feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

naming for AEAD macros and TLSX with chacha-poly

Browse Source
This commit is contained in:
Jacob Barthelmeh
2016-01-29 09:38:13 -07:00
parent 7d71d756f3
commit 611e37b3e8
6 changed files with 267 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
examples/client/client.c
View File

@ -1024,6 +1024,34 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
ssl = wolfSSL_new(ctx);
if (ssl == NULL)
err_sys("unable to get SSL object");
#ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp256r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP384R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp384r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP521R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp521r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP224R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp224r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP192R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp192r1");
}
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP160R1)
!= SSL_SUCCESS) {
err_sys("unable to set curve secp160r1");
}
#endif
#ifdef HAVE_SESSION_TICKET
wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
#endif

116
src/internal.c
View File

@ -2030,8 +2030,9 @@ void FreeArrays(WOLFSSL* ssl, int keep)
if (ssl->arrays) {
XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
ssl->arrays->pendingMsg = NULL;
ForceZero(ssl->arrays, sizeof(Arrays)); /* clear arrays struct */
}
XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_CERT);
XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_ARRAYS);
ssl->arrays = NULL;
}
@ -2053,6 +2054,9 @@ void SSL_ResourceFree(WOLFSSL* ssl)
XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES);
XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);
/* clear keys struct after session */
ForceZero(&(ssl->keys), sizeof(Keys));
#ifndef NO_DH
XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH);
XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH);
@ -6031,7 +6035,7 @@ static INLINE word32 GetSEQIncrement(WOLFSSL* ssl, int verify)
static INLINE void AeadIncrementExpIV(WOLFSSL* ssl)
{
int i;
for (i = AEAD_EXP_IV_SZ-1; i >= 0; i--) {
for (i = AEAD_MAX_EXP_SZ-1; i >= 0; i--) {
if (++ssl->keys.aead_exp_IV[i]) return;
}
}
@ -6099,7 +6103,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
word32 msgLen = (sz - ssl->specs.aead_mac_size);
byte tag[POLY1305_AUTH_SZ];
byte add[AEAD_AUTH_DATA_SZ];
byte nonce[CHACHA20_IV_SIZE];
byte nonce[CHACHA20_NONCE_SZ];
byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */
#ifdef CHACHA_AEAD_TEST
int i;
@ -6112,8 +6116,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
if (ssl->options.oldPoly != 0) {
/* get nonce */
c32toa(ssl->keys.sequence_number, nonce + AEAD_IMP_IV_SZ
+ AEAD_SEQ_OFFSET);
c32toa(ssl->keys.sequence_number, nonce + CHACHA20_OLD_OFFSET);
}
/* opaque SEQ number stored for AD */
@ -6152,7 +6155,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
if (ssl->options.oldPoly == 0) {
/* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
* record sequence number XORed with client_write_IV/server_write_IV */
XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IV_SIZE);
XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, CHACHA20_IMP_IV_SZ);
nonce[4] ^= add[0];
nonce[5] ^= add[1];
nonce[6] ^= add[2];
@ -6165,11 +6168,11 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
/* set the nonce for chacha and get poly1305 key */
if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0) {
ForceZero(nonce, AEAD_NONCE_SZ);
ForceZero(nonce, CHACHA20_NONCE_SZ);
return ret;
}
ForceZero(nonce, AEAD_NONCE_SZ); /* done with nonce, clear it */
ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
/* create Poly1305 key using chacha20 keystream */
if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, poly,
poly, sizeof(poly))) != 0)
@ -6233,7 +6236,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
word16 sz)
{
byte add[AEAD_AUTH_DATA_SZ];
byte nonce[CHACHA20_IV_SIZE];
byte nonce[CHACHA20_NONCE_SZ];
byte tag[POLY1305_AUTH_SZ];
byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
int ret = 0;
@ -6257,8 +6260,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
if (ssl->options.oldPoly != 0) {
/* get nonce */
c32toa(ssl->keys.peer_sequence_number, nonce + AEAD_IMP_IV_SZ
+ AEAD_SEQ_OFFSET);
c32toa(ssl->keys.peer_sequence_number, nonce + CHACHA20_OLD_OFFSET);
}
/* sequence number field is 64-bits, we only use 32-bits */
@ -6290,7 +6292,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
if (ssl->options.oldPoly == 0) {
/* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
* record sequence number XORed with client_write_IV/server_write_IV */
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IV_SIZE);
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, CHACHA20_IMP_IV_SZ);
nonce[4] ^= add[0];
nonce[5] ^= add[1];
nonce[6] ^= add[2];
@ -6303,11 +6305,11 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
/* set nonce and get poly1305 key */
if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0) {
ForceZero(nonce, AEAD_NONCE_SZ);
ForceZero(nonce, CHACHA20_NONCE_SZ);
return ret;
}
ForceZero(nonce, AEAD_NONCE_SZ); /* done with nonce, clear it */
ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
/* use chacha20 keystream to get poly1305 key for tag */
if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, poly,
poly, sizeof(poly))) != 0)
