From 349edd40c2147f014113c16c1c8b9534a180dcbc Mon Sep 17 00:00:00 2001 From: Ludovic FLAMENT Date: Wed, 22 Jul 2015 14:18:07 +0200 Subject: [PATCH 1/5] Add support for OpenSSH ssh-keygen tools refactor existing code --- src/ssl.c | 1126 +++++++++++++++++++++++--------- wolfcrypt/src/aes.c | 33 + wolfcrypt/src/asn.c | 265 +++++--- wolfcrypt/src/coding.c | 33 + wolfcrypt/src/des3.c | 79 ++- wolfcrypt/src/dsa.c | 266 +++++++- wolfcrypt/src/ecc.c | 140 ++-- wolfcrypt/src/integer.c | 109 +++- wolfcrypt/src/rsa.c | 97 +-- wolfcrypt/src/tfm.c | 150 ++++- wolfcrypt/test/test.c | 40 +- wolfssl/openssl/dsa.h | 2 +- wolfssl/openssl/pem.h | 143 ++-- wolfssl/wolfcrypt/aes.h | 63 +- wolfssl/wolfcrypt/asn.h | 21 +- wolfssl/wolfcrypt/asn_public.h | 3 +- wolfssl/wolfcrypt/coding.h | 2 + wolfssl/wolfcrypt/des3.h | 38 +- wolfssl/wolfcrypt/dsa.h | 5 + wolfssl/wolfcrypt/ecc.h | 17 +- wolfssl/wolfcrypt/integer.h | 3 + wolfssl/wolfcrypt/rsa.h | 16 +- wolfssl/wolfcrypt/tfm.h | 11 +- 23 files changed, 1957 insertions(+), 705 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 626436fec..211112164 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1546,6 +1546,20 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz, #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +static const char *EVP_AES_128_CBC = "AES-128-CBC"; +static const char *EVP_AES_192_CBC = "AES-192-CBC"; +static const char *EVP_AES_256_CBC = "AES-256-CBC"; +static const char *EVP_AES_128_CTR = "AES-128-CTR"; +static const char *EVP_AES_192_CTR = "AES-192-CTR"; +static const char *EVP_AES_256_CTR = "AES-256-CTR"; +static const int EVP_AES_SIZE = 11; + +static const char *EVP_DES_CBC = "DES-CBC"; +static const int EVP_DES_SIZE = 7; + +static const char *EVP_DES_EDE3_CBC = "DES-EDE3-CBC"; +static const int EVP_DES_EDE3_SIZE = 12; + /* our KeyPemToDer password callback, password in userData */ static INLINE int OurPasswordCb(char* passwd, int sz, int rw, void* userdata) { @@ -2162,6 +2176,7 @@ int wolfSSL_Init(void) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +/* SSL_SUCCESS if ok, <= 0 else */ static int wolfssl_decrypt_buffer_key(buffer* der, byte* password, int passwordSz, EncryptedInfo* info) { @@ -2169,63 +2184,60 @@ static int wolfssl_decrypt_buffer_key(buffer* der, byte* password, #ifdef WOLFSSL_SMALL_STACK byte* key = NULL; - byte* iv = NULL; #else byte key[AES_256_KEY_SIZE]; -#ifndef NO_MD5 - byte iv[AES_IV_SIZE]; -#endif #endif - if (der == NULL || password == NULL || info == NULL) + WOLFSSL_ENTER("wolfssl_decrypt_buffer_key"); + + if (der == NULL || password == NULL || info == NULL) { + WOLFSSL_MSG("bad arguments"); return SSL_FATAL_ERROR; + } /* use file's salt for key derivation, hex decode first */ - if (Base16_Decode(info->iv, info->ivSz, info->iv, &info->ivSz) != 0) - return ASN_INPUT_E; + if (Base16_Decode(info->iv, info->ivSz, info->iv, &info->ivSz) != 0) { + WOLFSSL_MSG("base16 decode failed"); + return SSL_FATAL_ERROR; + } #ifndef NO_MD5 #ifdef WOLFSSL_SMALL_STACK - iv = (byte*)XMALLOC(AES_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (iv == NULL) - return MEMORY_E; - key = (byte*)XMALLOC(AES_256_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (key == NULL) { - XFREE(iv, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return MEMORY_E; + WOLFSSL_MSG("memory failure"); + return SSL_FATAL_ERROR; } #endif /* WOLFSSL_SMALL_STACK */ - if ((ret = EVP_BytesToKey(info->name, "MD5", info->iv, - password, passwordSz, 1, key, iv)) <= 0) { - + if ((ret = wolfSSL_EVP_BytesToKey(info->name, "MD5", info->iv, + password, passwordSz, 1, key, NULL)) <= 0) { + WOLFSSL_MSG("bytes to key failure"); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(iv, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - return ASN_INPUT_E; + return SSL_FATAL_ERROR; } #endif /* NO_MD5 */ #ifndef NO_DES3 - if (XSTRNCMP(info->name, "DES-CBC", 7) == 0) + if (XSTRNCMP(info->name, EVP_DES_CBC, EVP_DES_SIZE) == 0) ret = wc_Des_CbcDecryptWithKey(der->buffer, der->buffer, der->length, key, info->iv); - else if (XSTRNCMP(info->name, "DES-EDE3-CBC", 12) == 0) + else if (XSTRNCMP(info->name, EVP_DES_EDE3_CBC, EVP_DES_EDE3_SIZE) == 0) ret = wc_Des3_CbcDecryptWithKey(der->buffer, der->buffer, der->length, key, info->iv); #endif /* NO_DES3 */ #ifndef NO_AES - else if (XSTRNCMP(info->name, "AES-128-CBC", 11) == 0) + else if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) ret = wc_AesCbcDecryptWithKey(der->buffer, der->buffer, der->length, key, AES_128_KEY_SIZE, info->iv); - else if (XSTRNCMP(info->name, "AES-192-CBC", 11) == 0) + else if (XSTRNCMP(info->name, EVP_AES_192_CBC, EVP_AES_SIZE) == 0) ret = wc_AesCbcDecryptWithKey(der->buffer, der->buffer, der->length, key, AES_192_KEY_SIZE, info->iv); - else if (XSTRNCMP(info->name, "AES-256-CBC", 11) == 0) + else if (XSTRNCMP(info->name, EVP_AES_256_CBC, EVP_AES_SIZE) == 0) ret = wc_AesCbcDecryptWithKey(der->buffer, der->buffer, der->length, key, AES_256_KEY_SIZE, info->iv); #endif /* NO_AES */ @@ -2234,34 +2246,93 @@ static int wolfssl_decrypt_buffer_key(buffer* der, byte* password, #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(iv, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - return ret; + if (ret == MP_OKAY) + return SSL_SUCCESS; + else if (ret == SSL_BAD_FILE) + return SSL_BAD_FILE; + + return SSL_FATAL_ERROR; } #endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) */ -#ifndef NO_CERTS +#if defined(WOLFSSL_KEY_GEN) +static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password, + int passwordSz, EncryptedInfo* info) +{ + int ret; -static const char* BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; -static const char* END_CERT = "-----END CERTIFICATE-----"; -static const char* BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; -static const char* END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; -static const char* BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; -static const char* END_DH_PARAM = "-----END DH PARAMETERS-----"; -static const char* BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; -static const char* END_X509_CRL = "-----END X509 CRL-----"; -static const char* BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; -static const char* END_RSA_PRIV = "-----END RSA PRIVATE KEY-----"; -static const char* BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----"; -static const char* END_PRIV_KEY = "-----END PRIVATE KEY-----"; -static const char* BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; -static const char* END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; -static const char* BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----"; -static const char* END_EC_PRIV = "-----END EC PRIVATE KEY-----"; -static const char* BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; -static const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; +#ifdef WOLFSSL_SMALL_STACK + byte* key = NULL; +#else + byte key[AES_256_KEY_SIZE]; +#endif + + WOLFSSL_ENTER("wolfssl_encrypt_buffer_key"); + + if (der == NULL || password == NULL || info == NULL || info->ivSz == 0) { + WOLFSSL_MSG("bad arguments"); + return SSL_FATAL_ERROR; + } + +#ifndef NO_MD5 + +#ifdef WOLFSSL_SMALL_STACK + key = (byte*)XMALLOC(AES_256_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (key == NULL) { + WOLFSSL_MSG("memory failure"); + return SSL_FATAL_ERROR; + } +#endif /* WOLFSSL_SMALL_STACK */ + + if ((ret = wolfSSL_EVP_BytesToKey(info->name, "MD5", info->iv, + password, passwordSz, 1, key, NULL)) <= 0) { + WOLFSSL_MSG("bytes to key failure"); +#ifdef WOLFSSL_SMALL_STACK + XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return SSL_FATAL_ERROR; + } + +#endif /* NO_MD5 */ + +#ifndef NO_DES3 + if (XSTRNCMP(info->name, EVP_DES_CBC, EVP_DES_SIZE) == 0) + ret = wc_Des_CbcEncryptWithKey(der, der, derSz, key, info->iv); + else if (XSTRNCMP(info->name, EVP_DES_EDE3_CBC, EVP_DES_EDE3_SIZE) == 0) + ret = wc_Des3_CbcEncryptWithKey(der, der, derSz, key, info->iv); +#endif /* NO_DES3 */ +#ifndef NO_AES + else if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) + ret = wc_AesCbcEncryptWithKey(der, der, derSz, + key, AES_128_KEY_SIZE, info->iv); + else if (XSTRNCMP(info->name, EVP_AES_192_CBC, EVP_AES_SIZE) == 0) + ret = wc_AesCbcEncryptWithKey(der, der, derSz, + key, AES_192_KEY_SIZE, info->iv); + else if (XSTRNCMP(info->name, EVP_AES_256_CBC, EVP_AES_SIZE) == 0) + ret = wc_AesCbcEncryptWithKey(der, der, derSz, + key, AES_256_KEY_SIZE, info->iv); +#endif /* NO_AES */ + else + ret = SSL_BAD_FILE; + +#ifdef WOLFSSL_SMALL_STACK + XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + if (ret == MP_OKAY) + return SSL_SUCCESS; + else if (ret == SSL_BAD_FILE) + return SSL_BAD_FILE; + + return SSL_FATAL_ERROR; +} +#endif /* defined(WOLFSSL_KEY_GEN) */ + + +#ifndef NO_CERTS /* Remove PEM header/footer, convert to ASN1, store any encrypted data info->consumed tracks of PEM bytes consumed in case multiple parts */ @@ -2280,6 +2351,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type, int sz = (int)longSz; int encrypted_key = 0; + WOLFSSL_ENTER("PemToDer"); + switch (type) { case CA_TYPE: /* same as below */ case CERT_TYPE: header=BEGIN_CERT; footer=END_CERT; break; @@ -2361,9 +2434,11 @@ int PemToDer(const unsigned char* buff, long longSz, int type, if (start && finish && (start < finish)) { newline = XSTRNSTR(finish, "\r", PEM_LINE_LEN); - XMEMCPY(info->name, start, finish - start); + if (XMEMCPY(info->name, start, finish - start) == NULL) + return SSL_FATAL_ERROR; info->name[finish - start] = 0; - XMEMCPY(info->iv, finish + 1, sizeof(info->iv)); + if (XMEMCPY(info->iv, finish + 1, sizeof(info->iv)) == NULL) + return SSL_FATAL_ERROR; if (!newline) newline = XSTRNSTR(finish, "\n", PEM_LINE_LEN); if (newline && (newline > finish)) { @@ -2470,7 +2545,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, #ifdef WOLFSSL_SMALL_STACK XFREE(password, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - if (ret != 0) { + if (ret != SSL_SUCCESS) { XFREE(der->buffer, heap, dynamicType); return ret; } @@ -2702,7 +2777,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, XFREE(password, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - if (ret != 0) { + if (ret != SSL_SUCCESS) { #ifdef WOLFSSL_SMALL_STACK XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -7490,30 +7565,30 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return 0; #endif - WOLFSSL_ENTER("EVP_BytesToKey"); + WOLFSSL_ENTER("wolfSSL_EVP_BytesToKey"); wc_InitMd5(md5); /* only support MD5 for now */ if (XSTRNCMP(md, "MD5", 3) != 0) return 0; /* only support CBC DES and AES for now */ - if (XSTRNCMP(type, "DES-CBC", 7) == 0) { + if (XSTRNCMP(type, EVP_DES_CBC, EVP_DES_SIZE) == 0) { keyLen = DES_KEY_SIZE; ivLen = DES_IV_SIZE; } - else if (XSTRNCMP(type, "DES-EDE3-CBC", 12) == 0) { + else if (XSTRNCMP(type, EVP_DES_EDE3_CBC, EVP_DES_EDE3_SIZE) == 0) { keyLen = DES3_KEY_SIZE; ivLen = DES_IV_SIZE; } - else if (XSTRNCMP(type, "AES-128-CBC", 11) == 0) { + else if (XSTRNCMP(type, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) { keyLen = AES_128_KEY_SIZE; ivLen = AES_IV_SIZE; } - else if (XSTRNCMP(type, "AES-192-CBC", 11) == 0) { + else if (XSTRNCMP(type, EVP_AES_192_CBC, EVP_AES_SIZE) == 0) { keyLen = AES_192_KEY_SIZE; ivLen = AES_IV_SIZE; } - else if (XSTRNCMP(type, "AES-256-CBC", 11) == 0) { + else if (XSTRNCMP(type, EVP_AES_256_CBC, EVP_AES_SIZE) == 0) { keyLen = AES_256_KEY_SIZE; ivLen = AES_IV_SIZE; } @@ -7555,8 +7630,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (ivLeft && digestLeft) { int store = min(ivLeft, digestLeft); - XMEMCPY(&iv[ivLen - ivLeft], &digest[MD5_DIGEST_SIZE - - digestLeft], store); + if (iv != NULL) + XMEMCPY(&iv[ivLen - ivLeft], + &digest[MD5_DIGEST_SIZE - digestLeft], store); keyOutput += store; ivLeft -= store; } @@ -7814,68 +7890,59 @@ int wolfSSL_set_compression(WOLFSSL* ssl) /* do nothing */ } - const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cbc(void) { - static const char* type = "AES128-CBC"; WOLFSSL_ENTER("wolfSSL_EVP_aes_128_cbc"); - return type; + return EVP_AES_128_CBC; } const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_cbc(void) { - static const char* type = "AES192-CBC"; WOLFSSL_ENTER("wolfSSL_EVP_aes_192_cbc"); - return type; + return EVP_AES_192_CBC; } const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_cbc(void) { - static const char* type = "AES256-CBC"; WOLFSSL_ENTER("wolfSSL_EVP_aes_256_cbc"); - return type; + return EVP_AES_256_CBC; } const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_ctr(void) { - static const char* type = "AES128-CTR"; WOLFSSL_ENTER("wolfSSL_EVP_aes_128_ctr"); - return type; + return EVP_AES_128_CTR; } const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_ctr(void) { - static const char* type = "AES192-CTR"; WOLFSSL_ENTER("wolfSSL_EVP_aes_192_ctr"); - return type; + return EVP_AES_192_CTR; } const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_ctr(void) { - static const char* type = "AES256-CTR"; WOLFSSL_ENTER("wolfSSL_EVP_aes_256_ctr"); - return type; + return EVP_AES_256_CTR; } const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_cbc(void) { - static const char* type = "DES-CBC"; WOLFSSL_ENTER("wolfSSL_EVP_des_cbc"); - return type; + return EVP_DES_CBC; } const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ede3_cbc(void) { - static const char* type = "DES-EDE3-CBC"; WOLFSSL_ENTER("wolfSSL_EVP_des_ede3_cbc"); - return type; + return EVP_DES_EDE3_CBC; } @@ -7952,9 +8019,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } #ifndef NO_AES - if (ctx->cipherType == AES_128_CBC_TYPE || (type && - XSTRNCMP(type, "AES128-CBC", 10) == 0)) { - WOLFSSL_MSG("AES-128-CBC"); + if (ctx->cipherType == AES_128_CBC_TYPE || + (type && XSTRNCMP(type, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_AES_128_CBC); ctx->cipherType = AES_128_CBC_TYPE; ctx->keyLen = 16; if (enc == 0 || enc == 1) @@ -7971,9 +8038,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } } - else if (ctx->cipherType == AES_192_CBC_TYPE || (type && - XSTRNCMP(type, "AES192-CBC", 10) == 0)) { - WOLFSSL_MSG("AES-192-CBC"); + else if (ctx->cipherType == AES_192_CBC_TYPE || + (type && XSTRNCMP(type, EVP_AES_192_CBC, EVP_AES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_AES_192_CBC); ctx->cipherType = AES_192_CBC_TYPE; ctx->keyLen = 24; if (enc == 0 || enc == 1) @@ -7990,9 +8057,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } } - else if (ctx->cipherType == AES_256_CBC_TYPE || (type && - XSTRNCMP(type, "AES256-CBC", 10) == 0)) { - WOLFSSL_MSG("AES-256-CBC"); + else if (ctx->cipherType == AES_256_CBC_TYPE || + (type && XSTRNCMP(type, EVP_AES_256_CBC, EVP_AES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_AES_256_CBC); ctx->cipherType = AES_256_CBC_TYPE; ctx->keyLen = 32; if (enc == 0 || enc == 1) @@ -8010,9 +8077,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } } #ifdef WOLFSSL_AES_COUNTER - else if (ctx->cipherType == AES_128_CTR_TYPE || (type && - XSTRNCMP(type, "AES128-CTR", 10) == 0)) { - WOLFSSL_MSG("AES-128-CTR"); + else if (ctx->cipherType == AES_128_CTR_TYPE || + (type && XSTRNCMP(type, EVP_AES_128_CTR, EVP_AES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_AES_128_CTR); ctx->cipherType = AES_128_CTR_TYPE; ctx->keyLen = 16; if (enc == 0 || enc == 1) @@ -8029,9 +8096,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } } - else if (ctx->cipherType == AES_192_CTR_TYPE || (type && - XSTRNCMP(type, "AES192-CTR", 10) == 0)) { - WOLFSSL_MSG("AES-192-CTR"); + else if (ctx->cipherType == AES_192_CTR_TYPE || + (type && XSTRNCMP(type, EVP_AES_192_CTR, EVP_AES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_AES_192_CTR); ctx->cipherType = AES_192_CTR_TYPE; ctx->keyLen = 24; if (enc == 0 || enc == 1) @@ -8048,9 +8115,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } } - else if (ctx->cipherType == AES_256_CTR_TYPE || (type && - XSTRNCMP(type, "AES256-CTR", 10) == 0)) { - WOLFSSL_MSG("AES-256-CTR"); + else if (ctx->cipherType == AES_256_CTR_TYPE || + (type && XSTRNCMP(type, EVP_AES_256_CTR, EVP_AES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_AES_256_CTR); ctx->cipherType = AES_256_CTR_TYPE; ctx->keyLen = 32; if (enc == 0 || enc == 1) @@ -8071,9 +8138,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif /* NO_AES */ #ifndef NO_DES3 - else if (ctx->cipherType == DES_CBC_TYPE || (type && - XSTRNCMP(type, "DES-CBC", 7) == 0)) { - WOLFSSL_MSG("DES-CBC"); + else if (ctx->cipherType == DES_CBC_TYPE || + (type && XSTRNCMP(type, EVP_DES_CBC, EVP_DES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_DES_CBC); ctx->cipherType = DES_CBC_TYPE; ctx->keyLen = 8; if (enc == 0 || enc == 1) @@ -8088,9 +8155,10 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (iv && key == NULL) wc_Des_SetIV(&ctx->cipher.des, iv); } - else if (ctx->cipherType == DES_EDE3_CBC_TYPE || (type && - XSTRNCMP(type, "DES-EDE3-CBC", 11) == 0)) { - WOLFSSL_MSG("DES-EDE3-CBC"); + else if (ctx->cipherType == DES_EDE3_CBC_TYPE || + (type && + XSTRNCMP(type, EVP_DES_EDE3_CBC, EVP_DES_EDE3_SIZE) == 0)) { + WOLFSSL_MSG(EVP_DES_EDE3_CBC); ctx->cipherType = DES_EDE3_CBC_TYPE; ctx->keyLen = 24; if (enc == 0 || enc == 1) @@ -10926,7 +10994,7 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num) RNG tmpRNG[1]; #endif - WOLFSSL_ENTER("RAND_bytes"); + WOLFSSL_ENTER("wolfSSL_RAND_bytes"); #ifdef WOLFSSL_SMALL_STACK tmpRNG = (RNG*)XMALLOC(sizeof(RNG), NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -11035,6 +11103,7 @@ void wolfSSL_BN_free(WOLFSSL_BIGNUM* bn) bn->internal = NULL; } XFREE(bn, NULL, DYNAMIC_TYPE_BIGINT); + bn = NULL; } } @@ -11327,7 +11396,7 @@ int wolfSSL_BN_set_bit(WOLFSSL_BIGNUM* bn, int n) return SSL_FAILURE; } - if (mp_set_int((mp_int*)bn->internal, n) != MP_OKAY) { + if (mp_set_bit((mp_int*)bn->internal, n) != MP_OKAY) { WOLFSSL_MSG("mp_set_int error"); return SSL_FAILURE; } @@ -11485,6 +11554,7 @@ int wolfSSL_BN_lshift(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *bn, int n) if (mp_mul_2d((mp_int*)bn->internal, n, (mp_int*)r->internal) != MP_OKAY) { WOLFSSL_MSG("mp_mul_2d error"); + wolfSSL_BN_free(r); return SSL_FAILURE; } @@ -11515,11 +11585,11 @@ int wolfSSL_BN_rshift(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *bn, int n) if (mp_div_2d((mp_int*)bn->internal, n, (mp_int*)r->internal, NULL) != MP_OKAY) { WOLFSSL_MSG("mp_mul_2d error"); + wolfSSL_BN_free(r); return SSL_FAILURE; } return SSL_SUCCESS; - } /* return code compliant with OpenSSL : @@ -11596,7 +11666,6 @@ int wolfSSL_BN_is_prime_ex(const WOLFSSL_BIGNUM *bn, int nbchecks, return SSL_SUCCESS; } -#endif /* #ifdef WOLFSSL_KEY_GEN */ /* return code compliant with OpenSSL : * (bn mod w) if success, -1 if error @@ -11604,7 +11673,6 @@ int wolfSSL_BN_is_prime_ex(const WOLFSSL_BIGNUM *bn, int nbchecks, WOLFSSL_BN_ULONG wolfSSL_BN_mod_word(const WOLFSSL_BIGNUM *bn, WOLFSSL_BN_ULONG w) { - mp_int mod, res; WOLFSSL_BN_ULONG ret = 0; WOLFSSL_MSG("wolfSSL_BN_mod_word"); @@ -11614,32 +11682,16 @@ WOLFSSL_BN_ULONG wolfSSL_BN_mod_word(const WOLFSSL_BIGNUM *bn, return SSL_FATAL_ERROR; } - if (mp_init_multi(&mod, &res, NULL, NULL, NULL, NULL) != MP_OKAY) { - WOLFSSL_MSG("mp_init error"); - return SSL_FATAL_ERROR; - } - - if (mp_set_int(&mod, w) != MP_OKAY) { - WOLFSSL_MSG("mp_set_int error"); - mp_clear(&mod); - return SSL_FATAL_ERROR; - } - - if (mp_mod((mp_int*)bn->internal, &mod, &res) != MP_OKAY) { + if (mp_mod_d((mp_int*)bn->internal, w, &ret) != MP_OKAY) { WOLFSSL_MSG("mp_add_d error"); - mp_clear(&mod); - mp_clear(&res); return SSL_FATAL_ERROR; } - ret = res.dp[0]; - - mp_clear(&mod); - mp_clear(&res); return ret; } +#endif /* #ifdef WOLFSSL_KEY_GEN */ -#if (defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)) && defined(HAVE_ECC) +#if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) char *wolfSSL_BN_bn2hex(const WOLFSSL_BIGNUM *bn) { int len = 0; @@ -11697,7 +11749,7 @@ int wolfSSL_BN_print_fp(FILE *fp, const WOLFSSL_BIGNUM *bn) return SSL_SUCCESS; } -#else /* defined(HAVE_ECC) */ +#else /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) */ char *wolfSSL_BN_bn2hex(const WOLFSSL_BIGNUM *bn) { @@ -11720,7 +11772,8 @@ int wolfSSL_BN_print_fp(FILE *fp, const WOLFSSL_BIGNUM *bn) return SSL_SUCCESS; } -#endif /*(defined(WOLFSSL_KEY_GEN)||defined(HAVE_COMP_KEY))&&defined(HAVE_ECC)*/ +#endif /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) */ + WOLFSSL_BIGNUM *wolfSSL_BN_CTX_get(WOLFSSL_BN_CTX *ctx) { @@ -12097,36 +12150,9 @@ void wolfSSL_DSA_free(WOLFSSL_DSA* dsa) InitwolfSSL_DSA(dsa); /* set back to NULLs for safety */ XFREE(dsa, NULL, DYNAMIC_TYPE_DSA); + dsa = NULL; } } - - -int wolfSSL_DSA_generate_key(WOLFSSL_DSA* dsa) -{ - (void)dsa; - - WOLFSSL_MSG("wolfSSL_DSA_generate_key"); - - return 0; /* key gen not needed by server */ -} - - -int wolfSSL_DSA_generate_parameters_ex(WOLFSSL_DSA* dsa, int bits, - unsigned char* seed, int seedLen, int* counterRet, - unsigned long* hRet, void* cb) -{ - (void)dsa; - (void)bits; - (void)seed; - (void)seedLen; - (void)counterRet; - (void)hRet; - (void)cb; - - WOLFSSL_MSG("wolfSSL_DSA_generate_parameters_ex"); - - return 0; /* key gen not needed by server */ -} #endif /* NO_DSA */ #ifndef NO_RSA @@ -12203,6 +12229,7 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa) InitwolfSSL_Rsa(rsa); /* set back to NULLs for safety */ XFREE(rsa, NULL, DYNAMIC_TYPE_RSA); + rsa = NULL; } } #endif /* NO_RSA */ @@ -12238,7 +12265,7 @@ static int SetIndividualInternal(WOLFSSL_BIGNUM* bn, mp_int* mpi) { WOLFSSL_MSG("Entering SetIndividualInternal"); - if (bn == NULL) { + if (bn == NULL || bn->internal == NULL) { WOLFSSL_MSG("bn NULL error"); return SSL_FATAL_ERROR; } @@ -12333,16 +12360,24 @@ static int SetDsaInternal(WOLFSSL_DSA* dsa) return SSL_FATAL_ERROR; } - if (dsa->pub_key != NULL && - SetIndividualInternal(dsa->pub_key, &key->y) != SSL_SUCCESS) { - WOLFSSL_MSG("rsa pub_key error"); - return SSL_FATAL_ERROR; + if (dsa->pub_key != NULL) { + if (SetIndividualInternal(dsa->pub_key, &key->y) != SSL_SUCCESS) { + WOLFSSL_MSG("rsa pub_key error"); + return SSL_FATAL_ERROR; + } + + /* public key */ + key->type = DSA_PUBLIC; } - if (dsa->priv_key != NULL && - SetIndividualInternal(dsa->priv_key, &key->x) != SSL_SUCCESS) { - WOLFSSL_MSG("rsa priv_key error"); - return SSL_FATAL_ERROR; + if (dsa->priv_key != NULL) { + if (SetIndividualInternal(dsa->priv_key, &key->x) != SSL_SUCCESS) { + WOLFSSL_MSG("rsa priv_key error"); + return SSL_FATAL_ERROR; + } + + /* private key */ + key->type = DSA_PRIVATE; } dsa->inSet = 1; @@ -12434,10 +12469,17 @@ static int SetRsaInternal(WOLFSSL_RSA* rsa) return SSL_FATAL_ERROR; } - if (rsa->d != NULL && - SetIndividualInternal(rsa->d, &key->d) != SSL_SUCCESS) { - WOLFSSL_MSG("rsa d key error"); - return SSL_FATAL_ERROR; + /* public key */ + key->type = RSA_PUBLIC; + + if (rsa->d != NULL) { + if (SetIndividualInternal(rsa->d, &key->d) != SSL_SUCCESS) { + WOLFSSL_MSG("rsa d key error"); + return SSL_FATAL_ERROR; + } + + /* private key */ + key->type = RSA_PRIVATE; } if (rsa->p != NULL && @@ -12476,19 +12518,25 @@ static int SetRsaInternal(WOLFSSL_RSA* rsa) } -/* SSL_SUCCESS on ok */ +/* return compliant with OpenSSL + * 1 if success, 0 if error + */ int wolfSSL_RSA_generate_key_ex(WOLFSSL_RSA* rsa, int bits, WOLFSSL_BIGNUM* bn, void* cb) { - int ret = SSL_FATAL_ERROR; + int ret = SSL_FAILURE; - WOLFSSL_MSG("wolfSSL_RSA_generate_key_ex"); - - (void)rsa; - (void)bits; (void)cb; (void)bn; + WOLFSSL_ENTER("wolfSSL_RSA_generate_key_ex"); + + if (rsa == NULL || rsa->internal == NULL || + bits < RSA_MIN_SIZE || bits > RSA_MAX_SIZE) { + WOLFSSL_MSG("bad arguments"); + return SSL_FAILURE; + } + #ifdef WOLFSSL_KEY_GEN { #ifdef WOLFSSL_SMALL_STACK @@ -12500,12 +12548,13 @@ int wolfSSL_RSA_generate_key_ex(WOLFSSL_RSA* rsa, int bits, WOLFSSL_BIGNUM* bn, #ifdef WOLFSSL_SMALL_STACK rng = (RNG*)XMALLOC(sizeof(RNG), NULL, DYNAMIC_TYPE_TMP_BUFFER); if (rng == NULL) - return SSL_FATAL_ERROR; + return SSL_FAILURE; #endif if (wc_InitRng(rng) < 0) WOLFSSL_MSG("RNG init failed"); - else if (wc_MakeRsaKey((RsaKey*)rsa->internal, bits, 65537, rng) < 0) + else if (wc_MakeRsaKey((RsaKey*)rsa->internal, + bits, 65537, rng) != MP_OKAY) WOLFSSL_MSG("wc_MakeRsaKey failed"); else if (SetRsaExternal(rsa) != SSL_SUCCESS) WOLFSSL_MSG("SetRsaExternal failed"); @@ -12585,8 +12634,146 @@ int wolfSSL_RSA_size(const WOLFSSL_RSA* rsa) } #endif /* NO_RSA */ - #ifndef NO_DSA +/* return code compliant with OpenSSL : + * 1 if success, 0 if error + */ +int wolfSSL_DSA_generate_key(WOLFSSL_DSA* dsa) +{ + int ret = SSL_FAILURE; + + WOLFSSL_ENTER("wolfSSL_DSA_generate_key"); + + if (dsa == NULL || dsa->internal == NULL) { + WOLFSSL_MSG("Bad arguments"); + return SSL_FAILURE; + } + +#ifdef WOLFSSL_KEY_GEN + { + int initTmpRng = 0; + RNG *rng = NULL; +#ifdef WOLFSSL_SMALL_STACK + RNG *tmpRNG = NULL; +#else + RNG tmpRNG[1]; +#endif + +#ifdef WOLFSSL_SMALL_STACK + tmpRNG = (RNG*)XMALLOC(sizeof(RNG), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (tmpRNG == NULL) + return SSL_FATAL_ERROR; +#endif + if (wc_InitRng(tmpRNG) == 0) { + rng = tmpRNG; + initTmpRng = 1; + } + else { + WOLFSSL_MSG("Bad RNG Init, trying global"); + if (initGlobalRNG == 0) + WOLFSSL_MSG("Global RNG no Init"); + else + rng = &globalRNG; + } + + if (rng) { + if (wc_MakeDsaKey(rng, (DsaKey*)dsa->internal) != MP_OKAY) + WOLFSSL_MSG("wc_MakeDsaKey failed"); + else if (SetDsaExternal(dsa) != SSL_SUCCESS) + WOLFSSL_MSG("SetDsaExternal failed"); + else + ret = SSL_SUCCESS; + } + + if (initTmpRng) + wc_FreeRng(tmpRNG); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(tmpRNG, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + } +#else /* WOLFSSL_KEY_GEN */ + WOLFSSL_MSG("No Key Gen built in"); +#endif + return ret; +} + +/* return code compliant with OpenSSL : + * 1 if success, 0 if error + */ +int wolfSSL_DSA_generate_parameters_ex(WOLFSSL_DSA* dsa, int bits, + unsigned char* seed, int seedLen, + int* counterRet, + unsigned long* hRet, void* cb) +{ + int ret = SSL_FAILURE; + + (void)seed; + (void)seedLen; + (void)counterRet; + (void)hRet; + (void)cb; + + WOLFSSL_ENTER("wolfSSL_DSA_generate_parameters_ex"); + + if (dsa == NULL || dsa->internal == NULL) { + WOLFSSL_MSG("Bad arguments"); + return SSL_FAILURE; + } + +#ifdef WOLFSSL_KEY_GEN + { + int initTmpRng = 0; + RNG *rng = NULL; +#ifdef WOLFSSL_SMALL_STACK + RNG *tmpRNG = NULL; +#else + RNG tmpRNG[1]; +#endif + +#ifdef WOLFSSL_SMALL_STACK + tmpRNG = (RNG*)XMALLOC(sizeof(RNG), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (tmpRNG == NULL) + return SSL_FATAL_ERROR; +#endif + if (wc_InitRng(tmpRNG) == 0) { + rng = tmpRNG; + initTmpRng = 1; + } + else { + WOLFSSL_MSG("Bad RNG Init, trying global"); + if (initGlobalRNG == 0) + WOLFSSL_MSG("Global RNG no Init"); + else + rng = &globalRNG; + } + + if (rng) { + if (wc_MakeDsaParameters(rng, bits, + (DsaKey*)dsa->internal) != MP_OKAY) + WOLFSSL_MSG("wc_MakeDsaParameters