feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

naming for AEAD macros and TLSX with chacha-poly

Browse Source
This commit is contained in:
Jacob Barthelmeh
2016-01-29 09:38:13 -07:00
parent 7d71d756f3
commit 611e37b3e8
6 changed files with 267 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
examples/client/client.c
View File

@@ -1024,6 +1024,34 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
ssl = wolfSSL_new(ctx); ssl = wolfSSL_new(ctx);
if (ssl == NULL) if (ssl == NULL)
err_sys("unable to get SSL object"); err_sys("unable to get SSL object");
#ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp256r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP384R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp384r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP521R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp521r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP224R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp224r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP192R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp192r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP160R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp160r1");
}
#endif
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session"); wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
#endif #endif

116
src/internal.c
View File

@@ -2030,8 +2030,9 @@ void FreeArrays(WOLFSSL* ssl, int keep)
if (ssl->arrays) { if (ssl->arrays) {
XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS); XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
ssl->arrays->pendingMsg = NULL; ssl->arrays->pendingMsg = NULL;
ForceZero(ssl->arrays, sizeof(Arrays)); /* clear arrays struct */
} }
XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_CERT); XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_ARRAYS);
ssl->arrays = NULL; ssl->arrays = NULL;
} }
@@ -2053,6 +2054,9 @@ void SSL_ResourceFree(WOLFSSL* ssl)
XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES); XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES);
XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);
/* clear keys struct after session */
ForceZero(&(ssl->keys), sizeof(Keys));
#ifndef NO_DH #ifndef NO_DH
XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH);
XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH);
@@ -6031,7 +6035,7 @@ static INLINE word32 GetSEQIncrement(WOLFSSL* ssl, int verify)
static INLINE void AeadIncrementExpIV(WOLFSSL* ssl) static INLINE void AeadIncrementExpIV(WOLFSSL* ssl)
{ {
int i; int i;
for (i = AEAD_EXP_IV_SZ-1; i >= 0; i--) { for (i = AEAD_MAX_EXP_SZ-1; i >= 0; i--) {
if (++ssl->keys.aead_exp_IV[i]) return; if (++ssl->keys.aead_exp_IV[i]) return;
} }
} }
@@ -6099,7 +6103,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
word32 msgLen = (sz - ssl->specs.aead_mac_size); word32 msgLen = (sz - ssl->specs.aead_mac_size);
byte tag[POLY1305_AUTH_SZ]; byte tag[POLY1305_AUTH_SZ];
byte add[AEAD_AUTH_DATA_SZ]; byte add[AEAD_AUTH_DATA_SZ];
byte nonce[CHACHA20_IV_SIZE]; byte nonce[CHACHA20_NONCE_SZ];
byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */ byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */
#ifdef CHACHA_AEAD_TEST #ifdef CHACHA_AEAD_TEST
int i; int i;
@@ -6112,8 +6116,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
if (ssl->options.oldPoly != 0) { if (ssl->options.oldPoly != 0) {
/* get nonce */ /* get nonce */
c32toa(ssl->keys.sequence_number, nonce + AEAD_IMP_IV_SZ c32toa(ssl->keys.sequence_number, nonce + CHACHA20_OLD_OFFSET);
+ AEAD_SEQ_OFFSET);
} }
/* opaque SEQ number stored for AD */ /* opaque SEQ number stored for AD */
@@ -6152,7 +6155,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
if (ssl->options.oldPoly == 0) { if (ssl->options.oldPoly == 0) {
/* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
* record sequence number XORed with client_write_IV/server_write_IV */ * record sequence number XORed with client_write_IV/server_write_IV */
XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IV_SIZE); XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IMP_IV_SZ);
nonce[4] ^= add[0]; nonce[4] ^= add[0];
nonce[5] ^= add[1]; nonce[5] ^= add[1];
nonce[6] ^= add[2]; nonce[6] ^= add[2];
@@ -6165,11 +6168,11 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
/* set the nonce for chacha and get poly1305 key */ /* set the nonce for chacha and get poly1305 key */
if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0) { if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0) {
