forked from wolfSSL/wolfssl
naming for AEAD macros and TLSX with chacha-poly
This commit is contained in:
Jacob Barthelmeh
@ -1024,6 +1024,34 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
|
||||
ssl = wolfSSL_new(ctx);
|
||||
if (ssl == NULL)
|
||||
err_sys("unable to get SSL object");
|
||||
|
||||
#ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */
|
||||
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1)
|
||||
!= SSL_SUCCESS) {
|
||||
err_sys("unable to set curve secp256r1");
|
||||
}
|
||||
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP384R1)
|
||||
!= SSL_SUCCESS) {
|
||||
err_sys("unable to set curve secp384r1");
|
||||
}
|
||||
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP521R1)
|
||||
!= SSL_SUCCESS) {
|
||||
err_sys("unable to set curve secp521r1");
|
||||
}
|
||||
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP224R1)
|
||||
!= SSL_SUCCESS) {
|
||||
err_sys("unable to set curve secp224r1");
|
||||
}
|
||||
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP192R1)
|
||||
!= SSL_SUCCESS) {
|
||||
err_sys("unable to set curve secp192r1");
|
||||
}
|
||||
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP160R1)
|
||||
!= SSL_SUCCESS) {
|
||||
err_sys("unable to set curve secp160r1");
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
|
||||
#endif
|
||||
|
||||
116
src/internal.c
116
src/internal.c
@ -2030,8 +2030,9 @@ void FreeArrays(WOLFSSL* ssl, int keep)
|
||||
if (ssl->arrays) {
|
||||
XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
|
||||
ssl->arrays->pendingMsg = NULL;
|
||||
ForceZero(ssl->arrays, sizeof(Arrays)); /* clear arrays struct */
|
||||
}
|
||||
XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_CERT);
|
||||
XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_ARRAYS);
|
||||
ssl->arrays = NULL;
|
||||
}
|
||||
|
||||
@ -2053,6 +2054,9 @@ void SSL_ResourceFree(WOLFSSL* ssl)
|
||||
XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES);
|
||||
XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);
|
||||
|
||||
/* clear keys struct after session */
|
||||
ForceZero(&(ssl->keys), sizeof(Keys));
|
||||
|
||||
#ifndef NO_DH
|
||||
XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH);
|
||||
XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH);
|
||||
@ -6031,7 +6035,7 @@ static INLINE word32 GetSEQIncrement(WOLFSSL* ssl, int verify)
|
||||
static INLINE void AeadIncrementExpIV(WOLFSSL* ssl)
|
||||
{
|
||||
int i;
|
||||
for (i = AEAD_EXP_IV_SZ-1; i >= 0; i--) {
|
||||
for (i = AEAD_MAX_EXP_SZ-1; i >= 0; i--) {
|
||||
if (++ssl->keys.aead_exp_IV[i]) return;
|
||||
}
|
||||
}
|
||||
@ -6099,7 +6103,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
|
||||
word32 msgLen = (sz - ssl->specs.aead_mac_size);
|
||||
byte tag[POLY1305_AUTH_SZ];
|
||||
byte add[AEAD_AUTH_DATA_SZ];
|
||||
byte nonce[CHACHA20_IV_SIZE];
|
||||
byte nonce[CHACHA20_NONCE_SZ];
|
||||
byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */
|
||||
#ifdef CHACHA_AEAD_TEST
|
||||
int i;
|
||||
@ -6112,8 +6116,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
|
||||
|
||||
if (ssl->options.oldPoly != 0) {
|
||||
/* get nonce */
|
||||
c32toa(ssl->keys.sequence_number, nonce + AEAD_IMP_IV_SZ
|
||||
+ AEAD_SEQ_OFFSET);
|
||||
c32toa(ssl->keys.sequence_number, nonce + CHACHA20_OLD_OFFSET);
|
||||
}
|
||||
|
||||
/* opaque SEQ number stored for AD */
|
||||
@ -6152,7 +6155,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
|
||||
if (ssl->options.oldPoly == 0) {
|
||||
/* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
|
||||
* record sequence number XORed with client_write_IV/server_write_IV */
|
||||
XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IV_SIZE);
|
||||
XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IMP_IV_SZ);
|
||||
nonce[4] ^= add[0];
|
||||
nonce[5] ^= add[1];
|
||||
nonce[6] ^= add[2];
|
||||
@ -6165,11 +6168,11 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
|
||||
|
||||
/* set the nonce for chacha and get poly1305 key */
|
||||