failed"); + else if (SetDsaExternal(dsa) != SSL_SUCCESS) + WOLFSSL_MSG("SetDsaExternal failed"); + else { + dsa->inSet = 1; + ret = SSL_SUCCESS; + } + } + + if (initTmpRng) + wc_FreeRng(tmpRNG); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(tmpRNG, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + } +#else /* WOLFSSL_KEY_GEN */ + WOLFSSL_MSG("No Key Gen built in"); +#endif + + return ret; +} + /* return SSL_SUCCESS on success, < 0 otherwise */ int wolfSSL_DSA_do_sign(const unsigned char* d, unsigned char* sigRet, WOLFSSL_DSA* dsa) @@ -12616,6 +12803,7 @@ int wolfSSL_DSA_do_sign(const unsigned char* d, unsigned char* sigRet, return ret; } } + #ifdef WOLFSSL_SMALL_STACK tmpRNG = (RNG*)XMALLOC(sizeof(RNG), NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmpRNG == NULL) @@ -13202,20 +13390,123 @@ void wolfSSL_OPENSSL_free(void* p) XFREE(p, NULL, 0); } +#if defined(WOLFSSL_KEY_GEN) + +static int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher, + unsigned char* passwd, int passwdSz, byte **cipherInfo) +{ + int ret, paddingSz; + word32 idx, cipherInfoSz; +#ifdef WOLFSSL_SMALL_STACK + EncryptedInfo* info = NULL; +#else + EncryptedInfo info[1]; +#endif + + WOLFSSL_ENTER("EncryptDerKey"); + + if (der == NULL || derSz == NULL || cipher == NULL || + passwd == NULL || cipherInfo == NULL) + return BAD_FUNC_ARG; + +#ifdef WOLFSSL_SMALL_STACK + info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (info == NULL) { + WOLFSSL_MSG("malloc failed"); + return SSL_FAILURE; + } +#endif + info->set = 0; + info->ctx = NULL; + info->consumed = 0; + + /* set iv size */ + if (XSTRNCMP(cipher, "DES", 3) == 0) + info->ivSz = DES_IV_SIZE; + else if (XSTRNCMP(cipher, "AES", 3) == 0) + info->ivSz = AES_IV_SIZE; + else { + WOLFSSL_MSG("unsupported cipher"); +#ifdef WOLFSSL_SMALL_STACK + XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return SSL_FAILURE; + } + + /* set the cipher name on info */ + XSTRNCPY(info->name, cipher, NAME_SZ); + + /* Generate a random salt */ + if (wolfSSL_RAND_bytes(info->iv, info->ivSz) != SSL_SUCCESS) { + WOLFSSL_MSG("generate iv failed"); +#ifdef WOLFSSL_SMALL_STACK + XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return SSL_FAILURE; + } + + /* add the padding before encryption */ + paddingSz = ((*derSz)/info->ivSz + 1) * info->ivSz - (*derSz); + if (paddingSz == 0) + paddingSz = info->ivSz; + XMEMSET(der+(*derSz), (byte)paddingSz, paddingSz); + (*derSz) += paddingSz; + + /* encrypt buffer */ + if (wolfssl_encrypt_buffer_key(der, *derSz, + passwd, passwdSz, info) != SSL_SUCCESS) { + WOLFSSL_MSG("encrypt key failed"); +#ifdef WOLFSSL_SMALL_STACK + XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return SSL_FAILURE; + } + + /* create cipher info : 'cipher_name,Salt(hex)' */ + cipherInfoSz = (word32)(2*info->ivSz + XSTRLEN(info->name) + 2); + *cipherInfo = (byte*)XMALLOC(cipherInfoSz, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (*cipherInfo == NULL) { + WOLFSSL_MSG("malloc failed"); +#ifdef WOLFSSL_SMALL_STACK + XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return SSL_FAILURE; + } + XSTRNCPY((char*)*cipherInfo, info->name, cipherInfoSz); + XSTRNCAT((char*)*cipherInfo, ",", 1); + + idx = (word32)XSTRLEN((char*)*cipherInfo); + cipherInfoSz -= idx; + ret = Base16_Encode(info->iv, info->ivSz, *cipherInfo+idx, &cipherInfoSz); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + if (ret != 0) { + WOLFSSL_MSG("Base16_Encode failed"); + XFREE(*cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return SSL_FAILURE; + } + + return SSL_SUCCESS; +} +#endif /* defined(WOLFSSL_KEY_GEN) */ + #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) -int wolfSSL_PEM_write_buf_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, - unsigned char* passwd, int len, +/* return code compliant with OpenSSL : + * 1 if success, 0 if error + */ +int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, + unsigned char* passwd, int passwdSz, byte **pem, int *plen) { - (void)cipher; - (void)passwd; - (void)len; + byte *der, *tmp, *cipherInfo = NULL; + int der_max_len = 0, derSz = 0; - byte *der, *tmp; - int der_max_len = 0, derSz = 0; - - WOLFSSL_MSG("wolfSSL_PEM_write_buf_RSAPrivateKey"); + WOLFSSL_ENTER("wolfSSL_PEM_write_mem_RSAPrivateKey"); if (pem == NULL || plen == NULL || rsa == NULL || rsa->internal == NULL) { WOLFSSL_MSG("Bad function arguments"); @@ -13231,8 +13522,7 @@ int wolfSSL_PEM_write_buf_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, } } - der_max_len = 5 * wolfSSL_RSA_size(rsa); - printf("der_max_len = %d\n", der_max_len); + der_max_len = 5 * wolfSSL_RSA_size(rsa) + 16; der = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (der == NULL) { @@ -13248,23 +13538,45 @@ int wolfSSL_PEM_write_buf_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, return SSL_FAILURE; } - /* tmp buffer with a max size */ - *plen = (derSz * 2) + sizeof(BEGIN_RSA_PRIV) + sizeof(END_RSA_PRIV); + /* encrypt DER buffer if required */ + if (passwd != NULL && passwdSz > 0 && cipher != NULL) { + int ret; + + ret = EncryptDerKey(der, &derSz, cipher, + passwd, passwdSz, &cipherInfo); + if (ret != SSL_SUCCESS) { + WOLFSSL_MSG("EncryptDerKey failed"); + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return ret; + } + + /* tmp buffer with a max size */ + *plen = (derSz * 2) + sizeof(BEGIN_RSA_PRIV) + + sizeof(END_RSA_PRIV) + HEADER_ENCRYPTED_KEY_SIZE; + } + else /* tmp buffer with a max size */ + *plen = (derSz * 2) + sizeof(BEGIN_RSA_PRIV) + sizeof(END_RSA_PRIV); + tmp = (byte*)XMALLOC(*plen, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { WOLFSSL_MSG("malloc failed"); + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } /* DER to PEM */ - *plen = wc_DerToPem(der, derSz, tmp, *plen, PRIVATEKEY_TYPE); + *plen = wc_DerToPem(der, derSz, tmp, *plen, cipherInfo, PRIVATEKEY_TYPE); if (*plen <= 0) { WOLFSSL_MSG("wc_DerToPem failed"); XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (cipherInfo != NULL) + XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (cipherInfo != NULL) + XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER); if (*pem == NULL) { @@ -13275,29 +13587,30 @@ int wolfSSL_PEM_write_buf_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, XMEMSET(*pem, 0, (*plen)+1); if (XMEMCPY(*pem, tmp, *plen) == NULL) { - WOLFSSL_MSG("malloc failed"); + WOLFSSL_MSG("memcpy failed"); XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_SUCCESS; } +/* return code compliant with OpenSSL : + * 1 if success, 0 if error + */ int wolfSSL_PEM_write_RSAPrivateKey(FILE *fp, WOLFSSL_RSA *rsa, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u) { - (void)enc; - (void)kstr; - (void)klen; + byte *pem; + int plen, ret; + (void)cb; (void)u; - byte *pem; - int plen, ret; - WOLFSSL_MSG("wolfSSL_PEM_write_RSAPrivateKey"); if (fp == NULL || rsa == NULL || rsa->internal == NULL) { @@ -13305,9 +13618,9 @@ int wolfSSL_PEM_write_RSAPrivateKey(FILE *fp, WOLFSSL_RSA *rsa, return SSL_FAILURE; } - ret = wolfSSL_PEM_write_buf_RSAPrivateKey(rsa, enc, NULL, 0, &pem, &plen); - if (ret != 1) { - WOLFSSL_MSG("wolfSSL_PEM_write_buf_RSAPrivateKey failed"); + ret = wolfSSL_PEM_write_mem_RSAPrivateKey(rsa, enc, kstr, klen, &pem, &plen); + if (ret != SSL_SUCCESS) { + WOLFSSL_MSG("wolfSSL_PEM_write_mem_RSAPrivateKey failed"); return SSL_FAILURE; } @@ -13340,24 +13653,6 @@ int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, RSA* rsa, } #endif /* defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) */ -int wolfSSL_PEM_write_bio_ECPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ec, - const EVP_CIPHER* cipher, - unsigned char* passwd, int len, - pem_password_cb cb, void* arg) -{ - (void)bio; - (void)ec; - (void)cipher; - (void)passwd; - (void)len; - (void)cb; - (void)arg; - - WOLFSSL_MSG("wolfSSL_PEM_write_bio_ECPrivateKey not implemented"); - - return SSL_FAILURE; -} - #ifdef HAVE_ECC /* EC_POINT Openssl -> WolfSSL */ @@ -13447,7 +13742,7 @@ static int SetECKeyExternal(WOLFSSL_EC_KEY* eckey) if (eckey->pub_key->internal != NULL) { /* set the internal public key */ - if (ecc_copy_point(&key->pubkey, eckey->pub_key->internal) != MP_OKAY) { + if (wc_ecc_copy_point(&key->pubkey, eckey->pub_key->internal) != MP_OKAY) { WOLFSSL_MSG("SetECKeyExternal ecc_copy_point failed"); return SSL_FATAL_ERROR; } @@ -13486,29 +13781,38 @@ static int SetECKeyInternal(WOLFSSL_EC_KEY* eckey) key = (ecc_key*)eckey->internal; + /* validate group */ + if ((eckey->group->curve_idx < 0) || + (wc_ecc_is_valid_idx(eckey->group->curve_idx) == 0)) { + WOLFSSL_MSG("invalid curve idx"); + return SSL_FATAL_ERROR; + } + /* set group (idx of curve and corresponding domain parameters) */ key->idx = eckey->group->curve_idx; key->dp = &ecc_sets[key->idx]; /* set pubkey (point) */ - if (eckey->pub_key != NULL && eckey->pub_key->internal != NULL) { + if (eckey->pub_key != NULL) { if (SetECPointInternal(eckey->pub_key) != SSL_SUCCESS) { - WOLFSSL_MSG("SetECPointInternal failure"); + WOLFSSL_MSG("ec key pub error"); return SSL_FATAL_ERROR; } + + /* public key */ + key->type = ECC_PUBLICKEY; } /* set privkey */ - if (eckey->priv_key != NULL && eckey->priv_key->internal != NULL) { - key->type = ECC_PRIVATEKEY; - + if (eckey->priv_key != NULL) { if (SetIndividualInternal(eckey->priv_key, &key->k) != SSL_SUCCESS) { - WOLFSSL_MSG("rsa p key error"); + WOLFSSL_MSG("ec key priv error"); return SSL_FATAL_ERROR; } + + /* private key */ + key->type = ECC_PRIVATEKEY; } - else - key->type = ECC_PUBLICKEY; eckey->inSet = 1; @@ -13539,21 +13843,40 @@ const WOLFSSL_EC_GROUP *wolfSSL_EC_KEY_get0_group(const WOLFSSL_EC_KEY *key) return key->group; } + /* return code compliant with OpenSSL : * 1 if success, 0 if error */ int wolfSSL_EC_KEY_set_private_key(WOLFSSL_EC_KEY *key, const WOLFSSL_BIGNUM *priv_key) { - (void)key; - (void)priv_key; - WOLFSSL_ENTER("wolfSSL_EC_KEY_set_private_key"); - WOLFSSL_MSG("wolfSSL_EC_KEY_set_private_key TBD"); - return SSL_FAILURE; + if (key == NULL || priv_key == NULL) { + WOLFSSL_MSG("Bad arguments"); + return SSL_FAILURE; + } + + /* free key if previously set */ + if (key->priv_key != NULL) + wolfSSL_BN_free(key->priv_key); + + key->priv_key = wolfSSL_BN_dup(priv_key); + if (key->priv_key == NULL) { + WOLFSSL_MSG("key ecc priv key NULL"); + return SSL_FAILURE; + } + + if (SetECKeyInternal(key) != SSL_SUCCESS) { + WOLFSSL_MSG("SetECKeyInternal failed"); + wolfSSL_BN_free(key->priv_key); + return SSL_FAILURE; + } + + return SSL_SUCCESS; } + WOLFSSL_BIGNUM *wolfSSL_EC_KEY_get0_private_key(const WOLFSSL_EC_KEY *key) { WOLFSSL_ENTER("wolfSSL_EC_KEY_get0_private_key"); @@ -13807,14 +14130,14 @@ int wolfSSL_EC_KEY_set_public_key(WOLFSSL_EC_KEY *key, /* create new point if required */ if (key_p == NULL) - key_p = ecc_new_point(); + key_p = wc_ecc_new_point(); if (key_p == NULL) { WOLFSSL_MSG("key ecc point NULL"); return SSL_FAILURE; } - if (ecc_copy_point(pub_p, key_p) != MP_OKAY) { + if (wc_ecc_copy_point(pub_p, key_p) != MP_OKAY) { WOLFSSL_MSG("ecc_copy_point failure"); return SSL_FAILURE; } @@ -13829,7 +14152,6 @@ int wolfSSL_EC_KEY_set_public_key(WOLFSSL_EC_KEY *key, wolfssl_EC_POINT_dump("key->pub_key", key->pub_key); #endif return SSL_SUCCESS; - } /* End EC_KEY */ @@ -13885,6 +14207,7 @@ void wolfSSL_EC_GROUP_free(WOLFSSL_EC_GROUP *group) WOLFSSL_ENTER("wolfSSL_EC_GROUP_free"); XFREE(group, NULL, DYNAMIC_TYPE_ECC); + group = NULL; } void wolfSSL_EC_GROUP_set_asn1_flag(WOLFSSL_EC_GROUP *group, int flag) @@ -14092,7 +14415,7 @@ WOLFSSL_EC_POINT *wolfSSL_EC_POINT_new(const WOLFSSL_EC_GROUP *group) } XMEMSET(p, 0, sizeof(WOLFSSL_EC_POINT)); - p->internal = ecc_new_point(); + p->internal = wc_ecc_new_point(); if (p->internal == NULL) { WOLFSSL_MSG("ecc_new_point failure"); return NULL; @@ -14176,8 +14499,8 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, } /* r = q * m % prime */ - if (ecc_mulmod((mp_int*)m->internal, (ecc_point*)q->internal, - (ecc_point*)r->internal, &prime, 1) != MP_OKAY) { + if (wc_ecc_mulmod((mp_int*)m->internal, (ecc_point*)q->internal, + (ecc_point*)r->internal, &prime, 1) != MP_OKAY) { WOLFSSL_MSG("ecc_mulmod failure"); mp_clear(&prime); return SSL_FAILURE; @@ -14219,7 +14542,7 @@ int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group, return SSL_FATAL_ERROR; } - ret = ecc_cmp_point((ecc_point*)a->internal, (ecc_point*)b->internal); + ret = wc_ecc_cmp_point((ecc_point*)a->internal, (ecc_point*)b->internal); if (ret == MP_EQ) return 0; else if (ret == MP_LT || ret == MP_GT) @@ -14234,7 +14557,7 @@ void wolfSSL_EC_POINT_free(WOLFSSL_EC_POINT *p) if (p != NULL) { if (p->internal == NULL) { - ecc_del_point((ecc_point*)p->internal); + wc_ecc_del_point((ecc_point*)p->internal); XFREE(p->internal, NULL, DYNAMIC_TYPE_ECC); p->internal = NULL; } @@ -14275,7 +14598,7 @@ int wolfSSL_EC_POINT_is_at_infinity(const WOLFSSL_EC_GROUP *group, } } - ret = ecc_point_is_at_infinity(point->internal); + ret = wc_ecc_point_is_at_infinity(point->internal); if (ret <= 0) { WOLFSSL_MSG("ecc_point_is_at_infinity failure"); return SSL_FAILURE; @@ -14499,8 +14822,8 @@ int wolfSSL_ECDH_compute_key(void *out, size_t outlen, return len; } - /* End ECDH */ + /* return code compliant with OpenSSL : * 1 if success, 0 if error */ @@ -14514,19 +14837,184 @@ int wolfSSL_PEM_write_EC_PUBKEY(FILE *fp, WOLFSSL_EC_KEY *x) return SSL_FAILURE; } +#if defined(WOLFSSL_KEY_GEN) + +/* return code compliant with OpenSSL : + * 1 if success, 0 if error + */ +int wolfSSL_PEM_write_bio_ECPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ecc, + const EVP_CIPHER* cipher, + unsigned char* passwd, int len, + pem_password_cb cb, void* arg) +{ + (void)bio; + (void)ecc; + (void)cipher; + (void)passwd; + (void)len; + (void)cb; + (void)arg; + + WOLFSSL_MSG("wolfSSL_PEM_write_bio_ECPrivateKey not implemented"); + + return SSL_FAILURE; +} + +/* return code compliant with OpenSSL : + * 1 if success, 0 if error + */ +int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, + const EVP_CIPHER* cipher, + unsigned char* passwd, int passwdSz, + byte **pem, int *plen) +{ + byte *der, *tmp, *cipherInfo = NULL; + int der_max_len = 0, derSz = 0; + + WOLFSSL_MSG("wolfSSL_PEM_write_mem_ECPrivateKey"); + + if (pem == NULL || plen == NULL || ecc == NULL || ecc->internal == NULL) { + WOLFSSL_MSG("Bad function arguments"); + return SSL_FAILURE; + } + + if (ecc->inSet == 0) { + WOLFSSL_MSG("No ECC internal set, do it"); + + if (SetECKeyInternal(ecc) != SSL_SUCCESS) { + WOLFSSL_MSG("SetDsaInternal failed"); + return SSL_FAILURE; + } + } + + der_max_len = 4 * wc_ecc_size((ecc_key*)ecc->internal) + 16; + + der = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (der == NULL) { + WOLFSSL_MSG("malloc failed"); + return SSL_FAILURE; + } + + /* Key to DER */ + derSz = wc_EccKeyToDer(ecc->internal, der, der_max_len); + if (derSz < 0) { + WOLFSSL_MSG("wc_DsaKeyToDer failed"); + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return SSL_FAILURE; + } + + /* encrypt DER buffer if required */ + if (passwd != NULL && passwdSz > 0 && cipher != NULL) { + int ret; + + ret = EncryptDerKey(der, &derSz, cipher, + passwd, passwdSz, &cipherInfo); + if (ret != SSL_SUCCESS) { + WOLFSSL_MSG("EncryptDerKey failed"); + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return ret; + } + + /* tmp buffer with a max size */ + *plen = (derSz * 2) + sizeof(BEGIN_EC_PRIV) + + sizeof(END_EC_PRIV) + HEADER_ENCRYPTED_KEY_SIZE; + } + else /* tmp buffer with a max size */ + *plen = (derSz * 2) + sizeof(BEGIN_EC_PRIV) + sizeof(END_EC_PRIV); + + tmp = (byte*)XMALLOC(*plen, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (tmp == NULL) { + WOLFSSL_MSG("malloc failed"); + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return SSL_FAILURE; + } + + /* DER to PEM */ + *plen = wc_DerToPem(der, derSz, tmp, *plen, cipherInfo, ECC_PRIVATEKEY_TYPE); + if (*plen <= 0) { + WOLFSSL_MSG("wc_DerToPem failed"); + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (cipherInfo != NULL) + XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return SSL_FAILURE; + } + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (cipherInfo != NULL) + XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER); + if (*pem == NULL) { + WOLFSSL_MSG("malloc failed"); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return SSL_FAILURE; + } + XMEMSET(*pem, 0, (*plen)+1); + + if (XMEMCPY(*pem, tmp, *plen) == NULL) { + WOLFSSL_MSG("memcpy failed"); + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return SSL_FAILURE; + } + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + return SSL_SUCCESS; +} + +/* return code compliant with OpenSSL : + * 1 if success, 0 if error + */ +int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *ecc, + const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + byte *pem; + int plen, ret; + + (void)cb; + (void)u; + + WOLFSSL_MSG("wolfSSL_PEM_write_ECPrivateKey"); + + if (fp == NULL || ecc == NULL || ecc->internal == NULL) { + WOLFSSL_MSG("Bad function arguments"); + return SSL_FAILURE; + } + + ret = wolfSSL_PEM_write_mem_ECPrivateKey(ecc, enc, kstr, klen, &pem, &plen); + if (ret != SSL_SUCCESS) { + WOLFSSL_MSG("wolfSSL_PEM_write_mem_ECPrivateKey failed"); + return SSL_FAILURE; + } + + ret = (int)XFWRITE(pem, plen, 1, fp); + if (ret != 1) { + WOLFSSL_MSG("ECC private key file write failed"); + return SSL_FAILURE; + } + + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + return SSL_SUCCESS; +} + +#endif /* defined(WOLFSSL_KEY_GEN) */ #endif /* HAVE_ECC */ #ifndef NO_DSA +#if defined(WOLFSSL_KEY_GEN) + /* return code compliant with OpenSSL : * 1 if success, 0 if error */ -int wolfSSL_PEM_write_bio_DSAPrivateKey(WOLFSSL_BIO* bio, DSA* dsa, - const EVP_CIPHER* cipher, - unsigned char* passwd, int len, - pem_password_cb cb, void* arg) +int wolfSSL_PEM_write_bio_DSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_DSA* dsa, + const EVP_CIPHER* cipher, + unsigned char* passwd, int len, + pem_password_cb cb, void* arg) { (void)bio; (void)dsa; @@ -14544,31 +15032,23 @@ int wolfSSL_PEM_write_bio_DSAPrivateKey(WOLFSSL_BIO* bio, DSA* dsa, /* return code compliant with OpenSSL : * 1 if success, 0 if error */ -int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa, - const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) +int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, + const EVP_CIPHER* cipher, + unsigned char* passwd, int passwdSz, + byte **pem, int *plen) { - (void)enc; - (void)kstr; - (void)klen; - (void)cb; - (void)u; + byte *der, *tmp, *cipherInfo = NULL; + int der_max_len = 0, derSz = 0; - byte *der, *pem; - int derSz = 0, pemSz = 0; + WOLFSSL_MSG("wolfSSL_PEM_write_mem_DSAPrivateKey"); - - WOLFSSL_MSG("wolfSSL_PEM_write_DSAPrivateKey"); - - if (fp == NULL || dsa == NULL || dsa->internal == NULL || - kstr == NULL || klen <= 0) { + if (pem == NULL || plen == NULL || dsa == NULL || dsa->internal == NULL) { WOLFSSL_MSG("Bad function arguments"); return SSL_FAILURE; } if (dsa->inSet == 0) { - WOLFSSL_MSG("No RSA internal set, do it"); + WOLFSSL_MSG("No DSA internal set, do it"); if (SetDsaInternal(dsa) != SSL_SUCCESS) { WOLFSSL_MSG("SetDsaInternal failed"); @@ -14576,40 +15056,120 @@ int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa, } } - der = (byte*)XMALLOC(klen, NULL, DYNAMIC_TYPE_TMP_BUFFER); + der_max_len = 4 * wolfSSL_BN_num_bytes(dsa->g) + 16; + + der = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (der == NULL) { WOLFSSL_MSG("malloc failed"); return SSL_FAILURE; } /* Key to DER */ - derSz = wc_DsaKeyToDer(dsa->internal, der, klen); + derSz = wc_DsaKeyToDer(dsa->internal, der, der_max_len); if (derSz < 0) { + WOLFSSL_MSG("wc_DsaKeyToDer failed"); XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } - pemSz = (derSz * 4)/3 + 8; - pem = (byte*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (der == NULL) { + /* encrypt DER buffer if required */ + if (passwd != NULL && passwdSz > 0 && cipher != NULL) { + int ret; + + ret = EncryptDerKey(der, &derSz, cipher, + passwd, passwdSz, &cipherInfo); + if (ret != SSL_SUCCESS) { + WOLFSSL_MSG("EncryptDerKey failed"); + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return ret; + } + + /* tmp buffer with a max size */ + *plen = (derSz * 2) + sizeof(BEGIN_DSA_PRIV) + + sizeof(END_DSA_PRIV) + HEADER_ENCRYPTED_KEY_SIZE; + } + else /* tmp buffer with a max size */ + *plen = (derSz * 2) + sizeof(BEGIN_DSA_PRIV) + sizeof(END_DSA_PRIV); + + tmp = (byte*)XMALLOC(*plen, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (tmp == NULL) { WOLFSSL_MSG("malloc failed"); + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } /* DER to PEM */ - pemSz = wc_DerToPem(der, derSz, pem, pemSz, PRIVATEKEY_TYPE); - if (pemSz <= 0) { + *plen = wc_DerToPem(der, derSz, tmp, *plen, cipherInfo, DSA_PRIVATEKEY_TYPE); + if (*plen <= 0) { + WOLFSSL_MSG("wc_DerToPem failed"); XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (cipherInfo != NULL) + XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (cipherInfo != NULL) + XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); - fwrite(pem, 1, pemSz, fp); + *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER); + if (*pem == NULL) { + WOLFSSL_MSG("malloc failed"); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return SSL_FAILURE; + } + XMEMSET(*pem, 0, (*plen)+1); + + if (XMEMCPY(*pem, tmp, *plen) == NULL) { + WOLFSSL_MSG("memcpy failed"); + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return SSL_FAILURE; + } + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_SUCCESS; } +/* return code compliant with OpenSSL : + * 1 if success, 0 if error + */ +int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa, + const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + byte *pem; + int plen, ret; + + (void)cb; + (void)u; + + WOLFSSL_MSG("wolfSSL_PEM_write_DSAPrivateKey"); + + if (fp == NULL || dsa == NULL || dsa->internal == NULL) { + WOLFSSL_MSG("Bad function arguments"); + return SSL_FAILURE; + } + + ret = wolfSSL_PEM_write_mem_DSAPrivateKey(dsa, enc, kstr, klen, &pem, &plen); + if (ret != SSL_SUCCESS) { + WOLFSSL_MSG("wolfSSL_PEM_write_mem_DSAPrivateKey failed"); + return SSL_FAILURE; + } + + ret = (int)XFWRITE(pem, plen, 1, fp); + if (ret != 1) { + WOLFSSL_MSG("DSA private key file write failed"); + return SSL_FAILURE; + } + + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + return SSL_SUCCESS; +} + +#endif /* defined(WOLFSSL_KEY_GEN) */ + /* return code compliant with OpenSSL : * 1 if success, 0 if error */ @@ -14662,27 +15222,6 @@ WOLFSSL_EVP_PKEY *wolfSSL_PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x, return NULL; } -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *key, - const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - (void)fp; - (void)key; - (void)enc; - (void)kstr; - (void)klen; - (void)cb; - (void)u; - - WOLFSSL_MSG("wolfSSL_PEM_write_ECPrivateKey not implemented"); - - return SSL_FAILURE; -} - #ifndef NO_RSA WOLFSSL_RSA *wolfSSL_PEM_read_RSAPublicKey(FILE *fp, WOLFSSL_RSA **x, @@ -14943,7 +15482,9 @@ int wolfSSL_get_chain_cert_pem(WOLFSSL_X509_CHAIN* chain, int idx, return BAD_FUNC_ARG; /* header */ - XMEMCPY(buf, header, headerLen); + if (XMEMCPY(buf, header, headerLen) == NULL) + return SSL_FATAL_ERROR; + i = headerLen; /* body */ @@ -14956,7 +15497,8 @@ int wolfSSL_get_chain_cert_pem(WOLFSSL_X509_CHAIN* chain, int idx, /* footer */ if ( (i + footerLen) > inLen) return BAD_FUNC_ARG; - XMEMCPY(buf + i, footer, footerLen); + if (XMEMCPY(buf + i, footer, footerLen) == NULL) + return SSL_FATAL_ERROR; *outLen += headerLen + footerLen; return SSL_SUCCESS; diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 85f01a0d1..c9f8c74ad 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -55,6 +55,12 @@ int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz) } +int wc_AesCbcEncryptWithKey(byte* out, const byte* in, word32 inSz, + const byte* key, word32 keySz, const byte* iv) +{ + return AesCbcDecryptWithKey(out, in, inSz, key, keySz, iv); +} + int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz, const byte* key, word32 keySz, const byte* iv) { @@ -1748,6 +1754,33 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz, return ret; } +int wc_AesCbcEncryptWithKey(byte* out, const byte* in, word32 inSz, + const byte* key, word32 keySz, const byte* iv) +{ + int ret = 0; +#ifdef WOLFSSL_SMALL_STACK + Aes* aes = NULL; +#else + Aes aes[1]; +#endif + +#ifdef WOLFSSL_SMALL_STACK + aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (aes == NULL) + return MEMORY_E; +#endif + + ret = wc_AesSetKey(aes, key, keySz, iv, AES_ENCRYPTION); + if (ret == 0) + ret = wc_AesCbcEncrypt(aes, out, in, inSz); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(aes, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + return ret; +} + /* AES-DIRECT */ #if defined(WOLFSSL_AES_DIRECT) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 01fd2eaca..e9019456d 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1386,7 +1386,8 @@ int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, if (GetInt(&key->p, input, inOutIdx, inSz) < 0 || GetInt(&key->q, input, inOutIdx, inSz) < 0 || GetInt(&key->g, input, inOutIdx, inSz) < 0 || - GetInt(&key->y, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E; + GetInt(&key->y, input, inOutIdx, inSz) < 0 ) + return ASN_DH_KEY_E; key->type = DSA_PUBLIC; return 0; @@ -1408,7 +1409,8 @@ int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key, GetInt(&key->q, input, inOutIdx, inSz) < 0 || GetInt(&key->g, input, inOutIdx, inSz) < 0 || GetInt(&key->y, input, inOutIdx, inSz) < 0 || - GetInt(&key->x, input, inOutIdx, inSz) < 0 ) return ASN_DH_KEY_E; + GetInt(&key->x, input, inOutIdx, inSz) < 0 ) + return ASN_DH_KEY_E; key->type = DSA_PRIVATE; return 0; @@ -1423,9 +1425,9 @@ static mp_int* GetDsaInt(DsaKey* key, int idx) if (idx == 2) return &key->g; if (idx == 3) - return &key->x; - if (idx == 4) return &key->y; + if (idx == 4) + return &key->x; return NULL; } @@ -1445,7 +1447,7 @@ int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen) { word32 seqSz, verSz, rawLen, intTotalLen = 0; word32 sizes[DSA_INTS]; - int i, j, outLen, ret = 0; + int i, j, outLen, ret = 0, lbit; byte seq[MAX_SEQ_SZ]; byte ver[MAX_VERSION_SZ]; @@ -1463,7 +1465,15 @@ int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen) /* write all big ints from key to DER tmps */ for (i = 0; i < DSA_INTS; i++) { mp_int* keyInt = GetDsaInt(key, i); - rawLen = mp_unsigned_bin_size(keyInt); + + /* leading zero */ + if ((mp_count_bits(keyInt) & 7) == 0 || mp_iszero(keyInt) == MP_YES) + lbit = 1; + else + lbit = 0; + + rawLen = mp_unsigned_bin_size(keyInt) + lbit; + tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, NULL, DYNAMIC_TYPE_DSA); if (tmps[i] == NULL) { ret = MEMORY_E; @@ -1471,12 +1481,16 @@ int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen) } tmps[i][0] = ASN_INTEGER; - sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1; /* int