feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

sync w/upstream; resolve merge conflict

Browse Source
This commit is contained in:
gojimmypi
2023-12-08 09:06:10 -08:00
parent 5e5286d30d 448b83697a
commit 62c0910e15
19 changed files with 1316 additions and 615 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
IDE/ARDUINO/README.md
View File

@@ -2,10 +2,11 @@
##### Reformatting wolfSSL as a compatible Arduino Library ##### Reformatting wolfSSL as a compatible Arduino Library
This is a shell script that will re-organize the wolfSSL library to be This is a shell script that will re-organize the wolfSSL library to be
compatible with Arduino projects. The Arduino IDE requires a library's source compatible with Arduino projects that use Arduino IDE 1.5.0 or newer.
files to be in the library's root directory with a header file in the name of The Arduino IDE requires a library's source files to be in the library's root
the library. This script moves all src/ files to the `IDE/ARDUINO/wolfSSL` directory with a header file in the name of the library. This script moves all
directory and creates a stub header file called `wolfssl.h`. src/ files to the `IDE/ARDUINO/wolfSSL/src` directory and creates a stub header
file called `wolfssl.h` inside that directory.
Step 1: To configure wolfSSL with Arduino, enter the following from within the Step 1: To configure wolfSSL with Arduino, enter the following from within the
wolfssl/IDE/ARDUINO directory: wolfssl/IDE/ARDUINO directory:
@@ -15,7 +16,7 @@ wolfssl/IDE/ARDUINO directory:
Step 2: Copy the directory wolfSSL that was just created to: Step 2: Copy the directory wolfSSL that was just created to:
`~/Documents/Arduino/libraries/` directory so the Arduino IDE can find it. `~/Documents/Arduino/libraries/` directory so the Arduino IDE can find it.
Step 3: Edit `<arduino-libraries>/wolfSSL/user_settings.h` Step 3: Edit `<arduino-libraries>/wolfSSL/src/user_settings.h`
If building for Intel Galileo platform add: `#define INTEL_GALILEO`. If building for Intel Galileo platform add: `#define INTEL_GALILEO`.
Add any other custom settings, for a good start see the examples in wolfssl root Add any other custom settings, for a good start see the examples in wolfssl root
"/examples/configs/user_settings_*.h" "/examples/configs/user_settings_*.h"

61
IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
View File

@@ -19,10 +19,18 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/ */
/*
This was original tested with Intel Galileo acting as the Client, with a
laptop acting as a server using the server example provided in examples/server.
Legacy Ardunio v1.86 was used to compile and program the Galileo
*/
#define USE_CERT_BUFFERS_2048
#include <wolfssl.h> #include <wolfssl.h>
#include <wolfssl/ssl.h> #include <wolfssl/ssl.h>
#include <Ethernet.h> #include <Ethernet.h>
#include <wolfssl/certs_test.h>
const char host[] = "192.168.1.148"; /* server to connect to */ const char host[] = "192.168.1.148"; /* server to connect to */
const int port = 11111; /* port on server to connect to */ const int port = 11111; /* port on server to connect to */
@@ -38,8 +46,11 @@ WOLFSSL* ssl = NULL;
void setup() { void setup() {
WOLFSSL_METHOD* method; WOLFSSL_METHOD* method;
/* Initialize Return Code */
int rc;
Serial.begin(9600); Serial.begin(9600);
/* Delay need to ensure connection to server */
delay(4000);
method = wolfTLSv1_2_client_method(); method = wolfTLSv1_2_client_method();
if (method == NULL) { if (method == NULL) {
@@ -52,28 +63,41 @@ void setup() {
return; return;
} }
/* initialize wolfSSL using callback functions */ /* initialize wolfSSL using callback functions */
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
rc = wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_der_2048,\
sizeof_ca_cert_der_2048,\
WOLFSSL_FILETYPE_ASN1);
Serial.print("\n\n Return code of load_verify is:");
Serial.println(rc);
Serial.println("");
rc = wolfSSL_CTX_use_certificate_buffer(ctx, client_cert_der_2048,\
sizeof_client_cert_der_2048,\
WOLFSSL_FILETYPE_ASN1);
Serial.print("\n\n Return code of use_certificate_buffer is:");
Serial.println(rc);
Serial.println("");
rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx, client_key_der_2048,\
sizeof_client_key_der_2048,\
WOLFSSL_FILETYPE_ASN1);
Serial.print("\n\n Return code of use_PrivateKey_buffer is:");
Serial.println(rc);
Serial.println("");
wolfSSL_SetIOSend(ctx, EthernetSend); wolfSSL_SetIOSend(ctx, EthernetSend);
wolfSSL_SetIORecv(ctx, EthernetReceive); wolfSSL_SetIORecv(ctx, EthernetReceive);
return; return;
} }
int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx) { int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx) {
int sent = 0; int sent = 0;
sent = client.write((byte*)msg, sz); sent = client.write((byte*)msg, sz);
return sent; return sent;
} }
int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) { int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) {
int ret = 0; int ret = 0;
while (client.available() > 0 && ret < sz) { while (client.available() > 0 && ret < sz) {
reply[ret++] = client.read(); reply[ret++] = client.read();
} }
return ret; return ret;
} }
@@ -86,21 +110,16 @@ void loop() {
char errBuf[80]; char errBuf[80];
char reply[80]; char reply[80];
const char* cipherName; const char* cipherName;
if (reconnect) { if (reconnect) {
reconnect--; reconnect--;
if (client.connect(host, port)) { if (client.connect(host, port)) {
Serial.print("Connected to "); Serial.print("Connected to ");
Serial.println(host); Serial.println(host);
ssl = wolfSSL_new(ctx); ssl = wolfSSL_new(ctx);
if (ssl == NULL) { if (ssl == NULL) {
Serial.println("Unable to allocate SSL object"); Serial.println("Unable to allocate SSL object");
return; return;
} }
err = wolfSSL_connect(ssl); err = wolfSSL_connect(ssl);
if (err != WOLFSSL_SUCCESS) { if (err != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0); err = wolfSSL_get_error(ssl, 0);
@@ -108,16 +127,12 @@ void loop() {
Serial.print("TLS Connect Error: "); Serial.print("TLS Connect Error: ");
Serial.println(errBuf); Serial.println(errBuf);
} }
Serial.print("SSL version is "); Serial.print("SSL version is ");
Serial.println(wolfSSL_get_version(ssl)); Serial.println(wolfSSL_get_version(ssl));
cipherName = wolfSSL_get_cipher(ssl); cipherName = wolfSSL_get_cipher(ssl);
Serial.print("SSL cipher suite is "); Serial.print("SSL cipher suite is ");
Serial.println(cipherName); Serial.println(cipherName);
if ((wolfSSL_write(ssl, msg, msgSz)) == msgSz) { if ((wolfSSL_write(ssl, msg, msgSz)) == msgSz) {
Serial.print("Server response: "); Serial.print("Server response: ");
/* wait for data */ /* wait for data */
while (!client.available()) {} while (!client.available()) {}
@@ -131,27 +146,29 @@ void loop() {
Serial.print("TLS Read Error: "); Serial.print("TLS Read Error: ");
Serial.println(errBuf); Serial.println(errBuf);
break; break;
} else if (input > 0) { }
else if (input > 0) {
reply[input] = '\0'; reply[input] = '\0';
Serial.print(reply); Serial.print(reply);
} else { }
else {
Serial.println(); Serial.println();
} }
} }
} else { }
else {
err = wolfSSL_get_error(ssl, 0); err = wolfSSL_get_error(ssl, 0);
wolfSSL_ERR_error_string(err, errBuf); wolfSSL_ERR_error_string(err, errBuf);
Serial.print("TLS Write Error: "); Serial.print("TLS Write Error: ");
Serial.println(errBuf); Serial.println(errBuf);
} }
wolfSSL_shutdown(ssl); wolfSSL_shutdown(ssl);
wolfSSL_free(ssl); wolfSSL_free(ssl);
client.stop(); client.stop();
Serial.println("Connection complete."); Serial.println("Connection complete.");
reconnect = 0; reconnect = 0;
} else { }
else {
Serial.println("Trying to reconnect..."); Serial.println("Trying to reconnect...");
} }
} }

173
IDE/ARDUINO/wolfssl-arduino.sh
View File

@@ -4,86 +4,141 @@
# an Arduino project # an Arduino project
# run as bash ./wolfssl-arduino.sh # run as bash ./wolfssl-arduino.sh
ROOT_DIR="/wolfSSL"
ROOT_SRC_DIR="${ROOT_DIR}/src"
WOLFSSL_SRC="${ROOT_SRC_DIR}/src"
WOLFSSL_HEADERS="${ROOT_SRC_DIR}/wolfssl"
WOLFCRYPT_ROOT="${ROOT_SRC_DIR}/wolfcrypt"
WOLFCRYPT_SRC="${WOLFCRYPT_ROOT}/src"
WOLFCRYPT_HEADERS="${WOLFSSL_HEADERS}/wolfcrypt"
OPENSSL_DIR="${WOLFSSL_HEADERS}/openssl"
WOLFSSL_VERSION="5.6.4"
# TOP indicates the file directory comes from the top level of the wolfssl repo
TOP_DIR="../.."
WOLFSSL_SRC_TOP="${TOP_DIR}/src"
WOLFSSL_HEADERS_TOP="${TOP_DIR}/wolfssl"
WOLFCRYPT_ROOT_TOP="${TOP_DIR}/wolfcrypt"
WOLFCRYPT_SRC_TOP="${WOLFCRYPT_ROOT_TOP}/src"
WOLFCRYPT_HEADERS_TOP="${WOLFSSL_HEADERS_TOP}/wolfcrypt"
OPENSSL_DIR_TOP="${WOLFSSL_HEADERS_TOP}/openssl"
# TODO: Parse version number
WOLFSSL_VERSION=$(grep -i "LIBWOLFSSL_VERSION_STRING" ${TOP_DIR}/wolfssl/version.h | cut -d '"' -f 2)
DIR=${PWD##*/} DIR=${PWD##*/}
space(){
echo "" >> "$1"
}
if [ "$DIR" = "ARDUINO" ]; then if [ "$DIR" = "ARDUINO" ]; then
if [ ! -d "wolfSSL" ]; then if [ ! -d ".${ROOT_DIR}" ]; then
mkdir wolfSSL mkdir .${ROOT_DIR}
fi
if [ ! -d ".${ROOT_SRC_DIR}" ]; then
mkdir .${ROOT_SRC_DIR}
fi fi
cp ../../src/*.c ./wolfSSL if [ ! -d ".${WOLFSSL_HEADERS}" ]; then
cp ../../wolfcrypt/src/*.c ./wolfSSL mkdir .${WOLFSSL_HEADERS}
fi
if [ ! -d "wolfSSL/wolfssl" ]; then cp ${WOLFSSL_HEADERS_TOP}/*.h .${WOLFSSL_HEADERS}
mkdir wolfSSL/wolfssl if [ ! -d ".${WOLFCRYPT_HEADERS}" ]; then
mkdir .${WOLFCRYPT_HEADERS}
fi fi
cp ../../wolfssl/*.h ./wolfSSL/wolfssl cp ${WOLFCRYPT_HEADERS_TOP}/*.h .${WOLFCRYPT_HEADERS}
if [ ! -d "wolfSSL/wolfssl/wolfcrypt" ]; then
mkdir wolfSSL/wolfssl/wolfcrypt
fi
cp ../../wolfssl/wolfcrypt/*.h ./wolfSSL/wolfssl/wolfcrypt
# support misc.c as include in wolfcrypt/src # Add in source files to wolfcrypt/src
if [ ! -d "./wolfSSL/wolfcrypt" ]; then if [ ! -d ".${WOLFCRYPT_ROOT}" ]; then
mkdir ./wolfSSL/wolfcrypt mkdir .${WOLFCRYPT_ROOT}
fi fi
if [ ! -d "./wolfSSL/wolfcrypt/src" ]; then if [ ! -d ".${WOLFCRYPT_SRC}" ]; then
mkdir ./wolfSSL/wolfcrypt/src mkdir .${WOLFCRYPT_SRC}
fi fi
cp ../../wolfcrypt/src/misc.c ./wolfSSL/wolfcrypt/src cp ${WOLFCRYPT_SRC_TOP}/*.c .${WOLFCRYPT_SRC}
cp ../../wolfcrypt/src/asm.c ./wolfSSL/wolfcrypt/src
# Add in source files to top level src folders
if [ ! -d ".${WOLFSSL_SRC}" ]; then
mkdir .${WOLFSSL_SRC}
fi
cp ${WOLFSSL_SRC_TOP}/*.c .${WOLFSSL_SRC}
# put bio and evp as includes # put bio and evp as includes
mv ./wolfSSL/bio.c ./wolfSSL/wolfssl cp .${WOLFSSL_SRC}/bio.c .${WOLFSSL_HEADERS}
mv ./wolfSSL/evp.c ./wolfSSL/wolfssl cp .${WOLFCRYPT_SRC}/evp.c .${WOLFSSL_HEADERS}
# make a copy of evp.c and bio.c for ssl.c to include inline # make a copy of evp.c and bio.c for ssl.c to include inline
cp ./wolfSSL/wolfssl/evp.c ./wolfSSL/wolfcrypt/src/evp.c cp .${WOLFSSL_HEADERS}/evp.c .${WOLFCRYPT_SRC}/evp.c
cp ./wolfSSL/wolfssl/bio.c ./wolfSSL/wolfcrypt/src/bio.c cp .${WOLFSSL_HEADERS}/bio.c .${WOLFCRYPT_SRC}/bio.c
# copy openssl compatibility headers to their appropriate location # copy openssl compatibility headers to their appropriate location
if [ ! -d "./wolfSSL/wolfssl/openssl" ]; then if [ ! -d ".${OPENSSL_DIR}" ]; then
mkdir ./wolfSSL/wolfssl/openssl mkdir .${OPENSSL_DIR}
fi fi
cp ../../wolfssl/openssl/* ./wolfSSL/wolfssl/openssl cp ${OPENSSL_DIR_TOP}/* .${OPENSSL_DIR}
echo "/* Generated wolfSSL header file for Arduino */" > ./wolfSSL/wolfssl.h
echo "#include <user_settings.h>" >> ./wolfSSL/wolfssl.h
echo "#include <wolfssl/wolfcrypt/settings.h>" >> ./wolfSSL/wolfssl.h
echo "#include <wolfssl/ssl.h>" >> ./wolfSSL/wolfssl.h
if [ ! -f "./wolfSSL/user_settings.h" ]; then cat > .${ROOT_SRC_DIR}/wolfssl.h <<EOF
echo "/* Generated wolfSSL user_settings.h file for Arduino */" > ./wolfSSL/user_settings.h /* Generated wolfSSL header file for Arduino */
echo "#ifndef ARDUINO_USER_SETTINGS_H" >> ./wolfSSL/user_settings.h #include <user_settings.h>
echo "#define ARDUINO_USER_SETTINGS_H" >> ./wolfSSL/user_settings.h #include <wolfssl/wolfcrypt/settings.h>
space ./wolfSSL/user_settings.h #include <wolfssl/ssl.h>
echo "/* Platform */" >> ./wolfSSL/user_settings.h EOF
echo "#define WOLFSSL_ARDUINO" >> ./wolfSSL/user_settings.h
space ./wolfSSL/user_settings.h
echo "/* Math library (remove this to use normal math)*/" >> ./wolfSSL/user_settings.h # Creates user_settings file if one does not exist
echo "#define USE_FAST_MATH" >> ./wolfSSL/user_settings.h if [ ! -f ".${ROOT_SRC_DIR}/user_settings.h" ]; then
echo "#define TFM_NO_ASM" >> ./wolfSSL/user_settings.h cat > .${ROOT_SRC_DIR}/user_settings.h <<EOF
space ./wolfSSL/user_settings.h /* Generated wolfSSL user_settings.h file for Arduino */
echo "/* RNG DEFAULT !!FOR TESTING ONLY!! */" >> ./wolfSSL/user_settings.h #ifndef ARDUINO_USER_SETTINGS_H
echo "/* comment out the error below to get started w/ bad entropy source" >> ./wolfSSL/user_settings.h #define ARDUINO_USER_SETTINGS_H
echo " * This will need fixed before distribution but is OK to test with */" >> ./wolfSSL/user_settings.h
echo "#error \"needs solved, see: https://www.wolfssl.com/docs/porting-guide/\"" >> ./wolfSSL/user_settings.h /* Platform */
echo "#define WOLFSSL_GENSEED_FORTEST" >> ./wolfSSL/user_settings.h #define WOLFSSL_ARDUINO
space ./wolfSSL/user_settings.h
echo "#endif /* ARDUINO_USER_SETTINGS_H */" >> ./wolfSSL/user_settings.h /* Math library (remove this to use normal math)*/
#define USE_FAST_MATH
#define TFM_NO_ASM
#define NO_ASN_TIME
/* When using Intel Galileo Uncomment the line below */
/* #define INTEL_GALILEO */
/* RNG DEFAULT !!FOR TESTING ONLY!! */
/* comment out the error below to get started w/ bad entropy source
* This will need fixed before distribution but is OK to test with */
#error "needs solved, see: https://www.wolfssl.com/docs/porting-guide/"
#define WOLFSSL_GENSEED_FORTEST
#endif /* ARDUINO_USER_SETTINGS_H */
EOF
fi fi
cp wolfSSL/wolfssl/wolfcrypt/settings.h wolfSSL/wolfssl/wolfcrypt/settings.h.bak cp .${WOLFCRYPT_HEADERS}/settings.h .${WOLFCRYPT_HEADERS}/settings.h.bak
echo " /* wolfSSL Generated ARDUINO settings */" > ./wolfSSL/wolfssl/wolfcrypt/settings.h cat > .${WOLFCRYPT_HEADERS}/settings.h <<EOF
echo "#ifndef WOLFSSL_USER_SETTINGS" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h /*wolfSSL Generated ARDUINO settings */
echo " #define WOLFSSL_USER_SETTINGS" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h #ifndef WOLFSSL_USER_SETTINGS
echo "#endif /* WOLFSSL_USER_SETTINGS */" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h #define WOLFSSL_USER_SETTINGS
echo " /* wolfSSL Generated ARDUINO settings: END */" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h #endif /* WOLFSSL_USER_SETTINGS */
cat ./wolfSSL/wolfssl/wolfcrypt/settings.h.bak >> ./wolfSSL/wolfssl/wolfcrypt/settings.h /*wolfSSL Generated ARDUINO settings: END */
EOF
cat .${WOLFCRYPT_HEADERS}/settings.h.bak >> .${WOLFCRYPT_HEADERS}/settings.h
#Creating library.properties file based off of:
#https://arduino.github.io/arduino-cli/0.35/library-specification/#libraryproperties-file-format
cat > .${ROOT_DIR}/library.properties <<EOF
name=wolfSSL
version=${WOLFSSL_VERSION}
author=wolfSSL inc
maintainer=wolfSSL inc <support@wolfssl.com>
sentence=A lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments.
paragraph=Manual: https://www.wolfssl.com/documentation/manuals/wolfssl/index.html.
category=Communication
url=https://www.wolfssl.com/
architectures=*
EOF
else else
echo "ERROR: You must be in the IDE/ARDUINO directory to run this script" echo "ERROR: You must be in the IDE/ARDUINO directory to run this script"

