Merge pull request #717 from wolfSSL/auto_ecc_sup_curves

Added code to automatically populate supported ECC curve information
toddouska
2017-01-23 13:57:56 -08:00
committed by GitHub
5 changed files with 168 additions and 75 deletions


@ -1340,6 +1340,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_KeepArrays(ssl);
#endif
#if 0 /* all enabled and supported ECC curves will be added automatically */
#ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1)
!= SSL_SUCCESS) {
@ -1378,6 +1379,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to set curve secp160r1");
}
#endif
#endif
#ifdef HAVE_SESSION_TICKET
wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
@ -1732,6 +1734,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_set_SessionTicket_cb(sslResume, sessionTicketCB,
(void*)"resumed session");
#endif
#if 0 /* all enabled and supported ECC curves will be added automatically */
#ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */
if (wolfSSL_UseSupportedCurve(sslResume, WOLFSSL_ECC_SECP256R1)
!= SSL_SUCCESS) {
@ -1770,6 +1773,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to set curve secp160r1");
}
#endif
#endif
#ifndef WOLFSSL_CALLBACKS
if (nonBlocking) {
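Review bot: The `#if 0` wrappers at both sites (the `ssl` block and the `sslResume` block) leave the example's wolfSSL_UseSupportedCurve() calls in the file as code that is never compiled, so it can go stale unnoticed. Either delete the blocks or keep them behind a named opt-in build macro, so the user-selected-curve path can still be built and exercised; with them compiled out, this example apparently only covers the automatic list. If they stay, a comment such as `/* optional: restrict the ClientHello to specific curves; calling this disables the automatic list */` tells readers who copy the example what the call changes. client_test's body starts and ends outside these hunks.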


@ -3488,6 +3488,9 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
#ifdef HAVE_ALPN
ssl->alpn_client_list = NULL;
#endif
#ifdef HAVE_SUPPORTED_CURVES
ssl->options.userCurves = ctx->userCurves;
#endif
#endif /* HAVE_TLS_EXTENSIONS */
/* default alert state (none) */


@ -1401,6 +1401,8 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name)
return BAD_FUNC_ARG;
}
ssl->options.userCurves = 1;
return TLSX_UseSupportedCurve(&ssl->extensions, name, ssl->heap);
}
@ -1431,6 +1433,8 @@ int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name)
return BAD_FUNC_ARG;
}
ctx->userCurves = 1;
return TLSX_UseSupportedCurve(&ctx->extensions, name, ctx->heap);
}
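Review bot: `ssl->options.userCurves = 1;` and `ctx->userCurves = 1;` are set before TLSX_UseSupportedCurve() has run, so the flag stays set even when that call fails. Going by the TLSX_PopulateExtensions change in this commit, a set flag skips the automatic curve list, so a caller that ignores the error would presumably end up with no curves added at all. Set the flag only on success, using a local `int ret`: `ret = TLSX_UseSupportedCurve(&ssl->extensions, name, ssl->heap);`, then `if (ret == SSL_SUCCESS) ssl->options.userCurves = 1;`, then `return ret;`, and likewise in the ctx variant. Both function bodies start outside the hunks.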

226
src/tls.c

@ -4480,99 +4480,175 @@ static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name)
int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
{
int ret = 0;
byte* public_key = NULL;
word16 public_key_len = 0;
#ifdef HAVE_QSH
TLSX* extension;
QSHScheme* qsh;
QSHScheme* next;
#endif
int ret = 0;
#ifdef HAVE_QSH
TLSX* extension;
QSHScheme* qsh;
QSHScheme* next;
#ifdef HAVE_QSH
/* add supported QSHSchemes */
WOLFSSL_MSG("Adding supported QSH Schemes");
/* add supported QSHSchemes */
WOLFSSL_MSG("Adding supported QSH Schemes");
#endif
/* server will add extension depending on whats parsed from client */
if (!isServer) {
/* server will add extension depending on whats parsed from client */
if (!isServer) {
#ifdef HAVE_QSH
/* test if user has set a specific scheme already */
if (!ssl->user_set_QSHSchemes) {
if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS743)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS593)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS439)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
/* test if user has set a specific scheme already */
if (!ssl->user_set_QSHSchemes) {
if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS743)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS593)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS439)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
/* add NTRU 256 */
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, WOLFSSL_NTRU_EESS743);
}
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS743,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
/* add NTRU 256 */
/* add NTRU 196 */
if (ssl->sendQSHKeys) {
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, WOLFSSL_NTRU_EESS743);
}
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS743,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
/* add NTRU 196 */
if (ssl->sendQSHKeys) {
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, WOLFSSL_NTRU_EESS593);
}
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS593,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
/* add NTRU 128 */
if (ssl->sendQSHKeys) {
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, WOLFSSL_NTRU_EESS439);
}
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS439,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
&public_key_len, WOLFSSL_NTRU_EESS593);
}
else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
/* for each scheme make a client key */
extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
if (extension) {
qsh = (QSHScheme*)extension->data;
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS593,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
while (qsh) {
if ((ret = TLSX_CreateQSHKey(ssl, qsh->name)) != 0)
return ret;
/* add NTRU 128 */
if (ssl->sendQSHKeys) {
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, WOLFSSL_NTRU_EESS439);
}
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS439,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
}
else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
/* for each scheme make a client key */
extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
if (extension) {
qsh = (QSHScheme*)extension->data;
/* get next now because qsh could be freed */
next = qsh->next;
while (qsh) {
if ((ret = TLSX_CreateQSHKey(ssl, qsh->name)) != 0)
return ret;
/* find the public key created and add to extension*/
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, qsh->name);
if (TLSX_UseQSHScheme(&ssl->extensions, qsh->name,
public_key, public_key_len,
ssl->heap) != SSL_SUCCESS)
ret = -1;
qsh = next;
}
/* get next now because qsh could be freed */
next = qsh->next;
/* find the public key created and add to extension*/
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, qsh->name);
if (TLSX_UseQSHScheme(&ssl->extensions, qsh->name,
public_key, public_key_len,
ssl->heap) != SSL_SUCCESS)
ret = -1;
qsh = next;
}
}
} /* is not server */
#endif
}
#endif
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
if (!ssl->options.userCurves && !ssl->ctx->userCurves) {
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP160R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_SECPR2
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP160R2, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP160K1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP192R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP192K1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP224R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP224K1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP256R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP256K1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP384R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP521R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
}
#endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */
} /* is not server */
(void)isServer;
(void)public_key;
(void)public_key_len;
(void)ssl;
if (ret == SSL_SUCCESS)
ret = 0;
return ret;
}
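Review bot: In the new ECC block every `ret = TLSX_UseSupportedCurve(...)` overwrites `ret`, so a `ret = -1` recorded by a failed TLSX_UseQSHScheme() in the HAVE_QSH block above is lost and the function returns 0 once the last curve is added. Guarding the block with `if (ret == 0 && !ssl->options.userCurves && !ssl->ctx->userCurves) {` keeps the earlier failure. Separately, the block advertises every compiled-in curve by default, including the 160- and 192-bit ones when HAVE_ECC160, HAVE_ECC192 or HAVE_ALL_CURVES is defined. A comment stating that this is intended, and what preference order results (the ordering done inside TLSX_UseSupportedCurve is not visible here), would help anyone auditing the ClientHello. The `!ssl->ctx->userCurves` test also looks redundant with the copy InitSSL now makes into `ssl->options.userCurves`.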


@ -2040,6 +2040,9 @@ struct WOLFSSL_CTX {
void* ticketEncCtx; /* session encrypt context */
int ticketHint; /* ticket hint in seconds */
#endif
#ifdef HAVE_SUPPORTED_CURVES
byte userCurves; /* indicates user called wolfSSL_CTX_UseSupportedCurve */
#endif
#endif
#ifdef ATOMIC_USER
CallbackMacEncrypt MacEncryptCb; /* Atomic User Mac/Encrypt Cb */
@ -2453,6 +2456,9 @@ typedef struct Options {
#endif
#endif
word16 haveEMS:1; /* using extended master secret */
#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SUPPORTED_CURVES)
word16 userCurves:1; /* indicates user called wolfSSL_UseSupportedCurve */
#endif
/* need full byte values for this section */
byte processReply; /* nonblocking resume */