feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #717 from wolfSSL/auto_ecc_sup_curves

Browse Source 
Added code to automatically populate supported ECC curve information
This commit is contained in:
toddouska
2017-01-23 13:57:56 -08:00
committed by GitHub
parent 008a69f185 784ce57f45
commit a1b79abedb
5 changed files with 168 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
examples/client/client.c
View File

@ -1340,6 +1340,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_KeepArrays(ssl); wolfSSL_KeepArrays(ssl);
#endif #endif
#if 0 /* all enabled and supported ECC curves will be added automatically */
#ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */ #ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */
if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1) if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1)
!= SSL_SUCCESS) { != SSL_SUCCESS) {
@ -1378,6 +1379,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to set curve secp160r1"); err_sys("unable to set curve secp160r1");
} }
#endif #endif
#endif
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session"); wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
@ -1732,6 +1734,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_set_SessionTicket_cb(sslResume, sessionTicketCB, wolfSSL_set_SessionTicket_cb(sslResume, sessionTicketCB,
(void*)"resumed session"); (void*)"resumed session");
#endif #endif
#if 0 /* all enabled and supported ECC curves will be added automatically */
#ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */ #ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */
if (wolfSSL_UseSupportedCurve(sslResume, WOLFSSL_ECC_SECP256R1) if (wolfSSL_UseSupportedCurve(sslResume, WOLFSSL_ECC_SECP256R1)
!= SSL_SUCCESS) { != SSL_SUCCESS) {
@ -1770,6 +1773,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to set curve secp160r1"); err_sys("unable to set curve secp160r1");
} }
#endif #endif
#endif
#ifndef WOLFSSL_CALLBACKS #ifndef WOLFSSL_CALLBACKS
if (nonBlocking) { if (nonBlocking) {

3
src/internal.c
View File

@ -3488,6 +3488,9 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
#ifdef HAVE_ALPN #ifdef HAVE_ALPN
ssl->alpn_client_list = NULL; ssl->alpn_client_list = NULL;
#endif #endif
#ifdef HAVE_SUPPORTED_CURVES
ssl->options.userCurves = ctx->userCurves;
#endif
#endif /* HAVE_TLS_EXTENSIONS */ #endif /* HAVE_TLS_EXTENSIONS */
/* default alert state (none) */ /* default alert state (none) */

4
src/ssl.c
View File

@ -1401,6 +1401,8 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
ssl->options.userCurves = 1;
return TLSX_UseSupportedCurve(&ssl->extensions, name, ssl->heap); return TLSX_UseSupportedCurve(&ssl->extensions, name, ssl->heap);
} }
@ -1431,6 +1433,8 @@ int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
ctx->userCurves = 1;
return TLSX_UseSupportedCurve(&ctx->extensions, name, ctx->heap); return TLSX_UseSupportedCurve(&ctx->extensions, name, ctx->heap);
} }