tag */ + sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1 + lbit; /* tag & lbit */ if (sizes[i] <= MAX_SEQ_SZ) { + /* leading zero */ + if (lbit) + tmps[i][sizes[i]-1] = 0x00; + int err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]); if (err == MP_OKAY) { - sizes[i] += rawLen; + sizes[i] += (rawLen-lbit); /* lbit included in rawLen */ intTotalLen += sizes[i]; } else { @@ -4641,24 +4655,42 @@ WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output) +const char* BEGIN_CERT = "-----BEGIN CERTIFICATE-----"; +const char* END_CERT = "-----END CERTIFICATE-----"; +const char* BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; +const char* END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; +const char* BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; +const char* END_DH_PARAM = "-----END DH PARAMETERS-----"; +const char* BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; +const char* END_X509_CRL = "-----END X509 CRL-----"; +const char* BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; +const char* END_RSA_PRIV = "-----END RSA PRIVATE KEY-----"; +const char* BEGIN_PRIV_KEY = "-----BEGIN PRIVATE KEY-----"; +const char* END_PRIV_KEY = "-----END PRIVATE KEY-----"; +const char* BEGIN_ENC_PRIV_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; +const char* END_ENC_PRIV_KEY = "-----END ENCRYPTED PRIVATE KEY-----"; +const char* BEGIN_EC_PRIV = "-----BEGIN EC PRIVATE KEY-----"; +const char* END_EC_PRIV = "-----END EC PRIVATE KEY-----"; +const char* BEGIN_DSA_PRIV = "-----BEGIN DSA PRIVATE KEY-----"; +const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; -#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || !defined(NO_DSA) +#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) /* convert der buffer to pem into output, can't do inplace, der and output need to be different */ int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz, - int type) + byte *cipher_info, int type) { #ifdef WOLFSSL_SMALL_STACK char* header = NULL; char* footer = NULL; #else - char header[80]; - char footer[80]; + char header[40 + HEADER_ENCRYPTED_KEY_SIZE]; + char footer[40]; #endif - int headerLen = 80; - int footerLen = 80; + int headerLen = 40 + HEADER_ENCRYPTED_KEY_SIZE; + int footerLen = 40; int i; int err; int outLen; /* return length or error */ @@ -4670,36 +4702,55 @@ int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz, header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (header == NULL) return MEMORY_E; - + footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (footer == NULL) { XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } #endif - if (type == CERT_TYPE) { - XSTRNCPY(header, "-----BEGIN CERTIFICATE-----\n", headerLen); - XSTRNCPY(footer, "-----END CERTIFICATE-----\n", footerLen); + XSTRNCPY(header, BEGIN_CERT, headerLen); + XSTRNCAT(header, "\n", 1); + + XSTRNCPY(footer, END_CERT, footerLen); + XSTRNCAT(footer, "\n", 1); } else if (type == PRIVATEKEY_TYPE) { - XSTRNCPY(header, "-----BEGIN RSA PRIVATE KEY-----\n", headerLen); - XSTRNCPY(footer, "-----END RSA PRIVATE KEY-----\n", footerLen); + XSTRNCPY(header, BEGIN_RSA_PRIV, headerLen); + XSTRNCAT(header, "\n", 1); + + XSTRNCPY(footer, END_RSA_PRIV, footerLen); + XSTRNCAT(footer, "\n", 1); } - #ifdef HAVE_ECC +#ifndef NO_DSA + else if (type == DSA_PRIVATEKEY_TYPE) { + XSTRNCPY(header, BEGIN_DSA_PRIV, headerLen); + XSTRNCAT(header, "\n", 1); + + XSTRNCPY(footer, END_DSA_PRIV, footerLen); + XSTRNCAT(footer, "\n", 1); + } +#endif +#ifdef HAVE_ECC else if (type == ECC_PRIVATEKEY_TYPE) { - XSTRNCPY(header, "-----BEGIN EC PRIVATE KEY-----\n", headerLen); - XSTRNCPY(footer, "-----END EC PRIVATE KEY-----\n", footerLen); + XSTRNCPY(header, BEGIN_EC_PRIV, headerLen); + XSTRNCAT(header, "\n", 1); + + XSTRNCPY(footer, END_EC_PRIV, footerLen); + XSTRNCAT(footer, "\n", 1); } - #endif - #ifdef WOLFSSL_CERT_REQ +#endif +#ifdef WOLFSSL_CERT_REQ else if (type == CERTREQ_TYPE) { - XSTRNCPY(header, - "-----BEGIN CERTIFICATE REQUEST-----\n", headerLen); - XSTRNCPY(footer, "-----END CERTIFICATE REQUEST-----\n", footerLen); + XSTRNCPY(header, BEGIN_CERT_REQ, headerLen); + XSTRNCAT(header, "\n", 1); + + XSTRNCPY(footer, END_CERT_REQ, footerLen); + XSTRNCAT(footer, "\n", 1); } - #endif +#endif else { #ifdef WOLFSSL_SMALL_STACK XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -4708,6 +4759,14 @@ int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz, return BAD_FUNC_ARG; } + /* extra header information for encrypted key */ + if (cipher_info != NULL) { + XSTRNCAT(header, "Proc-Type: 4,ENCRYPTED\n", 23); + XSTRNCAT(header, "DEK-Info: ", 10); + XSTRNCAT(header, (char*)cipher_info, XSTRLEN((char*)cipher_info)); + XSTRNCAT(header, "\n\n", 2); + } + headerLen = (int)XSTRLEN(header); footerLen = (int)XSTRLEN(footer); @@ -4762,7 +4821,6 @@ int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz, return outLen + headerLen + footerLen; } - #endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */ @@ -4810,7 +4868,7 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) { word32 seqSz, verSz, rawLen, intTotalLen = 0; word32 sizes[RSA_INTS]; - int i, j, outLen, ret = 0; + int i, j, outLen, ret = 0, lbit; byte seq[MAX_SEQ_SZ]; byte ver[MAX_VERSION_SZ]; @@ -4828,7 +4886,15 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) /* write all big ints from key to DER tmps */ for (i = 0; i < RSA_INTS; i++) { mp_int* keyInt = GetRsaInt(key, i); - rawLen = mp_unsigned_bin_size(keyInt); + + /* leading zero */ + if ((mp_count_bits(keyInt) & 7) == 0 || mp_iszero(keyInt) == MP_YES) + lbit = 1; + else + lbit = 0; + + rawLen = mp_unsigned_bin_size(keyInt) + lbit; + tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, DYNAMIC_TYPE_RSA); if (tmps[i] == NULL) { @@ -4837,12 +4903,16 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) } tmps[i][0] = ASN_INTEGER; - sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1; /* int tag */ + sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1 + lbit; /* tag & lbit */ if (sizes[i] <= MAX_SEQ_SZ) { + /* leading zero */ + if (lbit) + tmps[i][sizes[i]-1] = 0x00; + int err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]); if (err == MP_OKAY) { - sizes[i] += rawLen; + sizes[i] += (rawLen-lbit); /* lbit included in rawLen */ intTotalLen += sizes[i]; } else { @@ -6846,84 +6916,109 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key, /* Write a Private ecc key to DER format, length on success else < 0 */ int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen) { - byte curve[MAX_ALGO_SZ]; + byte curve[MAX_ALGO_SZ+2]; byte ver[MAX_VERSION_SZ]; byte seq[MAX_SEQ_SZ]; - int ret; - int curveSz; - int verSz; + byte *prv, *pub; + int ret, totalSz, curveSz, verSz; int privHdrSz = ASN_ECC_HEADER_SZ; int pubHdrSz = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ; - int curveHdrSz = ASN_ECC_CONTEXT_SZ; - word32 seqSz; - word32 idx = 0; - word32 pubSz = ECC_BUFSIZE; - word32 privSz; - word32 totalSz; + + word32 idx = 0, prvidx = 0, pubidx = 0, curveidx = 0; + word32 seqSz, privSz, pubSz = ECC_BUFSIZE; if (key == NULL || output == NULL || inLen == 0) return BAD_FUNC_ARG; - ret = wc_ecc_export_x963(key, NULL, &pubSz); - if (ret != LENGTH_ONLY_E) { + /* curve */ + curve[curveidx++] = ECC_PREFIX_0; + curveidx++ /* to put the size after computation */; + curveSz = SetCurve(key, curve+curveidx); + if (curveSz < 0) + return curveSz; + /* set computed size */ + curve[1] = (byte)curveSz; + curveidx += curveSz; + + /* private */ + privSz = key->dp->size; + prv = (byte*)XMALLOC(privSz + privHdrSz + MAX_SEQ_SZ, + NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (prv == NULL) { + return MEMORY_E; + } + prv[prvidx++] = ASN_OCTET_STRING; + prv[prvidx++] = (byte)key->dp->size; + ret = wc_ecc_export_private_only(key, prv + prvidx, &privSz); + if (ret < 0) { + XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); return ret; } - curveSz = SetCurve(key, curve); - if (curveSz < 0) { - return curveSz; + prvidx += privSz; + + /* public */ + ret = wc_ecc_export_x963(key, NULL, &pubSz); + if (ret != LENGTH_ONLY_E) { + XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return ret; } - privSz = key->dp->size; + pub = (byte*)XMALLOC(pubSz + pubHdrSz + MAX_SEQ_SZ, + NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (pub == NULL) { + XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return MEMORY_E; + } + pub[pubidx++] = ECC_PREFIX_1; + if (pubSz > 128) /* leading zero + extra size byte */ + pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 2, pub+pubidx); + else /* leading zero */ + pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 1, pub+pubidx); + pub[pubidx++] = ASN_BIT_STRING; + pubidx += SetLength(pubSz + 1, pub+pubidx); + pub[pubidx++] = (byte)0; /* leading zero */ + ret = wc_ecc_export_x963(key, pub + pubidx, &pubSz); + if (ret != 0) { + XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return ret; + } + pubidx += pubSz; + + /* make headers */ verSz = SetMyVersion(1, ver, FALSE); - if (verSz < 0) { - return verSz; + seqSz = SetSequence(verSz + prvidx + pubidx + curveidx, seq); + + totalSz = prvidx + pubidx + curveidx + verSz + seqSz; + if (totalSz > (int)inLen) { + XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return BAD_FUNC_ARG; } - totalSz = verSz + privSz + privHdrSz + curveSz + curveHdrSz + - pubSz + pubHdrSz + 1; /* plus null byte b4 public */ - seqSz = SetSequence(totalSz, seq); - totalSz += seqSz; - - if (totalSz > inLen) { - return BUFFER_E; - } - - /* write it out */ + /* write out */ /* seq */ XMEMCPY(output + idx, seq, seqSz); - idx += seqSz; + idx = seqSz; - /* ver */ + /* ver */ XMEMCPY(output + idx, ver, verSz); idx += verSz; /* private */ - output[idx++] = ASN_OCTET_STRING; - output[idx++] = (byte)privSz; - ret = wc_ecc_export_private_only(key, output + idx, &privSz); - if (ret < 0) { - return ret; - } - idx += privSz; + XMEMCPY(output + idx, prv, prvidx); + idx += prvidx; + XFREE(prv, NULL, DYNAMIC_TYPE_TMP_BUFFER); /* curve */ - output[idx++] = ECC_PREFIX_0; - output[idx++] = (byte)curveSz; - XMEMCPY(output + idx, curve, curveSz); - idx += curveSz; + XMEMCPY(output + idx, curve, curveidx); + idx += curveidx; /* public */ - output[idx++] = ECC_PREFIX_1; - output[idx++] = (byte)pubSz + ASN_ECC_CONTEXT_SZ + 1; /* plus null byte */ - output[idx++] = ASN_BIT_STRING; - output[idx++] = (byte)pubSz + 1; /* plus null byte */ - output[idx++] = (byte)0; /* null byte */ - ret = wc_ecc_export_x963(key, output + idx, &pubSz); - if (ret != 0) { - return ret; - } - /* idx += pubSz if do more later */ + XMEMCPY(output + idx, pub, pubidx); + idx += pubidx; + XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER); return totalSz; } diff --git a/wolfcrypt/src/coding.c b/wolfcrypt/src/coding.c index 6ead79caf..bed85a5a1 100644 --- a/wolfcrypt/src/coding.c +++ b/wolfcrypt/src/coding.c @@ -393,6 +393,39 @@ int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen) return 0; } +int Base16_Encode(const byte* in, word32 inLen, byte* out, word32* outLen) +{ + word32 outIdx = 0; + word32 i; + byte hb, lb; + + if (*outLen < (2 * inLen + 1)) + return BAD_FUNC_ARG; + + for (i = 0; i < inLen; i++) { + hb = in[i] >> 4; + lb = in[i] & 0x0f; + + /* ASCII value */ + hb += '0'; + if (hb > '9') + hb += 7; + + /* ASCII value */ + lb += '0'; + if (lb>'9') + lb += 7; + + out[outIdx++] = hb; + out[outIdx++] = lb; + } + + /* force 0 at this end */ + out[outIdx++] = 0; + + *outLen = outIdx; + return 0; +} #endif /* (OPENSSL_EXTRA) || (HAVE_WEBSERVER) || (HAVE_FIPS) */ diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c index f886ecdc7..ee068a0bc 100644 --- a/wolfcrypt/src/des3.c +++ b/wolfcrypt/src/des3.c @@ -91,8 +91,14 @@ void wc_Des_SetIV(Des* des, const byte* iv) } -int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, +int wc_Des_CbcEncryptWithKey(byte* out, const byte* in, word32 sz, const byte* key, const byte* iv) +{ + return Des_CbcEncryptWithKey(out, in, sz, key, iv); +} + +int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, + const byte* key, const byte* iv) { return Des_CbcDecryptWithKey(out, in, sz, key, iv); } @@ -104,13 +110,18 @@ int wc_Des3_SetIV(Des3* des, const byte* iv) } +int wc_Des3_CbcEncryptWithKey(byte* out, const byte* in, word32 sz, + const byte* key, const byte* iv) +{ + return Des3_CbcEncryptWithKey(out, in, sz, key, iv); +} + int wc_Des3_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, - const byte* key, const byte* iv) + const byte* key, const byte* iv) { return Des3_CbcDecryptWithKey(out, in, sz, key, iv); } - #ifdef HAVE_CAVIUM /* Initiliaze Des3 for use with Nitrox device */ @@ -1490,8 +1501,35 @@ void wc_Des_SetIV(Des* des, const byte* iv) } +int wc_Des_CbcEncryptWithKey(byte* out, const byte* in, word32 sz, + const byte* key, const byte* iv) +{ + int ret = 0; +#ifdef WOLFSSL_SMALL_STACK + Des* des = NULL; +#else + Des des[1]; +#endif + +#ifdef WOLFSSL_SMALL_STACK + des = (Des*)XMALLOC(sizeof(Des), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (des == NULL) + return MEMORY_E; +#endif + + ret = wc_Des_SetKey(des, key, iv, DES_ENCRYPTION); + if (ret == 0) + ret = wc_Des_CbcEncrypt(des, out, in, sz); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(des, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + return ret; +} + int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, - const byte* key, const byte* iv) + const byte* key, const byte* iv) { int ret = 0; #ifdef WOLFSSL_SMALL_STACK @@ -1508,7 +1546,7 @@ int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, ret = wc_Des_SetKey(des, key, iv, DES_DECRYPTION); if (ret == 0) - ret = wc_Des_CbcDecrypt(des, out, in, sz); + ret = wc_Des_CbcDecrypt(des, out, in, sz); #ifdef WOLFSSL_SMALL_STACK XFREE(des, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -1529,8 +1567,35 @@ int wc_Des3_SetIV(Des3* des, const byte* iv) } +int wc_Des3_CbcEncryptWithKey(byte* out, const byte* in, word32 sz, + const byte* key, const byte* iv) +{ + int ret = 0; +#ifdef WOLFSSL_SMALL_STACK + Des3* des3 = NULL; +#else + Des3 des3[1]; +#endif + +#ifdef WOLFSSL_SMALL_STACK + des3 = (Des3*)XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (des3 == NULL) + return MEMORY_E; +#endif + + ret = wc_Des3_SetKey(des3, key, iv, DES_ENCRYPTION); + if (ret == 0) + ret = wc_Des3_CbcEncrypt(des3, out, in, sz); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(des3, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + return ret; +} + int wc_Des3_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, - const byte* key, const byte* iv) + const byte* key, const byte* iv) { int ret = 0; #ifdef WOLFSSL_SMALL_STACK @@ -1547,7 +1612,7 @@ int wc_Des3_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, ret = wc_Des3_SetKey(des3, key, iv, DES_DECRYPTION); if (ret == 0) - ret = wc_Des3_CbcDecrypt(des3, out, in, sz); + ret = wc_Des3_CbcDecrypt(des3, out, in, sz); #ifdef WOLFSSL_SMALL_STACK XFREE(des3, NULL, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c index f2124b197..1f9308e86 100644 --- a/wolfcrypt/src/dsa.c +++ b/wolfcrypt/src/dsa.c @@ -27,10 +27,12 @@ #ifndef NO_DSA -#include -#include #include +#include #include +#include +#include +#include enum { @@ -80,6 +82,266 @@ void wc_FreeDsaKey(DsaKey* key) #endif } +#ifdef WOLFSSL_KEY_GEN + +int wc_MakeDsaKey(RNG *rng, DsaKey *dsa) +{ + unsigned char *buf; + int qsize, err; + + if (rng == NULL || dsa == NULL) + return BAD_FUNC_ARG; + + qsize = mp_unsigned_bin_size(&dsa->q); + + /* allocate ram */ + buf = (unsigned char *)XMALLOC(qsize, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (buf == NULL) + return MEMORY_E; + + if (mp_init(&dsa->x) != MP_OKAY) { + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return MP_INIT_E; + } + + do { + /* make a random exponent mod q */ + err = wc_RNG_GenerateBlock(rng, buf, qsize); + if (err != MP_OKAY) { + mp_clear(&dsa->x); + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return err; + } + + /* force magnitude */ + buf[0] |= 0xC0; + + err = mp_read_unsigned_bin(&dsa->x, buf, qsize); + if (err != MP_OKAY) { + mp_clear(&dsa->x); + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return err; + } + } while (mp_cmp_d(&dsa->x, 1) != MP_GT); + + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + if (mp_init(&dsa->y) != MP_OKAY) { + mp_clear(&dsa->x); + return MP_INIT_E; + } + + /* public key : y = g^x mod p */ + err = mp_exptmod(&dsa->g, &dsa->x, &dsa->p, &dsa->y); + if (err != MP_OKAY) { + mp_clear(&dsa->x); + mp_clear(&dsa->y); + return err; + } + + dsa->type = DSA_PRIVATE; + + return MP_OKAY; +} + +/* modulus_size in bits */ +int wc_MakeDsaParameters(RNG *rng, int modulus_size, DsaKey *dsa) +{ + mp_int tmp, tmp2; + int err, res, msize, qsize, loop; + unsigned char *buf; + + if (rng == NULL || dsa == NULL) + return BAD_FUNC_ARG; + + /* set group size in bytes from modulus size + * FIPS 186-4 defines valid values (1024, 160) (2048, 256) (3072, 256) + */ + switch (modulus_size) { + case 1024: + qsize = 20; + break; + case 2048: + case 3072: + qsize = 32; + break; + default: + return BAD_FUNC_ARG; + break; + } + + /* modulus size in bytes */ + msize = modulus_size / 8; + + if (mp_init(&dsa->q) != MP_OKAY) + return MP_INIT_E; + + /* make our prime q */ + err = mp_rand_prime(&dsa->q, qsize, rng, NULL); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + return err; + } + + if (mp_init(&tmp) != MP_OKAY) { + mp_clear(&dsa->q); + return MP_INIT_E; + } + + /* tmp = 2q */ + err = mp_add(&dsa->q, &dsa->q, &tmp); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&tmp); + return err; + } + + /* allocate ram */ + buf = (unsigned char *)XMALLOC(msize - qsize, + NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (buf == NULL) { + mp_clear(&dsa->q); + mp_clear(&tmp); + return MEMORY_E; + } + + /* now make a random string and multply it against q */ + err = wc_RNG_GenerateBlock(rng, buf, msize - qsize); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&tmp); + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return err; + } + + /* force magnitude */ + buf[0] |= 0xC0; + + /* force even */ + buf[msize - qsize - 1] &= ~1; + + if (mp_init_multi(&tmp2, &dsa->p, 0, 0, 0, 0) != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&tmp); + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return MP_INIT_E; + } + + err = mp_read_unsigned_bin(&tmp2, buf, msize - qsize); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp); + mp_clear(&tmp2); + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return err; + } + XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + /* p = tmp2 * q */ + err = mp_mul(&dsa->q, &tmp2, &dsa->p); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp); + mp_clear(&tmp2); + return err; + } + + /* p = tmp2 * q + 1, so q is a prime divisor of p-1 */ + err = mp_add_d(&dsa->p, 1, &dsa->p); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp); + mp_clear(&tmp2); + return err; + } + + /* loop until p is prime */ + for (loop = 0; loop++;) { + err = mp_prime_is_prime(&dsa->p, 8, &res); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp); + mp_clear(&tmp2); + return err; + } + + if (res == MP_YES) + break; + + /* p += 2q */ + err = mp_add(&tmp, &dsa->p, &dsa->p); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp); + mp_clear(&tmp2); + return err; + } + } + + /* tmp2 += (2*loop) + * to have p = (q * tmp2) + 1 prime + */ + if (loop) { + err = mp_add_d(&tmp2, 2*loop, &tmp2); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp); + mp_clear(&tmp2); + return err; + } + } + + if (mp_init(&dsa->g) != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp); + mp_clear(&tmp2); + return MP_INIT_E; + } + + /* find a value g for which g^tmp2 != 1 */ + mp_set(&dsa->g, 1); + + do { + err = mp_add_d(&dsa->g, 1, &dsa->g); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&dsa->g); + mp_clear(&tmp); + mp_clear(&tmp2); + return err; + } + + err = mp_exptmod(&dsa->g, &tmp2, &dsa->p, &tmp); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&dsa->g); + mp_clear(&tmp); + mp_clear(&tmp2); + return err; + } + + } while (mp_cmp_d(&tmp, 1) == MP_EQ); + + /* at this point tmp generates a group of order q mod p */ + mp_exch(&tmp, &dsa->g); + + mp_clear(&tmp); + mp_clear(&tmp2); + + return MP_OKAY; +} +#endif /* WOLFSSL_KEY_GEN */ + int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, RNG* rng) { diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 42411a7b8..d247cb3b7 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -1014,7 +1014,7 @@ int ecc_map(ecc_point* P, mp_int* modulus, mp_digit* mp) static int normal_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, int map) #else -int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, +int wc_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, int map) #endif { @@ -1043,10 +1043,10 @@ int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, /* alloc ram for window temps */ for (i = 0; i < 8; i++) { - M[i] = ecc_new_point(); + M[i] = wc_ecc_new_point(); if (M[i] == NULL) { for (j = 0; j < i; j++) { - ecc_del_point(M[j]); + wc_ecc_del_point(M[j]); } mp_clear(&mu); return MEMORY_E; @@ -1054,7 +1054,7 @@ int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, } /* make a copy of G incase R==G */ - tG = ecc_new_point(); + tG = wc_ecc_new_point(); if (tG == NULL) err = MEMORY_E; @@ -1204,9 +1204,9 @@ int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, err = ecc_map(R, modulus, &mp); mp_clear(&mu); - ecc_del_point(tG); + wc_ecc_del_point(tG); for (i = 0; i < 8; i++) { - ecc_del_point(M[i]); + wc_ecc_del_point(M[i]); } return err; } @@ -1229,7 +1229,7 @@ int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, static int normal_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, int map) #else -int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, +int wc_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, int map) #endif { @@ -1257,10 +1257,10 @@ int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, /* alloc ram for window temps */ for (i = 0; i < 3; i++) { - M[i] = ecc_new_point(); + M[i] = wc_ecc_new_point(); if (M[i] == NULL) { for (j = 0; j < i; j++) { - ecc_del_point(M[j]); + wc_ecc_del_point(M[j]); } mp_clear(&mu); return MEMORY_E; @@ -1268,7 +1268,7 @@ int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, } /* make a copy of G incase R==G */ - tG = ecc_new_point(); + tG = wc_ecc_new_point(); if (tG == NULL) err = MEMORY_E; @@ -1364,9 +1364,9 @@ int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, /* done */ mp_clear(&mu); - ecc_del_point(tG); + wc_ecc_del_point(tG); for (i = 0; i < 3; i++) { - ecc_del_point(M[i]); + wc_ecc_del_point(M[i]); } return err; } @@ -1389,7 +1389,7 @@ static void alt_fp_init(fp_int* a) Allocate a new ECC point return A newly allocated point or NULL on error */ -ecc_point* ecc_new_point(void) +ecc_point* wc_ecc_new_point(void) { ecc_point* p; @@ -1425,7 +1425,7 @@ ecc_point* ecc_new_point(void) /** Free an ECC point from memory p The point to free */ -void ecc_del_point(ecc_point* p) +void wc_ecc_del_point(ecc_point* p) { /* prevents free'ing null arguments */ if (p != NULL) { @@ -1440,7 +1440,7 @@ void ecc_del_point(ecc_point* p) p The point to copy r The created point */ -int ecc_copy_point(ecc_point* p, ecc_point *r) +int wc_ecc_copy_point(ecc_point* p, ecc_point *r) { int ret; @@ -1467,7 +1467,7 @@ int ecc_copy_point(ecc_point* p, ecc_point *r) return MP_EQ if equal, MP_LT/MP_GT if not, < 0 in case of error */ -int ecc_cmp_point(ecc_point* a, ecc_point *b) +int wc_ecc_cmp_point(ecc_point* a, ecc_point *b) { int ret; @@ -1492,7 +1492,7 @@ int ecc_cmp_point(ecc_point* a, ecc_point *b) n The idx number to check return 1 if valid, 0 if not */ -static int ecc_is_valid_idx(int n) +int wc_ecc_is_valid_idx(int n) { int x; @@ -1533,28 +1533,28 @@ int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out, return ECC_BAD_ARG_E; } - if (ecc_is_valid_idx(private_key->idx) == 0 || - ecc_is_valid_idx(public_key->idx) == 0) + if (wc_ecc_is_valid_idx(private_key->idx) == 0 || + wc_ecc_is_valid_idx(public_key->idx) == 0) return ECC_BAD_ARG_E; if (XSTRNCMP(private_key->dp->name, public_key->dp->name, ECC_MAXNAME) != 0) return ECC_BAD_ARG_E; /* make new point */ - result = ecc_new_point(); + result = wc_ecc_new_point(); if (result == NULL) { return MEMORY_E; } if ((err = mp_init(&prime)) != MP_OKAY) { - ecc_del_point(result); + wc_ecc_del_point(result); return err; } err = mp_read_radix(&prime, (char *)private_key->dp->prime, 16); if (err == MP_OKAY) - err = ecc_mulmod(&private_key->k, &public_key->pubkey, result, &prime,1); + err = wc_ecc_mulmod(&private_key->k, &public_key->pubkey, result, &prime,1); if (err == MP_OKAY) { x = mp_unsigned_bin_size(&prime); @@ -1570,7 +1570,7 @@ int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out, } mp_clear(&prime); - ecc_del_point(result); + wc_ecc_del_point(result); return err; } @@ -1600,24 +1600,24 @@ int wc_ecc_shared_secret_ssh(ecc_key* private_key, ecc_point* point, return ECC_BAD_ARG_E; } - if (ecc_is_valid_idx(private_key->idx) == 0) + if (wc_ecc_is_valid_idx(private_key->idx) == 0) return ECC_BAD_ARG_E; /* make new point */ - result = ecc_new_point(); + result = wc_ecc_new_point(); if (result == NULL) { return MEMORY_E; } if ((err = mp_init(&prime)) != MP_OKAY) { - ecc_del_point(result); + wc_ecc_del_point(result); return err; } err = mp_read_radix(&prime, (char *)private_key->dp->prime, 16); if (err == MP_OKAY) - err = ecc_mulmod(&private_key->k, point, result, &prime, 1); + err = wc_ecc_mulmod(&private_key->k, point, result, &prime, 1); if (err == MP_OKAY) { x = mp_unsigned_bin_size(&prime); @@ -1633,14 +1633,14 @@ int wc_ecc_shared_secret_ssh(ecc_key* private_key, ecc_point* point, } mp_clear(&prime); - ecc_del_point(result); + wc_ecc_del_point(result); return err; } /* return 1 if point is at infinity, 0 if not, < 0 on error */ -int ecc_point_is_at_infinity(ecc_point* p) +int wc_ecc_point_is_at_infinity(ecc_point* p) { if (p == NULL) return BAD_FUNC_ARG; @@ -1708,7 +1708,7 @@ static int wc_ecc_make_key_ex(RNG* rng, ecc_key* key, const ecc_set_type* dp) } if (err == MP_OKAY) { - base = ecc_new_point(); + base = wc_ecc_new_point(); if (base == NULL) err = MEMORY_E; } @@ -1735,7 +1735,7 @@ static int wc_ecc_make_key_ex(RNG* rng, ecc_key* key, const ecc_set_type* dp) } /* make the public key */ if (err == MP_OKAY) - err = ecc_mulmod(&key->k, base, &key->pubkey, &prime, 1); + err = wc_ecc_mulmod(&key->k, base, &key->pubkey, &prime, 1); #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN /* validate the public key, order * pubkey = point at infinity */ @@ -1753,7 +1753,7 @@ static int wc_ecc_make_key_ex(RNG* rng, ecc_key* key, const ecc_set_type* dp) mp_clear(key->pubkey.z); mp_clear(&key->k); } - ecc_del_point(base); + wc_ecc_del_point(base); if (po_init) { mp_clear(&prime); mp_clear(&order); @@ -1886,7 +1886,7 @@ int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, RNG* rng, } /* is