if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0) {
|
||||
ForceZero(nonce, AEAD_NONCE_SZ);
|
||||
ForceZero(nonce, CHACHA20_NONCE_SZ);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ForceZero(nonce, AEAD_NONCE_SZ); /* done with nonce, clear it */
|
||||
ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
|
||||
/* create Poly1305 key using chacha20 keystream */
|
||||
if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, poly,
|
||||
poly, sizeof(poly))) != 0)
|
||||
@ -6233,7 +6236,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
word16 sz)
|
||||
{
|
||||
byte add[AEAD_AUTH_DATA_SZ];
|
||||
byte nonce[CHACHA20_IV_SIZE];
|
||||
byte nonce[CHACHA20_NONCE_SZ];
|
||||
byte tag[POLY1305_AUTH_SZ];
|
||||
byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
|
||||
int ret = 0;
|
||||
@ -6257,8 +6260,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
|
||||
if (ssl->options.oldPoly != 0) {
|
||||
/* get nonce */
|
||||
c32toa(ssl->keys.peer_sequence_number, nonce + AEAD_IMP_IV_SZ
|
||||
+ AEAD_SEQ_OFFSET);
|
||||
c32toa(ssl->keys.peer_sequence_number, nonce + CHACHA20_OLD_OFFSET);
|
||||
}
|
||||
|
||||
/* sequence number field is 64-bits, we only use 32-bits */
|
||||
@ -6290,7 +6292,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
if (ssl->options.oldPoly == 0) {
|
||||
/* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
|
||||
* record sequence number XORed with client_write_IV/server_write_IV */
|
||||
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IV_SIZE);
|
||||
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IMP_IV_SZ);
|
||||
nonce[4] ^= add[0];
|
||||
nonce[5] ^= add[1];
|
||||
nonce[6] ^= add[2];
|
||||
@ -6303,11 +6305,11 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
|
||||
/* set nonce and get poly1305 key */
|
||||
if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0) {
|
||||
ForceZero(nonce, AEAD_NONCE_SZ);
|
||||
ForceZero(nonce, CHACHA20_NONCE_SZ);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ForceZero(nonce, AEAD_NONCE_SZ); /* done with nonce, clear it */
|
||||
ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
|
||||
/* use chacha20 keystream to get poly1305 key for tag */
|
||||
if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, poly,
|
||||
poly, sizeof(poly))) != 0)
|
||||
@ -6403,7 +6405,7 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
|
||||
case wolfssl_aes_gcm:
|
||||
{
|
||||
byte additional[AEAD_AUTH_DATA_SZ];
|
||||
byte nonce[AEAD_NONCE_SZ];
|
||||
byte nonce[AESGCM_NONCE_SZ];
|
||||
const byte* additionalSrc = input - 5;
|
||||
|
||||
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
|
||||
@ -6424,30 +6426,31 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
|
||||
|
||||
/* Store the length of the plain text minus the explicit
|
||||
* IV length minus the authentication tag size. */
|
||||
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
additional + AEAD_LEN_OFFSET);
|
||||
XMEMCPY(nonce,
|
||||
ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AEAD_IMP_IV_SZ,
|
||||
ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
|
||||
ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AESGCM_IMP_IV_SZ,
|
||||
ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
|
||||
ret = wc_AesGcmEncrypt(ssl->encrypt.aes,
|
||||
out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ,
|
||||
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AEAD_NONCE_SZ,
|
||||
out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
|
||||
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AESGCM_NONCE_SZ,
|
||||
out + sz - ssl->specs.aead_mac_size,
|
||||
ssl->specs.aead_mac_size,
|
||||
additional, AEAD_AUTH_DATA_SZ);
|
||||
AeadIncrementExpIV(ssl);
|
||||
ForceZero(nonce, AEAD_NONCE_SZ);
|
||||
ForceZero(nonce, AESGCM_NONCE_SZ);
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_AESCCM
|
||||
/* AEAD CCM uses same size as macros for AESGCM */
|
||||
case wolfssl_aes_ccm:
|
||||
{
|
||||
byte additional[AEAD_AUTH_DATA_SZ];
|
||||
byte nonce[AEAD_NONCE_SZ];