ForceZero(nonce, AEAD_NONCE_SZ); ForceZero(nonce, CHACHA20_NONCE_SZ);
return ret; return ret;
} }
ForceZero(nonce, AEAD_NONCE_SZ); /* done with nonce, clear it */ ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
/* create Poly1305 key using chacha20 keystream */ /* create Poly1305 key using chacha20 keystream */
if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, poly,
poly, sizeof(poly))) != 0) poly, sizeof(poly))) != 0)
@@ -6233,7 +6236,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
word16 sz) word16 sz)
{ {
byte add[AEAD_AUTH_DATA_SZ]; byte add[AEAD_AUTH_DATA_SZ];
byte nonce[CHACHA20_IV_SIZE]; byte nonce[CHACHA20_NONCE_SZ];
byte tag[POLY1305_AUTH_SZ]; byte tag[POLY1305_AUTH_SZ];
byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */ byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
int ret = 0; int ret = 0;
@@ -6257,8 +6260,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
if (ssl->options.oldPoly != 0) { if (ssl->options.oldPoly != 0) {
/* get nonce */ /* get nonce */
c32toa(ssl->keys.peer_sequence_number, nonce + AEAD_IMP_IV_SZ c32toa(ssl->keys.peer_sequence_number, nonce + CHACHA20_OLD_OFFSET);
+ AEAD_SEQ_OFFSET);
} }
/* sequence number field is 64-bits, we only use 32-bits */ /* sequence number field is 64-bits, we only use 32-bits */
@@ -6290,7 +6292,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
if (ssl->options.oldPoly == 0) { if (ssl->options.oldPoly == 0) {
/* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
* record sequence number XORed with client_write_IV/server_write_IV */ * record sequence number XORed with client_write_IV/server_write_IV */
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IV_SIZE); XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IMP_IV_SZ);
nonce[4] ^= add[0]; nonce[4] ^= add[0];
nonce[5] ^= add[1]; nonce[5] ^= add[1];
nonce[6] ^= add[2]; nonce[6] ^= add[2];
@@ -6303,11 +6305,11 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
/* set nonce and get poly1305 key */ /* set nonce and get poly1305 key */
if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0) { if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0) {
ForceZero(nonce, AEAD_NONCE_SZ); ForceZero(nonce, CHACHA20_NONCE_SZ);
return ret; return ret;
} }
ForceZero(nonce, AEAD_NONCE_SZ); /* done with nonce, clear it */ ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
/* use chacha20 keystream to get poly1305 key for tag */ /* use chacha20 keystream to get poly1305 key for tag */
if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, poly,
poly, sizeof(poly))) != 0) poly, sizeof(poly))) != 0)
@@ -6403,7 +6405,7 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
case wolfssl_aes_gcm: case wolfssl_aes_gcm:
{ {
byte additional[AEAD_AUTH_DATA_SZ]; byte additional[AEAD_AUTH_DATA_SZ];
byte nonce[AEAD_NONCE_SZ]; byte nonce[AESGCM_NONCE_SZ];
const byte* additionalSrc = input - 5; const byte* additionalSrc = input - 5;
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ); XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
@@ -6424,30 +6426,31 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
/* Store the length of the plain text minus the explicit /* Store the length of the plain text minus the explicit
* IV length minus the authentication tag size. */ * IV length minus the authentication tag size. */
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
additional + AEAD_LEN_OFFSET); additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce, XMEMCPY(nonce,
ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ); ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, XMEMCPY(nonce + AESGCM_IMP_IV_SZ,
ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ); ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
ret = wc_AesGcmEncrypt(ssl->encrypt.aes, ret = wc_AesGcmEncrypt(ssl->encrypt.aes,
out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ, out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ, nonce, AESGCM_NONCE_SZ,
out + sz - ssl->specs.aead_mac_size, out + sz - ssl->specs.aead_mac_size,
ssl->specs.aead_mac_size, ssl->specs.aead_mac_size,
additional, AEAD_AUTH_DATA_SZ); additional, AEAD_AUTH_DATA_SZ);
AeadIncrementExpIV(ssl); AeadIncrementExpIV(ssl);
ForceZero(nonce, AEAD_NONCE_SZ); ForceZero(nonce, AESGCM_NONCE_SZ);
} }
break; break;
#endif #endif
#ifdef HAVE_AESCCM #ifdef HAVE_AESCCM
/* AEAD CCM uses same size as macros for AESGCM */
case wolfssl_aes_ccm: case wolfssl_aes_ccm:
{ {