@ -6403,7 +6405,7 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
case wolfssl_aes_gcm:
{
byte additional[AEAD_AUTH_DATA_SZ];
byte nonce[AEAD_NONCE_SZ];
byte nonce[AESGCM_NONCE_SZ];
const byte* additionalSrc = input - 5;
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
@ -6424,30 +6426,31 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
/* Store the length of the plain text minus the explicit
* IV length minus the authentication tag size. */
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce,
ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ,
ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AESGCM_IMP_IV_SZ,
ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
ret = wc_AesGcmEncrypt(ssl->encrypt.aes,
out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ,
out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AESGCM_NONCE_SZ,
out + sz - ssl->specs.aead_mac_size,
ssl->specs.aead_mac_size,
additional, AEAD_AUTH_DATA_SZ);
AeadIncrementExpIV(ssl);
ForceZero(nonce, AEAD_NONCE_SZ);
ForceZero(nonce, AESGCM_NONCE_SZ);
}
break;
#endif
#ifdef HAVE_AESCCM
/* AEAD CCM uses same size as macros for AESGCM */
case wolfssl_aes_ccm:
{
byte additional[AEAD_AUTH_DATA_SZ];
byte nonce[AEAD_NONCE_SZ];
byte nonce[AESGCM_NONCE_SZ];
const byte* additionalSrc = input - 5;
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
@ -6468,21 +6471,21 @@ static INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz)
/* Store the length of the plain text minus the explicit
* IV length minus the authentication tag size. */
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce,
ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ,
ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AESGCM_IMP_IV_SZ,
ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
ret = wc_AesCcmEncrypt(ssl->encrypt.aes,
out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ,
out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AESGCM_NONCE_SZ,
out + sz - ssl->specs.aead_mac_size,
ssl->specs.aead_mac_size,
additional, AEAD_AUTH_DATA_SZ);
AeadIncrementExpIV(ssl);
ForceZero(nonce, AEAD_NONCE_SZ);
ForceZero(nonce, AESGCM_NONCE_SZ);
}
break;
#endif
@ -6572,7 +6575,7 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
case wolfssl_aes_gcm:
{
byte additional[AEAD_AUTH_DATA_SZ];
byte nonce[AEAD_NONCE_SZ];
byte nonce[AESGCM_NONCE_SZ];
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
@ -6588,31 +6591,32 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
if (wc_AesGcmDecrypt(ssl->decrypt.aes,
plain + AEAD_EXP_IV_SZ,
input + AEAD_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ,
plain + AESGCM_EXP_IV_SZ,
input + AESGCM_EXP_IV_SZ,
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AESGCM_NONCE_SZ,
input + sz - ssl->specs.aead_mac_size,
ssl->specs.aead_mac_size,
additional, AEAD_AUTH_DATA_SZ) < 0) {
SendAlert(ssl, alert_fatal, bad_record_mac);
ret = VERIFY_MAC_ERROR;
}
ForceZero(nonce, AEAD_NONCE_SZ);
ForceZero(nonce, AESGCM_NONCE_SZ);
}
break;
#endif
#ifdef HAVE_AESCCM
/* AESGCM AEAD macros use same size as AESCCM */
case wolfssl_aes_ccm:
{
byte additional[AEAD_AUTH_DATA_SZ];
byte nonce[AEAD_NONCE_SZ];
byte nonce[AESGCM_NONCE_SZ];
XMEMSET(additional, 0, AEAD_AUTH_DATA_SZ);
@ -6628,22 +6632,22 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
if (wc_AesCcmDecrypt(ssl->decrypt.aes,
plain + AEAD_EXP_IV_SZ,
input + AEAD_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ,
plain + AESGCM_EXP_IV_SZ,
input + AESGCM_EXP_IV_SZ,
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AESGCM_NONCE_SZ,
input + sz - ssl->specs.aead_mac_size,
ssl->specs.aead_mac_size,
additional, AEAD_AUTH_DATA_SZ) < 0) {
SendAlert(ssl, alert_fatal, bad_record_mac);
ret = VERIFY_MAC_ERROR;
}
ForceZero(nonce, AEAD_NONCE_SZ);
ForceZero(nonce, AESGCM_NONCE_SZ);
}
break;
#endif
@ -6722,7 +6726,7 @@ static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
else if (ssl->specs.cipher_type == aead) {
minLength = ssl->specs.aead_mac_size; /* authTag size */
if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
minLength += AEAD_EXP_IV_SZ; /* explicit IV */
minLength += AESGCM_EXP_IV_SZ; /* explicit IV */
}
if (encryptSz < minLength) {
@ -7008,7 +7012,7 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx)
}
else if (ssl->specs.cipher_type == aead) {
if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
ivExtra = AEAD_EXP_IV_SZ;
ivExtra = AESGCM_EXP_IV_SZ;
}
dataSz = msgSz - ivExtra - ssl->keys.padSz;
@ -7410,7 +7414,7 @@ int ProcessReply(WOLFSSL* ssl)
/* go past TLSv1.1 IV */
if (ssl->specs.cipher_type == aead &&
ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ;
ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ;
#endif /* ATOMIC_USER */
}
else {
@ -7429,7 +7433,7 @@ int ProcessReply(WOLFSSL* ssl)
/* go past TLSv1.1 IV */
if (ssl->specs.cipher_type == aead &&
ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
ssl->buffers.inputBuffer.idx += AEAD_EXP_IV_SZ;
ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ;
ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer +
ssl->buffers.inputBuffer.idx,
@ -7959,10 +7963,10 @@ static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
#ifdef HAVE_AEAD
if (ssl->specs.cipher_type == aead) {
if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
ivSz = AEAD_EXP_IV_SZ;
ivSz = AESGCM_EXP_IV_SZ;
sz += (ivSz + ssl->specs.aead_mac_size - digestSz);
XMEMCPY(iv, ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
XMEMCPY(iv, ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
}
#endif
if (sz > (word32)outSz) {