|
||||
byte nonce[AESGCM_NONCE_SZ];
|
||||
const byte* additionalSrc = input - 5;
|
||||
|
||||
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
|
||||
@ -6468,21 +6471,21 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
|
||||
|
||||
/* Store the length of the plain text minus the explicit
|
||||
* IV length minus the authentication tag size. */
|
||||
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
additional + AEAD_LEN_OFFSET);
|
||||
XMEMCPY(nonce,
|
||||
ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AEAD_IMP_IV_SZ,
|
||||
ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
|
||||
ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AESGCM_IMP_IV_SZ,
|
||||
ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
|
||||
ret = wc_AesCcmEncrypt(ssl->encrypt.aes,
|
||||
out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ,
|
||||
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AEAD_NONCE_SZ,
|
||||
out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
|
||||
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AESGCM_NONCE_SZ,
|
||||
out + sz - ssl->specs.aead_mac_size,
|
||||
ssl->specs.aead_mac_size,
|
||||
additional, AEAD_AUTH_DATA_SZ);
|
||||
AeadIncrementExpIV(ssl);
|
||||
ForceZero(nonce, AEAD_NONCE_SZ);
|
||||
ForceZero(nonce, AESGCM_NONCE_SZ);
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
@ -6572,7 +6575,7 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
case wolfssl_aes_gcm:
|
||||
{
|
||||
byte additional[AEAD_AUTH_DATA_SZ];
|
||||
byte nonce[AEAD_NONCE_SZ];
|
||||
byte nonce[AESGCM_NONCE_SZ];
|
||||
|
||||
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
|
||||
|
||||
@ -6588,31 +6591,32 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
|
||||
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
|
||||
|
||||
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
additional + AEAD_LEN_OFFSET);
|
||||
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
|
||||
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
|
||||
if (wc_AesGcmDecrypt(ssl->decrypt.aes,
|
||||
plain + AEAD_EXP_IV_SZ,
|
||||
input + AEAD_EXP_IV_SZ,
|
||||
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AEAD_NONCE_SZ,
|
||||
plain + AESGCM_EXP_IV_SZ,
|
||||
input + AESGCM_EXP_IV_SZ,
|
||||
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AESGCM_NONCE_SZ,
|
||||
input + sz - ssl->specs.aead_mac_size,
|
||||
ssl->specs.aead_mac_size,
|
||||
additional, AEAD_AUTH_DATA_SZ) < 0) {
|
||||
SendAlert(ssl, alert_fatal, bad_record_mac);
|
||||
ret = VERIFY_MAC_ERROR;
|
||||
}
|
||||
ForceZero(nonce, AEAD_NONCE_SZ);
|
||||
ForceZero(nonce, AESGCM_NONCE_SZ);
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_AESCCM
|
||||
/* AESGCM AEAD macros use same size as AESCCM */
|
||||
case wolfssl_aes_ccm:
|
||||
{
|
||||
byte additional[AEAD_AUTH_DATA_SZ];
|
||||
byte nonce[AEAD_NONCE_SZ];
|
||||
byte nonce[AESGCM_NONCE_SZ];
|
||||
|
||||
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
|
||||
|
||||
@ -6628,22 +6632,22 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
|
||||
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
|
||||
|
||||
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
additional + AEAD_LEN_OFFSET);
|
||||
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
|
||||
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
|
||||
if (wc_AesCcmDecrypt(ssl->decrypt.aes,
|
||||
plain + AEAD_EXP_IV_SZ,
|
||||
input + AEAD_EXP_IV_SZ,
|
||||
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AEAD_NONCE_SZ,
|
||||
plain + AESGCM_EXP_IV_SZ,
|
||||
input + AESGCM_EXP_IV_SZ,
|
||||
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AESGCM_NONCE_SZ,
|
||||
input + sz - ssl->specs.aead_mac_size,
|
||||
ssl->specs.aead_mac_size,
|
||||
additional, AEAD_AUTH_DATA_SZ) < 0) {
|
||||
SendAlert(ssl, alert_fatal, bad_record_mac);
|
||||
ret = VERIFY_MAC_ERROR;
|
||||
}
|
||||
ForceZero(nonce, AEAD_NONCE_SZ);
|
||||
ForceZero(nonce, AESGCM_NONCE_SZ);
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