byte additional[AEAD_AUTH_DATA_SZ]; byte additional[AEAD_AUTH_DATA_SZ];
byte nonce[AEAD_NONCE_SZ]; byte nonce[AESGCM_NONCE_SZ];
const byte* additionalSrc = input - 5; const byte* additionalSrc = input - 5;
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ); XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
@@ -6468,21 +6471,21 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
/* Store the length of the plain text minus the explicit /* Store the length of the plain text minus the explicit
* IV length minus the authentication tag size. */ * IV length minus the authentication tag size. */
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
additional + AEAD_LEN_OFFSET); additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce, XMEMCPY(nonce,
ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ); ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, XMEMCPY(nonce + AESGCM_IMP_IV_SZ,
ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ); ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
ret = wc_AesCcmEncrypt(ssl->encrypt.aes, ret = wc_AesCcmEncrypt(ssl->encrypt.aes,
out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ, out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ, nonce, AESGCM_NONCE_SZ,
out + sz - ssl->specs.aead_mac_size, out + sz - ssl->specs.aead_mac_size,
ssl->specs.aead_mac_size, ssl->specs.aead_mac_size,
additional, AEAD_AUTH_DATA_SZ); additional, AEAD_AUTH_DATA_SZ);
AeadIncrementExpIV(ssl); AeadIncrementExpIV(ssl);
ForceZero(nonce, AEAD_NONCE_SZ); ForceZero(nonce, AESGCM_NONCE_SZ);
} }
break; break;
#endif #endif
@@ -6572,7 +6575,7 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
case wolfssl_aes_gcm: case wolfssl_aes_gcm:
{ {
byte additional[AEAD_AUTH_DATA_SZ]; byte additional[AEAD_AUTH_DATA_SZ];
byte nonce[AEAD_NONCE_SZ]; byte nonce[AESGCM_NONCE_SZ];
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ); XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
@@ -6588,31 +6591,32 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
additional + AEAD_LEN_OFFSET); additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ); XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ); XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
if (wc_AesGcmDecrypt(ssl->decrypt.aes, if (wc_AesGcmDecrypt(ssl->decrypt.aes,
plain + AEAD_EXP_IV_SZ, plain + AESGCM_EXP_IV_SZ,
input + AEAD_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ, nonce, AESGCM_NONCE_SZ,
input + sz - ssl->specs.aead_mac_size, input + sz - ssl->specs.aead_mac_size,
ssl->specs.aead_mac_size, ssl->specs.aead_mac_size,
additional, AEAD_AUTH_DATA_SZ) < 0) { additional, AEAD_AUTH_DATA_SZ) < 0) {
SendAlert(ssl, alert_fatal, bad_record_mac); SendAlert(ssl, alert_fatal, bad_record_mac);
ret = VERIFY_MAC_ERROR; ret = VERIFY_MAC_ERROR;
} }
ForceZero(nonce, AEAD_NONCE_SZ); ForceZero(nonce, AESGCM_NONCE_SZ);
} }
break; break;
#endif #endif
#ifdef HAVE_AESCCM #ifdef HAVE_AESCCM
/* AESGCM AEAD macros use same size as AESCCM */
case wolfssl_aes_ccm: case wolfssl_aes_ccm:
{ {
byte additional[AEAD_AUTH_DATA_SZ]; byte additional[AEAD_AUTH_DATA_SZ];
byte nonce[AEAD_NONCE_SZ]; byte nonce[AESGCM_NONCE_SZ];
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ); XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
@@ -6628,22 +6632,22 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
additional + AEAD_LEN_OFFSET); additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ); XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ); XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
if (wc_AesCcmDecrypt(ssl->decrypt.aes, if (wc_AesCcmDecrypt(ssl->decrypt.aes,
plain + AEAD_EXP_IV_SZ, plain + AESGCM_EXP_IV_SZ,
input + AEAD_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ, nonce, AESGCM_NONCE_SZ,
input + sz - ssl->specs.aead_mac_size, input + sz - ssl->specs.aead_mac_size,
ssl->specs.aead_mac_size, ssl->specs.aead_mac_size,
additional, AEAD_AUTH_DATA_SZ) < 0) { additional, AEAD_AUTH_DATA_SZ) < 0) {
SendAlert(ssl, alert_fatal, bad_record_mac); SendAlert(ssl, alert_fatal, bad_record_mac);
ret = VERIFY_MAC_ERROR; ret = VERIFY_MAC_ERROR;
} }
ForceZero(nonce, AEAD_NONCE_SZ); ForceZero(nonce, AESGCM_NONCE_SZ);
} }
break; break;
#endif #endif
@@ -6722,7 +6726,7 @@ static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
else if (ssl->specs.cipher_type == aead) { else if (ssl->specs.cipher_type == aead) {
minLength = ssl->specs.aead_mac_size; /* authTag size */ minLength = ssl->specs.aead_mac_size; /* authTag size */
