From 7850d71ccb908cadb24b5712ad47b3c7986b0212 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 11 Nov 2020 22:46:02 -0600
Subject: [PATCH] add wolfSSL_get_cipher_suite_from_name(); add flags arg to GetCipherSuiteFromName(); fix GetCipherSuiteFromName() to prevent spurious substring matching; add SUITE_ALIAS() macros for use defining CipherSuiteInfo, and add CipherSuiteInfo.flags slot and associated logic, to allow alternative cipher names to be recognized; add "CCM8" cipher name variants wherever applicable, including the unit.test conf files, to recognize and test the OpenSSL variants; add tests in client_test() and server_test() to confirm correct forward and backward mapping of cipher names/aliases.
---
examples/client/client.c | 41 ++++++++++++++++
examples/server/server.c | 44 +++++++++++++++++
src/internal.c | 80 +++++++++++++++++++++++++------
src/ssl.c | 14 ++++++
src/tls.c | 4 +-
src/tls13.c | 8 +++-
tests/suites.c | 4 ++
tests/test-dtls-group.conf | 30 ++++++++++++
tests/test-dtls-reneg-client.conf | 31 ++++++++++++
tests/test-dtls-reneg-server.conf | 30 ++++++++++++
tests/test-dtls-resume.conf | 30 ++++++++++++
tests/test-dtls.conf | 26 ++++++++++
tests/test-qsh.conf | 58 ++++++++++++++++++++++
tests/test-sctp.conf | 26 ++++++++++
tests/test-sig.conf | 11 +++++
tests/test-tls13-ecc.conf | 11 +++++
tests/test-tls13.conf | 8 ++++
tests/test.conf | 58 ++++++++++++++++++++++
wolfssl/internal.h | 4 +-
wolfssl/ssl.h | 5 ++
20 files changed, 505 insertions(+), 18 deletions(-)
diff --git a/examples/client/client.c b/examples/client/client.c
index 23c8214df..dee29ac05 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -3118,6 +3118,47 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) showPeerEx(ssl, lng_index); + /* if the caller requested a particular cipher, check here that either + * a canonical name of the established cipher matches the requested + * cipher name, or the requested cipher name is marked as an alias + * that matches the established cipher. + */ + if (cipherList && (! XSTRSTR(cipherList, ":"))) { + WOLFSSL_CIPHER* established_cipher = wolfSSL_get_current_cipher(ssl); + byte requested_cipherSuite0, requested_cipherSuite; + int requested_cipherFlags; + if (established_cipher && + /* don't test for pseudo-ciphers like "ALL" and "DEFAULT". */ + (wolfSSL_get_cipher_suite_from_name(cipherList, + &requested_cipherSuite0, + &requested_cipherSuite, + &requested_cipherFlags) == 0)) { + word32 established_cipher_id = + wolfSSL_CIPHER_get_id(established_cipher); + byte established_cipherSuite0 = (established_cipher_id >> 8) & 0xff; + byte established_cipherSuite = established_cipher_id & 0xff; + const char *established_cipher_name = + wolfSSL_get_cipher_name_from_suite(established_cipherSuite0, + established_cipherSuite); + const char *established_cipher_name_iana = + wolfSSL_get_cipher_name_iana_from_suite(established_cipherSuite0, + established_cipherSuite); + + if (established_cipher_name == NULL) + err_sys("error looking up name of established cipher"); + + if (strcmp(cipherList, established_cipher_name) && + ((established_cipher_name_iana == NULL) || + strcmp(cipherList, established_cipher_name_iana))) { + if (! (requested_cipherFlags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS)) + err_sys("Unexpected mismatch between names of requested and established ciphers."); + else if ((requested_cipherSuite0 != established_cipherSuite0) || + (requested_cipherSuite != established_cipherSuite)) + err_sys("Mismatch between IDs of requested and established ciphers."); + } + } + } + #if defined(HAVE_OCSP) && !defined(NO_ASN_TIME) #ifdef HAVE_STRFTIME { 
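Review bot: The two name comparisons in the added block call `strcmp` directly, while the guard a few lines above them uses the `XSTRSTR` port macro; writing them as `XSTRCMP(cipherList, established_cipher_name)` and `XSTRCMP(cipherList, established_cipher_name_iana)` keeps the example consistent with the library's string-function abstraction on targets that remap it. The same applies to the matching block added to server_test() in examples/server/server.c. The leading comment should also say that a list containing `:` skips the check entirely, so the alias mapping is only verified for single-suite runs. client_test() starts and ends outside this hunk.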
diff --git a/examples/server/server.c b/examples/server/server.c
index 0bd6efd2c..339833fd6 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -2449,6 +2449,50 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) err_sys_ex(runWithErrors, "SSL in error state"); } + /* if the caller requested a particular cipher, check here that either + * a canonical name of the established cipher matches the requested + * cipher name, or the requested cipher name is marked as an alias + * that matches the established cipher. + */ + if (cipherList && (! XSTRSTR(cipherList, ":"))) { + WOLFSSL_CIPHER* established_cipher = wolfSSL_get_current_cipher(ssl); + byte requested_cipherSuite0, requested_cipherSuite; + int requested_cipherFlags; + if (established_cipher && + /* don't test for pseudo-ciphers like "ALL" and "DEFAULT". */ + (wolfSSL_get_cipher_suite_from_name(cipherList, + &requested_cipherSuite0, + &requested_cipherSuite, + &requested_cipherFlags) == 0)) { + word32 established_cipher_id = wolfSSL_CIPHER_get_id(established_cipher); + byte established_cipherSuite0 = (established_cipher_id >> 8) & 0xff; + byte established_cipherSuite = established_cipher_id & 0xff; + const char *established_cipher_name = + wolfSSL_get_cipher_name_from_suite(established_cipherSuite0, + established_cipherSuite); + const char *established_cipher_name_iana = + wolfSSL_get_cipher_name_iana_from_suite(established_cipherSuite0, + established_cipherSuite); + + if (established_cipher_name == NULL) + err_sys_ex(catastrophic, "error looking up name of established cipher"); + + if (strcmp(cipherList, established_cipher_name) && + ((established_cipher_name_iana == NULL) || + strcmp(cipherList, established_cipher_name_iana))) { + if (! 
(requested_cipherFlags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS)) + err_sys_ex( + catastrophic, + "Unexpected mismatch between names of requested and established ciphers."); + else if ((requested_cipherSuite0 != established_cipherSuite0) || + (requested_cipherSuite != established_cipherSuite)) + err_sys_ex( + catastrophic, + "Mismatch between IDs of requested and established ciphers."); + } + } + } + #ifdef OPENSSL_EXTRA { byte* rnd; diff --git a/src/internal.c b/src/internal.c index 414477d06..9df72e374 100644 --- a/src/internal.c +++ b/src/internal.c 
@@ -18614,19 +18614,49 @@ void SetErrorString(int error, char* str) str[WOLFSSL_MAX_ERROR_SZ-1] = 0; } -#ifndef NO_ERROR_STRINGS - #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u)} +#ifdef NO_CIPHER_SUITE_ALIASES + #ifndef NO_ERROR_STRINGS + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE} + #define SUITE_ALIAS(x,z,w,v,u) + #else + #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE} + #define SUITE_ALIAS(x,z,w,v,u) + #endif #else - #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w)} + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE} + #define SUITE_ALIAS(x,z,w,v,u) + #else + #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE} + #define SUITE_ALIAS(x,z,w,v,u) + #endif #endif -#else - #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u)} +#else /* !NO_CIPHER_SUITE_ALIASES */ + + /* note that the comma is included at the end of the SUITE_ALIAS() macro + * definitions, to allow aliases to be gated out by the above null macros + * in the NO_CIPHER_SUITE_ALIASES section. 
+ */ + + #ifndef NO_ERROR_STRINGS + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE} + #define SUITE_ALIAS(x,z,w,v,u) {(x),"",(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS}, + #else + #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE} + #define SUITE_ALIAS(x,z,w,v,u) {(x),"",(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS}, + #endif #else - #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w)} + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE} + #define SUITE_ALIAS(x,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS}, + #else + #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE} + #define SUITE_ALIAS(x,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS}, + #endif #endif -#endif +#endif /* NO_CIPHER_SUITE_ALIASES */ static const CipherSuiteInfo cipher_names[] = { @@ -18649,6 +18679,7 @@ static const CipherSuiteInfo cipher_names[] = #ifdef BUILD_TLS_AES_128_CCM_8_SHA256 SUITE_INFO("TLS13-AES128-CCM-8-SHA256","TLS_AES_128_CCM_8_SHA256",TLS13_BYTE,TLS_AES_128_CCM_8_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR), + SUITE_ALIAS("TLS13-AES128-CCM8-SHA256",TLS13_BYTE,TLS_AES_128_CCM_8_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR) #endif #ifdef BUILD_TLS_SHA256_SHA256 
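Review bot: The `SUITE_ALIAS` rows built by these macros in src/internal.c reuse the suite bytes of a canonical row and, when error strings are enabled, carry an empty `name_iana` (`""`), so every suite-to-name walk over `cipher_names` has to skip rows flagged `WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS`. This commit adds that skip to GetCipherNameInternal(), GetCipherNameIana(), the loop that fills `info->cipherName` and wolfSSL_get_ciphers_iana(); any other iterator over the table that is not part of this diff (for example one that lists names by index) would presumably now return alias names or the empty string and should be checked. A comment next to the macro would record the invariant, e.g. `/* alias rows duplicate a suite ID and have name_iana == ""; reverse lookups must skip them */`. Separately, the `SUITE_INFO` definitions are identical in both halves of the `NO_CIPHER_SUITE_ALIASES` conditional, so only `SUITE_ALIAS` needs to sit inside it.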
@@ -18759,10 +18790,12 @@ static const CipherSuiteInfo cipher_names[] = #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 SUITE_INFO("PSK-AES128-CCM-8","TLS_PSK_WITH_AES_128_CCM_8",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM_8,TLSv1_MINOR,SSLv3_MAJOR), + SUITE_ALIAS("PSK-AES128-CCM8",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM_8,TLSv1_MINOR,SSLv3_MAJOR) #endif #ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 SUITE_INFO("PSK-AES256-CCM-8","TLS_PSK_WITH_AES_256_CCM_8",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM_8,TLSv1_MINOR,SSLv3_MAJOR), + SUITE_ALIAS("PSK-AES256-CCM8",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM_8,TLSv1_MINOR,SSLv3_MAJOR) #endif #ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 @@ -18815,10 +18848,12 @@ static const CipherSuiteInfo cipher_names[] = #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 SUITE_INFO("AES128-CCM-8","TLS_RSA_WITH_AES_128_CCM_8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR), + SUITE_ALIAS("AES128-CCM8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR) #endif #ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 SUITE_INFO("AES256-CCM-8","TLS_RSA_WITH_AES_256_CCM_8",ECC_BYTE,TLS_RSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR), + SUITE_ALIAS("AES256-CCM8",ECC_BYTE,TLS_RSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR) #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM 
@@ -18827,10 +18862,12 @@ static const CipherSuiteInfo cipher_names[] = #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 SUITE_INFO("ECDHE-ECDSA-AES128-CCM-8","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR), + SUITE_ALIAS("ECDHE-ECDSA-AES128-CCM8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR) #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 SUITE_INFO("ECDHE-ECDSA-AES256-CCM-8","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR), + SUITE_ALIAS("ECDHE-ECDSA-AES256-CCM8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR) #endif #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA @@ -19126,7 +19163,11 @@ const char* GetCipherNameInternal(const byte cipherSuite0, const byte cipherSuit for (i = 0; i < GetCipherNamesSize(); i++) { if ((cipher_names[i].cipherSuite0 == cipherSuite0) && - (cipher_names[i].cipherSuite == cipherSuite)) { + (cipher_names[i].cipherSuite == cipherSuite) +#ifndef NO_CIPHER_SUITE_ALIASES + && (! (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS)) +#endif + ) { nameInternal = cipher_names[i].name; break; } @@ -19349,7 +19390,11 @@ const char* GetCipherNameIana(const byte cipherSuite0, const byte cipherSuite) for (i = 0; i < GetCipherNamesSize(); i++) { if ((cipher_names[i].cipherSuite0 == cipherSuite0) && - (cipher_names[i].cipherSuite == cipherSuite)) { + (cipher_names[i].cipherSuite == cipherSuite) +#ifndef NO_CIPHER_SUITE_ALIASES + && (! (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS)) +#endif + ) { nameIana = cipher_names[i].name_iana; break; } @@ -19381,7 +19426,7 @@ const char* wolfSSL_get_cipher_name_iana(WOLFSSL* ssl) } int GetCipherSuiteFromName(const char* name, byte* cipherSuite0, - byte* cipherSuite) + byte* cipherSuite, int* flags) { int ret = BAD_FUNC_ARG; int i; 
@@ -19396,9 +19441,11 @@ int GetCipherSuiteFromName(const char* name, byte* cipherSuite0, len = (unsigned long)XSTRLEN(name); for (i = 0; i < GetCipherNamesSize(); i++) { - if (XSTRNCMP(name, cipher_names[i].name, len) == 0) { + if ((XSTRNCMP(name, cipher_names[i].name, len) == 0) && + (cipher_names[i].name[len] == 0)) { *cipherSuite0 = cipher_names[i].cipherSuite0; *cipherSuite = cipher_names[i].cipherSuite; + *flags = cipher_names[i].flags; ret = 0; break; } @@ -19731,7 +19778,11 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) int i; int sz = GetCipherNamesSize(); - for (i = 0; i < sz; i++) + for (i = 0; i < sz; i++) { +#ifndef NO_CIPHER_SUITE_ALIASES + if (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS) + continue; +#endif if (info->ssl->options.cipherSuite == (byte)cipher_names[i].cipherSuite) { if (info->ssl->options.cipherSuite0 == ECC_BYTE) @@ -19740,6 +19791,7 @@ int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz) info->cipherName[MAX_CIPHERNAME_SZ] = '\0'; break; } + } /* error max and min are negative numbers */ if (info->ssl->error <= MIN_PARAM_ERR && info->ssl->error >= MAX_PARAM_ERR) diff --git a/src/ssl.c b/src/ssl.c index d4141c440..1bd07859b 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -904,6 +904,10 @@ int wolfSSL_get_ciphers_iana(char* buf, int len) /* Add each member to the buffer delimited by a : */ for (i = 0; i < ciphersSz; i++) { +#ifndef NO_CIPHER_SUITE_ALIASES + if (ciphers[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS) + continue; +#endif cipherNameSz = (int)XSTRLEN(ciphers[i].name_iana); if (cipherNameSz + 1 < len) { XSTRNCPY(buf, ciphers[i].name_iana, len); 
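Review bot: In the GetCipherSuiteFromName() match branch, `*flags = cipher_names[i].flags;` writes through the new out-parameter unconditionally, and the function's argument validation sits above this hunk, so it is not visible whether `flags` was added to it. The public wrapper wolfSSL_get_cipher_suite_from_name() rejects a NULL `flags`, but the internal callers reach this function directly; either extend the existing NULL check to `flags` or guard the store with `if (flags != NULL)`. The exact-match fix itself (`XSTRNCMP(...) == 0 && cipher_names[i].name[len] == 0`) deserves a one-line comment such as `/* require a full-name match, not a prefix match */`, since it is what stops a shorter requested name from selecting a longer table entry.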
@@ -20058,6 +20062,16 @@ const char* wolfSSL_get_cipher_name_iana_from_suite(const byte cipherSuite0, return GetCipherNameIana(cipherSuite0, cipherSuite); } +int wolfSSL_get_cipher_suite_from_name(const char* name, byte* cipherSuite0, + byte* cipherSuite, int *flags) { + if ((name == NULL) || + (cipherSuite0 == NULL) || + (cipherSuite == NULL) || + (flags == NULL)) + return BAD_FUNC_ARG; + return GetCipherSuiteFromName(name, cipherSuite0, cipherSuite, flags); +} + #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) /* Creates and returns a new WOLFSSL_CIPHER stack. */ diff --git a/src/tls.c b/src/tls.c index fa7c71113..cdf24a91f 100644 --- a/src/tls.c +++ b/src/tls.c @@ -10250,6 +10250,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) /* Default ciphersuite. */ byte cipherSuite0 = TLS13_BYTE; byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER; + int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE; const char* cipherName = NULL; if (ssl->options.client_psk_tls13_cb != NULL) { @@ -10258,7 +10259,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) ssl->arrays->client_identity, MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN, &cipherName); if (GetCipherSuiteFromName(cipherName, &cipherSuite0, - &cipherSuite) != 0) { + &cipherSuite, &cipherSuiteFlags) != 0) { return PSK_KEY_ERROR; } } @@ -10275,6 +10276,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) /* TODO: Callback should be able to change ciphersuite. */ ssl->options.cipherSuite0 = cipherSuite0; ssl->options.cipherSuite = cipherSuite; + (void)cipherSuiteFlags; ret = SetCipherSpecs(ssl); if (ret != 0) return ret; diff --git a/src/tls13.c b/src/tls13.c index eb996a65f..895fcca0c 100644 --- a/src/tls13.c +++ b/src/tls13.c 
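Review bot: wolfSSL_get_cipher_suite_from_name() is a new WOLFSSL_API entry point but is added to src/ssl.c without a header comment. A short comment should state that `name` is a single suite name matched against the internal name column of the table (the lookup shown in src/internal.c does not compare IANA names), that on success the function returns 0 and fills `cipherSuite0`, `cipherSuite` and `flags`, with `WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS` set when the name is an alias, and that it returns `BAD_FUNC_ARG` for a NULL argument. From the visible parts of GetCipherSuiteFromName() an unknown name appears to return `BAD_FUNC_ARG` as well without writing the outputs, which is worth documenting so callers do not read them after a failure.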
@@ -2492,6 +2492,7 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk) #ifndef WOLFSSL_PSK_ONE_ID const char* cipherName = NULL; byte cipherSuite0 = TLS13_BYTE, cipherSuite = WOLFSSL_DEF_PSK_CIPHER; + int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE; /* Get the pre-shared key. */ if (ssl->options.client_psk_tls13_cb != NULL) { @@ -2500,7 +2501,7 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk) MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN, &cipherName); if (GetCipherSuiteFromName(cipherName, &cipherSuite0, - &cipherSuite) != 0) { + &cipherSuite, &cipherSuiteFlags) != 0) { return PSK_KEY_ERROR; } } @@ -2518,6 +2519,7 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk) psk->cipherSuite != cipherSuite) { return PSK_KEY_ERROR; } + (void)cipherSuiteFlags; #else /* PSK information loaded during setting of default TLS extensions. */ #endif @@ -3306,6 +3308,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz, const char* cipherName = NULL; byte cipherSuite0 = TLS13_BYTE; byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER; + int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE; #endif WOLFSSL_ENTER("DoPreSharedKeys"); @@ -3420,7 +3423,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz, ssl->arrays->client_identity, ssl->arrays->psk_key, MAX_PSK_KEY_LEN, &cipherName)) != 0 && GetCipherSuiteFromName(cipherName, &cipherSuite0, - &cipherSuite) == 0) || + &cipherSuite, &cipherSuiteFlags) == 0) || (ssl->options.server_psk_cb != NULL && (ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, ssl->arrays->client_identity, ssl->arrays->psk_key, @@ -3431,6 +3434,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz, /* Check whether PSK ciphersuite is in SSL. */ suite[0] = cipherSuite0; suite[1] = cipherSuite; + (void)cipherSuiteFlags; if (!FindSuiteSSL(ssl, suite)) { current = current->next; continue; 
diff --git a/tests/suites.c b/tests/suites.c index f2d797af2..2a820d3c9 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -1156,6 +1156,10 @@ int SuiteTest(int argc, char** argv) } exit: + + if (args.return_code == 0) + printf("\n Success -- All results as expected.\n"); + printf(" End Cipher Suite Tests\n"); wolfSSL_CTX_free(cipherSuiteCtx); diff --git a/tests/test-dtls-group.conf b/tests/test-dtls-group.conf index 8722f7b1e..5a9ba324f 100644 --- a/tests/test-dtls-group.conf +++ b/tests/test-dtls-group.conf @@ -1016,6 +1016,36 @@ -l ECDHE-ECDSA-AES256-CCM-8 -A ./certs/ca-ecc-cert.pem +# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-u +-f +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-u +-f +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-A ./certs/ca-ecc-cert.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-u +-f +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-u +-f +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-A ./certs/ca-ecc-cert.pem + # server DTLSv1.2 ADH-AES128-SHA -u -f diff --git a/tests/test-dtls-reneg-client.conf b/tests/test-dtls-reneg-client.conf index 60d73af5c..8292d6554 100644 --- a/tests/test-dtls-reneg-client.conf +++ b/tests/test-dtls-reneg-client.conf 
@@ -1097,6 +1097,37 @@ -l ECDHE-ECDSA-AES256-CCM-8 -A ./certs/ca-ecc-cert.pem +# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-M +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-i +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-A ./certs/ca-ecc-cert.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-M +-u +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-i +-u +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-A ./certs/ca-ecc-cert.pem + + # server DTLSv1.2 ADH-AES128-SHA -M -u diff --git a/tests/test-dtls-reneg-server.conf b/tests/test-dtls-reneg-server.conf index eba8e7917..362c2a7b6 100644 --- a/tests/test-dtls-reneg-server.conf +++ b/tests/test-dtls-reneg-server.conf @@ -1016,6 +1016,36 @@ -l ECDHE-ECDSA-AES256-CCM-8 -A ./certs/ca-ecc-cert.pem +# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-m +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-R +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-A ./certs/ca-ecc-cert.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-m +-u +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-R +-u +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-A ./certs/ca-ecc-cert.pem + # server DTLSv1.2 ADH-AES128-SHA -m -u diff --git a/tests/test-dtls-resume.conf b/tests/test-dtls-resume.conf index af4b3c003..c9e9647a8 100644 --- a/tests/test-dtls-resume.conf +++ b/tests/test-dtls-resume.conf 
@@ -1016,6 +1016,36 @@ -l ECDHE-ECDSA-AES256-CCM-8 -A ./certs/ca-ecc-cert.pem +# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-u +-r +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-u +-r +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-A ./certs/ca-ecc-cert.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-u +-r +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-u +-r +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-A ./certs/ca-ecc-cert.pem + # server DTLSv1.2 ADH-AES128-SHA -u -r diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf index ddf658c54..f555e88a5 100644 --- a/tests/test-dtls.conf +++ b/tests/test-dtls.conf @@ -868,6 +868,32 @@ -l ECDHE-ECDSA-AES256-CCM-8 -A ./certs/ca-ecc-cert.pem +# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-A ./certs/ca-ecc-cert.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-u +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-u +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-A ./certs/ca-ecc-cert.pem + # server DTLSv1.2 ADH-AES128-SHA -u -a diff --git a/tests/test-qsh.conf b/tests/test-qsh.conf index 61f8ea031..5093e1786 100644 --- a/tests/test-qsh.conf +++ b/tests/test-qsh.conf 
@@ -1473,6 +1473,22 @@ -v 3 -l QSH:AES256-CCM-8 +# server TLSv1.2 AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l QSH:AES128-CCM8 + +# client TLSv1.2 AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l QSH:AES128-CCM8 + +# server TLSv1.2 AES256-CCM8 (OpenSSL-compat alias) +-v 3 +-l QSH:AES256-CCM8 + +# client TLSv1.2 AES256-CCM8 (OpenSSL-compat alias) +-v 3 +-l QSH:AES256-CCM8 + # server TLSv1.2 ECDHE-ECDSA-AES128-CCM -v 3 -l QSH:ECDHE-ECDSA-AES128-CCM @@ -1506,6 +1522,28 @@ -l QSH:ECDHE-ECDSA-AES256-CCM-8 -A ./certs/ca-ecc-cert.pem +# server TLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l QSH:ECDHE-ECDSA-AES128-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l QSH:ECDHE-ECDSA-AES128-CCM8 +-A ./certs/ca-ecc-cert.pem + +# server TLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-v 3 +-l QSH:ECDHE-ECDSA-AES256-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-v 3 +-l QSH:ECDHE-ECDSA-AES256-CCM8 +-A ./certs/ca-ecc-cert.pem + # server TLSv1.2 PSK-AES128-CCM -s -v 3 @@ -1546,6 +1584,26 @@ -v 3 -l QSH:PSK-AES256-CCM-8 +# server TLSv1.2 PSK-AES128-CCM8 (OpenSSL-compat alias) +-s +-v 3 +-l QSH:PSK-AES128-CCM8 + +# client TLSv1.2 PSK-AES128-CCM8 (OpenSSL-compat alias) +-s +-v 3 +-l QSH:PSK-AES128-CCM8 + +# server TLSv1.2 PSK-AES256-CCM8 (OpenSSL-compat alias) +-s +-v 3 +-l QSH:PSK-AES256-CCM8 + +# client TLSv1.2 PSK-AES256-CCM8 (OpenSSL-compat alias) +-s +-v 3 +-l QSH:PSK-AES256-CCM8 + # server TLSv1.2 DHE-PSK-AES128-CBC-SHA256 -s -v 3 diff --git a/tests/test-sctp.conf b/tests/test-sctp.conf index 5dfae30c9..d17f56e95 100644 --- a/tests/test-sctp.conf +++ b/tests/test-sctp.conf 
@@ -984,6 +984,32 @@ -l ECDHE-ECDSA-AES256-CCM-8 -A ./certs/ca-ecc-cert.pem +# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-G +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-G +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-A ./certs/ca-ecc-cert.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-G +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-G +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-A ./certs/ca-ecc-cert.pem + # server DTLSv1.2 ADH-AES128-SHA -G -a diff --git a/tests/test-sig.conf b/tests/test-sig.conf index 680eb3506..56371eea5 100644 --- a/tests/test-sig.conf +++ b/tests/test-sig.conf @@ -217,3 +217,14 @@ -v 3 -l ECDHE-ECDSA-AES128-CCM-8 -A ./certs/ca-cert.pem + +# server TLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-A ./certs/ca-cert.pem diff --git a/tests/test-tls13-ecc.conf b/tests/test-tls13-ecc.conf index ee14f5406..160df27bd 100644 --- a/tests/test-tls13-ecc.conf +++ b/tests/test-tls13-ecc.conf @@ -53,6 +53,17 @@ -l TLS13-AES128-CCM-8-SHA256 -A ./certs/ca-ecc-cert.pem +# server TLSv1.3 TLS13-AES128-CCM8-SHA256 (OpenSSL-compat alias) +-v 4 +-l TLS13-AES128-CCM8-SHA256 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.3 TLS13-AES128-CCM8-SHA256 (OpenSSL-compat alias) +-v 4 +-l TLS13-AES128-CCM8-SHA256 +-A ./certs/ca-ecc-cert.pem + # server TLSv1.3 TLS13-AES128-GCM-SHA256 -v 4 -l TLS13-AES128-GCM-SHA256 diff --git a/tests/test-tls13.conf b/tests/test-tls13.conf index f946cdcf4..f00316ada 100644 --- a/tests/test-tls13.conf +++ b/tests/test-tls13.conf 
@@ -38,6 +38,14 @@ -v 4 -l TLS13-AES128-CCM-8-SHA256 +# server TLSv1.3 TLS13-AES128-CCM8-SHA256 (OpenSSL-compat alias) +-v 4 +-l TLS13-AES128-CCM8-SHA256 + +# client TLSv1.3 TLS13-AES128-CCM8-SHA256 (OpenSSL-compat alias) +-v 4 +-l TLS13-AES128-CCM8-SHA256 + # server TLSv1.3 resumption -v 4 -l TLS13-AES128-GCM-SHA256 diff --git a/tests/test.conf b/tests/test.conf index 83c228bc3..dc98e037e 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -1513,6 +1513,22 @@ -v 3 -l AES256-CCM-8 +# server TLSv1.2 AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l AES128-CCM8 + +# client TLSv1.2 AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l AES128-CCM8 + +# server TLSv1.2 AES256-CCM8 (OpenSSL-compat alias) +-v 3 +-l AES256-CCM8 + +# client TLSv1.2 AES256-CCM8 (OpenSSL-compat alias) +-v 3 +-l AES256-CCM8 + # server TLSv1.2 ECDHE-ECDSA-AES128-CCM -v 3 -l ECDHE-ECDSA-AES128-CCM @@ -1546,6 +1562,28 @@ -l ECDHE-ECDSA-AES256-CCM-8 -A ./certs/ca-ecc-cert.pem +# server TLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) +-v 3 +-l ECDHE-ECDSA-AES128-CCM8 +-A ./certs/ca-ecc-cert.pem + +# server TLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) +-v 3 +-l ECDHE-ECDSA-AES256-CCM8 +-A ./certs/ca-ecc-cert.pem + # server TLSv1.2 PSK-AES128-CCM -s -v 3 
@@ -1586,6 +1624,26 @@ -v 3 -l PSK-AES256-CCM-8 +# server TLSv1.2 PSK-AES128-CCM8 (OpenSSL-compat alias) +-s +-v 3 +-l PSK-AES128-CCM8 + +# client TLSv1.2 PSK-AES128-CCM8 (OpenSSL-compat alias) +-s +-v 3 +-l PSK-AES128-CCM8 + +# server TLSv1.2 PSK-AES256-CCM8 (OpenSSL-compat alias) +-s +-v 3 +-l PSK-AES256-CCM8 + +# client TLSv1.2 PSK-AES256-CCM8 (OpenSSL-compat alias) +-s +-v 3 +-l PSK-AES256-CCM8 + # server TLSv1.2 DHE-PSK-AES128-CBC-SHA256 -s -v 3 diff --git a/wolfssl/internal.h b/wolfssl/internal.h index e0df1438b..29b3c4cb3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4606,6 +4606,7 @@ typedef struct CipherSuiteInfo { byte minor; byte major; #endif + byte flags; } CipherSuiteInfo; WOLFSSL_LOCAL const CipherSuiteInfo* GetCipherNames(void); @@ -4627,7 +4628,8 @@ WOLFSSL_LOCAL const char* GetCipherNameIana(const byte cipherSuite0, const byte WOLFSSL_LOCAL const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl); WOLFSSL_LOCAL const char* wolfSSL_get_cipher_name_iana(WOLFSSL* ssl); WOLFSSL_LOCAL int GetCipherSuiteFromName(const char* name, byte* cipherSuite0, - byte* cipherSuite); + byte* cipherSuite, int* flags); + enum encrypt_side { ENCRYPT_SIDE_ONLY = 1, diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 1e9d9512e..b2e8a9836 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -795,6 +795,9 @@ WOLFSSL_API long wolfSSL_CTX_get_verify_depth(WOLFSSL_CTX* ctx); WOLFSSL_API void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth); #endif /* !NO_CERTS */ +#define WOLFSSL_CIPHER_SUITE_FLAG_NONE 0x0 +#define WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS 0x1 + #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) WOLFSSL_API int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX*, const char*, 
@@ -854,6 +857,8 @@ WOLFSSL_API const char* wolfSSL_get_cipher_name_from_suite(const unsigned char, const unsigned char); WOLFSSL_API const char* wolfSSL_get_cipher_name_iana_from_suite( const unsigned char, const unsigned char); +WOLFSSL_API int wolfSSL_get_cipher_suite_from_name(const char* name, + byte* cipherSuite0, byte* cipherSuite, int* flags); WOLFSSL_API const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf, int len); WOLFSSL_API const char* wolfSSL_get_curve_name(WOLFSSL* ssl);
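Review bot: The new prototype in this public header spells its out-parameters as `byte*`, while the neighbouring suite-name declarations use `const unsigned char`; `unsigned char* cipherSuite0, unsigned char* cipherSuite` would match them and would not depend on the wolfCrypt `byte` typedef being visible to applications. A brief comment on the declaration, or on the `WOLFSSL_CIPHER_SUITE_FLAG_*` defines added earlier in this file, should say that `flags` receives a bit mask of those values.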