273
IDE/apple-universal/build-wolfssl-framework.sh
View File

@@ -20,7 +20,6 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
set -euo pipefail set -euo pipefail
WOLFSSL_DIR=$(pwd)/../../ WOLFSSL_DIR=$(pwd)/../../
@@ -28,12 +27,9 @@ OUTDIR=$(pwd)/artifacts
LIPODIR=${OUTDIR}/lib LIPODIR=${OUTDIR}/lib
SDK_OUTPUT_DIR=${OUTDIR}/xcframework SDK_OUTPUT_DIR=${OUTDIR}/xcframework
CFLAGS_COMMON="" CFLAGS_COMMON=""
# Optional configure flags passed in by user through -c argument
CONF_OPTS_EXTRA=""
# Base configure flags # Base configure flags
CONF_OPTS_COMMON="--disable-shared --enable-static" CONF_OPTS="--disable-shared --enable-static"
helpFunction() helpFunction()
{ {
@@ -47,7 +43,7 @@ helpFunction()
while getopts ":c:" opt; do while getopts ":c:" opt; do
case $opt in case $opt in
c) c)
CONF_OPTS_EXTRA="$OPTARG" CONF_OPTS+=" $OPTARG"
;; ;;
\?) \?)
echo "Invalid option: -$OPTARG" >&2; helpFunction echo "Invalid option: -$OPTARG" >&2; helpFunction
@@ -55,279 +51,60 @@ while getopts ":c:" opt; do
esac esac
done done
# Amalgamate extra CLI options with base options
CONF_OPTS="${CONF_OPTS_COMMON} ${CONF_OPTS_EXTRA}"
rm -rf $OUTDIR rm -rf $OUTDIR
mkdir -p $LIPODIR mkdir -p $LIPODIR
mkdir -p $SDK_OUTPUT_DIR mkdir -p $SDK_OUTPUT_DIR
build() { # <ARCH=arm64|x86_64> <TYPE=iphonesimulator|iphoneos|macosx|watchos|watchsimulator|appletvos|appletvsimulator>
buildIOSSim()
{
set -x set -x
pushd . pushd .
cd $WOLFSSL_DIR cd $WOLFSSL_DIR
ARCH=$1 ARCH=$1
HOST="${ARCH}-apple-darwin" HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk iphonesimulator --show-sdk-path) TYPE=$2
SDK_ROOT=$(xcrun --sdk ${TYPE} --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-ios-simulator-${ARCH} ${CONF_OPTS} --host=${HOST} \ ./configure -prefix=${OUTDIR}/wolfssl-${TYPE}-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}" CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j make -j src/libwolfssl.la
make install make install
popd popd
set +x set +x
} }
buildIOS() XCFRAMEWORKS=
{ for type in iphonesimulator macosx appletvsimulator watchsimulator ; do
set -x build arm64 ${type}
pushd . build x86_64 ${type}
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk iphoneos --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-ios-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildMacOS()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk macosx --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-macos-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildWatchOS()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk watchos --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-watchos-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildWatchOSSim()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk watchsimulator --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-watchos-simulator-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildTVOS()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=arm64
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk appletvos --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-tvos-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildTVOSSim()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk appletvsimulator --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-tvos-simulator-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildCatalyst()
{
echo "TBD"
}
############################################################################################################################################
# IOS Simulator ############################################################################################################################
############################################################################################################################################
buildIOSSim arm64
buildIOSSim x86_64
# Create universal binaries from architecture-specific static libraries # Create universal binaries from architecture-specific static libraries
lipo \ lipo \
"$OUTDIR/wolfssl-ios-simulator-x86_64/lib/libwolfssl.a" \ "$OUTDIR/wolfssl-${type}-x86_64/lib/libwolfssl.a" \
"$OUTDIR/wolfssl-ios-simulator-arm64/lib/libwolfssl.a" \ "$OUTDIR/wolfssl-${type}-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-ios-simulator.a -create -output $LIPODIR/libwolfssl-${type}.a
echo "Checking libraries" echo "Checking libraries"
xcrun -sdk iphonesimulator lipo -info $LIPODIR/libwolfssl-ios-simulator.a xcrun -sdk ${type} lipo -info $LIPODIR/libwolfssl-${type}.a
XCFRAMEWORKS+=" -library ${LIPODIR}/libwolfssl-${type}.a -headers ${OUTDIR}/wolfssl-${type}-arm64/include"
done
############################################################################################################################################ for type in iphoneos appletvos ; do
# IOS ###################################################################################################################################### build arm64 ${type}
############################################################################################################################################
buildIOS arm64
# Create universal binaries from architecture-specific static libraries # Create universal binaries from architecture-specific static libraries
lipo \ lipo \
"$OUTDIR/wolfssl-ios-arm64/lib/libwolfssl.a" \ "$OUTDIR/wolfssl-${type}-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-ios.a -create -output $LIPODIR/libwolfssl-${type}.a
echo "Checking libraries" echo "Checking libraries"
xcrun -sdk iphoneos lipo -info $LIPODIR/libwolfssl-ios.a xcrun -sdk ${type} lipo -info $LIPODIR/libwolfssl-${type}.a
XCFRAMEWORKS+=" -library ${LIPODIR}/libwolfssl-${type}.a -headers ${OUTDIR}/wolfssl-${type}-arm64/include"
done
############################################################################################################################################
# MacOS ####################################################################################################################################
############################################################################################################################################
buildMacOS arm64
buildMacOS x86_64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-macos-x86_64/lib/libwolfssl.a" \
"$OUTDIR/wolfssl-macos-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-macos.a
echo "Checking libraries"
xcrun -sdk macosx lipo -info $LIPODIR/libwolfssl-macos.a
############################################################################################################################################
# tvOS Simulator ###########################################################################################################################
############################################################################################################################################
buildTVOSSim arm64
buildTVOSSim x86_64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-tvos-simulator-x86_64/lib/libwolfssl.a" \
"$OUTDIR/wolfssl-tvos-simulator-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-tvos-simulator.a
echo "Checking libraries"
xcrun -sdk appletvsimulator lipo -info $LIPODIR/libwolfssl-tvos-simulator.a
############################################################################################################################################
# tvOS #####################################################################################################################################
############################################################################################################################################
buildTVOS arm64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-tvos-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-tvos.a
echo "Checking libraries"
xcrun -sdk appletvos lipo -info $LIPODIR/libwolfssl-tvos.a
############################################################################################################################################
# watchOS Simulator ########################################################################################################################
############################################################################################################################################
buildWatchOSSim arm64
buildWatchOSSim x86_64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-watchos-simulator-arm64/lib/libwolfssl.a" \
"$OUTDIR/wolfssl-watchos-simulator-x86_64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-watchos-simulator.a
echo "Checking libraries"
xcrun -sdk watchsimulator lipo -info $LIPODIR/libwolfssl-watchos-simulator.a
############################################################################################################################################
# watchOS ##################################################################################################################################
############################################################################################################################################
buildWatchOS arm64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-watchos-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-watchos.a
echo "Checking libraries"
xcrun -sdk watchos lipo -info $LIPODIR/libwolfssl-watchos.a
############################################################################################################################################
# Catalyst #################################################################################################################################
############################################################################################################################################
############################################################################################################################################ ############################################################################################################################################
# ********** BUILD FRAMEWORK # ********** BUILD FRAMEWORK
############################################################################################################################################ ############################################################################################################################################
xcodebuild -create-xcframework \ xcodebuild -create-xcframework ${XCFRAMEWORKS} -output ${SDK_OUTPUT_DIR}/libwolfssl.xcframework
-library ${LIPODIR}/libwolfssl-ios-simulator.a \
-headers ${OUTDIR}/wolfssl-ios-simulator-arm64/include \
-library ${LIPODIR}/libwolfssl-ios.a \
-headers ${OUTDIR}/wolfssl-ios-arm64/include \
-library ${LIPODIR}/libwolfssl-macos.a \
-headers ${OUTDIR}/wolfssl-macos-arm64/include \
-library ${LIPODIR}/libwolfssl-tvos.a \
-headers ${OUTDIR}/wolfssl-tvos-arm64/include \
-library ${LIPODIR}/libwolfssl-tvos-simulator.a \
-headers ${OUTDIR}/wolfssl-tvos-simulator-arm64/include \
-library ${LIPODIR}/libwolfssl-watchos.a \
-headers ${OUTDIR}/wolfssl-watchos-arm64/include \
-library ${LIPODIR}/libwolfssl-watchos-simulator.a \
-headers ${OUTDIR}/wolfssl-watchos-simulator-arm64/include \
-output ${SDK_OUTPUT_DIR}/libwolfssl.xcframework