if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
minLength += AEAD_EXP_IV_SZ; /* explicit IV */ minLength += AESGCM_EXP_IV_SZ; /* explicit IV */
} }
if (encryptSz < minLength) { if (encryptSz < minLength) {
@@ -7008,7 +7012,7 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx)
} }
else if (ssl->specs.cipher_type == aead) { else if (ssl->specs.cipher_type == aead) {
if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
ivExtra = AEAD_EXP_IV_SZ; ivExtra = AESGCM_EXP_IV_SZ;
} }
dataSz = msgSz - ivExtra - ssl->keys.padSz; dataSz = msgSz - ivExtra - ssl->keys.padSz;
@@ -7410,7 +7414,7 @@ int ProcessReply(WOLFSSL* ssl)
/* go past TLSv1.1 IV */ /* go past TLSv1.1 IV */
if (ssl->specs.cipher_type == aead && if (ssl->specs.cipher_type == aead &&
ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ; ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ;
#endif /* ATOMIC_USER */ #endif /* ATOMIC_USER */
} }
else { else {
@@ -7429,7 +7433,7 @@ int ProcessReply(WOLFSSL* ssl)
/* go past TLSv1.1 IV */ /* go past TLSv1.1 IV */
if (ssl->specs.cipher_type == aead && if (ssl->specs.cipher_type == aead &&
ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ; ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ;
ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer + ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer +
ssl->buffers.inputBuffer.idx, ssl->buffers.inputBuffer.idx,
@@ -7959,10 +7963,10 @@ static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
#ifdef HAVE_AEAD #ifdef HAVE_AEAD
if (ssl->specs.cipher_type == aead) { if (ssl->specs.cipher_type == aead) {
if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
ivSz = AEAD_EXP_IV_SZ; ivSz = AESGCM_EXP_IV_SZ;
sz += (ivSz + ssl->specs.aead_mac_size - digestSz); sz += (ivSz + ssl->specs.aead_mac_size - digestSz);
XMEMCPY(iv, ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ); XMEMCPY(iv, ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
} }
#endif #endif
if (sz > (word32)outSz) { if (sz > (word32)outSz) {

152
src/keys.c
View File

@@ -597,7 +597,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -615,7 +615,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -633,7 +633,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -651,7 +651,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -669,7 +669,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 1; ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -687,7 +687,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 1; ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -705,7 +705,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 1; ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -723,7 +723,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 1; ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -741,7 +741,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
break; break;
@@ -759,7 +759,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
break; break;
@@ -778,7 +778,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
break; break;
@@ -796,7 +796,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
break; break;
@@ -814,7 +814,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -833,7 +833,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -852,7 +852,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -871,7 +871,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -890,7 +890,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -909,7 +909,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ; ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -1158,7 +1158,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -1177,7 +1177,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -1196,7 +1196,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -1215,7 +1215,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
ssl->options.usingPSK_cipher = 1; ssl->options.usingPSK_cipher = 1;
@@ -1602,7 +1602,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -1620,7 +1620,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -1638,7 +1638,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -1656,7 +1656,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ; ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break; break;
@@ -1958,6 +1958,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
/* Check that the max implicit iv size is suffecient */
#if (AEAD_MAX_IMP_SZ < 12) /* CHACHA20_IMP_IV_SZ */
#error AEAD_MAX_IMP_SZ is too small for ChaCha20
#endif