@ -6722,7 +6726,7 @@ static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
|
||||
else if (ssl->specs.cipher_type == aead) {
|
||||
minLength = ssl->specs.aead_mac_size; /* authTag size */
|
||||
if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
|
||||
minLength += AEAD_EXP_IV_SZ; /* explicit IV */
|
||||
minLength += AESGCM_EXP_IV_SZ; /* explicit IV */
|
||||
}
|
||||
|
||||
if (encryptSz < minLength) {
|
||||
@ -7008,7 +7012,7 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx)
|
||||
}
|
||||
else if (ssl->specs.cipher_type == aead) {
|
||||
if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
|
||||
ivExtra = AEAD_EXP_IV_SZ;
|
||||
ivExtra = AESGCM_EXP_IV_SZ;
|
||||
}
|
||||
|
||||
dataSz = msgSz - ivExtra - ssl->keys.padSz;
|
||||
@ -7410,7 +7414,7 @@ int ProcessReply(WOLFSSL* ssl)
|
||||
/* go past TLSv1.1 IV */
|
||||
if (ssl->specs.cipher_type == aead &&
|
||||
ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
|
||||
ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ;
|
||||
ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ;
|
||||
#endif /* ATOMIC_USER */
|
||||
}
|
||||
else {
|
||||
@ -7429,7 +7433,7 @@ int ProcessReply(WOLFSSL* ssl)
|
||||
/* go past TLSv1.1 IV */
|
||||
if (ssl->specs.cipher_type == aead &&
|
||||
ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
|
||||
ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ;
|
||||
ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ;
|
||||
|
||||
ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer +
|
||||
ssl->buffers.inputBuffer.idx,
|
||||
@ -7959,10 +7963,10 @@ static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
|
||||
#ifdef HAVE_AEAD
|
||||
if (ssl->specs.cipher_type == aead) {
|
||||
if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
|
||||
ivSz = AEAD_EXP_IV_SZ;
|
||||
ivSz = AESGCM_EXP_IV_SZ;
|
||||
|
||||
sz += (ivSz + ssl->specs.aead_mac_size - digestSz);
|
||||
XMEMCPY(iv, ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
|
||||
XMEMCPY(iv, ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
|
||||
}
|
||||
#endif
|
||||
if (sz > (word32)outSz) {
|
||||
|
||||
152
src/keys.c
152
src/keys.c
@ -597,7 +597,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -615,7 +615,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -633,7 +633,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -651,7 +651,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -669,7 +669,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 1;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -687,7 +687,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 1;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -705,7 +705,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 1;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -723,7 +723,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 1;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -741,7 +741,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -759,7 +759,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -778,7 +778,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -796,7 +796,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -814,7 +814,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -833,7 +833,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -852,7 +852,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -871,7 +871,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -890,7 +890,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -909,7 +909,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -1158,7 +1158,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -1177,7 +1177,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -1196,7 +1196,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -1215,7 +1215,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
ssl->options.usingPSK_cipher = 1;
|
||||
