diff --git a/configure.ac b/configure.ac index bc15219aa..cb3cbaed3 100644 --- a/configure.ac +++ b/configure.ac @@ -85,7 +85,7 @@ AC_CHECK_TYPES(__uint128_t) AC_C_BIGENDIAN # mktime check takes forever on some systems, if time supported it would be # highly unusual for mktime to be missing -#AC_FUNC_MKTIME +#AC_FUNC_MKTIME AC_PROG_CC AC_PROG_CC_C_O @@ -199,7 +199,7 @@ fi AM_CONDITIONAL([BUILD_IPV6], [test "x$ENABLED_IPV6" = "xyes"]) -# Fortress build +# Fortress build AC_ARG_ENABLE([fortress], [ --enable-fortress Enable SSL fortress build (default: disabled)], [ ENABLED_FORTRESS=$enableval ], @@ -217,7 +217,7 @@ then fi -# ssl bump build +# ssl bump build AC_ARG_ENABLE([bump], [ --enable-bump Enable SSL Bump build (default: disabled)], [ ENABLED_BUMP=$enableval ], @@ -231,7 +231,7 @@ fi ENABLED_SLOWMATH="yes" -# lean psk build +# lean psk build AC_ARG_ENABLE([leanpsk], [ --enable-leanpsk Enable Lean PSK build (default: disabled)], [ ENABLED_LEANPSK=$enableval ], @@ -287,7 +287,7 @@ then fi -# Persistent session cache +# Persistent session cache AC_ARG_ENABLE([savesession], [ --enable-savesession Enable persistent session cache (default: disabled)], [ ENABLED_SAVESESSION=$enableval ], @@ -300,7 +300,7 @@ then fi -# Persistent cert cache +# Persistent cert cache AC_ARG_ENABLE([savecert], [ --enable-savecert Enable persistent cert cache (default: disabled)], [ ENABLED_SAVECERT=$enableval ], @@ -313,7 +313,7 @@ then fi -# Atomic User Record Layer +# Atomic User Record Layer AC_ARG_ENABLE([atomicuser], [ --enable-atomicuser Enable Atomic User Record Layer (default: disabled)], [ ENABLED_ATOMICUSER=$enableval ], @@ -326,7 +326,7 @@ then fi -# Public Key Callbacks +# Public Key Callbacks AC_ARG_ENABLE([pkcallbacks], [ --enable-pkcallbacks Enable Public Key Callbacks (default: disabled)], [ ENABLED_PKCALLBACKS=$enableval ], @@ -491,7 +491,7 @@ fi AM_CONDITIONAL([BUILD_MD2], [test "x$ENABLED_MD2" = "xyes"]) -# NULL CIPHER +# NULL CIPHER AC_ARG_ENABLE([nullcipher], [ --enable-nullcipher Enable wolfSSL NULL cipher support (default: disabled)], [ ENABLED_NULL_CIPHER=$enableval ], @@ -650,7 +650,7 @@ then fi -# HKDF +# HKDF AC_ARG_ENABLE([hkdf], [ --enable-hkdf Enable HKDF (HMAC-KDF) support (default: disabled)], [ ENABLED_HKDF=$enableval ], @@ -792,7 +792,7 @@ if test "$ENABLED_FPECC" = "yes" then if test "$ENABLED_ECC" = "no" then - AC_MSG_ERROR([cannot enable fpecc without enabling ecc.]) + AC_MSG_ERROR([cannot enable fpecc without enabling ecc.]) fi AM_CFLAGS="$AM_CFLAGS -DFP_ECC" fi @@ -809,17 +809,17 @@ if test "$ENABLED_ECC_ENCRYPT" = "yes" then if test "$ENABLED_ECC" = "no" then - AC_MSG_ERROR([cannot enable eccencrypt without enabling ecc.]) + AC_MSG_ERROR([cannot enable eccencrypt without enabling ecc.]) fi if test "$ENABLED_HKDF" = "no" then - AC_MSG_ERROR([cannot enable eccencrypt without enabling hkdf.]) + AC_MSG_ERROR([cannot enable eccencrypt without enabling hkdf.]) fi AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_ENCRYPT" fi -# PSK +# PSK AC_ARG_ENABLE([psk], [ --enable-psk Enable PSK (default: disabled)], [ ENABLED_PSK=$enableval ], @@ -857,7 +857,7 @@ else fi -# OLD TLS +# OLD TLS AC_ARG_ENABLE([oldtls], [ --enable-oldtls Enable old TLS versions < 1.2 (default: enabled)], [ ENABLED_OLD_TLS=$enableval ], @@ -877,7 +877,7 @@ else fi -# STACK SIZE