the IDX valid ? */ - if (ecc_is_valid_idx(key->idx) != 1) { + if (wc_ecc_is_valid_idx(key->idx) != 1) { return ECC_BAD_ARG_E; } @@ -2059,10 +2059,10 @@ static int ecc_mul2add(ecc_point* A, mp_int* kA, /* allocate the table */ if (err == MP_OKAY) { for (x = 0; x < 16; x++) { - precomp[x] = ecc_new_point(); + precomp[x] = wc_ecc_new_point(); if (precomp[x] == NULL) { for (y = 0; y < x; ++y) { - ecc_del_point(precomp[y]); + wc_ecc_del_point(precomp[y]); } err = GEN_MEM_ERR; break; @@ -2203,7 +2203,7 @@ static int ecc_mul2add(ecc_point* A, mp_int* kA, if (tableInit) { for (x = 0; x < 16; x++) { - ecc_del_point(precomp[x]); + wc_ecc_del_point(precomp[x]); } } ForceZero(tA, ECC_BUFSIZE); @@ -2300,7 +2300,7 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash, *stat = 0; /* is the IDX valid ? */ - if (ecc_is_valid_idx(key->idx) != 1) { + if (wc_ecc_is_valid_idx(key->idx) != 1) { return ECC_BAD_ARG_E; } @@ -2320,8 +2320,8 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash, } /* allocate points */ - mG = ecc_new_point(); - mQ = ecc_new_point(); + mG = wc_ecc_new_point(); + mQ = wc_ecc_new_point(); if (mQ == NULL || mG == NULL) err = MEMORY_E; @@ -2388,9 +2388,9 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash, /* compute u1*mG + u2*mQ = mG */ if (err == MP_OKAY) - err = ecc_mulmod(&u1, mG, mG, &m, 0); + err = wc_ecc_mulmod(&u1, mG, mG, &m, 0); if (err == MP_OKAY) - err = ecc_mulmod(&u2, mQ, mQ, &m, 0); + err = wc_ecc_mulmod(&u2, mQ, mQ, &m, 0); /* find the montgomery mp */ if (err == MP_OKAY) @@ -2420,8 +2420,8 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash, *stat = 1; } - ecc_del_point(mG); - ecc_del_point(mQ); + wc_ecc_del_point(mG); + wc_ecc_del_point(mQ); mp_clear(&v); mp_clear(&w); @@ -2442,7 +2442,7 @@ int wc_ecc_import_point_der(byte* in, word32 inLen, const int curve_idx, int compressed = 0; if (in == NULL || point == NULL || (curve_idx < 0) || - (ecc_is_valid_idx(curve_idx) == 0)) + (wc_ecc_is_valid_idx(curve_idx) == 0)) return ECC_BAD_ARG_E; /* must be odd */ @@ -2568,7 +2568,7 @@ int wc_ecc_export_point_der(const int curve_idx, ecc_point* point, byte* out, word32 numlen; int ret = MP_OKAY; - if ((curve_idx < 0) || (ecc_is_valid_idx(curve_idx) == 0)) + if ((curve_idx < 0) || (wc_ecc_is_valid_idx(curve_idx) == 0)) return ECC_BAD_ARG_E; /* return length needed only */ @@ -2646,7 +2646,7 @@ int wc_ecc_export_x963(ecc_key* key, byte* out, word32* outLen) if (key == NULL || out == NULL || outLen == NULL) return ECC_BAD_ARG_E; - if (ecc_is_valid_idx(key->idx) == 0) { + if (wc_ecc_is_valid_idx(key->idx) == 0) { return ECC_BAD_ARG_E; } numlen = key->dp->size; @@ -2782,7 +2782,7 @@ static int ecc_check_privkey_gen(ecc_key* key, mp_int* prime) if (key == NULL) return BAD_FUNC_ARG; - base = ecc_new_point(); + base = wc_ecc_new_point(); if (base == NULL) return MEMORY_E; @@ -2794,11 +2794,11 @@ static int ecc_check_privkey_gen(ecc_key* key, mp_int* prime) mp_set(base->z, 1); if (err == MP_OKAY) { - res = ecc_new_point(); + res = wc_ecc_new_point(); if (res == NULL) err = MEMORY_E; else { - err = ecc_mulmod(&key->k, base, res, prime, 1); + err = wc_ecc_mulmod(&key->k, base, res, prime, 1); if (err == MP_OKAY) { /* compare result to public key */ if (mp_cmp(res->x, key->pubkey.x) != MP_EQ || @@ -2811,8 +2811,8 @@ static int ecc_check_privkey_gen(ecc_key* key, mp_int* prime) } } - ecc_del_point(res); - ecc_del_point(base); + wc_ecc_del_point(res); + wc_ecc_del_point(base); return err; } @@ -2855,16 +2855,16 @@ static int ecc_check_pubkey_order(ecc_key* key, mp_int* prime, mp_int* order) if (key == NULL) return BAD_FUNC_ARG; - inf = ecc_new_point(); + inf = wc_ecc_new_point(); if (inf == NULL) err = MEMORY_E; else { - err = ecc_mulmod(order, &key->pubkey, inf, prime, 1); - if (err == MP_OKAY && !ecc_point_is_at_infinity(inf)) + err = wc_ecc_mulmod(order, &key->pubkey, inf, prime, 1); + if (err == MP_OKAY && !wc_ecc_point_is_at_infinity(inf)) err = ECC_INF_E; } - ecc_del_point(inf); + wc_ecc_del_point(inf); return err; } @@ -2881,7 +2881,7 @@ int wc_ecc_check_key(ecc_key* key) return BAD_FUNC_ARG; /* pubkey point cannot be at inifinity */ - if (ecc_point_is_at_infinity(&key->pubkey)) + if (wc_ecc_point_is_at_infinity(&key->pubkey)) return ECC_INF_E; err = mp_init_multi(&prime, &order, NULL, NULL, NULL, NULL); @@ -3071,7 +3071,7 @@ int wc_ecc_export_private_only(ecc_key* key, byte* out, word32* outLen) if (key == NULL || out == NULL || outLen == NULL) return ECC_BAD_ARG_E; - if (ecc_is_valid_idx(key->idx) == 0) { + if (wc_ecc_is_valid_idx(key->idx) == 0) { return ECC_BAD_ARG_E; } numlen = key->dp->size; @@ -3848,10 +3848,10 @@ static int find_hole(void) /* free entry z */ if (z >= 0 && fp_cache[z].g) { mp_clear(&fp_cache[z].mu); - ecc_del_point(fp_cache[z].g); + wc_ecc_del_point(fp_cache[z].g); fp_cache[z].g = NULL; for (x = 0; x < (1U<x, fp_cache[idx].g->x) != MP_OKAY) || (mp_copy(g->y, fp_cache[idx].g->y) != MP_OKAY) || (mp_copy(g->z, fp_cache[idx].g->z) != MP_OKAY)) { - ecc_del_point(fp_cache[idx].g); + wc_ecc_del_point(fp_cache[idx].g); fp_cache[idx].g = NULL; return GEN_MEM_ERR; } for (x = 0; x < (1U<idx) == 0) { + if (wc_ecc_is_valid_idx(key->idx) == 0) { return ECC_BAD_ARG_E; } numlen = key->dp->size; diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index 00685acfc..aaf9954b5 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -45,6 +45,14 @@ #endif #endif +#ifdef SHOW_GEN + #ifdef FREESCALE_MQX + #include + #else + #include + #endif +#endif + /* reverse an array, used for radix code */ static void bn_reverse (unsigned char *s, int len) @@ -2526,13 +2534,15 @@ mp_set_bit (mp_int * a, int b) { int i = b / DIGIT_BIT, res; - /* grow a to accomodate the single bit */ - if ((res = mp_grow (a, i + 1)) != MP_OKAY) { - return res; - } + if (a->used < (int)(i + 1)) { + /* grow a to accomodate the single bit */ + if ((res = mp_grow (a, i + 1)) != MP_OKAY) { + return res; + } - /* set the used count of where the bit will go */ - a->used = i + 1; + /* set the used count of where the bit will go */ + a->used = (int)(i + 1); + } /* put the single bit in its place */ a->dp[i] |= ((mp_digit)1) << (b % DIGIT_BIT); @@ -4086,12 +4096,15 @@ static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d) #endif /* no easy answer [c'est la vie]. Just division */ - if ((res = mp_init_size(&q, a->used)) != MP_OKAY) { - return res; + if (c != NULL) { + if ((res = mp_init_size(&q, a->used)) != MP_OKAY) { + return res; + } + + q.used = a->used; + q.sign = a->sign; } - q.used = a->used; - q.sign = a->sign; w = 0; for (ix = a->used - 1; ix >= 0; ix--) { w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]); @@ -4102,7 +4115,8 @@ static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d) } else { t = 0; } - q.dp[ix] = (mp_digit)t; + if (c != NULL) + q.dp[ix] = (mp_digit)t; } if (d != NULL) { @@ -4112,8 +4126,8 @@ static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d) if (c != NULL) { mp_clamp(&q); mp_exch(&q, c); + mp_clear(&q); } - mp_clear(&q); return res; } @@ -4282,6 +4296,70 @@ static int mp_prime_is_divisible (mp_int * a, int *result) return MP_OKAY; } +static const int USE_BBS = 1; + +int mp_rand_prime(mp_int* N, int len, RNG* rng, void* heap) +{ + int err, res, type; + byte* buf; + + if (N == NULL || rng == NULL) + return BAD_FUNC_ARG; + + /* get type */ + if (len < 0) { + type = USE_BBS; + len = -len; + } else { + type = 0; + } + + /* allow sizes between 2 and 512 bytes for a prime size */ + if (len < 2 || len > 512) { + return BAD_FUNC_ARG; + } + + /* allocate buffer to work with */ + buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA); + if (buf == NULL) { + return MEMORY_E; + } + XMEMSET(buf, 0, len); + + do { +#ifdef SHOW_GEN + printf("."); + fflush(stdout); +#endif + /* generate value */ + err = wc_RNG_GenerateBlock(rng, buf, len); + if (err != 0) { + XFREE(buf, heap, DYNAMIC_TYPE_RSA); + return err; + } + + /* munge bits */ + buf[0] |= 0x80 | 0x40; + buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00); + + /* load value */ + if ((err = mp_read_unsigned_bin(N, buf, len)) != MP_OKAY) { + XFREE(buf, heap, DYNAMIC_TYPE_RSA); + return err; + } + + /* test */ + if ((err = mp_prime_is_prime(N, 8, &res)) != MP_OKAY) { + XFREE(buf, heap, DYNAMIC_TYPE_RSA); + return err; + } + } while (res == MP_NO); + + ForceZero(buf, len); + XFREE(buf, heap, DYNAMIC_TYPE_RSA); + + return MP_OKAY; +} /* * Sets result to 1 if probably prime, 0 otherwise @@ -4468,8 +4546,6 @@ LBL_U:mp_clear (&v); return res; } - - #endif /* WOLFSSL_KEY_GEN */ @@ -4542,6 +4618,9 @@ int mp_read_radix (mp_int * a, const char *str, int radix) } return MP_OKAY; } +#endif /* HAVE_ECC */ + +#if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) /* returns size of ASCII representation */ int mp_radix_size (mp_int *a, int radix, int *size) @@ -4652,7 +4731,7 @@ int mp_toradix (mp_int *a, char *str, int radix) return MP_OKAY; } -#endif /* HAVE_ECC */ +#endif /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) */ #endif /* USE_FAST_MATH */ diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 1a5021783..bc85a949e 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -131,14 +131,6 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b, #include #endif -#ifdef SHOW_GEN - #ifdef FREESCALE_MQX - #include - #else - #include - #endif -#endif - #ifdef HAVE_CAVIUM static int InitCaviumRsaKey(RsaKey* key, void* heap); static int FreeCaviumRsaKey(RsaKey* key); @@ -152,22 +144,6 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b, word32 outLen, RsaKey* key); #endif -enum { - RSA_PUBLIC_ENCRYPT = 0, - RSA_PUBLIC_DECRYPT = 1, - RSA_PRIVATE_ENCRYPT = 2, - RSA_PRIVATE_DECRYPT = 3, - - RSA_BLOCK_TYPE_1 = 1, - RSA_BLOCK_TYPE_2 = 2, - - RSA_MIN_SIZE = 512, - RSA_MAX_SIZE = 4096, - - RSA_MIN_PAD_SZ = 11 /* seperator + 0 + pad value + 8 pads */ -}; - - int wc_InitRsaKey(RsaKey* key, void* heap) { #ifdef HAVE_CAVIUM @@ -610,76 +586,7 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n, return 0; } - #ifdef WOLFSSL_KEY_GEN - -static const int USE_BBS = 1; - -static int rand_prime(mp_int* N, int len, RNG* rng, void* heap) -{ - int err, res, type; - byte* buf; - - (void)heap; - if (N == NULL || rng == NULL) - return BAD_FUNC_ARG; - - /* get type */ - if (len < 0) { - type = USE_BBS; - len = -len; - } else { - type = 0; - } - - /* allow sizes between 2 and 512 bytes for a prime size */ - if (len < 2 || len > 512) { - return BAD_FUNC_ARG; - } - - /* allocate buffer to work with */ - buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA); - if (buf == NULL) { - return MEMORY_E; - } - XMEMSET(buf, 0, len); - - do { -#ifdef SHOW_GEN - printf("."); - fflush(stdout); -#endif - /* generate value */ - err = wc_RNG_GenerateBlock(rng, buf, len); - if (err != 0) { - XFREE(buf, heap, DYNAMIC_TYPE_RSA); - return err; - } - - /* munge bits */ - buf[0] |= 0x80 | 0x40; - buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00); - - /* load value */ - if ((err = mp_read_unsigned_bin(N, buf, len)) != MP_OKAY) { - XFREE(buf, heap, DYNAMIC_TYPE_RSA); - return err; - } - - /* test */ - if ((err = mp_prime_is_prime(N, 8, &res)) != MP_OKAY) { - XFREE(buf, heap, DYNAMIC_TYPE_RSA); - return err; - } - } while (res == MP_NO); - - ForceZero(buf, len); - XFREE(buf, heap, DYNAMIC_TYPE_RSA); - - return 0; -} - - /* Make an RSA key for size bits, with e specified, 65537 is a good e */ int wc_MakeRsaKey(RsaKey* key, int size, long e, RNG* rng) { @@ -703,7 +610,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, RNG* rng) /* make p */ if (err == MP_OKAY) { do { - err = rand_prime(&p, size/16, rng, key->heap); /* size in bytes/2 */ + err = mp_rand_prime(&p, size/16, rng, key->heap); /* size in bytes/2 */ if (err == MP_OKAY) err = mp_sub_d(&p, 1, &tmp1); /* tmp1 = p-1 */ @@ -716,7 +623,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, RNG* rng) /* make q */ if (err == MP_OKAY) { do { - err = rand_prime(&q, size/16, rng, key->heap); /* size in bytes/2 */ + err = mp_rand_prime(&q, size/16, rng, key->heap); /* size in bytes/2 */ if (err == MP_OKAY) err = mp_sub_d(&q, 1, &tmp1); /* tmp1 = q-1 */ diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index 3391693ae..cbb922199 100755 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -39,6 +39,7 @@ #ifdef USE_FAST_MATH +#include #include #include /* will define asm MACROS or C ones */ @@ -1815,10 +1816,37 @@ void fp_set(fp_int *a, fp_digit b) /* chek if a bit is set */ int fp_is_bit_set (fp_int *a, fp_digit b) { - if ((fp_digit)a->used < b/DIGIT_BIT) + fp_digit i; + + if (b > FP_MAX_BITS) + return 0; + else + i = b/DIGIT_BIT; + + if ((fp_digit)a->used < i) return 0; - return (int)((a->dp[b/DIGIT_BIT] >> b%DIGIT_BIT) & (fp_digit)1); + return (int)((a->dp[i] >> b%DIGIT_BIT) & (fp_digit)1); +} + +/* set the b bit of a */ +int fp_set_bit (fp_int * a, fp_digit b) +{ + fp_digit i; + + if (b > FP_MAX_BITS) + return 0; + else + i = b/DIGIT_BIT; + + /* set the used count of where the bit will go if required */ + if (a->used < (int)(i + 1)) + a->used = (int)(i + 1); + + /* put the single bit in its place */ + a->dp[i] |= ((mp_digit)1) << (b % DIGIT_BIT); + + return MP_OKAY; } int fp_count_bits (fp_int * a) @@ -2186,17 +2214,22 @@ void mp_rshb (mp_int* a, int x) /* fast math wrappers */ -int mp_set_int(fp_int *a, fp_digit b) +int mp_set_int(mp_int *a, mp_digit b) { fp_set(a, b); return MP_OKAY; } -int mp_is_bit_set (fp_int *a, fp_digit b) +int mp_is_bit_set (mp_int *a, mp_digit b) { return fp_is_bit_set(a, b); } +int mp_set_bit(mp_int *a, mp_digit b) +{ + return fp_set_bit(a, b); +} + #if defined(WOLFSSL_KEY_GEN) || defined (HAVE_ECC) /* c = a * a (mod b) */ @@ -2230,6 +2263,18 @@ static const int lnz[16] = { 4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0 }; +/* swap the elements of two integers, for cases where you can't simply swap the + * mp_int pointers around + */ +static void fp_exch (fp_int * a, fp_int * b) +{ + fp_int t; + + t = *a; + *a = *b; + *b = t; +} + /* Counts the number of lsbs which are zero before the first zero bit */ int fp_cnt_lsb(fp_int *a) { @@ -2258,8 +2303,6 @@ int fp_cnt_lsb(fp_int *a) } - - static int s_is_power_of_two(fp_digit b, int *p) { int x; @@ -2313,11 +2356,14 @@ static int fp_div_d(fp_int *a, fp_digit b, fp_int *c, fp_digit *d) return FP_OKAY; } - /* no easy answer [c'est la vie]. Just division */ - fp_init(&q); + if (c != NULL) { + /* no easy answer [c'est la vie]. Just division */ + fp_init(&q); + + q.used = a->used; + q.sign = a->sign; + } - q.used = a->used; - q.sign = a->sign; w = 0; for (ix = a->used - 1; ix >= 0; ix--) { w = (w << ((fp_word)DIGIT_BIT)) | ((fp_word)a->dp[ix]); @@ -2328,7 +2374,8 @@ static int fp_div_d(fp_int *a, fp_digit b, fp_int *c, fp_digit *d) } else { t = 0; } - q.dp[ix] = (fp_digit)t; + if (c != NULL) + q.dp[ix] = (fp_digit)t; } if (d != NULL) { @@ -2362,6 +2409,7 @@ int mp_mod_d(fp_int *a, fp_digit b, fp_digit *c) void fp_gcd(fp_int *a, fp_int *b, fp_int *c); void fp_lcm(fp_int *a, fp_int *b, fp_int *c); int fp_isprime(fp_int *a); +int fp_randprime(fp_int* N, int len, RNG* rng, void* heap); int mp_gcd(fp_int *a, fp_int *b, fp_int *c) { @@ -2384,6 +2432,31 @@ int mp_prime_is_prime(mp_int* a, int t, int* result) return MP_OKAY; } +int mp_rand_prime(mp_int* N, int len, RNG* rng, void* heap) +{ + int err; + + err = fp_randprime(N, len, rng, heap); + switch(err) { + case FP_VAL: + return MP_VAL; + break; + case FP_MEM: + return MP_MEM; + break; + default: + break; + } + + return MP_OKAY; +} + +int mp_exch (mp_int * a, mp_int * b) +{ + fp_exch(a, b); + return MP_OKAY; +} + /* Miller-Rabin test of "a" to the base of "b" as described in * HAC pp. 139 Algorithm 4.24 * @@ -2513,6 +2586,59 @@ int fp_isprime(fp_int *a) return FP_YES; } +int fp_randprime(fp_int* N, int len, RNG* rng, void* heap) +{ + static const int USE_BBS = 1; + int err, type; + byte* buf; + + /* get type */ + if (len < 0) { + type = USE_BBS; + len = -len; + } else { + type = 0; + } + + /* allow sizes between 2 and 512 bytes for a prime size */ + if (len < 2 || len > 512) { + return FP_VAL; + } + + /* allocate buffer to work with */ + buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_TMP_BUFFER); + if (buf == NULL) { + return FP_MEM; + } + XMEMSET(buf, 0, len); + + do { +#ifdef SHOW_GEN + printf("."); + fflush(stdout); +#endif + /* generate value */ + err = wc_RNG_GenerateBlock(rng, buf, len); + if (err != 0) { + XFREE(buf, heap, DYNAMIC_TYPE_TMP_BUFFER); + return FP_VAL; + } + + /* munge bits */ + buf[0] |= 0x80 | 0x40; + buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00); + + /* load value */ + fp_read_unsigned_bin(N, buf, len); + + /* test */ + } while (fp_isprime(N) == FP_NO); + + XMEMSET(buf, 0, len); + XFREE(buf, heap, DYNAMIC_TYPE_TMP_BUFFER); + + return FP_OKAY; +} /* c = [a, b] */ void fp_lcm(fp_int *a, fp_int *b, fp_int *c) @@ -2740,7 +2866,7 @@ int mp_radix_size (mp_int *a, int radix, int *size) if (fp_iszero(a) == MP_YES) { *size = 2; - return FP_YES; + return FP_OKAY; } /* digs is the digit count */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 6286e3eac..f4a624432 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -210,7 +210,7 @@ int pbkdf2_test(void); #endif -/* General big buffer size for many tests. */ +/* General big buffer size for many tests. */ #define FOURK_BUF 4096 @@ -3385,6 +3385,8 @@ int rsa_test(void) #ifdef HAVE_CAVIUM wc_RsaInitCavium(&key, CAVIUM_DEV_ID); #endif + +printf("1\n"); ret = wc_InitRsaKey(&key, 0); if (ret != 0) { free(tmp); @@ -3445,7 +3447,7 @@ int rsa_test(void) free(tmp); return -49; } - +printf("11\n"); bytes = fread(tmp, 1, FOURK_BUF, file2); fclose(file2); #endif @@ -3465,7 +3467,7 @@ int rsa_test(void) (void)bytes; #endif - +printf("111\n"); #ifdef WOLFSSL_KEY_GEN { byte* der; @@ -3476,7 +3478,7 @@ int rsa_test(void) RsaKey genKey; FILE* keyFile; FILE* pemFile; - +printf("2\n"); ret = wc_InitRsaKey(&genKey, 0); if (ret != 0) return -300; @@ -3502,7 +3504,7 @@ int rsa_test(void) free(pem); return -302; } - +printf("22\n"); #ifdef FREESCALE_MQX keyFile = fopen("a:\\certs\\key.der", "wb"); #else @@ -3523,14 +3525,14 @@ int rsa_test(void) return -313; } - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, PRIVATEKEY_TYPE); + pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, NULL, PRIVATEKEY_TYPE); if (pemSz < 0) { free(der); free(pem); wc_FreeRsaKey(&genKey); return -304; } - +printf("222\n"); #ifdef FREESCALE_MQX pemFile = fopen("a:\\certs\\key.pem", "wb"); #else @@ -3567,7 +3569,7 @@ int rsa_test(void) wc_FreeRsaKey(&genKey); return -306; } - +printf("2222\n"); wc_FreeRsaKey(&derIn); wc_FreeRsaKey(&genKey); free(pem); @@ -3575,7 +3577,7 @@ int rsa_test(void) } #endif /* WOLFSSL_KEY_GEN */ - +printf("3\n"); #ifdef WOLFSSL_CERT_GEN /* self signed */ { @@ -3598,7 +3600,7 @@ int rsa_test(void) free(derCert); return -310; } - +printf("33\n"); wc_InitCert(&myCert); strncpy(myCert.subject.country, "US", CTC_NAME_SIZE); @@ -3628,7 +3630,7 @@ int rsa_test(void) } FreeDecodedCert(&decode); #endif - +printf("333\n"); #ifdef FREESCALE_MQX derFile = fopen("a:\\certs\\cert.der", "wb"); #else @@ -3646,14 +3648,14 @@ int rsa_test(void) free(pem); return -414; } - - pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); +printf("4\n"); + pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, NULL, CERT_TYPE); if (pemSz < 0) { free(derCert); free(pem); return -404; } - +printf("41\n"); #ifdef FREESCALE_MQX pemFile = fopen("a:\\certs\\cert.pem", "wb"); #else @@ -3793,7 +3795,7 @@ int rsa_test(void) return -416; } - pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); + pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, NULL, CERT_TYPE); if (pemSz < 0) { free(derCert); free(pem); @@ -3938,7 +3940,7 @@ int rsa_test(void) return -5414; } - pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); + pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, NULL, CERT_TYPE); if (pemSz < 0) { free(pem); free(derCert); @@ -4122,7 +4124,7 @@ int rsa_test(void) return -473; } - pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); + pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, NULL, CERT_TYPE); if (pemSz < 0) { free(derCert); free(pem); @@ -4207,7 +4209,7 @@ int rsa_test(void) return -466; } - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, CERTREQ_TYPE); + pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, NULL, CERTREQ_TYPE); if (pemSz < 0) { free(pem); free(der); @@ -5125,7 +5127,7 @@ int ecc_test(void) return -1026; } - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, ECC_PRIVATEKEY_TYPE); + pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, NULL, ECC_PRIVATEKEY_TYPE); if (pemSz < 0) { return -1027; } diff --git a/wolfssl/openssl/dsa.h b/wolfssl/openssl/dsa.h index aedcab452..98048bd9c 100644 --- a/wolfssl/openssl/dsa.h +++ b/wolfssl/openssl/dsa.h @@ -24,7 +24,7 @@ struct WOLFSSL_DSA { WOLFSSL_API WOLFSSL_DSA* wolfSSL_DSA_new(void); -WOLFSSL_API void wolfSSL_DSA_free(WOLFSSL_DSA*); +WOLFSSL_API void wolfSSL_DSA_free(WOLFSSL_DSA*); WOLFSSL_API int wolfSSL_DSA_generate_key(WOLFSSL_DSA*); WOLFSSL_API int wolfSSL_DSA_generate_parameters_ex(WOLFSSL_DSA*, int bits, diff --git a/wolfssl/openssl/pem.h b/wolfssl/openssl/pem.h index 56b85baec..7da6074a9 100644 --- a/wolfssl/openssl/pem.h +++ b/wolfssl/openssl/pem.h @@ -14,75 +14,104 @@ #endif -WOLFSSL_API int wolfSSL_PEM_write_bio_ECPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ec, - const EVP_CIPHER* cipher, - unsigned char* passwd, int len, - pem_password_cb cb, void* arg); +/* RSA */ +WOLFSSL_API +int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, + const EVP_CIPHER* cipher, + unsigned char* passwd, int len, + pem_password_cb cb, void* arg); +WOLFSSL_API +int wolfSSL_PEM_write_RSAPrivateKey(FILE *fp, WOLFSSL_RSA *rsa, + const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u); +WOLFSSL_API +int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, + unsigned char* passwd, int len, + byte **pem, int *plen); +WOLFSSL_API +WOLFSSL_RSA *wolfSSL_PEM_read_RSAPublicKey(FILE *fp, WOLFSSL_RSA **x, + pem_password_cb *cb, void *u); +WOLFSSL_API +int wolfSSL_PEM_write_RSAPublicKey(FILE *fp, WOLFSSL_RSA *x); -WOLFSSL_API int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, - const EVP_CIPHER* cipher, - unsigned char* passwd, int len, - pem_password_cb cb, void* arg); +WOLFSSL_API +int wolfSSL_PEM_write_RSA_PUBKEY(FILE *fp, WOLFSSL_RSA *x); -WOLFSSL_API int wolfSSL_PEM_write_RSAPrivateKey(FILE *fp, WOLFSSL_RSA *rsa, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u); +/* DSA */ +WOLFSSL_API +int wolfSSL_PEM_write_bio_DSAPrivateKey(WOLFSSL_BIO* bio, + WOLFSSL_DSA* dsa, + const EVP_CIPHER* cipher, + unsigned char* passwd, int len, + pem_password_cb cb, void* arg); +WOLFSSL_API +int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa, + const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u); +WOLFSSL_API +int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, + const EVP_CIPHER* cipher, + unsigned char* passwd, int len, + byte **pem, int *plen); +WOLFSSL_API +int wolfSSL_PEM_write_DSA_PUBKEY(FILE *fp, WOLFSSL_DSA *x); -WOLFSSL_API int wolfSSL_PEM_write_bio_DSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_DSA* dsa, - const EVP_CIPHER* cipher, - unsigned char* passwd, int len, - pem_password_cb cb, void* arg); +/* ECC */ +WOLFSSL_API +int wolfSSL_PEM_write_bio_ECPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ec, + const EVP_CIPHER* cipher, + unsigned char* passwd, int len, + pem_password_cb cb, void* arg); +WOLFSSL_API +int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *key, + const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u); +WOLFSSL_API +int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* key, + const EVP_CIPHER* cipher, + unsigned char* passwd, int len, + byte **pem, int *plen); +WOLFSSL_API +int wolfSSL_PEM_write_EC_PUBKEY(FILE *fp, WOLFSSL_EC_KEY *key); -WOLFSSL_API int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u); +/* EVP_KEY */ +WOLFSSL_API +WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_bio_PrivateKey(WOLFSSL_BIO* bio, + WOLFSSL_EVP_PKEY**, + pem_password_cb cb, + void* arg); +WOLFSSL_API +int wolfSSL_EVP_PKEY_type(int type); -WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_bio_PrivateKey(WOLFSSL_BIO* bio, - WOLFSSL_EVP_PKEY**, pem_password_cb cb, void* arg); +WOLFSSL_API +WOLFSSL_EVP_PKEY *wolfSSL_PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x, + pem_password_cb *cb, void *u); -WOLFSSL_API int wolfSSL_EVP_PKEY_type(int type); - -WOLFSSL_API WOLFSSL_EVP_PKEY *wolfSSL_PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x, - pem_password_cb *cb, void *u); - -WOLFSSL_API WOLFSSL_RSA *wolfSSL_PEM_read_RSAPublicKey(FILE *fp, WOLFSSL_RSA **x, - pem_password_cb *cb, void *u); - -WOLFSSL_API int wolfSSL_PEM_write_DSA_PUBKEY(FILE *fp, WOLFSSL_DSA *x); - -WOLFSSL_API int wolfSSL_PEM_write_RSAPublicKey(FILE *fp, WOLFSSL_RSA *x); - -WOLFSSL_API int wolfSSL_PEM_write_RSA_PUBKEY(FILE *fp, WOLFSSL_RSA *x); - -WOLFSSL_API int wolfSSL_PEM_write_buf_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, - unsigned char* passwd, int len, - byte **pem, int *plen); - -WOLFSSL_API int wolfSSL_PEM_write_EC_PUBKEY(FILE *fp, WOLFSSL_EC_KEY *key); -WOLFSSL_API int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *key, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u); - -#define PEM_write_bio_ECPrivateKey wolfSSL_PEM_write_bio_ECPrivateKey +/* RSA */ #define PEM_write_bio_RSAPrivateKey wolfSSL_PEM_write_bio_RSAPrivateKey -#define PEM_write_RSAPrivateKey wolfSSL_PEM_write_RSAPrivateKey +#define PEM_write_RSAPrivateKey wolfSSL_PEM_write_RSAPrivateKey +#define PEM_write_RSA_PUBKEY wolfSSL_PEM_write_RSA_PUBKEY +#define PEM_write_RSAPublicKey wolfSSL_PEM_write_RSAPublicKey +#define PEM_read_RSAPublicKey wolfSSL_PEM_read_RSAPublicKey +/* DSA */ #define PEM_write_bio_DSAPrivateKey wolfSSL_PEM_write_bio_DSAPrivateKey -#define PEM_write_DSAPrivateKey wolfSSL_PEM_write_DSAPrivateKey -#define PEM_read_bio_PrivateKey wolfSSL_PEM_read_bio_PrivateKey -#define PEM_write_RSA_PUBKEY wolfSSL_PEM_write_RSA_PUBKEY -#define PEM_write_RSAPublicKey wolfSSL_PEM_write_RSAPublicKey -#define PEM_write_DSA_PUBKEY wolfSSL_PEM_write_DSA_PUBKEY -#define PEM_read_RSAPublicKey wolfSSL_PEM_read_RSAPublicKey -#define PEM_read_RSAPublicKey wolfSSL_PEM_read_RSAPublicKey -#define PEM_read_PUBKEY wolfSSL_PEM_read_PUBKEY -#define PEM_write_EC_PUBKEY wolfSSL_PEM_write_EC_PUBKEY -#define PEM_write_ECPrivateKey wolfSSL_PEM_write_ECPrivateKey -#define EVP_PKEY_type wolfSSL_EVP_PKEY_type +#define PEM_write_DSAPrivateKey wolfSSL_PEM_write_DSAPrivateKey +#define PEM_write_DSA_PUBKEY wolfSSL_PEM_write_DSA_PUBKEY +/* ECC */ +#define PEM_write_bio_ECPrivateKey wolfSSL_PEM_write_bio_ECPrivateKey +#define PEM_write_EC_PUBKEY wolfSSL_PEM_write_EC_PUBKEY +#define PEM_write_ECPrivateKey wolfSSL_PEM_write_ECPrivateKey +/* EVP_KEY */ +#define PEM_read_bio_PrivateKey wolfSSL_PEM_read_bio_PrivateKey +#define PEM_read_PUBKEY wolfSSL_PEM_read_PUBKEY +#define EVP_PKEY_type wolfSSL_EVP_PKEY_type #ifdef __cplusplus } /* extern "C" */ #endif - #endif /* WOLFSSL_PEM_H_ */ diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index a94ad0801..d99558cbb 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -126,17 +126,24 @@ typedef struct Gmac { #endif /* HAVE_AESGCM */ #endif /* HAVE_FIPS */ - WOLFSSL_API int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv, - int dir); - WOLFSSL_API int wc_AesSetIV(Aes* aes, const byte* iv); - WOLFSSL_API int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz); - WOLFSSL_API int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz); - WOLFSSL_API int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz, - const byte* key, word32 keySz, const byte* iv); +WOLFSSL_API int wc_AesSetKey(Aes* aes, const byte* key, word32 len, + const byte* iv, int dir); +WOLFSSL_API int wc_AesSetIV(Aes* aes, const byte* iv); +WOLFSSL_API int wc_AesCbcEncrypt(Aes* aes, byte* out, + const byte* in, word32 sz); +WOLFSSL_API int wc_AesCbcDecrypt(Aes* aes, byte* out, + const byte* in, word32 sz); +WOLFSSL_API int wc_AesCbcEncryptWithKey(byte* out, const byte* in, word32 inSz, + const byte* key, word32 keySz, + const byte* iv); +WOLFSSL_API int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz, + const byte* key, word32 keySz, + const byte* iv); /* AES-CTR */ #ifdef WOLFSSL_AES_COUNTER - WOLFSSL_API void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz); + WOLFSSL_API void wc_AesCtrEncrypt(Aes* aes, byte* out, + const byte* in, word32 sz); #endif /* AES-DIRECT */ #if defined(WOLFSSL_AES_DIRECT) @@ -147,30 +154,34 @@ typedef struct Gmac { #endif #ifdef HAVE_AESGCM WOLFSSL_API int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len); - WOLFSSL_API int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, - const byte* iv, word32 ivSz, - byte* authTag, word32 authTagSz, - const byte* authIn, word32 authInSz); - WOLFSSL_API int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, - const byte* iv, word32 ivSz, - const byte* authTag, word32 authTagSz, - const byte* authIn, word32 authInSz); + WOLFSSL_API int wc_AesGcmEncrypt(Aes* aes, byte* out, + const byte* in, word32 sz, + const byte* iv, word32 ivSz, + byte* authTag, word32 authTagSz, + const byte* authIn, word32 authInSz); + WOLFSSL_API int wc_AesGcmDecrypt(Aes* aes, byte* out, + const byte* in, word32 sz, + const byte* iv, word32 ivSz, + const byte* authTag, word32 authTagSz, + const byte* authIn, word32 authInSz); WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len); WOLFSSL_API int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz, - const byte* authIn, word32 authInSz, - byte* authTag, word32 authTagSz); + const byte* authIn, word32 authInSz, + byte* authTag, word32 authTagSz); #endif /* HAVE_AESGCM */ #ifdef HAVE_AESCCM WOLFSSL_API void wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz); - WOLFSSL_API void wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz, - const byte* nonce, word32 nonceSz, - byte* authTag, word32 authTagSz, - const byte* authIn, word32 authInSz); - WOLFSSL_API int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz, - const byte* nonce, word32 nonceSz, - const byte* authTag, word32 authTagSz, - const byte* authIn, word32 authInSz); + WOLFSSL_API void wc_AesCcmEncrypt(Aes* aes, byte* out, + const byte* in, word32 inSz, + const byte* nonce, word32 nonceSz, + byte* authTag, word32 authTagSz, + const byte* authIn, word32 authInSz); + WOLFSSL_API int wc_AesCcmDecrypt(Aes* aes, byte* out, + const byte* in, word32 inSz, + const byte* nonce, word32 nonceSz, + const byte* authTag, word32 authTagSz, + const byte* authIn, word32 authInSz); #endif /* HAVE_AESCCM */ #ifdef HAVE_CAVIUM diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 824ea019b..311cad852 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -182,8 +182,9 @@ enum Misc_ASN { MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */ MAX_OCSP_NONCE_SZ = 18, /* OCSP Nonce size */ EIGHTK_BUF = 8192, /* Tmp buffer size */ - MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2 + MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2, /* use bigger NTRU size */ + HEADER_ENCRYPTED_KEY_SIZE = 88 /* Extra header size for encrypted key */ }; @@ -476,6 +477,24 @@ struct DecodedCert { #endif /* WOLFSSL_SEP */ }; +extern const char* BEGIN_CERT; +extern const char* END_CERT; +extern const char* BEGIN_CERT_REQ; +extern const char* END_CERT_REQ; +extern const char* BEGIN_DH_PARAM; +extern const char* END_DH_PARAM; +extern const char* BEGIN_X509_CRL; +extern const char* END_X509_CRL; +extern const char* BEGIN_RSA_PRIV; +extern const char* END_RSA_PRIV; +extern const char* BEGIN_PRIV_KEY; +extern const char* END_PRIV_KEY; +extern const char* BEGIN_ENC_PRIV_KEY; +extern const char* END_ENC_PRIV_KEY; +extern const char* BEGIN_EC_PRIV; +extern const char* END_EC_PRIV; +extern const char* BEGIN_DSA_PRIV; +extern const char* END_DSA_PRIV; #ifdef NO_SHA #define SIGNER_DIGEST_SIZE SHA256_DIGEST_SIZE diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index 223cea9be..cf5c5bc66 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -43,6 +43,7 @@ enum CertType { CRL_TYPE, CA_TYPE, ECC_PRIVATEKEY_TYPE, + DSA_PRIVATEKEY_TYPE, CERTREQ_TYPE, DSA_TYPE, ECC_TYPE, @@ -177,7 +178,7 @@ WOLFSSL_API int wc_SetDatesBuffer(Cert*, const byte*, int); #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || !defined(NO_DSA) WOLFSSL_API int wc_DerToPem(const byte* der, word32 derSz, byte* output, - word32 outputSz, int type); + word32 outputSz, byte *cipherIno, int type); #endif #ifdef HAVE_ECC diff --git a/wolfssl/wolfcrypt/coding.h b/wolfssl/wolfcrypt/coding.h index 286e437a4..e7b482379 100644 --- a/wolfssl/wolfcrypt/coding.h +++ b/wolfssl/wolfcrypt/coding.h @@ -53,6 +53,8 @@ WOLFSSL_API int Base64_Decode(const byte* in, word32 inLen, byte* out, #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) WOLFSSL_API int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen); + WOLFSSL_API + int Base16_Encode(const byte* in, word32 inLen, byte* out, word32* outLen); #endif diff --git a/wolfssl/wolfcrypt/des3.h b/wolfssl/wolfcrypt/des3.h index c17884968..c0d9394a2 100644 --- a/wolfssl/wolfcrypt/des3.h +++ b/wolfssl/wolfcrypt/des3.h @@ -83,21 +83,35 @@ typedef struct Des3 { } Des3; #endif /* HAVE_FIPS */ -WOLFSSL_API int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir); +WOLFSSL_API int wc_Des_SetKey(Des* des, const byte* key, + const byte* iv, int dir); WOLFSSL_API void wc_Des_SetIV(Des* des, const byte* iv); -WOLFSSL_API int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz); -WOLFSSL_API int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz); -WOLFSSL_API int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz); -WOLFSSL_API int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, - const byte* key, const byte* iv); +WOLFSSL_API int wc_Des_CbcEncrypt(Des* des, byte* out, + const byte* in, word32 sz); +WOLFSSL_API int wc_Des_CbcDecrypt(Des* des, byte* out, + const byte* in, word32 sz); +WOLFSSL_API int wc_Des_EcbEncrypt(Des* des, byte* out, + const byte* in, word32 sz); +WOLFSSL_API int wc_Des_CbcDecryptWithKey(byte* out, + const byte* in, word32 sz, + const byte* key, const byte* iv); +WOLFSSL_API int wc_Des_CbcEncryptWithKey(byte* out, + const byte* in, word32 sz, + const byte* key, const byte* iv); -WOLFSSL_API int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv,int dir); +WOLFSSL_API int wc_Des3_SetKey(Des3* des, const byte* key, + const byte* iv,int dir); WOLFSSL_API int wc_Des3_SetIV(Des3* des, const byte* iv); -WOLFSSL_API int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in,word32 sz); -WOLFSSL_API int wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in,word32 sz); -WOLFSSL_API int wc_Des3_CbcDecryptWithKey(byte* out, const byte* in, word32 sz, - const byte* key, const byte* iv); - +WOLFSSL_API int wc_Des3_CbcEncrypt(Des3* des, byte* out, + const byte* in,word32 sz); +WOLFSSL_API int wc_Des3_CbcDecrypt(Des3* des, byte* out, + const byte* in,word32 sz); +WOLFSSL_API int wc_Des3_CbcEncryptWithKey(byte* out, + const byte* in, word32 sz, + const byte* key, const byte* iv); +WOLFSSL_API int wc_Des3_CbcDecryptWithKey(byte* out, + const byte* in, word32 sz, + const byte* key, const byte* iv); #ifdef HAVE_CAVIUM WOLFSSL_API int wc_Des3_InitCavium(Des3*, int); diff --git a/wolfssl/wolfcrypt/dsa.h b/wolfssl/wolfcrypt/dsa.h index 8da15cf31..115c18c6e 100644 --- a/wolfssl/wolfcrypt/dsa.h +++ b/wolfssl/wolfcrypt/dsa.h @@ -66,6 +66,11 @@ WOLFSSL_API int wc_DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey*, word32); WOLFSSL_API int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen); +#ifdef WOLFSSL_KEY_GEN +WOLFSSL_API int wc_MakeDsaKey(RNG *rng, DsaKey *dsa); +WOLFSSL_API int wc_MakeDsaParameters(RNG *rng, int modulus_size, DsaKey *dsa); +#endif + #ifdef __cplusplus } /* extern "C" */ #endif diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index 9908ff9e8..01ad398b8 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -84,7 +84,7 @@ typedef struct { */ #ifndef FP_MAX_BITS_ECC - #define FP_MAX_BITS_ECC 512 + #define FP_MAX_BITS_ECC 528 #endif #define FP_MAX_SIZE_ECC (FP_MAX_BITS_ECC+(8*DIGIT_BIT)) #if FP_MAX_BITS_ECC % CHAR_BIT @@ -163,17 +163,20 @@ WOLFSSL_API void wc_ecc_fp_free(void); WOLFSSL_API -ecc_point* ecc_new_point(void); +ecc_point* wc_ecc_new_point(void); WOLFSSL_API -void ecc_del_point(ecc_point* p); +void wc_ecc_del_point(ecc_point* p); WOLFSSL_API -int ecc_copy_point(ecc_point* p, ecc_point *r); +int wc_ecc_copy_point(ecc_point* p, ecc_point *r); WOLFSSL_API -int ecc_cmp_point(ecc_point* a, ecc_point *b); +int wc_ecc_cmp_point(ecc_point* a, ecc_point *b); WOLFSSL_API -int ecc_point_is_at_infinity(ecc_point *p); +int wc_ecc_point_is_at_infinity(ecc_point *p); WOLFSSL_API -int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, int map); +int wc_ecc_is_valid_idx(int n); +WOLFSSL_API +int wc_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, + mp_int* modulus, int map); /* ASN key helpers */ WOLFSSL_API diff --git a/wolfssl/wolfcrypt/integer.h b/wolfssl/wolfcrypt/integer.h index bd7da60d9..8e43a395b 100644 --- a/wolfssl/wolfcrypt/integer.h +++ b/wolfssl/wolfcrypt/integer.h @@ -36,6 +36,8 @@ #include #else +#include + #ifndef CHAR_BIT #include #endif @@ -313,6 +315,7 @@ int mp_radix_size (mp_int * a, int radix, int *size); int mp_prime_is_prime (mp_int * a, int t, int *result); int mp_gcd (mp_int * a, mp_int * b, mp_int * c); int mp_lcm (mp_int * a, mp_int * b, mp_int * c); + int mp_rand_prime(mp_int* N, int len, RNG* rng, void* heap); #endif int mp_cnt_lsb(mp_int *a); diff --git a/wolfssl/wolfcrypt/rsa.h b/wolfssl/wolfcrypt/rsa.h index 5441535eb..1f12df941 100644 --- a/wolfssl/wolfcrypt/rsa.h +++ b/wolfssl/wolfcrypt/rsa.h @@ -46,9 +46,23 @@ enum { RSA_PUBLIC = 0, - RSA_PRIVATE = 1 + RSA_PRIVATE = 1, + + RSA_PUBLIC_ENCRYPT = 0, + RSA_PUBLIC_DECRYPT = 1, + RSA_PRIVATE_ENCRYPT = 2, + RSA_PRIVATE_DECRYPT = 3, + + RSA_BLOCK_TYPE_1 = 1, + RSA_BLOCK_TYPE_2 = 2, + + RSA_MIN_SIZE = 512, + RSA_MAX_SIZE = 4096, + + RSA_MIN_PAD_SZ = 11 /* seperator + 0 + pad value + 8 pads */ }; + /* RSA */ typedef struct RsaKey { mp_int n, e, d, p, q, dP, dQ, u; diff --git a/wolfssl/wolfcrypt/tfm.h b/wolfssl/wolfcrypt/tfm.h index 50e9712e7..782dc7046 100644 --- a/wolfssl/wolfcrypt/tfm.h +++ b/wolfssl/wolfcrypt/tfm.h @@ -40,6 +40,7 @@ #include #endif +#include #ifdef __cplusplus extern "C" { @@ -377,6 +378,8 @@ void fp_set(fp_int *a, fp_digit b); /* check if a bit is set */ int fp_is_bit_set(fp_int *a, fp_digit b); +/* set the b bit to 1 */ +int fp_set_bit (fp_int * a, fp_digit b); /* copy from a to b */ #ifndef ALT_ECC_SIZE @@ -651,6 +654,7 @@ void fp_sqr_comba64(fp_int *a, fp_int *b); #define MP_EQ FP_EQ /* equal to */ #define MP_GT FP_GT /* greater than */ #define MP_VAL FP_VAL /* invalid */ + #define MP_MEM FP_MEM /* memory error */ #define MP_NOT_INF FP_NOT_INF /* point not at infinity */ #define MP_OKAY FP_OKAY /* ok result */ #define MP_NO FP_NO /* yes/no result */ @@ -688,8 +692,9 @@ int mp_isodd(mp_int* a); int mp_iszero(mp_int* a); int mp_count_bits(mp_int *a); int mp_leading_bit(mp_int *a); -int mp_set_int(fp_int *a, fp_digit b); -int mp_is_bit_set (fp_int * a, fp_digit b); +int mp_set_int(mp_int *a, mp_digit b); +int mp_is_bit_set (mp_int * a, mp_digit b); +int mp_set_bit (mp_int * a, mp_digit b); void mp_rshb(mp_int *a, int x); int mp_toradix (mp_int *a, char *str, int radix); int mp_radix_size (mp_int * a, int radix, int *size); @@ -713,6 +718,8 @@ int mp_radix_size (mp_int * a, int radix, int *size); int mp_gcd(fp_int *a, fp_int *b, fp_int *c); int mp_lcm(fp_int *a, fp_int *b, fp_int *c); int mp_prime_is_prime(mp_int* a, int t, int* result); +int mp_rand_prime(mp_int* N, int len, RNG* rng, void* heap); +int mp_exch(mp_int *a, mp_int *b); #endif /* WOLFSSL_KEY_GEN */ int mp_cnt_lsb(fp_int *a); From 8951d72f03c2c9d13f1cfc9d448e842982635c36 Mon Sep 17 00:00:00 2001 From: Ludovic FLAMENT Date: Thu, 23 Jul 2015 13:24:20 +0200 Subject: [PATCH 2/5] Merge branch 'master' of https://github.com/wolfSSL/wolfssl Fix DSA key generation --- .../Projects/CryptBenchmark/benchmark.c | 2 +- IDE/MDK5-ARM/Projects/CryptTest/test.c | 2 +- IDE/WIN/README.txt | 21 +- IDE/WIN/test.vcxproj | 17 +- IDE/WIN/wolfssl-fips.vcxproj | 24 +- LICENSING | 6 +- README | 13 +- README.md | 12 + configure.ac | 147 +++- cyassl/ctaocrypt/blake2-impl.h | 2 +- cyassl/ctaocrypt/blake2-int.h | 2 +- mcapi/crypto.h | 2 +- scripts/resume.test | 16 +- src/internal.c | 16 +- src/ssl.c | 770 +++++++++++++----- src/tls.c | 8 +- support/wolfssl.pc | 2 +- tests/test-qsh.conf | 3 + tests/test.conf | 3 + wolfcrypt/benchmark/benchmark.c | 2 +- wolfcrypt/src/asn.c | 2 +- wolfcrypt/src/coding.c | 35 +- wolfcrypt/src/dsa.c | 110 ++- wolfcrypt/src/ecc.c | 2 +- wolfcrypt/src/integer.c | 42 +- wolfcrypt/src/tfm.c | 9 +- wolfcrypt/test/test.c | 128 ++- wolfssl/internal.h | 12 +- wolfssl/openssl/asn1.h | 17 + wolfssl/openssl/bn.h | 4 +- wolfssl/openssl/crypto.h | 8 + wolfssl/openssl/dh.h | 7 +- wolfssl/openssl/ecdh.h | 2 +- wolfssl/openssl/ecdsa.h | 3 +- wolfssl/openssl/err.h | 3 +- wolfssl/openssl/opensslv.h | 10 +- wolfssl/openssl/rand.h | 2 + wolfssl/openssl/ssl.h | 76 +- wolfssl/ssl.h | 120 ++- wolfssl/version.h | 4 +- wolfssl/wolfcrypt/coding.h | 9 + wolfssl/wolfcrypt/ecc.h | 1 + wolfssl/wolfcrypt/logging.h | 5 + 43 files changed, 1254 insertions(+), 427 deletions(-) diff --git a/IDE/MDK5-ARM/Projects/CryptBenchmark/benchmark.c b/IDE/MDK5-ARM/Projects/CryptBenchmark/benchmark.c index 417ae3177..fa13b8b80 100644 --- a/IDE/MDK5-ARM/Projects/CryptBenchmark/benchmark.c +++ b/IDE/MDK5-ARM/Projects/CryptBenchmark/benchmark.c @@ -52,7 +52,7 @@ #include "cavium_ioctl.h" #endif #ifdef HAVE_NTRU - #include "ntru_crypto.h" + #include "libntruencrypt/ntru_crypto.h" #endif #if defined(CYASSL_MDK_ARM) diff --git a/IDE/MDK5-ARM/Projects/CryptTest/test.c b/IDE/MDK5-ARM/Projects/CryptTest/test.c index ac5c775b2..167832eae 100644 --- a/IDE/MDK5-ARM/Projects/CryptTest/test.c +++ b/IDE/MDK5-ARM/Projects/CryptTest/test.c @@ -101,7 +101,7 @@ #endif #ifdef HAVE_NTRU - #include "ntru_crypto.h" + #include "libntruencrypt/ntru_crypto.h" #endif #ifdef HAVE_CAVIUM #include "cavium_sysdep.h" diff --git a/IDE/WIN/README.txt b/IDE/WIN/README.txt index d2ed0faaa..81695ded9 100644 --- a/IDE/WIN/README.txt +++ b/IDE/WIN/README.txt @@ -3,7 +3,7 @@ First, if you did not get the FIPS files with your archive, you must contact wolfSSL to obtain them. -# On Building the wolfssl-fips project +# Building the wolfssl-fips project The wolfCrypt FIPS library for Windows is a part of the wolfSSL library. It must be built as a static library. @@ -14,10 +14,25 @@ There are two functions added to the library that are used as markers in memory for the in-core memory check of the code. WPO consolidates them into a single function. WPO also optimizes away the automatic FIPS entry function. -A project using the library must disable - Each of the source files inside the FIPS boundary defines their own code and constant section. The code section names start with ".fipsA$" and the constant section names start with ".fipsB$". Each subsection has a letter to organize them in a secific order. This specific ordering puts marker functions and constants on either end of the boundary so it can be hashed. + +# In Core Memory Test + +The In Core Memory test calculates a checksum (HMAC-SHA256) of the wolfCrypt +FIPS library code and constant data and compares it with a known value in +the code. + +The Randomized Base Address setting doesn't cause any problems because +(I believe) that the addrsses in the executable are all offsets from the base +rather than absolute addresses. + +The "verifyCore" check value in the source fips_test.c needs to be updated when +building the code. The POS performs this check and the default failure callback +will print out the calculated checksum. When developing your code, copy this +value and paste it back into your code in the verifyCore initializer then +rebuild the code. When statically linking, you may have to recalculate your +check value when changing your application. diff --git a/IDE/WIN/test.vcxproj b/IDE/WIN/test.vcxproj index 47681399b..38e264b20 100644 --- a/IDE/WIN/test.vcxproj +++ b/IDE/WIN/test.vcxproj @@ -111,7 +111,7 @@ Disabled ..\..\;%(AdditionalIncludeDirectories) - WIN32;_DEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;%(PreprocessorDefinitions) + WIN32;_DEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;%(PreprocessorDefinitions) EnableFastChecks MultiThreadedDebugDLL @@ -130,7 +130,7 @@ Disabled ..\..\;%(AdditionalIncludeDirectories) - WIN32;_DEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;%(PreprocessorDefinitions) + WIN32;_DEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;%(PreprocessorDefinitions) EnableFastChecks MultiThreadedDebugDLL @@ -147,7 +147,7 @@ ..\..\;%(AdditionalIncludeDirectories) - WIN32;NDEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;%(PreprocessorDefinitions) + WIN32;NDEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;%(PreprocessorDefinitions) MultiThreadedDLL Level3 @@ -167,7 +167,7 @@ ..\..\;%(AdditionalIncludeDirectories) - WIN32;NDEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;%(PreprocessorDefinitions) + WIN32;NDEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;%(PreprocessorDefinitions) MultiThreadedDLL Level3 @@ -181,14 +181,13 @@ true true UseLinkTimeCodeGeneration - false Disabled ..\..\;%(AdditionalIncludeDirectories) - WIN32;_DEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;WOLFSSL_DLL;%(PreprocessorDefinitions) + WIN32;_DEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;WOLFSSL_DLL;%(PreprocessorDefinitions) EnableFastChecks MultiThreadedDebugDLL @@ -207,7 +206,7 @@ Disabled ..\..\;%(AdditionalIncludeDirectories) - WIN32;_DEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;WOLFSSL_DLL;%(PreprocessorDefinitions) + WIN32;_DEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;WOLFSSL_DLL;%(PreprocessorDefinitions) EnableFastChecks MultiThreadedDebugDLL @@ -224,7 +223,7 @@ ..\..\;%(AdditionalIncludeDirectories) - WIN32;NDEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;WOLFSSL_DLL;%(PreprocessorDefinitions) + WIN32;NDEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;WOLFSSL_DLL;%(PreprocessorDefinitions) MultiThreadedDLL Level3 @@ -244,7 +243,7 @@ ..\..\;%(AdditionalIncludeDirectories) - WIN32;NDEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;WOLFSSL_DLL;%(PreprocessorDefinitions) + WIN32;NDEBUG;_CONSOLE;OPENSSL_EXTRA;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;USE_CERT_BUFFERS_2048;WOLFSSL_DLL;%(PreprocessorDefinitions) MultiThreadedDLL Level3 diff --git a/IDE/WIN/wolfssl-fips.vcxproj b/IDE/WIN/wolfssl-fips.vcxproj index b1a68ebac..c63c79bd1 100644 --- a/IDE/WIN/wolfssl-fips.vcxproj +++ b/IDE/WIN/wolfssl-fips.vcxproj @@ -120,7 +120,7 @@ Disabled ./;../../;%(AdditionalIncludeDirectories) - OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) + OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) EnableFastChecks MultiThreadedDebugDLL Level4 @@ -132,7 +132,7 @@ Disabled ./;../../;%(AdditionalIncludeDirectories) - OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;BUILDING_WOLFSSL;WOLFSSL_DLL;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) + OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;BUILDING_WOLFSSL;WOLFSSL_DLL;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) true EnableFastChecks MultiThreadedDebugDLL @@ -145,7 +145,7 @@ Disabled ./;../../;%(AdditionalIncludeDirectories) - OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) + OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) EnableFastChecks MultiThreadedDebugDLL Level4 @@ -157,7 +157,7 @@ Disabled ./;../../;%(AdditionalIncludeDirectories) - OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;BUILDING_WOLFSSL;WOLFSSL_DLL;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) + OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;BUILDING_WOLFSSL;WOLFSSL_DLL;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) EnableFastChecks MultiThreadedDebugDLL Level4 @@ -175,7 +175,7 @@ MaxSpeed true ./;../../;%(AdditionalIncludeDirectories) - OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) + OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) MultiThreadedDLL true Level3 @@ -187,7 +187,7 @@ MaxSpeed true ./;../../;%(AdditionalIncludeDirectories) - OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;BUILDING_WOLFSSL;WOLFSSL_DLL;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) + OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;BUILDING_WOLFSSL;WOLFSSL_DLL;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) MultiThreadedDLL true Level3 @@ -199,7 +199,7 @@ MaxSpeed true ./;../../;%(AdditionalIncludeDirectories) - OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) + OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) MultiThreadedDLL true Level3 @@ -212,7 +212,7 @@ MaxSpeed true ./;../../;%(AdditionalIncludeDirectories) - OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;BUILDING_WOLFSSL;WOLFSSL_DLL;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) + OPENSSL_EXTRA;HAVE_THREAD_LS;WOLFSSL_KEY_GEN;BUILDING_WOLFSSL;WOLFSSL_DLL;HAVE_FIPS;HAVE_AESGCM;HAVE_HASHDRBG;WOLFSSL_SHA384;WOLFSSL_SHA512;NO_PSK;NO_HC128;NO_RC4;NO_RABBIT;NO_DSA;NO_MD4;%(PreprocessorDefinitions) MultiThreadedDLL true Level3 @@ -261,34 +261,26 @@ $(IntDir)ctaocrypt\ - - - - - - - - diff --git a/LICENSING b/LICENSING index e43bb9f39..9f50165fd 100644 --- a/LICENSING +++ b/LICENSING @@ -1,7 +1,7 @@ -CyaSSL and wolfCrypt are either licensed for use under the GPLv2 or a -standard commercial license. For our users who cannot use CyaSSL under -GPLv2, a commercial license to CyaSSL and wolfCrypt is available. +wolfSSL (formerly known as CyaSSL) and wolfCrypt are either licensed for use +under the GPLv2 or a standard commercial license. For our users who cannot use +wolfSSL under GPLv2, a commercial license to wolfSSL and wolfCrypt is available. Please contact wolfSSL Inc. directly at: Email: licensing@wolfssl.com diff --git a/README b/README index c7245ecbc..74abbb0e8 100644 --- a/README +++ b/README @@ -34,7 +34,18 @@ before calling wolfSSL_new(); Though it's not recommended. *** end Notes *** -wolfSSL (Formerly CyaSSL) Release 3.6.0 (06/19/2015) +wolfSSL (Formerly CyaSSL) Release 3.6.2 (07/20/2015) + +Release 3.6.2 of wolfSSL is an intermediate custom release including: + +- OpenSSH compatibility with --enable-openssh +- stunnel compatibility with --enable-stunnel +- lighttpd compatibility with --enable-lighty + +See INSTALL file for build instructions. +More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html + + **************** wolfSSL (Formerly CyaSSL) Release 3.6.0 (06/19/2015) Release 3.6.0 of wolfSSL has bug fixes and new features including: diff --git a/README.md b/README.md index 7b7d57ce8..edbfb9d35 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,18 @@ before calling wolfSSL_new(); Though it's not recommended. - GNU Binutils 2.24 ld has problems with some debug builds, to fix an ld error add -fdebug-types-section to C_EXTRA_FLAGS +#wolfSSL (Formerly CyaSSL) Release 3.6.2 (07/20/2015) + +##Release 3.6.2 of wolfSSL is an intermediate custom release including: + +- OpenSSH compatibility with --enable-openssh +- stunnel compatibility with --enable-stunnel +- lighttpd compatibility with --enable-lighty + +See INSTALL file for build instructions. +More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html + + #wolfSSL (Formerly CyaSSL) Release 3.6.0 (06/19/2015) ##Release 3.6.0 of wolfSSL has bug fixes and new features including: diff --git a/configure.ac b/configure.ac index 96a7aa7a9..e66b68718 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.6.1],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.6.2],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) @@ -148,12 +148,24 @@ then fi +# OpenSSH compatibility Build +AC_ARG_ENABLE([openssh], + [AS_HELP_STRING([--enable-openssh],[Enable OpenSSH compatibility build (default: disabled)])], + [ENABLED_OPENSSH=$enableval], + [ENABLED_OPENSSH=no]) + + # OPENSSL Extra Compatibility AC_ARG_ENABLE([opensslextra], [ --enable-opensslextra Enable extra OpenSSL API, size+ (default: disabled)], [ ENABLED_OPENSSLEXTRA=$enableval ], [ ENABLED_OPENSSLEXTRA=no ] ) +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_OPENSSLEXTRA="yes" +fi + if test "$ENABLED_OPENSSLEXTRA" = "yes" then AM_CFLAGS="-DOPENSSL_EXTRA $AM_CFLAGS" @@ -194,6 +206,11 @@ AC_ARG_ENABLE([fortress], [ ENABLED_FORTRESS=no ] ) +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_FORTRESS="yes" +fi + if test "$ENABLED_FORTRESS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DFORTRESS -DWOLFSSL_ALWAYS_VERIFY_CB -DOPENSSL_EXTRA -DWOLFSSL_DES_ECB -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_DER_LOAD -DWOLFSSL_SHA512 -DWOLFSSL_SHA384 -DWOLFSSL_KEY_GEN" @@ -481,6 +498,11 @@ AC_ARG_ENABLE([nullcipher], [ ENABLED_NULL_CIPHER=no ] ) +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_NULL_CIPHER="yes" +fi + if test "$ENABLED_NULL_CIPHER" = "yes" then AM_CFLAGS="$AM_CFLAGS -DHAVE_NULL_CIPHER" @@ -493,6 +515,11 @@ AC_ARG_ENABLE([ripemd], [ ENABLED_RIPEMD=no ] ) +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_RIPEMD="yes" +fi + if test "$ENABLED_RIPEMD" = "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RIPEMD" @@ -536,6 +563,11 @@ then ENABLED_SHA512=no fi +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_SHA512="yes" +fi + if test "$ENABLED_SHA512" = "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384" @@ -637,6 +669,11 @@ AC_ARG_ENABLE([dsa], [ ENABLED_DSA=no ] ) +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_DSA="yes" +fi + if test "$ENABLED_DSA" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_DSA" @@ -666,6 +703,11 @@ then ENABLED_ECC=no fi +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_ECC="yes" +fi + if test "$ENABLED_ECC" = "yes" then AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR" @@ -901,6 +943,11 @@ AC_ARG_ENABLE([dh], [ ENABLED_DH=yes ] ) +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_DH="yes" +fi + if test "$ENABLED_DH" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_DH" @@ -1000,6 +1047,14 @@ AC_ARG_ENABLE([aes], if test "$ENABLED_AES" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_AES" + if test "$ENABLED_FORTRESS" = "yes" + then + AC_MSG_ERROR([fortress requires aes]) + fi + if test "$ENABLED_ECC_ENCRYPT" = "yes" + then + AC_MSG_ERROR([cannot enable eccencrypt and hkdf without aes.]) + fi if test "$ENABLED_AESGCM" = "yes" then AC_MSG_ERROR([AESGCM requires AES.]) @@ -1071,6 +1126,11 @@ AC_ARG_ENABLE([arc4], [ ENABLED_ARC4=no ] ) +if test "$ENABLED_OPENSSH" = "yes" +then + ENABLED_ARC4="yes" +fi + if test "$ENABLED_ARC4" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_RC4" @@ -1130,21 +1190,6 @@ fi AM_CONDITIONAL([BUILD_SHA], [test "x$ENABLED_SHA" = "xyes"]) -# MD4 -AC_ARG_ENABLE([md4], - [ --enable-md4 Enable MD4 (default: disabled)], - [ ENABLED_MD4=$enableval ], - [ ENABLED_MD4=no ] - ) - -if test "$ENABLED_MD4" = "no" -then - AM_CFLAGS="$AM_CFLAGS -DNO_MD4" -fi - -AM_CONDITIONAL([BUILD_MD4], [test "x$ENABLED_MD4" = "xyes"]) - - # Web Server Build AC_ARG_ENABLE([webserver], [ --enable-webserver Enable Web Server (default: disabled)], @@ -1412,9 +1457,9 @@ AC_ARG_WITH([ntru], [ AC_MSG_CHECKING([for NTRU]) CPPFLAGS="$CPPFLAGS -DHAVE_NTRU -DHAVE_QSH -DHAVE_TLS_EXTENSIONS" - LIBS="$LIBS -lNTRUEncrypt" + LIBS="$LIBS -lntruencrypt" - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ ntru_crypto_drbg_instantiate(0, 0, 0, 0, 0); ]])], [ ntru_linked=yes ],[ ntru_linked=no ]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ ntru_crypto_drbg_instantiate(0, 0, 0, 0, 0); ]])], [ ntru_linked=yes ],[ ntru_linked=no ]) if test "x$ntru_linked" == "xno" ; then if test "x$withval" != "xno" ; then @@ -1427,7 +1472,7 @@ AC_ARG_WITH([ntru], LDFLAGS="$AM_LDFLAGS -L$tryntrudir/lib" CPPFLAGS="$CPPFLAGS -I$tryntrudir/include" - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ ntru_crypto_drbg_instantiate(0, 0, 0, 0, 0); ]])], [ ntru_linked=yes ],[ ntru_linked=no ]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ ntru_crypto_drbg_instantiate(0, 0, 0, 0, 0); ]])], [ ntru_linked=yes ],[ ntru_linked=no ]) if test "x$ntru_linked" == "xno" ; then AC_MSG_ERROR([NTRU isn't found. @@ -1717,6 +1762,66 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_LIGHTY -DHAVE_WOLFSSL_SSL_H=1" fi +# stunnel Support +AC_ARG_ENABLE([stunnel], + [ --enable-stunnel Enable stunnel (default: disabled)], + [ ENABLED_STUNNEL=$enableval ], + [ ENABLED_STUNNEL=no ] + ) +if test "$ENABLED_STUNNEL" = "yes" +then + # Requires opensslextra make sure on + if test "x$ENABLED_OPENSSLEXTRA" = "xno" + then + ENABLED_OPENSSLEXTRA="yes" + AM_CFLAGS="-DOPENSSL_EXTRA $AM_CFLAGS" + fi + + # Requires coding make sure on + if test "x$ENABLED_CODING" = "xno" + then + ENABLED_CODING="yes" + fi + + # Requires sessioncerts make sure on + if test "x$ENABLED_SESSIONCERTS" = "xno" + then + ENABLED_SESSIONCERTS="yes" + AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS" + fi + + # Requires crls, make sure on + if test "x$ENABLED_CRL" = "xno" + then + ENABLED_CRL="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL" + AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"]) + fi + AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL" +fi + + +# MD4 +AC_ARG_ENABLE([md4], + [ --enable-md4 Enable MD4 (default: disabled)], + [ ENABLED_MD4=$enableval ], + [ ENABLED_MD4=no ] + ) + + +if test "$ENABLED_MD4" = "no" +then + #turn on MD4 if using stunnel + if test "x$ENABLED_STUNNEL" = "xyes" + then + ENABLED_MD4="yes" + else + AM_CFLAGS="$AM_CFLAGS -DNO_MD4" + fi +fi + +AM_CONDITIONAL([BUILD_MD4], [test "x$ENABLED_MD4" = "xyes"]) + # PWDBASED has to come after certservice since we want it on w/o explicit on # PWDBASED @@ -1745,7 +1850,7 @@ FASTMATH_DEFAULT=no if test "$host_cpu" = "x86_64" then -FASTMATH_DEFAULT=yes + FASTMATH_DEFAULT=yes fi # fastmath @@ -2173,6 +2278,7 @@ echo echo " Features " echo " * Single threaded: $ENABLED_SINGLETHREADED" echo " * Filesystem: $ENABLED_FILESYSTEM" +echo " * OpenSSH Build: $ENABLED_OPENSSH" echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA" echo " * Max Strength Build: $ENABLED_MAXSTRENGTH" echo " * fastmath: $ENABLED_FASTMATH" @@ -2218,6 +2324,7 @@ echo " * CODING: $ENABLED_CODING" echo " * MEMORY: $ENABLED_MEMORY" echo " * I/O POOL: $ENABLED_IOPOOL" echo " * LIGHTY: $ENABLED_LIGHTY" +echo " * STUNNEL: $ENABLED_STUNNEL" echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" echo " * DTLS: $ENABLED_DTLS" echo " * Old TLS Versions: $ENABLED_OLD_TLS" diff --git a/cyassl/ctaocrypt/blake2-impl.h b/cyassl/ctaocrypt/blake2-impl.h index fc5ec3a49..de6ed273b 100644 --- a/cyassl/ctaocrypt/blake2-impl.h +++ b/cyassl/ctaocrypt/blake2-impl.h @@ -36,7 +36,7 @@ #define CTAOCRYPT_BLAKE2_IMPL_H #include -#include +#include #endif /* CTAOCRYPT_BLAKE2_IMPL_H */ diff --git a/cyassl/ctaocrypt/blake2-int.h b/cyassl/ctaocrypt/blake2-int.h index 07ea8e745..9dadaadcb 100644 --- a/cyassl/ctaocrypt/blake2-int.h +++ b/cyassl/ctaocrypt/blake2-int.h @@ -37,7 +37,7 @@ #define CTAOCRYPT_BLAKE2_INT_H #include -#include +#include #endif /* CTAOCRYPT_BLAKE2_INT_H */ diff --git a/mcapi/crypto.h b/mcapi/crypto.h index 7a960d855..82b4d0249 100644 --- a/mcapi/crypto.h +++ b/mcapi/crypto.h @@ -163,7 +163,7 @@ enum { /* AES */ typedef struct CRYPT_AES_CTX { - int holder[70]; /* big enough to hold internal, but check on init */ + int holder[74]; /* big enough to hold internal, but check on init */ } CRYPT_AES_CTX; /* key */ diff --git a/scripts/resume.test b/scripts/resume.test index e4b0a6eb3..17bfd8c9f 100755 --- a/scripts/resume.test +++ b/scripts/resume.test @@ -7,6 +7,15 @@ resume_port=11112 no_pid=-1 server_pid=$no_pid + +remove_ready_file() { + if test -e /tmp/wolfssl_server_ready; then + echo -e "removing exisitng server_ready file" + rm /tmp/wolfssl_server_ready + fi +} + + do_cleanup() { echo "in cleanup" @@ -15,6 +24,7 @@ do_cleanup() { echo "killing server" kill -9 $server_pid fi + remove_ready_file } do_trap() { @@ -27,10 +37,7 @@ trap do_trap INT TERM echo -e "\nStarting example server for resume test...\n" -if test -e /tmp/wolfssl_server_ready; then - echo -e "removing exisitng server_ready file" - rm /tmp/wolfssl_server_ready -fi +remove_ready_file ./examples/server/server -r -R -p $resume_port & server_pid=$! @@ -51,6 +58,7 @@ fi wait $server_pid server_result=$? +remove_ready_file if [ $server_result != 0 ] then diff --git a/src/internal.c b/src/internal.c index b63b1fe2a..fa4208c44 100644 --- a/src/internal.c +++ b/src/internal.c @@ -41,7 +41,7 @@ #endif #ifdef HAVE_NTRU - #include "ntru_crypto.h" + #include "libntruencrypt/ntru_crypto.h" #endif #if defined(DEBUG_WOLFSSL) || defined(SHOW_SECRETS) || defined(CHACHA_AEAD_TEST) @@ -247,7 +247,7 @@ static int QSH_FreeAll(WOLFSSL* ssl) static RNG* rng; static wolfSSL_Mutex* rngMutex; -static word32 GetEntropy(unsigned char* out, unsigned long long num_bytes) +static word32 GetEntropy(unsigned char* out, word32 num_bytes) { int ret = 0; @@ -265,7 +265,7 @@ static word32 GetEntropy(unsigned char* out, unsigned long long num_bytes) } ret |= LockMutex(rngMutex); - ret |= wc_RNG_GenerateBlock(rng, out, (word32)num_bytes); + ret |= wc_RNG_GenerateBlock(rng, out, num_bytes); ret |= UnLockMutex(rngMutex); if (ret != 0) @@ -4464,7 +4464,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #else store->current_cert = NULL; #endif -#ifdef FORTRESS +#if defined(HAVE_FORTRESS) || defined(HAVE_STUNNEL) store->ex_data = ssl; #endif ok = ssl->verifyCallback(0, store); @@ -10623,7 +10623,7 @@ static int NtruSecretEncrypt(QSHKey* key, byte* bufIn, word32 inSz, } /* set up ntru drbg */ - ret = ntru_crypto_external_drbg_instantiate(GetEntropy, &drbg); + ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); if (ret != DRBG_OK) return NTRU_DRBG_ERROR; @@ -10670,7 +10670,7 @@ static int NtruSecretDecrypt(QSHKey* key, byte* bufIn, word32 inSz, /* set up drbg */ - ret = ntru_crypto_external_drbg_instantiate(GetEntropy, &drbg); + ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); if (ret != DRBG_OK) return NTRU_DRBG_ERROR; @@ -10805,7 +10805,7 @@ static word32 QSH_MaxSecret(QSHKey* key) } if (isNtru) { - ret = ntru_crypto_external_drbg_instantiate(GetEntropy, &drbg); + ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); if (ret != DRBG_OK) return NTRU_DRBG_ERROR; ret = ntru_crypto_ntru_encrypt(drbg, key->pub.length, @@ -11251,7 +11251,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) return NO_PEER_KEY; } - rc = ntru_crypto_external_drbg_instantiate(GetEntropy, &drbg); + rc = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); if (rc != DRBG_OK) { #ifdef WOLFSSL_SMALL_STACK XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/src/ssl.c b/src/ssl.c index 211112164..feb86736c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -521,6 +521,35 @@ int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz, return SSL_SUCCESS; } + +int wolfSSL_CTX_SetMinDhKey_Sz(WOLFSSL_CTX* ctx, word16 keySz) +{ + if (ctx == NULL || keySz > 16000 || keySz % 8 != 0) + return BAD_FUNC_ARG; + + ctx->minDhKeySz = keySz / 8; + return SSL_SUCCESS; +} + + +int wolfSSL_SetMinDhKey_Sz(WOLFSSL* ssl, word16 keySz) +{ + if (ssl == NULL || keySz > 16000 || keySz % 8 != 0) + return BAD_FUNC_ARG; + + ssl->options.minDhKeySz = keySz / 8; + return SSL_SUCCESS; +} + + +int wolfSSL_GetDhKey_Sz(WOLFSSL* ssl) +{ + if (ssl == NULL) + return BAD_FUNC_ARG; + + return (ssl->options.dhKeySz * 8); +} + #endif /* !NO_DH */ @@ -1648,7 +1677,6 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz, } XFREE(der.buffer, NULL, DYNAMIC_TYPE_KEY); - return ret; } @@ -3493,8 +3521,10 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, #ifdef WOLFSSL_SMALL_STACK name = (char*)XMALLOC(MAX_FILENAME_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (name == NULL) + if (name == NULL) { + closedir(dir); return MEMORY_E; + } #endif while ( ret == SSL_SUCCESS && (entry = readdir(dir)) != NULL) { @@ -4130,36 +4160,6 @@ int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format) return wolfSSL_SetTmpDH_file_wrapper(ctx, NULL, fname, format); } - -int wolfSSL_CTX_SetMinDhKey_Sz(WOLFSSL_CTX* ctx, word16 keySz) -{ - if (ctx == NULL || keySz > 16000 || keySz % 8 != 0) - return BAD_FUNC_ARG; - - ctx->minDhKeySz = keySz / 8; - return SSL_SUCCESS; -} - - -int wolfSSL_SetMinDhKey_Sz(WOLFSSL* ssl, word16 keySz) -{ - if (ssl == NULL || keySz > 16000 || keySz % 8 != 0) - return BAD_FUNC_ARG; - - ssl->options.minDhKeySz = keySz / 8; - return SSL_SUCCESS; -} - - -int wolfSSL_GetDhKey_Sz(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return (ssl->options.dhKeySz * 8); -} - - #endif /* NO_DH */ @@ -7184,8 +7184,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl) void wolfSSL_set_shutdown(WOLFSSL* ssl, int opt) { - (void)ssl; - (void)opt; + WOLFSSL_ENTER("wolfSSL_set_shutdown"); + if(ssl==NULL) { + WOLFSSL_MSG("Shutdown not set. ssl is null"); + return; + } + + ssl->options.sentNotify = (opt&SSL_SENT_SHUTDOWN) > 0; + ssl->options.closeNotify = (opt&SSL_RECEIVED_SHUTDOWN) > 0; } @@ -7238,7 +7244,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_X509_STORE_CTX* ctx) { (void)ctx; - return 0; + return NULL; } @@ -8855,14 +8861,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name(WOLFSSL_X509* cert) { WOLFSSL_ENTER("X509_get_issuer_name"); - return &cert->issuer; + if(cert) + return &cert->issuer; + return NULL; } WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert) { WOLFSSL_ENTER("X509_get_subject_name"); - return &cert->subject; + if(cert) + return &cert->subject; + return NULL; } @@ -9535,23 +9545,6 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) #ifdef OPENSSL_EXTRA -int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) -{ -#ifdef FORTRESS - if (ssl != NULL && idx < MAX_EX_DATA) - { - ssl->ex_data[idx] = data; - return SSL_SUCCESS; - } -#else - (void)ssl; - (void)idx; - (void)data; -#endif - return SSL_FAILURE; -} - - int wolfSSL_set_session_id_context(WOLFSSL* ssl, const unsigned char* id, unsigned int len) { @@ -9571,9 +9564,14 @@ void wolfSSL_set_connect_state(WOLFSSL* ssl) int wolfSSL_get_shutdown(const WOLFSSL* ssl) { + WOLFSSL_ENTER("wolfSSL_get_shutdown"); +#ifdef HAVE_STUNNEL + return (ssl->options.sentNotify << 1) | (ssl->options.closeNotify); +#else return (ssl->options.isClosed || ssl->options.connReset || ssl->options.sentNotify); +#endif } @@ -10198,19 +10196,6 @@ int wolfSSL_COMP_add_compression_method(int method, void* data) } - -int wolfSSL_get_ex_new_index(long idx, void* data, void* cb1, void* cb2, - void* cb3) -{ - (void)idx; - (void)data; - (void)cb1; - (void)cb2; - (void)cb3; - return 0; -} - - void wolfSSL_set_dynlock_create_callback(WOLFSSL_dynlock_value* (*f)( const char*, int)) { @@ -10368,6 +10353,7 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509, STACK_OF(WOLFSSL_X509)* sk) { (void)sk; + WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_init"); if (ctx != NULL) { ctx->store = store; ctx->current_cert = x509; @@ -10554,7 +10540,8 @@ long wolfSSL_ASN1_INTEGER_get(const WOLFSSL_ASN1_INTEGER* i) void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx) { -#ifdef FORTRESS + WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_ex_data"); +#if defined(FORTRESS) || defined(HAVE_STUNNEL) if (ctx != NULL && idx == 0) return ctx->ex_data; #else @@ -10567,24 +10554,13 @@ void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx) int wolfSSL_get_ex_data_X509_STORE_CTX_idx(void) { + WOLFSSL_ENTER("wolfSSL_get_ex_data_X509_STORE_CTX_idx"); return 0; } -void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) -{ -#ifdef FORTRESS - if (ssl != NULL && idx < MAX_EX_DATA) - return ssl->ex_data[idx]; -#else - (void)ssl; - (void)idx; -#endif - return 0; -} - - -void wolfSSL_CTX_set_info_callback(WOLFSSL_CTX* ctx, void (*f)(void)) +void wolfSSL_CTX_set_info_callback(WOLFSSL_CTX* ctx, + void (*f)(const WOLFSSL* ssl, int type, int val)) { (void)ctx; (void)f; @@ -10597,7 +10573,7 @@ unsigned long wolfSSL_ERR_peek_error(void) } -int wolfSSL_ERR_GET_REASON(int err) +int wolfSSL_ERR_GET_REASON(unsigned long err) { (void)err; return 0; @@ -10618,7 +10594,7 @@ char* wolfSSL_alert_desc_string_long(int alertID) } -char* wolfSSL_state_string_long(WOLFSSL* ssl) +char* wolfSSL_state_string_long(const WOLFSSL* ssl) { (void)ssl; return 0; @@ -10777,23 +10753,6 @@ void* wolfSSL_sk_value(WOLFSSL_X509_REVOKED* rev, int i) /* stunnel 4.28 needs */ -void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int d) -{ - (void)ctx; - (void)d; - return 0; -} - - -int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int d, void* p) -{ - (void)ctx; - (void)d; - (void)p; - return SSL_SUCCESS; -} - - void wolfSSL_CTX_sess_set_get_cb(WOLFSSL_CTX* ctx, WOLFSSL_SESSION*(*f)(WOLFSSL*, unsigned char*, int, int*)) { @@ -10851,17 +10810,6 @@ long wolfSSL_SESSION_get_time(const WOLFSSL_SESSION* sess) } -int wolfSSL_CTX_get_ex_new_index(long idx, void* arg, void* a, void* b, - void* c) -{ - (void)idx; - (void)arg; - (void)a; - (void)b; - (void)c; - return 0; -} - #endif /* OPENSSL_EXTRA */ @@ -10901,6 +10849,7 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) WOLFSSL_X509* peer_cert = &ssl->peerCert; buffer fileDer; + fileDer.buffer = 0; file = XFOPEN(fname, "rb"); if (file == XBADFILE) return SSL_BAD_FILE; @@ -10926,7 +10875,6 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) info->set = 0; info->ctx = ctx; info->consumed = 0; - fileDer.buffer = 0; if ((myBuffer != NULL) && (sz > 0) && @@ -11280,17 +11228,27 @@ int wolfSSL_BN_bn2bin(const WOLFSSL_BIGNUM* bn, unsigned char* r) WOLFSSL_BIGNUM* wolfSSL_BN_bin2bn(const unsigned char* str, int len, WOLFSSL_BIGNUM* ret) { + int weOwn = 0; + WOLFSSL_MSG("wolfSSL_BN_bin2bn"); + /* if ret is null create a BN */ + if (ret == NULL) { + ret = wolfSSL_BN_new(); + weOwn = 1; + if (ret == NULL) + return NULL; + } + + /* check ret and ret->internal then read in value */ if (ret && ret->internal) { if (mp_read_unsigned_bin((mp_int*)ret->internal, str, len) != 0) { WOLFSSL_MSG("mp_read_unsigned_bin failure"); + if (weOwn) + wolfSSL_BN_free(ret); return NULL; } } - else { - WOLFSSL_MSG("wolfSSL_BN_bin2bn wants return bignum"); - } return ret; } @@ -11522,6 +11480,38 @@ int wolfSSL_BN_dec2bn(WOLFSSL_BIGNUM** bn, const char* str) } +#if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) +char *wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM *bn) +{ + int len = 0; + char *buf; + + WOLFSSL_MSG("wolfSSL_BN_bn2dec"); + + if (bn == NULL || bn->internal == NULL) { + WOLFSSL_MSG("bn NULL error"); + return NULL; + } + + if (mp_radix_size((mp_int*)bn->internal, 10, &len) != MP_OKAY) { + WOLFSSL_MSG("mp_radix_size failure"); + return NULL; + } + + buf = (char*) XMALLOC(len, NULL, DYNAMIC_TYPE_ECC); + if (buf == NULL) { + WOLFSSL_MSG("wolfSSL_BN_bn2hex malloc buffer failure"); + return NULL; + } + + if (mp_toradix((mp_int*)bn->internal, buf, 10) != MP_OKAY) { + XFREE(buf, NULL, DYNAMIC_TYPE_ECC); + return NULL; + } + + return buf; +} +#else char* wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM* bn) { (void)bn; @@ -11530,6 +11520,7 @@ char* wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM* bn) return NULL; } +#endif /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) */ /* return code compliant with OpenSSL : * 1 if success, 0 else @@ -11538,23 +11529,13 @@ int wolfSSL_BN_lshift(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *bn, int n) { WOLFSSL_MSG("wolfSSL_BN_lshift"); - if (bn == NULL || bn->internal == NULL) { + if (r == NULL || r->internal == NULL || bn == NULL || bn->internal == NULL){ WOLFSSL_MSG("bn NULL error"); return SSL_FAILURE; } - /* create new bn for res, if not done before */ - if (r == NULL) - r = wolfSSL_BN_new(); - - if (r == NULL) { - WOLFSSL_MSG("bn new error"); - return SSL_FAILURE; - } - if (mp_mul_2d((mp_int*)bn->internal, n, (mp_int*)r->internal) != MP_OKAY) { WOLFSSL_MSG("mp_mul_2d error"); - wolfSSL_BN_free(r); return SSL_FAILURE; } @@ -11568,24 +11549,14 @@ int wolfSSL_BN_rshift(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *bn, int n) { WOLFSSL_MSG("wolfSSL_BN_rshift"); - if (bn == NULL || bn->internal == NULL) { + if (r == NULL || r->internal == NULL || bn == NULL || bn->internal == NULL){ WOLFSSL_MSG("bn NULL error"); return SSL_FAILURE; } - /* create new bn for res, if not done before */ - if (r == NULL) - r = wolfSSL_BN_new(); - - if (r == NULL) { - WOLFSSL_MSG("bn new error"); - return SSL_FAILURE; - } - if (mp_div_2d((mp_int*)bn->internal, n, (mp_int*)r->internal, NULL) != MP_OKAY) { WOLFSSL_MSG("mp_mul_2d error"); - wolfSSL_BN_free(r); return SSL_FAILURE; } @@ -11642,11 +11613,11 @@ int wolfSSL_BN_add(WOLFSSL_BIGNUM *r, WOLFSSL_BIGNUM *a, WOLFSSL_BIGNUM *b) int wolfSSL_BN_is_prime_ex(const WOLFSSL_BIGNUM *bn, int nbchecks, WOLFSSL_BN_CTX *ctx, WOLFSSL_BN_GENCB *cb) { + int res; + (void)ctx; (void)cb; - int res; - WOLFSSL_MSG("wolfSSL_BN_is_prime_ex"); if (bn == NULL || bn->internal == NULL) { @@ -11679,12 +11650,12 @@ WOLFSSL_BN_ULONG wolfSSL_BN_mod_word(const WOLFSSL_BIGNUM *bn, if (bn == NULL || bn->internal == NULL) { WOLFSSL_MSG("bn NULL error"); - return SSL_FATAL_ERROR; + return (WOLFSSL_BN_ULONG)SSL_FATAL_ERROR; } if (mp_mod_d((mp_int*)bn->internal, w, &ret) != MP_OKAY) { WOLFSSL_MSG("mp_add_d error"); - return SSL_FATAL_ERROR; + return (WOLFSSL_BN_ULONG)SSL_FATAL_ERROR; } return ret; @@ -11723,6 +11694,7 @@ char *wolfSSL_BN_bn2hex(const WOLFSSL_BIGNUM *bn) return buf; } +#ifndef NO_FILESYSTEM /* return code compliant with OpenSSL : * 1 if success, 0 if error */ @@ -11748,6 +11720,7 @@ int wolfSSL_BN_print_fp(FILE *fp, const WOLFSSL_BIGNUM *bn) return SSL_SUCCESS; } +#endif /* !defined(NO_FILESYSTEM) */ #else /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) */ @@ -11760,6 +11733,7 @@ char *wolfSSL_BN_bn2hex(const WOLFSSL_BIGNUM *bn) return (char*)""; } +#ifndef NO_FILESYSTEM /* return code compliant with OpenSSL : * 1 if success, 0 if error */ @@ -11772,6 +11746,8 @@ int wolfSSL_BN_print_fp(FILE *fp, const WOLFSSL_BIGNUM *bn) return SSL_SUCCESS; } +#endif /* !defined(NO_FILESYSTEM) */ + #endif /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) */ @@ -12649,6 +12625,16 @@ int wolfSSL_DSA_generate_key(WOLFSSL_DSA* dsa) return SSL_FAILURE; } + if (dsa->inSet == 0) + { + WOLFSSL_MSG("No DSA internal set, do it"); + + if (SetDsaInternal(dsa) != SSL_SUCCESS) { + WOLFSSL_MSG("SetDsaInternal failed"); + return ret; + } + } + #ifdef WOLFSSL_KEY_GEN { int initTmpRng = 0; @@ -12754,10 +12740,8 @@ int wolfSSL_DSA_generate_parameters_ex(WOLFSSL_DSA* dsa, int bits, WOLFSSL_MSG("wc_MakeDsaParameters failed"); else if (SetDsaExternal(dsa) != SSL_SUCCESS) WOLFSSL_MSG("SetDsaExternal failed"); - else { - dsa->inSet = 1; + else ret = SSL_SUCCESS; - } } if (initTmpRng) @@ -12863,6 +12847,8 @@ int wolfSSL_DSA_do_verify(const unsigned char* d, unsigned char* sig, ret = DsaVerify(d, sig, (DsaKey*)dsa->internal, dsacheck); if (ret != 0 || *dsacheck != 1) { WOLFSSL_MSG("DsaVerify failed"); + printf("ret = %d\n", ret); + printf("*dsacheck = %d\n", *dsacheck); return ret; } @@ -14789,8 +14775,8 @@ int wolfSSL_ECDH_compute_key(void *out, size_t outlen, void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen)) { - (void)KDF; word32 len; + (void)KDF; WOLFSSL_ENTER("wolfSSL_ECDH_compute_key"); @@ -15696,142 +15682,558 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md) { (void) *d; (void) n; (void) *md; + WOLFSSL_ENTER("wolfSSL_SHA1"); + WOLFSSL_STUB("wolfssl_SHA1"); + return NULL; } - char WOLFSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x) { + char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x) { (void)ctx; (void)x; + WOLFSSL_ENTER("wolfSSL_CTX_use_certificate"); + WOLFSSL_STUB("wolfSSL_CTX_use_certificate"); return 0; } - int WOLFSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) { + int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) { (void)ctx; (void)pkey; + WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey"); + WOLFSSL_STUB("wolfSSL_CTX_use_PrivateKey"); return 0; } - WOLFSSL_BIO *wolfSSL_BIO_new_file(const char *filename, const char *mode) { - (void)filename; - (void)mode; - - return NULL; - } int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name) { (void)b; (void)name; + WOLFSSL_ENTER("wolfSSL_BIO_read_filename"); + WOLFSSL_STUB("wolfSSL_BIO_read_filename"); return 0; } - WOLFSSL_BIO_METHOD* WOLFSSL_BIO_s_file(void) { + WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_file(void) { + WOLFSSL_ENTER("wolfSSL_BIO_s_file"); + WOLFSSL_STUB("wolfSSL_BIO_s_file"); + return NULL; } const char * wolf_OBJ_nid2sn(int n) { (void)n; + WOLFSSL_ENTER("wolf_OBJ_nid2sn"); + WOLFSSL_STUB("wolf_OBJ_nid2sn"); return 0; } int wolf_OBJ_obj2nid(const WOLFSSL_ASN1_OBJECT *o) { (void)o; + WOLFSSL_ENTER("wolf_OBJ_obj2nid"); + WOLFSSL_STUB("wolf_OBJ_obj2nid"); return 0; } int wolf_OBJ_sn2nid(const char *sn) { (void)sn; + WOLFSSL_ENTER("wolf_OBJ_osn2nid"); + WOLFSSL_STUB("wolf_OBJ_osn2nid"); return 0; } - WOLFSSL_DH *PEM_read_bio_DHparams(WOLFSSL_BIO *bp, WOLFSSL_DH **x, pem_password_cb *cb, void *u) { - (void)bp; - (void)x; - (void)cb; - (void)u; - - return NULL; - } WOLFSSL_X509 *PEM_read_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u) { (void)bp; (void)x; (void)cb; (void)u; + WOLFSSL_ENTER("PEM_read_bio_WOLFSSL_X509"); + WOLFSSL_STUB("PEM_read_bio_WOLFSSL_X509"); return NULL; } - int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x) { - (void)bp; - (void)x; - - return 0; - } - - long WOLFSSL_CTX_set_tmp_dh(WOLFSSL_CTX *ctx, WOLFSSL_DH *dh) { - (void)ctx; - (void)dh; - - return 0; - } - - void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth) { + void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx, int depth) { (void)ctx; (void)depth; + WOLFSSL_ENTER("wolfSSL_CTX_set_verify_depth"); + WOLFSSL_STUB("wolfSSL_CTX_set_verify_depth"); + } - void* WOLFSSL_get_app_data( const WOLFSSL *ssl) + void* wolfSSL_get_app_data( const WOLFSSL *ssl) { /* checkout exdata stuff... */ (void)ssl; + WOLFSSL_ENTER("wolfSSL_get_app_data"); + WOLFSSL_STUB("wolfSSL_get_app_data"); return 0; } - void WOLFSSL_set_app_data(WOLFSSL *ssl, void *arg) { + void wolfSSL_set_app_data(WOLFSSL *ssl, void *arg) { (void)ssl; (void)arg; + WOLFSSL_ENTER("wolfSSL_set_app_data"); + WOLFSSL_STUB("wolfSSL_set_app_data"); } - WOLFSSL_ASN1_OBJECT * WOLFSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne) { + WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne) { (void)ne; + WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_get_object"); + WOLFSSL_STUB("wolfSSL_X509_NAME_ENTRY_get_object"); return NULL; } - WOLFSSL_X509_NAME_ENTRY *WOLFSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc) { + WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc) { (void)name; (void)loc; + WOLFSSL_ENTER("wolfSSL_X509_NAME_get_entry"); + WOLFSSL_STUB("wolfSSL_X509_NAME_get_entry"); return NULL; } - void WOLFSSL_X509_NAME_free(WOLFSSL_X509_NAME *name){ + void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name){ FreeX509Name(name); + WOLFSSL_ENTER("wolfSSL_X509_NAME_free"); + WOLFSSL_STUB("wolfSSL_X509_NAME_free"); } void wolfSSL_sk_X509_NAME_pop_free(STACK_OF(WOLFSSL_X509_NAME)* sk, void f (WOLFSSL_X509_NAME*)){ (void) sk; (void) f; + WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_pop_free"); + WOLFSSL_STUB("wolfSSL_sk_X509_NAME_pop_free"); } int wolfSSL_X509_check_private_key(WOLFSSL_X509 *x509, WOLFSSL_EVP_PKEY *key){ (void) x509; (void) key; - return 0; + WOLFSSL_ENTER("wolfSSL_X509_check_private_key"); + WOLFSSL_STUB("wolfSSL_X509_check_private_key"); + + return SSL_SUCCESS; } STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list( STACK_OF(WOLFSSL_X509_NAME) *sk ){ (void) sk; + WOLFSSL_ENTER("wolfSSL_dup_CA_list"); + WOLFSSL_STUB("wolfSSL_dup_CA_list"); + return NULL; } #endif #endif + +#ifdef OPENSSL_EXTRA +void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) +{ + WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); + #ifdef HAVE_STUNNEL + if(ctx != NULL && idx < MAX_EX_DATA) { + return ctx->ex_data[idx]; + } + #else + (void)ctx; + (void)idx; + #endif + return NULL; +} + + +int wolfSSL_CTX_get_ex_new_index(long idx, void* arg, void* a, void* b, + void* c) +{ + WOLFSSL_ENTER("wolfSSL_CTX_get_ex_new_index"); + (void)idx; + (void)arg; + (void)a; + (void)b; + (void)c; + return 