@ -1602,7 +1602,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -1620,7 +1620,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -1638,7 +1638,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_128_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -1656,7 +1656,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
|
||||
ssl->specs.static_ecdh = 0;
|
||||
ssl->specs.key_size = AES_256_KEY_SIZE;
|
||||
ssl->specs.block_size = AES_BLOCK_SIZE;
|
||||
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
|
||||
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
|
||||
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
|
||||
|
||||
break;
|
||||
@ -1958,6 +1958,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
|
||||
|
||||
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
|
||||
/* Check that the max implicit iv size is suffecient */
|
||||
#if (AEAD_MAX_IMP_SZ < 12) /* CHACHA20_IMP_IV_SZ */
|
||||
#error AEAD_MAX_IMP_SZ is too small for ChaCha20
|
||||
#endif
|
||||
#if (MAX_WRITE_IV_SZ < 12) /* CHACHA20_IMP_IV_SZ */
|
||||
#error MAX_WRITE_IV_SZ is too small for ChaCha20
|
||||
#endif
|
||||
|
||||
if (specs->bulk_cipher_algorithm == wolfssl_chacha) {
|
||||
int chachaRet;
|
||||
if (enc && enc->chacha == NULL)
|
||||
@ -1975,14 +1983,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
chachaRet = wc_Chacha_SetKey(enc->chacha, keys->client_write_key,
|
||||
specs->key_size);
|
||||
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
|
||||
CHACHA20_IV_SIZE);
|
||||
CHACHA20_IMP_IV_SZ);
|
||||
if (chachaRet != 0) return chachaRet;
|
||||
}
|
||||
if (dec) {
|
||||
chachaRet = wc_Chacha_SetKey(dec->chacha, keys->server_write_key,
|
||||
specs->key_size);
|
||||
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
|
||||
CHACHA20_IV_SIZE);
|
||||
CHACHA20_IMP_IV_SZ);
|
||||
if (chachaRet != 0) return chachaRet;
|
||||
}
|
||||
}
|
||||
@ -1991,14 +1999,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
chachaRet = wc_Chacha_SetKey(enc->chacha, keys->server_write_key,
|
||||
specs->key_size);
|
||||
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
|
||||
CHACHA20_IV_SIZE);
|
||||
CHACHA20_IMP_IV_SZ);
|
||||
if (chachaRet != 0) return chachaRet;
|
||||
}
|
||||
if (dec) {
|
||||
chachaRet = wc_Chacha_SetKey(dec->chacha, keys->client_write_key,
|
||||
specs->key_size);
|
||||
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
|
||||
CHACHA20_IV_SIZE);
|
||||
CHACHA20_IMP_IV_SZ);
|
||||
if (chachaRet != 0) return chachaRet;
|
||||
}
|
||||
}
|
||||
@ -2011,6 +2019,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_HC128
|
||||
/* check that buffer sizes are sufficient */
|
||||
#if (MAX_WRITE_IV_SZ < 16) /* HC_128_IV_SIZE */
|
||||
#error MAX_WRITE_IV_SZ too small for HC128
|
||||
#endif
|
||||
|
||||
if (specs->bulk_cipher_algorithm == wolfssl_hc128) {
|
||||
int hcRet;
|
||||
if (enc && enc->hc128 == NULL)
|
||||
@ -2055,6 +2068,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
#endif
|
||||
|
||||
#ifdef BUILD_RABBIT
|
||||
/* check that buffer sizes are sufficient */
|
||||
#if (MAX_WRITE_IV_SZ < 8) /* RABBIT_IV_SIZE */
|
||||
#error MAX_WRITE_IV_SZ too small for RABBIT
|
||||
#endif
|
||||
|
||||
if (specs->bulk_cipher_algorithm == wolfssl_rabbit) {
|
||||
int rabRet;
|
||||
if (enc && enc->rabbit == NULL)
|
||||
@ -2099,6 +2117,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
#endif
|
||||
|
||||
#ifdef BUILD_DES3
|
||||
/* check that buffer sizes are sufficient */
|
||||
#if (MAX_WRITE_IV_SZ < 8) /* DES_IV_SIZE */
|
||||
#error MAX_WRITE_IV_SZ too small for 3DES
|
||||
#endif
|
||||
|
||||
if (specs->bulk_cipher_algorithm == wolfssl_triple_des) {
|
||||
int desRet = 0;
|
||||
|
||||
@ -2158,6 +2181,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
#endif
|
||||
|
||||
#ifdef BUILD_AES
|
||||
/* check that buffer sizes are sufficient */
|
||||
#if (MAX_WRITE_IV_SZ < 16) /* AES_IV_SIZE */
|
||||
#error MAX_WRITE_IV_SZ too small for AES
|
||||
#endif
|
||||
|
||||
if (specs->bulk_cipher_algorithm == wolfssl_aes) {
|
||||
int aesRet = 0;
|
||||
|
||||
@ -2221,6 +2249,17 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
#endif
|
||||
|
||||