108
doc/dox_comments/header_files/ssl.h
View File

@@ -14854,3 +14854,111 @@ available size need to be provided in bufferSz.
*/ */
int wolfSSL_dtls_cid_get_tx(WOLFSSL* ssl, unsigned char* buffer, int wolfSSL_dtls_cid_get_tx(WOLFSSL* ssl, unsigned char* buffer,
unsigned int bufferSz); unsigned int bufferSz);
/*!
\ingroup TLS
\brief This function returns the raw list of ciphersuites and signature
algorithms offered by the client. The lists are only stored and returned
inside a callback setup with wolfSSL_CTX_set_cert_cb(). This is useful to
be able to dynamically load certificates and keys based on the available
ciphersuites and signature algorithms.
\param [in] ssl The WOLFSSL object to extract the lists from.
\param [out] optional suites Raw and unfiltered list of client ciphersuites
\param [out] optional suiteSz Size of suites in bytes
\param [out] optional hashSigAlgo Raw and unfiltered list of client
signature algorithms
\param [out] optional hashSigAlgoSz Size of hashSigAlgo in bytes
\return WOLFSSL_SUCCESS when suites available
\return WOLFSSL_FAILURE when suites not available
_Example_
\code
int certCB(WOLFSSL* ssl, void* arg)
{
const byte* suites = NULL;
word16 suiteSz = 0;
const byte* hashSigAlgo = NULL;
word16 hashSigAlgoSz = 0;
wolfSSL_get_client_suites_sigalgs(ssl, &suites, &suiteSz, &hashSigAlgo,
&hashSigAlgoSz);
// Choose certificate to load based on ciphersuites and sigalgs
}
WOLFSSL* ctx;
ctx = wolfSSL_CTX_new(wolfTLSv1_3_method_ex(NULL));
wolfSSL_CTX_set_cert_cb(ctx, certCB, NULL);
\endcode
\sa wolfSSL_get_ciphersuite_info
\sa wolfSSL_get_sigalg_info
*/
int wolfSSL_get_client_suites_sigalgs(const WOLFSSL* ssl,
const byte** suites, word16* suiteSz,
const byte** hashSigAlgo, word16* hashSigAlgoSz);
/*!
\ingroup TLS
\brief This returns information about the ciphersuite directly from the
raw ciphersuite bytes.
\param [in] first First byte of the ciphersuite
\param [in] second Second byte of the ciphersuite
\return WOLFSSL_CIPHERSUITE_INFO A struct containing information about the
type of authentication used in the ciphersuite.
_Example_
\code
WOLFSSL_CIPHERSUITE_INFO info =
wolfSSL_get_ciphersuite_info(suites[0], suites[1]);
if (info.rsaAuth)
haveRSA = 1;
else if (info.eccAuth)
haveECC = 1;
\endcode
\sa wolfSSL_get_client_suites_sigalgs
\sa wolfSSL_get_sigalg_info
*/
WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first,
byte second);
/*!
\ingroup TLS
\brief This returns information about the hash and signature algorithm
directly from the raw ciphersuite bytes.
\param [in] first First byte of the hash and signature algorithm
\param [in] second Second byte of the hash and signature algorithm
\param [out] hashAlgo The enum wc_HashType of the MAC algorithm
\param [out] sigAlgo The enum Key_Sum of the authentication algorithm
\return 0 when info was correctly set
\return BAD_FUNC_ARG when either input paramters are NULL or the bytes
are not a recognized sigalg suite
_Example_
\code
enum wc_HashType hashAlgo;
enum Key_Sum sigAlgo;
wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1],
&hashAlgo, &sigAlgo);
if (sigAlgo == RSAk || sigAlgo == RSAPSSk)
haveRSA = 1;
else if (sigAlgo == ECDSAk)
haveECC = 1;
\endcode
\sa wolfSSL_get_client_suites_sigalgs
\sa wolfSSL_get_ciphersuite_info
*/
int wolfSSL_get_sigalg_info(byte first, byte second,
int* hashAlgo, int* sigAlgo);

23
src/internal.c
View File

@@ -4236,7 +4236,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
* hashalgo The hash algorithm. * hashalgo The hash algorithm.
* hsType The signature type. * hsType The signature type.
*/ */
static WC_INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType) void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType)
{ {
*hsType = invalid_sa_algo; *hsType = invalid_sa_algo;
switch (input[0]) { switch (input[0]) {
@@ -4324,7 +4324,7 @@ static WC_INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsTy
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448) || (!defined(NO_RSA) && defined(WC_RSA_PSS)) defined(HAVE_CURVE448) || (!defined(NO_RSA) && defined(WC_RSA_PSS))
static enum wc_HashType HashAlgoToType(int hashAlgo) enum wc_HashType HashAlgoToType(int hashAlgo)
{ {
switch (hashAlgo) { switch (hashAlgo) {
#ifdef WOLFSSL_SHA512 #ifdef WOLFSSL_SHA512
@@ -11224,23 +11224,11 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
#endif /* WOLFSSL_NO_TLS12 */ #endif /* WOLFSSL_NO_TLS12 */
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT) #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
/* cipher requirements */
enum {
REQUIRES_RSA,
REQUIRES_DHE,
REQUIRES_ECC,
REQUIRES_ECC_STATIC,
REQUIRES_PSK,
REQUIRES_RSA_SIG,
REQUIRES_AEAD
};
/* Does this cipher suite (first, second) have the requirement /* Does this cipher suite (first, second) have the requirement
an ephemeral key exchange will still require the key for signing an ephemeral key exchange will still require the key for signing
the key exchange so ECDHE_RSA requires an rsa key thus rsa_kea */ the key exchange so ECDHE_RSA requires an rsa key thus rsa_kea */
static int CipherRequires(byte first, byte second, int requirement) int CipherRequires(byte first, byte second, int requirement)
{ {
(void)requirement; (void)requirement;
@@ -35435,6 +35423,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif #endif
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
ssl->clSuites = clSuites;
/* Give user last chance to provide a cert for cipher selection */ /* Give user last chance to provide a cert for cipher selection */
if (ret == 0 && ssl->ctx->certSetupCb != NULL) if (ret == 0 && ssl->ctx->certSetupCb != NULL)
ret = CertSetupCbWrapper(ssl); ret = CertSetupCbWrapper(ssl);
@@ -35458,7 +35447,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif #endif
out: out:
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
ssl->clSuites = NULL;
#endif
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
if (clSuites != NULL) if (clSuites != NULL)
XFREE(clSuites, ssl->heap, DYNAMIC_TYPE_SUITES); XFREE(clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);

157
src/ssl.c
View File

@@ -16303,6 +16303,163 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->certSetupCbArg = arg; ctx->certSetupCbArg = arg;
} }
int wolfSSL_get_client_suites_sigalgs(const WOLFSSL* ssl,
const byte** suites, word16* suiteSz,
const byte** hashSigAlgo, word16* hashSigAlgoSz)
{
WOLFSSL_ENTER("wolfSSL_get_client_suites_sigalgs");
if (suites != NULL)
*suites = NULL;
if (suiteSz != NULL)
*suiteSz = 0;
if (hashSigAlgo != NULL)
*hashSigAlgo = NULL;
if (hashSigAlgoSz != NULL)
*hashSigAlgoSz = 0;
if (ssl != NULL && ssl->clSuites != NULL) {
if (suites != NULL && suiteSz != NULL) {
*suites = ssl->clSuites->suites;
*suiteSz = ssl->clSuites->suiteSz;
}
if (hashSigAlgo != NULL && hashSigAlgoSz != NULL) {
*hashSigAlgo = ssl->clSuites->hashSigAlgo;
*hashSigAlgoSz = ssl->clSuites->hashSigAlgoSz;
}
return WOLFSSL_SUCCESS;
}
return WOLFSSL_FAILURE;
}
WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first,
byte second)
{
WOLFSSL_CIPHERSUITE_INFO info;
info.rsaAuth = (byte)(CipherRequires(first, second, REQUIRES_RSA) ||
CipherRequires(first, second, REQUIRES_RSA_SIG));
info.eccAuth = (byte)(CipherRequires(first, second, REQUIRES_ECC) ||
/* Static ECC ciphers may require RSA for authentication */
(CipherRequires(first, second, REQUIRES_ECC_STATIC) &&
!CipherRequires(first, second, REQUIRES_RSA_SIG)));
info.eccStatic =
(byte)CipherRequires(first, second, REQUIRES_ECC_STATIC);
info.psk = (byte)CipherRequires(first, second, REQUIRES_PSK);
return info;
}
/**
* @param first First byte of the hash and signature algorithm
* @param second Second byte of the hash and signature algorithm
* @param hashAlgo The enum wc_HashType of the MAC algorithm
* @param sigAlgo The enum Key_Sum of the authentication algorithm
*/
int wolfSSL_get_sigalg_info(byte first, byte second,
int* hashAlgo, int* sigAlgo)
{
byte input[2];
byte hashType;
byte sigType;
if (hashAlgo == NULL || sigAlgo == NULL)
return BAD_FUNC_ARG;
input[0] = first;
input[1] = second;
DecodeSigAlg(input, &hashType, &sigType);
/* cast so that compiler reminds us of unimplemented values */
switch ((enum SignatureAlgorithm)sigType) {
case anonymous_sa_algo:
*sigAlgo = (enum Key_Sum)0;
break;
case rsa_sa_algo:
*sigAlgo = RSAk;
break;
case dsa_sa_algo:
*sigAlgo = DSAk;
break;
case ecc_dsa_sa_algo:
*sigAlgo = ECDSAk;
break;
case rsa_pss_sa_algo:
*sigAlgo = RSAPSSk;
break;
case ed25519_sa_algo:
*sigAlgo = ED25519k;
break;
case rsa_pss_pss_algo:
*sigAlgo = RSAPSSk;
break;
case ed448_sa_algo:
*sigAlgo = ED448k;
break;
case falcon_level1_sa_algo:
*sigAlgo = FALCON_LEVEL1k;
break;
case falcon_level5_sa_algo:
*sigAlgo = FALCON_LEVEL5k;
break;
case dilithium_level2_sa_algo:
*sigAlgo = DILITHIUM_LEVEL2k;
break;
case dilithium_level3_sa_algo:
*sigAlgo = DILITHIUM_LEVEL3k;
break;
case dilithium_level5_sa_algo:
*sigAlgo = DILITHIUM_LEVEL5k;
break;
case sm2_sa_algo:
*sigAlgo = SM2k;
break;
case invalid_sa_algo:
default:
*hashAlgo = WC_HASH_TYPE_NONE;
*sigAlgo = 0;
return BAD_FUNC_ARG;
}
/* cast so that compiler reminds us of unimplemented values */
switch((enum wc_MACAlgorithm)hashType) {
case no_mac:
case rmd_mac: /* Don't have a RIPEMD type in wc_HashType */
*hashAlgo = WC_HASH_TYPE_NONE;
break;
case md5_mac:
*hashAlgo = WC_HASH_TYPE_MD5;
break;
case sha_mac:
*hashAlgo = WC_HASH_TYPE_SHA;
break;
case sha224_mac:
*hashAlgo = WC_HASH_TYPE_SHA224;
break;
case sha256_mac:
*hashAlgo = WC_HASH_TYPE_SHA256;
break;
case sha384_mac:
*hashAlgo = WC_HASH_TYPE_SHA384;
break;
case sha512_mac:
*hashAlgo = WC_HASH_TYPE_SHA512;
break;
case blake2b_mac:
*hashAlgo = WC_HASH_TYPE_BLAKE2B;
break;
case sm3_mac:
#ifdef WOLFSSL_SM3
*hashAlgo = WC_HASH_TYPE_SM3;
#else
*hashAlgo = WC_HASH_TYPE_NONE;
#endif
break;
default:
*hashAlgo = WC_HASH_TYPE_NONE;
*sigAlgo = 0;
return BAD_FUNC_ARG;
}
return 0;
}
/** /**
* Internal wrapper for calling certSetupCb * Internal wrapper for calling certSetupCb
* @param ssl The SSL/TLS Object * @param ssl The SSL/TLS Object

18
src/tls13.c
View File

@@ -5617,6 +5617,11 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo); if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
#endif #endif
#ifdef OPENSSL_EXTRA
if ((ret = CertSetupCbWrapper(ssl)) != 0)
return ret;
#endif
if (OPAQUE8_LEN > size) if (OPAQUE8_LEN > size)
return BUFFER_ERROR; return BUFFER_ERROR;
@@ -6594,6 +6599,9 @@ static void FreeDch13Args(WOLFSSL* ssl, void* pArgs)
XFREE(args->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES); XFREE(args->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
args->clSuites = NULL; args->clSuites = NULL;
} }
#ifdef OPENSSL_EXTRA
ssl->clSuites = NULL;
#endif
} }
int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
@@ -6978,6 +6986,11 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
case TLS_ASYNC_DO: case TLS_ASYNC_DO:
{ {
#ifdef OPENSSL_EXTRA
ssl->clSuites = args->clSuites;
if ((ret = CertSetupCbWrapper(ssl)) != 0)
goto exit_dch;
#endif
#ifndef NO_CERTS #ifndef NO_CERTS
if (!args->usingPSK) { if (!args->usingPSK) {
if ((ret = MatchSuite(ssl, args->clSuites)) < 0) { if ((ret = MatchSuite(ssl, args->clSuites)) < 0) {
@@ -8244,11 +8257,6 @@ static int SendTls13Certificate(WOLFSSL* ssl)
listSz = 0; listSz = 0;
} }
else { else {
#ifdef OPENSSL_EXTRA
if ((ret = CertSetupCbWrapper(ssl)) != 0)
return ret;
#endif
if (!ssl->buffers.certificate) { if (!ssl->buffers.certificate) {
WOLFSSL_MSG("Send Cert missing certificate buffer"); WOLFSSL_MSG("Send Cert missing certificate buffer");
return BUFFER_ERROR; return BUFFER_ERROR;