#if (MAX_WRITE_IV_SZ < 12) /* CHACHA20_IMP_IV_SZ */
#error MAX_WRITE_IV_SZ is too small for ChaCha20
#endif
if (specs->bulk_cipher_algorithm == wolfssl_chacha) { if (specs->bulk_cipher_algorithm == wolfssl_chacha) {
int chachaRet; int chachaRet;
if (enc && enc->chacha == NULL) if (enc && enc->chacha == NULL)
@@ -1975,14 +1983,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
chachaRet = wc_Chacha_SetKey(enc->chacha, keys->client_write_key, chachaRet = wc_Chacha_SetKey(enc->chacha, keys->client_write_key,
specs->key_size); specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV, XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
CHACHA20_IV_SIZE); CHACHA20_IMP_IV_SZ);
if (chachaRet != 0) return chachaRet; if (chachaRet != 0) return chachaRet;
} }
if (dec) { if (dec) {
chachaRet = wc_Chacha_SetKey(dec->chacha, keys->server_write_key, chachaRet = wc_Chacha_SetKey(dec->chacha, keys->server_write_key,
specs->key_size); specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV, XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
CHACHA20_IV_SIZE); CHACHA20_IMP_IV_SZ);
if (chachaRet != 0) return chachaRet; if (chachaRet != 0) return chachaRet;
} }
} }
@@ -1991,14 +1999,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
chachaRet = wc_Chacha_SetKey(enc->chacha, keys->server_write_key, chachaRet = wc_Chacha_SetKey(enc->chacha, keys->server_write_key,
specs->key_size); specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV, XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
CHACHA20_IV_SIZE); CHACHA20_IMP_IV_SZ);
if (chachaRet != 0) return chachaRet; if (chachaRet != 0) return chachaRet;
} }
if (dec) { if (dec) {
chachaRet = wc_Chacha_SetKey(dec->chacha, keys->client_write_key, chachaRet = wc_Chacha_SetKey(dec->chacha, keys->client_write_key,
specs->key_size); specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV, XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
CHACHA20_IV_SIZE); CHACHA20_IMP_IV_SZ);
if (chachaRet != 0) return chachaRet; if (chachaRet != 0) return chachaRet;
} }
} }
@@ -2011,6 +2019,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif #endif
#ifdef HAVE_HC128 #ifdef HAVE_HC128
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 16) /* HC_128_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for HC128
#endif
if (specs->bulk_cipher_algorithm == wolfssl_hc128) { if (specs->bulk_cipher_algorithm == wolfssl_hc128) {
int hcRet; int hcRet;
if (enc && enc->hc128 == NULL) if (enc && enc->hc128 == NULL)
@@ -2055,6 +2068,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif #endif
#ifdef BUILD_RABBIT #ifdef BUILD_RABBIT
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 8) /* RABBIT_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for RABBIT
#endif
if (specs->bulk_cipher_algorithm == wolfssl_rabbit) { if (specs->bulk_cipher_algorithm == wolfssl_rabbit) {
int rabRet; int rabRet;
if (enc && enc->rabbit == NULL) if (enc && enc->rabbit == NULL)
@@ -2099,6 +2117,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif #endif
#ifdef BUILD_DES3 #ifdef BUILD_DES3
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 8) /* DES_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for 3DES
#endif
if (specs->bulk_cipher_algorithm == wolfssl_triple_des) { if (specs->bulk_cipher_algorithm == wolfssl_triple_des) {
int desRet = 0; int desRet = 0;
@@ -2158,6 +2181,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif #endif
#ifdef BUILD_AES #ifdef BUILD_AES
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 16) /* AES_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for AES
#endif
if (specs->bulk_cipher_algorithm == wolfssl_aes) { if (specs->bulk_cipher_algorithm == wolfssl_aes) {
int aesRet = 0; int aesRet = 0;
@@ -2221,6 +2249,17 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif #endif
#ifdef BUILD_AESGCM #ifdef BUILD_AESGCM
/* check that buffer sizes are sufficient */
#if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */
#error AEAD_MAX_IMP_SZ too small for AESGCM
#endif
#if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */
#error AEAD_MAX_EXP_SZ too small for AESGCM
#endif
#if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */
#error MAX_WRITE_IV_SZ too small for AESGCM
#endif
if (specs->bulk_cipher_algorithm == wolfssl_aes_gcm) { if (specs->bulk_cipher_algorithm == wolfssl_aes_gcm) {
int gcmRet; int gcmRet;
@@ -2239,14 +2278,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
specs->key_size); specs->key_size);