#ifdef BUILD_AESGCM
|
||||
/* check that buffer sizes are sufficient */
|
||||
#if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */
|
||||
#error AEAD_MAX_IMP_SZ too small for AESGCM
|
||||
#endif
|
||||
#if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */
|
||||
#error AEAD_MAX_EXP_SZ too small for AESGCM
|
||||
#endif
|
||||
#if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */
|
||||
#error MAX_WRITE_IV_SZ too small for AESGCM
|
||||
#endif
|
||||
|
||||
if (specs->bulk_cipher_algorithm == wolfssl_aes_gcm) {
|
||||
int gcmRet;
|
||||
|
||||
@ -2239,14 +2278,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
specs->key_size);
|
||||
if (gcmRet != 0) return gcmRet;
|
||||
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
|
||||
AEAD_IMP_IV_SZ);
|
||||
AESGCM_IMP_IV_SZ);
|
||||
}
|
||||
if (dec) {
|
||||
gcmRet = wc_AesGcmSetKey(dec->aes, keys->server_write_key,
|
||||
specs->key_size);
|
||||
if (gcmRet != 0) return gcmRet;
|
||||
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
|
||||
AEAD_IMP_IV_SZ);
|
||||
AESGCM_IMP_IV_SZ);
|
||||
}
|
||||
}
|
||||
else {
|
||||
@ -2255,14 +2294,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
specs->key_size);
|
||||
if (gcmRet != 0) return gcmRet;
|
||||
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
|
||||
AEAD_IMP_IV_SZ);
|
||||
AESGCM_IMP_IV_SZ);
|
||||
}
|
||||
if (dec) {
|
||||
gcmRet = wc_AesGcmSetKey(dec->aes, keys->client_write_key,
|
||||
specs->key_size);
|
||||
if (gcmRet != 0) return gcmRet;
|
||||
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
|
||||
AEAD_IMP_IV_SZ);
|
||||
AESGCM_IMP_IV_SZ);
|
||||
}
|
||||
}
|
||||
if (enc)
|
||||
@ -2273,6 +2312,17 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_AESCCM
|
||||
/* check that buffer sizes are sufficient (CCM is same size as GCM) */
|
||||
#if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */
|
||||
#error AEAD_MAX_IMP_SZ too small for AESCCM
|
||||
#endif
|
||||
#if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */
|
||||
#error AEAD_MAX_EXP_SZ too small for AESCCM
|
||||
#endif
|
||||
#if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */
|
||||
#error MAX_WRITE_IV_SZ too small for AESCCM
|
||||
#endif
|
||||
|
||||
if (specs->bulk_cipher_algorithm == wolfssl_aes_ccm) {
|
||||
if (enc && enc->aes == NULL)
|
||||
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
|
||||
@ -2287,24 +2337,24 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
if (enc) {
|
||||
wc_AesCcmSetKey(enc->aes, keys->client_write_key, specs->key_size);
|
||||
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
|
||||
AEAD_IMP_IV_SZ);
|
||||
AESGCM_IMP_IV_SZ);
|
||||
}
|
||||
if (dec) {
|
||||
wc_AesCcmSetKey(dec->aes, keys->server_write_key, specs->key_size);
|
||||
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
|
||||
AEAD_IMP_IV_SZ);
|
||||
AESGCM_IMP_IV_SZ);
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (enc) {
|
||||
wc_AesCcmSetKey(enc->aes, keys->server_write_key, specs->key_size);
|
||||
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
|
||||
AEAD_IMP_IV_SZ);
|
||||
AESGCM_IMP_IV_SZ);
|
||||
}
|
||||
if (dec) {
|
||||
wc_AesCcmSetKey(dec->aes, keys->client_write_key, specs->key_size);
|
||||
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
|
||||
AEAD_IMP_IV_SZ);
|
||||
AESGCM_IMP_IV_SZ);
|
||||
}
|
||||
}
|
||||
if (enc)
|
||||
@ -2315,6 +2365,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_CAMELLIA
|
||||
/* check that buffer sizes are sufficient */
|
||||
#if (MAX_WRITE_IV_SZ < 16) /* CAMELLIA_IV_SIZE */
|
||||
#error MAX_WRITE_IV_SZ too small for CAMELLIA
|
||||
#endif
|
||||
|
||||
if (specs->bulk_cipher_algorithm == wolfssl_camellia) {
|
||||
int camRet;
|
||||
|
||||
@ -2362,6 +2417,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_IDEA
|
||||
/* check that buffer sizes are sufficient */
|
||||
#if (MAX_WRITE_IV_SZ < 8) /* IDEA_IV_SIZE */
|
||||
#error MAX_WRITE_IV_SZ too small for IDEA
|
||||
#endif
|
||||
|
||||
if (specs->bulk_cipher_algorithm == wolfssl_idea) {
