_cipher_algorithm == wolfssl_camellia) { int camRet; @@ -2362,6 +2417,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #endif #ifdef HAVE_IDEA + /* check that buffer sizes are sufficient */ + #if (MAX_WRITE_IV_SZ < 8) /* IDEA_IV_SIZE */ + #error MAX_WRITE_IV_SZ too small for IDEA + #endif + if (specs->bulk_cipher_algorithm == wolfssl_idea) { int ideaRet; @@ -2528,14 +2588,14 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) XMEMCPY(ssl->keys.client_write_key, keys->client_write_key, AES_256_KEY_SIZE); XMEMCPY(ssl->keys.client_write_IV, - keys->client_write_IV, AES_IV_SIZE); + keys->client_write_IV, MAX_WRITE_IV_SZ); } else { XMEMCPY(ssl->keys.server_write_MAC_secret, keys->server_write_MAC_secret, MAX_DIGEST_SIZE); XMEMCPY(ssl->keys.server_write_key, keys->server_write_key, AES_256_KEY_SIZE); XMEMCPY(ssl->keys.server_write_IV, - keys->server_write_IV, AES_IV_SIZE); + keys->server_write_IV, MAX_WRITE_IV_SZ); } if (wc_encrypt) { ssl->keys.sequence_number = keys->sequence_number; @@ -2543,15 +2603,15 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) if (ssl->specs.cipher_type == aead) { /* Initialize the AES-GCM/CCM explicit IV to a zero. */ XMEMCPY(ssl->keys.aead_exp_IV, keys->aead_exp_IV, - AEAD_EXP_IV_SZ); + AEAD_MAX_EXP_SZ); /* Initialize encrypt implicit IV by encrypt side */ if (ssl->options.side == WOLFSSL_CLIENT_END) { XMEMCPY(ssl->keys.aead_enc_imp_IV, - keys->client_write_IV, AEAD_NONCE_SZ); + keys->client_write_IV, AEAD_MAX_IMP_SZ); } else { XMEMCPY(ssl->keys.aead_enc_imp_IV, - keys->server_write_IV, AEAD_NONCE_SZ); + keys->server_write_IV, AEAD_MAX_IMP_SZ); } } #endif @@ -2563,10 +2623,10 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) /* Initialize decrypt implicit IV by decrypt side */ if (ssl->options.side == WOLFSSL_SERVER_END) { XMEMCPY(ssl->keys.aead_dec_imp_IV, - keys->client_write_IV, AEAD_NONCE_SZ); + keys->client_write_IV, AEAD_MAX_IMP_SZ); } else { XMEMCPY(ssl->keys.aead_dec_imp_IV, - keys->server_write_IV, AEAD_NONCE_SZ); + keys->server_write_IV, AEAD_MAX_IMP_SZ); } } #endif @@ -2614,7 +2674,7 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData) #ifdef HAVE_AEAD if (ssl->specs.cipher_type == aead) { /* Initialize the AES-GCM/CCM explicit IV to a zero. */ - XMEMSET(keys->aead_exp_IV, 0, AEAD_EXP_IV_SZ); + XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ); } #endif diff --git a/src/sniffer.c b/src/sniffer.c index 3ab4fd96c..86fc136dc 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -1973,23 +1973,23 @@ static int Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz) #ifdef HAVE_AESGCM case wolfssl_aes_gcm: - if (sz >= (word32)(AEAD_EXP_IV_SZ + ssl->specs.aead_mac_size)) + if (sz >= (word32)(AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size)) { - byte nonce[AEAD_NONCE_SZ]; - XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ); - XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ); + byte nonce[AESGCM_NONCE_SZ]; + XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ); + XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ); if (wc_AesGcmEncrypt(ssl->decrypt.aes, output, - input + AEAD_EXP_IV_SZ, - sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, - nonce, AEAD_NONCE_SZ, + input + AESGCM_EXP_IV_SZ, + sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size, + nonce, AESGCM_NONCE_SZ, NULL, 0, NULL, 0) < 0) { Trace(BAD_DECRYPT); ret = -1; } - ForceZero(nonce, AEAD_NONCE_SZ); + ForceZero(nonce, AESGCM_NONCE_SZ); } else { Trace(BAD_DECRYPT_SIZE); diff --git a/src/tls.c b/src/tls.c index 793b55c33..77437a8c6 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2657,7 +2657,8 @@ static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore) int i; for (i = 0; i < ssl->suites->suiteSz; i+= 2) - if (ssl->suites->suites[i] == ECC_BYTE) + if (ssl->suites->suites[i] == ECC_BYTE || + ssl->suites->suites[i] == CHACHA_BYTE) return; /* turns semaphore on to avoid sending this extension. */ @@ -2734,7 +2735,7 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length, } int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { - TLSX* extension = (first == ECC_BYTE) + TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE) ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) : NULL; EllipticCurve* curve = NULL; @@ -2773,6 +2774,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { default: continue; /* unsupported curve */ } + if (first == ECC_BYTE) { switch (second) { #ifndef NO_DSA /* ECDHE_ECDSA */ @@ -2835,6 +2837,33 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { key = 1; break; } + } + + /* ChaCha20-Poly1305 ECC cipher suites */ + if (first == CHACHA_BYTE) { + switch (second) { +#ifndef NO_DSA + /* ECDHE_ECDSA */ + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : + case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : + sig |= ssl->pkCurveOID == oid; + key |= ssl->eccTempKeySz == octets; + break; +#endif +#ifndef NO_RSA + /* ECDHE_RSA */ + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : + case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : + sig = 1; + key |= ssl->eccTempKeySz == octets; + break; +#endif + default: + sig = 1; + key = 1; + break; + } + } } return sig && key; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c0de16edc..03b72cf77 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -820,7 +820,7 @@ enum { enum Misc { - ECC_BYTE = 0xC0, /* ECC first cipher suite byte */ + ECC_BYTE = 0xC0, /* ECC first cipher suite byte */ QSH_BYTE = 0xD0, /* Quantum-safe Handshake cipher suite */ CHACHA_BYTE = 0xCC, /* ChaCha first cipher suite */ @@ -929,15 +929,21 @@ enum Misc { AES_IV_SIZE = 16, /* always block size */ AES_128_KEY_SIZE = 16, /* for 128 bit */ - AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */ - AEAD_TYPE_OFFSET = 8, /* Auth Data: Type */ - AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */ - AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */ - AEAD_LEN_OFFSET = 11, /* Auth Data: Length */ - AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */ - AEAD_IMP_IV_SZ = 4, /* Size of the implicit IV */ - AEAD_EXP_IV_SZ = 8, /* Size of the explicit IV */ - AEAD_NONCE_SZ = AEAD_EXP_IV_SZ + AEAD_IMP_IV_SZ, + AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */ + AEAD_TYPE_OFFSET = 8, /* Auth Data: Type */ + AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */ + AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */ + AEAD_LEN_OFFSET = 11, /* Auth Data: Length */ + AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */ + AESGCM_IMP_IV_SZ = 4, /* Size of GCM/CCM AEAD implicit IV */ + AESGCM_EXP_IV_SZ = 8, /* Size of GCM/CCM AEAD explicit IV */ + AESGCM_NONCE_SZ = AESGCM_EXP_IV_SZ + AESGCM_IMP_IV_SZ, + + CHACHA20_IMP_IV_SZ = 12, /* Size of ChaCha20 AEAD implicit IV */ + CHACHA20_NONCE_SZ = 12, /* Size of ChacCha20 nonce */ + CHACHA20_OLD_OFFSET = 8, /* Offset for seq # in old poly1305 */ + + /* For any new implicit/explicit IV size adjust AEAD_MAX_***_SZ */ AES_GCM_AUTH_SZ = 16, /* AES-GCM Auth Tag length */ AES_CCM_16_AUTH_SZ = 16, /* AES-CCM-16 Auth Tag length */ @@ -1009,6 +1015,17 @@ enum Misc { }; +/* Set max implicit IV size for AEAD cipher suites */ +#ifdef HAVE_CHACHA + #define AEAD_MAX_IMP_SZ 12 +#else + #define AEAD_MAX_IMP_SZ 4 +#endif + +/* Set max explicit IV size for AEAD cipher suites */ +#define AEAD_MAX_EXP_SZ 8 + + #ifndef WOLFSSL_MAX_SUITE_SZ #define WOLFSSL_MAX_SUITE_SZ 300 /* 150 suites for now! */ @@ -1455,18 +1472,20 @@ typedef struct WOLFSSL_DTLS_CTX { #endif /* WOLFSSL_DTLS */ +#define MAX_WRITE_IV_SZ 16 /* max size of client/server write_IV */ + /* keys and secrets */ typedef struct Keys { byte client_write_MAC_secret[MAX_DIGEST_SIZE]; /* max sizes */ byte server_write_MAC_secret[MAX_DIGEST_SIZE]; byte client_write_key[AES_256_KEY_SIZE]; /* max sizes */ byte server_write_key[AES_256_KEY_SIZE]; - byte client_write_IV[AES_IV_SIZE]; /* max sizes */ - byte server_write_IV[AES_IV_SIZE]; + byte client_write_IV[MAX_WRITE_IV_SZ]; /* max sizes */ + byte server_write_IV[MAX_WRITE_IV_SZ]; #ifdef HAVE_AEAD - byte aead_exp_IV[AEAD_EXP_IV_SZ]; - byte aead_enc_imp_IV[AEAD_NONCE_SZ]; /* full size needed for chacha-poly */ - byte aead_dec_imp_IV[AEAD_NONCE_SZ]; + byte aead_exp_IV[AEAD_MAX_EXP_SZ]; + byte aead_enc_imp_IV[AEAD_MAX_IMP_SZ]; + byte aead_dec_imp_IV[AEAD_MAX_IMP_SZ]; #endif word32 peer_sequence_number;