if (gcmRet != 0) return gcmRet; if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV, XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
AEAD_IMP_IV_SZ); AESGCM_IMP_IV_SZ);
} }
if (dec) { if (dec) {
gcmRet = wc_AesGcmSetKey(dec->aes, keys->server_write_key, gcmRet = wc_AesGcmSetKey(dec->aes, keys->server_write_key,
specs->key_size); specs->key_size);
if (gcmRet != 0) return gcmRet; if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV, XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
AEAD_IMP_IV_SZ); AESGCM_IMP_IV_SZ);
} }
} }
else { else {
@@ -2255,14 +2294,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
specs->key_size); specs->key_size);
if (gcmRet != 0) return gcmRet; if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV, XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
AEAD_IMP_IV_SZ); AESGCM_IMP_IV_SZ);
} }
if (dec) { if (dec) {
gcmRet = wc_AesGcmSetKey(dec->aes, keys->client_write_key, gcmRet = wc_AesGcmSetKey(dec->aes, keys->client_write_key,
specs->key_size); specs->key_size);
if (gcmRet != 0) return gcmRet; if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV, XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
AEAD_IMP_IV_SZ); AESGCM_IMP_IV_SZ);
} }
} }
if (enc) if (enc)
@@ -2273,6 +2312,17 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif #endif
#ifdef HAVE_AESCCM #ifdef HAVE_AESCCM
/* check that buffer sizes are sufficient (CCM is same size as GCM) */
#if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */
#error AEAD_MAX_IMP_SZ too small for AESCCM
#endif
#if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */
#error AEAD_MAX_EXP_SZ too small for AESCCM
#endif
#if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */
#error MAX_WRITE_IV_SZ too small for AESCCM
#endif
if (specs->bulk_cipher_algorithm == wolfssl_aes_ccm) { if (specs->bulk_cipher_algorithm == wolfssl_aes_ccm) {
if (enc && enc->aes == NULL) if (enc && enc->aes == NULL)
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER); enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
@@ -2287,24 +2337,24 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (enc) { if (enc) {
wc_AesCcmSetKey(enc->aes, keys->client_write_key, specs->key_size); wc_AesCcmSetKey(enc->aes, keys->client_write_key, specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV, XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
AEAD_IMP_IV_SZ); AESGCM_IMP_IV_SZ);
} }
if (dec) { if (dec) {
wc_AesCcmSetKey(dec->aes, keys->server_write_key, specs->key_size); wc_AesCcmSetKey(dec->aes, keys->server_write_key, specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV, XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
AEAD_IMP_IV_SZ); AESGCM_IMP_IV_SZ);
} }
} }
else { else {
if (enc) { if (enc) {
wc_AesCcmSetKey(enc->aes, keys->server_write_key, specs->key_size); wc_AesCcmSetKey(enc->aes, keys->server_write_key, specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV, XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
AEAD_IMP_IV_SZ); AESGCM_IMP_IV_SZ);
} }
if (dec) { if (dec) {
wc_AesCcmSetKey(dec->aes, keys->client_write_key, specs->key_size); wc_AesCcmSetKey(dec->aes, keys->client_write_key, specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV, XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
AEAD_IMP_IV_SZ); AESGCM_IMP_IV_SZ);
} }
} }
if (enc) if (enc)
@@ -2315,6 +2365,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif #endif
#ifdef HAVE_CAMELLIA #ifdef HAVE_CAMELLIA
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 16) /* CAMELLIA_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for CAMELLIA
#endif
if (specs->bulk_cipher_algorithm == wolfssl_camellia) { if (specs->bulk_cipher_algorithm == wolfssl_camellia) {
int camRet; int camRet;
@@ -2362,6 +2417,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif #endif
#ifdef HAVE_IDEA #ifdef HAVE_IDEA
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 8) /* IDEA_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for IDEA
#endif
if (specs->bulk_cipher_algorithm == wolfssl_idea) { if (specs->bulk_cipher_algorithm == wolfssl_idea) {
int ideaRet; int ideaRet;
@@ -2528,14 +2588,14 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
XMEMCPY(ssl->keys.client_write_key, XMEMCPY(ssl->keys.client_write_key,
keys->client_write_key, AES_256_KEY_SIZE); keys->client_write_key, AES_256_KEY_SIZE);
XMEMCPY(ssl->keys.client_write_IV, XMEMCPY(ssl->keys.client_write_IV,
keys->client_write_IV, AES_IV_SIZE); keys->client_write_IV, MAX_WRITE_IV_SZ);
} else { } else {