|
||||
int ideaRet;
|
||||
|
||||
@ -2528,14 +2588,14 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
|
||||
XMEMCPY(ssl->keys.client_write_key,
|
||||
keys->client_write_key, AES_256_KEY_SIZE);
|
||||
XMEMCPY(ssl->keys.client_write_IV,
|
||||
keys->client_write_IV, AES_IV_SIZE);
|
||||
keys->client_write_IV, MAX_WRITE_IV_SZ);
|
||||
} else {
|
||||
XMEMCPY(ssl->keys.server_write_MAC_secret,
|
||||
keys->server_write_MAC_secret, MAX_DIGEST_SIZE);
|
||||
XMEMCPY(ssl->keys.server_write_key,
|
||||
keys->server_write_key, AES_256_KEY_SIZE);
|
||||
XMEMCPY(ssl->keys.server_write_IV,
|
||||
keys->server_write_IV, AES_IV_SIZE);
|
||||
keys->server_write_IV, MAX_WRITE_IV_SZ);
|
||||
}
|
||||
if (wc_encrypt) {
|
||||
ssl->keys.sequence_number = keys->sequence_number;
|
||||
@ -2543,15 +2603,15 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
|
||||
if (ssl->specs.cipher_type == aead) {
|
||||
/* Initialize the AES-GCM/CCM explicit IV to a zero. */
|
||||
XMEMCPY(ssl->keys.aead_exp_IV, keys->aead_exp_IV,
|
||||
AEAD_EXP_IV_SZ);
|
||||
AEAD_MAX_EXP_SZ);
|
||||
|
||||
/* Initialize encrypt implicit IV by encrypt side */
|
||||
if (ssl->options.side == WOLFSSL_CLIENT_END) {
|
||||
XMEMCPY(ssl->keys.aead_enc_imp_IV,
|
||||
keys->client_write_IV, AEAD_NONCE_SZ);
|
||||
keys->client_write_IV, AEAD_MAX_IMP_SZ);
|
||||
} else {
|
||||
XMEMCPY(ssl->keys.aead_enc_imp_IV,
|
||||
keys->server_write_IV, AEAD_NONCE_SZ);
|
||||
keys->server_write_IV, AEAD_MAX_IMP_SZ);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@ -2563,10 +2623,10 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
|
||||
/* Initialize decrypt implicit IV by decrypt side */
|
||||
if (ssl->options.side == WOLFSSL_SERVER_END) {
|
||||
XMEMCPY(ssl->keys.aead_dec_imp_IV,
|
||||
keys->client_write_IV, AEAD_NONCE_SZ);
|
||||
keys->client_write_IV, AEAD_MAX_IMP_SZ);
|
||||
} else {
|
||||
XMEMCPY(ssl->keys.aead_dec_imp_IV,
|
||||
keys->server_write_IV, AEAD_NONCE_SZ);
|
||||
keys->server_write_IV, AEAD_MAX_IMP_SZ);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@ -2614,7 +2674,7 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData)
|
||||
#ifdef HAVE_AEAD
|
||||
if (ssl->specs.cipher_type == aead) {
|
||||
/* Initialize the AES-GCM/CCM explicit IV to a zero. */
|
||||
XMEMSET(keys->aead_exp_IV, 0, AEAD_EXP_IV_SZ);
|
||||
XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
@ -1973,23 +1973,23 @@ static int Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
|
||||
|
||||
#ifdef HAVE_AESGCM
|
||||
case wolfssl_aes_gcm:
|
||||
if (sz >= (word32)(AEAD_EXP_IV_SZ + ssl->specs.aead_mac_size))
|
||||
if (sz >= (word32)(AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size))
|
||||
{
|
||||
byte nonce[AEAD_NONCE_SZ];
|
||||
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
|
||||
byte nonce[AESGCM_NONCE_SZ];
|
||||
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
|
||||
XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
|
||||
|
||||
if (wc_AesGcmEncrypt(ssl->decrypt.aes,
|
||||
output,
|
||||
input + AEAD_EXP_IV_SZ,
|
||||
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AEAD_NONCE_SZ,
|
||||
input + AESGCM_EXP_IV_SZ,
|
||||
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||
nonce, AESGCM_NONCE_SZ,
|
||||
NULL, 0,
|
||||
NULL, 0) < 0) {
|
||||
Trace(BAD_DECRYPT);
|
||||
ret = -1;
|
||||
}
|
||||
ForceZero(nonce, AEAD_NONCE_SZ);
|
||||
ForceZero(nonce, AESGCM_NONCE_SZ);
|
||||
}
|
||||
else {
|
||||
Trace(BAD_DECRYPT_SIZE);
|
||||
|
||||
33
src/tls.c
33
src/tls.c
@ -2657,7 +2657,8 @@ static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
|
||||
int i;
|
||||
|
||||
for (i = 0; i < ssl->suites->suiteSz; i+= 2)
|
||||
if (ssl->suites->suites[i] == ECC_BYTE)
|
||||
if (ssl->suites->suites[i] == ECC_BYTE ||
|
||||
ssl->suites->suites[i] == CHACHA_BYTE)
|
||||
return;
|
||||
|
||||
/* turns semaphore on to avoid sending this extension. */
|
||||
@ -2734,7 +2735,7 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
|
||||
}
|
||||
|
||||