370
tests/api.c
View File

@@ -370,7 +370,7 @@
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) || \ defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) || \
defined(WOLFSSL_TEST_STATIC_BUILD) || defined(WOLFSSL_DTLS) || \ defined(WOLFSSL_TEST_STATIC_BUILD) || defined(WOLFSSL_DTLS) || \
defined(HAVE_ECH) || defined(HAVE_EX_DATA) || !defined(NO_SESSION_CACHE) \ defined(HAVE_ECH) || defined(HAVE_EX_DATA) || !defined(NO_SESSION_CACHE) \
|| !defined(WOLFSSL_NO_TLS12) || !defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13)
/* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT, /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT,
* for setting authKeyIdSrc in WOLFSSL_X509, or testing DTLS sequence * for setting authKeyIdSrc in WOLFSSL_X509, or testing DTLS sequence
* number tracking */ * number tracking */
@@ -5824,8 +5824,12 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
#ifdef WOLFSSL_ENCRYPTED_KEYS #ifdef WOLFSSL_ENCRYPTED_KEYS
wolfSSL_CTX_set_default_passwd_cb(ctx->c_ctx, PasswordCallBack); wolfSSL_CTX_set_default_passwd_cb(ctx->c_ctx, PasswordCallBack);
#endif #endif
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx, caCertFile, 0), if (ctx->c_cb.caPemFile != NULL)
WOLFSSL_SUCCESS); ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx,
ctx->c_cb.caPemFile, 0), WOLFSSL_SUCCESS);
else
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx,
caCertFile, 0), WOLFSSL_SUCCESS);
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
if (!c_sharedCtx) if (!c_sharedCtx)
#endif #endif
@@ -5889,8 +5893,12 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
wolfSSL_SetIOSend(ctx->s_ctx, test_ssl_memio_write_cb); wolfSSL_SetIOSend(ctx->s_ctx, test_ssl_memio_write_cb);
wolfSSL_CTX_set_verify(ctx->s_ctx, WOLFSSL_VERIFY_PEER | wolfSSL_CTX_set_verify(ctx->s_ctx, WOLFSSL_VERIFY_PEER |
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx, cliCertFile, 0), if (ctx->s_cb.caPemFile != NULL)
WOLFSSL_SUCCESS); ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx,
ctx->s_cb.caPemFile, 0), WOLFSSL_SUCCESS);
else
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx,
cliCertFile, 0), WOLFSSL_SUCCESS);
#ifdef WOLFSSL_ENCRYPTED_KEYS #ifdef WOLFSSL_ENCRYPTED_KEYS
wolfSSL_CTX_set_default_passwd_cb(ctx->s_ctx, PasswordCallBack); wolfSSL_CTX_set_default_passwd_cb(ctx->s_ctx, PasswordCallBack);
#endif #endif
@@ -44748,60 +44756,40 @@ static int test_wolfSSL_BIO_reset(void)
/* test that the callback arg is correct */ /* test that the callback arg is correct */
static int certCbArg = 0; static int certCbArg = 0;
static int clientCertCb(WOLFSSL* ssl, void* arg) static int certCb(WOLFSSL* ssl, void* arg)
{
if (ssl == NULL || arg != &certCbArg)
return 0;
if (wolfSSL_use_certificate_file(ssl, cliCertFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
return 1;
}
static int clientCertSetupCb(WOLFSSL_CTX* ctx)
{
SSL_CTX_set_cert_cb(ctx, clientCertCb, &certCbArg);
return TEST_SUCCESS;
}
/**
* This is only done because test_client_nofail has no way to stop
* certificate and key loading
*/
static int clientCertClearCb(WOLFSSL* ssl)
{
/* Clear the loaded certs to force the callbacks to set them up */
SSL_certs_clear(ssl);
return TEST_SUCCESS;
}
static int serverCertCb(WOLFSSL* ssl, void* arg)
{ {
if (ssl == NULL || arg != &certCbArg) if (ssl == NULL || arg != &certCbArg)
return 0; return 0;
if (wolfSSL_is_server(ssl)) {
if (wolfSSL_use_certificate_file(ssl, svrCertFile, if (wolfSSL_use_certificate_file(ssl, svrCertFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0; return 0;
if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0; return 0;
}
else {
if (wolfSSL_use_certificate_file(ssl, cliCertFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
}
return 1; return 1;
} }
static int serverCertSetupCb(WOLFSSL_CTX* ctx) static int certSetupCb(WOLFSSL_CTX* ctx)
{ {
SSL_CTX_set_cert_cb(ctx, serverCertCb, &certCbArg); SSL_CTX_set_cert_cb(ctx, certCb, &certCbArg);
return TEST_SUCCESS; return TEST_SUCCESS;
} }
/** /**
* This is only done because test_server_nofail has no way to stop * This is only done because test_wolfSSL_client_server_nofail_memio has no way
* certificate and key loading * to stop certificate and key loading
*/ */
static int serverCertClearCb(WOLFSSL* ssl) static int certClearCb(WOLFSSL* ssl)
{ {
/* Clear the loaded certs to force the callbacks to set them up */ /* Clear the loaded certs to force the callbacks to set them up */
SSL_certs_clear(ssl); SSL_certs_clear(ssl);
@@ -44820,10 +44808,10 @@ static int test_wolfSSL_cert_cb(void)
XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); XMEMSET(&func_cb_client, 0, sizeof(func_cb_client));
XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); XMEMSET(&func_cb_server, 0, sizeof(func_cb_server));
func_cb_client.ctx_ready = clientCertSetupCb; func_cb_client.ctx_ready = certSetupCb;
func_cb_client.ssl_ready = clientCertClearCb; func_cb_client.ssl_ready = certClearCb;
func_cb_server.ctx_ready = serverCertSetupCb; func_cb_server.ctx_ready = certSetupCb;
func_cb_server.ssl_ready = serverCertClearCb; func_cb_server.ssl_ready = certClearCb;
ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
&func_cb_server, NULL), TEST_SUCCESS); &func_cb_server, NULL), TEST_SUCCESS);
@@ -44831,6 +44819,295 @@ static int test_wolfSSL_cert_cb(void)
return EXPECT_RESULT(); return EXPECT_RESULT();
} }
#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = NULL;
static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = NULL;
static int test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready(WOLFSSL_CTX* ctx)
{
EXPECT_DECLS;
ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx,
test_wolfSSL_cert_cb_dyn_ciphers_client_cipher), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx,
test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs), WOLFSSL_SUCCESS);
return EXPECT_RESULT();
}
static int test_wolfSSL_cert_cb_dyn_ciphers_certCB(WOLFSSL* ssl, void* arg)
{
const byte* suites = NULL;
word16 suiteSz = 0;
const byte* hashSigAlgo = NULL;
word16 hashSigAlgoSz = 0;
word16 idx = 0;
int haveRSA = 0;
int haveECC = 0;
(void)arg;
if (wolfSSL_get_client_suites_sigalgs(ssl, &suites, &suiteSz, &hashSigAlgo,
&hashSigAlgoSz) != WOLFSSL_SUCCESS)
return 0;
if (suites == NULL || suiteSz == 0 || hashSigAlgo == NULL ||
hashSigAlgoSz == 0)
return 0;
for (idx = 0; idx < suiteSz; idx += 2) {
WOLFSSL_CIPHERSUITE_INFO info =
wolfSSL_get_ciphersuite_info(suites[idx], suites[idx+1]);
if (info.rsaAuth)
haveRSA = 1;
else if (info.eccAuth)
haveECC = 1;
}
if (hashSigAlgoSz > 0) {
/* sigalgs extension takes precedence over ciphersuites */
haveRSA = 0;
haveECC = 0;
}
for (idx = 0; idx < hashSigAlgoSz; idx += 2) {
int hashAlgo;
int sigAlgo;
if (wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1],
&hashAlgo, &sigAlgo) != 0)
return 0;
if (sigAlgo == RSAk || sigAlgo == RSAPSSk)
haveRSA = 1;
else if (sigAlgo == ECDSAk)
haveECC = 1;
}
if (haveRSA) {
if (wolfSSL_use_certificate_file(ssl, svrCertFile, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
return 0;
if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
return 0;
}
else if (haveECC) {
if (wolfSSL_use_certificate_file(ssl, eccCertFile, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
return 0;
if (wolfSSL_use_PrivateKey_file(ssl, eccKeyFile, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
return 0;
}
return 1;
}
static int test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready(WOLFSSL_CTX* ctx)
{
SSL_CTX_set_cert_cb(ctx, test_wolfSSL_cert_cb_dyn_ciphers_certCB, NULL);
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL);
return TEST_SUCCESS;
}
#endif
/* Testing dynamic ciphers offered by client */
static int test_wolfSSL_cert_cb_dyn_ciphers(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
test_ssl_cbf func_cb_client;
test_ssl_cbf func_cb_server;
struct {
method_provider client_meth;
const char* client_ciphers;
const char* client_sigalgs;
const char* client_ca;
method_provider server_meth;
} test_params[] = {
#if !defined(NO_SHA256) && defined(HAVE_AESGCM)
#ifdef WOLFSSL_TLS13
#if !defined(NO_RSA) && defined(WC_RSA_PSS)
{wolfTLSv1_3_client_method,
"TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256",
"RSA-PSS+SHA256", caCertFile, wolfTLSv1_3_server_method},
#endif
#ifdef HAVE_ECC
{wolfTLSv1_3_client_method,
"TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256",
"ECDSA+SHA256", caEccCertFile, wolfTLSv1_3_server_method},
#endif
#endif
#ifndef WOLFSSL_NO_TLS12
#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_DH)
{wolfTLSv1_2_client_method,
"DHE-RSA-AES128-GCM-SHA256",
"RSA-PSS+SHA256", caCertFile, wolfTLSv1_2_server_method},
#endif
#ifdef HAVE_ECC
{wolfTLSv1_2_client_method,
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDSA+SHA256", caEccCertFile, wolfTLSv1_2_server_method},
#endif
#endif
#endif
};
size_t i;
for (i = 0; i < sizeof(test_params)/sizeof(*test_params); i++) {
printf("\tTesting %s ciphers with %s sigalgs\n",
test_params[i].client_ciphers, test_params[i].client_sigalgs);
XMEMSET(&func_cb_client, 0, sizeof(func_cb_client));
XMEMSET(&func_cb_server, 0, sizeof(func_cb_server));
test_wolfSSL_cert_cb_dyn_ciphers_client_cipher =
test_params[i].client_ciphers;
test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs =
test_params[i].client_sigalgs;
func_cb_client.method = test_params[i].client_meth;
func_cb_client.caPemFile = test_params[i].client_ca;
func_cb_client.ctx_ready =
test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready;
func_cb_server.ctx_ready =
test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready;
func_cb_server.ssl_ready = certClearCb; /* Reuse from previous test */
func_cb_server.method = test_params[i].server_meth;
ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
&func_cb_server, NULL), TEST_SUCCESS);
}
#endif
return EXPECT_RESULT();
}
static int test_wolfSSL_ciphersuite_auth(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
WOLFSSL_CIPHERSUITE_INFO info;
(void)info;
#ifndef WOLFSSL_NO_TLS12
#ifdef HAVE_CHACHA
info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
ExpectIntEQ(info.rsaAuth, 1);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 1);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE,
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 1);
#endif
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
#ifndef NO_RSA
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 1);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 1);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 1);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 1);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 1);
ExpectIntEQ(info.psk, 0);
#endif
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 1);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 1);
ExpectIntEQ(info.eccStatic, 1);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(ECDHE_PSK_BYTE,
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 1);
#endif
#endif
#ifdef WOLFSSL_TLS13
info = wolfSSL_get_ciphersuite_info(TLS13_BYTE,
TLS_AES_128_GCM_SHA256);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
#endif
#endif
return EXPECT_RESULT();
}
static int test_wolfSSL_sigalg_info(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
byte hashSigAlgo[WOLFSSL_MAX_SIGALGO];
word16 len = 0;
word16 idx = 0;
int allSigAlgs = SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | SIG_DILITHIUM;
InitSuitesHashSigAlgo_ex2(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len);
for (idx = 0; idx < len; idx += 2) {
int hashAlgo;
int sigAlgo;
ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0],
hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0);
ExpectIntNE(hashAlgo, 0);
ExpectIntNE(sigAlgo, 0);
}
InitSuitesHashSigAlgo_ex2(hashSigAlgo, allSigAlgs | SIG_ANON, 1,
0xFFFFFFFF, &len);
for (idx = 0; idx < len; idx += 2) {
int hashAlgo;
int sigAlgo;
ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0],
hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0);
ExpectIntNE(hashAlgo, 0);
}
#endif
return EXPECT_RESULT();
}
static int test_wolfSSL_SESSION(void) static int test_wolfSSL_SESSION(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
@@ -69051,6 +69328,9 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_check_domain), TEST_DECL(test_wolfSSL_check_domain),
#endif #endif
TEST_DECL(test_wolfSSL_cert_cb), TEST_DECL(test_wolfSSL_cert_cb),
TEST_DECL(test_wolfSSL_cert_cb_dyn_ciphers),
TEST_DECL(test_wolfSSL_ciphersuite_auth),
TEST_DECL(test_wolfSSL_sigalg_info),
/* Can't memory test as tcp_connect aborts. */ /* Can't memory test as tcp_connect aborts. */
TEST_DECL(test_wolfSSL_SESSION), TEST_DECL(test_wolfSSL_SESSION),
TEST_DECL(test_wolfSSL_SESSION_expire_downgrade), TEST_DECL(test_wolfSSL_SESSION_expire_downgrade),

2
wolfcrypt/benchmark/benchmark.c
View File

@@ -340,7 +340,7 @@
#elif defined(CONFIG_IDF_TARGET_ESP32H2) #elif defined(CONFIG_IDF_TARGET_ESP32H2)
#else #else
/* Other platform */
#endif #endif
#include <esp_log.h> #include <esp_log.h>
#endif /* WOLFSSL_ESPIDF */ #endif /* WOLFSSL_ESPIDF */