XMEMCPY(ssl->keys.server_write_MAC_secret, XMEMCPY(ssl->keys.server_write_MAC_secret,
keys->server_write_MAC_secret, MAX_DIGEST_SIZE); keys->server_write_MAC_secret, MAX_DIGEST_SIZE);
XMEMCPY(ssl->keys.server_write_key, XMEMCPY(ssl->keys.server_write_key,
keys->server_write_key, AES_256_KEY_SIZE); keys->server_write_key, AES_256_KEY_SIZE);
XMEMCPY(ssl->keys.server_write_IV, XMEMCPY(ssl->keys.server_write_IV,
keys->server_write_IV, AES_IV_SIZE); keys->server_write_IV, MAX_WRITE_IV_SZ);
} }
if (wc_encrypt) { if (wc_encrypt) {
ssl->keys.sequence_number = keys->sequence_number; ssl->keys.sequence_number = keys->sequence_number;
@@ -2543,15 +2603,15 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
if (ssl->specs.cipher_type == aead) { if (ssl->specs.cipher_type == aead) {
/* Initialize the AES-GCM/CCM explicit IV to a zero. */ /* Initialize the AES-GCM/CCM explicit IV to a zero. */
XMEMCPY(ssl->keys.aead_exp_IV, keys->aead_exp_IV, XMEMCPY(ssl->keys.aead_exp_IV, keys->aead_exp_IV,
AEAD_EXP_IV_SZ); AEAD_MAX_EXP_SZ);
/* Initialize encrypt implicit IV by encrypt side */ /* Initialize encrypt implicit IV by encrypt side */
if (ssl->options.side == WOLFSSL_CLIENT_END) { if (ssl->options.side == WOLFSSL_CLIENT_END) {
XMEMCPY(ssl->keys.aead_enc_imp_IV, XMEMCPY(ssl->keys.aead_enc_imp_IV,
keys->client_write_IV, AEAD_NONCE_SZ); keys->client_write_IV, AEAD_MAX_IMP_SZ);
} else { } else {
XMEMCPY(ssl->keys.aead_enc_imp_IV, XMEMCPY(ssl->keys.aead_enc_imp_IV,
keys->server_write_IV, AEAD_NONCE_SZ); keys->server_write_IV, AEAD_MAX_IMP_SZ);
} }
} }
#endif #endif
@@ -2563,10 +2623,10 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
/* Initialize decrypt implicit IV by decrypt side */ /* Initialize decrypt implicit IV by decrypt side */
if (ssl->options.side == WOLFSSL_SERVER_END) { if (ssl->options.side == WOLFSSL_SERVER_END) {
XMEMCPY(ssl->keys.aead_dec_imp_IV, XMEMCPY(ssl->keys.aead_dec_imp_IV,
keys->client_write_IV, AEAD_NONCE_SZ); keys->client_write_IV, AEAD_MAX_IMP_SZ);
} else { } else {
XMEMCPY(ssl->keys.aead_dec_imp_IV, XMEMCPY(ssl->keys.aead_dec_imp_IV,
keys->server_write_IV, AEAD_NONCE_SZ); keys->server_write_IV, AEAD_MAX_IMP_SZ);
} }
} }
#endif #endif
@@ -2614,7 +2674,7 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData)
#ifdef HAVE_AEAD #ifdef HAVE_AEAD
if (ssl->specs.cipher_type == aead) { if (ssl->specs.cipher_type == aead) {
/* Initialize the AES-GCM/CCM explicit IV to a zero. */ /* Initialize the AES-GCM/CCM explicit IV to a zero. */
XMEMSET(keys->aead_exp_IV, 0, AEAD_EXP_IV_SZ); XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ);
} }
#endif #endif

16
src/sniffer.c
View File

@@ -1973,23 +1973,23 @@ static int Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
#ifdef HAVE_AESGCM #ifdef HAVE_AESGCM
case wolfssl_aes_gcm: case wolfssl_aes_gcm:
if (sz >= (word32)(AEAD_EXP_IV_SZ + ssl->specs.aead_mac_size)) if (sz >= (word32)(AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size))
{ {
byte nonce[AEAD_NONCE_SZ]; byte nonce[AESGCM_NONCE_SZ];
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ); XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ); XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
if (wc_AesGcmEncrypt(ssl->decrypt.aes, if (wc_AesGcmEncrypt(ssl->decrypt.aes,
output, output,
input + AEAD_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ, nonce, AESGCM_NONCE_SZ,
NULL, 0, NULL, 0,
NULL, 0) < 0) { NULL, 0) < 0) {
Trace(BAD_DECRYPT); Trace(BAD_DECRYPT);
ret = -1; ret = -1;
} }
ForceZero(nonce, AEAD_NONCE_SZ); ForceZero(nonce, AESGCM_NONCE_SZ);
} }
else { else {
Trace(BAD_DECRYPT_SIZE); Trace(BAD_DECRYPT_SIZE);

33
src/tls.c
View File

@@ -2657,7 +2657,8 @@ static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
int i; int i;
for (i = 0; i < ssl->suites->suiteSz; i+= 2) for (i = 0; i < ssl->suites->suiteSz; i+= 2)
if (ssl->suites->suites[i] == ECC_BYTE) if (ssl->suites->suites[i] == ECC_BYTE ||
ssl->suites->suites[i] == CHACHA_BYTE)
return; return;
/* turns semaphore on to avoid sending this extension. */ /* turns semaphore on to avoid sending this extension. */
@@ -2734,7 +2735,7 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
} }
int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
TLSX* extension = (first == ECC_BYTE) TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE)
? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
: NULL; : NULL;
EllipticCurve* curve = NULL; EllipticCurve* curve = NULL;
@@ -2773,6 +2774,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