int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
|
||||
TLSX* extension = (first == ECC_BYTE)
|
||||
TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE)
|
||||
? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
|
||||
: NULL;
|
||||
EllipticCurve* curve = NULL;
|
||||
@ -2773,6 +2774,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
|
||||
default: continue; /* unsupported curve */
|
||||
}
|
||||
|
||||
if (first == ECC_BYTE) {
|
||||
switch (second) {
|
||||
#ifndef NO_DSA
|
||||
/* ECDHE_ECDSA */
|
||||
@ -2837,6 +2839,33 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
|
||||
}
|
||||
}
|
||||
|
||||
/* ChaCha20-Poly1305 ECC cipher suites */
|
||||
if (first == CHACHA_BYTE) {
|
||||
switch (second) {
|
||||
#ifndef NO_DSA
|
||||
/* ECDHE_ECDSA */
|
||||
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
|
||||
case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
|
||||
sig |= ssl->pkCurveOID == oid;
|
||||
key |= ssl->eccTempKeySz == octets;
|
||||
break;
|
||||
#endif
|
||||
#ifndef NO_RSA
|
||||
/* ECDHE_RSA */
|
||||
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
|
||||
case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
|
||||
sig = 1;
|
||||
key |= ssl->eccTempKeySz == octets;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
sig = 1;
|
||||
key = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return sig && key;
|
||||
}
|
||||
|
||||
|
||||
@ -935,9 +935,15 @@ enum Misc {
|
||||
AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */
|
||||
AEAD_LEN_OFFSET = 11, /* Auth Data: Length */
|
||||
AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */
|
||||
AEAD_IMP_IV_SZ = 4, /* Size of the implicit IV */
|
||||
AEAD_EXP_IV_SZ = 8, /* Size of the explicit IV */
|
||||
AEAD_NONCE_SZ = AEAD_EXP_IV_SZ + AEAD_IMP_IV_SZ,
|
||||
AESGCM_IMP_IV_SZ = 4, /* Size of GCM/CCM AEAD implicit IV */
|
||||
AESGCM_EXP_IV_SZ = 8, /* Size of GCM/CCM AEAD explicit IV */
|
||||
AESGCM_NONCE_SZ = AESGCM_EXP_IV_SZ + AESGCM_IMP_IV_SZ,
|
||||
|
||||
CHACHA20_IMP_IV_SZ = 12, /* Size of ChaCha20 AEAD implicit IV */
|
||||
CHACHA20_NONCE_SZ = 12, /* Size of ChacCha20 nonce */
|
||||
CHACHA20_OLD_OFFSET = 8, /* Offset for seq # in old poly1305 */
|
||||
|
||||
/* For any new implicit/explicit IV size adjust AEAD_MAX_***_SZ */
|
||||
|
||||
AES_GCM_AUTH_SZ = 16, /* AES-GCM Auth Tag length */
|
||||
AES_CCM_16_AUTH_SZ = 16, /* AES-CCM-16 Auth Tag length */
|
||||
@ -1009,6 +1015,17 @@ enum Misc {
|
||||
};
|
||||
|
||||
|
||||
/* Set max implicit IV size for AEAD cipher suites */
|
||||
#ifdef HAVE_CHACHA
|
||||
#define AEAD_MAX_IMP_SZ 12
|
||||
#else
|
||||
#define AEAD_MAX_IMP_SZ 4
|
||||
#endif
|
||||
|
||||
/* Set max explicit IV size for AEAD cipher suites */
|
||||
#define AEAD_MAX_EXP_SZ 8
|
||||
|
||||
|
||||
#ifndef WOLFSSL_MAX_SUITE_SZ
|
||||
#define WOLFSSL_MAX_SUITE_SZ 300
|
||||
/* 150 suites for now! */
|
||||
@ -1455,18 +1472,20 @@ typedef struct WOLFSSL_DTLS_CTX {
|
||||
#endif /* WOLFSSL_DTLS */
|
||||
|
||||
|
||||
#define MAX_WRITE_IV_SZ 16 /* max size of client/server write_IV */
|
||||
|
||||
/* keys and secrets */
|
||||
typedef struct Keys {
|
||||
byte client_write_MAC_secret[MAX_DIGEST_SIZE]; /* max sizes */
|
||||
byte server_write_MAC_secret[MAX_DIGEST_SIZE];
|
||||
byte client_write_key[AES_256_KEY_SIZE]; /* max sizes */
|
||||
byte server_write_key[AES_256_KEY_SIZE];
|
||||
byte client_write_IV[AES_IV_SIZE]; /* max sizes */
|
||||
byte server_write_IV[AES_IV_SIZE];
|
||||
byte client_write_IV[MAX_WRITE_IV_SZ]; /* max sizes */
|
||||
byte server_write_IV[MAX_WRITE_IV_SZ];
|
||||
#ifdef HAVE_AEAD
|
||||
byte aead_exp_IV[AEAD_EXP_IV_SZ];
|
||||
byte aead_enc_imp_IV[AEAD_NONCE_SZ]; /* full size needed for chacha-poly */
|
||||
byte aead_dec_imp_IV[AEAD_NONCE_SZ];
|
||||
byte aead_exp_IV[AEAD_MAX_EXP_SZ];
|
||||
byte aead_enc_imp_IV[AEAD_MAX_IMP_SZ];
|
||||
byte aead_dec_imp_IV[AEAD_MAX_IMP_SZ];
|
||||
#endif
|
||||
|
||||
word32 peer_sequence_number;
|
||||
|
||||
Reference in New Issue
Block a user