226
src/tls.c
View File

@ -4480,99 +4480,175 @@ static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name)
int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
{ {
int ret = 0;
byte* public_key = NULL; byte* public_key = NULL;
word16 public_key_len = 0; word16 public_key_len = 0;
#ifdef HAVE_QSH #ifdef HAVE_QSH
TLSX* extension; TLSX* extension;
QSHScheme* qsh; QSHScheme* qsh;
QSHScheme* next; QSHScheme* next;
#endif
int ret = 0;
#ifdef HAVE_QSH /* add supported QSHSchemes */
/* add supported QSHSchemes */ WOLFSSL_MSG("Adding supported QSH Schemes");
WOLFSSL_MSG("Adding supported QSH Schemes"); #endif
/* server will add extension depending on whats parsed from client */ /* server will add extension depending on whats parsed from client */
if (!isServer) { if (!isServer) {
#ifdef HAVE_QSH
/* test if user has set a specific scheme already */
if (!ssl->user_set_QSHSchemes) {
if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS743)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS593)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS439)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
/* test if user has set a specific scheme already */ /* add NTRU 256 */
if (!ssl->user_set_QSHSchemes) { public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) { &public_key_len, WOLFSSL_NTRU_EESS743);
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS743)) != 0) { }
WOLFSSL_MSG("Error creating ntru keys"); if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS743,
return ret; public_key, public_key_len, ssl->heap)
} != SSL_SUCCESS)
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS593)) != 0) { ret = -1;
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS439)) != 0) {
WOLFSSL_MSG("Error creating ntru keys");
return ret;
}
/* add NTRU 256 */ /* add NTRU 196 */
if (ssl->sendQSHKeys) {
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, WOLFSSL_NTRU_EESS743); &public_key_len, WOLFSSL_NTRU_EESS593);
}
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS743,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
/* add NTRU 196 */
if (ssl->sendQSHKeys) {
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, WOLFSSL_NTRU_EESS593);
}
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS593,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
/* add NTRU 128 */
if (ssl->sendQSHKeys) {
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, WOLFSSL_NTRU_EESS439);
}
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS439,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
} }
else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) { if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS593,
/* for each scheme make a client key */ public_key, public_key_len, ssl->heap)
extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); != SSL_SUCCESS)
if (extension) { ret = -1;
qsh = (QSHScheme*)extension->data;
while (qsh) { /* add NTRU 128 */
if ((ret = TLSX_CreateQSHKey(ssl, qsh->name)) != 0) if (ssl->sendQSHKeys) {
return ret; public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
&public_key_len, WOLFSSL_NTRU_EESS439);
}
if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS439,
public_key, public_key_len, ssl->heap)
!= SSL_SUCCESS)
ret = -1;
}
else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
/* for each scheme make a client key */
extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
if (extension) {
qsh = (QSHScheme*)extension->data;
/* get next now because qsh could be freed */ while (qsh) {
next = qsh->next; if ((ret = TLSX_CreateQSHKey(ssl, qsh->name)) != 0)
return ret;
/* find the public key created and add to extension*/ /* get next now because qsh could be freed */
public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, next = qsh->next;
&public_key_len, qsh->name);
if (TLSX_UseQSHScheme(&ssl->extensions, qsh->name, /* find the public key created and add to extension*/
public_key, public_key_len, public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
ssl->heap) != SSL_SUCCESS) &public_key_len, qsh->name);
ret = -1; if (TLSX_UseQSHScheme(&ssl->extensions, qsh->name,
qsh = next; public_key, public_key_len,
} ssl->heap) != SSL_SUCCESS)
ret = -1;
qsh = next;
} }
} }
} /* is not server */ }
#endif #endif
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
if (!ssl->options.userCurves && !ssl->ctx->userCurves) {
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP160R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_SECPR2
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP160R2, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP160K1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP192R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP192K1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP224R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP224K1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP256R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_KOBLITZ
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP256K1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP384R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#ifdef HAVE_ECC_BRAINPOOL
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP521R1, ssl->heap);
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
}
#endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */
} /* is not server */
(void)isServer;
(void)public_key; (void)public_key;
(void)public_key_len; (void)public_key_len;
(void)ssl; (void)ssl;
if (ret == SSL_SUCCESS)
ret = 0;
return ret; return ret;
} }

6
wolfssl/internal.h
View File

@ -2040,6 +2040,9 @@ struct WOLFSSL_CTX {
void* ticketEncCtx; /* session encrypt context */ void* ticketEncCtx; /* session encrypt context */
int ticketHint; /* ticket hint in seconds */ int ticketHint; /* ticket hint in seconds */
#endif #endif
#ifdef HAVE_SUPPORTED_CURVES
byte userCurves; /* indicates user called wolfSSL_CTX_UseSupportedCurve */
#endif
#endif #endif
#ifdef ATOMIC_USER #ifdef ATOMIC_USER
CallbackMacEncrypt MacEncryptCb; /* Atomic User Mac/Encrypt Cb */ CallbackMacEncrypt MacEncryptCb; /* Atomic User Mac/Encrypt Cb */
@ -2453,6 +2456,9 @@ typedef struct Options {
#endif #endif
#endif #endif
word16 haveEMS:1; /* using extended master secret */ word16 haveEMS:1; /* using extended master secret */
#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SUPPORTED_CURVES)
word16 userCurves:1; /* indicates user called wolfSSL_UseSupportedCurve */
#endif
/* need full byte values for this section */ /* need full byte values for this section */
byte processReply; /* nonblocking resume */ byte processReply; /* nonblocking resume */