0; +} + + +int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data) +{ + WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data"); + #ifdef HAVE_STUNNEL + if (ctx != NULL && idx < MAX_EX_DATA) + { + ctx->ex_data[idx] = data; + return SSL_SUCCESS; + } + #else + (void)ctx; + (void)idx; + (void)data; + #endif + return SSL_FAILURE; +} + + +int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) +{ + WOLFSSL_ENTER("wolfSSL_set_ex_data"); +#if defined(FORTRESS) || defined(HAVE_STUNNEL) + if (ssl != NULL && idx < MAX_EX_DATA) + { + ssl->ex_data[idx] = data; + return SSL_SUCCESS; + } +#else + (void)ssl; + (void)idx; + (void)data; +#endif + return SSL_FAILURE; +} + + +int wolfSSL_get_ex_new_index(long idx, void* data, void* cb1, void* cb2, + void* cb3) +{ + WOLFSSL_ENTER("wolfSSL_get_ex_new_index"); + (void)idx; + (void)data; + (void)cb1; + (void)cb2; + (void)cb3; + return 0; +} + + +void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) +{ + WOLFSSL_ENTER("wolfSSL_get_ex_data"); +#if defined(FORTRESS) || defined(HAVE_STUNNEL) + if (ssl != NULL && idx < MAX_EX_DATA) + return ssl->ex_data[idx]; +#else + (void)ssl; + (void)idx; +#endif + return 0; +} +#endif /* OPENSSL_EXTRA */ + + +#if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) +WOLFSSL_BIO *wolfSSL_BIO_new_file(const char *filename, const char *mode) { + (void)filename; + (void)mode; + WOLFSSL_ENTER("wolfSSL_BIO_new_file"); + WOLFSSL_STUB("wolfSSL_BIO_new_file"); + + return NULL; +} + + +WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bp, WOLFSSL_DH **x, pem_password_cb *cb, void *u) +{ + (void) bp; + (void) x; + (void) cb; + (void) u; + + WOLFSSL_ENTER("wolfSSL_PEM_read_bio_DHparams"); + WOLFSSL_STUB("wolfSSL_PEM_read_bio_DHparams"); + + return NULL; +} + +int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x) { + (void)bp; + (void)x; + WOLFSSL_ENTER("PEM_write_bio_WOLFSSL_X509"); + WOLFSSL_STUB("PEM_write_bio_WOLFSSL_X509"); + + return 0; +} + + +#ifndef NO_DH +/* Intialize ctx->dh with dh's params. Return SSL_SUCCESS on ok */ +long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL_DH* dh) +{ + int pSz, gSz; + byte *p, *g; + int ret=0; + + WOLFSSL_ENTER("wolfSSL_CTX_set_tmp_dh"); + + if(!ctx || !dh) + return BAD_FUNC_ARG; + + /* Get needed size for p and g */ + pSz = wolfSSL_BN_bn2bin(dh->p, NULL); + gSz = wolfSSL_BN_bn2bin(dh->g, NULL); + + if(pSz <= 0 || gSz <= 0) + return SSL_FATAL_ERROR; + + p = XMALLOC(pSz, ctx->heap, DYNAMIC_TYPE_DH); + if(!p) + return MEMORY_E; + + g = XMALLOC(gSz, ctx->heap, DYNAMIC_TYPE_DH); + if(!g) { + XFREE(p, ctx->heap, DYNAMIC_TYPE_DH); + return MEMORY_E; + } + + pSz = wolfSSL_BN_bn2bin(dh->p, p); + gSz = wolfSSL_BN_bn2bin(dh->g, g); + + if(pSz >= 0 && gSz >= 0) /* Conversion successful */ + ret = wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz); + + XFREE(p, ctx->heap, DYNAMIC_TYPE_DH); + XFREE(g, ctx->heap, DYNAMIC_TYPE_DH); + + return pSz > 0 && gSz > 0 ? ret : SSL_FATAL_ERROR; +} +#endif /* NO_DH */ +#endif /* HAVE_LIGHTY || HAVE_STUNNEL */ + + +/* stunnel compatability functions*/ +#if defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL) +int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) +{ + WOLFSSL_ENTER("wolfSSL_SESSION_set_ex_data"); + if(session != NULL && idx < MAX_EX_DATA) { + session->ex_data[idx] = data; + return SSL_SUCCESS; + } + return SSL_FAILURE; +} + + +int wolfSSL_SESSION_get_ex_new_index(long idx, void* data, void* cb1, + void* cb2, CRYPTO_free_func* cb3) +{ + WOLFSSL_ENTER("wolfSSL_SESSION_get_ex_new_index"); + (void)idx; + (void)cb1; + (void)cb2; + (void)cb3; + if(XSTRNCMP(data, "redirect index", 14) == 0) { + return 0; + } + else if(XSTRNCMP(data, "addr index", 10) == 0) { + return 1; + } + return SSL_FAILURE; +} + + +void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx) +{ + WOLFSSL_ENTER("wolfSSL_SESSION_get_ex_data"); + if (session != NULL && idx < MAX_EX_DATA) + return session->ex_data[idx]; + return NULL; +} + + +int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int), + void *(*r) (void *, size_t, const char *, + int), void (*f) (void *)) +{ + (void) m; + (void) r; + (void) f; + + return SSL_FAILURE; +} + + +WOLFSSL_DH *wolfSSL_DH_generate_parameters(int prime_len, int generator, + void (*callback) (int, int, void *), void *cb_arg) +{ + (void)prime_len; + (void)generator; + (void)callback; + (void)cb_arg; + return NULL; +} + + +void wolfSSL_ERR_load_crypto_strings(void){} +unsigned long wolfSSL_ERR_peek_last_error(void) +{ + unsigned long l = 0UL; + return l; +} + + +int wolfSSL_FIPS_mode(void) +{ + return SSL_FAILURE; +} + +int wolfSSL_FIPS_mode_set(int r) +{ + (void)r; + return SSL_FAILURE; +} + + +int wolfSSL_RAND_set_rand_method(const void *meth) +{ + (void) meth; + return SSL_FAILURE; +} + + +int wolfSSL_CIPHER_get_bits(const WOLFSSL_CIPHER *c, int *alg_bits) +{ + int ret = SSL_FAILURE; + if(c != NULL && c->ssl != NULL) { + ret = 8 * c->ssl->specs.key_size; + if(alg_bits != NULL) { + *alg_bits = ret; + } + } + return ret; +} + + +int wolfSSL_sk_X509_NAME_num(const STACK_OF(WOLFSSL_X509_NAME) *s) +{ + (void) s; + return SSL_FAILURE; +} + + +int wolfSSL_sk_X509_num(const STACK_OF(WOLFSSL_X509) *s) +{ + (void) s; + return SSL_FAILURE; +} + + +int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* nm, + int indent, unsigned long flags) +{ + (void)bio; + (void)nm; + (void)indent; + (void)flags; + return SSL_FAILURE; +} + + +WOLFSSL_ASN1_BIT_STRING* wolfSSL_X509_get0_pubkey_bitstr(const WOLFSSL_X509* x) +{ + (void)x; + return NULL; +} + + +int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session) +{ + (void)ctx; + (void)session; + return SSL_SUCCESS; +} + + +int wolfSSL_get_state(const WOLFSSL* ssl) +{ + (void)ssl; + return SSL_FAILURE; +} + + +void* wolfSSL_sk_X509_NAME_value(STACK_OF(WOLFSSL_X509_NAME)* sk, int i) +{ + (void)sk; + (void)i; + return NULL; +} + + +void* wolfSSL_sk_X509_value(STACK_OF(WOLFSSL_X509)* sk, int i) +{ + (void)sk; + (void)i; + return NULL; +} + + +int wolfSSL_version(WOLFSSL* ssl) +{ + if (ssl->version.major == SSLv3_MAJOR) { + switch (ssl->version.minor) { + case SSLv3_MINOR : + return SSL3_VERSION; + case TLSv1_MINOR : + case TLSv1_1_MINOR : + case TLSv1_2_MINOR : + return TLS1_VERSION; + default: + return SSL_FAILURE; + } + } + else if (ssl->version.major == DTLS_MAJOR) { + switch (ssl->version.minor) { + case DTLS_MINOR : + case DTLSv1_2_MINOR : + return DTLS1_VERSION; + default: + return SSL_FAILURE; + } + } + return SSL_FAILURE; +} + + +STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL* ssl) +{ + (void)ssl; + return NULL; +} + + +long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx) +{ + (void)ctx; + return 0; +} + + +WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl) +{ + return ssl->ctx; +} + +int wolfSSL_X509_NAME_get_sz(WOLFSSL_X509_NAME* name) +{ + if(!name) + return -1; + return name->sz; +} + + +const byte* wolfSSL_SESSION_get_id(WOLFSSL_SESSION* sess, unsigned int* idLen) +{ + if(!sess || !idLen) { + WOLFSSL_MSG("Bad func args. Please provide idLen"); + return NULL; + } + *idLen = sess->sessionIDSz; + return sess->sessionID; +} +#endif /* OPENSSL_EXTRA and HAVE_STUNNEL */ diff --git a/src/tls.c b/src/tls.c index 5a070f667..39f36bb17 100644 --- a/src/tls.c +++ b/src/tls.c @@ -37,7 +37,7 @@ #endif #ifdef HAVE_NTRU - #include "ntru_crypto.h" + #include "libntruencrypt/ntru_crypto.h" #include #endif #ifdef HAVE_QSH @@ -2836,7 +2836,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, #ifdef HAVE_NTRU -static word32 GetEntropy(unsigned char* out, unsigned long long num_bytes) +static word32 GetEntropy(unsigned char* out, word32 num_bytes) { int ret = 0; @@ -2854,7 +2854,7 @@ static word32 GetEntropy(unsigned char* out, unsigned long long num_bytes) } ret |= LockMutex(rngMutex); - ret |= wc_RNG_GenerateBlock(rng, out, (word32)num_bytes); + ret |= wc_RNG_GenerateBlock(rng, out, num_bytes); ret |= UnLockMutex(rngMutex); if (ret != 0) @@ -2947,7 +2947,7 @@ int TLSX_CreateNtruKey(WOLFSSL* ssl, int type) WOLFSSL_MSG("Unknown type for creating NTRU key"); return -1; } - ret = ntru_crypto_external_drbg_instantiate(GetEntropy, &drbg); + ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); if (ret != DRBG_OK) { WOLFSSL_MSG("NTRU drbg instantiate failed\n"); return ret; diff --git a/support/wolfssl.pc b/support/wolfssl.pc index 024f117ab..f95d19b7a 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.6.1 +Version: 3.6.2 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/tests/test-qsh.conf b/tests/test-qsh.conf index 8261f147d..0f59c428f 100644 --- a/tests/test-qsh.conf +++ b/tests/test-qsh.conf @@ -2018,4 +2018,7 @@ -c ./certs/ntru-cert.pem -k ./certs/ntru-key.raw +# client TLSv1.2 NTRU_AES128 +-v 3 +-l QSH:NTRU-AES128-SHA diff --git a/tests/test.conf b/tests/test.conf index 963db7b06..9e6d0674a 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -2018,4 +2018,7 @@ -c ./certs/ntru-cert.pem -k ./certs/ntru-key.raw +# client TLSv1.2 NTRU_AES128 +-v 3 +-l NTRU-AES128-SHA diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 891ce0bf9..e68af6177 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -71,7 +71,7 @@ #include "cavium_ioctl.h" #endif #ifdef HAVE_NTRU - #include "ntru_crypto.h" + #include "libntruencrypt/ntru_crypto.h" #endif #if defined(WOLFSSL_MDK_ARM) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e9019456d..90edfc77c 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -49,7 +49,7 @@ #endif #ifdef HAVE_NTRU - #include "ntru_crypto.h" + #include "libntruencrypt/ntru_crypto.h" #endif #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384) diff --git a/wolfcrypt/src/coding.c b/wolfcrypt/src/coding.c index bed85a5a1..0dff4c94d 100644 --- a/wolfcrypt/src/coding.c +++ b/wolfcrypt/src/coding.c @@ -166,8 +166,8 @@ static int CEscape(int escaped, byte e, byte* out, word32* i, word32 max, else basic = base64Encode[e]; - /* check whether to escape */ - if (escaped) { + /* check whether to escape. Only escape for EncodeEsc */ + if (escaped == WC_ESC_NL_ENC) { switch ((char)basic) { case '+' : plus = 1; @@ -235,15 +235,17 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out, word32 outSz = (inLen + 3 - 1) / 3 * 4; word32 addSz = (outSz + PEM_LINE_SZ - 1) / PEM_LINE_SZ; /* new lines */ - if (escaped) + if (escaped == WC_ESC_NL_ENC) addSz *= 3; /* instead of just \n, we're doing %0A triplet */ + else if (escaped == WC_NO_NL_ENC) + addSz = 0; /* encode without \n */ outSz += addSz; /* if escaped we can't predetermine size for one pass encoding, but * make sure we have enough if no escapes are in input */ if (outSz > *outLen) return BAD_FUNC_ARG; - + while (inLen > 2) { byte b1 = in[j++]; byte b2 = in[j++]; @@ -267,7 +269,8 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out, inLen -= 3; - if ((++n % (PEM_LINE_SZ / 4)) == 0 && inLen) { + /* Insert newline after PEM_LINE_SZ, unless no \n requested */ + if (escaped != WC_NO_NL_ENC && (++n % (PEM_LINE_SZ/4)) == 0 && inLen){ ret = CEscape(escaped, '\n', out, &i, *outLen, 1); if (ret != 0) break; } @@ -285,44 +288,48 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out, byte e3 = (byte)((b2 & 0xF) << 2); ret = CEscape(escaped, e1, out, &i, *outLen, 0); - if (ret == 0) + if (ret == 0) ret = CEscape(escaped, e2, out, &i, *outLen, 0); if (ret == 0) { /* third */ if (twoBytes) ret = CEscape(escaped, e3, out, &i, *outLen, 0); - else + else ret = CEscape(escaped, '=', out, &i, *outLen, 1); } /* fourth always pad */ if (ret == 0) ret = CEscape(escaped, '=', out, &i, *outLen, 1); - } + } - if (ret == 0) + if (ret == 0 && escaped != WC_NO_NL_ENC) ret = CEscape(escaped, '\n', out, &i, *outLen, 1); - if (i != outSz && escaped == 0 && ret == 0) - return ASN_INPUT_E; + if (i != outSz && escaped != 1 && ret == 0) + return ASN_INPUT_E; *outLen = i; - return ret; + return ret; } /* Base64 Encode, PEM style, with \n line endings */ int Base64_Encode(const byte* in, word32 inLen, byte* out, word32* outLen) { - return DoBase64_Encode(in, inLen, out, outLen, 0); + return DoBase64_Encode(in, inLen, out, outLen, WC_STD_ENC); } /* Base64 Encode, with %0A esacped line endings instead of \n */ int Base64_EncodeEsc(const byte* in, word32 inLen, byte* out, word32* outLen) { - return DoBase64_Encode(in, inLen, out, outLen, 1); + return DoBase64_Encode(in, inLen, out, outLen, WC_ESC_NL_ENC); } +int Base64_Encode_NoNl(const byte* in, word32 inLen, byte* out, word32* outLen) +{ + return DoBase64_Encode(in, inLen, out, outLen, WC_NO_NL_ENC); +} #endif /* defined(WOLFSSL_BASE64_ENCODE) */ diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c index 1f9308e86..dc0e20e4b 100644 --- a/wolfcrypt/src/dsa.c +++ b/wolfcrypt/src/dsa.c @@ -18,6 +18,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ +#include #ifdef HAVE_CONFIG_H #include @@ -93,6 +94,8 @@ int wc_MakeDsaKey(RNG *rng, DsaKey *dsa) return BAD_FUNC_ARG; qsize = mp_unsigned_bin_size(&dsa->q); + if (qsize == 0) + return BAD_FUNC_ARG; /* allocate ram */ buf = (unsigned char *)XMALLOC(qsize, NULL, @@ -114,9 +117,6 @@ int wc_MakeDsaKey(RNG *rng, DsaKey *dsa) return err; } - /* force magnitude */ - buf[0] |= 0xC0; - err = mp_read_unsigned_bin(&dsa->x, buf, qsize); if (err != MP_OKAY) { mp_clear(&dsa->x); @@ -148,9 +148,11 @@ int wc_MakeDsaKey(RNG *rng, DsaKey *dsa) /* modulus_size in bits */ int wc_MakeDsaParameters(RNG *rng, int modulus_size, DsaKey *dsa) { - mp_int tmp, tmp2; - int err, res, msize, qsize, loop; - unsigned char *buf; + mp_int tmp, tmp2; + int err, msize, qsize, + loop_check_prime = 0, + check_prime = MP_NO; + unsigned char *buf; if (rng == NULL || dsa == NULL) return BAD_FUNC_ARG; @@ -174,43 +176,16 @@ int wc_MakeDsaParameters(RNG *rng, int modulus_size, DsaKey *dsa) /* modulus size in bytes */ msize = modulus_size / 8; - if (mp_init(&dsa->q) != MP_OKAY) - return MP_INIT_E; - - /* make our prime q */ - err = mp_rand_prime(&dsa->q, qsize, rng, NULL); - if (err != MP_OKAY) { - mp_clear(&dsa->q); - return err; - } - - if (mp_init(&tmp) != MP_OKAY) { - mp_clear(&dsa->q); - return MP_INIT_E; - } - - /* tmp = 2q */ - err = mp_add(&dsa->q, &dsa->q, &tmp); - if (err != MP_OKAY) { - mp_clear(&dsa->q); - mp_clear(&tmp); - return err; - } - /* allocate ram */ buf = (unsigned char *)XMALLOC(msize - qsize, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (buf == NULL) { - mp_clear(&dsa->q); - mp_clear(&tmp); return MEMORY_E; } - /* now make a random string and multply it against q */ + /* make a random string that will be multplied against q */ err = wc_RNG_GenerateBlock(rng, buf, msize - qsize); if (err != MP_OKAY) { - mp_clear(&dsa->q); - mp_clear(&tmp); XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); return err; } @@ -221,9 +196,8 @@ int wc_MakeDsaParameters(RNG *rng, int modulus_size, DsaKey *dsa) /* force even */ buf[msize - qsize - 1] &= ~1; - if (mp_init_multi(&tmp2, &dsa->p, 0, 0, 0, 0) != MP_OKAY) { + if (mp_init_multi(&tmp2, &dsa->p, &dsa->q, 0, 0, 0) != MP_OKAY) { mp_clear(&dsa->q); - mp_clear(&tmp); XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); return MP_INIT_E; } @@ -232,25 +206,48 @@ int wc_MakeDsaParameters(RNG *rng, int modulus_size, DsaKey *dsa) if (err != MP_OKAY) { mp_clear(&dsa->q); mp_clear(&dsa->p); - mp_clear(&tmp); mp_clear(&tmp2); XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); return err; } XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - /* p = tmp2 * q */ - err = mp_mul(&dsa->q, &tmp2, &dsa->p); + /* make our prime q */ + err = mp_rand_prime(&dsa->q, qsize, rng, NULL); if (err != MP_OKAY) { mp_clear(&dsa->q); mp_clear(&dsa->p); - mp_clear(&tmp); mp_clear(&tmp2); return err; } - /* p = tmp2 * q + 1, so q is a prime divisor of p-1 */ + /* p = random * q */ + err = mp_mul(&dsa->q, &tmp2, &dsa->p); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp2); + return err; + } + + /* p = random * q + 1, so q is a prime divisor of p-1 */ err = mp_add_d(&dsa->p, 1, &dsa->p); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp2); + return err; + } + + if (mp_init(&tmp) != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp2); + return MP_INIT_E; + } + + /* tmp = 2q */ + err = mp_add(&dsa->q, &dsa->q, &tmp); if (err != MP_OKAY) { mp_clear(&dsa->q); mp_clear(&dsa->p); @@ -260,8 +257,8 @@ int wc_MakeDsaParameters(RNG *rng, int modulus_size, DsaKey *dsa) } /* loop until p is prime */ - for (loop = 0; loop++;) { - err = mp_prime_is_prime(&dsa->p, 8, &res); + while (check_prime == MP_NO) { + err = mp_prime_is_prime(&dsa->p, 8, &check_prime); if (err != MP_OKAY) { mp_clear(&dsa->q); mp_clear(&dsa->p); @@ -270,25 +267,26 @@ int wc_MakeDsaParameters(RNG *rng, int modulus_size, DsaKey *dsa) return err; } - if (res == MP_YES) - break; + if (check_prime != MP_YES) { + /* p += 2q */ + err = mp_add(&tmp, &dsa->p, &dsa->p); + if (err != MP_OKAY) { + mp_clear(&dsa->q); + mp_clear(&dsa->p); + mp_clear(&tmp); + mp_clear(&tmp2); + return err; + } - /* p += 2q */ - err = mp_add(&tmp, &dsa->p, &dsa->p); - if (err != MP_OKAY) { - mp_clear(&dsa->q); - mp_clear(&dsa->p); - mp_clear(&tmp); - mp_clear(&tmp2); - return err; + loop_check_prime++; } } - /* tmp2 += (2*loop) + /* tmp2 += (2*loop_check_prime) * to have p = (q * tmp2) + 1 prime */ - if (loop) { - err = mp_add_d(&tmp2, 2*loop, &tmp2); + if (loop_check_prime) { + err = mp_add_d(&tmp2, 2*loop_check_prime, &tmp2); if (err != MP_OKAY) { mp_clear(&dsa->q); mp_clear(&dsa->p); diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index d247cb3b7..f9b82f220 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -4912,7 +4912,7 @@ static int ecc_get_key_sizes(ecEncCtx* ctx, int* encKeySz, int* ivSz, switch (ctx->encAlgo) { case ecAES_128_CBC: *encKeySz = KEY_SIZE_128; - *ivSz = IV_SIZE_64; + *ivSz = IV_SIZE_128; *blockSz = AES_BLOCK_SIZE; break; default: diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index aaf9954b5..5f337fd30 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -963,7 +963,7 @@ top: /* if not zero goto step 4 */ if (mp_iszero (&u) == 0) { - if (++loop_check > 1024) { + if (++loop_check > 4096) { res = MP_VAL; goto LBL_ERR; } @@ -2501,33 +2501,6 @@ int mp_reduce_2k_setup(mp_int *a, mp_digit *d) } -/* computes a = 2**b - * - * Simple algorithm which zeroes the int, grows it then just sets one bit - * as required. - */ -int -mp_2expt (mp_int * a, int b) -{ - int res; - - /* zero a as per default */ - mp_zero (a); - - /* grow a to accomodate the single bit */ - if ((res = mp_grow (a, b / DIGIT_BIT + 1)) != MP_OKAY) { - return res; - } - - /* set the used count of where the bit will go */ - a->used = b / DIGIT_BIT + 1; - - /* put the single bit in its place */ - a->dp[b / DIGIT_BIT] = ((mp_digit)1) << (b % DIGIT_BIT); - - return MP_OKAY; -} - /* set the b bit of a */ int mp_set_bit (mp_int * a, int b) @@ -2550,6 +2523,19 @@ mp_set_bit (mp_int * a, int b) return MP_OKAY; } +/* computes a = 2**b + * + * Simple algorithm which zeroes the int, set the required bit + */ +int +mp_2expt (mp_int * a, int b) +{ + /* zero a as per default */ + mp_zero (a); + + return mp_set_bit(a, b); +} + /* multiply by a digit */ int mp_mul_d (mp_int * a, mp_digit b, mp_int * c) diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index cbb922199..5c5f60bda 100755 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -933,7 +933,7 @@ top: /* if not zero goto step 4 */ if (fp_iszero (&u) == FP_NO) { - if (++loop_check > 1024) /* bad input */ + if (++loop_check > 4096) /* bad input */ return FP_VAL; goto top; } @@ -1840,11 +1840,11 @@ int fp_set_bit (fp_int * a, fp_digit b) i = b/DIGIT_BIT; /* set the used count of where the bit will go if required */ - if (a->used < (int)(i + 1)) - a->used = (int)(i + 1); + if (a->used < (int)(i+1)) + a->used = (int)(i+1); /* put the single bit in its place */ - a->dp[i] |= ((mp_digit)1) << (b % DIGIT_BIT); + a->dp[i] |= ((fp_digit)1) << (b % DIGIT_BIT); return MP_OKAY; } @@ -1868,6 +1868,7 @@ int fp_count_bits (fp_int * a) ++r; q >>= ((fp_digit) 1); } + return r; } diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index f4a624432..a36a2fa36 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -115,7 +115,7 @@ #endif #ifdef HAVE_NTRU - #include "ntru_crypto.h" + #include "libntruencrypt/ntru_crypto.h" #endif #ifdef HAVE_CAVIUM #include "cavium_sysdep.h" @@ -3386,7 +3386,6 @@ int rsa_test(void) wc_RsaInitCavium(&key, CAVIUM_DEV_ID); #endif -printf("1\n"); ret = wc_InitRsaKey(&key, 0); if (ret != 0) { free(tmp); @@ -3447,7 +3446,7 @@ printf("1\n"); free(tmp); return -49; } -printf("11\n"); + bytes = fread(tmp, 1, FOURK_BUF, file2); fclose(file2); #endif @@ -3467,7 +3466,6 @@ printf("11\n"); (void)bytes; #endif -printf("111\n"); #ifdef WOLFSSL_KEY_GEN { byte* der; @@ -3478,7 +3476,7 @@ printf("111\n"); RsaKey genKey; FILE* keyFile; FILE* pemFile; -printf("2\n"); + ret = wc_InitRsaKey(&genKey, 0); if (ret != 0) return -300; @@ -3504,7 +3502,7 @@ printf("2\n"); free(pem); return -302; } -printf("22\n"); + #ifdef FREESCALE_MQX keyFile = fopen("a:\\certs\\key.der", "wb"); #else @@ -3532,7 +3530,7 @@ printf("22\n"); wc_FreeRsaKey(&genKey); return -304; } -printf("222\n"); + #ifdef FREESCALE_MQX pemFile = fopen("a:\\certs\\key.pem", "wb"); #else @@ -3569,7 +3567,7 @@ printf("222\n"); wc_FreeRsaKey(&genKey); return -306; } -printf("2222\n"); + wc_FreeRsaKey(&derIn); wc_FreeRsaKey(&genKey); free(pem); @@ -3577,7 +3575,6 @@ printf("2222\n"); } #endif /* WOLFSSL_KEY_GEN */ -printf("3\n"); #ifdef WOLFSSL_CERT_GEN /* self signed */ { @@ -3600,7 +3597,7 @@ printf("3\n"); free(derCert); return -310; } -printf("33\n"); + wc_InitCert(&myCert); strncpy(myCert.subject.country, "US", CTC_NAME_SIZE); @@ -3630,7 +3627,7 @@ printf("33\n"); } FreeDecodedCert(&decode); #endif -printf("333\n"); + #ifdef FREESCALE_MQX derFile = fopen("a:\\certs\\cert.der", "wb"); #else @@ -3648,14 +3645,14 @@ printf("333\n"); free(pem); return -414; } -printf("4\n"); + pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, NULL, CERT_TYPE); if (pemSz < 0) { free(derCert); free(pem); return -404; } -printf("41\n"); + #ifdef FREESCALE_MQX pemFile = fopen("a:\\certs\\cert.pem", "wb"); #else @@ -4430,8 +4427,111 @@ int dsa_test(void) if (answer != 1) return -65; wc_FreeDsaKey(&key); - wc_FreeRng(&rng); +#ifdef WOLFSSL_KEY_GEN + { + byte* der; + byte* pem; + int derSz = 0; + int pemSz = 0; + DsaKey derIn; + DsaKey genKey; + FILE* keyFile; + FILE* pemFile; + + wc_InitDsaKey(&genKey); + ret = wc_MakeDsaParameters(&rng, 1024, &genKey); + if (ret != 0) return -362; + + ret = wc_MakeDsaKey(&rng, &genKey); + if (ret != 0) return -363; + + der = (byte*)malloc(FOURK_BUF); + if (der == NULL) { + wc_FreeDsaKey(&genKey); + return -364; + } + pem = (byte*)malloc(FOURK_BUF); + if (pem == NULL) { + free(der); + wc_FreeDsaKey(&genKey); + return -365; + } + + derSz = wc_DsaKeyToDer(&genKey, der, FOURK_BUF); + if (derSz < 0) { + free(der); + free(pem); + return -366; + } + +#ifdef FREESCALE_MQX + keyFile = fopen("a:\\certs\\key.der", "wb"); +#else + keyFile = fopen("./key.der", "wb"); +#endif + if (!keyFile) { + free(der); + free(pem); + wc_FreeDsaKey(&genKey); + return -367; + } + ret = (int)fwrite(der, 1, derSz, keyFile); + fclose(keyFile); + if (ret != derSz) { + free(der); + free(pem); + wc_FreeDsaKey(&genKey); + return -368; + } + + pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, NULL, DSA_PRIVATEKEY_TYPE); + if (pemSz < 0) { + free(der); + free(pem); + wc_FreeDsaKey(&genKey); + return -369; + } + +#ifdef FREESCALE_MQX + pemFile = fopen("a:\\certs\\key.pem", "wb"); +#else + pemFile = fopen("./key.pem", "wb"); +#endif + if (!pemFile) { + free(der); + free(pem); + wc_FreeDsaKey(&genKey); + return -370; + } + ret = (int)fwrite(pem, 1, pemSz, pemFile); + fclose(pemFile); + if (ret != pemSz) { + free(der); + free(pem); + wc_FreeDsaKey(&genKey); + return -371; + } + + wc_InitDsaKey(&derIn); + idx = 0; + ret = wc_DsaPrivateKeyDecode(der, &idx, &derIn, derSz); + if (ret != 0) { + free(der); + free(pem); + wc_FreeDsaKey(&derIn); + wc_FreeDsaKey(&genKey); + return -373; + } + + wc_FreeDsaKey(&derIn); + wc_FreeDsaKey(&genKey); + free(pem); + free(der); + } +#endif /* WOLFSSL_KEY_GEN */ + + wc_FreeRng(&rng); return 0; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 9664bf0e4..66c0d18cd 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -890,7 +890,7 @@ enum Misc { MAX_WOLFSSL_FILE_SIZE = 1024 * 1024 * 4, /* 4 mb file size alloc limit */ -#ifdef FORTRESS +#if defined(FORTRESS) || defined (HAVE_STUNNEL) MAX_EX_DATA = 3, /* allow for three items of ex_data */ #endif @@ -1612,8 +1612,11 @@ struct WOLFSSL_CTX { #endif /* HAVE_ANON */ #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) pem_password_cb passwd_cb; - void* userdata; + void* userdata; #endif /* OPENSSL_EXTRA */ +#ifdef HAVE_STUNNEL + void* ex_data[MAX_EX_DATA]; +#endif #ifdef HAVE_OCSP WOLFSSL_OCSP ocsp; #endif @@ -1847,6 +1850,9 @@ struct WOLFSSL_SESSION { word16 ticketLen; byte ticket[SESSION_TICKET_LEN]; #endif +#ifdef HAVE_STUNNEL + void* ex_data[MAX_EX_DATA]; +#endif }; @@ -2300,7 +2306,7 @@ struct WOLFSSL { #ifdef KEEP_PEER_CERT WOLFSSL_X509 peerCert; /* X509 peer cert */ #endif -#ifdef FORTRESS +#if defined(FORTRESS) || defined(HAVE_STUNNEL) void* ex_data[MAX_EX_DATA]; /* external data, for Fortress */ #endif #ifdef HAVE_CAVIUM diff --git a/wolfssl/openssl/asn1.h b/wolfssl/openssl/asn1.h index 3f34d7d2c..11cafa840 100644 --- a/wolfssl/openssl/asn1.h +++ b/wolfssl/openssl/asn1.h @@ -1,2 +1,19 @@ /* asn1.h for openssl */ +#ifndef WOLFSSL_ASN1_H_ +#define WOLFSSL_ASN1_H_ +struct WOLFSSL_ASN1_BIT_STRING { + int length; + int type; + char* data; + long flags; +}; + +struct WOLFSSL_ASN1_STRING { + int length; + int type; + char* data; + long flags; +}; + +#endif /* WOLFSSL_ASN1_H_ */ diff --git a/wolfssl/openssl/bn.h b/wolfssl/openssl/bn.h index 225e6976d..c56a3cfca 100644 --- a/wolfssl/openssl/bn.h +++ b/wolfssl/openssl/bn.h @@ -77,7 +77,9 @@ WOLFSSL_API int wolfSSL_BN_is_prime_ex(const WOLFSSL_BIGNUM*, int, WOLFSSL_BN_CTX*, WOLFSSL_BN_GENCB*); WOLFSSL_API WOLFSSL_BN_ULONG wolfSSL_BN_mod_word(const WOLFSSL_BIGNUM*, WOLFSSL_BN_ULONG); -WOLFSSL_API int wolfSSL_BN_print_fp(FILE*, const WOLFSSL_BIGNUM*); +#ifndef NO_FILESYSTEM + WOLFSSL_API int wolfSSL_BN_print_fp(FILE*, const WOLFSSL_BIGNUM*); +#endif WOLFSSL_API int wolfSSL_BN_rshift(WOLFSSL_BIGNUM*, const WOLFSSL_BIGNUM*, int); WOLFSSL_API WOLFSSL_BIGNUM *wolfSSL_BN_CTX_get(WOLFSSL_BN_CTX *ctx); WOLFSSL_API void wolfSSL_BN_CTX_start(WOLFSSL_BN_CTX *ctx); diff --git a/wolfssl/openssl/crypto.h b/wolfssl/openssl/crypto.h index 8f7c6f40e..034b1cfe1 100644 --- a/wolfssl/openssl/crypto.h +++ b/wolfssl/openssl/crypto.h @@ -21,6 +21,14 @@ WOLFSSL_API unsigned long wolfSSLeay(void); #define SSLEAY_VERSION 0x0090600fL #define SSLEAY_VERSION_NUMBER SSLEAY_VERSION +#ifdef HAVE_STUNNEL +#define CRYPTO_set_mem_ex_functions wolfSSL_CRYPTO_set_mem_ex_functions +#define FIPS_mode wolfSSL_FIPS_mode +#define FIPS_mode_set wolfSSL_FIPS_mode_set +typedef struct CRYPTO_EX_DATA