13
wolfcrypt/src/port/Espressif/esp32_mp.c
View File

@@ -145,6 +145,8 @@ static portMUX_TYPE wc_rsa_reg_lock = portMUX_INITIALIZER_UNLOCKED;
static unsigned long esp_mp_mulmod_small_x_ct = 0; static unsigned long esp_mp_mulmod_small_x_ct = 0;
static unsigned long esp_mp_mulmod_small_y_ct = 0; static unsigned long esp_mp_mulmod_small_y_ct = 0;
static unsigned long esp_mp_max_timeout = 0;
#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL #ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
static unsigned long esp_mp_mul_usage_ct = 0; static unsigned long esp_mp_mul_usage_ct = 0;
static unsigned long esp_mp_mul_error_ct = 0; static unsigned long esp_mp_mul_error_ct = 0;
@@ -236,6 +238,13 @@ static int esp_mp_hw_wait_clean(void)
/* no HW timeout if we don't know the platform. assumes no HW */ /* no HW timeout if we don't know the platform. assumes no HW */
#endif #endif
#if defined(WOLFSSL_HW_METRICS)
{
esp_mp_max_timeout = (timeout > esp_mp_max_timeout) ? timeout :
esp_mp_max_timeout;
}
#endif
if (ESP_TIMEOUT(timeout)) { if (ESP_TIMEOUT(timeout)) {
ESP_LOGE(TAG, "esp_mp_hw_wait_clean waiting HW ready timed out."); ESP_LOGE(TAG, "esp_mp_hw_wait_clean waiting HW ready timed out.");
ret = WC_HW_WAIT_E; /* hardware is busy, MP_HW_BUSY; */ ret = WC_HW_WAIT_E; /* hardware is busy, MP_HW_BUSY; */
@@ -1016,7 +1025,7 @@ int esp_mp_montgomery_init(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M,
} }
if ((X == NULL) || (Y == NULL) || (M == NULL) ) { if ((X == NULL) || (Y == NULL) || (M == NULL) ) {
/* if a bad operand passed, we cannot use HW */ /* if a bad operand passed, we cannot use HW */
ESP_LOGE(TAG, "ERROR: Bad montgomery operand, falling back to SW"); ESP_LOGE(TAG, "ERROR: Bad Montgomery operand, falling back to SW");
return MP_HW_FALLBACK; return MP_HW_FALLBACK;
} }
XMEMSET(mph, 0, sizeof(struct esp_mp_helper)); XMEMSET(mph, 0, sizeof(struct esp_mp_helper));
@@ -3060,6 +3069,8 @@ int esp_hw_show_mp_metrics(void)
#endif /* EXPTMOD not disabled !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ #endif /* EXPTMOD not disabled !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
ESP_LOGI(TAG, "Max N->used: esp_mp_max_used = %lu", esp_mp_max_used); ESP_LOGI(TAG, "Max N->used: esp_mp_max_used = %lu", esp_mp_max_used);
ESP_LOGI(TAG, "Max timeout: esp_mp_max_timeout = %lu", esp_mp_max_timeout);
#else #else
/* no HW math, no HW math metrics */ /* no HW math, no HW math metrics */
ret = ESP_OK; ret = ESP_OK;

206
wolfcrypt/src/port/Espressif/esp32_sha.c
View File

@@ -50,7 +50,10 @@
#if defined(WOLFSSL_ESP32_CRYPT) && \ #if defined(WOLFSSL_ESP32_CRYPT) && \
!defined(NO_WOLFSSL_ESP32_CRYPT_HASH) !defined(NO_WOLFSSL_ESP32_CRYPT_HASH)
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
#include <hal/sha_hal.h> #include <hal/sha_hal.h>
#include <hal/sha_ll.h> #include <hal/sha_ll.h>
@@ -72,13 +75,16 @@
#include <wolfcrypt/src/misc.c> #include <wolfcrypt/src/misc.c>
#endif #endif
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) static const char* TAG = "wolf_hw_sha";
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* keep track of the currently active SHA hash object for interleaving */ /* keep track of the currently active SHA hash object for interleaving */
const static word32 ** _active_digest_address = 0; const static word32 ** _active_digest_address = 0;
#endif #endif
static const char* TAG = "wolf_hw_sha";
#ifdef NO_SHA #ifdef NO_SHA
#define WC_SHA_DIGEST_SIZE 20 #define WC_SHA_DIGEST_SIZE 20
#endif #endif
@@ -158,11 +164,16 @@ static const char* TAG = "wolf_hw_sha";
/* /*
** The wolfCrypt functions for LITTLE_ENDIAN_ORDER typically ** The wolfCrypt functions for LITTLE_ENDIAN_ORDER typically
** reverse the byte order. Except when the hardware doesn't expect it. ** reverse the byte order. Except when the hardware doesn't expect it.
**
** Returns 0 (FALSE) or 1 (TRUE); see wolfSSL types.h
*/ */
int esp_sha_need_byte_reversal(WC_ESP32SHA* ctx) int esp_sha_need_byte_reversal(WC_ESP32SHA* ctx)
{ {
int ret = 1; /* assume we'll need reversal, look for exceptions */ int ret = TRUE; /* assume we'll need reversal, look for exceptions */
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
if (ctx == NULL) { if (ctx == NULL) {
ESP_LOGE(TAG, " ctx is null"); ESP_LOGE(TAG, " ctx is null");
/* return true for bad params */ /* return true for bad params */
@@ -175,10 +186,10 @@ int esp_sha_need_byte_reversal(WC_ESP32SHA* ctx)
#endif #endif
if (ctx->mode == ESP32_SHA_HW) { if (ctx->mode == ESP32_SHA_HW) {
ESP_LOGV(TAG, " No reversal, ESP32_SHA_HW"); ESP_LOGV(TAG, " No reversal, ESP32_SHA_HW");
ret = 0; ret = FALSE;
} }
else { else {
ret = 1; ret = TRUE;
ESP_LOGV(TAG, " Need byte reversal, %d", ctx->mode); ESP_LOGV(TAG, " Need byte reversal, %d", ctx->mode);
/* return true for SW; only HW C3 skips reversal at this time. */ /* return true for SW; only HW C3 skips reversal at this time. */
#ifdef WOLFSSL_HW_METRICS #ifdef WOLFSSL_HW_METRICS
@@ -276,7 +287,10 @@ int esp_sha_init(WC_ESP32SHA* ctx, enum wc_HashType hash_type)
ESP_LOGW(TAG, "Unexpected hash_type in esp_sha_init"); ESP_LOGW(TAG, "Unexpected hash_type in esp_sha_init");
break; break;
} }
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
switch (hash_type) { /* check each wolfSSL hash type WC_[n] */ switch (hash_type) { /* check each wolfSSL hash type WC_[n] */
#ifndef NO_SHA #ifndef NO_SHA
case WC_HASH_TYPE_SHA: case WC_HASH_TYPE_SHA:
@@ -312,7 +326,9 @@ int esp_sha_init(WC_ESP32SHA* ctx, enum wc_HashType hash_type)
/* other chipsets will be implemented here */ /* other chipsets will be implemented here */
ESP_LOGW(TAG, "SW Fallback; CONFIG_IDF_TARGET = %s", CONFIG_IDF_TARGET); ESP_LOGW(TAG, "SW Fallback; CONFIG_IDF_TARGET = %s", CONFIG_IDF_TARGET);
ctx->mode = ESP32_SHA_SW; ctx->mode = ESP32_SHA_SW;
#endif /* CONFIG_IDF_TARGET_ESP32 || x_ESP32S2 || x_ESP32S3 */ #endif /* CONFIG_IDF_TARGET_ESP32 ||
* CONFIG_IDF_TARGET_ESP32S2 ||
* CONFIG_IDF_TARGET_ESP32S3 */
return ret; return ret;
} }
@@ -541,9 +557,12 @@ int esp_sha_ctx_copy(struct wc_Sha* src, struct wc_Sha* dst)
} }
if (dst->ctx.mode == ESP32_SHA_SW) { if (dst->ctx.mode == ESP32_SHA_SW) {
#if defined(CONFIG_IDF_TARGET_ESP32C3) || \ #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6) defined(CONFIG_IDF_TARGET_ESP32C6)
/* Reverse digest for C3 when HW enabled but fallback to SW. */ /* Reverse digest for C2/C3/C6 RISC-V platform
* only when HW enabled but fallback to SW. */
ByteReverseWords(dst->digest, dst->digest, WC_SHA_DIGEST_SIZE); ByteReverseWords(dst->digest, dst->digest, WC_SHA_DIGEST_SIZE);
#ifdef WOLFSSL_HW_METRICS #ifdef WOLFSSL_HW_METRICS
esp_sha_reverse_words_ct++; esp_sha_reverse_words_ct++;
@@ -613,7 +632,7 @@ int esp_sha256_ctx_copy(struct wc_Sha256* src, struct wc_Sha256* dst)
ESP_LOGI(TAG, "esp_sha256_ctx_copy esp_sha512_digest_process"); ESP_LOGI(TAG, "esp_sha256_ctx_copy esp_sha512_digest_process");
} }
#endif #endif
ret = esp_sha256_digest_process(dst, 0); ret = esp_sha256_digest_process(dst, 0); /* TODO Use FALSE*/
if (ret == 0) { if (ret == 0) {
/* provide init hint to possibly SW revert */ /* provide init hint to possibly SW revert */
@@ -624,7 +643,9 @@ int esp_sha256_ctx_copy(struct wc_Sha256* src, struct wc_Sha256* dst)
} }
if (dst->ctx.mode == ESP32_SHA_SW) { if (dst->ctx.mode == ESP32_SHA_SW) {
#if defined(CONFIG_IDF_TARGET_ESP32C3) || \ #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6) defined(CONFIG_IDF_TARGET_ESP32C6)
{ {
/* Reverse digest byte order for C3 fallback to SW. */ /* Reverse digest byte order for C3 fallback to SW. */
@@ -665,9 +686,16 @@ int esp_sha256_ctx_copy(struct wc_Sha256* src, struct wc_Sha256* dst)
int esp_sha384_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst) int esp_sha384_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
{ {
int ret = 0; int ret = 0;
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
ESP_LOGW(TAG, "Warning: esp_sha384_ctx_copy() called for ESP32-C3!"); defined(CONFIG_IDF_TARGET_ESP8684) || \
ESP_LOGW(TAG, "There's no SHA384 HW for the ESP32-C3"); defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
{
/* We should ever be calling the HW sHA384 copy for this target. */
ESP_LOGW(TAG, "Warning: esp_sha384_ctx_copy() called for %s!",
CONFIG_IDF_TARGET);
ESP_LOGW(TAG, "There's no SHA384 HW for this CONFIG_IDF_TARGET");
}
#else #else
if (src->ctx.mode == ESP32_SHA_HW) { if (src->ctx.mode == ESP32_SHA_HW) {
/* Get a copy of the HW digest, but don't process it. */ /* Get a copy of the HW digest, but don't process it. */
@@ -723,8 +751,16 @@ int esp_sha384_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
*/ */
int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst) int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
{ {
int ret = 0; int ret = ESP_OK; /* Assume success (zero) */
#if !defined(CONFIG_IDF_TARGET_ESP32C3) && !defined(CONFIG_IDF_TARGET_ESP32C6)
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* there's no SHA512 HW on the RISC-V SoC so there's nothing to do. */
#elif defined(CONFIG_IDF_TARGET_ESP32) || \
defined(CONFIG_IDF_TARGET_ESP32S2) || \
defined(CONFIG_IDF_TARGET_ESP32S3)
if (src->ctx.mode == ESP32_SHA_HW) { if (src->ctx.mode == ESP32_SHA_HW) {
/* Get a copy of the HW digest, but don't process it. */ /* Get a copy of the HW digest, but don't process it. */
ESP_LOGI(TAG, "esp_sha512_ctx_copy esp_sha512_digest_process"); ESP_LOGI(TAG, "esp_sha512_ctx_copy esp_sha512_digest_process");
@@ -752,7 +788,9 @@ int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
/* reminder this happened in XMEMCOPY, above: dst->ctx = src->ctx; /* reminder this happened in XMEMCOPY, above: dst->ctx = src->ctx;
** No special HW init needed when not in active HW mode. ** No special HW init needed when not in active HW mode.
** but we need to set our initializer breadcrumb: */ ** but we need to set our initializer breadcrumb: */
#if !defined(CONFIG_IDF_TARGET_ESP32C3) && \ /* TODO: instead of what is NOT supported, gate on what IS known to be supported */
#if !defined(CONFIG_IDF_TARGET_ESP32C2) && \
!defined(CONFIG_IDF_TARGET_ESP32C3) && \
!defined(CONFIG_IDF_TARGET_ESP32C6) !defined(CONFIG_IDF_TARGET_ESP32C6)
dst->ctx.initializer = &dst->ctx; /*breadcrumb is this ctx address */ dst->ctx.initializer = &dst->ctx; /*breadcrumb is this ctx address */
#endif #endif
@@ -764,6 +802,7 @@ int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
#endif #endif
} }
#endif #endif
return ret; return ret;
} /* esp_sha512_ctx_copy */ } /* esp_sha512_ctx_copy */
#endif #endif
@@ -821,7 +860,7 @@ static word32 wc_esp_sha_digest_size(WC_ESP_SHA_TYPE type)
break; break;
} }
#else #else
/* Xtnsa */ /* Xtensa */
switch (type) { switch (type) {
#ifndef NO_SHA #ifndef NO_SHA
case SHA1: /* typically 20 bytes */ case SHA1: /* typically 20 bytes */
@@ -871,7 +910,10 @@ static int wc_esp_wait_until_idle(void)
int ret = 0; /* assume success */ int ret = 0; /* assume success */