152
src/keys.c
View File

@ -597,7 +597,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -615,7 +615,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -633,7 +633,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -651,7 +651,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -669,7 +669,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -687,7 +687,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -705,7 +705,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -723,7 +723,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -741,7 +741,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
break;
@ -759,7 +759,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
break;
@ -778,7 +778,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
break;
@ -796,7 +796,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
break;
@ -814,7 +814,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -833,7 +833,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -852,7 +852,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -871,7 +871,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -890,7 +890,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -909,7 +909,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -1158,7 +1158,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -1177,7 +1177,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -1196,7 +1196,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -1215,7 +1215,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
ssl->options.usingPSK_cipher = 1;
@ -1602,7 +1602,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -1620,7 +1620,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -1638,7 +1638,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -1656,7 +1656,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
ssl->specs.iv_size = AESGCM_IMP_IV_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
@ -1958,6 +1958,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
/* Check that the max implicit iv size is suffecient */
#if (AEAD_MAX_IMP_SZ < 12) /* CHACHA20_IMP_IV_SZ */
#error AEAD_MAX_IMP_SZ is too small for ChaCha20
#endif
#if (MAX_WRITE_IV_SZ < 12) /* CHACHA20_IMP_IV_SZ */
#error MAX_WRITE_IV_SZ is too small for ChaCha20
#endif
if (specs->bulk_cipher_algorithm == wolfssl_chacha) {
int chachaRet;
if (enc && enc->chacha == NULL)
@ -1975,14 +1983,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
chachaRet = wc_Chacha_SetKey(enc->chacha, keys->client_write_key,
specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
CHACHA20_IV_SIZE);
CHACHA20_IMP_IV_SZ);
if (chachaRet != 0) return chachaRet;
}
if (dec) {
chachaRet = wc_Chacha_SetKey(dec->chacha, keys->server_write_key,
specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
CHACHA20_IV_SIZE);
CHACHA20_IMP_IV_SZ);
if (chachaRet != 0) return chachaRet;
}
}
@ -1991,14 +1999,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
chachaRet = wc_Chacha_SetKey(enc->chacha, keys->server_write_key,
specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
CHACHA20_IV_SIZE);
CHACHA20_IMP_IV_SZ);
if (chachaRet != 0) return chachaRet;
}
if (dec) {
chachaRet = wc_Chacha_SetKey(dec->chacha, keys->client_write_key,
specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
CHACHA20_IV_SIZE);
CHACHA20_IMP_IV_SZ);
if (chachaRet != 0) return chachaRet;
}
}
@ -2011,6 +2019,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif
#ifdef HAVE_HC128
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 16) /* HC_128_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for HC128
#endif
if (specs->bulk_cipher_algorithm == wolfssl_hc128) {
int hcRet;
if (enc && enc->hc128 == NULL)
@ -2055,6 +2068,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif
#ifdef BUILD_RABBIT
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 8) /* RABBIT_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for RABBIT
#endif
if (specs->bulk_cipher_algorithm == wolfssl_rabbit) {
int rabRet;
if (enc && enc->rabbit == NULL)
@ -2099,6 +2117,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif
#ifdef BUILD_DES3
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 8) /* DES_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for 3DES
#endif
if (specs->bulk_cipher_algorithm == wolfssl_triple_des) {
int desRet = 0;
@ -2158,6 +2181,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif
#ifdef BUILD_AES
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 16) /* AES_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for AES
#endif
if (specs->bulk_cipher_algorithm == wolfssl_aes) {
int aesRet = 0;
@ -2221,6 +2249,17 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif
#ifdef BUILD_AESGCM
/* check that buffer sizes are sufficient */
#if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */
#error AEAD_MAX_IMP_SZ too small for AESGCM
#endif
#if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */
#error AEAD_MAX_EXP_SZ too small for AESGCM
#endif
#if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */
#error MAX_WRITE_IV_SZ too small for AESGCM
#endif
if (specs->bulk_cipher_algorithm == wolfssl_aes_gcm) {
int gcmRet;
@ -2239,14 +2278,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
specs->key_size);
if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
AEAD_IMP_IV_SZ);
AESGCM_IMP_IV_SZ);
}
if (dec) {
gcmRet = wc_AesGcmSetKey(dec->aes, keys->server_write_key,
specs->key_size);
if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
AEAD_IMP_IV_SZ);
AESGCM_IMP_IV_SZ);
}
}
else {
@ -2255,14 +2294,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
specs->key_size);
if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
AEAD_IMP_IV_SZ);
AESGCM_IMP_IV_SZ);
}
if (dec) {
gcmRet = wc_AesGcmSetKey(dec->aes, keys->client_write_key,
specs->key_size);
if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
AEAD_IMP_IV_SZ);
AESGCM_IMP_IV_SZ);
}
}
if (enc)
@ -2273,6 +2312,17 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif
#ifdef HAVE_AESCCM
/* check that buffer sizes are sufficient (CCM is same size as GCM) */
#if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */
#error AEAD_MAX_IMP_SZ too small for AESCCM
#endif
#if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */
#error AEAD_MAX_EXP_SZ too small for AESCCM
#endif
#if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */
#error MAX_WRITE_IV_SZ too small for AESCCM
#endif
if (specs->bulk_cipher_algorithm == wolfssl_aes_ccm) {
if (enc && enc->aes == NULL)
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
@ -2287,24 +2337,24 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (enc) {
wc_AesCcmSetKey(enc->aes, keys->client_write_key, specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
AEAD_IMP_IV_SZ);
AESGCM_IMP_IV_SZ);
}
if (dec) {
wc_AesCcmSetKey(dec->aes, keys->server_write_key, specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
AEAD_IMP_IV_SZ);
AESGCM_IMP_IV_SZ);
}
}
else {
if (enc) {
wc_AesCcmSetKey(enc->aes, keys->server_write_key, specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
AEAD_IMP_IV_SZ);
AESGCM_IMP_IV_SZ);
}
if (dec) {
wc_AesCcmSetKey(dec->aes, keys->client_write_key, specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
AEAD_IMP_IV_SZ);
AESGCM_IMP_IV_SZ);
}
}
if (enc)
@ -2315,6 +2365,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif
#ifdef HAVE_CAMELLIA
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 16) /* CAMELLIA_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for CAMELLIA
#endif
if (specs->bulk_cipher_algorithm == wolfssl_camellia) {
int camRet;
@ -2362,6 +2417,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#endif
#ifdef HAVE_IDEA
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 8) /* IDEA_IV_SIZE */
#error MAX_WRITE_IV_SZ too small for IDEA
#endif
if (specs->bulk_cipher_algorithm == wolfssl_idea) {
int ideaRet;
@ -2528,14 +2588,14 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
XMEMCPY(ssl->keys.client_write_key,
keys->client_write_key, AES_256_KEY_SIZE);
XMEMCPY(ssl->keys.client_write_IV,
keys->client_write_IV, AES_IV_SIZE);
keys->client_write_IV, MAX_WRITE_IV_SZ);
} else {
XMEMCPY(ssl->keys.server_write_MAC_secret,
keys->server_write_MAC_secret, MAX_DIGEST_SIZE);
XMEMCPY(ssl->keys.server_write_key,
keys->server_write_key, AES_256_KEY_SIZE);
XMEMCPY(ssl->keys.server_write_IV,
keys->server_write_IV, AES_IV_SIZE);
keys->server_write_IV, MAX_WRITE_IV_SZ);
}
if (wc_encrypt) {
ssl->keys.sequence_number = keys->sequence_number;
@ -2543,15 +2603,15 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
if (ssl->specs.cipher_type == aead) {
/* Initialize the AES-GCM/CCM explicit IV to a zero. */
XMEMCPY(ssl->keys.aead_exp_IV, keys->aead_exp_IV,
AEAD_EXP_IV_SZ);
AEAD_MAX_EXP_SZ);
/* Initialize encrypt implicit IV by encrypt side */
if (ssl->options.side == WOLFSSL_CLIENT_END) {
XMEMCPY(ssl->keys.aead_enc_imp_IV,
keys->client_write_IV, AEAD_NONCE_SZ);
keys->client_write_IV, AEAD_MAX_IMP_SZ);
} else {
XMEMCPY(ssl->keys.aead_enc_imp_IV,
keys->server_write_IV, AEAD_NONCE_SZ);
keys->server_write_IV, AEAD_MAX_IMP_SZ);
}
}
#endif
@ -2563,10 +2623,10 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
/* Initialize decrypt implicit IV by decrypt side */
if (ssl->options.side == WOLFSSL_SERVER_END) {
XMEMCPY(ssl->keys.aead_dec_imp_IV,
keys->client_write_IV, AEAD_NONCE_SZ);
keys->client_write_IV, AEAD_MAX_IMP_SZ);
} else {
XMEMCPY(ssl->keys.aead_dec_imp_IV,
keys->server_write_IV, AEAD_NONCE_SZ);
keys->server_write_IV, AEAD_MAX_IMP_SZ);
}
}
#endif
@ -2614,7 +2674,7 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData)
#ifdef HAVE_AEAD
if (ssl->specs.cipher_type == aead) {
/* Initialize the AES-GCM/CCM explicit IV to a zero. */
XMEMSET(keys->aead_exp_IV, 0, AEAD_EXP_IV_SZ);
XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ);
}
#endif