CRYPTO_EX_DATA; +typedef void (CRYPTO_free_func)(void*parent, void*ptr, CRYPTO_EX_DATA *ad, int idx, + long argl, void* argp); +#endif /* HAVE_STUNNEL */ #endif /* header */ diff --git a/wolfssl/openssl/dh.h b/wolfssl/openssl/dh.h index 2bdb67522..e38b7f7af 100644 --- a/wolfssl/openssl/dh.h +++ b/wolfssl/openssl/dh.h @@ -11,7 +11,7 @@ extern "C" { #endif -typedef struct WOLFSSL_DH { +struct WOLFSSL_DH { WOLFSSL_BIGNUM* p; WOLFSSL_BIGNUM* g; WOLFSSL_BIGNUM* pub_key; /* openssh deference g^x */ @@ -23,7 +23,7 @@ typedef struct WOLFSSL_DH { * lighttpd src code. */ int length; -} WOLFSSL_DH; +}; WOLFSSL_API WOLFSSL_DH* wolfSSL_DH_new(void); @@ -48,4 +48,7 @@ typedef WOLFSSL_DH DH; } /* extern "C" */ #endif +#ifdef HAVE_STUNNEL +#define DH_generate_parameters wolfSSL_DH_generate_parameters +#endif /* HAVE_STUNNEL */ #endif /* header */ diff --git a/wolfssl/openssl/ecdh.h b/wolfssl/openssl/ecdh.h index b5583dd93..57d9e2e37 100644 --- a/wolfssl/openssl/ecdh.h +++ b/wolfssl/openssl/ecdh.h @@ -7,7 +7,7 @@ #include #ifdef __cplusplus -extern C { +extern "C" { #endif diff --git a/wolfssl/openssl/ecdsa.h b/wolfssl/openssl/ecdsa.h index 22b2d4cda..a92841fff 100644 --- a/wolfssl/openssl/ecdsa.h +++ b/wolfssl/openssl/ecdsa.h @@ -35,4 +35,5 @@ WOLFSSL_API int wolfSSL_ECDSA_do_verify(const unsigned char *dgst, } /* extern "C" */ #endif -#endif /* header */ \ No newline at end of file +#endif /* header */ + diff --git a/wolfssl/openssl/err.h b/wolfssl/openssl/err.h index 7e7f1eb78..951386868 100644 --- a/wolfssl/openssl/err.h +++ b/wolfssl/openssl/err.h @@ -1,2 +1,3 @@ /* err.h for openssl */ - +#define ERR_load_crypto_strings wolfSSL_ERR_load_crypto_strings +#define ERR_peek_last_error wolfSSL_ERR_peek_last_error diff --git a/wolfssl/openssl/opensslv.h b/wolfssl/openssl/opensslv.h index dc8de4260..e569ec52a 100644 --- a/wolfssl/openssl/opensslv.h +++ b/wolfssl/openssl/opensslv.h @@ -5,7 +5,15 @@ /* api version compatibility */ -#define OPENSSL_VERSION_NUMBER 0x0090810fL +#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) + /* version number can be increased for Lighty after compatibility for ECDH + is added */ + #define OPENSSL_VERSION_NUMBER 0x0090700fL +#else + #define OPENSSL_VERSION_NUMBER 0x0090810fL +#endif + +#define OPENSSL_VERSION_TEXT LIBWOLFSSL_VERSION_STRING #endif /* header */ diff --git a/wolfssl/openssl/rand.h b/wolfssl/openssl/rand.h index c1fa62e1c..bc1f83a88 100644 --- a/wolfssl/openssl/rand.h +++ b/wolfssl/openssl/rand.h @@ -1,4 +1,6 @@ /* rand.h for openSSL */ #include +#include +#define RAND_set_rand_method wolfSSL_RAND_set_rand_method diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 103d5f217..cae159e55 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -289,7 +289,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define X509_get_serialNumber wolfSSL_X509_get_serialNumber -#define ASN1_TIME_pr wolfSSL_ASN1_TIME_pr +#define ASN1_TIME_print wolfSSL_ASN1_TIME_print #define ASN1_INTEGER_cmp wolfSSL_ASN1_INTEGER_cmp #define ASN1_INTEGER_get wolfSSL_ASN1_INTEGER_get @@ -304,7 +304,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_CTX_set_default_passwd_cb_userdata wolfSSL_CTX_set_default_passwd_cb_userdata #define SSL_CTX_set_default_passwd_cb wolfSSL_CTX_set_default_passwd_cb -#define SSL_CTX_set_timeout wolfSSL_CTX_set_timeout +#define SSL_CTX_set_timeout(ctx, to) wolfSSL_CTX_set_timeout(ctx, (unsigned int) to) #define SSL_CTX_set_info_callback wolfSSL_CTX_set_info_callback #define ERR_peek_error wolfSSL_ERR_peek_error @@ -407,25 +407,21 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define SSL_CB_HANDSHAKE_START 0x10 -#define X509_NAME_free WOLFSSL_X509_NAME_free -#define SSL_CTX_use_certificate WOLFSSL_CTX_use_certificate -#define SSL_CTX_use_PrivateKey WOLFSSL_CTX_use_PrivateKey -#define BIO_new_file wolfSSL_BIO_new_file +#define X509_NAME_free wolfSSL_X509_NAME_free +#define SSL_CTX_use_certificate wolfSSL_CTX_use_certificate +#define SSL_CTX_use_PrivateKey wolfSSL_CTX_use_PrivateKey #define BIO_read_filename wolfSSL_BIO_read_filename -#define BIO_s_file WOLFSSL_BIO_s_file +#define BIO_s_file wolfSSL_BIO_s_file #define OBJ_nid2sn wolf_OBJ_nid2sn #define OBJ_obj2nid wolf_OBJ_obj2nid #define OBJ_sn2nid wolf_OBJ_sn2nid -#define PEM_read_bio_DHparams PEM_read_bio_DHparams #define PEM_read_bio_X509 PEM_read_bio_WOLFSSL_X509 -#define PEM_write_bio_X509 PEM_write_bio_WOLFSSL_X509 -#define SSL_CTX_set_tmp_dh WOLFSSL_CTX_set_tmp_dh #define SSL_CTX_set_verify_depth wolfSSL_CTX_set_verify_depth -#define SSL_get_app_data WOLFSSL_get_app_data -#define SSL_set_app_data WOLFSSL_set_app_data +#define SSL_get_app_data wolfSSL_get_app_data +#define SSL_set_app_data wolfSSL_set_app_data #define X509_NAME_entry_count wolfSSL_X509_NAME_entry_count -#define X509_NAME_ENTRY_get_object WOLFSSL_X509_NAME_ENTRY_get_object -#define X509_NAME_get_entry WOLFSSL_X509_NAME_get_entry +#define X509_NAME_ENTRY_get_object wolfSSL_X509_NAME_ENTRY_get_object +#define X509_NAME_get_entry wolfSSL_X509_NAME_get_entry #define sk_X509_NAME_pop_free wolfSSL_sk_X509_NAME_pop_free #define SHA1 wolfSSL_SHA1 #define X509_check_private_key wolfSSL_X509_check_private_key @@ -433,6 +429,58 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #endif +#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) + +#define PEM_read_bio_DHparams wolfSSL_PEM_read_bio_DHparams +#define PEM_write_bio_X509 PEM_write_bio_WOLFSSL_X509 +#define SSL_CTX_set_tmp_dh wolfSSL_CTX_set_tmp_dh +#define BIO_new_file wolfSSL_BIO_new_file + + +#endif /* HAVE_STUNNEL || HAVE_LIGHTY */ + +#ifdef HAVE_STUNNEL +#include + +/* defined as: (SSL_ST_ACCEPT|SSL_CB_LOOP), which becomes 0x2001*/ +#define SSL_CB_ACCEPT_LOOP 0x2001 +#define SSL2_VERSION 0x0002 +#define SSL3_VERSION 0x0300 +#define TLS1_VERSION 0x0301 +#define DTLS1_VERSION 0xFEFF +#define SSL23_ST_SR_CLNT_HELLO_A (0x210|0x2000) +#define SSL3_ST_SR_CLNT_HELLO_A (0x110|0x2000) +#define ASN1_STRFLGS_ESC_MSB 4 +#define X509_V_ERR_CERT_REJECTED 28 + +#define SSL_alert_desc_string_long wolfSSL_alert_desc_string_long +#define SSL_alert_type_string_long wolfSSL_alert_type_string_long +#define SSL_CIPHER_get_bits wolfSSL_CIPHER_get_bits +#define sk_X509_NAME_num wolfSSL_sk_X509_NAME_num +#define sk_X509_num wolfSSL_sk_X509_num +#define X509_NAME_print_ex wolfSSL_X509_NAME_print_ex +#define X509_get0_pubkey_bitstr wolfSSL_X509_get0_pubkey_bitstr +#define SSL_CTX_get_options wolfSSL_CTX_get_options + +#define SSL_CTX_flush_sessions wolfSSL_flush_sessions +#define SSL_CTX_add_session wolfSSL_CTX_add_session +#define SSL_get_SSL_CTX wolfSSL_get_SSL_CTX +#define SSL_version wolfSSL_version +#define SSL_get_state wolfSSL_get_state +#define SSL_state_string_long wolfSSL_state_string_long +#define SSL_get_peer_cert_chain wolfSSL_get_peer_cert_chain +#define sk_X509_NAME_value wolfSSL_sk_X509_NAME_value +#define sk_X509_value wolfSSL_sk_X509_value +#define SSL_SESSION_get_ex_data wolfSSL_SESSION_get_ex_data +#define SSL_SESSION_set_ex_data wolfSSL_SESSION_set_ex_data +#define SSL_SESSION_get_ex_new_index wolfSSL_SESSION_get_ex_new_index +#define SSL_SESSION_get_id wolfSSL_SESSION_get_id +#define CRYPTO_dynlock_value WOLFSSL_dynlock_value +typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; + + +#endif /* HAVE_STUNNEL */ + #ifdef __cplusplus } /* extern "C" */ #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 58c21e7b9..25b86a6c5 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -91,13 +91,10 @@ typedef struct WOLFSSL_ASN1_TIME WOLFSSL_ASN1_TIME; typedef struct WOLFSSL_ASN1_INTEGER WOLFSSL_ASN1_INTEGER; typedef struct WOLFSSL_ASN1_OBJECT WOLFSSL_ASN1_OBJECT; -typedef struct WOLFSSL_ASN1_STRING{ - #ifdef HAVE_LIGHTY - char* data; - int length; - #endif -} WOLFSSL_ASN1_STRING; -typedef struct WOLFSSL_dynlock_value WOLFSSL_dynlock_value; +typedef struct WOLFSSL_ASN1_STRING WOLFSSL_ASN1_STRING; +typedef struct WOLFSSL_dynlock_value WOLFSSL_dynlock_value; +typedef struct WOLFSSL_DH WOLFSSL_DH; +typedef struct WOLFSSL_ASN1_BIT_STRING WOLFSSL_ASN1_BIT_STRING; #define WOLFSSL_ASN1_UTCTIME WOLFSSL_ASN1_TIME @@ -146,6 +143,7 @@ typedef struct WOLFSSL_X509_REVOKED { typedef struct WOLFSSL_X509_OBJECT { union { char* ptr; + WOLFSSL_X509 *x509; WOLFSSL_X509_CRL* crl; /* stunnel dereference */ } data; } WOLFSSL_X509_OBJECT; @@ -340,7 +338,7 @@ WOLFSSL_API int wolfSSL_dtls(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_dtls_set_peer(WOLFSSL*, void*, unsigned int); WOLFSSL_API int wolfSSL_dtls_get_peer(WOLFSSL*, void*, unsigned int*); -WOLFSSL_API int wolfSSL_ERR_GET_REASON(int err); +WOLFSSL_API int wolfSSL_ERR_GET_REASON(unsigned long err); WOLFSSL_API char* wolfSSL_ERR_error_string(unsigned long,char*); WOLFSSL_API void wolfSSL_ERR_error_string_n(unsigned long e, char* buf, unsigned long sz); @@ -524,14 +522,15 @@ WOLFSSL_API void wolfSSL_CTX_set_default_passwd_cb_userdata(WOLFSSL_CTX*, WOLFSSL_API void wolfSSL_CTX_set_default_passwd_cb(WOLFSSL_CTX*, pem_password_cb); -WOLFSSL_API void wolfSSL_CTX_set_info_callback(WOLFSSL_CTX*, void (*)(void)); +WOLFSSL_API void wolfSSL_CTX_set_info_callback(WOLFSSL_CTX*, + void (*)(const WOLFSSL* ssl, int type, int val)); WOLFSSL_API unsigned long wolfSSL_ERR_peek_error(void); WOLFSSL_API int wolfSSL_GET_REASON(int); WOLFSSL_API char* wolfSSL_alert_type_string_long(int); WOLFSSL_API char* wolfSSL_alert_desc_string_long(int); -WOLFSSL_API char* wolfSSL_state_string_long(WOLFSSL*); +WOLFSSL_API char* wolfSSL_state_string_long(const WOLFSSL*); WOLFSSL_API WOLFSSL_RSA* wolfSSL_RSA_generate_key(int, unsigned long, void(*)(int, int, void*), void*); @@ -644,11 +643,16 @@ enum { X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 20, X509_V_ERR_CERT_HAS_EXPIRED = 21, X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 22, - + X509_V_ERR_CERT_REJECTED = 23, X509_V_OK = 0, + XN_FLAG_SPC_EQ = (1 << 23), + XN_FLAG_ONELINE = 0, + CRYPTO_LOCK = 1, - CRYPTO_NUM_LOCKS = 10 + CRYPTO_NUM_LOCKS = 10, + + ASN1_STRFLGS_ESC_MSB = 4 }; /* extras end */ @@ -1509,26 +1513,23 @@ typedef struct WOLFSSL_X509_NAME_ENTRY { #include +#include -WOLFSSL_API void WOLFSSL_X509_NAME_free(WOLFSSL_X509_NAME *name); -WOLFSSL_API char WOLFSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x); -WOLFSSL_API int WOLFSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey); -WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_file(const char *filename, const char *mode); +WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name); +WOLFSSL_API char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x); +WOLFSSL_API int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey); WOLFSSL_API int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name); -WOLFSSL_API WOLFSSL_BIO_METHOD* WOLFSSL_BIO_s_file(void); +WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_file(void); /* These are to be merged shortly */ WOLFSSL_API const char * wolf_OBJ_nid2sn(int n); WOLFSSL_API int wolf_OBJ_obj2nid(const WOLFSSL_ASN1_OBJECT *o); WOLFSSL_API int wolf_OBJ_sn2nid(const char *sn); -WOLFSSL_API WOLFSSL_DH *PEM_read_bio_DHparams(WOLFSSL_BIO *bp, WOLFSSL_DH **x, pem_password_cb *cb, void *u); WOLFSSL_API WOLFSSL_X509 *PEM_read_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u); -WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x); -WOLFSSL_API long WOLFSSL_CTX_set_tmp_dh(WOLFSSL_CTX *ctx, WOLFSSL_DH *dh); WOLFSSL_API void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth); -WOLFSSL_API void* WOLFSSL_get_app_data( const WOLFSSL *ssl); -WOLFSSL_API void WOLFSSL_set_app_data(WOLFSSL *ssl, void *arg); -WOLFSSL_API WOLFSSL_ASN1_OBJECT * WOLFSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne); -WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *WOLFSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc); +WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); +WOLFSSL_API void wolfSSL_set_app_data(WOLFSSL *ssl, void *arg); +WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne); +WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc); WOLFSSL_API void wolfSSL_sk_X509_NAME_pop_free(STACK_OF(WOLFSSL_X509_NAME)* sk, void f (WOLFSSL_X509_NAME*)); WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API int wolfSSL_X509_check_private_key(WOLFSSL_X509*, WOLFSSL_EVP_PKEY*); @@ -1538,6 +1539,77 @@ WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list( STACK_OF(WOLFSSL_X #endif #endif +#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) + +WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_file(const char *filename, const char *mode); +WOLFSSL_API long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX*, WOLFSSL_DH*); +WOLFSSL_API WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bp, + WOLFSSL_DH **x, pem_password_cb *cb, void *u); +WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x); + + +#endif /* HAVE_STUNNEL || HAVE_LIGHTY */ + + +#ifdef HAVE_STUNNEL + +#include + +WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int), + void *(*r) (void *, size_t, const char *, int), void (*f) (void *)); + +WOLFSSL_API WOLFSSL_DH *wolfSSL_DH_generate_parameters(int prime_len, int generator, + void (*callback) (int, int, void *), void *cb_arg); + +WOLFSSL_API void wolfSSL_ERR_load_crypto_strings(void); + +WOLFSSL_API unsigned long wolfSSL_ERR_peek_last_error(void); + +WOLFSSL_API int wolfSSL_FIPS_mode(void); + +WOLFSSL_API int wolfSSL_FIPS_mode_set(int r); + +WOLFSSL_API int wolfSSL_RAND_set_rand_method(const void *meth); + +WOLFSSL_API int wolfSSL_CIPHER_get_bits(const WOLFSSL_CIPHER *c, int *alg_bits); + +WOLFSSL_API int wolfSSL_sk_X509_NAME_num(const STACK_OF(WOLFSSL_X509_NAME) *s); + +WOLFSSL_API int wolfSSL_sk_X509_num(const STACK_OF(WOLFSSL_X509) *s); + +WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO*,WOLFSSL_X509_NAME*,int,unsigned long); + +WOLFSSL_API WOLFSSL_ASN1_BIT_STRING* wolfSSL_X509_get0_pubkey_bitstr( + const WOLFSSL_X509*); + +WOLFSSL_API int wolfSSL_CTX_add_session(WOLFSSL_CTX*, WOLFSSL_SESSION*); + +WOLFSSL_API WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl); + +WOLFSSL_API int wolfSSL_version(WOLFSSL*); + +WOLFSSL_API int wolfSSL_get_state(const WOLFSSL*); + +WOLFSSL_API void* wolfSSL_sk_X509_NAME_value(STACK_OF(WOLFSSL_X509_NAME)*, int); + +WOLFSSL_API void* wolfSSL_sk_X509_value(STACK_OF(WOLFSSL_X509)*, int); + +WOLFSSL_API STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL*); + +WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx); + +WOLFSSL_API void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION*, int); + +WOLFSSL_API int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION*, int, void*); + +WOLFSSL_API int wolfSSL_SESSION_get_ex_new_index(long,void*,void*,void*, + CRYPTO_free_func*); + +WOLFSSL_API int wolfSSL_X509_NAME_get_sz(WOLFSSL_X509_NAME*); + + +WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION*, unsigned int*); +#endif /* HAVE_STUNNEL */ #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/version.h b/wolfssl/version.h index 6ec106bab..f5a990a10 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.6.1" -#define LIBWOLFSSL_VERSION_HEX 0x03006001 +#define LIBWOLFSSL_VERSION_STRING "3.6.2" +#define LIBWOLFSSL_VERSION_HEX 0x03006002 #ifdef __cplusplus } diff --git a/wolfssl/wolfcrypt/coding.h b/wolfssl/wolfcrypt/coding.h index e7b482379..6c203e964 100644 --- a/wolfssl/wolfcrypt/coding.h +++ b/wolfssl/wolfcrypt/coding.h @@ -41,6 +41,12 @@ WOLFSSL_API int Base64_Decode(const byte* in, word32 inLen, byte* out, #ifdef WOLFSSL_BASE64_ENCODE + enum Escaped { + WC_STD_ENC = 0, /* normal \n line ending encoding */ + WC_ESC_NL_ENC, /* use escape sequence encoding */ + WC_NO_NL_ENC /* no encoding at all */ + }; /* Encoding types */ + /* encode isn't */ WOLFSSL_API int Base64_Encode(const byte* in, word32 inLen, byte* out, @@ -48,6 +54,9 @@ WOLFSSL_API int Base64_Decode(const byte* in, word32 inLen, byte* out, WOLFSSL_API int Base64_EncodeEsc(const byte* in, word32 inLen, byte* out, word32* outLen); + WOLFSSL_API + int Base64_Encode_NoNl(const byte* in, word32 inLen, byte* out, + word32* outLen); #endif #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index 01ad398b8..92fcc4f4f 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -234,6 +234,7 @@ enum { KEY_SIZE_128 = 16, KEY_SIZE_256 = 32, IV_SIZE_64 = 8, + IV_SIZE_128 = 16, EXCHANGE_SALT_SZ = 16, EXCHANGE_INFO_SZ = 23 }; diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index 0b124835b..2e604080d 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -46,9 +46,13 @@ typedef void (*wolfSSL_Logging_cb)(const int logLevel, WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); #ifdef DEBUG_WOLFSSL + /* a is prepended to m and b is appended, creating a log msg a + m + b */ + #define WOLFSSL_LOG_CAT(a, m, b) #a " " m " " #b void WOLFSSL_ENTER(const char* msg); void WOLFSSL_LEAVE(const char* msg, int ret); + #define WOLFSSL_STUB(m) \ + WOLFSSL_MSG(WOLFSSL_LOG_CAT(wolfSSL Stub, m, not implemented)) void WOLFSSL_ERROR(int); void WOLFSSL_MSG(const char* msg); @@ -57,6 +61,7 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); #define WOLFSSL_ENTER(m) #define WOLFSSL_LEAVE(m, r) + #define WOLFSSL_STUB(m) #define WOLFSSL_ERROR(e) #define WOLFSSL_MSG(m) From 8d7d803e588a18b4b0b362d8be2e47e4b1ec9825 Mon Sep 17 00:00:00 2001 From: Ludovic FLAMENT Date: Fri, 24 Jul 2015 07:50:29 +0200 Subject: [PATCH 3/5] add wc_DerToPemEx to restore compatibility API with wc_DerToPem --- src/ssl.c | 12 ++++++------ wolfcrypt/src/asn.c | 9 ++++++++- wolfcrypt/test/test.c | 16 ++++++++-------- wolfssl/wolfcrypt/asn_public.h | 4 +++- 4 files changed, 25 insertions(+), 16 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 7f861db21..15cf1ad08 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -13550,9 +13550,9 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, } /* DER to PEM */ - *plen = wc_DerToPem(der, derSz, tmp, *plen, cipherInfo, PRIVATEKEY_TYPE); + *plen = wc_DerToPemEx(der, derSz, tmp, *plen, cipherInfo, PRIVATEKEY_TYPE); if (*plen <= 0) { - WOLFSSL_MSG("wc_DerToPem failed"); + WOLFSSL_MSG("wc_DerToPemEx failed"); XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) @@ -14916,9 +14916,9 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, } /* DER to PEM */ - *plen = wc_DerToPem(der, derSz, tmp, *plen, cipherInfo, ECC_PRIVATEKEY_TYPE); + *plen = wc_DerToPemEx(der, derSz, tmp, *plen, cipherInfo, ECC_PRIVATEKEY_TYPE); if (*plen <= 0) { - WOLFSSL_MSG("wc_DerToPem failed"); + WOLFSSL_MSG("wc_DerToPemEx failed"); XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) @@ -15085,9 +15085,9 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, } /* DER to PEM */ - *plen = wc_DerToPem(der, derSz, tmp, *plen, cipherInfo, DSA_PRIVATEKEY_TYPE); + *plen = wc_DerToPemEx(der, derSz, tmp, *plen, cipherInfo, DSA_PRIVATEKEY_TYPE); if (*plen <= 0) { - WOLFSSL_MSG("wc_DerToPem failed"); + WOLFSSL_MSG("wc_DerToPemEx failed"); XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index c1a023a6b..daed24e9d 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4676,9 +4676,16 @@ const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) +/* Used for compatibility API */ +int wc_DerToPem(const byte* der, word32 derSz, + byte* output, word32 outSz, int type) +{ + return wc_DerToPemEx(der, derSz, output, outSz, NULL, type); +} + /* convert der buffer to pem into output, can't do inplace, der and output need to be different */ -int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz, +int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz, byte *cipher_info, int type) { #ifdef WOLFSSL_SMALL_STACK diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index a36a2fa36..26ee84d4c 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -3523,7 +3523,7 @@ int rsa_test(void) return -313; } - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, NULL, PRIVATEKEY_TYPE); + pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, PRIVATEKEY_TYPE); if (pemSz < 0) { free(der); free(pem); @@ -3646,7 +3646,7 @@ int rsa_test(void) return -414; } - pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, NULL, CERT_TYPE); + pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); if (pemSz < 0) { free(derCert); free(pem); @@ -3792,7 +3792,7 @@ int rsa_test(void) return -416; } - pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, NULL, CERT_TYPE); + pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); if (pemSz < 0) { free(derCert); free(pem); @@ -3937,7 +3937,7 @@ int rsa_test(void) return -5414; } - pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, NULL, CERT_TYPE); + pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); if (pemSz < 0) { free(pem); free(derCert); @@ -4121,7 +4121,7 @@ int rsa_test(void) return -473; } - pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, NULL, CERT_TYPE); + pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); if (pemSz < 0) { free(derCert); free(pem); @@ -4206,7 +4206,7 @@ int rsa_test(void) return -466; } - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, NULL, CERTREQ_TYPE); + pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, CERTREQ_TYPE); if (pemSz < 0) { free(pem); free(der); @@ -4485,7 +4485,7 @@ int dsa_test(void) return -368; } - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, NULL, DSA_PRIVATEKEY_TYPE); + pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, DSA_PRIVATEKEY_TYPE); if (pemSz < 0) { free(der); free(pem); @@ -5227,7 +5227,7 @@ int ecc_test(void) return -1026; } - pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, NULL, ECC_PRIVATEKEY_TYPE); + pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, ECC_PRIVATEKEY_TYPE); if (pemSz < 0) { return -1027; } diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index cf5c5bc66..04f77851a 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -178,7 +178,9 @@ WOLFSSL_API int wc_SetDatesBuffer(Cert*, const byte*, int); #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || !defined(NO_DSA) WOLFSSL_API int wc_DerToPem(const byte* der, word32 derSz, byte* output, - word32 outputSz, byte *cipherIno, int type); + word32 outputSz, int type); + WOLFSSL_API int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, + word32 outputSz, byte *cipherIno, int type); #endif #ifdef HAVE_ECC From 78a936a4fd83e6983224ec771e103418591898c5 Mon Sep 17 00:00:00 2001 From: Ludovic FLAMENT Date: Fri, 24 Jul 2015 10:58:17 +0200 Subject: [PATCH 4/5] remove debug info fix potential memory leaks comments the size used --- src/ssl.c | 21 ++++++++++++++++----- wolfssl/wolfcrypt/ecc.h | 4 ++-- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 15cf1ad08..58cc6fe94 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -12846,8 +12846,6 @@ int wolfSSL_DSA_do_verify(const unsigned char* d, unsigned char* sig, ret = DsaVerify(d, sig, (DsaKey*)dsa->internal, dsacheck); if (ret != 0 || *dsacheck != 1) { WOLFSSL_MSG("DsaVerify failed"); - printf("ret = %d\n", ret); - printf("*dsacheck = %d\n", *dsacheck); return ret; } @@ -13507,7 +13505,10 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, } } - der_max_len = 5 * wolfSSL_RSA_size(rsa) + 16; + /* 5 > size of n, d, p, q, d%(p-1), d(q-1), 1/q%p, e + ASN.1 additionnal + * informations + */ + der_max_len = 5 * wolfSSL_RSA_size(rsa) + AES_BLOCK_SIZE; der = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (der == NULL) { @@ -13546,6 +13547,8 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, if (tmp == NULL) { WOLFSSL_MSG("malloc failed"); XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (cipherInfo != NULL) + XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } @@ -14873,7 +14876,9 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, } } - der_max_len = 4 * wc_ecc_size((ecc_key*)ecc->internal) + 16; + /* 4 > size of pub, priv + ASN.1 additionnal informations + */ + der_max_len = 4 * wc_ecc_size((ecc_key*)ecc->internal) + AES_BLOCK_SIZE; der = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (der == NULL) { @@ -14912,6 +14917,8 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, if (tmp == NULL) { WOLFSSL_MSG("malloc failed"); XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (cipherInfo != NULL) + XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } @@ -15042,7 +15049,9 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, } } - der_max_len = 4 * wolfSSL_BN_num_bytes(dsa->g) + 16; + /* 4 > size of pub, priv, p, q, g + ASN.1 additionnal informations + */ + der_max_len = 4 * wolfSSL_BN_num_bytes(dsa->g) + AES_BLOCK_SIZE; der = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (der == NULL) { @@ -15081,6 +15090,8 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, if (tmp == NULL) { WOLFSSL_MSG("malloc failed"); XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (cipherInfo != NULL) + XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index 92fcc4f4f..6630a1ae8 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -73,11 +73,11 @@ typedef struct { * mp_ints for the components of the point. With ALT_ECC_SIZE, the components * of the point are pointers that are set to each of a three item array of * alt_fp_ints. While an mp_int will have 4096 bits of digit inside the - * structure, the alt_fp_int will only have 512 bits. A size value was added + * structure, the alt_fp_int will only have 528 bits. A size value was added * in the ALT case, as well, and is set by mp_init() and alt_fp_init(). The * functions fp_zero() and fp_copy() use the size parameter. An int needs to * be initialized before using it instead of just fp_zeroing it, the init will - * call zero. FP_MAX_BITS_ECC defaults to 512, but can be set to change the + * call zero. FP_MAX_BITS_ECC defaults to 528, but can be set to change the * number of bits used in the alternate FP_INT. * * Do not enable ALT_ECC_SIZE and disable fast math in the configuration. From 9c2a85d9f6f5da6dafec2469be77deddc8a15802 Mon Sep 17 00:00:00 2001 From: Ludovic FLAMENT Date: Fri, 24 Jul 2015 11:17:06 +0200 Subject: [PATCH 5/5] fix compilation for 32 bits OS --- wolfcrypt/src/integer.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index 5f337fd30..383f7dab8 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -4290,7 +4290,7 @@ int mp_rand_prime(mp_int* N, int len, RNG* rng, void* heap) byte* buf; if (N == NULL || rng == NULL) - return BAD_FUNC_ARG; + return MP_VAL; /* get type */ if (len < 0) { @@ -4302,13 +4302,13 @@ int mp_rand_prime(mp_int* N, int len, RNG* rng, void* heap) /* allow sizes between 2 and 512 bytes for a prime size */ if (len < 2 || len > 512) { - return BAD_FUNC_ARG; + return MP_VAL; } /* allocate buffer to work with */ buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA); if (buf == NULL) { - return MEMORY_E; + return MP_MEM; } XMEMSET(buf, 0, len); @@ -4341,7 +4341,7 @@ int mp_rand_prime(mp_int* N, int len, RNG* rng, void* heap) } } while (res == MP_NO); - ForceZero(buf, len); + XMEMSET(buf, 0, len); XFREE(buf, heap, DYNAMIC_TYPE_RSA); return MP_OKAY;