int loop_ct = 10000; int loop_ct = 10000;
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* ESP32-C3 and ESP32-C6 RISC-V */ /* ESP32-C3 and ESP32-C6 RISC-V */
while ((sha_ll_busy() == true) && (loop_ct > 0)) { while ((sha_ll_busy() == true) && (loop_ct > 0)) {
loop_ct--; loop_ct--;
@@ -925,16 +967,20 @@ int esp_unroll_sha_module_enable(WC_ESP32SHA* ctx)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
/* RISC-V Architecture */ defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/************* RISC-V Architecture *************/
(void)max_unroll_count; (void)max_unroll_count;
(void)_active_digest_address; (void)_active_digest_address;
ets_sha_disable(); ets_sha_disable();
/* We don't check for unroll as done below, for Xtensa*/
#else #else
/* Xtensa Architecture */ /************* Xtensa Architecture *************/
/* unwind prior calls to THIS ctx. decrement ref_counts[periph] */ /* unwind prior calls to THIS ctx. decrement ref_counts[periph]
/* only when ref_counts[periph] == 0 does something actually happen */ ** only when ref_counts[periph] == 0 does something actually happen. */
/* once the value we read is a 0 in the DPORT_PERI_CLK_EN_REG bit /* once the value we read is a 0 in the DPORT_PERI_CLK_EN_REG bit
* then we have fully unrolled the enables via ref_counts[periph]==0 */ * then we have fully unrolled the enables via ref_counts[periph]==0 */
@@ -1243,8 +1289,8 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx)
#ifdef WOLFSSL_DEBUG_MUTEX #ifdef WOLFSSL_DEBUG_MUTEX
if (esp_sha_call_count() == 8 && WOLFSSL_TEST_STRAY) { if (esp_sha_call_count() == 8 && WOLFSSL_TEST_STRAY) {
/* once we've locked 10 times here, /* Once we've locked 10 times here,
* we'll force a fallback to SW until other thread unlocks */ * we'll force a fallback to SW until other thread unlocks. */
taskENTER_CRITICAL(&sha_crit_sect); taskENTER_CRITICAL(&sha_crit_sect);
{ {
(void)stray_ctx; (void)stray_ctx;
@@ -1329,10 +1375,15 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx)
} }
#endif /* not defined(SINGLE_THREADED) */ #endif /* not defined(SINGLE_THREADED) */
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
{
ESP_LOGV(TAG, "ets_sha_enable for RISC-V"); ESP_LOGV(TAG, "ets_sha_enable for RISC-V");
ets_sha_enable(); ets_sha_enable();
ctx->mode = ESP32_SHA_HW; ctx->mode = ESP32_SHA_HW;
}
#else #else
if (ret == 0) { if (ret == 0) {
ctx->lockDepth++; /* depth for THIS ctx (there could be others!) */ ctx->lockDepth++; /* depth for THIS ctx (there could be others!) */
@@ -1361,14 +1412,15 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx)
*/ */
int esp_sha_hw_unlock(WC_ESP32SHA* ctx) int esp_sha_hw_unlock(WC_ESP32SHA* ctx)
{ {
int ret; int ret = ESP_OK; /* assume success (zero) */
#ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG #ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
ESP_LOGV(TAG, "enter esp_sha_hw_unlock"); ESP_LOGV(TAG, "enter esp_sha_hw_unlock");
#endif #endif
ret = 0;
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
/* ESP32-C3 and ESP32-C6 RISC-V */ defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
ets_sha_disable(); /* disable also resets active, ongoing hash */ ets_sha_disable(); /* disable also resets active, ongoing hash */
ESP_LOGV(TAG, "ets_sha_disable in esp_sha_hw_unlock()"); ESP_LOGV(TAG, "ets_sha_disable in esp_sha_hw_unlock()");
#else #else
@@ -1434,6 +1486,7 @@ int esp_sha_hw_unlock(WC_ESP32SHA* ctx)
#ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG #ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
ESP_LOGI(TAG, "leave esp_sha_hw_unlock, %x", (int)ctx->initializer); ESP_LOGI(TAG, "leave esp_sha_hw_unlock, %x", (int)ctx->initializer);
#endif #endif
return ret; return ret;
} /* esp_sha_hw_unlock */ } /* esp_sha_hw_unlock */
@@ -1442,8 +1495,13 @@ int esp_sha_hw_unlock(WC_ESP32SHA* ctx)
* Assumes register already loaded. * Assumes register already loaded.
* Returns a negative value error code upon failure. * Returns a negative value error code upon failure.
*/ */
#if !defined(CONFIG_IDF_TARGET_ESP32C3) && !defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
/* the ESP32-C3 HAL has built-in process start, everything else uses: */ defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* ESP32-C3 HAL has built-in process start, nothing to declare here. */
#else
/* Everything else uses esp_sha_start_process() */
static int esp_sha_start_process(WC_ESP32SHA* sha) static int esp_sha_start_process(WC_ESP32SHA* sha)
{ {
int ret = 0; int ret = 0;
@@ -1457,7 +1515,10 @@ static int esp_sha_start_process(WC_ESP32SHA* sha)
ESP_LOGV(TAG, " enter esp_sha_start_process"); ESP_LOGV(TAG, " enter esp_sha_start_process");
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
ESP_LOGV(TAG, "SHA1 SHA_START_REG"); ESP_LOGV(TAG, "SHA1 SHA_START_REG");
if (sha->isfirstblock) { if (sha->isfirstblock) {
sha_ll_start_block(SHA2_256); sha_ll_start_block(SHA2_256);
@@ -1477,7 +1538,9 @@ static int esp_sha_start_process(WC_ESP32SHA* sha)
ESP_LOGV(TAG, " continue block #%d", this_block_num); ESP_LOGV(TAG, " continue block #%d", this_block_num);
#endif #endif
} /* not first block */ } /* not first block */
/***** END CONFIG_IDF_TARGET_ESP32C3 or CONFIG_IDF_TARGET_ESP32C6 *****/ /***** END CONFIG_IDF_TARGET_ESP32C2 aka ESP8684 or
* CONFIG_IDF_TARGET_ESP32C3 or
* CONFIG_IDF_TARGET_ESP32C6 *****/
#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3) #elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
/* Translate from Wolf SHA type to hardware algorithm. */ /* Translate from Wolf SHA type to hardware algorithm. */
@@ -1667,8 +1730,13 @@ static int wc_esp_process_block(WC_ESP32SHA* ctx, /* see ctx->sha_type */
ret = esp_sha_start_process(ctx); ret = esp_sha_start_process(ctx);
/***** END CONFIG_IDF_TARGET_ESP32 */ /***** END CONFIG_IDF_TARGET_ESP32 */
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
/* SHA_M_1_REG is not a macro: defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/************* RISC-V Architecture *************
*
* SHA_M_1_REG is not a macro:
* DPORT_REG_WRITE(SHA_M_1_REG + (i*sizeof(word32)), *(data + i)); * DPORT_REG_WRITE(SHA_M_1_REG + (i*sizeof(word32)), *(data + i));
* *
* but we have this HAL: sha_ll_fill_text_block * but we have this HAL: sha_ll_fill_text_block
@@ -1710,7 +1778,10 @@ static int wc_esp_process_block(WC_ESP32SHA* ctx, /* see ctx->sha_type */
ctx->isfirstblock); ctx->isfirstblock);
ctx->isfirstblock = 0; /* once we hash a block, ctx->isfirstblock = 0; /* once we hash a block,
* we're no longer at the first */ * we're no longer at the first */
/***** END CONFIG_IDF_TARGET_ESP32C3 or CONFIG_IDF_TARGET_ESP32C6 */ /***** END CONFIG_IDF_TARGET_ESP32C2 or
* CONFIG_IDF_TARGET_ESP8684 or
* CONFIG_IDF_TARGET_ESP32C3 or
* CONFIG_IDF_TARGET_ESP32C6 */
#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3) #elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
MessageSource = (word32*)data; MessageSource = (word32*)data;
@@ -1785,7 +1856,9 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash)
/* sanity check */ /* sanity check */
#if defined(CONFIG_IDF_TARGET_ESP32) #if defined(CONFIG_IDF_TARGET_ESP32)
if (ctx->sha_type == SHA_INVALID) { if (ctx->sha_type == SHA_INVALID) {
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || \ #elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32S2) || \ defined(CONFIG_IDF_TARGET_ESP32S2) || \
defined(CONFIG_IDF_TARGET_ESP32S3) || \ defined(CONFIG_IDF_TARGET_ESP32S3) || \
defined(CONFIG_IDF_TARGET_ESP32C6) defined(CONFIG_IDF_TARGET_ESP32C6)
@@ -1805,6 +1878,7 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash)
ESP_LOGE(TAG, "unexpected error. sha_type is invalid."); ESP_LOGE(TAG, "unexpected error. sha_type is invalid.");
return ESP_FAIL; return ESP_FAIL;
} }
#if defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3) #if defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
if (ctx->isfirstblock == true) { if (ctx->isfirstblock == true) {
/* no hardware use yet. Nothing to do yet */ /* no hardware use yet. Nothing to do yet */
@@ -1837,20 +1911,34 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash)
} /* not (ctx->sha_type == SHA2_512) */ } /* not (ctx->sha_type == SHA2_512) */
/* end if CONFIG_IDF_TARGET_ESP32S3 */ /* end if CONFIG_IDF_TARGET_ESP32S3 */
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
sha_ll_read_digest(ctx->sha_type, defined(CONFIG_IDF_TARGET_ESP8684)
wc_esp_wait_until_idle();
sha_ll_read_digest(
ctx->sha_type,
(void *)hash, (void *)hash,
wc_esp_sha_digest_size(ctx->sha_type) / sizeof(word32)); wc_esp_sha_digest_size(ctx->sha_type) / sizeof(word32)
);
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
wc_esp_wait_until_idle();
sha_ll_read_digest(
ctx->sha_type,
(void *)hash,
wc_esp_sha_digest_size(ctx->sha_type) / sizeof(word32)
);
#else #else
/* not CONFIG_IDF_TARGET_ESP32S3 */ /* not CONFIG_IDF_TARGET_ESP32S3 */
/* wait until idle */ /* wait until idle */
wc_esp_wait_until_idle(); wc_esp_wait_until_idle();
/* each sha_type register is at a different location */ /* each sha_type register is at a different location */
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
#elif defined(CONFIG_IDF_TARGET_ESP32S2) #elif defined(CONFIG_IDF_TARGET_ESP32S2)
/* nothing here for S2 */
#else #else
switch (ctx->sha_type) { switch (ctx->sha_type) {
case SHA1: case SHA1:
@@ -2051,7 +2139,13 @@ int esp_sha512_block(struct wc_Sha512* sha, const word32* data, byte isfinal)
int ret = 0; /* assume success */ int ret = 0; /* assume success */
ESP_LOGV(TAG, "enter esp_sha512_block"); ESP_LOGV(TAG, "enter esp_sha512_block");
/* start register offset */ /* start register offset */
#if !defined(CONFIG_IDF_TARGET_ESP32C3) && !defined(CONFIG_IDF_TARGET_ESP32C6)
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* No SHA-512 HW on RISC-V SoC, so nothing to do. */
#else
/* note that in SW mode, wolfSSL uses 64 bit words */ /* note that in SW mode, wolfSSL uses 64 bit words */
if (sha->ctx.mode == ESP32_SHA_SW) { if (sha->ctx.mode == ESP32_SHA_SW) {
ByteReverseWords64(sha->buffer, ByteReverseWords64(sha->buffer,
@@ -2107,8 +2201,14 @@ int esp_sha512_digest_process(struct wc_Sha512* sha, byte blockproc)
{ {
int ret = 0; int ret = 0;
ESP_LOGV(TAG, "enter esp_sha512_digest_process"); ESP_LOGV(TAG, "enter esp_sha512_digest_process");
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
ESP_LOGW(TAG, "Warning: no SHA512 HW to digest on ESP32-C3"); defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
{
ESP_LOGW(TAG, "Warning: no SHA512 HW to digest on %s",
CONFIG_IDF_TARGET);
}
#else #else
if (blockproc) { if (blockproc) {
word32* data = (word32*)sha->buffer; word32* data = (word32*)sha->buffer;
@@ -2171,6 +2271,6 @@ int esp_hw_show_sha_metrics(void)
return ret; return ret;
} }
#endif /* WOLFSSL_HW_METRICS */ #endif /* WOLFSSL_ESP32_CRYPT and WOLFSSL_HW_METRICS */
#endif /* WOLFSSL_ESPIDF */ #endif /* WOLFSSL_ESPIDF (exclude entire contents for non-Espressif projects */