16
src/sniffer.c
View File

@ -1973,23 +1973,23 @@ static int Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
#ifdef HAVE_AESGCM
case wolfssl_aes_gcm:
if (sz >= (word32)(AEAD_EXP_IV_SZ + ssl->specs.aead_mac_size))
if (sz >= (word32)(AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size))
{
byte nonce[AEAD_NONCE_SZ];
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
byte nonce[AESGCM_NONCE_SZ];
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
if (wc_AesGcmEncrypt(ssl->decrypt.aes,
output,
input + AEAD_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AEAD_NONCE_SZ,
input + AESGCM_EXP_IV_SZ,
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
nonce, AESGCM_NONCE_SZ,
NULL, 0,
NULL, 0) < 0) {
Trace(BAD_DECRYPT);
ret = -1;
}
ForceZero(nonce, AEAD_NONCE_SZ);
ForceZero(nonce, AESGCM_NONCE_SZ);
}
else {
Trace(BAD_DECRYPT_SIZE);

33
src/tls.c
View File

@ -2657,7 +2657,8 @@ static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
int i;
for (i = 0; i < ssl->suites->suiteSz; i+= 2)
if (ssl->suites->suites[i] == ECC_BYTE)
if (ssl->suites->suites[i] == ECC_BYTE ||
ssl->suites->suites[i] == CHACHA_BYTE)
return;
/* turns semaphore on to avoid sending this extension. */
@ -2734,7 +2735,7 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
}
int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
TLSX* extension = (first == ECC_BYTE)
TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE)
? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
: NULL;
EllipticCurve* curve = NULL;
@ -2773,6 +2774,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
default: continue; /* unsupported curve */
}
if (first == ECC_BYTE) {
switch (second) {
#ifndef NO_DSA
/* ECDHE_ECDSA */
@ -2835,6 +2837,33 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
key = 1;
break;
}
}
/* ChaCha20-Poly1305 ECC cipher suites */
if (first == CHACHA_BYTE) {
switch (second) {
#ifndef NO_DSA
/* ECDHE_ECDSA */
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
sig |= ssl->pkCurveOID == oid;
key |= ssl->eccTempKeySz == octets;
break;
#endif
#ifndef NO_RSA
/* ECDHE_RSA */
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
sig = 1;
key |= ssl->eccTempKeySz == octets;
break;
#endif
default:
sig = 1;
key = 1;
break;
}
}
}
return sig && key;