default: continue; /* unsupported curve */ default: continue; /* unsupported curve */
} }
if (first == ECC_BYTE) {
switch (second) { switch (second) {
#ifndef NO_DSA #ifndef NO_DSA
/* ECDHE_ECDSA */ /* ECDHE_ECDSA */
@@ -2835,6 +2837,33 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
key = 1; key = 1;
break; break;
} }
}
/* ChaCha20-Poly1305 ECC cipher suites */
if (first == CHACHA_BYTE) {
switch (second) {
#ifndef NO_DSA
/* ECDHE_ECDSA */
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
sig |= ssl->pkCurveOID == oid;
key |= ssl->eccTempKeySz == octets;
break;
#endif
#ifndef NO_RSA
/* ECDHE_RSA */
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
sig = 1;
key |= ssl->eccTempKeySz == octets;
break;
#endif
default:
sig = 1;
key = 1;
break;
}
}
} }
return sig && key; return sig && key;

49
wolfssl/internal.h
View File

@@ -820,7 +820,7 @@ enum {
enum Misc { enum Misc {
ECC_BYTE = 0xC0, /* ECC first cipher suite byte */ ECC_BYTE = 0xC0, /* ECC first cipher suite byte */
QSH_BYTE = 0xD0, /* Quantum-safe Handshake cipher suite */ QSH_BYTE = 0xD0, /* Quantum-safe Handshake cipher suite */
CHACHA_BYTE = 0xCC, /* ChaCha first cipher suite */ CHACHA_BYTE = 0xCC, /* ChaCha first cipher suite */
@@ -929,15 +929,21 @@ enum Misc {
AES_IV_SIZE = 16, /* always block size */ AES_IV_SIZE = 16, /* always block size */
AES_128_KEY_SIZE = 16, /* for 128 bit */ AES_128_KEY_SIZE = 16, /* for 128 bit */
AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */ AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */
AEAD_TYPE_OFFSET = 8, /* Auth Data: Type */ AEAD_TYPE_OFFSET = 8, /* Auth Data: Type */
AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */ AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */
AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */ AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */
AEAD_LEN_OFFSET = 11, /* Auth Data: Length */ AEAD_LEN_OFFSET = 11, /* Auth Data: Length */
AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */ AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */
AEAD_IMP_IV_SZ = 4, /* Size of the implicit IV */ AESGCM_IMP_IV_SZ = 4, /* Size of GCM/CCM AEAD implicit IV */
AEAD_EXP_IV_SZ = 8, /* Size of the explicit IV */ AESGCM_EXP_IV_SZ = 8, /* Size of GCM/CCM AEAD explicit IV */
AEAD_NONCE_SZ = AEAD_EXP_IV_SZ + AEAD_IMP_IV_SZ, AESGCM_NONCE_SZ = AESGCM_EXP_IV_SZ + AESGCM_IMP_IV_SZ,
CHACHA20_IMP_IV_SZ = 12, /* Size of ChaCha20 AEAD implicit IV */
CHACHA20_NONCE_SZ = 12, /* Size of ChacCha20 nonce */
CHACHA20_OLD_OFFSET = 8, /* Offset for seq # in old poly1305 */
/* For any new implicit/explicit IV size adjust AEAD_MAX_***_SZ */
AES_GCM_AUTH_SZ = 16, /* AES-GCM Auth Tag length */ AES_GCM_AUTH_SZ = 16, /* AES-GCM Auth Tag length */
AES_CCM_16_AUTH_SZ = 16, /* AES-CCM-16 Auth Tag length */ AES_CCM_16_AUTH_SZ = 16, /* AES-CCM-16 Auth Tag length */
@@ -1009,6 +1015,17 @@ enum Misc {
}; };
/* Set max implicit IV size for AEAD cipher suites */
#ifdef HAVE_CHACHA
#define AEAD_MAX_IMP_SZ 12
#else
#define AEAD_MAX_IMP_SZ 4
#endif
/* Set max explicit IV size for AEAD cipher suites */
#define AEAD_MAX_EXP_SZ 8
#ifndef WOLFSSL_MAX_SUITE_SZ #ifndef WOLFSSL_MAX_SUITE_SZ
#define WOLFSSL_MAX_SUITE_SZ 300 #define WOLFSSL_MAX_SUITE_SZ 300
/* 150 suites for now! */ /* 150 suites for now! */
@@ -1455,18 +1472,20 @@ typedef struct WOLFSSL_DTLS_CTX {
#endif /* WOLFSSL_DTLS */ #endif /* WOLFSSL_DTLS */
#define MAX_WRITE_IV_SZ 16 /* max size of client/server write_IV */
/* keys and secrets */ /* keys and secrets */
typedef struct Keys { typedef struct Keys {
byte client_write_MAC_secret[MAX_DIGEST_SIZE]; /* max sizes */ byte client_write_MAC_secret[MAX_DIGEST_SIZE]; /* max sizes */
byte server_write_MAC_secret[MAX_DIGEST_SIZE]; byte server_write_MAC_secret[MAX_DIGEST_SIZE];
byte client_write_key[AES_256_KEY_SIZE]; /* max sizes */ byte client_write_key[AES_256_KEY_SIZE]; /* max sizes */
byte server_write_key[AES_256_KEY_SIZE]; byte server_write_key[AES_256_KEY_SIZE];
byte client_write_IV[AES_IV_SIZE]; /* max sizes */ byte client_write_IV[MAX_WRITE_IV_SZ]; /* max sizes */
byte server_write_IV[AES_IV_SIZE]; byte server_write_IV[MAX_WRITE_IV_SZ];
#ifdef HAVE_AEAD #ifdef HAVE_AEAD
byte aead_exp_IV[AEAD_EXP_IV_SZ]; byte aead_exp_IV[AEAD_MAX_EXP_SZ];
byte aead_enc_imp_IV[AEAD_NONCE_SZ]; /* full size needed for chacha-poly */ byte aead_enc_imp_IV[AEAD_MAX_IMP_SZ];
byte aead_dec_imp_IV[AEAD_NONCE_SZ]; byte aead_dec_imp_IV[AEAD_MAX_IMP_SZ];
#endif #endif
word32 peer_sequence_number; word32 peer_sequence_number;