107
wolfcrypt/src/port/Espressif/esp32_util.c
View File

@@ -201,7 +201,11 @@ static int ShowExtendedSystemInfo_platform_espressif(void)
WOLFSSL_VERSION_PRINTF("Xthal_have_ccount = %u", WOLFSSL_VERSION_PRINTF("Xthal_have_ccount = %u",
Xthal_have_ccount); Xthal_have_ccount);
#elif CONFIG_IDF_TARGET_ESP32C6 #elif CONFIG_IDF_TARGET_ESP32C6
/* not supported at this time */ /* TODO find Xthal for C6 */
#elif CONFIG_IDF_TARGET_ESP32C2
/* TODO find Xthal for C6 */
#elif defined(CONFIG_IDF_TARGET_ESP8684)
/* TODO find Xthal for C6 */
#elif CONFIG_IDF_TARGET_ESP32C3 #elif CONFIG_IDF_TARGET_ESP32C3
/* not supported at this time */ /* not supported at this time */
#elif CONFIG_IDF_TARGET_ESP32S3 #elif CONFIG_IDF_TARGET_ESP32S3
@@ -228,6 +232,9 @@ static int ShowExtendedSystemInfo_platform_espressif(void)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-S2."); WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-S2.");
#elif defined(CONFIG_IDF_TARGET_ESP32S3) #elif defined(CONFIG_IDF_TARGET_ESP32S3)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-S3."); WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-S3.");
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-C2.");
#elif defined(CONFIG_IDF_TARGET_ESP32C3) #elif defined(CONFIG_IDF_TARGET_ESP32C3)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-C3."); WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-C3.");
#elif defined(CONFIG_IDF_TARGET_ESP32C6) #elif defined(CONFIG_IDF_TARGET_ESP32C6)
@@ -235,7 +242,7 @@ static int ShowExtendedSystemInfo_platform_espressif(void)
#elif defined(CONFIG_IDF_TARGET_ESP32H2) #elif defined(CONFIG_IDF_TARGET_ESP32H2)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-H2."); WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-H2.");
#else #else
/* this should have been detected & disabled in user_settins.h */ /* This should have been detected & disabled in user_settins.h */
#error "ESP32_CRYPT not yet supported on this IDF TARGET" #error "ESP32_CRYPT not yet supported on this IDF TARGET"
#endif #endif
@@ -376,7 +383,7 @@ int esp_current_boot_count(void)
} }
/* See macro helpers above; not_defined is macro name when *not* defined */ /* See macro helpers above; not_defined is macro name when *not* defined */
static int esp_ShowMacroStatus(char* s, char* not_defined) static int show_macro(char* s, char* not_defined)
{ {
char hd1[] = "Macro Name Defined Not Defined"; char hd1[] = "Macro Name Defined Not Defined";
char hd2[] = "------------------------- --------- -------------"; char hd2[] = "------------------------- --------- -------------";
@@ -397,9 +404,11 @@ static int esp_ShowMacroStatus(char* s, char* not_defined)
/* Depending on if defined, put an "x" in the appropriate column */ /* Depending on if defined, put an "x" in the appropriate column */
if (not_defined == NULL || not_defined[0] == '\0') { if (not_defined == NULL || not_defined[0] == '\0') {
msg[ESP_SMS_ENA_POS] = 'X'; msg[ESP_SMS_ENA_POS] = 'X';
msg[ESP_SMS_ENA_POS+1] = 0; /* end of line to eliminate space pad */
} }
else { else {
msg[ESP_SMS_DIS_POS] = 'X'; msg[ESP_SMS_DIS_POS] = 'X';
msg[ESP_SMS_DIS_POS+1] = 0; /* end of line to eliminate space pad */
} }
/* do we need a header? */ /* do we need a header? */
@@ -415,35 +424,78 @@ static int esp_ShowMacroStatus(char* s, char* not_defined)
} }
/* Show some interesting settings */ /* Show some interesting settings */
int esp_ShowHardwareAcclerationSettings(void) int ShowExtendedSystemInfo_config(void)
{ {
esp_ShowMacroStatus_need_header = 1; esp_ShowMacroStatus_need_header = 1;
esp_ShowMacroStatus("HW_MATH_ENABLED", STR_IFNDEF(HW_MATH_ENABLED));
esp_ShowMacroStatus("RSA_LOW_MEM", STR_IFNDEF(RSA_LOW_MEM));
esp_ShowMacroStatus("WOLFSSL_SHA224", STR_IFNDEF(WOLFSSL_SHA224));
esp_ShowMacroStatus("WOLFSSL_SHA384", STR_IFNDEF(WOLFSSL_SHA384));
esp_ShowMacroStatus("WOLFSSL_SHA512", STR_IFNDEF(WOLFSSL_SHA512));
esp_ShowMacroStatus("WOLFSSL_SHA3", STR_IFNDEF(WOLFSSL_SHA3));
esp_ShowMacroStatus("HAVE_ED25519", STR_IFNDEF(HAVE_ED25519));
esp_ShowMacroStatus("USE_FAST_MATH", STR_IFNDEF(USE_FAST_MATH));
esp_ShowMacroStatus("WOLFSSL_SP_MATH_ALL", STR_IFNDEF(WOLFSSL_SP_MATH_ALL));
esp_ShowMacroStatus("WOLFSSL_SP_RISCV32", STR_IFNDEF(WOLFSSL_SP_RISCV32));
esp_ShowMacroStatus("SP_MATH", STR_IFNDEF(SP_MATH));
esp_ShowMacroStatus("WOLFSSL_HW_METRICS", STR_IFNDEF(WOLFSSL_HW_METRICS));
#ifdef USE_FAST_MATH show_macro("NO_ESPIDF_DEFAULT", STR_IFNDEF(NO_ESPIDF_DEFAULT));
ESP_LOGI(TAG, "USE_FAST_MATH");
#endif /* USE_FAST_MATH */
#ifdef WOLFSSL_SP_MATH_ALL show_macro("HW_MATH_ENABLED", STR_IFNDEF(HW_MATH_ENABLED));
/* Features */
show_macro("WOLFSSL_SHA224", STR_IFNDEF(WOLFSSL_SHA224));
show_macro("WOLFSSL_SHA384", STR_IFNDEF(WOLFSSL_SHA384));
show_macro("WOLFSSL_SHA512", STR_IFNDEF(WOLFSSL_SHA512));
show_macro("WOLFSSL_SHA3", STR_IFNDEF(WOLFSSL_SHA3));
show_macro("HAVE_ED25519", STR_IFNDEF(HAVE_ED25519));
show_macro("HAVE_AES_ECB", STR_IFNDEF(HAVE_AES_ECB));
show_macro("HAVE_AES_DIRECT", STR_IFNDEF(HAVE_AES_DIRECT));
/* Math Library Selection */
show_macro("USE_FAST_MATH", STR_IFNDEF(USE_FAST_MATH));
show_macro("WOLFSSL_SP_MATH_ALL", STR_IFNDEF(WOLFSSL_SP_MATH_ALL));
#ifdef WOLFSSL_SP_RISCV32 #ifdef WOLFSSL_SP_RISCV32
ESP_LOGI(TAG, "WOLFSSL_SP_MATH_ALL + WOLFSSL_SP_RISCV32"); show_macro("WOLFSSL_SP_RISCV32", STR_IFNDEF(WOLFSSL_SP_RISCV32));
#else
ESP_LOGI(TAG, "WOLFSSL_SP_MATH_ALL");
#endif #endif
#endif /* WOLFSSL_SP_MATH_ALL */ show_macro("SP_MATH", STR_IFNDEF(SP_MATH));
/* Diagnostics */
show_macro("WOLFSSL_HW_METRICS", STR_IFNDEF(WOLFSSL_HW_METRICS));
/* Optimizations */
show_macro("RSA_LOW_MEM", STR_IFNDEF(RSA_LOW_MEM));
/* Security Hardening */
show_macro("WC_NO_HARDEN", STR_IFNDEF(WC_NO_HARDEN));
show_macro("TFM_TIMING_RESISTANT", STR_IFNDEF(TFM_TIMING_RESISTANT));
show_macro("ECC_TIMING_RESISTANT", STR_IFNDEF(ECC_TIMING_RESISTANT));
/* WC_NO_CACHE_RESISTANT is only important if another process can be
* run on the device. With embedded it is less likely to be exploitable.
* Timing attacks are usually by probe. So typically turn this on: */
show_macro("WC_NO_CACHE_RESISTANT", STR_IFNDEF(WC_NO_CACHE_RESISTANT));
/* Side channel bit slicing */
show_macro("WC_AES_BITSLICED", STR_IFNDEF(WC_AES_BITSLICED));
/* Unrolling will normally improve performance,
* so make sure WOLFSSL_AES_NO_UNROLL isn't defined unless you want it. */
show_macro("WOLFSSL_AES_NO_UNROLL", STR_IFNDEF(WOLFSSL_AES_NO_UNROLL));
show_macro("TFM_TIMING_RESISTANT", STR_IFNDEF(TFM_TIMING_RESISTANT));
show_macro("ECC_TIMING_RESISTANT", STR_IFNDEF(ECC_TIMING_RESISTANT));
show_macro("WC_RSA_BLINDING", STR_IFNDEF(WC_RSA_BLINDING));
show_macro("NO_WRITEV", STR_IFNDEF(NO_WRITEV));
/* Environment */
show_macro("FREERTOS", STR_IFNDEF(FREERTOS));
show_macro("NO_WOLFSSL_DIR", STR_IFNDEF(NO_WOLFSSL_DIR));
show_macro("WOLFSSL_NO_CURRDIR", STR_IFNDEF(WOLFSSL_NO_CURRDIR));
show_macro("WOLFSSL_LWIP", STR_IFNDEF(WOLFSSL_LWIP));
ESP_LOGI(TAG, ""); ESP_LOGI(TAG, "");
#if defined(CONFIG_COMPILER_OPTIMIZATION_DEFAULT)
ESP_LOGI(TAG, "Compiler Optimization: Default");
#elif defined(CONFIG_COMPILER_OPTIMIZATION_SIZE)
ESP_LOGI(TAG, "Compiler Optimization: Size");
#elif defined(CONFIG_COMPILER_OPTIMIZATION_PERF)
ESP_LOGI(TAG, "Compiler Optimization: Performance");
#elif defined(CONFIG_COMPILER_OPTIMIZATION_NONE)
ESP_LOGI(TAG, "Compiler Optimization: None");
#else
ESP_LOGI(TAG, "Compiler Optimization: Unknown");
#endif
ESP_LOGI(TAG, "");
return ESP_OK; return ESP_OK;
} }
/* /*
@@ -536,7 +588,7 @@ int ShowExtendedSystemInfo(void)
ESP_LOGW(TAG, "Warning: ESP_RSA_MULM_BITS not defined for ESP32"); ESP_LOGW(TAG, "Warning: ESP_RSA_MULM_BITS not defined for ESP32");
#endif #endif
#elif defined(CONFIG_IDF_TARGET_ESP32C2) #elif defined(CONFIG_IDF_TARGET_ESP32C2) || defined(CONFIG_IDF_TARGET_ESP8684)
ESP_LOGI(TAG, "CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ = %u MHz", ESP_LOGI(TAG, "CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ = %u MHz",
CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ
); );
@@ -578,7 +630,7 @@ int ShowExtendedSystemInfo(void)
#endif #endif
ESP_LOGI(TAG, ""); ESP_LOGI(TAG, "");
esp_ShowHardwareAcclerationSettings(); ShowExtendedSystemInfo_config();
ShowExtendedSystemInfo_git(); ShowExtendedSystemInfo_git();
ShowExtendedSystemInfo_platform(); ShowExtendedSystemInfo_platform();
ShowExtendedSystemInfo_thread(); ShowExtendedSystemInfo_thread();
@@ -732,7 +784,8 @@ int esp_hw_show_metrics(void)
#if defined(WOLFSSL_ESP32_CRYPT) #if defined(WOLFSSL_ESP32_CRYPT)
esp_hw_show_sha_metrics(); esp_hw_show_sha_metrics();
#else #else
ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT"); ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT not defined, "
"HW SHA hash not enabled");
#endif #endif
#if defined(WOLFSSL_ESP32_CRYPT_RSA_PRI) #if defined(WOLFSSL_ESP32_CRYPT_RSA_PRI)

6
wolfcrypt/src/tfm.c
View File

@@ -4051,12 +4051,16 @@ int fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c)
/* zero the int */ /* zero the int */
fp_zero (a); fp_zero (a);
if (c < 0) {
return FP_VAL;
}
if (c == 0) { if (c == 0) {
return FP_OKAY; return FP_OKAY;
} }
/* if input b excess max, then truncate */ /* if input b excess max, then truncate */
if (c > 0 && (word32)c > maxC) { if ((word32)c > maxC) {
int excess = (c - maxC); int excess = (c - maxC);
c -= excess; c -= excess;
b += excess; b += excess;

9
wolfcrypt/test/test.c
View File

@@ -16930,7 +16930,7 @@ static wc_test_ret_t rsa_decode_test(RsaKey* keyPub)
goto done; goto done;
} }
ret = wc_RsaPublicKeyDecodeRaw(n, (word32)-1, e, sizeof(e), keyPub); ret = wc_RsaPublicKeyDecodeRaw(n, (word32)-1, e, sizeof(e), keyPub);
#if !defined(WOLFSSL_SP_MATH) & !defined(WOLFSSL_SP_MATH_ALL) #if defined(USE_INTEGER_HEAP_MATH)
if (ret != 0) if (ret != 0)
#else #else
if (ret != ASN_GETINT_E) if (ret != ASN_GETINT_E)
@@ -16944,11 +16944,12 @@ static wc_test_ret_t rsa_decode_test(RsaKey* keyPub)
if (ret != 0) if (ret != 0)
return WC_TEST_RET_ENC_EC(ret); return WC_TEST_RET_ENC_EC(ret);
ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, (word32)-1, keyPub); ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, (word32)-1, keyPub);
#if !defined(WOLFSSL_SP_MATH) & !defined(WOLFSSL_SP_MATH_ALL) #if defined(USE_INTEGER_HEAP_MATH)
if (ret != 0) { if (ret != 0)
#else #else
if (ret != ASN_GETINT_E) { if (ret != ASN_GETINT_E)
#endif #endif
{
ret = WC_TEST_RET_ENC_EC(ret); ret = WC_TEST_RET_ENC_EC(ret);
goto done; goto done;
} }

21
wolfssl/internal.h
View File

@@ -2352,7 +2352,8 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex(byte* hashSigAlgo, int haveECDSAsig,
int haveRSAsig, int haveFalconSig, int haveRSAsig, int haveFalconSig,
int haveDilithiumSig, int haveAnon, int haveDilithiumSig, int haveAnon,
int tls1_2, int keySz, word16* len); int tls1_2, int keySz, word16* len);
WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have, /* use wolfSSL_API visibility to be able to test in tests/api.c */
WOLFSSL_API void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have,
int tls1_2, int keySz, int tls1_2, int keySz,
word16* len); word16* len);
WOLFSSL_LOCAL int AllocateCtxSuites(WOLFSSL_CTX* ctx); WOLFSSL_LOCAL int AllocateCtxSuites(WOLFSSL_CTX* ctx);
@@ -5389,6 +5390,9 @@ struct WOLFSSL {
* re-using the context's object. When WOLFSSL * re-using the context's object. When WOLFSSL
* object needs separate instance of suites use * object needs separate instance of suites use
* AllocateSuites(). */ * AllocateSuites(). */
#ifdef OPENSSL_EXTRA
const Suites* clSuites;
#endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
WOLF_STACK_OF(WOLFSSL_CIPHER)* suitesStack; /* stack of available cipher WOLF_STACK_OF(WOLFSSL_CIPHER)* suitesStack; /* stack of available cipher
* suites */ * suites */
@@ -6011,6 +6015,16 @@ enum ProvisionSide {
PROVISION_CLIENT_SERVER = 3 PROVISION_CLIENT_SERVER = 3
}; };
/* cipher requirements */
enum {
REQUIRES_RSA,
REQUIRES_DHE,
REQUIRES_ECC,
REQUIRES_ECC_STATIC,
REQUIRES_PSK,
REQUIRES_RSA_SIG,
REQUIRES_AEAD
};
static const byte kTlsClientStr[SIZEOF_SENDER+1] = { 0x43, 0x4C, 0x4E, 0x54, 0x00 }; /* CLNT */ static const byte kTlsClientStr[SIZEOF_SENDER+1] = { 0x43, 0x4C, 0x4E, 0x54, 0x00 }; /* CLNT */
static const byte kTlsServerStr[SIZEOF_SENDER+1] = { 0x53, 0x52, 0x56, 0x52, 0x00 }; /* SRVR */ static const byte kTlsServerStr[SIZEOF_SENDER+1] = { 0x53, 0x52, 0x56, 0x52, 0x00 }; /* SRVR */
@@ -6102,6 +6116,7 @@ WOLFSSL_LOCAL void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree);
WOLFSSL_LOCAL void ShrinkOutputBuffer(WOLFSSL* ssl); WOLFSSL_LOCAL void ShrinkOutputBuffer(WOLFSSL* ssl);
WOLFSSL_LOCAL byte* GetOutputBuffer(WOLFSSL* ssl); WOLFSSL_LOCAL byte* GetOutputBuffer(WOLFSSL* ssl);
WOLFSSL_LOCAL int CipherRequires(byte first, byte second, int requirement);
WOLFSSL_LOCAL int VerifyClientSuite(word16 havePSK, byte cipherSuite0, WOLFSSL_LOCAL int VerifyClientSuite(word16 havePSK, byte cipherSuite0,
byte cipherSuite); byte cipherSuite);
@@ -6311,6 +6326,10 @@ WOLFSSL_LOCAL word32 LowResTimer(void);
WOLFSSL_LOCAL int FindSuiteSSL(const WOLFSSL* ssl, byte* suite); WOLFSSL_LOCAL int FindSuiteSSL(const WOLFSSL* ssl, byte* suite);
WOLFSSL_LOCAL void DecodeSigAlg(const byte* input, byte* hashAlgo,
byte* hsType);
WOLFSSL_LOCAL enum wc_HashType HashAlgoToType(int hashAlgo);
#ifndef NO_CERTS #ifndef NO_CERTS
WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag, WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag,
void* heap); void* heap);