49
wolfssl/internal.h
View File

@ -820,7 +820,7 @@ enum {
enum Misc {
ECC_BYTE = 0xC0, /* ECC first cipher suite byte */
ECC_BYTE = 0xC0, /* ECC first cipher suite byte */
QSH_BYTE = 0xD0, /* Quantum-safe Handshake cipher suite */
CHACHA_BYTE = 0xCC, /* ChaCha first cipher suite */
@ -929,15 +929,21 @@ enum Misc {
AES_IV_SIZE = 16, /* always block size */
AES_128_KEY_SIZE = 16, /* for 128 bit */
AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */
AEAD_TYPE_OFFSET = 8, /* Auth Data: Type */
AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */
AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */
AEAD_LEN_OFFSET = 11, /* Auth Data: Length */
AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */
AEAD_IMP_IV_SZ = 4, /* Size of the implicit IV */
AEAD_EXP_IV_SZ = 8, /* Size of the explicit IV */
AEAD_NONCE_SZ = AEAD_EXP_IV_SZ + AEAD_IMP_IV_SZ,
AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */
AEAD_TYPE_OFFSET = 8, /* Auth Data: Type */
AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */
AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */
AEAD_LEN_OFFSET = 11, /* Auth Data: Length */
AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */
AESGCM_IMP_IV_SZ = 4, /* Size of GCM/CCM AEAD implicit IV */
AESGCM_EXP_IV_SZ = 8, /* Size of GCM/CCM AEAD explicit IV */
AESGCM_NONCE_SZ = AESGCM_EXP_IV_SZ + AESGCM_IMP_IV_SZ,
CHACHA20_IMP_IV_SZ = 12, /* Size of ChaCha20 AEAD implicit IV */
CHACHA20_NONCE_SZ = 12, /* Size of ChacCha20 nonce */
CHACHA20_OLD_OFFSET = 8, /* Offset for seq # in old poly1305 */
/* For any new implicit/explicit IV size adjust AEAD_MAX_***_SZ */
AES_GCM_AUTH_SZ = 16, /* AES-GCM Auth Tag length */
AES_CCM_16_AUTH_SZ = 16, /* AES-CCM-16 Auth Tag length */
@ -1009,6 +1015,17 @@ enum Misc {
};
/* Set max implicit IV size for AEAD cipher suites */
#ifdef HAVE_CHACHA
#define AEAD_MAX_IMP_SZ 12
#else
#define AEAD_MAX_IMP_SZ 4
#endif
/* Set max explicit IV size for AEAD cipher suites */
#define AEAD_MAX_EXP_SZ 8
#ifndef WOLFSSL_MAX_SUITE_SZ
#define WOLFSSL_MAX_SUITE_SZ 300
/* 150 suites for now! */
@ -1455,18 +1472,20 @@ typedef struct WOLFSSL_DTLS_CTX {
#endif /* WOLFSSL_DTLS */
#define MAX_WRITE_IV_SZ 16 /* max size of client/server write_IV */
/* keys and secrets */
typedef struct Keys {
byte client_write_MAC_secret[MAX_DIGEST_SIZE]; /* max sizes */
byte server_write_MAC_secret[MAX_DIGEST_SIZE];
byte client_write_key[AES_256_KEY_SIZE]; /* max sizes */
byte server_write_key[AES_256_KEY_SIZE];
byte client_write_IV[AES_IV_SIZE]; /* max sizes */
byte server_write_IV[AES_IV_SIZE];
byte client_write_IV[MAX_WRITE_IV_SZ]; /* max sizes */
byte server_write_IV[MAX_WRITE_IV_SZ];
#ifdef HAVE_AEAD
byte aead_exp_IV[AEAD_EXP_IV_SZ];
byte aead_enc_imp_IV[AEAD_NONCE_SZ]; /* full size needed for chacha-poly */
byte aead_dec_imp_IV[AEAD_NONCE_SZ];
byte aead_exp_IV[AEAD_MAX_EXP_SZ];
byte aead_enc_imp_IV[AEAD_MAX_IMP_SZ];
byte aead_dec_imp_IV[AEAD_MAX_IMP_SZ];
#endif
word32 peer_sequence_number;