info for examples +# STACK SIZE info for examples AC_ARG_ENABLE([stacksize], [ --enable-stacksize Enable stack size info on examples (default: disabled)], [ ENABLED_STACKSIZE=$enableval ], @@ -892,7 +892,7 @@ then fi -# MEMORY +# MEMORY AC_ARG_ENABLE([memory], [ --enable-memory Enable memory callbacks (default: enabled)], [ ENABLED_MEMORY=$enableval ], @@ -914,7 +914,7 @@ fi AM_CONDITIONAL([BUILD_MEMORY], [test "x$ENABLED_MEMORY" = "xyes"]) -# RSA +# RSA AC_ARG_ENABLE([rsa], [ --enable-rsa Enable RSA (default: enabled)], [ ENABLED_RSA=$enableval ], @@ -1119,7 +1119,7 @@ fi AM_CONDITIONAL([BUILD_DES3], [test "x$ENABLED_DES3" = "xyes"]) -# ARC4 +# ARC4 AC_ARG_ENABLE([arc4], [ --enable-arc4 Enable ARC4 (default: disabled)], [ ENABLED_ARC4=$enableval ], @@ -1146,7 +1146,7 @@ fi AM_CONDITIONAL([BUILD_RC4], [test "x$ENABLED_ARC4" = "xyes"]) -# MD5 +# MD5 AC_ARG_ENABLE([md5], [ --enable-md5 Enable MD5 (default: enabled)], [ ENABLED_MD5=$enableval ], @@ -1168,7 +1168,7 @@ fi AM_CONDITIONAL([BUILD_MD5], [test "x$ENABLED_MD5" = "xyes"]) -# SHA +# SHA AC_ARG_ENABLE([sha], [ --enable-sha Enable SHA (default: enabled)], [ ENABLED_SHA=$enableval ], @@ -1190,7 +1190,7 @@ fi AM_CONDITIONAL([BUILD_SHA], [test "x$ENABLED_SHA" = "xyes"]) -# Web Server Build +# Web Server Build AC_ARG_ENABLE([webserver], [ --enable-webserver Enable Web Server (default: disabled)], [ ENABLED_WEBSERVER=$enableval ], @@ -1204,7 +1204,7 @@ fi -# HC128 +# HC128 AC_ARG_ENABLE([hc128], [ --enable-hc128 Enable HC-128 (default: disabled)], [ ENABLED_HC128=$enableval ], @@ -1350,7 +1350,7 @@ else fi -# Filesystem Build +# Filesystem Build AC_ARG_ENABLE([filesystem], [ --enable-filesystem Enable Filesystem support (default: enabled)], [ ENABLED_FILESYSTEM=$enableval ], @@ -1370,7 +1370,7 @@ else fi -# inline Build +# inline Build AC_ARG_ENABLE([inline], [ --enable-inline Enable inline functions (default: enabled)], [ ENABLED_INLINE=$enableval ], @@ -1492,7 +1492,7 @@ AM_CONDITIONAL([BUILD_NTRU], [test "x$ENABLED_NTRU" = "xyes"]) if test "$ENABLED_NTRU" = "yes" && test "$ENABLED_SMALL" = "yes" then - AC_MSG_ERROR([cannot enable ntru and small, ntru requires TLS which small turns off.]) + AC_MSG_ERROR([cannot enable ntru and small, ntru requires TLS which small turns off.]) fi # SNI @@ -1648,6 +1648,22 @@ then fi +# Secure Remote Password +AC_ARG_ENABLE([srp], + [ --enable-srp Enable Secure Remote Password (default: disabled)], + [ ENABLED_SRP=$enableval ], + [ ENABLED_SRP=no ] + ) + +if test "x$ENABLED_SRP" = "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_HAVE_SRP" +fi + +AM_CONDITIONAL([BUILD_SRP], [test "x$ENABLED_SRP" = "xyes"]) + + + # Small Stack AC_ARG_ENABLE([smallstack], [ --enable-smallstack Enable Small Stack Usage (default: disabled)], @@ -1684,7 +1700,7 @@ fi AM_CONDITIONAL([USE_VALGRIND], [test "x$ENABLED_VALGRIND" = "xyes"]) -# Test certs, use internal cert functions for extra testing +# Test certs, use internal cert functions for extra testing AC_ARG_ENABLE([testcert], [ --enable-testcert Enable Test Cert (default: disabled)], [ ENABLED_TESTCERT=$enableval ], @@ -1715,7 +1731,7 @@ then fi -# Certificate Service Support +# Certificate Service Support AC_ARG_ENABLE([certservice], [ --enable-certservice Enable cert service (default: disabled)], [ ENABLED_CERT_SERVICE=$enableval ], @@ -1957,7 +1973,7 @@ AC_ARG_WITH([libz], AM_CONDITIONAL([BUILD_LIBZ], [test "x$ENABLED_LIBZ" = "xyes"]) -# cavium +# cavium trycaviumdir="" AC_ARG_WITH([cavium], [ --with-cavium=PATH PATH to cavium/software dir ], @@ -2183,7 +2199,7 @@ touch ctaocrypt/src/fips.c touch ctaocrypt/src/fips_test.c echo -# generate user options header +# generate user options header echo "---" echo "Generating user options header..." @@ -2193,7 +2209,7 @@ OPTION_FILE="wolfssl/options.h" #fi rm -f $OPTION_FILE -echo "/* wolfssl options.h" > $OPTION_FILE +echo "/* wolfssl options.h" > $OPTION_FILE echo " * generated from configure options" >> $OPTION_FILE echo " *" >> $OPTION_FILE echo " * Copyright (C) 2006-2015 wolfSSL Inc." >> $OPTION_FILE @@ -2202,13 +2218,13 @@ echo " * This file is part of wolfSSL. (formerly known as CyaSSL)" >> $OPTION_FI echo " *" >> $OPTION_FILE echo " */" >> $OPTION_FILE -echo "" >> $OPTION_FILE -echo "#pragma once" >> $OPTION_FILE -echo "" >> $OPTION_FILE -echo "#ifdef __cplusplus" >> $OPTION_FILE -echo "extern \"C\" {" >> $OPTION_FILE -echo "#endif" >> $OPTION_FILE -echo "" >> $OPTION_FILE +echo "" >> $OPTION_FILE +echo "#pragma once" >> $OPTION_FILE +echo "" >> $OPTION_FILE +echo "#ifdef __cplusplus" >> $OPTION_FILE +echo "extern \"C\" {" >> $OPTION_FILE +echo "#endif" >> $OPTION_FILE +echo "" >> $OPTION_FILE for option in $OPTION_FLAGS; do defonly=`echo $option | sed 's/-D//'` @@ -2244,11 +2260,11 @@ for option in $OPTION_FLAGS; do fi done -echo "" >> $OPTION_FILE -echo "#ifdef __cplusplus" >> $OPTION_FILE -echo "}" >> $OPTION_FILE -echo "#endif" >> $OPTION_FILE -echo "" >> $OPTION_FILE +echo "" >> $OPTION_FILE +echo "#ifdef __cplusplus" >> $OPTION_FILE +echo "}" >> $OPTION_FILE +echo "#endif" >> $OPTION_FILE +echo "" >> $OPTION_FILE echo #backwards compatability for those who have included options or version @@ -2279,7 +2295,7 @@ echo " * Debug enabled: $ax_enable_debug" echo " * Warnings as failure: $ac_cv_warnings_as_errors" echo " * make -j: $enable_jobserver" echo " * VCS checkout: $ac_cv_vcs_checkout" -echo +echo echo " Features " echo " * Single threaded: $ENABLED_SINGLETHREADED" echo " * Filesystem: $ENABLED_FILESYSTEM" @@ -2351,10 +2367,10 @@ echo " * Session Ticket: $ENABLED_SESSION_TICKET" echo " * All TLS Extensions: $ENABLED_TLSX" echo " * PKCS#7 $ENABLED_PKCS7" echo " * wolfSCEP $ENABLED_WOLFSCEP" +echo " * Secure Remote Password $ENABLED_SRP" echo " * Small Stack: $ENABLED_SMALL_STACK" echo " * valgrind unit tests: $ENABLED_VALGRIND" echo " * LIBZ: $ENABLED_LIBZ" echo " * Examples: $ENABLED_EXAMPLES" echo "" echo "---" - diff --git a/src/include.am b/src/include.am index b4ba39ddd..6c2629bc0 100644 --- a/src/include.am +++ b/src/include.am @@ -201,6 +201,10 @@ if BUILD_PKCS7 src_libwolfssl_la_SOURCES += wolfcrypt/src/pkcs7.c endif +if BUILD_SRP +src_libwolfssl_la_SOURCES += wolfcrypt/src/srp.c +endif + # ssl files src_libwolfssl_la_SOURCES += \ src/internal.c \ @@ -220,4 +224,3 @@ endif if BUILD_SNIFFER src_libwolfssl_la_SOURCES += src/sniffer.c endif - diff --git a/wolfcrypt/src/srp.c b/wolfcrypt/src/srp.c index a0a22cf47..66a4f00cd 100644 --- a/wolfcrypt/src/srp.c +++ b/wolfcrypt/src/srp.c @@ -19,4 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ - +#ifdef WOLFCRYPT_HAVE_SRP + +#include + +#endif /* WOLFCRYPT_HAVE_SRP */ diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index 67949fc28..8387ed7df 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -46,6 +46,7 @@ nobase_include_HEADERS+= \ wolfssl/wolfcrypt/blake2-int.h \ wolfssl/wolfcrypt/blake2-impl.h \ wolfssl/wolfcrypt/tfm.h \ + wolfssl/wolfcrypt/srp.h \ wolfssl/wolfcrypt/types.h \ wolfssl/wolfcrypt/visibility.h \ wolfssl/wolfcrypt/logging.h \ @@ -57,4 +58,3 @@ noinst_HEADERS+= \ wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h \ wolfssl/wolfcrypt/port/ti/ti-hash.h \ wolfssl/wolfcrypt/port/ti/ti-ccm.h - diff --git a/wolfssl/wolfcrypt/srp.h b/wolfssl/wolfcrypt/srp.h index 23bdeb947..f6a3edc10 100644 --- a/wolfssl/wolfcrypt/srp.h +++ b/wolfssl/wolfcrypt/srp.h @@ -19,12 +19,30 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ -#ifndef WOLF_CRYPT_SRP_H -#define WOLF_CRYPT_SRP_H +#ifndef WOLFCRYPT_SRP_H +#define WOLFCRYPT_SRP_H #include +#include +#include +#include +#include -#ifdef HAVE_SRP +#ifdef WOLFCRYPT_HAVE_SRP + +enum { +#ifdef NO_SHA + SRP_SHA = 1, +#endif +#ifdef NO_SHA256 + SRP_SHA256 = 2, +#endif +#ifndef WOLFSSL_SHA384 + SRP_SHA384 = 3, +#endif +#ifndef WOLFSSL_SHA512 + SRP_SHA512 = 4, +#endif /* Select the largest available hash for the buffer size. */ #if defined(WOLFSSL_SHA512) @@ -38,41 +56,43 @@ #else #error "You have to have some kind of SHA hash if you want to use SRP." #endif +}; typedef struct { - mp_int N; /**< Modulus. N = 2q+1, [q, N] are primes. */ - mp_int g; /**< Generator. A generator modulo N. */ mp_int a; /**< Private ephemeral value. Random. */ mp_int A; /**< Public ephemeral value. pow(g, a, N) */ mp_int B; /**< Server's public ephemeral value. */ - mp_int s; /**< Session key. */ - byte k[SRP_MAX_DIGEST_SIZE]; /**< Multiplier parameeter. H(N, g) */ byte x[SRP_MAX_DIGEST_SIZE]; /**< Priv key. H(salt, H(user, ":", pswd)) */ - byte u[SRP_MAX_DIGEST_SIZE]; /**< Random scrambling parameeter. */ - byte type; /**< Hash type, SHA[1:256:384:512] */ - byte* user; /**< Username, login. */ - word32 userSz; /**< Username length. */ - byte* salt; /**< Small salt. */ - word32 saltSz; /**< Salt length. */ byte* pswd; /**< Password. */ word32 pswdSz; /**< Password length. */ } SrpClient; typedef struct { - mp_int N; /**< Modulus. N = 2q+1, [q, N] are primes. */ - mp_int g; /**< Generator. A generator modulo N. */ mp_int b; /**< Private ephemeral value. */ mp_int B; /**< Public ephemeral value. */ mp_int A; /**< Client's public ephemeral value. */ + mp_int v; /**< Verifier. v = pow(g, x, N) */ +} SrpServer; + +typedef struct { + mp_int N; /**< Modulus. N = 2q+1, [q, N] are primes. */ + mp_int g; /**< Generator. A generator modulo N. */ mp_int s; /**< Session key. */ byte k[SRP_MAX_DIGEST_SIZE]; /**< Multiplier parameeter. H(N, g) */ - mp_int v; /**< Verifier. v = pow(g, x, N) */ byte u[SRP_MAX_DIGEST_SIZE]; /**< Random scrambling parameeter. */ + byte type; /**< Hash type, SHA[1:256:384:512] */ + byte side; /**< Client or Server side. */ byte* user; /**< Username, login. */ word32 userSz; /**< Username length. */ byte* salt; /**< Small salt. */ word32 saltSz; /**< Salt length. */ -} SrpServer; + union { + SrpClient client; + SrpServer server; + } specific; +} Srp; -#endif /* HAVE_SRP */ +int SrpInit(Srp* srp, byte* N, word32 nSz, byte* g, word32 gSz); + +#endif /* WOLFCRYPT_HAVE_SRP */ #endif /* WOLF_CRYPT_SRP_H */