13
wolfssl/ssl.h
View File

@@ -2121,6 +2121,19 @@ WOLFSSL_API void wolfSSL_CTX_set_client_cert_cb(WOLFSSL_CTX *ctx, client_cert_cb
typedef int (*CertSetupCallback)(WOLFSSL* ssl, void*); typedef int (*CertSetupCallback)(WOLFSSL* ssl, void*);
WOLFSSL_API void wolfSSL_CTX_set_cert_cb(WOLFSSL_CTX* ctx, WOLFSSL_API void wolfSSL_CTX_set_cert_cb(WOLFSSL_CTX* ctx,
CertSetupCallback cb, void *arg); CertSetupCallback cb, void *arg);
WOLFSSL_API int wolfSSL_get_client_suites_sigalgs(const WOLFSSL* ssl,
const byte** suites, word16* suiteSz,
const byte** hashSigAlgo, word16* hashSigAlgoSz);
typedef struct WOLFSSL_CIPHERSUITE_INFO {
byte rsaAuth:1;
byte eccAuth:1;
byte eccStatic:1;
byte psk:1;
} WOLFSSL_CIPHERSUITE_INFO;
WOLFSSL_API WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first,
byte second);
WOLFSSL_API int wolfSSL_get_sigalg_info(byte first,
byte second, int* hashAlgo, int* sigAlgo);
WOLFSSL_LOCAL int CertSetupCbWrapper(WOLFSSL* ssl); WOLFSSL_LOCAL int CertSetupCbWrapper(WOLFSSL* ssl);
WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data( WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data(

87
wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h
View File

@@ -22,9 +22,17 @@
#define __ESP32_CRYPT_H__ #define __ESP32_CRYPT_H__
/* WOLFSSL_USER_SETTINGS must be defined, typically in the CMakeLists.txt:
*
* set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") */
#include <wolfssl/wolfcrypt/settings.h> /* references user_settings.h */ #include <wolfssl/wolfcrypt/settings.h> /* references user_settings.h */
#if defined(WOLFSSL_ESPIDF) /* Entire file is only for Espressif EDP-IDF */ #if defined(WOLFSSL_ESPIDF) /* Entire file is only for Espressif EDP-IDF */
#ifndef WOLFSSL_USER_SETTINGS
#error "WOLFSSL_USER_SETTINGS must be defined for Espressif targts"
#endif
#include "sdkconfig.h" /* ensure ESP-IDF settings are available everywhere */ #include "sdkconfig.h" /* ensure ESP-IDF settings are available everywhere */
/* wolfSSL */ /* wolfSSL */
@@ -72,6 +80,12 @@ enum {
** **
** Primary Settings: ** Primary Settings:
** **
** WC_NO_HARDEN
** Disables some timing resistance / side-channel attack prevention.
**
** NO_ESPIDF_DEFAULT
** When defined, disables some default definitions. See wolfcrypt/settings.h
**
** NO_ESP32_CRYPT ** NO_ESP32_CRYPT
** When defined, disables all hardware acceleration on the ESP32 ** When defined, disables all hardware acceleration on the ESP32
** **
@@ -143,11 +157,15 @@ enum {
** WOLFSSL_HW_METRICS ** WOLFSSL_HW_METRICS
** Enables metric counters for calls to HW, success, fall back, oddities. ** Enables metric counters for calls to HW, success, fall back, oddities.
** **
** WOLFSSL_HAS_METRICS
** Indicates that we actually have metrics to show. Useful for old wolfSSL
** libraries tested with newer examples, or when all HW turned off.
**
** DEBUG_WOLFSSL ** DEBUG_WOLFSSL
** Turns on development testing. Validates HW accelerated results to software ** Turns on development testing. Validates HW accelerated results to software
** - Automatically turns on WOLFSSL_HW_METRICS ** - Automatically turns on WOLFSSL_HW_METRICS
** **
** WOLFSSL_DEBUG_MUTEX ** DEBUG_WOLFSSL_SHA_MUTEX
** Turns on diagnostic messages for SHA mutex. Note that given verbosity, ** Turns on diagnostic messages for SHA mutex. Note that given verbosity,
** there may be TLS timing issues encountered. Use with caution. ** there may be TLS timing issues encountered. Use with caution.
** **
@@ -203,10 +221,12 @@ enum {
** **
** CONFIG_IDF_TARGET_[SoC] ** CONFIG_IDF_TARGET_[SoC]
** CONFIG_IDF_TARGET_ESP32 ** CONFIG_IDF_TARGET_ESP32
** CONFIG_IDF_TARGET_ESP32S2 ** CONFIG_IDF_TARGET_ESP32C2
** CONFIG_IDF_TARGET_ESP32S3
** CONFIG_IDF_TARGET_ESP32C3 ** CONFIG_IDF_TARGET_ESP32C3
** CONFIG_IDF_TARGET_ESP32C6 ** CONFIG_IDF_TARGET_ESP32C6
** CONFIG_IDF_TARGET_ESP32S2
** CONFIG_IDF_TARGET_ESP32S3
** CONFIG_IDF_TARGET_ESP32H2
** **
]******************************************************************************* ]*******************************************************************************
** Informative settings. Not meant to be edited: ** Informative settings. Not meant to be edited:
@@ -254,6 +274,60 @@ enum {
#define ESP_PROHIBIT_SMALL_X FALSE #define ESP_PROHIBIT_SMALL_X FALSE
/***** END CONFIG_IDF_TARGET_ESP32 *****/ /***** END CONFIG_IDF_TARGET_ESP32 *****/
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684)
/* ESP8684 is essentially ESP32-C2 chip + flash embedded together in a
* single QFN 4x4 mm package. Out of released documentation, Technical
* Reference Manual as well as ESP-IDF Programming Guide is applicable
* to both ESP32-C2 and ESP8684.
*
* Note there is not currently an expected CONFIG_IDF_TARGET_ESP8684.
* The ESP8684 is detected with CONFIG_IDF_TARGET_ESP32C2.
* The macro is included for clarity, and possible future rename. */
/* #define NO_ESP32_CRYPT */
/* #define NO_WOLFSSL_ESP32_CRYPT_HASH */
#define NO_WOLFSSL_ESP32_CRYPT_AES /* No AES HW */
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /* No RSA HW*/
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL /* No RSA, so no mp_mul */
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD /* No RSA, so no mp_mulmod */
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD /* No RSA, no mp_exptmod */
#include <soc/dport_access.h>
#include <soc/hwcrypto_reg.h>
#if ESP_IDF_VERSION_MAJOR < 5
#include <soc/cpu.h>
#endif
#if defined(ESP_IDF_VERSION_MAJOR) && ESP_IDF_VERSION_MAJOR >= 5
#include <esp_private/periph_ctrl.h>
#else
#include <driver/periph_ctrl.h>
#endif
#if ESP_IDF_VERSION_MAJOR >= 4
/* #include <esp32/rom/ets_sys.h> */
#else
#include <rom/ets_sys.h>
#endif
/* If for some reason there's a desire to disable specific HW on the C2: */
/* #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA */
/* #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA there is SHA HW on C2 */
/* #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 */
/* #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 there is SHA224 HW on C2 */
/* #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA256 */
/* #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA256 there is SHA256 HW on C2 */
/* Code will fall back to SW with warning if these are removed:
* Note there is no SHA384/SHA512 HW on ESP32-C3 */
#undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384
#define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384
#undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512
#define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512
/***** END CONFIG_IDF_TARGET_ESP32C2 aka CONFIG_IDF_TARGET_ESP8684 *****/
#elif defined(CONFIG_IDF_TARGET_ESP32C3) #elif defined(CONFIG_IDF_TARGET_ESP32C3)
#include <soc/dport_access.h> #include <soc/dport_access.h>
#include <soc/hwcrypto_reg.h> #include <soc/hwcrypto_reg.h>
@@ -499,7 +573,8 @@ extern "C"
#if defined(CONFIG_IDF_TARGET_ESP32) #if defined(CONFIG_IDF_TARGET_ESP32)
#include "esp32/rom/sha.h" #include "esp32/rom/sha.h"
#define WC_ESP_SHA_TYPE enum SHA_TYPE #define WC_ESP_SHA_TYPE enum SHA_TYPE
#elif defined(CONFIG_IDF_TARGET_ESP32C2) #elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684)
#include "esp32c2/rom/sha.h" #include "esp32c2/rom/sha.h"
#define WC_ESP_SHA_TYPE SHA_TYPE #define WC_ESP_SHA_TYPE SHA_TYPE
#elif defined(CONFIG_IDF_TARGET_ESP32C3) #elif defined(CONFIG_IDF_TARGET_ESP32C3)
@@ -686,6 +761,8 @@ extern "C"
******************************************************************************* *******************************************************************************
*/ */
#ifdef WOLFSSL_HW_METRICS #ifdef WOLFSSL_HW_METRICS
#define WOLFSSL_HAS_METRICS
/* Allow sha256 code to keep track of SW fallback during active HW */ /* Allow sha256 code to keep track of SW fallback during active HW */
WOLFSSL_LOCAL int esp_sw_sha256_count_add(); WOLFSSL_LOCAL int esp_sw_sha256_count_add();
@@ -780,6 +857,6 @@ extern "C"
} }
#endif #endif
#endif /* WOLFSSL_ESPIDF */ #endif /* WOLFSSL_ESPIDF (entire contents excluded when not Espressif ESP-IDF) */
#endif /* __ESP32_CRYPT_H__ */ #endif /* __ESP32_CRYPT_H__ */

37
wolfssl/wolfcrypt/settings.h
View File

@@ -378,16 +378,19 @@
#endif #endif
#if defined(WOLFSSL_ESPIDF) #if defined(WOLFSSL_ESPIDF)
#define SIZEOF_LONG_LONG 8
#ifndef NO_ESPIDF_DEFAULT
#define FREERTOS #define FREERTOS
#define WOLFSSL_LWIP #define WOLFSSL_LWIP
#define NO_WRITEV #define NO_WRITEV
#define SIZEOF_LONG_LONG 8
#define NO_WOLFSSL_DIR #define NO_WOLFSSL_DIR
#define WOLFSSL_NO_CURRDIR #define WOLFSSL_NO_CURRDIR
#define TFM_TIMING_RESISTANT #define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT #define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING #define WC_RSA_BLINDING
#define WC_NO_CACHE_RESISTANT
#endif /* !WOLFSSL_ESPIDF_NO_DEFAULT */
#if defined(WOLFSSL_ESPWROOM32) #if defined(WOLFSSL_ESPWROOM32)
/* WOLFSSL_ESPWROOM32 is a legacy macro gate. /* WOLFSSL_ESPWROOM32 is a legacy macro gate.
@@ -396,6 +399,32 @@
#define WOLFSSL_ESP32 #define WOLFSSL_ESP32
#endif #endif
#if defined(NO_ESP32WROOM32_CRYPT)
#undef NO_ESP32WROOM32_CRYPT
#define NO_ESP32_CRYPT
#error "Please use NO_ESP32_CRYPT not NO_ESP32WROOM32_CRYPT"
#endif
#if defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
#undef NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH
#define NO_WOLFSSL_ESP32_CRYPT_HASH
#error "Please use NO_WOLFSSL_ESP32_CRYPT_HASH not NO_ESP32WROOM32_CRYPT"
#endif
#if defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
#undef NO_WOLFSSL_ESP32WROOM32_CRYPT_AES
#define NO_WOLFSSL_ESP32_CRYPT_AES
#error "Please use NO_WOLFSSL_ESP32_CRYPT_AES" \
" not " "NO_WOLFSSL_ESP32WROOM32_CRYPT_AES"
#endif
#if defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
#undef NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
#error "Please use NO_WOLFSSL_ESP32_CRYPT_RSA_PRI" \
" not " "NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI"
#endif
#if defined(WOLFSSL_ESP32) || defined(WOLFSSL_ESPWROOM32SE) #if defined(WOLFSSL_ESP32) || defined(WOLFSSL_ESPWROOM32SE)
#ifndef NO_ESP32_CRYPT #ifndef NO_ESP32_CRYPT
#define WOLFSSL_ESP32_CRYPT #define WOLFSSL_ESP32_CRYPT
@@ -407,9 +436,9 @@
#endif #endif
#if defined(WOLFSSL_SP_RISCV32) #if defined(WOLFSSL_SP_RISCV32)
#if defined(CONFIG_IDF_TARGET_ESP32C2) \ #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
|| defined(CONFIG_IDF_TARGET_ESP32C3) \ defined(CONFIG_IDF_TARGET_ESP32C3) || \
|| defined(CONFIG_IDF_TARGET_ESP32C6) defined(CONFIG_IDF_TARGET_ESP32C6)
/* ok, only the known C2, C3, C6 chips allowed */ /* ok, only the known C2, C3, C6 chips allowed */
#else #else
#error "WOLFSSL_SP_RISCV32 can only be used on RISC-V architecture" #error "WOLFSSL_SP_RISCV32 can only be used on RISC-V architecture"