diff --git a/.gitignore b/.gitignore index 1d8b7f5bd..bf1d9b1e1 100644 --- a/.gitignore +++ b/.gitignore @@ -37,6 +37,7 @@ examples/echoserver/echoserver examples/server/server snifftest output +mcapi/test testsuite/testsuite tests/unit testsuite/*.der diff --git a/Makefile.am b/Makefile.am index 62a1de399..05a6c655d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -31,6 +31,7 @@ EXTRA_DIST+= lib/dummy EXTRA_DIST+= cyassl-ntru.vcproj EXTRA_DIST+= cyassl.vcproj EXTRA_DIST+= cyassl-iphone.xcodeproj/project.pbxproj +EXTRA_DIST+= cyassl-ios.xcodeproj/project.pbxproj EXTRA_DIST+= cyassl-ntru.sln EXTRA_DIST+= cyassl.sln EXTRA_DIST+= valgrind-error.sh @@ -62,6 +63,7 @@ include mqx/util_lib/Sources/include.am include mplabx/ctaocrypt_benchmark.X/nbproject/include.am include mplabx/ctaocrypt_test.X/nbproject/include.am include mplabx/cyassl.X/nbproject/include.am +include mcapi/include.am if USE_VALGRIND TESTS_ENVIRONMENT=./valgrind-error.sh diff --git a/autogen.sh b/autogen.sh index f16dbd7b9..38665be47 100755 --- a/autogen.sh +++ b/autogen.sh @@ -10,4 +10,7 @@ else fi autoreconf --install --force --verbose -ln -s -f ../../pre-commit.sh .git/hooks/pre-commit + +if test -d .git; then + ln -s -f ../../pre-commit.sh .git/hooks/pre-commit +fi diff --git a/commit-tests.sh b/commit-tests.sh index 31a4bc3d0..1c0a1fa8f 100755 --- a/commit-tests.sh +++ b/commit-tests.sh @@ -23,7 +23,7 @@ RESULT=$? # make sure full config is ok echo -e "\n\nTesting full config as well...\n\n" -./configure --enable-opensslExtra --enable-fastmath --enable-dtls --enable-aesgcm --enable-aesccm --enable-hc128 --enable-sniffer --enable-psk --enable-rabbit --enable-camellia; +./configure --enable-opensslextra --enable-ecc --enable-dtls --enable-aesgcm --enable-aesccm --enable-hc128 --enable-sniffer --enable-psk --enable-rabbit --enable-camellia; RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nFull config ./configure failed" && exit 1 diff --git a/configure.ac b/configure.ac index 5b42d3201..f4bbbd63c 100644 
--- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.5.1],[http://www.yassl.com]) +AC_INIT([cyassl],[2.5.4],[http://www.yassl.com]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIR([m4]) @@ -106,8 +106,8 @@ AS_IF([test "$ax_enable_debug" = "yes"], # SINGLE THREADED -AC_ARG_ENABLE([singleThreaded], - [ --enable-singleThreaded Enable CyaSSL single threaded (default: disabled)], +AC_ARG_ENABLE([singlethreaded], + [ --enable-singlethreaded Enable CyaSSL single threaded (default: disabled)], [ ENABLED_SINGLETHREADED=$enableval ], [ ENABLED_SINGLETHREADED=no ]) @@ -136,8 +136,8 @@ fi # OPENSSL Extra Compatibility -AC_ARG_ENABLE([opensslExtra], - [ --enable-opensslExtra Enable extra OpenSSL API, size+ (default: disabled)], +AC_ARG_ENABLE([opensslextra], + [ --enable-opensslextra Enable extra OpenSSL API, size+ (default: disabled)], [ ENABLED_OPENSSLEXTRA=$enableval ], [ ENABLED_OPENSSLEXTRA=no ] ) @@ -148,7 +148,7 @@ fi if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "$ENABLED_SMALL" = "yes" then - AC_MSG_ERROR([cannot enable small and opensslExtra, only one or the other.]) + AC_MSG_ERROR([cannot enable small and opensslextra, only one or the other.]) fi @@ -201,7 +201,7 @@ AC_ARG_ENABLE([leanpsk], if test "$ENABLED_LEANPSK" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DCYASSL_LEANPSK -DHAVE_NULL_CIPHER -DSINGLE_THREADED -DNO_AES -DNO_FILESYSTEM -DNO_RABBIT -DNO_RSA -DNO_DSA -DNO_DH -DNO_CERTS -DNO_PWDBASED -DNO_DES3 -DNO_MD4 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_WRITEV -DNO_SESSION_CACHE -DNO_DEV_RANDOM -DCYASSL_USER_IO -DUSE_SLOW_SHA" + AM_CFLAGS="$AM_CFLAGS -DCYASSL_LEANPSK -DHAVE_NULL_CIPHER -DSINGLE_THREADED -DNO_AES -DNO_FILESYSTEM -DNO_RABBIT -DNO_RSA -DNO_DSA -DNO_DH -DNO_CERTS -DNO_PWDBASED -DNO_DES3 -DNO_MD4 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_WRITEV -DNO_SESSION_CACHE -DNO_DEV_RANDOM -DCYASSL_USER_IO -DNO_SHA -DUSE_SLOW_SHA" ENABLED_SLOWMATH="no" ENABLED_SINGLETHREADED="yes" fi 
@@ -209,42 +209,6 @@ fi AM_CONDITIONAL([BUILD_LEANPSK], [test "x$ENABLED_LEANPSK" = "xyes"]) -# fastmath -AC_ARG_ENABLE([fastmath], - [ --enable-fastmath Enable fast math for BigInts (default: disabled)], - [ ENABLED_FASTMATH=$enableval ], - [ ENABLED_FASTMATH=no ] - ) - -if test "x$ENABLED_FASTMATH" = "xyes" -then - AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH" - ENABLED_SLOWMATH="no" -fi - - -# fast HUGE math -AC_ARG_ENABLE([fasthugemath], - [ --enable-fasthugemath Enable fast math + huge code (default: disabled)], - [ ENABLED_FASTHUGEMATH=$enableval ], - [ ENABLED_FASTHUGEMATH=no ] - ) - -if test "$ENABLED_BUMP" = "yes" -then - ENABLED_FASTHUGEMATH="yes" -fi - -if test "$ENABLED_FASTHUGEMATH" = "yes" -then - ENABLED_FASTMATH="yes" - AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH" - ENABLED_SLOWMATH="no" -fi - -AM_CONDITIONAL([BUILD_FASTMATH], [test "x$ENABLED_FASTMATH" = "xyes"]) -AM_CONDITIONAL([BUILD_SLOWMATH], [test "x$ENABLED_SLOWMATH" = "xyes"]) - # big cache AC_ARG_ENABLE([bigcache], [ --enable-bigcache Enable big session cache (default: disabled)], @@ -400,6 +364,18 @@ fi AM_CONDITIONAL([BUILD_MD2], [test "x$ENABLED_MD2" = "xyes"]) +# NULL CIPHER +AC_ARG_ENABLE([nullcipher], + [ --enable-nullcipher Enable CyaSSL NULL cipher support (default: disabled)], + [ ENABLED_NULL_CIPHER=$enableval ], + [ ENABLED_NULL_CIPHER=no ] + ) + +if test "$ENABLED_NULL_CIPHER" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_NULL_CIPHER" +fi + # RIPEMD AC_ARG_ENABLE([ripemd], [ --enable-ripemd Enable CyaSSL RIPEMD-160 support (default: disabled)], 
@@ -500,6 +476,389 @@ then fi +# DSA +AC_ARG_ENABLE([dsa], + [ --enable-dsa Enable DSA (default: disabled)], + [ ENABLED_DSA=$enableval ], + [ ENABLED_DSA=no ] + ) + +if test "$ENABLED_DSA" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_DSA" +fi + +AM_CONDITIONAL([BUILD_DSA], [test "x$ENABLED_DSA" = "xyes"]) + + +# ECC +AC_ARG_ENABLE([ecc], + [ --enable-ecc Enable ECC (default: disabled)], + [ ENABLED_ECC=$enableval ], + [ ENABLED_ECC=no ] + ) + +if test "$ENABLED_ECC" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC" +fi + +AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) + + +if test "$ENABLED_ECC" = "yes" && test "$ENABLED_SMALL" = "yes" +then + AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.]) +fi + + +# PSK +AC_ARG_ENABLE([psk], + [ --enable-psk Enable PSK (default: disabled)], + [ ENABLED_PSK=$enableval ], + [ ENABLED_PSK=no ] + ) + +if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_PSK" +fi + +if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "yes" +then + ENABLED_PSK=yes +fi + + +# ERROR STRINGS +AC_ARG_ENABLE([errorstrings], + [ --enable-errorstrings Enable error strings table (default: enabled)], + [ ENABLED_ERROR_STRINGS=$enableval ], + [ ENABLED_ERROR_STRINGS=yes ] + ) + +if test "$ENABLED_ERROR_STRINGS" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS" +else + # turn off error strings if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS" + ENABLED_ERROR_STRINGS=no + fi +fi + + +# OLD TLS +AC_ARG_ENABLE([oldtls], + [ --enable-oldtls Enable old TLS versions < 1.2 (default: enabled)], + [ ENABLED_OLD_TLS=$enableval ], + [ ENABLED_OLD_TLS=yes ] + ) + +if test "$ENABLED_OLD_TLS" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS" +else + # turn off old if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS" + ENABLED_OLD_TLS=no + fi +fi + + +# MEMORY 
+AC_ARG_ENABLE([memory], + [ --enable-memory Enable memory callbacks (default: enabled)], + [ ENABLED_MEMORY=$enableval ], + [ ENABLED_MEMORY=yes ] + ) + +if test "$ENABLED_MEMORY" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_CYASSL_MEMORY" +else + # turn off memory cb if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + # but don't turn on NO_CYASSL_MEMORY because using own + ENABLED_MEMORY=no + fi +fi + +AM_CONDITIONAL([BUILD_MEMORY], [test "x$ENABLED_MEMORY" = "xyes"]) + + +# RSA +AC_ARG_ENABLE([rsa], + [ --enable-rsa Enable RSA (default: enabled)], + [ ENABLED_RSA=$enableval ], + [ ENABLED_RSA=yes ] + ) + +if test "$ENABLED_RSA" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_RSA" +else + # turn off RSA if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_RSA" + ENABLED_RSA=no + fi +fi + +AM_CONDITIONAL([BUILD_RSA], [test "x$ENABLED_RSA" = "xyes"]) + + +# DH +AC_ARG_ENABLE([dh], + [ --enable-dh Enable DH (default: enabled)], + [ ENABLED_DH=$enableval ], + [ ENABLED_DH=yes ] + ) + +if test "$ENABLED_DH" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_DH" +else + # turn off DH if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_DH" + ENABLED_DH=no + fi +fi + +AM_CONDITIONAL([BUILD_DH], [test "x$ENABLED_DH" = "xyes"]) + + +# ASN +# turn off asn, which means no certs, no rsa, no dh, no dsa, no ecc, +# and no big int, use this to disable all public key stuff +AC_ARG_ENABLE([asn], + [ --enable-asn Enable ASN (default: enabled)], + [ ENABLED_ASN=$enableval ], + [ ENABLED_ASN=yes ] + ) + +if test "$ENABLED_ASN" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS -DNO_BIG_INT" +else + # turn off ASN if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS -DNO_BIG_INT" + ENABLED_ASN=no + fi +fi + +if test "$ENABLED_RSA" = "yes" && test "$ENABLED_ASN" = "no" +then + AC_MSG_ERROR([please disable rsa if disabling asn.]) +fi + +if test "$ENABLED_DSA" = "yes" && 
test "$ENABLED_ASN" = "no" +then + AC_MSG_ERROR([please disable dsa if disabling asn.]) +fi + +if test "$ENABLED_DH" = "yes" && test "$ENABLED_ASN" = "no" +then + AC_MSG_ERROR([please disable dh if disabling asn.]) +fi + +if test "$ENABLED_ECC" = "yes" && test "$ENABLED_ASN" = "no" +then + AC_MSG_ERROR([please disable ecc if disabling asn.]) +fi + +if test "$ENABLED_PSK" = "no" && test "$ENABLED_ASN" = "no" +then + AC_MSG_ERROR([please enable psk if disabling asn.]) +fi + +if test "$ENABLED_ASN" = "no" +then + ENABLED_FASTMATH=no + ENABLED_SLOWMATH=no +fi + +AM_CONDITIONAL([BUILD_ASN], [test "x$ENABLED_ASN" = "xyes"]) + + +# AES +AC_ARG_ENABLE([aes], + [ --enable-aes Enable AES (default: enabled)], + [ ENABLED_AES=$enableval ], + [ ENABLED_AES=yes ] + ) + +if test "$ENABLED_AES" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_AES" +else + # turn off AES if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_AES" + ENABLED_AES=no + fi +fi + +AM_CONDITIONAL([BUILD_AES], [test "x$ENABLED_AES" = "xyes"]) + + +# CODING +AC_ARG_ENABLE([coding], + [ --enable-coding Enable Coding base 16/64 (default: enabled)], + [ ENABLED_CODING=$enableval ], + [ ENABLED_CODING=yes ] + ) + +if test "$ENABLED_CODING" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_CODING" +else + # turn off CODING if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_CODING" + ENABLED_CODING=no + fi +fi + +AM_CONDITIONAL([BUILD_CODING], [test "x$ENABLED_CODING" = "xyes"]) + + +# DES3 +AC_ARG_ENABLE([des3], + [ --enable-des3 Enable DES3 (default: enabled)], + [ ENABLED_DES3=$enableval ], + [ ENABLED_DES3=yes ] + ) + +if test "$ENABLED_DES3" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_DES3" +else + # turn off DES3 if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_DES3" + ENABLED_DES3=no + fi +fi + +AM_CONDITIONAL([BUILD_DES3], [test "x$ENABLED_DES3" = "xyes"]) + + +# ARC4 +AC_ARG_ENABLE([arc4], + [ --enable-arc4 Enable 
ARC4 (default: enabled)], + [ ENABLED_ARC4=$enableval ], + [ ENABLED_ARC4=yes ] + ) + +if test "$ENABLED_ARC4" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_RC4" +else + # turn off ARC4 if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_RC4" + ENABLED_ARC4=no + fi +fi + +AM_CONDITIONAL([BUILD_RC4], [test "x$ENABLED_ARC4" = "xyes"]) + + +# MD5 +AC_ARG_ENABLE([md5], + [ --enable-md5 Enable MD5 (default: enabled)], + [ ENABLED_MD5=$enableval ], + [ ENABLED_MD5=yes ] + ) + +if test "$ENABLED_MD5" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS" +else + # turn off MD5 if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS" + ENABLED_MD5=no + fi +fi + +AM_CONDITIONAL([BUILD_MD5], [test "x$ENABLED_MD5" = "xyes"]) + + +# SHA +AC_ARG_ENABLE([sha], + [ --enable-sha Enable SHA (default: enabled)], + [ ENABLED_SHA=$enableval ], + [ ENABLED_SHA=yes ] + ) + +if test "$ENABLED_SHA" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS" +else + # turn off SHA if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS" + ENABLED_SHA=no + fi +fi + +AM_CONDITIONAL([BUILD_SHA], [test "x$ENABLED_SHA" = "xyes"]) + + +# MD4 +AC_ARG_ENABLE([md4], + [ --enable-md4 Enable MD4 (default: disabled)], + [ ENABLED_MD4=$enableval ], + [ ENABLED_MD4=no ] + ) + +if test "$ENABLED_MD4" = "no" +then + AM_CFLAGS="$AM_CFLAGS -DNO_MD4" +fi + +AM_CONDITIONAL([BUILD_MD4], [test "x$ENABLED_MD4" = "xyes"]) + + +# PWDBASED +AC_ARG_ENABLE([pwdbased], + [ --enable-pwdbased Enable PWDBASED (default: disabled)], + [ ENABLED_PWDBASED=$enableval ], + [ ENABLED_PWDBASED=no ] + ) + +if test "$ENABLED_PWDBASED" = "no" +then + if test "$ENABLED_OPENSSLEXTRA" = "yes" + then + # opensslextra needs pwdbased + ENABLED_PWDBASED=yes + else + AM_CFLAGS="$AM_CFLAGS -DNO_PWDBASED" + fi +fi + +AM_CONDITIONAL([BUILD_PWDBASED], [test "x$ENABLED_PWDBASED" = "xyes"]) + + # HC128 
AC_ARG_ENABLE([hc128], [ --enable-hc128 Enable HC-128 (default: disabled)], @@ -534,22 +893,9 @@ fi AM_CONDITIONAL([BUILD_RABBIT], [test "x$ENABLED_RABBIT" = "xyes"]) -# PSK -AC_ARG_ENABLE([psk], - [ --enable-psk Enable PSK (default: disabled)], - [ ENABLED_PSK=$enableval ], - [ ENABLED_PSK=no ] - ) - -if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "no" -then - AM_CFLAGS="$AM_CFLAGS -DNO_PSK" -fi - - # Web Server Build -AC_ARG_ENABLE([webServer], - [ --enable-webServer Enable Web Server (default: disabled)], +AC_ARG_ENABLE([webserver], + [ --enable-webserver Enable Web Server (default: disabled)], [ ENABLED_WEBSERVER=$enableval ], [ ENABLED_WEBSERVER=no ] ) 
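Review bot: The explicit `no` branches of the new MD5 and SHA sections append `-DNO_OLD_TLS` to `AM_CFLAGS` but leave `ENABLED_OLD_TLS` unchanged. With `--disable-md5` or `--disable-sha`, the configure summary can therefore still print old TLS versions as enabled for a build that compiles them out. Adding `ENABLED_OLD_TLS=no` next to each of those two `AM_CFLAGS` lines keeps the reported protocol support in line with what is built. The OLD TLS section runs earlier in this hunk, so the later assignment is not overwritten.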
@@ -560,53 +906,39 @@ then fi -# No Filesystem Build -AC_ARG_ENABLE([noFilesystem], - [ --enable-noFilesystem Enable No Filesystem (default: disabled)], - [ ENABLED_NOFILESYSTEM=$enableval ], - [ ENABLED_NOFILESYSTEM=no ] +# Filesystem Build +AC_ARG_ENABLE([filesystem], + [ --enable-filesystem Enable Filesystem support (default: disabled)], + [ ENABLED_FILESYSTEM=$enableval ], + [ ENABLED_FILESYSTEM=yes ] ) -if test "$ENABLED_NOFILESYSTEM" = "yes" +if test "$ENABLED_FILESYSTEM" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM" +else + # turn off filesystem if leanpsk on + if test "$ENABLED_LEANPSK" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DNO_FILESYSTEM" + ENABLED_FILESYSTEM=no + fi fi -# No inline Build -AC_ARG_ENABLE([noInline], - [ --enable-noInline Enable No inline (default: disabled)], - [ ENABLED_NOINLINE=$enableval ], - [ ENABLED_NOINLINE=no ] +# inline Build +AC_ARG_ENABLE([inline], + [ --enable-inline Enable inline functions (default: disabled)], + [ ENABLED_INLINE=$enableval ], + [ ENABLED_INLINE=yes ] ) -if test "$ENABLED_NOINLINE" = "yes" +if test "$ENABLED_INLINE" = "no" then AM_CFLAGS="$AM_CFLAGS -DNO_INLINE" fi -AM_CONDITIONAL([BUILD_NOINLINE], [test "x$ENABLED_NOINLINE" = "xyes"]) - - -# ECC -AC_ARG_ENABLE([ecc], - [ --enable-ecc Enable ECC (default: disabled)], - [ ENABLED_ECC=$enableval ], - [ ENABLED_ECC=no ] - ) - -if test "$ENABLED_ECC" = "yes" -then - AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC" -fi - -AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) - - -if test "$ENABLED_ECC" = "yes" && test "$ENABLED_SMALL" = "yes" -then - AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.]) -fi +AM_CONDITIONAL([BUILD_INLINE], [test "x$ENABLED_INLINE" = "xyes"]) # OCSP 
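Review bot: The help strings for the two renamed options still say `(default: disabled)`, but both now default to `yes` (`ENABLED_FILESYSTEM=yes`, `ENABLED_INLINE=yes`). They should read `Enable Filesystem support (default: enabled)` and `Enable inline functions (default: enabled)`. The sense of the automake conditional is also inverted by the rename from `BUILD_NOINLINE` to `BUILD_INLINE`, so any `include.am` that tested the old name needs the opposite branch; those files are not in this hunk.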
@@ -718,6 +1050,49 @@ then fi +# fastmath +AC_ARG_ENABLE([fastmath], + [ --enable-fastmath Enable fast math for BigInts (default: enabled)], + [ ENABLED_FASTMATH=$enableval ], + [ ENABLED_FASTMATH=yes ] + ) + +if test "x$ENABLED_FASTMATH" = "xyes" +then + # turn off fastmth if leanpsk on or asn off + if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_ASN" = "no" + then + ENABLED_FASTMATH=no + else + AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH" + ENABLED_SLOWMATH="no" + fi +fi + + +# fast HUGE math +AC_ARG_ENABLE([fasthugemath], + [ --enable-fasthugemath Enable fast math + huge code (default: disabled)], + [ ENABLED_FASTHUGEMATH=$enableval ], + [ ENABLED_FASTHUGEMATH=no ] + ) + +if test "$ENABLED_BUMP" = "yes" +then + ENABLED_FASTHUGEMATH="yes" +fi + +if test "$ENABLED_FASTHUGEMATH" = "yes" +then + ENABLED_FASTMATH="yes" + AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH" + ENABLED_SLOWMATH="no" +fi + +AM_CONDITIONAL([BUILD_FASTMATH], [test "x$ENABLED_FASTMATH" = "xyes"]) +AM_CONDITIONAL([BUILD_SLOWMATH], [test "x$ENABLED_SLOWMATH" = "xyes"]) + + # Enable Examples, used to disable examples AC_ARG_ENABLE([examples], [ --enable-examples Enable Examples (default: enabled)], @@ -726,11 +1101,15 @@ AC_ARG_ENABLE([examples], ) AS_IF([test "x$ENABLED_SINGLETHREADED" = "xyes"], [ENABLED_EXAMPLES="no"]) -AS_IF([test "x$ENABLED_NOFILESYSTEM" = "xyes"], [ENABLED_EXAMPLES="no"]) +AS_IF([test "x$ENABLED_FILESYSTEM" = "xno"], [ENABLED_EXAMPLES="no"]) +AS_IF([test "x$ENABLED_INLINE" = "xno"], [ENABLED_EXAMPLES="no"]) +# certs still have sha signatures for now +AS_IF([test "x$ENABLED_SHA" = "xno"], [ENABLED_EXAMPLES="no"]) AM_CONDITIONAL([BUILD_EXAMPLES], [test "x$ENABLED_EXAMPLES" = "xyes"]) # LIBZ +ENABLED_LIBZ="no" trylibzdir="" AC_ARG_WITH([libz], [ --with-libz=PATH PATH to libz install (default /usr/) ], @@ -762,9 +1141,10 @@ AC_ARG_WITH([libz], else AC_MSG_RESULT([yes]) fi - + ENABLED_LIBZ="yes" ] ) +AM_CONDITIONAL([BUILD_LIBZ], [test "x$ENABLED_LIBZ" = "xyes"]) # cavium 
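Review bot: The relocated `fasthugemath` block sets `ENABLED_FASTMATH="yes"` and appends `-DUSE_FAST_MATH` unconditionally, which bypasses the leanpsk/ASN guard added to the `fastmath` block just above it. A configuration such as `--disable-asn --enable-fasthugemath` would end up with `-DNO_BIG_INT` and `-DUSE_FAST_MATH` together and `BUILD_FASTMATH` true; whether that builds is not visible from here. Applying the same test, `if test "$ENABLED_FASTHUGEMATH" = "yes" && test "$ENABLED_LEANPSK" != "yes" && test "$ENABLED_ASN" != "no"`, would keep the two blocks consistent. With fastmath now on by default the flag is also appended twice whenever fasthugemath is enabled, and the comment has a typo (`fastmth`).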
@@ -797,6 +1177,37 @@ AC_ARG_WITH([cavium], ) +# microchip api +AC_ARG_ENABLE([mcapi], + [ --enable-mcapi Enable Microchip API (default: disabled)], + [ ENABLED_MCAPI=$enableval ], + [ ENABLED_MCAPI=no ] + ) + +if test "$ENABLED_MCAPI" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_MCAPI -DCYASSL_AES_COUNTER -DCYASSL_AES_DIRECT" +fi + +if test "$ENABLED_MCAPI" = "yes" && test "$ENABLED_SHA512" = "no" +then + AC_MSG_ERROR([please enable sha512 if enabling mcapi.]) +fi + +if test "$ENABLED_MCAPI" = "yes" && test "$ENABLED_ECC" = "no" +then + AC_MSG_ERROR([please enable ecc if enabling mcapi.]) +fi + +if test "$ENABLED_MCAPI" = "yes" && test "$ENABLED_LIBZ" = "no" +then + AC_MSG_ERROR([please use --with-libz if enabling mcapi.]) +fi + +AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"]) + + + # OPTIMIZE FLAGS if test "$GCC" = "yes" then 
@@ -873,29 +1284,47 @@ echo " * VCS checkout: $ac_cv_vcs_checkout" echo echo " Features " echo " * Single threaded: $ENABLED_SINGLETHREADED" -echo " * DTLS: $ENABLED_DTLS" -echo " * Enable extra OpenSSL API: $ENABLED_OPENSSLEXTRA" +echo " * Filesystem: $ENABLED_FILESYSTEM" +echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA" echo " * fastmath: $ENABLED_FASTMATH" echo " * sniffer: $ENABLED_SNIFFER" +echo " * ARC4: $ENABLED_ARC4" +echo " * AES: $ENABLED_AES" echo " * AES-NI: $ENABLED_AESNI" echo " * AES-GCM: $ENABLED_AESGCM" echo " * AES-CCM: $ENABLED_AESCCM" +echo " * DES3: $ENABLED_DES3" echo " * Camellia: $ENABLED_CAMELLIA" +echo " * NULL Cipher: $ENABLED_NULL_CIPHER" +echo " * MD5: $ENABLED_MD5" echo " * RIPEMD: $ENABLED_RIPEMD" +echo " * SHA: $ENABLED_SHA" echo " * SHA-512: $ENABLED_SHA512" echo " * BLAKE2: $ENABLED_BLAKE2" echo " * keygen: $ENABLED_KEYGEN" echo " * certgen: $ENABLED_CERTGEN" echo " * HC-128: $ENABLED_HC128" echo " * RABBIT: $ENABLED_RABBIT" +echo " * PWDBASED: $ENABLED_PWDBASED" +echo " * MD4: $ENABLED_MD4" echo " * PSK: $ENABLED_PSK" echo " * LEANPSK: $ENABLED_LEANPSK" +echo " * RSA: $ENABLED_RSA" +echo " * DSA: $ENABLED_DSA" +echo " * DH: $ENABLED_DH" echo " * ECC: $ENABLED_ECC" +echo " * ASN: $ENABLED_ASN" +echo " * CODING: $ENABLED_CODING" +echo " * MEMORY: $ENABLED_MEMORY" +echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" +echo " * DTLS: $ENABLED_DTLS" +echo " * Old TLS Versions: $ENABLED_OLD_TLS" echo " * OCSP: $ENABLED_OCSP" echo " * CRL: $ENABLED_CRL" echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR" echo " * NTRU: $ENABLED_NTRU" echo " * valgrind unit tests: $ENABLED_VALGRIND" +echo " * LIBZ: $ENABLED_LIBZ" echo " * Examples: $ENABLED_EXAMPLES" echo "" echo "---" diff --git a/ctaocrypt/benchmark/benchmark.c b/ctaocrypt/benchmark/benchmark.c index 108214a0b..256261444 100644 --- a/ctaocrypt/benchmark/benchmark.c +++ b/ctaocrypt/benchmark/benchmark.c 
@@ -160,7 +160,9 @@ int main(int argc, char** argv) #ifndef NO_MD5 bench_md5(); #endif +#ifndef NO_SHA bench_sha(); +#endif #ifndef NO_SHA256 bench_sha256(); #endif @@ -506,6 +508,7 @@ void bench_md5(void) #endif /* NO_MD5 */ +#ifndef NO_SHA void bench_sha(void) { Sha hash; @@ -531,6 +534,7 @@ void bench_sha(void) printf("SHA %d %s took %5.3f seconds, %6.2f MB/s\n", numBlocks, blockType, total, persec); } +#endif /* NO_SHA */ #ifndef NO_SHA256 diff --git a/ctaocrypt/src/asm.c b/ctaocrypt/src/asm.c index ba1d4a716..21751c098 100644 --- a/ctaocrypt/src/asm.c +++ b/ctaocrypt/src/asm.c @@ -437,9 +437,10 @@ __asm__( \ #define INNERMUL \ do { fp_word t; \ - _c[0] = t = ((fp_word)_c[0] + (fp_word)cy) + \ + t = ((fp_word)_c[0] + (fp_word)cy) + \ (((fp_word)mu) * ((fp_word)*tmpm++)); \ - cy = (t >> DIGIT_BIT); \ + _c[0] = (fp_digit)t; \ + cy = (fp_digit)(t >> DIGIT_BIT); \ } while (0) #define PROPCARRY \ @@ -975,8 +976,9 @@ __asm__( \ /* multiplies point i and j, updates carry "c1" and digit c2 */ #define SQRADD(i, j) \ do { fp_word t; \ - t = c0 + ((fp_word)i) * ((fp_word)j); c0 = t; \ - t = c1 + (t >> DIGIT_BIT); c1 = t; c2 += t >> DIGIT_BIT; \ + t = c0 + ((fp_word)i) * ((fp_word)j); c0 = (fp_digit)t; \ + t = c1 + (t >> DIGIT_BIT); c1 = (fp_digit)t; \ + c2 +=(fp_digit) (t >> DIGIT_BIT); \ } while (0); @@ -984,10 +986,12 @@ __asm__( \ #define SQRADD2(i, j) \ do { fp_word t; \ t = ((fp_word)i) * ((fp_word)j); \ - tt = (fp_word)c0 + t; c0 = tt; \ - tt = (fp_word)c1 + (tt >> DIGIT_BIT); c1 = tt; c2 += tt >> DIGIT_BIT; \ - tt = (fp_word)c0 + t; c0 = tt; \ - tt = (fp_word)c1 + (tt >> DIGIT_BIT); c1 = tt; c2 += tt >> DIGIT_BIT; \ + tt = (fp_word)c0 + t; c0 = (fp_digit)tt; \ + tt = (fp_word)c1 + (tt >> DIGIT_BIT); c1 = (fp_digit)tt; \ + c2 +=(fp_digit)( tt >> DIGIT_BIT); \ + tt = (fp_word)c0 + t; c0 = (fp_digit)tt; \ + tt = (fp_word)c1 + (tt >> DIGIT_BIT); c1 = (fp_digit)tt; \ + c2 +=(fp_digit) (tt >> DIGIT_BIT); \ } while (0); #define SQRADDSC(i, j) \ 
@@ -1274,10 +1278,11 @@ ____asm__( \ #define COMBA_FINI -#define MULADD(i, j) \ - do { fp_word t; \ - t = (fp_word)c0 + ((fp_word)i) * ((fp_word)j); c0 = t; \ - t = (fp_word)c1 + (t >> DIGIT_BIT); c1 = t; c2 += t >> DIGIT_BIT; \ +#define MULADD(i, j) \ + do { fp_word t; \ + t = (fp_word)c0 + ((fp_word)i) * ((fp_word)j); c0 = (fp_digit)t; \ + t = (fp_word)c1 + (t >> DIGIT_BIT); \ + c1 = (fp_digit)t; c2 += (fp_digit)(t >> DIGIT_BIT); \ } while (0); #endif diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index fb19e214c..72dee4f9f 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -71,10 +71,10 @@ #ifndef TRUE -enum { - FALSE = 0, - TRUE = 1 -}; + #define TRUE 1 +#endif +#ifndef FALSE + #define FALSE 0 #endif @@ -92,12 +92,33 @@ enum { #define NO_TIME_H /* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */ #elif defined(USER_TIME) - /* no structures used */ - #define NO_TIME_H /* user time, and gmtime compatible functions, there is a gmtime implementation here that WINCE uses, so really just need some ticks since the EPOCH */ + + struct tm { + int tm_sec; /* seconds after the minute [0-60] */ + int tm_min; /* minutes after the hour [0-59] */ + int tm_hour; /* hours since midnight [0-23] */ + int tm_mday; /* day of the month [1-31] */ + int tm_mon; /* months since January [0-11] */ + int tm_year; /* years since 1900 */ + int tm_wday; /* days since Sunday [0-6] */ + int tm_yday; /* days since January 1 [0-365] */ + int tm_isdst; /* Daylight Savings Time flag */ + long tm_gmtoff; /* offset from CUT in seconds */ + char *tm_zone; /* timezone abbreviation */ + }; + typedef long time_t; + + /* forward declaration */ + struct tm* gmtime(const time_t* timer); + extern time_t XTIME(time_t * timer); + + #define XGMTIME(c) gmtime((c)) + #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) + #else /* default */ /* uses complete facility */ 
@@ -137,7 +158,8 @@ time_t time(time_t* timer) return *timer; } - +#endif /* _WIN32_WCE */ +#if defined( _WIN32_WCE ) || defined( USER_TIME ) struct tm* gmtime(const time_t* timer) { @@ -155,17 +177,17 @@ struct tm* gmtime(const time_t* timer) static struct tm st_time; struct tm* ret = &st_time; - time_t time = *timer; + time_t secs = *timer; unsigned long dayclock, dayno; int year = EPOCH_YEAR; - dayclock = (unsigned long)time % SECS_DAY; - dayno = (unsigned long)time / SECS_DAY; + dayclock = (unsigned long)secs % SECS_DAY; + dayno = (unsigned long)secs / SECS_DAY; - ret->tm_sec = dayclock % 60; - ret->tm_min = (dayclock % 3600) / 60; - ret->tm_hour = dayclock / 3600; - ret->tm_wday = (dayno + 4) % 7; /* day 0 a Thursday */ + ret->tm_sec = (int) dayclock % 60; + ret->tm_min = (int)(dayclock % 3600) / 60; + ret->tm_hour = (int) dayclock / 3600; + ret->tm_wday = (int) (dayno + 4) % 7; /* day 0 a Thursday */ while(dayno >= (unsigned long)YEARSIZE(year)) { dayno -= YEARSIZE(year); @@ -173,7 +195,7 @@ struct tm* gmtime(const time_t* timer) } ret->tm_year = year - YEAR0; - ret->tm_yday = dayno; + ret->tm_yday = (int)dayno; ret->tm_mon = 0; while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) { @@ -181,13 +203,13 @@ struct tm* gmtime(const time_t* timer) ret->tm_mon++; } - ret->tm_mday = ++dayno; + ret->tm_mday = (int)++dayno; ret->tm_isdst = 0; return ret; } -#endif /* _WIN32_WCE */ +#endif /* _WIN32_WCE || USER_TIME */ #ifdef THREADX @@ -386,6 +408,7 @@ static int GetMyVersion(const byte* input, word32* inOutIdx, int* version) } +#ifndef NO_PWDBASED /* Get small count integer, 32 bits or less */ static int GetShortInt(const byte* input, word32* inOutIdx, int* number) { @@ -409,7 +432,7 @@ static int GetShortInt(const byte* input, word32* inOutIdx, int* number) return *number; } - +#endif /* May not have one, not an error */ static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version) 
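Review bot: In `gmtime`, `ret->tm_wday = (int) (dayno + 4) % 7;` converts `dayno + 4` to `int` before taking the remainder, because the cast binds tighter than `%`. The old line took the remainder in `unsigned long` and always yielded 0..6. If `dayno` can exceed `INT_MAX` (for example a negative `time_t` passed through the `(unsigned long)secs` cast where `long` is 64 bits), the new form can produce a negative weekday. `ret->tm_wday = (int)((dayno + 4) % 7);` removes the conversion warning without changing the value, and the same parenthesised form would suit `tm_sec` and `tm_hour` for consistency. The body of `gmtime` starts and ends outside this hunk.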
@@ -1413,7 +1436,9 @@ static int GetKey(DecodedCert* cert) /* process NAME, either issuer or subject */ static int GetName(DecodedCert* cert, int nameType) { +#ifndef NO_SHA Sha sha; +#endif int length; /* length of all distinguished names */ int dummy; char* full = (nameType == ISSUER) ? cert->issuer : cert->subject; @@ -1438,12 +1463,14 @@ static int GetName(DecodedCert* cert, int nameType) if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) return ASN_PARSE_E; +#ifndef NO_SHA InitSha(&sha); ShaUpdate(&sha, &cert->source[idx], length + cert->srcIdx - idx); if (nameType == ISSUER) ShaFinal(&sha, cert->issuerHash); else ShaFinal(&sha, cert->subjectHash); +#endif length += cert->srcIdx; idx = 0; @@ -1884,7 +1911,7 @@ static word32 BytePrecision(word32 value) { word32 i; for (i = sizeof(value); i; --i) - if (value >> ((i - 1) * BIT_SIZE)) + if (value >> ((i - 1) * CYASSL_BIT_SIZE)) break; return i; @@ -1901,7 +1928,7 @@ static word32 SetLength(word32 length, byte* output) output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH); for (j = BytePrecision(length); j; --j) { - output[i] = (byte)(length >> ((j - 1) * BIT_SIZE)); + output[i] = (byte)(length >> ((j - 1) * CYASSL_BIT_SIZE)); i++; } } @@ -2101,8 +2128,10 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, (void)sig; (void)sigSz; (void)heap; + (void)ret; switch (sigOID) { +#ifndef NO_MD5 case CTC_MD5wRSA: { Md5 md5; @@ -2113,6 +2142,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, digestSz = MD5_DIGEST_SIZE; } break; +#endif #if defined(CYASSL_MD2) case CTC_MD2wRSA: { @@ -2125,6 +2155,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, } break; #endif +#ifndef NO_SHA case CTC_SHAwRSA: case CTC_SHAwDSA: case CTC_SHAwECDSA: @@ -2137,6 +2168,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, digestSz = SHA_DIGEST_SIZE; } break; +#endif #ifndef NO_SHA256 case CTC_SHA256wRSA: case CTC_SHA256wECDSA: 
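Review bot: With `NO_SHA` defined, `GetName` no longer writes `cert->issuerHash` or `cert->subjectHash`, and nothing in these two hunks gives them a defined value or signals that they were skipped. If other code matches a certificate to its signer by comparing these fields (not visible here), it would compare whatever the buffers already hold. Consider an `#else` branch that zeroes the selected field or fails the parse, with a comment such as `/* NO_SHA: name hashes are not computed; lookup by name hash is unavailable */`. The body of `GetName` continues outside the hunk.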
diff --git a/ctaocrypt/src/coding.c b/ctaocrypt/src/coding.c index d5afdcbe6..c914f9183 100644 --- a/ctaocrypt/src/coding.c +++ b/ctaocrypt/src/coding.c @@ -23,6 +23,8 @@ #include #endif +#ifndef NO_CODING + #include #include #include @@ -104,16 +106,18 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen) break; inLen -= 4; - if (in[j] == ' ' || in[j] == '\r' || in[j] == '\n') { + if (inLen && (in[j] == ' ' || in[j] == '\r' || in[j] == '\n')) { byte endLine = in[j++]; inLen--; - while (endLine == ' ') { /* allow trailing whitespace */ + while (inLen && endLine == ' ') { /* allow trailing whitespace */ endLine = in[j++]; inLen--; } if (endLine == '\r') { - endLine = in[j++]; - inLen--; + if (inLen) { + endLine = in[j++]; + inLen--; + } } if (endLine != '\n') { CYASSL_MSG("Bad end of line in Base64 Decode"); @@ -263,3 +267,4 @@ int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen) #endif /* defined(OPENSSL_EXTRA) || defined (SESSION_CERTS) || defined(CYASSL_KEY_GEN) || defined(CYASSL_CERT_GEN) || defined(HAVE_WEBSERVER) */ +#endif /* NO_CODING */ diff --git a/ctaocrypt/src/compress.c b/ctaocrypt/src/compress.c new file mode 100644 index 000000000..6e6e05d08 --- /dev/null +++ b/ctaocrypt/src/compress.c 
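Review bot: The new `inLen` guards in `Base64_Decode` are only correct while `inLen` equals the number of unread bytes at `in[j]`, and nothing in the hunk states that invariant. A comment above `inLen -= 4;` such as `/* inLen counts the bytes left at in[j]; test it before every in[j++] */` would help keep later edits from reintroducing a read past the end of truncated input. The nested `if (endLine == '\r') { if (inLen) {` can be flattened to `if (endLine == '\r' && inLen) {`. Unit tests with input that ends right after a four-character group, after a trailing space, and after a bare `\r` would pin the three guarded paths. The loop enclosing these lines starts outside the hunk.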
@@ -0,0 +1,168 @@ +/* compress.c + * + * Copyright (C) 2006-2013 wolfSSL Inc. + * + * This file is part of CyaSSL. + * + * CyaSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * CyaSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + + +#ifdef HAVE_CONFIG_H + #include +#endif + + +#ifdef HAVE_LIBZ + + +#include +#include +#include +#ifdef NO_INLINE + #include +#else + #include +#endif + +#include + + +/* alloc user allocs to work with zlib */ +static void* myAlloc(void* opaque, unsigned int item, unsigned int size) +{ + (void)opaque; + return XMALLOC(item * size, opaque, DYNAMIC_TYPE_LIBZ); +} + + +static void myFree(void* opaque, void* memory) +{ + (void)opaque; + XFREE(memory, opaque, DYNAMIC_TYPE_LIBZ); +} + + +#ifdef HAVE_MCAPI + #define DEFLATE_DEFAULT_WINDOWBITS 11 + #define DEFLATE_DEFAULT_MEMLEVEL 1 +#else + #define DEFLATE_DEFAULT_WINDOWBITS 15 + #define DEFLATE_DEFAULT_MEMLEVEL 8 +#endif + + +int Compress(byte* out, word32 outSz, const byte* in, word32 inSz, word32 flags) +/* + * out - pointer to destination buffer + * outSz - size of destination buffer + * in - pointer to source buffer to compress + * inSz - size of source to compress + * flags - flags to control how compress operates + * + * return: + * negative - error code + * positive - bytes stored in out buffer + * + * Note, the output buffer still needs to be larger than the input buffer. 
+ * The right chunk of data won't compress at all, and the lookup table will + * add to the size of the output. The libz code says the compressed + * buffer should be srcSz + 0.1% + 12. + */ +{ + z_stream stream; + int result = 0; + + stream.next_in = (Bytef*)in; + stream.avail_in = (uInt)inSz; +#ifdef MAXSEG_64K + /* Check for source > 64K on 16-bit machine: */ + if ((uLong)stream.avail_in != inSz) return COMPRESS_INIT_E; +#endif + stream.next_out = out; + stream.avail_out = (uInt)outSz; + if ((uLong)stream.avail_out != outSz) return COMPRESS_INIT_E; + + stream.zalloc = (alloc_func)myAlloc; + stream.zfree = (free_func)myFree; + stream.opaque = (voidpf)0; + + if (deflateInit2(&stream, Z_DEFAULT_COMPRESSION, Z_DEFLATED, + DEFLATE_DEFAULT_WINDOWBITS, DEFLATE_DEFAULT_MEMLEVEL, + flags ? Z_FIXED : Z_DEFAULT_STRATEGY) != Z_OK) + return COMPRESS_INIT_E; + + if (deflate(&stream, Z_FINISH) != Z_STREAM_END) { + deflateEnd(&stream); + return COMPRESS_E; + } + + result = (int)stream.total_out; + + if (deflateEnd(&stream) != Z_OK) + result = COMPRESS_E; + + return result; +} + + +int DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz) +/* + * out - pointer to destination buffer + * outSz - size of destination buffer + * in - pointer to source buffer to compress + * inSz - size of source to compress + * flags - flags to control how compress operates + * + * return: + * negative - error code + * positive - bytes stored in out buffer + */ +{ + z_stream stream; + int result = 0; + + stream.next_in = (Bytef*)in; + stream.avail_in = (uInt)inSz; + /* Check for source > 64K on 16-bit machine: */ + if ((uLong)stream.avail_in != inSz) return DECOMPRESS_INIT_E; + + stream.next_out = out; + stream.avail_out = (uInt)outSz; + if ((uLong)stream.avail_out != outSz) return DECOMPRESS_INIT_E; + + stream.zalloc = (alloc_func)myAlloc; + stream.zfree = (free_func)myFree; + stream.opaque = (voidpf)0; + + if (inflateInit2(&stream, DEFLATE_DEFAULT_WINDOWBITS) != Z_OK) + return 
DECOMPRESS_INIT_E; + + if (inflate(&stream, Z_FINISH) != Z_STREAM_END) { + inflateEnd(&stream); + return DECOMPRESS_E; + } + + result = (int)stream.total_out; + + if (inflateEnd(&stream) != Z_OK) + result = DECOMPRESS_E; + + return result; +} + + +#endif /* HAVE_LIBZ */ + diff --git a/ctaocrypt/src/dh.c b/ctaocrypt/src/dh.c index ff64543b0..d5ad83f4f 100644 --- a/ctaocrypt/src/dh.c +++ b/ctaocrypt/src/dh.c @@ -83,8 +83,8 @@ static word32 DiscreteLogWorkFactor(word32 n) static void GeneratePrivate(DhKey* key, RNG* rng, byte* priv, word32* privSz) { word32 sz = mp_unsigned_bin_size(&key->p); - sz = min(sz, 2 * DiscreteLogWorkFactor(sz * BIT_SIZE) / BIT_SIZE + 1); - + sz = min(sz, 2 * DiscreteLogWorkFactor(sz * CYASSL_BIT_SIZE) / + CYASSL_BIT_SIZE + 1); RNG_GenerateBlock(rng, priv, sz); priv[0] |= 0x0C; diff --git a/ctaocrypt/src/error.c b/ctaocrypt/src/error.c index b98db04ca..b1041659e 100644 --- a/ctaocrypt/src/error.c +++ b/ctaocrypt/src/error.c @@ -281,6 +281,22 @@ void CTaoCryptErrorString(int error, char* buffer) XSTRNCPY(buffer, "Cavium Init type error", max); break; + case COMPRESS_INIT_E: + XSTRNCPY(buffer, "Compress Init error", max); + break; + + case COMPRESS_E: + XSTRNCPY(buffer, "Compress error", max); + break; + + case DECOMPRESS_INIT_E: + XSTRNCPY(buffer, "DeCompress Init error", max); + break; + + case DECOMPRESS_E: + XSTRNCPY(buffer, "DeCompress error", max); + break; + default: XSTRNCPY(buffer, "unknown error number", max); diff --git a/ctaocrypt/src/hmac.c b/ctaocrypt/src/hmac.c index 291c6b70f..30b1badf6 100644 --- a/ctaocrypt/src/hmac.c +++ b/ctaocrypt/src/hmac.c @@ -42,7 +42,8 @@ static int InitHmac(Hmac* hmac, int type) hmac->innerHashKeyed = 0; hmac->macType = (byte)type; - if (!(type == MD5 || type == SHA || type == SHA256 || type == SHA384)) + if (!(type == MD5 || type == SHA || type == SHA256 || type == SHA384 + || type == SHA512)) return BAD_FUNC_ARG; switch (type) { 
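Review bot: The header comment on `DeCompress` in the new compress.c is copied from `Compress`: it lists a `flags` parameter the function does not take and describes `in`/`inSz` as the source "to compress". It should describe `in` as the compressed input and `out`/`outSz` as the buffer that bounds the decompressed size. It should also say that `DECOMPRESS_E` is returned whenever `inflate(&stream, Z_FINISH)` does not reach `Z_STREAM_END`, which includes output that does not fit in `outSz`. Callers handling untrusted data need that contract to size `out` and to treat the error as a rejected stream. The comment `/* Check for source > 64K on 16-bit machine: */` in `DeCompress` is also no longer under `#ifdef MAXSEG_64K` as it is in `Compress`, so one of the two should be adjusted for consistency.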
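Review bot: The type check in `InitHmac` accepts `SHA512`, and still `SHA`, unconditionally. The matching `case` labels in `InitHmac`, `HmacSetKey`, `HmacKeyInnerHash`, `HmacUpdate` and `HmacFinal` (the later hmac.c hunks) are compiled only under `CYASSL_SHA512` or `#ifndef NO_SHA`. In a build without that hash every switch falls through to `default: break;`: `InitHmac` presumably still returns success, `HmacSetKey` leaves `hmac_block_size` at its new initial value of 0, and `HmacFinal` returns without writing `hash`, so the caller is left with an unset MAC. Changing the default in `InitHmac` to `default: return BAD_FUNC_ARG;`, or guarding each term of the check with the same macro as its case, would reject the unsupported type. The body of `InitHmac` continues outside this hunk.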
@@ -52,9 +53,11 @@ static int InitHmac(Hmac* hmac, int type) break; #endif + #ifndef NO_SHA case SHA: InitSha(&hmac->hash.sha); break; + #endif #ifndef NO_SHA256 case SHA256: @@ -68,6 +71,12 @@ static int InitHmac(Hmac* hmac, int type) break; #endif + #ifdef CYASSL_SHA512 + case SHA512: + InitSha512(&hmac->hash.sha512); + break; + #endif + default: break; } @@ -80,7 +89,7 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) { byte* ip = (byte*) hmac->ipad; byte* op = (byte*) hmac->opad; - word32 i, hmac_block_size = SHA_BLOCK_SIZE; + word32 i, hmac_block_size = 0; #ifdef HAVE_CAVIUM if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC) @@ -106,8 +115,10 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) break; #endif + #ifndef NO_SHA case SHA: { + hmac_block_size = SHA_BLOCK_SIZE; if (length <= SHA_BLOCK_SIZE) { XMEMCPY(ip, key, length); } @@ -118,6 +129,7 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) } } break; + #endif #ifndef NO_SHA256 case SHA256: @@ -151,6 +163,22 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) break; #endif + #ifdef CYASSL_SHA512 + case SHA512: + { + hmac_block_size = SHA512_BLOCK_SIZE; + if (length <= SHA512_BLOCK_SIZE) { + XMEMCPY(ip, key, length); + } + else { + Sha512Update(&hmac->hash.sha512, key, length); + Sha512Final(&hmac->hash.sha512, ip); + length = SHA512_DIGEST_SIZE; + } + } + break; + #endif + default: break; } @@ -173,9 +201,11 @@ static void HmacKeyInnerHash(Hmac* hmac) break; #endif + #ifndef NO_SHA case SHA: ShaUpdate(&hmac->hash.sha, (byte*) hmac->ipad, SHA_BLOCK_SIZE); break; + #endif #ifndef NO_SHA256 case SHA256: @@ -191,6 +221,13 @@ static void HmacKeyInnerHash(Hmac* hmac) break; #endif + #ifdef CYASSL_SHA512 + case SHA512: + Sha512Update(&hmac->hash.sha512, + (byte*) hmac->ipad, SHA512_BLOCK_SIZE); + break; + #endif + default: break; } 
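Review bot: Initialising `hmac_block_size` to 0 in HmacSetKey makes every switch arm responsible for setting it, and only the SHA and SHA512 arms are shown doing so. The MD5, SHA256 and SHA384 arms are outside these hunks or only partly visible, so they should be checked for the same assignment. If an arm misses it, or the type reaches `default: break;`, the size stays 0. The pad derivation after the switch is not visible here, but it would presumably process zero bytes and leave ipad/opad unkeyed with no error. A comment at the declaration would make the contract explicit, e.g. `/* 0 = unsupported type; every case below must set the block size */`. Since the function returns void, the unsupported-type case is better rejected in InitHmac.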
@@ -216,9 +253,11 @@ void HmacUpdate(Hmac* hmac, const byte* msg, word32 length) break; #endif + #ifndef NO_SHA case SHA: ShaUpdate(&hmac->hash.sha, msg, length); break; + #endif #ifndef NO_SHA256 case SHA256: @@ -232,6 +271,12 @@ void HmacUpdate(Hmac* hmac, const byte* msg, word32 length) break; #endif + #ifdef CYASSL_SHA512 + case SHA512: + Sha512Update(&hmac->hash.sha512, msg, length); + break; + #endif + default: break; } @@ -264,6 +309,7 @@ void HmacFinal(Hmac* hmac, byte* hash) break; #endif + #ifndef NO_SHA case SHA: { ShaFinal(&hmac->hash.sha, (byte*) hmac->innerHash); @@ -275,6 +321,7 @@ void HmacFinal(Hmac* hmac, byte* hash) ShaFinal(&hmac->hash.sha, hash); } break; + #endif #ifndef NO_SHA256 case SHA256: @@ -306,6 +353,21 @@ void HmacFinal(Hmac* hmac, byte* hash) break; #endif + #ifdef CYASSL_SHA512 + case SHA512: + { + Sha512Final(&hmac->hash.sha512, (byte*) hmac->innerHash); + + Sha512Update(&hmac->hash.sha512, + (byte*) hmac->opad, SHA512_BLOCK_SIZE); + Sha512Update(&hmac->hash.sha512, + (byte*) hmac->innerHash, SHA512_DIGEST_SIZE); + + Sha512Final(&hmac->hash.sha512, hash); + } + break; + #endif + default: break; } diff --git a/ctaocrypt/src/integer.c b/ctaocrypt/src/integer.c index 94d5f944e..32da4f612 100644 --- a/ctaocrypt/src/integer.c +++ b/ctaocrypt/src/integer.c @@ -33,6 +33,8 @@ /* in case user set USE_FAST_MATH there */ #include +#ifndef NO_BIG_INT + #ifndef USE_FAST_MATH #include @@ -43,6 +45,8 @@ #endif #endif +static void bn_reverse (unsigned char *s, int len); + /* math settings check */ word32 CheckRunTimeSettings(void) { @@ -3732,7 +3736,7 @@ int mp_sqrmod (mp_int * a, mp_int * b, mp_int * c) #endif -#if defined(CYASSL_KEY_GEN) || defined(HAVE_ECC) || !defined(NO_PWDBASED) +#if defined(CYASSL_KEY_GEN) || defined(HAVE_ECC) || defined(OPENSSL_EXTRA) /* single digit addition */ int mp_add_d (mp_int* a, mp_digit b, mp_int* c) 
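Review bot: The new SHA512 arm in HmacFinal writes SHA512_DIGEST_SIZE bytes into `hmac->innerHash` and reads SHA512_BLOCK_SIZE bytes from `hmac->opad`, but the Hmac struct that sizes those buffers is not part of this file's diff. If the header still sizes them for the previous largest digest, `Sha512Final(&hmac->hash.sha512, (byte*) hmac->innerHash)` writes past the end of the buffer. Please confirm that hmac.h grows ipad, opad and innerHash under CYASSL_SHA512, and consider a compile-time size check next to the struct so the relation cannot regress. The function comment should also say that the caller's `hash` must hold the full digest of the selected type. HmacFinal's body continues outside this hunk.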
@@ -4452,3 +4456,4 @@ int mp_read_radix (mp_int * a, const char *str, int radix) #endif /* USE_FAST_MATH */ +#endif /* NO_BIG_INT */ diff --git a/ctaocrypt/src/md5.c b/ctaocrypt/src/md5.c index 6009c569b..88276d007 100644 --- a/ctaocrypt/src/md5.c +++ b/ctaocrypt/src/md5.c @@ -24,6 +24,8 @@ #include #endif +#ifndef NO_MD5 + #include #ifdef NO_INLINE @@ -340,3 +342,4 @@ void Md5Final(Md5* md5, byte* hash) #endif /* STM32F2_CRYPTO */ +#endif /* NO_MD5 */ diff --git a/ctaocrypt/src/misc.c b/ctaocrypt/src/misc.c index 653be2f3b..1a31b2dca 100644 --- a/ctaocrypt/src/misc.c +++ b/ctaocrypt/src/misc.c @@ -163,8 +163,8 @@ STATIC INLINE void XorWords(word* r, const word* a, word32 n) STATIC INLINE void xorbuf(byte* buf, const byte* mask, word32 count) { - if (((word)buf | (word)mask | count) % WORD_SIZE == 0) - XorWords( (word*)buf, (const word*)mask, count / WORD_SIZE); + if (((word)buf | (word)mask | count) % CYASSL_WORD_SIZE == 0) + XorWords( (word*)buf, (const word*)mask, count / CYASSL_WORD_SIZE); else { word32 i; for (i = 0; i < count; i++) buf[i] ^= mask[i]; diff --git a/ctaocrypt/src/random.c b/ctaocrypt/src/random.c index ba5092e31..0828b56b1 100644 --- a/ctaocrypt/src/random.c +++ b/ctaocrypt/src/random.c @@ -58,6 +58,7 @@ #endif #endif /* USE_WINDOWS_API */ +#if !defined( NO_CYASSL_RANDOM ) #ifdef NO_RC4 @@ -568,7 +569,7 @@ int GenerateSeed(OS_Seed* os, byte* output, word32 sz) #elif defined(NO_DEV_RANDOM) -#error "you need to write an os specific GenerateSeed() here" +#warning "you need to write an os specific GenerateSeed() here" #else /* !USE_WINDOWS_API && !THREADX && !MICRIUM && !NO_DEV_RANDOM */ @@ -613,3 +614,4 @@ int GenerateSeed(OS_Seed* os, byte* output, word32 sz) #endif /* USE_WINDOWS_API */ +#endif /* NO_CYASSL_RANDOM */ diff --git a/ctaocrypt/src/sha.c b/ctaocrypt/src/sha.c index b0b0cc8f1..9a862b76c 100644 --- a/ctaocrypt/src/sha.c +++ b/ctaocrypt/src/sha.c 
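Review bot: Changing `#error` to `#warning` under `NO_DEV_RANDOM` in random.c means a configuration with no OS entropy source no longer stops at compile time. The leanpsk flags in configure.ac define -DNO_DEV_RANDOM, so this branch is reachable from a stock configure option. The hunk does not show whether GenerateSeed() is then expected from the integrator or the link simply fails. If a user-supplied seed function is the intent, say so at this spot, e.g. `/* NO_DEV_RANDOM: the integrator must provide GenerateSeed() backed by a real entropy source */`, and keep the hard error for builds that have not opted in. Note also that `#warning` is a compiler extension before C23 and some toolchains reject it.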
@@ -19,10 +19,13 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ + #ifdef HAVE_CONFIG_H #include #endif +#ifndef NO_SHA + #include #ifdef NO_INLINE #include @@ -345,3 +348,4 @@ void ShaFinal(Sha* sha, byte* hash) #endif /* STM32F2_CRYPTO */ +#endif /* NO_SHA */ diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index 08ef0a1e1..7da380252 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -51,6 +51,9 @@ #ifdef HAVE_ECC #include #endif +#ifdef HAVE_LIBZ + #include +#endif #ifdef _MSC_VER /* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */ @@ -116,6 +119,7 @@ int hmac_md5_test(void); int hmac_sha_test(void); int hmac_sha256_test(void); int hmac_sha384_test(void); +int hmac_sha512_test(void); int arc4_test(void); int hc128_test(void); int rabbit_test(void); @@ -138,6 +142,9 @@ int pbkdf2_test(void); #ifdef HAVE_ECC int ecc_test(void); #endif +#ifdef HAVE_LIBZ + int compress_test(void); +#endif @@ -166,7 +173,7 @@ void ctaocrypt_test(void* args) ((func_args*)args)->return_code = -1; /* error state */ -#if !defined(CYASSL_LEANPSK) +#if !defined(NO_BIG_INT) if (CheckCtcSettings() != 1) err_sys("Build vs runtime math mismatch\n", -1234); @@ -174,7 +181,7 @@ void ctaocrypt_test(void* args) if (CheckFastMathSettings() != 1) err_sys("Build vs runtime fastmath FP_MAX_BITS mismatch\n", -1235); #endif /* USE_FAST_MATH */ -#endif /* !CYASSL_LEANPSK */ +#endif /* !NO_BIG_INT */ #ifndef NO_MD5 @@ -198,10 +205,12 @@ void ctaocrypt_test(void* args) printf( "MD4 test passed!\n"); #endif +#ifndef NO_SHA if ( (ret = sha_test()) ) err_sys("SHA test failed!\n", ret); else printf( "SHA test passed!\n"); +#endif #ifndef NO_SHA256 if ( (ret = sha256_test()) ) 
@@ -239,10 +248,12 @@ void ctaocrypt_test(void* args) printf( "HMAC-MD5 test passed!\n"); #endif + #ifndef NO_SHA if ( (ret = hmac_sha_test()) ) err_sys("HMAC-SHA test failed!\n", ret); else printf( "HMAC-SHA test passed!\n"); + #endif #ifndef NO_SHA256 if ( (ret = hmac_sha256_test()) ) @@ -258,6 +269,13 @@ void ctaocrypt_test(void* args) printf( "HMAC-SHA384 test passed!\n"); #endif + #ifdef CYASSL_SHA512 + if ( (ret = hmac_sha512_test()) ) + err_sys("HMAC-SHA512 test failed!\n", ret); + else + printf( "HMAC-SHA512 test passed!\n"); + #endif + #endif #ifndef NO_RC4 @@ -370,6 +388,12 @@ void ctaocrypt_test(void* args) printf( "ECC test passed!\n"); #endif +#ifdef HAVE_LIBZ + if ( (ret = compress_test()) ) + err_sys("COMPRESS test failed!\n", ret); + else + printf( "COMPRESS test passed!\n"); +#endif ((func_args*)args)->return_code = ret; } @@ -643,6 +667,8 @@ int md4_test(void) #endif /* NO_MD4 */ +#ifndef NO_SHA + int sha_test(void) { Sha sha; @@ -697,6 +723,7 @@ int sha_test(void) return 0; } +#endif /* NO_SHA */ #ifdef CYASSL_RIPEMD int ripemd_test(void) 
@@ -1161,6 +1188,75 @@ int hmac_sha384_test(void) #endif +#if !defined(NO_HMAC) && defined(CYASSL_SHA512) +int hmac_sha512_test(void) +{ + Hmac hmac; + byte hash[SHA512_DIGEST_SIZE]; + + const char* keys[]= + { + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + "\x0b\x0b\x0b", + "Jefe", + "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA" + "\xAA\xAA\xAA" + }; + + testVector a, b, c; + testVector test_hmac[3]; + + int times = sizeof(test_hmac) / sizeof(testVector), i; + + a.input = "Hi There"; + a.output = "\x87\xaa\x7c\xde\xa5\xef\x61\x9d\x4f\xf0\xb4\x24\x1a\x1d\x6c" + "\xb0\x23\x79\xf4\xe2\xce\x4e\xc2\x78\x7a\xd0\xb3\x05\x45\xe1" + "\x7c\xde\xda\xa8\x33\xb7\xd6\xb8\xa7\x02\x03\x8b\x27\x4e\xae" + "\xa3\xf4\xe4\xbe\x9d\x91\x4e\xeb\x61\xf1\x70\x2e\x69\x6c\x20" + "\x3a\x12\x68\x54"; + a.inLen = strlen(a.input); + a.outLen = SHA512_DIGEST_SIZE; + + b.input = "what do ya want for nothing?"; + b.output = "\x16\x4b\x7a\x7b\xfc\xf8\x19\xe2\xe3\x95\xfb\xe7\x3b\x56\xe0" + "\xa3\x87\xbd\x64\x22\x2e\x83\x1f\xd6\x10\x27\x0c\xd7\xea\x25" + "\x05\x54\x97\x58\xbf\x75\xc0\x5a\x99\x4a\x6d\x03\x4f\x65\xf8" + "\xf0\xe6\xfd\xca\xea\xb1\xa3\x4d\x4a\x6b\x4b\x63\x6e\x07\x0a" + "\x38\xbc\xe7\x37"; + b.inLen = strlen(b.input); + b.outLen = SHA512_DIGEST_SIZE; + + c.input = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" + "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" + "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" + "\xDD\xDD\xDD\xDD\xDD\xDD"; + c.output = "\xfa\x73\xb0\x08\x9d\x56\xa2\x84\xef\xb0\xf0\x75\x6c\x89\x0b" + "\xe9\xb1\xb5\xdb\xdd\x8e\xe8\x1a\x36\x55\xf8\x3e\x33\xb2\x27" + "\x9d\x39\xbf\x3e\x84\x82\x79\xa7\x22\xc8\x06\xb4\x85\xa4\x7e" + "\x67\xc8\x07\xb9\x46\xa3\x37\xbe\xe8\x94\x26\x74\x27\x88\x59" + "\xe1\x32\x92\xfb"; + c.inLen = strlen(c.input); + c.outLen = SHA512_DIGEST_SIZE; + + test_hmac[0] = a; + test_hmac[1] = b; + test_hmac[2] = c; + + for (i = 0; i < times; ++i) { + 
HmacSetKey(&hmac, SHA512, (byte*)keys[i], (word32)strlen(keys[i])); + HmacUpdate(&hmac, (byte*)test_hmac[i].input, + (word32)test_hmac[i].inLen); + HmacFinal(&hmac, hash); + + if (memcmp(hash, test_hmac[i].output, SHA512_DIGEST_SIZE) != 0) + return -20 - i; + } + + return 0; +} +#endif + + #ifndef NO_RC4 int arc4_test(void) { 
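Review bot: All three vectors in hmac_sha512_test use keys of at most 20 bytes, so the new `length > SHA512_BLOCK_SIZE` branch in HmacSetKey, which hashes the key with Sha512Update/Sha512Final first, is never executed. The inputs appear to be the first three RFC 4231 cases. That document also defines a case with a key longer than the block size, and adding it as a fourth vector would cover the branch. The loop bound is taken from `test_hmac` while the keys live in a separate `keys[]` array, so a comment such as `/* keys[] and test_hmac[] must have the same number of entries */` would guard against an out-of-bounds read when vectors are added.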
@@ -3056,3 +3152,120 @@ int ecc_test(void) } #endif /* HAVE_ECC */ + +#ifdef HAVE_LIBZ + +const byte sample_text[] = + "Biodiesel cupidatat marfa, cliche aute put a bird on it incididunt elit\n" + "polaroid. Sunt tattooed bespoke reprehenderit. Sint twee organic id\n" + "marfa. Commodo veniam ad esse gastropub. 3 wolf moon sartorial vero,\n" + "plaid delectus biodiesel squid +1 vice. Post-ironic keffiyeh leggings\n" + "selfies cray fap hoodie, forage anim. Carles cupidatat shoreditch, VHS\n" + "small batch meggings kogi dolore food truck bespoke gastropub.\n" + "\n" + "Terry richardson adipisicing actually typewriter tumblr, twee whatever\n" + "four loko you probably haven't heard of them high life. Messenger bag\n" + "whatever tattooed deep v mlkshk. Brooklyn pinterest assumenda chillwave\n" + "et, banksy ullamco messenger bag umami pariatur direct trade forage.\n" + "Typewriter culpa try-hard, pariatur sint brooklyn meggings. Gentrify\n" + "food truck next level, tousled irony non semiotics PBR ethical anim cred\n" + "readymade. Mumblecore brunch lomo odd future, portland organic terry\n" + "richardson elit leggings adipisicing ennui raw denim banjo hella. Godard\n" + "mixtape polaroid, pork belly readymade organic cray typewriter helvetica\n" + "four loko whatever street art yr farm-to-table.\n" + "\n" + "Vinyl keytar vice tofu. Locavore you probably haven't heard of them pug\n" + "pickled, hella tonx labore truffaut DIY mlkshk elit cosby sweater sint\n" + "et mumblecore. Elit swag semiotics, reprehenderit DIY sartorial nisi ugh\n" + "nesciunt pug pork belly wayfarers selfies delectus. Ethical hoodie\n" + "seitan fingerstache kale chips. Terry richardson artisan williamsburg,\n" + "eiusmod fanny pack irony tonx ennui lo-fi incididunt tofu YOLO\n" + "readymade. 8-bit sed ethnic beard officia. 
Pour-over iphone DIY butcher,\n" + "ethnic art party qui letterpress nisi proident jean shorts mlkshk\n" + "locavore.\n" + "\n" + "Narwhal flexitarian letterpress, do gluten-free voluptate next level\n" + "banh mi tonx incididunt carles DIY. Odd future nulla 8-bit beard ut\n" + "cillum pickled velit, YOLO officia you probably haven't heard of them\n" + "trust fund gastropub. Nisi adipisicing tattooed, Austin mlkshk 90's\n" + "small batch american apparel. Put a bird on it cosby sweater before they\n" + "sold out pork belly kogi hella. Street art mollit sustainable polaroid,\n" + "DIY ethnic ea pug beard dreamcatcher cosby sweater magna scenester nisi.\n" + "Sed pork belly skateboard mollit, labore proident eiusmod. Sriracha\n" + "excepteur cosby sweater, anim deserunt laborum eu aliquip ethical et\n" + "neutra PBR selvage.\n" + "\n" + "Raw denim pork belly truffaut, irony plaid sustainable put a bird on it\n" + "next level jean shorts exercitation. Hashtag keytar whatever, nihil\n" + "authentic aliquip disrupt laborum. Tattooed selfies deserunt trust fund\n" + "wayfarers. 3 wolf moon synth church-key sartorial, gastropub leggings\n" + "tattooed. Labore high life commodo, meggings raw denim fingerstache pug\n" + "trust fund leggings seitan forage. Nostrud ullamco duis, reprehenderit\n" + "incididunt flannel sustainable helvetica pork belly pug banksy you\n" + "probably haven't heard of them nesciunt farm-to-table. Disrupt nostrud\n" + "mollit magna, sriracha sartorial helvetica.\n" + "\n" + "Nulla kogi reprehenderit, skateboard sustainable duis adipisicing viral\n" + "ad fanny pack salvia. Fanny pack trust fund you probably haven't heard\n" + "of them YOLO vice nihil. Keffiyeh cray lo-fi pinterest cardigan aliqua,\n" + "reprehenderit aute. Culpa tousled williamsburg, marfa lomo actually anim\n" + "skateboard. Iphone aliqua ugh, semiotics pariatur vero readymade\n" + "organic. 
Marfa squid nulla, in laborum disrupt laboris irure gastropub.\n" + "Veniam sunt food truck leggings, sint vinyl fap.\n" + "\n" + "Hella dolore pork belly, truffaut carles you probably haven't heard of\n" + "them PBR helvetica in sapiente. Fashion axe ugh bushwick american\n" + "apparel. Fingerstache sed iphone, jean shorts blue bottle nisi bushwick\n" + "flexitarian officia veniam plaid bespoke fap YOLO lo-fi. Blog\n" + "letterpress mumblecore, food truck id cray brooklyn cillum ad sed.\n" + "Assumenda chambray wayfarers vinyl mixtape sustainable. VHS vinyl\n" + "delectus, culpa williamsburg polaroid cliche swag church-key synth kogi\n" + "magna pop-up literally. Swag thundercats ennui shoreditch vegan\n" + "pitchfork neutra truffaut etsy, sed single-origin coffee craft beer.\n" + "\n" + "Odio letterpress brooklyn elit. Nulla single-origin coffee in occaecat\n" + "meggings. Irony meggings 8-bit, chillwave lo-fi adipisicing cred\n" + "dreamcatcher veniam. Put a bird on it irony umami, trust fund bushwick\n" + "locavore kale chips. Sriracha swag thundercats, chillwave disrupt\n" + "tousled beard mollit mustache leggings portland next level. Nihil esse\n" + "est, skateboard art party etsy thundercats sed dreamcatcher ut iphone\n" + "swag consectetur et. 
Irure skateboard banjo, nulla deserunt messenger\n" + "bag dolor terry richardson sapiente.\n"; + + +int compress_test(void) +{ + int ret = 0; + word32 dSz = sizeof(sample_text); + word32 cSz = (dSz + (word32)(dSz * 0.001) + 12); + byte *c = NULL; + byte *d = NULL; + + c = calloc(cSz, sizeof(byte)); + d = calloc(dSz, sizeof(byte)); + + if (c == NULL || d == NULL) + ret = -300; + + if (ret == 0 && (ret = Compress(c, cSz, sample_text, dSz, 0)) < 0) + ret = -301; + + if (ret > 0) { + cSz = (word32)ret; + ret = 0; + } + + if (ret == 0 && DeCompress(d, dSz, c, cSz) != (int)dSz) + ret = -302; + + if (ret == 0 && memcmp(d, sample_text, dSz)) + ret = -303; + + if (c) free(c); + if (d) free(d); + + return ret; +} + +#endif /* HAVE_LIBZ */ + diff --git a/cyassl-ios.xcodeproj/project.pbxproj b/cyassl-ios.xcodeproj/project.pbxproj new file mode 100644 index 000000000..154aa6352 --- /dev/null +++ b/cyassl-ios.xcodeproj/project.pbxproj 
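Review bot: compress_test only proves the round trip on valid input. Nothing checks that DeCompress returns an error when the output buffer is too small or the compressed input is truncated, which is the path that matters when the compressed data comes from a peer. A cheap negative case after the -303 check would be `if (ret == 0 && DeCompress(d, dSz - 1, c, cSz) >= 0) ret = -304;` (the -304 code is constructed here to follow the existing sequence). Separately, `sample_text` can be declared `static const byte sample_text[]` so the test file exports no extra symbol, and the `if (c)` / `if (d)` guards before `free` are redundant.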
@@ -0,0 +1,379 @@ +// !$*UTF8*$! +{ + archiveVersion = 1; + classes = { + }; + objectVersion = 46; + objects = { + +/* Begin PBXBuildFile section */ + 52B1348216F3CCC400C07B32 /* tls.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1347B16F3CCC400C07B32 /* tls.c */; }; + 52B1348316F3CCC400C07B32 /* ssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1347C16F3CCC400C07B32 /* ssl.c */; }; + 52B1348416F3CCC400C07B32 /* ocsp.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1347D16F3CCC400C07B32 /* ocsp.c */; }; + 52B1348516F3CCC400C07B32 /* keys.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1347E16F3CCC400C07B32 /* keys.c */; }; + 52B1348616F3CCC400C07B32 /* io.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1347F16F3CCC400C07B32 /* io.c */; }; + 52B1348716F3CCC400C07B32 /* internal.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1348016F3CCC400C07B32 /* internal.c */; }; + 52B1348816F3CCC400C07B32 /* crl.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1348116F3CCC400C07B32 /* crl.c */; }; + 52B134A316F3CDF300C07B32 /* tfm.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1348916F3CDF300C07B32 /* tfm.c */; }; + 52B134A416F3CDF300C07B32 /* sha256.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1348A16F3CDF300C07B32 /* sha256.c */; }; + 52B134A516F3CDF300C07B32 /* sha.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1348B16F3CDF300C07B32 /* sha.c */; }; + 52B134A616F3CDF300C07B32 /* rsa.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1348C16F3CDF300C07B32 /* rsa.c */; }; + 52B134A716F3CDF300C07B32 /* ripemd.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1348D16F3CDF300C07B32 /* ripemd.c */; }; + 52B134A816F3CDF300C07B32 /* random.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1348E16F3CDF300C07B32 /* random.c */; }; + 52B134A916F3CDF300C07B32 /* rabbit.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1348F16F3CDF300C07B32 /* rabbit.c */; }; + 52B134AA16F3CDF300C07B32 /* pwdbased.c in Sources */ = {isa = PBXBuildFile; 
fileRef = 52B1349016F3CDF300C07B32 /* pwdbased.c */; }; + 52B134AB16F3CDF300C07B32 /* misc.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349116F3CDF300C07B32 /* misc.c */; }; + 52B134AC16F3CDF300C07B32 /* memory.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349216F3CDF300C07B32 /* memory.c */; }; + 52B134AD16F3CDF300C07B32 /* md5.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349316F3CDF300C07B32 /* md5.c */; }; + 52B134AE16F3CDF300C07B32 /* md4.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349416F3CDF300C07B32 /* md4.c */; }; + 52B134AF16F3CDF300C07B32 /* logging.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349516F3CDF300C07B32 /* logging.c */; }; + 52B134B016F3CDF300C07B32 /* integer.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349616F3CDF300C07B32 /* integer.c */; }; + 52B134B116F3CDF300C07B32 /* hmac.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349716F3CDF300C07B32 /* hmac.c */; }; + 52B134B216F3CDF300C07B32 /* hc128.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349816F3CDF300C07B32 /* hc128.c */; }; + 52B134B316F3CDF300C07B32 /* error.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349916F3CDF300C07B32 /* error.c */; }; + 52B134B416F3CDF300C07B32 /* ecc.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349A16F3CDF300C07B32 /* ecc.c */; }; + 52B134B516F3CDF300C07B32 /* dsa.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349B16F3CDF300C07B32 /* dsa.c */; }; + 52B134B616F3CDF300C07B32 /* dh.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349C16F3CDF300C07B32 /* dh.c */; }; + 52B134B716F3CDF300C07B32 /* des3.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349D16F3CDF300C07B32 /* des3.c */; }; + 52B134B816F3CDF300C07B32 /* coding.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349E16F3CDF300C07B32 /* coding.c */; }; + 52B134B916F3CDF300C07B32 /* camellia.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B1349F16F3CDF300C07B32 /* camellia.c */; }; + 52B134BA16F3CDF300C07B32 /* 
asn.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B134A016F3CDF300C07B32 /* asn.c */; }; + 52B134BB16F3CDF300C07B32 /* arc4.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B134A116F3CDF300C07B32 /* arc4.c */; }; + 52B134BC16F3CDF300C07B32 /* aes.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B134A216F3CDF300C07B32 /* aes.c */; }; +/* End PBXBuildFile section */ + +/* Begin PBXCopyFilesBuildPhase section */ + 52B1344B16F3C9E800C07B32 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = "include/${PRODUCT_NAME}"; + dstSubfolderSpec = 16; + files = ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXCopyFilesBuildPhase section */ + +/* Begin PBXFileReference section */ + 52B1344D16F3C9E800C07B32 /* libcyassl-ios.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libcyassl-ios.a"; sourceTree = BUILT_PRODUCTS_DIR; }; + 52B1347B16F3CCC400C07B32 /* tls.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = tls.c; path = src/tls.c; sourceTree = SOURCE_ROOT; }; + 52B1347C16F3CCC400C07B32 /* ssl.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = ssl.c; path = src/ssl.c; sourceTree = SOURCE_ROOT; }; + 52B1347D16F3CCC400C07B32 /* ocsp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = ocsp.c; path = src/ocsp.c; sourceTree = SOURCE_ROOT; }; + 52B1347E16F3CCC400C07B32 /* keys.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = keys.c; path = src/keys.c; sourceTree = SOURCE_ROOT; }; + 52B1347F16F3CCC400C07B32 /* io.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = io.c; path = src/io.c; sourceTree = SOURCE_ROOT; }; + 52B1348016F3CCC400C07B32 /* internal.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = internal.c; path = 
src/internal.c; sourceTree = SOURCE_ROOT; }; + 52B1348116F3CCC400C07B32 /* crl.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = crl.c; path = src/crl.c; sourceTree = SOURCE_ROOT; }; + 52B1348916F3CDF300C07B32 /* tfm.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = tfm.c; path = ctaocrypt/src/tfm.c; sourceTree = SOURCE_ROOT; }; + 52B1348A16F3CDF300C07B32 /* sha256.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = sha256.c; path = ctaocrypt/src/sha256.c; sourceTree = SOURCE_ROOT; }; + 52B1348B16F3CDF300C07B32 /* sha.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = sha.c; path = ctaocrypt/src/sha.c; sourceTree = SOURCE_ROOT; }; + 52B1348C16F3CDF300C07B32 /* rsa.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = rsa.c; path = ctaocrypt/src/rsa.c; sourceTree = SOURCE_ROOT; }; + 52B1348D16F3CDF300C07B32 /* ripemd.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = ripemd.c; path = ctaocrypt/src/ripemd.c; sourceTree = SOURCE_ROOT; }; + 52B1348E16F3CDF300C07B32 /* random.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = random.c; path = ctaocrypt/src/random.c; sourceTree = SOURCE_ROOT; }; + 52B1348F16F3CDF300C07B32 /* rabbit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = rabbit.c; path = ctaocrypt/src/rabbit.c; sourceTree = SOURCE_ROOT; }; + 52B1349016F3CDF300C07B32 /* pwdbased.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = pwdbased.c; path = ctaocrypt/src/pwdbased.c; sourceTree = SOURCE_ROOT; }; + 52B1349116F3CDF300C07B32 /* misc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = misc.c; path = ctaocrypt/src/misc.c; sourceTree = SOURCE_ROOT; }; 
+ 52B1349216F3CDF300C07B32 /* memory.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = memory.c; path = ctaocrypt/src/memory.c; sourceTree = SOURCE_ROOT; }; + 52B1349316F3CDF300C07B32 /* md5.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = md5.c; path = ctaocrypt/src/md5.c; sourceTree = SOURCE_ROOT; }; + 52B1349416F3CDF300C07B32 /* md4.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = md4.c; path = ctaocrypt/src/md4.c; sourceTree = SOURCE_ROOT; }; + 52B1349516F3CDF300C07B32 /* logging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = logging.c; path = ctaocrypt/src/logging.c; sourceTree = SOURCE_ROOT; }; + 52B1349616F3CDF300C07B32 /* integer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = integer.c; path = ctaocrypt/src/integer.c; sourceTree = SOURCE_ROOT; }; + 52B1349716F3CDF300C07B32 /* hmac.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = hmac.c; path = ctaocrypt/src/hmac.c; sourceTree = SOURCE_ROOT; }; + 52B1349816F3CDF300C07B32 /* hc128.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = hc128.c; path = ctaocrypt/src/hc128.c; sourceTree = SOURCE_ROOT; }; + 52B1349916F3CDF300C07B32 /* error.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = error.c; path = ctaocrypt/src/error.c; sourceTree = SOURCE_ROOT; }; + 52B1349A16F3CDF300C07B32 /* ecc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = ecc.c; path = ctaocrypt/src/ecc.c; sourceTree = SOURCE_ROOT; }; + 52B1349B16F3CDF300C07B32 /* dsa.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = dsa.c; path = ctaocrypt/src/dsa.c; sourceTree = SOURCE_ROOT; }; + 52B1349C16F3CDF300C07B32 /* dh.c */ = 
{isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = dh.c; path = ctaocrypt/src/dh.c; sourceTree = SOURCE_ROOT; }; + 52B1349D16F3CDF300C07B32 /* des3.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = des3.c; path = ctaocrypt/src/des3.c; sourceTree = SOURCE_ROOT; }; + 52B1349E16F3CDF300C07B32 /* coding.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = coding.c; path = ctaocrypt/src/coding.c; sourceTree = SOURCE_ROOT; }; + 52B1349F16F3CDF300C07B32 /* camellia.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = camellia.c; path = ctaocrypt/src/camellia.c; sourceTree = SOURCE_ROOT; }; + 52B134A016F3CDF300C07B32 /* asn.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = asn.c; path = ctaocrypt/src/asn.c; sourceTree = SOURCE_ROOT; }; + 52B134A116F3CDF300C07B32 /* arc4.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = arc4.c; path = ctaocrypt/src/arc4.c; sourceTree = SOURCE_ROOT; }; + 52B134A216F3CDF300C07B32 /* aes.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = aes.c; path = ctaocrypt/src/aes.c; sourceTree = SOURCE_ROOT; }; +/* End PBXFileReference section */ + +/* Begin PBXFrameworksBuildPhase section */ + 52B1344A16F3C9E800C07B32 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXFrameworksBuildPhase section */ + +/* Begin PBXGroup section */ + 52B1344416F3C9E800C07B32 = { + isa = PBXGroup; + children = ( + 52B1347816F3CC0400C07B32 /* Source */, + 52B1344E16F3C9E800C07B32 /* Products */, + ); + sourceTree = ""; + }; + 52B1344E16F3C9E800C07B32 /* Products */ = { + isa = PBXGroup; + children = ( + 52B1344D16F3C9E800C07B32 /* libcyassl-ios.a */, + ); + name = Products; + 
sourceTree = ""; + }; + 52B1347816F3CC0400C07B32 /* Source */ = { + isa = PBXGroup; + children = ( + 52B1347916F3CC9200C07B32 /* cyaSSL */, + 52B1347A16F3CC9A00C07B32 /* wolfCrypt */, + ); + name = Source; + path = "cyassl-ios"; + sourceTree = ""; + }; + 52B1347916F3CC9200C07B32 /* cyaSSL */ = { + isa = PBXGroup; + children = ( + 52B1347B16F3CCC400C07B32 /* tls.c */, + 52B1347C16F3CCC400C07B32 /* ssl.c */, + 52B1347D16F3CCC400C07B32 /* ocsp.c */, + 52B1347E16F3CCC400C07B32 /* keys.c */, + 52B1347F16F3CCC400C07B32 /* io.c */, + 52B1348016F3CCC400C07B32 /* internal.c */, + 52B1348116F3CCC400C07B32 /* crl.c */, + ); + name = cyaSSL; + sourceTree = ""; + }; + 52B1347A16F3CC9A00C07B32 /* wolfCrypt */ = { + isa = PBXGroup; + children = ( + 52B1348916F3CDF300C07B32 /* tfm.c */, + 52B1348A16F3CDF300C07B32 /* sha256.c */, + 52B1348B16F3CDF300C07B32 /* sha.c */, + 52B1348C16F3CDF300C07B32 /* rsa.c */, + 52B1348D16F3CDF300C07B32 /* ripemd.c */, + 52B1348E16F3CDF300C07B32 /* random.c */, + 52B1348F16F3CDF300C07B32 /* rabbit.c */, + 52B1349016F3CDF300C07B32 /* pwdbased.c */, + 52B1349116F3CDF300C07B32 /* misc.c */, + 52B1349216F3CDF300C07B32 /* memory.c */, + 52B1349316F3CDF300C07B32 /* md5.c */, + 52B1349416F3CDF300C07B32 /* md4.c */, + 52B1349516F3CDF300C07B32 /* logging.c */, + 52B1349616F3CDF300C07B32 /* integer.c */, + 52B1349716F3CDF300C07B32 /* hmac.c */, + 52B1349816F3CDF300C07B32 /* hc128.c */, + 52B1349916F3CDF300C07B32 /* error.c */, + 52B1349A16F3CDF300C07B32 /* ecc.c */, + 52B1349B16F3CDF300C07B32 /* dsa.c */, + 52B1349C16F3CDF300C07B32 /* dh.c */, + 52B1349D16F3CDF300C07B32 /* des3.c */, + 52B1349E16F3CDF300C07B32 /* coding.c */, + 52B1349F16F3CDF300C07B32 /* camellia.c */, + 52B134A016F3CDF300C07B32 /* asn.c */, + 52B134A116F3CDF300C07B32 /* arc4.c */, + 52B134A216F3CDF300C07B32 /* aes.c */, + ); + name = wolfCrypt; + sourceTree = ""; + }; +/* End PBXGroup section */ + +/* Begin PBXNativeTarget section */ + 52B1344C16F3C9E800C07B32 /* cyassl-ios */ = { + isa = 
PBXNativeTarget; + buildConfigurationList = 52B1347216F3C9E800C07B32 /* Build configuration list for PBXNativeTarget "cyassl-ios" */; + buildPhases = ( + 52B1344916F3C9E800C07B32 /* Sources */, + 52B1344A16F3C9E800C07B32 /* Frameworks */, + 52B1344B16F3C9E800C07B32 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = "cyassl-ios"; + productName = "cyassl-ios"; + productReference = 52B1344D16F3C9E800C07B32 /* libcyassl-ios.a */; + productType = "com.apple.product-type.library.static"; + }; +/* End PBXNativeTarget section */ + +/* Begin PBXProject section */ + 52B1344516F3C9E800C07B32 /* Project object */ = { + isa = PBXProject; + attributes = { + LastUpgradeCheck = 0460; + ORGANIZATIONNAME = "wolfSSL Inc"; + }; + buildConfigurationList = 52B1344816F3C9E800C07B32 /* Build configuration list for PBXProject "cyassl-ios" */; + compatibilityVersion = "Xcode 3.2"; + developmentRegion = English; + hasScannedForEncodings = 0; + knownRegions = ( + en, + ); + mainGroup = 52B1344416F3C9E800C07B32; + productRefGroup = 52B1344E16F3C9E800C07B32 /* Products */; + projectDirPath = ""; + projectRoot = ""; + targets = ( + 52B1344C16F3C9E800C07B32 /* cyassl-ios */, + ); + }; +/* End PBXProject section */ + +/* Begin PBXSourcesBuildPhase section */ + 52B1344916F3C9E800C07B32 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 52B1348216F3CCC400C07B32 /* tls.c in Sources */, + 52B1348316F3CCC400C07B32 /* ssl.c in Sources */, + 52B1348416F3CCC400C07B32 /* ocsp.c in Sources */, + 52B1348516F3CCC400C07B32 /* keys.c in Sources */, + 52B1348616F3CCC400C07B32 /* io.c in Sources */, + 52B1348716F3CCC400C07B32 /* internal.c in Sources */, + 52B1348816F3CCC400C07B32 /* crl.c in Sources */, + 52B134A316F3CDF300C07B32 /* tfm.c in Sources */, + 52B134A416F3CDF300C07B32 /* sha256.c in Sources */, + 52B134A516F3CDF300C07B32 /* sha.c in Sources */, + 52B134A616F3CDF300C07B32 /* rsa.c in Sources */, + 52B134A716F3CDF300C07B32 /* ripemd.c 
in Sources */, + 52B134A816F3CDF300C07B32 /* random.c in Sources */, + 52B134A916F3CDF300C07B32 /* rabbit.c in Sources */, + 52B134AA16F3CDF300C07B32 /* pwdbased.c in Sources */, + 52B134AB16F3CDF300C07B32 /* misc.c in Sources */, + 52B134AC16F3CDF300C07B32 /* memory.c in Sources */, + 52B134AD16F3CDF300C07B32 /* md5.c in Sources */, + 52B134AE16F3CDF300C07B32 /* md4.c in Sources */, + 52B134AF16F3CDF300C07B32 /* logging.c in Sources */, + 52B134B016F3CDF300C07B32 /* integer.c in Sources */, + 52B134B116F3CDF300C07B32 /* hmac.c in Sources */, + 52B134B216F3CDF300C07B32 /* hc128.c in Sources */, + 52B134B316F3CDF300C07B32 /* error.c in Sources */, + 52B134B416F3CDF300C07B32 /* ecc.c in Sources */, + 52B134B516F3CDF300C07B32 /* dsa.c in Sources */, + 52B134B616F3CDF300C07B32 /* dh.c in Sources */, + 52B134B716F3CDF300C07B32 /* des3.c in Sources */, + 52B134B816F3CDF300C07B32 /* coding.c in Sources */, + 52B134B916F3CDF300C07B32 /* camellia.c in Sources */, + 52B134BA16F3CDF300C07B32 /* asn.c in Sources */, + 52B134BB16F3CDF300C07B32 /* arc4.c in Sources */, + 52B134BC16F3CDF300C07B32 /* aes.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXSourcesBuildPhase section */ + +/* Begin XCBuildConfiguration section */ + 52B1347016F3C9E800C07B32 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COPY_PHASE_STRIP = NO; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + 
IPHONEOS_DEPLOYMENT_TARGET = 6.1; + ONLY_ACTIVE_ARCH = YES; + SDKROOT = iphoneos; + USER_HEADER_SEARCH_PATHS = "cyassl/ctaocrypt cyassl include"; + }; + name = Debug; + }; + 52B1347116F3C9E800C07B32 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COPY_PHASE_STRIP = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + IPHONEOS_DEPLOYMENT_TARGET = 6.1; + SDKROOT = iphoneos; + USER_HEADER_SEARCH_PATHS = "cyassl/ctaocrypt cyassl include"; + VALIDATE_PRODUCT = NO; + }; + name = Release; + }; + 52B1347316F3C9E800C07B32 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = YES; + CLANG_LINK_OBJC_RUNTIME = NO; + DSTROOT = /tmp/cyassl_ios.dst; + GCC_PRECOMPILE_PREFIX_HEADER = NO; + GCC_PREFIX_HEADER = ""; + HEADER_SEARCH_PATHS = $SRCROOT; + OTHER_LDFLAGS = ""; + PRODUCT_NAME = "$(TARGET_NAME)"; + SKIP_INSTALL = YES; + TARGETED_DEVICE_FAMILY = "1,2"; + USER_HEADER_SEARCH_PATHS = "cyassl/ctaocrypt cyassl"; + }; + name = Debug; + }; + 52B1347416F3C9E800C07B32 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = YES; + CLANG_LINK_OBJC_RUNTIME = NO; + DSTROOT = /tmp/cyassl_ios.dst; + GCC_PRECOMPILE_PREFIX_HEADER = NO; + GCC_PREFIX_HEADER = ""; + HEADER_SEARCH_PATHS = $SRCROOT; + OTHER_LDFLAGS = ""; + PRODUCT_NAME = "$(TARGET_NAME)"; + SKIP_INSTALL = YES; + TARGETED_DEVICE_FAMILY = "1,2"; + USER_HEADER_SEARCH_PATHS = "cyassl/ctaocrypt cyassl"; + }; + name = Release; + }; +/* End XCBuildConfiguration section */ + +/* Begin XCConfigurationList section */ + 52B1344816F3C9E800C07B32 /* Build 
configuration list for PBXProject "cyassl-ios" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 52B1347016F3C9E800C07B32 /* Debug */, + 52B1347116F3C9E800C07B32 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 52B1347216F3C9E800C07B32 /* Build configuration list for PBXNativeTarget "cyassl-ios" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 52B1347316F3C9E800C07B32 /* Debug */, + 52B1347416F3C9E800C07B32 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; +/* End XCConfigurationList section */ + }; + rootObject = 52B1344516F3C9E800C07B32 /* Project object */; +} diff --git a/cyassl/crl.h b/cyassl/crl.h index 4b350164f..62a35ffec 100644 --- a/cyassl/crl.h +++ b/cyassl/crl.h @@ -23,6 +23,9 @@ #ifndef CYASSL_CRL_H #define CYASSL_CRL_H + +#ifdef HAVE_CRL + #include #include @@ -44,4 +47,5 @@ CYASSL_LOCAL int CheckCertCRL(CYASSL_CRL*, DecodedCert*); } /* extern "C" */ #endif +#endif /* HAVE_CRL */ #endif /* CYASSL_CRL_H */ diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 99854207c..b21ede088 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -273,6 +273,11 @@ struct DecodedCert { #endif /* CYASSL_CERT_GEN */ }; +#ifdef SHA_DIGEST_SIZE +#define SIGNER_DIGEST_SIZE SHA_DIGEST_SIZE +#else +#define SIGNER_DIGEST_SIZE 160 +#endif /* CA Signers */ struct Signer { @@ -280,7 +285,7 @@ struct Signer { word32 pubKeySize; word32 keyOID; /* key type */ char* name; /* common name */ - byte hash[SHA_DIGEST_SIZE]; /* sha hash of names in certificate */ + byte hash[SIGNER_DIGEST_SIZE];/* sha hash of names in certificate */ Signer* next; }; diff --git a/cyassl/ctaocrypt/compress.h b/cyassl/ctaocrypt/compress.h new file mode 100644 index 000000000..60ebed7fd --- /dev/null +++ b/cyassl/ctaocrypt/compress.h 
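Review bot: The fallback `#define SIGNER_DIGEST_SIZE 160` in asn.h looks like the SHA-1 digest length in bits, but it sizes a byte array (`byte hash[SIGNER_DIGEST_SIZE]`), where the digest is 20 bytes. If `SHA_DIGEST_SIZE` is an enumerator rather than a macro in sha.h (not shown here), `#ifdef SHA_DIGEST_SIZE` never sees it and every build takes the 160 branch. Any compare or copy sized by `SIGNER_DIGEST_SIZE` would then cover 140 bytes the hash code never writes, and `struct Signer` could differ in layout between translation units that do and do not see a macro. Suggest `#define SIGNER_DIGEST_SIZE 20` in the `#else` branch. The same fallback is added for `OCSP_DIGEST_SIZE` and `CRL_DIGEST_SIZE` in cyassl/internal.h.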
@@ -0,0 +1,52 @@ +/* compress.h + * + * Copyright (C) 2006-2013 wolfSSL Inc. + * + * This file is part of CyaSSL. + * + * CyaSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * CyaSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + + +#ifdef HAVE_LIBZ + +#ifndef CTAO_CRYPT_COMPRESS_H +#define CTAO_CRYPT_COMPRESS_H + + +#include + + +#ifdef __cplusplus + extern "C" { +#endif + + +#define COMPRESS_FIXED 1 + + +CYASSL_API int Compress(byte*, word32, const byte*, word32, word32); +CYASSL_API int DeCompress(byte*, word32, const byte*, word32); + + +#ifdef __cplusplus + } /* extern "C" */ +#endif + + +#endif /* CTAO_CRYPT_COMPRESS_H */ + +#endif /* HAVE_LIBZ */ + diff --git a/cyassl/ctaocrypt/error.h b/cyassl/ctaocrypt/error.h index 204600721..265019822 100644 --- a/cyassl/ctaocrypt/error.h +++ b/cyassl/ctaocrypt/error.h @@ -103,11 +103,16 @@ enum { CAVIUM_INIT_E = -182, /* Cavium Init type error */ + COMPRESS_INIT_E = -183, /* Compress init error */ + COMPRESS_E = -184, /* Compress error */ + DECOMPRESS_INIT_E = -185, /* DeCompress init error */ + DECOMPRESS_E = -186, /* DeCompress error */ + MIN_CODE_E = -200 /* errors -101 - -199 */ }; -CYASSL_API void CTaoCryptErrorString(int error, char* buffer); +CYASSL_API void CTaoCryptErrorString(int err, char* buff); #ifdef __cplusplus diff --git a/cyassl/ctaocrypt/hmac.h b/cyassl/ctaocrypt/hmac.h index 7d71522be..7b8105a2f 100644 
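Review bot: The new prototypes for `Compress` and `DeCompress` in compress.h carry no parameter names, so the header does not say which `word32` is the output capacity and which is the input length, or what the extra `word32` on `Compress` selects (presumably flags such as `COMPRESS_FIXED`). For a decompressor the output bound is the argument callers most need to get right. Assuming the order is output first (confirm against compress.c), suggest `CYASSL_API int DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz);` and the matching names on `Compress`. A one-line comment on the return value (bytes written versus one of the new `COMPRESS_E`/`DECOMPRESS_E` codes) would complete the contract.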
--- a/cyassl/ctaocrypt/hmac.h +++ b/cyassl/ctaocrypt/hmac.h @@ -57,17 +57,22 @@ enum { #ifdef NO_MD5 MD5 = 0, #endif -#if defined(CYASSL_SHA384) +#if defined(CYASSL_SHA512) + INNER_HASH_SIZE = SHA512_DIGEST_SIZE, + HMAC_BLOCK_SIZE = SHA512_BLOCK_SIZE +#elif defined(CYASSL_SHA384) INNER_HASH_SIZE = SHA384_DIGEST_SIZE, HMAC_BLOCK_SIZE = SHA384_BLOCK_SIZE #elif !defined(NO_SHA256) INNER_HASH_SIZE = SHA256_DIGEST_SIZE, HMAC_BLOCK_SIZE = SHA256_BLOCK_SIZE, + SHA512 = 4, SHA384 = 5 #else INNER_HASH_SIZE = SHA_DIGEST_SIZE, HMAC_BLOCK_SIZE = SHA_BLOCK_SIZE, SHA256 = 2, /* hash type unique */ + SHA512 = 4, SHA384 = 5 #endif }; @@ -78,13 +83,18 @@ typedef union { #ifndef NO_MD5 Md5 md5; #endif - Sha sha; + #ifndef NO_SHA + Sha sha; + #endif #ifndef NO_SHA256 Sha256 sha256; #endif #ifdef CYASSL_SHA384 Sha384 sha384; #endif + #ifdef CYASSL_SHA512 + Sha512 sha512; + #endif } Hash; /* Hmac digest */ diff --git a/cyassl/ctaocrypt/include.am b/cyassl/ctaocrypt/include.am index d7b54990b..18c3c0d9c 100644 --- a/cyassl/ctaocrypt/include.am +++ b/cyassl/ctaocrypt/include.am @@ -8,6 +8,7 @@ nobase_include_HEADERS+= \ cyassl/ctaocrypt/asn_public.h \ cyassl/ctaocrypt/camellia.h \ cyassl/ctaocrypt/coding.h \ + cyassl/ctaocrypt/compress.h \ cyassl/ctaocrypt/des3.h \ cyassl/ctaocrypt/dh.h \ cyassl/ctaocrypt/dsa.h \ diff --git a/cyassl/ctaocrypt/integer.h b/cyassl/ctaocrypt/integer.h index 9b4b6db16..fdad4773a 100644 --- a/cyassl/ctaocrypt/integer.h +++ b/cyassl/ctaocrypt/integer.h @@ -82,9 +82,9 @@ extern "C" { #ifdef MP_8BIT typedef unsigned char mp_digit; typedef unsigned short mp_word; -#elif defined(MP_16BIT) +#elif defined(MP_16BIT) || defined(NO_64BIT) typedef unsigned short mp_digit; - typedef unsigned long mp_word; + typedef unsigned int mp_word; #elif defined(MP_64BIT) /* for GCC only on supported platforms */ #ifndef CRYPT 
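Review bot: The final `#else` branch of the hmac.h size enum still sets `INNER_HASH_SIZE = SHA_DIGEST_SIZE` and `HMAC_BLOCK_SIZE = SHA_BLOCK_SIZE` unconditionally, while the next hunk makes the `Sha sha;` union member conditional on `NO_SHA`. A build with both `NO_SHA` and `NO_SHA256` and no SHA-384/512 would reach that branch; whether the SHA-1 constants exist there is not visible in this diff, although the asn.h fallback in this commit suggests they may not. Suggest changing that `#else` to `#elif !defined(NO_SHA)` and adding a final `#else` that either selects the MD5 sizes or stops with `#error`, mirroring the `MAX_DIGEST_SIZE` chain added in internal.h. The enum begins outside the hunk.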
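Review bot: `typedef unsigned int mp_word;` in integer.h now applies to `MP_16BIT` as well as `NO_64BIT`, and C only guarantees 16 bits for `unsigned int`, the same minimum as the `unsigned short` digit. The comment in types.h says mp_word needs to be twice as big as mp_digit; on a target where `int` is 16 bits the product of two digits would be truncated silently, which corrupts every big-number result built on it. Keep `typedef unsigned long mp_word;` for `MP_16BIT`, or add a compile-time check such as `typedef char mp_word_check[(sizeof(mp_word) >= 2 * sizeof(mp_digit)) ? 1 : -1];`. The same digit/word pair is added for `fp_digit`/`fp_word` in the `NO_64BIT` branch of tfm.h, and the `#if` chain continues outside this hunk.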
@@ -238,7 +238,6 @@ int mp_count_bits (mp_int * a); int mp_init_copy (mp_int * a, mp_int * b); int mp_copy (mp_int * a, mp_int * b); int mp_grow (mp_int * a, int size); -void bn_reverse (unsigned char *s, int len); int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d); void mp_zero (mp_int * a); void mp_clamp (mp_int * a); @@ -314,7 +313,7 @@ int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e, int mp_lcm (mp_int * a, mp_int * b, mp_int * c); #endif -#if defined(CYASSL_KEY_GEN) || defined(HAVE_ECC) || !defined(NO_PWDBASED) +#if defined(CYASSL_KEY_GEN) || defined(HAVE_ECC) || defined(OPENSSL_EXTRA) int mp_sub_d (mp_int * a, mp_digit b, mp_int * c); #endif diff --git a/cyassl/ctaocrypt/settings.h b/cyassl/ctaocrypt/settings.h index b80bcc13f..9b42b6e1f 100644 --- a/cyassl/ctaocrypt/settings.h +++ b/cyassl/ctaocrypt/settings.h @@ -115,20 +115,39 @@ #endif -#ifdef CYASSL_LEANPSK +#if defined(CYASSL_LEANPSK) && !defined(XMALLOC_USER) #include #define XMALLOC(s, h, type) malloc((s)) #define XFREE(p, h, type) free((p)) #define XREALLOC(p, n, h, t) realloc((p), (n)) #endif +#if defined(XMALLOC_USER) && defined(SSN_BUILDING_LIBYASSL) + #undef XMALLOC + #define XMALLOC yaXMALLOC + #undef XFREE + #define XFREE yaXFREE + #undef XREALLOC + #define XREALLOC yaXREALLOC +#endif + #ifdef FREERTOS - #define NO_WRITEV - #define NO_SHA512 - #define NO_DH - #define NO_DSA - #define NO_HC128 + #ifndef NO_WRITEV + #define NO_WRITEV + #endif + #ifndef NO_SHA512 + #define NO_SHA512 + #endif + #ifndef NO_DH + #define NO_DH + #endif + #ifndef NO_DSA + #define NO_DSA + #endif + #ifndef NO_HC128 + #define NO_HC128 + #endif #ifndef SINGLE_THREADED #include "FreeRTOS.h" 
@@ -448,10 +467,17 @@ #if !defined(XMALLOC_USER) && !defined(MICRIUM_MALLOC) && \ - !defined(CYASSL_LEANPSK) + !defined(CYASSL_LEANPSK) && !defined(NO_CYASSL_MEMORY) #define USE_CYASSL_MEMORY #endif + +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) + #undef KEEP_PEER_CERT + #define KEEP_PEER_CERT +#endif + + /* Place any other flags or defines here */ diff --git a/cyassl/ctaocrypt/tfm.h b/cyassl/ctaocrypt/tfm.h index 314feb608..b42dfdeaf 100644 --- a/cyassl/ctaocrypt/tfm.h +++ b/cyassl/ctaocrypt/tfm.h @@ -54,6 +54,7 @@ #endif +#ifndef NO_64BIT /* autodetect x86-64 and make sure we are using 64-bit digits with x86-64 asm */ #if defined(__x86_64__) #if defined(TFM_X86) || defined(TFM_SSE2) || defined(TFM_ARM) @@ -72,6 +73,7 @@ #if defined(__x86_64__) && !defined(FP_64BIT) #define FP_64BIT #endif +#endif /* NO_64BIT */ /* try to detect x86-32 */ #if defined(__i386__) && !defined(TFM_SSE2) @@ -214,8 +216,15 @@ typedef signed long long long64; #endif #endif - typedef unsigned int fp_digit; - typedef ulong64 fp_word; + #ifndef NO_64BIT + typedef unsigned int fp_digit; + typedef ulong64 fp_word; + #else + /* some procs like coldfire prefer not to place multiply into 64bit type + even though it exists */ + typedef unsigned short fp_digit; + typedef unsigned int fp_word; + #endif #endif /* # of digits this is */ diff --git a/cyassl/ctaocrypt/types.h b/cyassl/ctaocrypt/types.h index 43d7717f4..adf69fdf1 100644 --- a/cyassl/ctaocrypt/types.h +++ b/cyassl/ctaocrypt/types.h @@ -74,6 +74,10 @@ #define WORD64_AVAILABLE #define W64LIT(x) x##LL typedef unsigned long long word64; +#elif defined(__SIZEOF_LONG_LONG__) && __SIZEOF_LONG_LONG__ == 8 + #define WORD64_AVAILABLE + #define W64LIT(x) x##LL + typedef unsigned long long word64; #else #define MP_16BIT /* for mp_int, mp_word needs to be twice as big as mp_digit, no 64 bit type so make mp_digit 16 bit */ 
@@ -93,9 +97,9 @@ enum { - WORD_SIZE = sizeof(word), - BIT_SIZE = 8, - WORD_BITS = WORD_SIZE * BIT_SIZE + CYASSL_WORD_SIZE = sizeof(word), + CYASSL_BIT_SIZE = 8, + CYASSL_WORD_BITS = CYASSL_WORD_SIZE * CYASSL_BIT_SIZE }; #define CYASSL_MAX_16BIT 0xffffU @@ -145,16 +149,22 @@ enum { /* default to libc stuff */ /* XREALLOC is used once in normal math lib, not in fast math lib */ /* XFREE on some embeded systems doesn't like free(0) so test */ -#ifdef XMALLOC_USER +#if defined(XMALLOC_USER) /* prototypes for user heap override functions */ #include /* for size_t */ extern void *XMALLOC(size_t n, void* heap, int type); extern void *XREALLOC(void *p, size_t n, void* heap, int type); extern void XFREE(void *p, void* heap, int type); +#elif defined(NO_CYASSL_MEMORY) + /* just use plain C stdlib stuff if desired */ + #include + #define XMALLOC(s, h, t) ((void)h, (void)t, malloc((s))) + #define XFREE(p, h, t) {void* xp = (p); if((xp)) free((xp));} + #define XREALLOC(p, n, h, t) realloc((p), (n)) #elif !defined(MICRIUM_MALLOC) && !defined(EBSNET) \ && !defined(CYASSL_SAFERTOS) && !defined(FREESCALE_MQX) \ && !defined(CYASSL_LEANPSK) - /* default C runtime, can install different routines at runtime */ + /* default C runtime, can install different routines at runtime via cbs */ #include #define XMALLOC(s, h, t) ((void)h, (void)t, CyaSSL_Malloc((s))) #define XFREE(p, h, t) {void* xp = (p); if((xp)) CyaSSL_Free((xp));} diff --git a/cyassl/error.h b/cyassl/error.h index 2f222051a..04bb689a8 100644 --- a/cyassl/error.h +++ b/cyassl/error.h @@ -130,7 +130,7 @@ enum CyaSSL_ErrorCodes { CYASSL_LOCAL -void SetErrorString(int error, char* buffer); +void SetErrorString(int err, char* buff); #ifdef __cplusplus diff --git a/cyassl/internal.h b/cyassl/internal.h index 0c3a76114..60ba02e8f 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include 
@@ -111,6 +112,7 @@ #define SHA256_DIGEST_SIZE 32 #endif + #ifdef __cplusplus extern "C" { #endif @@ -134,27 +136,35 @@ void c32to24(word32 in, word24 out); When adding cipher suites, add name to cipher_names, idx to cipher_name_idx */ #if !defined(NO_RSA) && !defined(NO_RC4) + #if !defined(NO_SHA) #define BUILD_SSL_RSA_WITH_RC4_128_SHA - #define BUILD_SSL_RSA_WITH_RC4_128_MD5 - #if !defined(NO_TLS) && defined(HAVE_NTRU) + #endif + #if !defined(NO_MD5) + #define BUILD_SSL_RSA_WITH_RC4_128_MD5 + #endif + #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA #endif #endif #if !defined(NO_RSA) && !defined(NO_DES3) + #if !defined(NO_SHA) #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA #if !defined(NO_TLS) && defined(HAVE_NTRU) #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA #endif + #endif #endif #if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS) + #if !defined(NO_SHA) #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA #if defined(HAVE_NTRU) #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA #endif + #endif #if !defined (NO_SHA256) #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 @@ -171,15 +181,19 @@ void c32to24(word32 in, word24 out); #if defined(HAVE_CAMELLIA) && !defined(NO_TLS) #ifndef NO_RSA + #if !defined(NO_SHA) #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + #endif #ifndef NO_SHA256 #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 #endif #if !defined(NO_DH) && defined(OPENSSL_EXTRA) + #if !defined(NO_SHA) #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + #endif #ifndef NO_SHA256 #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 
@@ -189,8 +203,10 @@ void c32to24(word32 in, word24 out); #endif #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) + #if !defined(NO_SHA) #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA + #endif #ifndef NO_SHA256 #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 #endif @@ -198,11 +214,17 @@ void c32to24(word32 in, word24 out); #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) #if !defined(NO_RSA) + #if !defined(NO_SHA) #define BUILD_TLS_RSA_WITH_NULL_SHA + #endif + #ifndef NO_SHA256 #define BUILD_TLS_RSA_WITH_NULL_SHA256 + #endif #endif #if !defined(NO_PSK) + #if !defined(NO_SHA) #define BUILD_TLS_PSK_WITH_NULL_SHA + #endif #ifndef NO_SHA256 #define BUILD_TLS_PSK_WITH_NULL_SHA256 #endif @@ -211,17 +233,23 @@ void c32to24(word32 in, word24 out); #if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS) #define BUILD_TLS_RSA_WITH_HC_128_CBC_MD5 + #if !defined(NO_SHA) #define BUILD_TLS_RSA_WITH_HC_128_CBC_SHA + #endif #endif #if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA) + #if !defined(NO_SHA) #define BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA + #endif #endif #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ !defined(NO_RSA) && defined(OPENSSL_EXTRA) + #if !defined(NO_SHA) #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA + #endif #if !defined (NO_SHA256) #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
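Review bot: `BUILD_TLS_RSA_WITH_HC_128_CBC_MD5` is still defined unconditionally in the HC-128 block, although this commit guards the neighbouring SHA suite with `NO_SHA` and guards `BUILD_SSL_RSA_WITH_RC4_128_MD5` with `NO_MD5` in the RC4 block. A `NO_MD5` build would presumably still enable a suite whose MAC is not compiled in. Suggest wrapping it the same way: `#if !defined(NO_MD5)` / `#define BUILD_TLS_RSA_WITH_HC_128_CBC_MD5` / `#endif`.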
@@ -234,25 +262,50 @@ void c32to24(word32 in, word24 out); #if defined(HAVE_ECC) && !defined(NO_TLS) #if !defined(NO_AES) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + #if !defined(NO_SHA) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + #endif + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + #ifndef NO_SHA256 + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + #endif + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + #endif + + #ifdef CYASSL_SHA384 + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + #endif + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + #endif + #if defined (HAVE_AESGCM) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + #endif + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 #endif #if defined (HAVE_AESCCM) @@ -261,19 +314,26 @@ void c32to24(word32 in, word24 out); #endif #endif #if !defined(NO_RC4) - #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + #if !defined(NO_SHA) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA + #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA + #endif - #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA + #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA + #endif #endif #if !defined(NO_DES3) - #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + #endif - #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA #endif + #endif #endif @@ -287,11 +347,14 @@ void c32to24(word32 in, word24 out); #endif #if defined(BUILD_TLS_RSA_WITH_AES_128_CBC_SHA) || \ - defined(BUILD_TLS_RSA_WITH_AES_256_CBC_SHA) + defined(BUILD_TLS_RSA_WITH_AES_256_CBC_SHA) || \ + defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) + #undef BUILD_AES #define BUILD_AES #endif -#if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) +#if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \ + defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) #define BUILD_AESGCM #endif @@ -306,12 +369,25 @@ void c32to24(word32 in, word24 out); #ifdef NO_DES3 #define DES_BLOCK_SIZE 8 +#else + #undef BUILD_DES3 + #define BUILD_DES3 #endif #ifdef NO_AES #define AES_BLOCK_SIZE 16 +#else + #undef BUILD_AES + #define BUILD_AES #endif +#ifndef NO_RC4 + #undef BUILD_ARC4 + #define BUILD_ARC4 +#endif + + + #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) #define HAVE_AEAD #endif 
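Review bot: The `#if !defined(NO_SHA)` opened at the top of the AES block in the ECC section has no `#endif` before `#ifndef NO_SHA256`, so by directive count it is closed by the `#endif` that used to close `#if !defined(NO_AES)`, and the `#endif` added after the 3DES block then closes `NO_AES`. Read that way, a `NO_SHA` build loses the ECC SHA-256, SHA-384 and AES-GCM suites, and a `NO_AES` build loses the ECC RC4 and 3DES suites, which is unlikely to be intended. Two lines between this hunk and `@@ -261,19 +314,26 @@` are not shown, so confirm against the full file. If the count holds, add `#endif /* NO_SHA */` directly after `BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA` and drop the `#endif` added after the 3DES block.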
@@ -342,8 +418,12 @@ enum { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0x07, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x12, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0x08, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0x27, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0x23, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0x28, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0x24, - /* static ECDH, first byte is 0xC0 (ECC_BYTE) */ + /* static ECDH, first byte is 0xC0 (ECC_BYTE) */ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0x0F, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0x0E, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0x05, @@ -352,6 +432,10 @@ enum { TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0x02, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0D, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0x03, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0x29, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0x25, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0x2A, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0x26, /* CyaSSL extension - eSTREAM */ TLS_RSA_WITH_HC_128_CBC_MD5 = 0xFB, @@ -408,6 +492,17 @@ enum { }; +#if defined(CYASSL_SHA384) + #define MAX_DIGEST_SIZE SHA384_DIGEST_SIZE +#elif !defined(NO_SHA256) + #define MAX_DIGEST_SIZE SHA256_DIGEST_SIZE +#elif !defined(NO_MD5) && !defined(NO_SHA) + #define MAX_DIGEST_SIZE (SHA_DIGEST_SIZE + MD5_DIGEST_SIZE) +#else + #error "You have configured the build so there isn't any hashing." +#endif + + enum Misc { SERVER_END = 0, CLIENT_END, @@ -419,6 +514,7 @@ enum Misc { DTLS_MAJOR = 0xfe, /* DTLS major version number */ DTLS_MINOR = 0xff, /* DTLS minor version number */ + DTLSv1_2_MINOR = 0xfd, /* DTLS minor version number */ SSLv3_MAJOR = 3, /* SSLv3 and TLSv1+ major version number */ SSLv3_MINOR = 0, /* TLSv1 minor version number */ TLSv1_MINOR = 1, /* TLSv1 minor version number */ 
@@ -431,14 +527,11 @@ enum Misc { SECRET_LEN = 48, /* pre RSA and all master */ ENCRYPT_LEN = 512, /* allow 4096 bit static buffer */ SIZEOF_SENDER = 4, /* clnt or srvr */ -#ifndef NO_MD5 - FINISHED_SZ = MD5_DIGEST_SIZE + SHA_DIGEST_SIZE, -#else - FINISHED_SZ = 36, -#endif + FINISHED_SZ = 36, /* MD5_DIGEST_SIZE + SHA_DIGEST_SIZE */ MAX_RECORD_SIZE = 16384, /* 2^14, max size by standard */ - MAX_MSG_EXTRA = 70, /* max added to msg, mac + pad from */ - /* RECORD_HEADER_SZ + BLOCK_SZ (pad) + SHA_256 + MAX_MSG_EXTRA = 38 + MAX_DIGEST_SIZE, + /* max added to msg, mac + pad from */ + /* RECORD_HEADER_SZ + BLOCK_SZ (pad) + Max digest sz + BLOC_SZ (iv) + pad byte (1) */ MAX_COMP_EXTRA = 1024, /* max compression extra */ MAX_MTU = 1500, /* max expected MTU */ @@ -610,12 +703,17 @@ enum states { }; +#if defined(__GNUC__) + #define CYASSL_PACK __attribute__ ((packed)) +#else + #define CYASSL_PACK +#endif /* SSL Version */ typedef struct ProtocolVersion { byte major; byte minor; -} ProtocolVersion; +} CYASSL_PACK ProtocolVersion; CYASSL_LOCAL ProtocolVersion MakeSSLv3(void); @@ -625,6 +723,7 @@ CYASSL_LOCAL ProtocolVersion MakeTLSv1_2(void); #ifdef CYASSL_DTLS CYASSL_LOCAL ProtocolVersion MakeDTLSv1(void); + CYASSL_LOCAL ProtocolVersion MakeDTLSv1_2(void); #endif @@ -730,7 +829,7 @@ enum { The length (in bytes) of the following TLSPlaintext.fragment. The length should not exceed 2^14. */ -#if defined(LARGE_STATIC_BUFFERS) || defined(CYASSL_DTLS) +#if defined(LARGE_STATIC_BUFFERS) #define STATIC_BUFFER_LEN RECORD_HEADER_SZ + RECORD_SIZE + COMP_EXTRA + \ MTU_EXTRA + MAX_MSG_EXTRA #else 
@@ -786,18 +885,18 @@ int SetCipherList(Suites*, const char* list); CYASSL_LOCAL void EmbedOcspRespFree(void*, byte*); #endif -#endif -#ifdef CYASSL_DTLS - CYASSL_LOCAL - int EmbedReceiveFrom(CYASSL *ssl, char *buf, int sz, void *ctx); - CYASSL_LOCAL - int EmbedSendTo(CYASSL *ssl, char *buf, int sz, void *ctx); - CYASSL_LOCAL - int EmbedGenerateCookie(byte *buf, int sz, void *ctx); - CYASSL_LOCAL - int IsUDP(void*); -#endif + #ifdef CYASSL_DTLS + CYASSL_LOCAL + int EmbedReceiveFrom(CYASSL *ssl, char *buf, int sz, void *ctx); + CYASSL_LOCAL + int EmbedSendTo(CYASSL *ssl, char *buf, int sz, void *ctx); + CYASSL_LOCAL + int EmbedGenerateCookie(CYASSL* ssl, byte *buf, int sz, void *ctx); + CYASSL_LOCAL + int IsUDP(void*); + #endif /* CYASSL_DTLS */ +#endif /* CYASSL_USER_IO */ /* CyaSSL Cipher type just points back to SSL */ @@ -839,14 +938,23 @@ CYASSL_LOCAL int FreeMutex(CyaSSL_Mutex*); CYASSL_LOCAL int LockMutex(CyaSSL_Mutex*); CYASSL_LOCAL int UnLockMutex(CyaSSL_Mutex*); - - typedef struct OCSP_Entry OCSP_Entry; +#ifdef SHA_DIGEST_SIZE + #define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE +#else + #define OCSP_DIGEST_SIZE 160 +#endif + +#ifdef NO_ASN + /* no_asn won't have */ + typedef struct CertStatus CertStatus; +#endif + struct OCSP_Entry { OCSP_Entry* next; /* next entry */ - byte issuerHash[SHA_DIGEST_SIZE]; /* issuer hash */ - byte issuerKeyHash[SHA_DIGEST_SIZE]; /* issuer public key hash */ + byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ + byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ CertStatus* status; /* OCSP response list */ int totalStatus; /* number on list */ }; 
@@ -864,14 +972,27 @@ struct CYASSL_OCSP { CallbackIOOcspRespFree CBIOOcspRespFree; }; +#ifndef MAX_DATE_SIZE +#define MAX_DATE_SIZE 32 +#endif typedef struct CRL_Entry CRL_Entry; +#ifdef SHA_DIGEST_SIZE + #define CRL_DIGEST_SIZE SHA_DIGEST_SIZE +#else + #define CRL_DIGEST_SIZE 160 +#endif + +#ifdef NO_ASN + typedef struct RevokedCert RevokedCert; +#endif + /* Complete CRL */ struct CRL_Entry { CRL_Entry* next; /* next entry */ - byte issuerHash[SHA_DIGEST_SIZE]; /* issuer hash */ - /* byte crlHash[SHA_DIGEST_SIZE]; raw crl data hash */ + byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ + /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ /* restore the hash here if needed for optimized comparisons */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */ byte nextDate[MAX_DATE_SIZE]; /* next update date */ @@ -891,6 +1012,10 @@ struct CRL_Monitor { }; +#ifndef HAVE_CRL + typedef struct CYASSL_CRL CYASSL_CRL; +#endif + /* CyaSSL CRL controller */ struct CYASSL_CRL { CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */ @@ -903,6 +1028,11 @@ struct CYASSL_CRL { }; +#ifdef NO_ASN + typedef struct Signer Signer; +#endif + + /* CyaSSL Certificate Manager */ struct CYASSL_CERT_MANAGER { Signer* caList; /* the CA signer list */ @@ -960,6 +1090,9 @@ struct CYASSL_CTX { byte groupMessages; /* group handshake messages before sending */ CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; +#ifdef CYASSL_DTLS + CallbackGenCookie CBIOCookie; /* gen cookie callback */ +#endif VerifyCallback verifyCallback; /* cert verification callback */ word32 timeout; /* session timeout */ #ifdef HAVE_ECC 
@@ -1110,8 +1243,8 @@ enum CipherType { stream, block, aead }; /* keys and secrets */ typedef struct Keys { - byte client_write_MAC_secret[SHA256_DIGEST_SIZE]; /* max sizes */ - byte server_write_MAC_secret[SHA256_DIGEST_SIZE]; + byte client_write_MAC_secret[MAX_DIGEST_SIZE]; /* max sizes */ + byte server_write_MAC_secret[MAX_DIGEST_SIZE]; byte client_write_key[AES_256_KEY_SIZE]; /* max sizes */ byte server_write_key[AES_256_KEY_SIZE]; byte client_write_IV[AES_IV_SIZE]; /* max sizes */ @@ -1173,7 +1306,7 @@ CYASSL_LOCAL void FreeCiphers(CYASSL* ssl); /* hashes type */ typedef struct Hashes { - #ifndef NO_MD5 + #ifndef NO_OLD_TLS byte md5[MD5_DIGEST_SIZE]; #endif byte sha[SHA_DIGEST_SIZE]; @@ -1284,7 +1417,6 @@ typedef struct Buffers { #endif } Buffers; - typedef struct Options { byte sessionCacheOff; byte sessionCacheFlushOff; @@ -1335,7 +1467,6 @@ typedef struct Options { #endif /* NO_PSK */ } Options; - typedef struct Arrays { byte clientRandom[RAN_LEN]; byte serverRandom[RAN_LEN]; @@ -1355,12 +1486,22 @@ typedef struct Arrays { word32 preMasterSz; /* differs for DH, actual size */ } Arrays; +#ifndef ASN_NAME_MAX +#define ASN_NAME_MAX 256 +#endif struct CYASSL_X509_NAME { char name[ASN_NAME_MAX]; int sz; }; +#ifndef EXTERNAL_SERIAL_SIZE + #define EXTERNAL_SERIAL_SIZE 32 +#endif + +#ifdef NO_ASN + typedef struct DNS_entry DNS_entry; +#endif struct CYASSL_X509 { CYASSL_X509_NAME issuer; @@ -1430,10 +1571,14 @@ struct CYASSL { void* IOCB_ReadCtx; void* IOCB_WriteCtx; RNG* rng; +#ifndef NO_OLD_TLS +#ifndef NO_SHA Sha hashSha; /* sha hash of handshake msgs */ +#endif #ifndef NO_MD5 Md5 hashMd5; /* md5 hash of handshake msgs */ #endif +#endif #ifndef NO_SHA256 Sha256 hashSha256; /* sha256 hash of handshake msgs */ #endif @@ -1482,6 +1627,7 @@ struct CYASSL { int dtls_timeout; DtlsPool* dtls_pool; DtlsMsg* dtls_msg_list; + void* IOCB_CookieCtx; /* gen cookie ctx */ #endif #ifdef CYASSL_CALLBACKS HandShakeInfo handShakeInfo; /* info saved during handshake */ 
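Review bot: In `struct Hashes` the `md5` member is now keyed on `NO_OLD_TLS` alone, while the `hashMd5` member of `struct CYASSL` later in this file is guarded by both `NO_OLD_TLS` and `NO_MD5`. A build with `NO_MD5` but without `NO_OLD_TLS` would still reference `MD5_DIGEST_SIZE` here; whether that name exists under `NO_MD5` is not visible in this diff. Suggest `#if !defined(NO_OLD_TLS) && !defined(NO_MD5)` around `byte md5[MD5_DIGEST_SIZE];`, or an `#error` in settings.h if that combination is meant to be unsupported. The struct continues outside the hunk.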
@@ -1489,7 +1635,7 @@ struct CYASSL { byte hsInfoOn; /* track handshake info */ byte toInfoOn; /* track timeout info */ #endif -#ifdef OPENSSL_EXTRA +#ifdef KEEP_PEER_CERT CYASSL_X509 peerCert; /* X509 peer cert */ #endif #ifdef FORTRESS @@ -1498,6 +1644,7 @@ struct CYASSL { #ifdef HAVE_CAVIUM int devId; /* cavium device id to use */ #endif + CYASSL_ALERT_HISTORY alert_history; }; @@ -1722,8 +1869,6 @@ CYASSL_LOCAL int GrowInputBuffer(CYASSL* ssl, int size, int usedLength); #endif /* NO_TLS */ - - typedef double timer_d; CYASSL_LOCAL timer_d Timer(void); diff --git a/cyassl/ocsp.h b/cyassl/ocsp.h index 8ce560a43..f47f671b1 100644 --- a/cyassl/ocsp.h +++ b/cyassl/ocsp.h @@ -25,6 +25,7 @@ #ifndef CYASSL_OCSP_H #define CYASSL_OCSP_H +#ifdef HAVE_OCSP #include #include @@ -47,6 +48,7 @@ CYASSL_LOCAL int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP*, DecodedCert*); #endif +#endif /* HAVE_OCSP */ #endif /* CYASSL_OCSP_H */ diff --git a/cyassl/openssl/sha.h b/cyassl/openssl/sha.h index 0b37a9bbf..9545795e2 100644 --- a/cyassl/openssl/sha.h +++ b/cyassl/openssl/sha.h @@ -54,7 +54,7 @@ CYASSL_API void CyaSSL_SHA256_Update(CYASSL_SHA256_CTX*, const void*, CYASSL_API void CyaSSL_SHA256_Final(unsigned char*, CYASSL_SHA256_CTX*); enum { - SHA256_DIGEST_LENGTH = 20 + SHA256_DIGEST_LENGTH = 32 }; diff --git a/cyassl/openssl/ssl.h b/cyassl/openssl/ssl.h index b5070d18f..840954f00 100644 --- a/cyassl/openssl/ssl.h +++ b/cyassl/openssl/ssl.h @@ -92,6 +92,8 @@ typedef CYASSL_X509_STORE_CTX X509_STORE_CTX; #ifdef CYASSL_DTLS #define DTLSv1_client_method CyaDTLSv1_client_method #define DTLSv1_server_method CyaDTLSv1_server_method + #define DTLSv1_2_client_method CyaDTLSv1_2_client_method + #define DTLSv1_2_server_method CyaDTLSv1_2_server_method #endif diff --git a/cyassl/ssl.h b/cyassl/ssl.h index f9876fb23..8f0eafc85 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h 
@@ -59,7 +59,6 @@ extern "C" { #endif - typedef struct CYASSL CYASSL; typedef struct CYASSL_SESSION CYASSL_SESSION; typedef struct CYASSL_METHOD CYASSL_METHOD; @@ -112,6 +111,15 @@ typedef struct CYASSL_X509_STORE { int cache; /* stunnel dereference */ } CYASSL_X509_STORE; +typedef struct CYASSL_ALERT { + int code; + int level; +} CYASSL_ALERT; + +typedef struct CYASSL_ALERT_HISTORY { + CYASSL_ALERT last_rx; + CYASSL_ALERT last_tx; +} CYASSL_ALERT_HISTORY; typedef struct CYASSL_X509_REVOKED { CYASSL_ASN1_INTEGER* serialNumber; /* stunnel dereference */ @@ -149,6 +157,8 @@ CYASSL_API CYASSL_METHOD *CyaTLSv1_2_client_method(void); #ifdef CYASSL_DTLS CYASSL_API CYASSL_METHOD *CyaDTLSv1_client_method(void); CYASSL_API CYASSL_METHOD *CyaDTLSv1_server_method(void); + CYASSL_API CYASSL_METHOD *CyaDTLSv1_2_client_method(void); + CYASSL_API CYASSL_METHOD *CyaDTLSv1_2_server_method(void); #endif #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) @@ -202,6 +212,7 @@ CYASSL_API void CyaSSL_CTX_set_quiet_shutdown(CYASSL_CTX*, int); CYASSL_API void CyaSSL_set_quiet_shutdown(CYASSL*, int); CYASSL_API int CyaSSL_get_error(CYASSL*, int); +CYASSL_API int CyaSSL_get_alert_history(CYASSL*, CYASSL_ALERT_HISTORY *); CYASSL_API int CyaSSL_set_session(CYASSL* ssl,CYASSL_SESSION* session); CYASSL_API CYASSL_SESSION* CyaSSL_get_session(CYASSL* ssl); @@ -256,6 +267,7 @@ CYASSL_API void CyaSSL_SESSION_free(CYASSL_SESSION* session); CYASSL_API int CyaSSL_is_init_finished(CYASSL*); CYASSL_API const char* CyaSSL_get_version(CYASSL*); +CYASSL_API int CyaSSL_get_current_cipher_suite(CYASSL* ssl); CYASSL_API CYASSL_CIPHER* CyaSSL_get_current_cipher(CYASSL*); CYASSL_API char* CyaSSL_CIPHER_description(CYASSL_CIPHER*, char*, int); CYASSL_API const char* CyaSSL_CIPHER_get_name(const CYASSL_CIPHER* cipher); 
@@ -423,7 +435,6 @@ CYASSL_API long CyaSSL_CTX_sess_timeouts(CYASSL_CTX*); CYASSL_API long CyaSSL_CTX_sess_number(CYASSL_CTX*); CYASSL_API long CyaSSL_CTX_sess_get_cache_size(CYASSL_CTX*); - #define CYASSL_DEFAULT_CIPHER_LIST "" /* default all */ #define CYASSL_RSA_F4 0x10001L @@ -798,6 +809,11 @@ CYASSL_API void CyaSSL_SetIOWriteCtx(CYASSL* ssl, void *ctx); CYASSL_API void CyaSSL_SetIOReadFlags( CYASSL* ssl, int flags); CYASSL_API void CyaSSL_SetIOWriteFlags(CYASSL* ssl, int flags); +typedef int (*CallbackGenCookie)(CYASSL* ssl, unsigned char* buf, int sz, + void* ctx); +CYASSL_API void CyaSSL_CTX_SetGenCookie(CYASSL_CTX*, CallbackGenCookie); +CYASSL_API void CyaSSL_SetCookieCtx(CYASSL* ssl, void *ctx); + typedef int (*CallbackIOOcsp)(void*, const char*, int, unsigned char*, int, unsigned char**); typedef void (*CallbackIOOcspRespFree)(void*,unsigned char*); diff --git a/cyassl/test.h b/cyassl/test.h index d4a2b986f..4a0f943a1 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -20,6 +20,8 @@ #define SOCKET_T unsigned int #else #include + #include +#ifndef CYASSL_LEANPSK #include #include #include @@ -27,13 +29,13 @@ #include #include #include - #include #include #include #include #ifdef TEST_IPV6 #include #endif +#endif #define SOCKET_T int #ifndef SO_NOSIGPIPE #include /* ignore SIGPIPE */ @@ -106,7 +108,11 @@ #define SERVER_DEFAULT_VERSION 3 +#define SERVER_DTLS_DEFAULT_VERSION (-2) +#define SERVER_INVALID_VERSION (-99) #define CLIENT_DEFAULT_VERSION 3 +#define CLIENT_DTLS_DEFAULT_VERSION (-2) +#define CLIENT_INVALID_VERSION (-99) /* all certs relative to CyaSSL home directory now */ #define caCert "./certs/ca-cert.pem" 
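Review bot: The new `CallbackGenCookie` typedef is published without a statement of its contract: from the prototype alone a caller cannot tell whether `sz` is the capacity of `buf` or the exact cookie length expected, nor what the `int` return value means on success and on failure. Because the callback produces the DTLS cookie, implementers need that spelled out to avoid short or partly filled cookies. A header comment above the typedef would cover it, for example `/* DTLS cookie generator: writes the cookie into buf (sz bytes), ctx is the pointer given to CyaSSL_SetCookieCtx */`, with the return convention added by the author. The link between `ctx` and `CyaSSL_SetCookieCtx` is inferred from the names and should be confirmed.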
@@ -247,11 +253,12 @@ static INLINE int PasswordCallBack(char* passwd, int sz, int rw, void* userdata) static INLINE void showPeer(CYASSL* ssl) { -#ifdef OPENSSL_EXTRA CYASSL_CIPHER* cipher; +#ifdef KEEP_PEER_CERT CYASSL_X509* peer = CyaSSL_get_peer_certificate(ssl); if (peer) { +#ifdef OPENSSL_EXTRA char* altName; char* issuer = CyaSSL_X509_NAME_oneline( CyaSSL_X509_get_issuer_name(peer), 0, 0); @@ -283,14 +290,17 @@ static INLINE void showPeer(CYASSL* ssl) XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL); +#else + printf("peer has a cert!\n"); +#endif } else printf("peer has no cert!\n"); +#endif printf("SSL version is %s\n", CyaSSL_get_version(ssl)); cipher = CyaSSL_get_current_cipher(ssl); printf("SSL cipher suite is %s\n", CyaSSL_CIPHER_get_name(cipher)); -#endif #if defined(SESSION_CERTS) && defined(SHOW_CERTS) { 
@@ -931,5 +941,125 @@ static INLINE int CurrentDir(const char* str) #endif /* USE_WINDOWS_API */ + +#ifdef USE_CYASSL_MEMORY + + typedef struct memoryStats { + size_t totalAllocs; /* number of allocations */ + size_t totalBytes; /* total number of bytes allocated */ + size_t peakBytes; /* concurrent max bytes */ + size_t currentBytes; /* total current bytes in use */ + } memoryStats; + + typedef struct memHint { + size_t thisSize; /* size of this memory */ + void* thisMemory; /* actual memory for user */ + } memHint; + + typedef struct memoryTrack { + union { + memHint hint; + byte alignit[16]; /* make sure we have strong alignment */ + } u; + } memoryTrack; + + #if defined(CYASSL_TRACK_MEMORY) + #define DO_MEM_STATS + static memoryStats ourMemStats; + #endif + + static INLINE void* TrackMalloc(size_t sz) + { + memoryTrack* mt; + + if (sz == 0) + return NULL; + + mt = (memoryTrack*)malloc(sizeof(memoryTrack) + sz); + if (mt == NULL) + return NULL; + + mt->u.hint.thisSize = sz; + mt->u.hint.thisMemory = (byte*)mt + sizeof(memoryTrack); + +#ifdef DO_MEM_STATS + ourMemStats.totalAllocs++; + ourMemStats.totalBytes += sz; + ourMemStats.currentBytes += sz; + if (ourMemStats.currentBytes > ourMemStats.peakBytes) + ourMemStats.peakBytes = ourMemStats.currentBytes; +#endif + + return mt->u.hint.thisMemory; + } + + + static INLINE void TrackFree(void* ptr) + { + memoryTrack* mt; + + if (ptr == NULL) + return; + + mt = (memoryTrack*)((byte*)ptr - sizeof(memoryTrack)); + +#ifdef DO_MEM_STATS + ourMemStats.currentBytes -= mt->u.hint.thisSize; +#endif + + free(mt); + } + + + static INLINE void* TrackRealloc(void* ptr, size_t sz) + { + void* ret = TrackMalloc(sz); + + if (ptr) { + /* if realloc is bigger, don't overread old ptr */ + memoryTrack* mt = (memoryTrack*)((byte*)ptr - sizeof(memoryTrack)); + + if (mt->u.hint.thisSize < sz) + sz = mt->u.hint.thisSize; + } + + if (ret && ptr) + memcpy(ret, ptr, sz); + + if (ret) + TrackFree(ptr); + + return ret; + } + + static INLINE void 
InitMemoryTracker(void) + { + if (CyaSSL_SetAllocators(TrackMalloc, TrackFree, TrackRealloc) != 0) + err_sys("CyaSSL SetAllocators failed for track memory"); + + #ifdef DO_MEM_STATS + ourMemStats.totalAllocs = 0; + ourMemStats.totalBytes = 0; + ourMemStats.peakBytes = 0; + ourMemStats.currentBytes = 0; + #endif + } + + static INLINE void ShowMemoryTracker(void) + { + #ifdef DO_MEM_STATS + printf("total Allocs = %9lu\n", + (unsigned long)ourMemStats.totalAllocs); + printf("total Bytes = %9lu\n", + (unsigned long)ourMemStats.totalBytes); + printf("peak Bytes = %9lu\n", + (unsigned long)ourMemStats.peakBytes); + printf("current Bytes = %9lu\n", + (unsigned long)ourMemStats.currentBytes); + #endif + } + +#endif /* USE_CYASSL_MEMORY */ + #endif /* CyaSSL_TEST_H */ diff --git a/cyassl/version.h b/cyassl/version.h index 403c3725a..209b456c6 100644 --- a/cyassl/version.h +++ b/cyassl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBCYASSL_VERSION_STRING "2.5.1" -#define LIBCYASSL_VERSION_HEX 0x02005001 +#define LIBCYASSL_VERSION_STRING "2.5.4" +#define LIBCYASSL_VERSION_HEX 0x02005004 #ifdef __cplusplus } diff --git a/examples/client/client.c b/examples/client/client.c index fa9f2dae9..d44f7100b 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -23,6 +23,11 @@ #include #endif +#if !defined(CYASSL_TRACK_MEMORY) && !defined(NO_MAIN_DRIVER) + /* in case memory tracker wants stats */ + #define CYASSL_TRACK_MEMORY +#endif + #include #include @@ -35,6 +40,7 @@ Timeval timeout; #endif + static void NonBlockingSSL_Connect(CYASSL* ssl) { #ifndef CYASSL_CALLBACKS 
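Review bot: `TrackMalloc` computes `sizeof(memoryTrack) + sz` without checking that the sum fits in `size_t`, so a very large request wraps to a small allocation while `thisSize` still records the large value. Once installed through `CyaSSL_SetAllocators` this allocator serves the library's allocations, so the zero-size guard is worth extending to `if (sz == 0 || sz > (size_t)-1 - sizeof(memoryTrack)) return NULL;`. `TrackRealloc` also returns NULL for `sz == 0` without releasing `ptr`, which leaks for any caller that expects realloc-style freeing; a one-line comment stating that contract would help.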
@@ -97,9 +103,11 @@ static void Usage(void) printf("-A Certificate Authority file, default %s\n", caCert); printf("-b Benchmark connections and print stats\n"); printf("-s Use pre Shared keys\n"); + printf("-t Track CyaSSL memory use\n"); printf("-d Disable peer checks\n"); printf("-g Send server HTTP GET\n"); - printf("-u Use UDP DTLS\n"); + printf("-u Use UDP DTLS," + " add -v 2 for DTLSv1 (default), -v 3 for DTLSv1.2\n"); printf("-m Match domain name in cert\n"); printf("-N Use Non-blocking sockets\n"); printf("-r Resume session\n"); @@ -129,7 +137,7 @@ void client_test(void* args) char* domain = (char*)"www.yassl.com"; int ch; - int version = CLIENT_DEFAULT_VERSION; + int version = CLIENT_INVALID_VERSION; int usePsk = 0; int sendGET = 0; int benchmark = 0; @@ -138,6 +146,7 @@ void client_test(void* args) int doPeerCheck = 1; int nonBlocking = 0; int resumeSession = 0; + int trackMemory = 0; char* cipherList = NULL; char* verifyCert = (char*)caCert; char* ourCert = (char*)cliCert; @@ -148,7 +157,17 @@ void client_test(void* args) ((func_args*)args)->return_code = -1; /* error state */ - while ((ch = mygetopt(argc, argv, "?gdusmNrh:p:v:l:A:c:k:b:")) != -1) { +#ifdef NO_RSA + verifyCert = (char*)eccCert; + ourCert = (char*)cliEccCert; + ourKey = (char*)cliEccKey; +#endif + (void)resumeSz; + (void)session; + (void)sslResume; + (void)trackMemory; + + while ((ch = mygetopt(argc, argv, "?gdusmNrth:p:v:l:A:c:k:b:")) != -1) { switch (ch) { case '?' : Usage(); @@ -164,13 +183,18 @@ void client_test(void* args) case 'u' : doDTLS = 1; - version = -1; /* DTLS flag */ break; case 's' : usePsk = 1; break; + case 't' : + #ifdef USE_CYASSL_MEMORY + trackMemory = 1; + #endif + break; + case 'm' : matchName = 1; break; @@ -190,8 +214,6 @@ void client_test(void* args) Usage(); exit(MY_EX_USAGE); } - if (doDTLS) - version = -1; /* DTLS flag */ break; case 'l' : 
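Review bot: The new `-u` help text marks DTLSv1 as the default, but the code added later in this file sets `version = CLIENT_DTLS_DEFAULT_VERSION` when no `-v` is given, test.h defines that as `(-2)`, and the switch maps -2 to `CyaDTLSv1_2_client_method()`. The text should name the version that is actually negotiated, for example `" add -v 2 for DTLSv1, -v 3 for DTLSv1.2 (default)\n"`. The same string is added to `Usage()` in examples/server/server.c and needs the same correction.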
@@ -234,6 +256,27 @@ void client_test(void* args) myoptind = 0; /* reset for test cases */ + /* sort out DTLS versus TLS versions */ + if (version == CLIENT_INVALID_VERSION) { + if (doDTLS) + version = CLIENT_DTLS_DEFAULT_VERSION; + else + version = CLIENT_DEFAULT_VERSION; + } + else { + if (doDTLS) { + if (version == 3) + version = -2; + else + version = -1; + } + } + +#ifdef USE_CYASSL_MEMORY + if (trackMemory) + InitMemoryTracker(); +#endif + switch (version) { #ifndef NO_OLD_TLS case 0: @@ -257,6 +300,10 @@ void client_test(void* args) case -1: method = CyaDTLSv1_client_method(); break; + + case -2: + method = CyaDTLSv1_2_client_method(); + break; #endif default: @@ -278,15 +325,19 @@ void client_test(void* args) usePsk = 1; #endif +#if defined(NO_RSA) && !defined(HAVE_ECC) + usePsk = 1; +#endif + if (usePsk) { #ifndef NO_PSK CyaSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb); if (cipherList == NULL) { const char *defaultCipherList; #ifdef HAVE_NULL_CIPHER - defaultCipherList = "PSK-NULL-SHA"; + defaultCipherList = "PSK-NULL-SHA256"; #else - defaultCipherList = "PSK-AES256-CBC-SHA"; + defaultCipherList = "PSK-AES128-CBC-SHA256"; #endif if (CyaSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=SSL_SUCCESS) err_sys("client can't set cipher list 2"); @@ -301,7 +352,7 @@ void client_test(void* args) #if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) if (cipherList == NULL) { /* don't use EDH, can't sniff tmp keys */ - if (CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA") != SSL_SUCCESS) { + if (CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) { err_sys("client can't set cipher list 3"); } } @@ -314,7 +365,7 @@ void client_test(void* args) #ifdef VERIFY_CALLBACK CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); #endif -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) if (!usePsk){ if (CyaSSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM) != SSL_SUCCESS) 
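Review bot: With `-u` and an explicit `-v`, every value other than 3 is mapped to -1 (DTLSv1), so `-v 0` or `-v 1` is silently treated as DTLSv1 if the range check in `case 'v'` (outside this hunk) lets them through, although the help text offers only 2 and 3 for DTLS. Rejecting the other values makes a mistyped test invocation visible: `else if (version == 2) version = -1;` followed by `else { Usage(); exit(MY_EX_USAGE); }`. The literals -1 and -2 also duplicate what `CLIENT_DTLS_DEFAULT_VERSION` encodes; named constants for both DTLS selectors would keep this mapping and the switch below in step.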
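Review bot: The `HAVE_NULL_CIPHER` default `"PSK-NULL-SHA256"` carries no comment saying that a NULL suite authenticates records but does not encrypt them, which matters to anyone copying this example into a product. A one-line comment above the assignment would do, for example `/* NULL cipher: integrity only, application data is not encrypted; test use */`. The same default is added in examples/echoclient/echoclient.c, examples/echoserver/echoserver.c and examples/server/server.c and would take the same comment.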
@@ -323,15 +374,17 @@ void client_test(void* args) if (CyaSSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) != SSL_SUCCESS) - err_sys("can't load client cert file, check file and run from" - " CyaSSL home dir"); + err_sys("can't load client private key file, check file and run " + "from CyaSSL home dir"); if (CyaSSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from CyaSSL home dir"); } #endif +#if !defined(NO_CERTS) if (!usePsk && doPeerCheck == 0) CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); +#endif #ifdef HAVE_CAVIUM CyaSSL_CTX_UseCavium(ctx, CAVIUM_DEV_ID); @@ -443,6 +496,7 @@ void client_test(void* args) err_sys("CyaSSL_read failed"); } +#ifndef NO_SESSION_CACHE if (resumeSession) { if (doDTLS) { strncpy(msg, "break", 6); @@ -453,12 +507,14 @@ void client_test(void* args) session = CyaSSL_get_session(ssl); sslResume = CyaSSL_new(ctx); } +#endif if (doDTLS == 0) /* don't send alert after "break" command */ CyaSSL_shutdown(ssl); /* echoserver will interpret as new conn */ CyaSSL_free(ssl); CloseSocket(sockfd); +#ifndef NO_SESSION_CACHE if (resumeSession) { if (doDTLS) { SOCKADDR_IN_T addr; @@ -492,13 +548,11 @@ void client_test(void* args) NonBlockingSSL_Connect(ssl); /* will keep retrying on timeout */ #endif -#ifdef OPENSSL_EXTRA if (CyaSSL_session_reused(sslResume)) printf("reused session id\n"); else printf("didn't reuse session id!!!\n"); -#endif - + if (CyaSSL_write(sslResume, resumeMsg, resumeSz) != resumeSz) err_sys("SSL_write failed"); @@ -524,10 +578,16 @@ void client_test(void* args) CyaSSL_free(sslResume); CloseSocket(sockfd); } +#endif /* NO_SESSION_CACHE */ CyaSSL_CTX_free(ctx); ((func_args*)args)->return_code = 0; + +#ifdef USE_CYASSL_MEMORY + if (trackMemory) + ShowMemoryTracker(); +#endif /* USE_CYASSL_MEMORY */ } @@ -589,4 +649,3 @@ void client_test(void* args) #endif - 
diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index 9f9ce0a85..12bbc6a38 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -46,7 +46,7 @@ void echoclient_test(void* args) SSL* ssl = 0; int doDTLS = 0; - int doLeanPSK = 0; + int doPSK = 0; int sendSz; int argc = 0; char** argv = 0; @@ -72,7 +72,11 @@ void echoclient_test(void* args) #endif #ifdef CYASSL_LEANPSK - doLeanPSK = 1; + doPSK = 1; +#endif + +#if defined(NO_RSA) && !defined(HAVE_ECC) + doPSK = 1; #endif #if defined(CYASSL_DTLS) @@ -85,14 +89,16 @@ void echoclient_test(void* args) ctx = SSL_CTX_new(method); #ifndef NO_FILESYSTEM + #ifndef NO_RSA if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from CyaSSL home dir"); + #endif #ifdef HAVE_ECC if (SSL_CTX_load_verify_locations(ctx, eccCert, 0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from CyaSSL home dir"); #endif #elif !defined(NO_CERTS) - if (!doLeanPSK) + if (!doPSK) load_buffer(ctx, caCert, CYASSL_CA); #endif @@ -100,10 +106,18 @@ void echoclient_test(void* args) /* don't use EDH, can't sniff tmp keys */ SSL_CTX_set_cipher_list(ctx, "AES256-SHA"); #endif - if (doLeanPSK) { -#ifdef CYASSL_LEANPSK + if (doPSK) { +#ifndef NO_PSK + const char *defaultCipherList; + CyaSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb); - SSL_CTX_set_cipher_list(ctx, "PSK-NULL-SHA"); + #ifdef HAVE_NULL_CIPHER + defaultCipherList = "PSK-NULL-SHA256"; + #else + defaultCipherList = "PSK-AES128-CBC-SHA256"; + #endif + if (CyaSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=SSL_SUCCESS) + err_sys("client can't set cipher list 2"); #endif } diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 364527607..cc4dbd07e 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c 
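Review bot: The "can't sniff tmp keys" branch shown as context in the last echoclient.c hunk still sets `"AES256-SHA"` and ignores the result of `SSL_CTX_set_cipher_list`, whereas this commit moves the corresponding branch in client.c and server.c to `"AES256-SHA256"`, and those two check the return value. If the move to SHA-256 suites was meant for all examples, the line would read `if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) err_sys("client can't set cipher list 3");`. echoserver.c keeps the same unchecked `"AES256-SHA"` call in its context lines. The preprocessor condition guarding the branch starts outside the hunk.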
@@ -60,7 +60,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) CYASSL_CTX* ctx = 0; int doDTLS = 0; - int doLeanPSK = 0; + int doPSK = 0; int outCreated = 0; int shutDown = 0; int useAnyAddr = 0; @@ -86,7 +86,11 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) #endif #ifdef CYASSL_LEANPSK - doLeanPSK = 1; + doPSK = 1; +#endif + +#if defined(NO_RSA) && !defined(HAVE_ECC) + doPSK = 1; #endif tcp_listen(&sockfd, yasslPort, useAnyAddr, doDTLS); @@ -106,6 +110,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) #endif #ifndef NO_FILESYSTEM + if (doPSK == 0) { #ifdef HAVE_NTRU /* ntru */ if (CyaSSL_CTX_use_certificate_file(ctx, ntruCert, SSL_FILETYPE_PEM) @@ -128,6 +133,8 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) != SSL_SUCCESS) err_sys("can't load server key file, " "Please run from CyaSSL home dir"); + #elif defined(NO_CERTS) + /* do nothing, just don't load cert files */ #else /* normal */ if (CyaSSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM) @@ -140,8 +147,9 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) err_sys("can't load server key file, " "Please run from CyaSSL home dir"); #endif + } /* doPSK */ #elif !defined(NO_CERTS) - if (!doLeanPSK) { + if (!doPSK) { load_buffer(ctx, svrCert, CYASSL_CERT); load_buffer(ctx, svrKey, CYASSL_KEY); } @@ -152,10 +160,19 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA"); #endif - if (doLeanPSK) { -#ifdef CYASSL_LEANPSK + if (doPSK) { +#ifndef NO_PSK + const char *defaultCipherList; + CyaSSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb); - CyaSSL_CTX_set_cipher_list(ctx, "PSK-NULL-SHA"); + CyaSSL_CTX_use_psk_identity_hint(ctx, "cyassl server"); + #ifdef HAVE_NULL_CIPHER + defaultCipherList = "PSK-NULL-SHA256"; + #else + defaultCipherList = "PSK-AES128-CBC-SHA256"; + #endif + if (CyaSSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS) + err_sys("server can't set cipher list 2"); #endif } 
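Review bot: In the new `doPSK` block the result of `CyaSSL_CTX_use_psk_identity_hint(ctx, "cyassl server")` is discarded, while the cipher-list call two statements later is checked and reported through `err_sys`. A failed hint would then show up only as a handshake failure with no indication of the cause. Assuming the call follows the `SSL_SUCCESS` convention of its neighbours, `if (CyaSSL_CTX_use_psk_identity_hint(ctx, "cyassl server") != SSL_SUCCESS) err_sys("server can't set psk identity hint");` keeps the error handling consistent.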
diff --git a/examples/server/server.c b/examples/server/server.c index fc22537ad..3b06d0687 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -23,6 +23,11 @@ #include #endif +#if !defined(CYASSL_TRACK_MEMORY) && !defined(NO_MAIN_DRIVER) + /* in case memory tracker wants stats */ + #define CYASSL_TRACK_MEMORY +#endif + #include #include @@ -98,7 +103,9 @@ static void Usage(void) printf("-d Disable client cert check\n"); printf("-b Bind to any interface instead of localhost only\n"); printf("-s Use pre Shared keys\n"); - printf("-u Use UDP DTLS\n"); + printf("-t Track CyaSSL memory use\n"); + printf("-u Use UDP DTLS," + " add -v 2 for DTLSv1 (default), -v 3 for DTLSv1.2\n"); printf("-N Use Non-blocking sockets\n"); } @@ -124,6 +131,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int doDTLS = 0; int useNtruKey = 0; int nonBlocking = 0; + int trackMemory = 0; char* cipherList = NULL; char* verifyCert = (char*)cliCert; char* ourCert = (char*)svrCert; @@ -133,7 +141,14 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) ((func_args*)args)->return_code = -1; /* error state */ - while ((ch = mygetopt(argc, argv, "?dbsnNup:v:l:A:c:k:")) != -1) { +#ifdef NO_RSA + verifyCert = (char*)cliEccCert; + ourCert = (char*)eccCert; + ourKey = (char*)eccKey; +#endif + (void)trackMemory; + + while ((ch = mygetopt(argc, argv, "?dbstnNup:v:l:A:c:k:")) != -1) { switch (ch) { case '?' : Usage(); @@ -151,13 +166,18 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) usePsk = 1; break; + case 't' : + #ifdef USE_CYASSL_MEMORY + trackMemory = 1; + #endif + break; + case 'n' : useNtruKey = 1; break; case 'u' : doDTLS = 1; - version = -1; /* DTLS flag */ break; case 'p' : @@ -170,8 +190,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) Usage(); exit(MY_EX_USAGE); } - if (doDTLS) - version = -1; /* stay with DTLS */ break; case 'l' : 
@@ -202,6 +220,27 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) myoptind = 0; /* reset for test cases */ + /* sort out DTLS versus TLS versions */ + if (version == CLIENT_INVALID_VERSION) { + if (doDTLS) + version = CLIENT_DTLS_DEFAULT_VERSION; + else + version = CLIENT_DEFAULT_VERSION; + } + else { + if (doDTLS) { + if (version == 3) + version = -2; + else + version = -1; + } + } + +#ifdef USE_CYASSL_MEMORY + if (trackMemory) + InitMemoryTracker(); +#endif + switch (version) { #ifndef NO_OLD_TLS case 0: @@ -225,6 +264,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) case -1: method = DTLSv1_server_method(); break; + + case -2: + method = DTLSv1_2_server_method(); + break; #endif default: @@ -246,7 +289,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) usePsk = 1; #endif -#ifndef NO_FILESYSTEM +#if defined(NO_RSA) && !defined(HAVE_ECC) + usePsk = 1; +#endif + +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) if (!usePsk) { if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM) != SSL_SUCCESS) @@ -264,7 +311,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } #endif -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) if (!useNtruKey && !usePsk) { if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) != SSL_SUCCESS) @@ -280,9 +327,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) if (cipherList == NULL) { const char *defaultCipherList; #ifdef HAVE_NULL_CIPHER - defaultCipherList = "PSK-NULL-SHA"; + defaultCipherList = "PSK-NULL-SHA256"; #else - defaultCipherList = "PSK-AES256-CBC-SHA"; + defaultCipherList = "PSK-AES128-CBC-SHA256"; #endif if (SSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS) err_sys("server can't set cipher list 2"); 
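Review bot: The version sort-out added to server.c tests and assigns the `CLIENT_*` macros, although test.h gains `SERVER_INVALID_VERSION` and `SERVER_DTLS_DEFAULT_VERSION` in the same commit. No visible server.c hunk changes the initialiser of `version`, so if it is still `SERVER_DEFAULT_VERSION` the first branch never runs and `-u` alone reaches DTLSv1.2 only through the `version == 3` test in the else branch. Using `if (version == SERVER_INVALID_VERSION) {` with `version = doDTLS ? SERVER_DTLS_DEFAULT_VERSION : SERVER_DEFAULT_VERSION;`, and initialising `version` to `SERVER_INVALID_VERSION`, would make the server mirror the client. The declaration of `version` is outside the hunk, so this needs checking against the full function.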
@@ -290,7 +337,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif } -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) /* if not using PSK, verify peer with certs */ if (doCliCertCheck && usePsk == 0) { SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | @@ -307,7 +354,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) /* don't use EDH, can't sniff tmp keys */ if (cipherList == NULL) { - if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA") != SSL_SUCCESS) + if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) err_sys("server can't set cipher list 3"); } #endif @@ -372,6 +419,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) CloseSocket(clientfd); ((func_args*)args)->return_code = 0; + +#ifdef USE_CYASSL_MEMORY + if (trackMemory) + ShowMemoryTracker(); +#endif /* USE_CYASSL_MEMORY */ + return 0; } diff --git a/mcapi/crypto.c b/mcapi/crypto.c new file mode 100644 index 000000000..32aa43adf --- /dev/null +++ b/mcapi/crypto.c 
@@ -0,0 +1,751 @@ +/* crypto.c + * + * Copyright (C) 2006-2013 wolfSSL Inc. + * + * This file is part of CyaSSL. + * + * CyaSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * CyaSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + + +/* Implements Microchip CRYPTO API layer */ + + + +#include "crypto.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +/* Initialize MD5 */ +int CRYPT_MD5_Initialize(CRYPT_MD5_CTX* md5) +{ + typedef char md5_test[sizeof(CRYPT_MD5_CTX) >= sizeof(Md5) ? 1 : -1]; + (void)sizeof(md5_test); + + if (md5 == NULL) + return BAD_FUNC_ARG; + + InitMd5((Md5*)md5); + + return 0; +} + + +/* Add data to MD5 */ +int CRYPT_MD5_DataAdd(CRYPT_MD5_CTX* md5, const unsigned char* input, + unsigned int sz) +{ + if (md5 == NULL || input == NULL) + return BAD_FUNC_ARG; + + Md5Update((Md5*)md5, input, sz); + + return 0; +} + + +/* Get MD5 Final into digest */ +int CRYPT_MD5_Finalize(CRYPT_MD5_CTX* md5, unsigned char* digest) +{ + if (md5 == NULL || digest == NULL) + return BAD_FUNC_ARG; + + Md5Final((Md5*)md5, digest); + + return 0; +} + + +/* Initialize SHA */ +int CRYPT_SHA_Initialize(CRYPT_SHA_CTX* sha) +{ + typedef char sha_test[sizeof(CRYPT_SHA_CTX) >= sizeof(Sha) ? 
1 : -1]; + (void)sizeof(sha_test); + + if (sha == NULL) + return BAD_FUNC_ARG; + + InitSha((Sha*)sha); + + return 0; +} + + +/* Add data to SHA */ +int CRYPT_SHA_DataAdd(CRYPT_SHA_CTX* sha, const unsigned char* input, + unsigned int sz) +{ + if (sha == NULL || input == NULL) + return BAD_FUNC_ARG; + + ShaUpdate((Sha*)sha, input, sz); + + return 0; +} + + +/* Get SHA Final into digest */ +int CRYPT_SHA_Finalize(CRYPT_SHA_CTX* sha, unsigned char* digest) +{ + if (sha == NULL || digest == NULL) + return BAD_FUNC_ARG; + + ShaFinal((Sha*)sha, digest); + + return 0; +} + + +/* Initialize SHA-256 */ +int CRYPT_SHA256_Initialize(CRYPT_SHA256_CTX* sha256) +{ + typedef char sha_test[sizeof(CRYPT_SHA256_CTX) >= sizeof(Sha256) ? 1 : -1]; + (void)sizeof(sha_test); + + if (sha256 == NULL) + return BAD_FUNC_ARG; + + InitSha256((Sha256*)sha256); + + return 0; +} + + +/* Add data to SHA-256 */ +int CRYPT_SHA256_DataAdd(CRYPT_SHA256_CTX* sha256, const unsigned char* input, + unsigned int sz) +{ + if (sha256 == NULL || input == NULL) + return BAD_FUNC_ARG; + + Sha256Update((Sha256*)sha256, input, sz); + + return 0; +} + + +/* Get SHA-256 Final into digest */ +int CRYPT_SHA256_Finalize(CRYPT_SHA256_CTX* sha256, unsigned char* digest) +{ + if (sha256 == NULL || digest == NULL) + return BAD_FUNC_ARG; + + Sha256Final((Sha256*)sha256, digest); + + return 0; +} + + +/* Initialize SHA-384 */ +int CRYPT_SHA384_Initialize(CRYPT_SHA384_CTX* sha384) +{ + typedef char sha_test[sizeof(CRYPT_SHA384_CTX) >= sizeof(Sha384) ? 
1 : -1]; + (void)sizeof(sha_test); + + if (sha384 == NULL) + return BAD_FUNC_ARG; + + InitSha384((Sha384*)sha384); + + return 0; +} + + +/* Add data to SHA-384 */ +int CRYPT_SHA384_DataAdd(CRYPT_SHA384_CTX* sha384, const unsigned char* input, + unsigned int sz) +{ + if (sha384 == NULL || input == NULL) + return BAD_FUNC_ARG; + + Sha384Update((Sha384*)sha384, input, sz); + + return 0; +} + + +/* Get SHA-384 Final into digest */ +int CRYPT_SHA384_Finalize(CRYPT_SHA384_CTX* sha384, unsigned char* digest) +{ + if (sha384 == NULL || digest == NULL) + return BAD_FUNC_ARG; + + Sha384Final((Sha384*)sha384, digest); + + return 0; +} + + +/* Initialize SHA-512 */ +int CRYPT_SHA512_Initialize(CRYPT_SHA512_CTX* sha512) +{ + typedef char sha_test[sizeof(CRYPT_SHA512_CTX) >= sizeof(Sha512) ? 1 : -1]; + (void)sizeof(sha_test); + + if (sha512 == NULL) + return BAD_FUNC_ARG; + + InitSha512((Sha512*)sha512); + + return 0; +} + + +/* Add data to SHA-512 */ +int CRYPT_SHA512_DataAdd(CRYPT_SHA512_CTX* sha512, const unsigned char* input, + unsigned int sz) +{ + if (sha512 == NULL || input == NULL) + return BAD_FUNC_ARG; + + Sha512Update((Sha512*)sha512, input, sz); + + return 0; +} + + +/* Get SHA-512 Final into digest */ +int CRYPT_SHA512_Finalize(CRYPT_SHA512_CTX* sha512, unsigned char* digest) +{ + if (sha512 == NULL || digest == NULL) + return BAD_FUNC_ARG; + + Sha512Final((Sha512*)sha512, digest); + + return 0; +} + + +/* Set HMAC key with type */ +int CRYPT_HMAC_SetKey(CRYPT_HMAC_CTX* hmac, int type, const unsigned char* key, + unsigned int sz) +{ + typedef char hmac_test[sizeof(CRYPT_HMAC_CTX) >= sizeof(Hmac) ? 
1 : -1]; + (void)sizeof(hmac_test); + + if (hmac == NULL || key == NULL) + return BAD_FUNC_ARG; + + if (type != CRYPT_HMAC_SHA && type != CRYPT_HMAC_SHA256 && + type != CRYPT_HMAC_SHA384 && type != CRYPT_HMAC_SHA512) { + return BAD_FUNC_ARG; /* bad hmac type */ + } + + HmacSetKey((Hmac*)hmac, type, key, sz); + + return 0; +} + + +int CRYPT_HMAC_DataAdd(CRYPT_HMAC_CTX* hmac, const unsigned char* input, + unsigned int sz) +{ + if (hmac == NULL || input == NULL) + return BAD_FUNC_ARG; + + HmacUpdate((Hmac*)hmac, input, sz); + + return 0; +} + + +/* Get HMAC Final into digest */ +int CRYPT_HMAC_Finalize(CRYPT_HMAC_CTX* hmac, unsigned char* digest) +{ + if (hmac == NULL || digest == NULL) + return BAD_FUNC_ARG; + + HmacFinal((Hmac*)hmac, digest); + + return 0; +} + + +/* Huffman Compression, set flag to do static, otherwise dynamic */ +/* return compressed size, otherwise < 0 for error */ +int CRYPT_HUFFMAN_Compress(unsigned char* out, unsigned int outSz, + const unsigned char* in, unsigned int inSz, + unsigned int flags) +{ + if (out == NULL || in == NULL) + return BAD_FUNC_ARG; + + return Compress(out, outSz, in, inSz, flags); +} + + +/* Huffman DeCompression, self determines type */ +/* return decompressed size, otherwise < 0 for error */ +int CRYPT_HUFFMAN_DeCompress(unsigned char* out, unsigned int outSz, + const unsigned char* in, unsigned int inSz) +{ + if (out == NULL || in == NULL) + return BAD_FUNC_ARG; + + return DeCompress(out, outSz, in, inSz); +} + + +/* RNG Initialize, < 0 on error */ +int CRYPT_RNG_Initialize(CRYPT_RNG_CTX* rng) +{ + typedef char rng_test[sizeof(CRYPT_RNG_CTX) >= sizeof(RNG) ? 
1 : -1];
+ (void)sizeof(rng_test);
+
+ if (rng == NULL)
+ return BAD_FUNC_ARG;
+
+ return InitRng((RNG*)rng);
+}
+
+
+/* RNG Get single bytes, < 0 on error */
+int CRYPT_RNG_Get(CRYPT_RNG_CTX* rng, unsigned char* b)
+{
+ if (rng == NULL || b == NULL)
+ return BAD_FUNC_ARG;
+
+ *b = RNG_GenerateByte((RNG*)rng);
+
+ return 0;
+}
+
+
+/* RNG Block Generation of sz bytes, < 0 on error */
+int CRYPT_RNG_BlockGenerate(CRYPT_RNG_CTX* rng, unsigned char* b,
+ unsigned int sz)
+{
+ if (rng == NULL || b == NULL)
+ return BAD_FUNC_ARG;
+
+ RNG_GenerateBlock((RNG*)rng, b, sz);
+
+ return 0;
+}
+
+
+/* Triple DES Key Set, may have iv, will have direction */
+int CRYPT_TDES_KeySet(CRYPT_TDES_CTX* tdes, const unsigned char* key,
+ const unsigned char* iv, int dir)
+{
+ typedef char tdes_test[sizeof(CRYPT_TDES_CTX) >= sizeof(Des3) ? 1 : -1];
+ (void)sizeof(tdes_test);
+
+ if (tdes == NULL || key == NULL)
+ return BAD_FUNC_ARG;
+
+ Des3_SetKey((Des3*)tdes, key, iv, dir);
+
+ return 0;
+}
+
+
+/* Triple DES Iv Set, sometimes added later */
+int CRYPT_TDES_IvSet(CRYPT_TDES_CTX* tdes, const unsigned char* iv)
+{
+ if (tdes == NULL || iv == NULL)
+ return BAD_FUNC_ARG;
+
+ Des3_SetIV((Des3*)tdes, iv);
+
+ return 0;
+}
+
+
+/* Triple DES CBC Encrypt */
+int CRYPT_TDES_CBC_Encrypt(CRYPT_TDES_CTX* tdes, unsigned char* out,
+ const unsigned char* in, unsigned int inSz)
+{
+ if (tdes == NULL || out == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ Des3_CbcEncrypt((Des3*)tdes, out, in, inSz);
+
+ return 0;
+}
+
+
+/* Triple DES CBC Decrypt */
+int CRYPT_TDES_CBC_Decrypt(CRYPT_TDES_CTX* tdes, unsigned char* out,
+ const unsigned char* in, unsigned int inSz)
+{
+ if (tdes == NULL || out == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ Des3_CbcDecrypt((Des3*)tdes, out, in, inSz);
+
+ return 0;
+}
+
+
+/* AES Key Set, may have iv, will have direction */
+int CRYPT_AES_KeySet(CRYPT_AES_CTX* aes, const unsigned char* key,
+ unsigned int keyLen, const unsigned char* iv, int dir)
+{
+ typedef char aes_test[sizeof(CRYPT_AES_CTX) >= sizeof(Aes) ? 1 : -1];
+ (void)sizeof(aes_test);
+
+ if (aes == NULL || key == NULL)
+ return BAD_FUNC_ARG;
+
+ return AesSetKey((Aes*)aes, key, keyLen, iv, dir);
+}
+
+
+/* AES Iv Set, sometimes added later */
+int CRYPT_AES_IvSet(CRYPT_AES_CTX* aes, const unsigned char* iv)
+{
+ if (aes == NULL || iv == NULL)
+ return BAD_FUNC_ARG;
+
+ AesSetIV((Aes*)aes, iv);
+
+ return 0;
+}
+
+
+/* AES CBC Encrypt */
+int CRYPT_AES_CBC_Encrypt(CRYPT_AES_CTX* aes, unsigned char* out,
+ const unsigned char* in, unsigned int inSz)
+{
+ if (aes == NULL || out == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ AesCbcEncrypt((Aes*)aes, out, in, inSz);
+
+ return 0;
+}
+
+
+/* AES CBC Decrypt */
+int CRYPT_AES_CBC_Decrypt(CRYPT_AES_CTX* aes, unsigned char* out,
+ const unsigned char* in, unsigned int inSz)
+{
+ if (aes == NULL || out == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ AesCbcDecrypt((Aes*)aes, out, in, inSz);
+
+ return 0;
+}
+
+
+/* AES CTR Encrypt (used for decrypt too, with ENCRYPT key setup) */
+int CRYPT_AES_CTR_Encrypt(CRYPT_AES_CTX* aes, unsigned char* out,
+ const unsigned char* in, unsigned int inSz)
+{
+ if (aes == NULL || out == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ AesCtrEncrypt((Aes*)aes, out, in, inSz);
+
+ return 0;
+}
+
+
+/* AES Direct mode encrypt, one block at a time */
+int CRYPT_AES_DIRECT_Encrypt(CRYPT_AES_CTX* aes, unsigned char* out,
+ const unsigned char* in)
+{
+ if (aes == NULL || out == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ AesEncryptDirect((Aes*)aes, out, in);
+
+ return 0;
+}
+
+
+/* AES Direct mode decrypt, one block at a time */
+int CRYPT_AES_DIRECT_Decrypt(CRYPT_AES_CTX* aes, unsigned char* out,
+ const unsigned char* in)
+{
+ if (aes == NULL || out == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ AesDecryptDirect((Aes*)aes, out, in);
+
+ return 0;
+}
+
+
+/* RSA Initialize */
+int CRYPT_RSA_Initialize(CRYPT_RSA_CTX* rsa)
+{
+ if (rsa == NULL)
+ return BAD_FUNC_ARG;
+
+ rsa->holder = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
+ if (rsa->holder == NULL)
+ return -1;
+
+ InitRsaKey((RsaKey*)rsa->holder, NULL);
+
+ return 0;
+}
+
+
+/* RSA Free resources */
+int CRYPT_RSA_Free(CRYPT_RSA_CTX* rsa)
+{
+ if (rsa == NULL)
+ return BAD_FUNC_ARG;
+
+ FreeRsaKey((RsaKey*)rsa->holder);
+ XFREE(rsa->holder, NULL, DYNAMIC_TYPE_RSA);
+ rsa->holder = NULL;
+
+ return 0;
+}
+
+
+/* RSA Public key decode ASN.1 */
+int CRYPT_RSA_PublicKeyDecode(CRYPT_RSA_CTX* rsa, const unsigned char* in,
+ unsigned int inSz)
+{
+ unsigned int idx = 0;
+ (void)idx;
+
+ if (rsa == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ return RsaPublicKeyDecode(in, &idx, (RsaKey*)rsa->holder, inSz);
+}
+
+
+/* RSA Private key decode ASN.1 */
+int CRYPT_RSA_PrivateKeyDecode(CRYPT_RSA_CTX* rsa, const unsigned char* in,
+ unsigned int inSz)
+{
+ unsigned int idx = 0;
+ (void)idx;
+
+ if (rsa == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ return RsaPrivateKeyDecode(in, &idx, (RsaKey*)rsa->holder, inSz);
+}
+
+
+/* RSA Public Encrypt */
+int CRYPT_RSA_PublicEncrypt(CRYPT_RSA_CTX* rsa, unsigned char* out,
+ unsigned int outSz, const unsigned char* in,
+ unsigned int inSz, CRYPT_RNG_CTX* rng)
+{
+ if (rsa == NULL || in == NULL || out == NULL || rng == NULL)
+ return BAD_FUNC_ARG;
+
+ return RsaPublicEncrypt(in, inSz, out, outSz, (RsaKey*)rsa->holder,
+ (RNG*)rng);
+}
+
+
+/* RSA Private Decrypt */
+int CRYPT_RSA_PrivateDecrypt(CRYPT_RSA_CTX* rsa, unsigned char* out,
+ unsigned int outSz, const unsigned char* in,
+ unsigned int inSz)
+{
+ if (rsa == NULL || in == NULL || out == NULL)
+ return BAD_FUNC_ARG;
+
+ return RsaPrivateDecrypt(in, inSz, out, outSz, (RsaKey*)rsa->holder);
+}
+
+
+/* RSA Get Encrypt size helper */
+int CRYPT_RSA_EncryptSizeGet(CRYPT_RSA_CTX* rsa)
+{
+ if (rsa == NULL)
+ return BAD_FUNC_ARG;
+
+ return RsaEncryptSize((RsaKey*)rsa->holder);
+}
+
+
+/* ECC init */
+int CRYPT_ECC_Initialize(CRYPT_ECC_CTX* ecc)
+{
+ if (ecc == NULL)
+ return BAD_FUNC_ARG;
+
+ ecc->holder = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_ECC);
+ if (ecc->holder == NULL)
+ return -1;
+
+ ecc_init((ecc_key*)ecc->holder);
+
+ return 0;
+}
+
+
+/* ECC free resources */
+int CRYPT_ECC_Free(CRYPT_ECC_CTX* ecc)
+{
+ if (ecc == NULL)
+ return BAD_FUNC_ARG;
+
+ ecc_free((ecc_key*)ecc->holder);
+ XFREE(ecc->holder, NULL, DYNAMIC_TYPE_ECC);
+ ecc->holder = NULL;
+
+ return 0;
+}
+
+
+/* ECC Public x963 Export */
+int CRYPT_ECC_PublicExport(CRYPT_ECC_CTX* ecc, unsigned char* out,
+ unsigned int outSz, unsigned int* usedSz)
+{
+ int ret;
+ unsigned int inOut = outSz;
+
+ if (ecc == NULL || out == NULL)
+ return BAD_FUNC_ARG;
+
+ ret = ecc_export_x963((ecc_key*)ecc->holder, out, &inOut);
+ *usedSz = inOut;
+
+ return ret;
+}
+
+
+/* ECC Public x963 Import */
+int CRYPT_ECC_PublicImport(CRYPT_ECC_CTX* ecc, const unsigned char* in,
+ unsigned int inSz)
+{
+ if (ecc == NULL || in == NULL)
+ return BAD_FUNC_ARG;
+
+ return ecc_import_x963(in, inSz, (ecc_key*)ecc->holder);
+}
+
+
+/* ECC Private x963 Import */
+int CRYPT_ECC_PrivateImport(CRYPT_ECC_CTX* ecc, const unsigned char* priv,
+ unsigned int privSz, const unsigned char* pub, unsigned int pubSz)
+{
+ if (ecc == NULL || priv == NULL || pub == NULL)
+ return BAD_FUNC_ARG;
+
+ return ecc_import_private_key(priv, privSz, pub, pubSz,
+ (ecc_key*)ecc->holder);
+}
+
+
+/* ECC DHE Make key */
+int CRYPT_ECC_DHE_KeyMake(CRYPT_ECC_CTX* ecc, CRYPT_RNG_CTX* rng, int keySz)
+{
+ if (ecc == NULL || rng == NULL)
+ return BAD_FUNC_ARG;
+
+ return ecc_make_key((RNG*)rng, keySz, (ecc_key*)ecc->holder);
+}
+
+
+/* ECC DHE Make shared secret with our private and peer public */
+int CRYPT_ECC_DHE_SharedSecretMake(CRYPT_ECC_CTX* priv, CRYPT_ECC_CTX* pub,
+ unsigned char* out, unsigned int outSz, unsigned int* usedSz)
+{
+ int ret;
+ unsigned int inOut = outSz;
+
+ if (priv == NULL || pub == NULL || out == NULL || usedSz == NULL)
+ return BAD_FUNC_ARG;
+
+ ret = ecc_shared_secret((ecc_key*)priv->holder, (ecc_key*)pub->holder,
+ out, &inOut);
+ *usedSz = inOut;
+
+ return ret;
+}
+
+
+/* ECC DSA Hash Sign */
+int CRYPT_ECC_DSA_HashSign(CRYPT_ECC_CTX* ecc, CRYPT_RNG_CTX* rng,
+ unsigned char* sig, unsigned int sigSz,
+ unsigned int* usedSz, const unsigned char* in,
+ unsigned int inSz)
+{
+ int ret;
+ unsigned int inOut = sigSz;
+
+ if (ecc == NULL || rng == NULL || sig == NULL || usedSz == NULL ||
+ in == NULL)
+ return BAD_FUNC_ARG;
+
+ ret = ecc_sign_hash(in, inSz, sig, &inOut, (RNG*)rng,
+ (ecc_key*)ecc->holder);
+ *usedSz = inOut;
+
+ return ret;
+}
+
+
+/* ECC DSA Hash Verify */
+int CRYPT_ECC_DSA_HashVerify(CRYPT_ECC_CTX* ecc, const unsigned char* sig,
+ unsigned int sigSz, unsigned char* hash,
+ unsigned int hashSz, int* status)
+{
+ if (ecc == NULL || sig == NULL || hash == NULL || status == NULL)
+ return BAD_FUNC_ARG;
+
+ return ecc_verify_hash(sig, sigSz, hash, hashSz, status,
+ (ecc_key*)ecc->holder);
+}
+
+
+/* ECC get key size helper */
+int CRYPT_ECC_KeySizeGet(CRYPT_ECC_CTX* ecc)
+{
+ if (ecc == NULL)
+ return BAD_FUNC_ARG;
+
+ return ecc_size((ecc_key*)ecc->holder);
+}
+
+
+/* ECC get signature size helper */
+int CRYPT_ECC_SignatureSizeGet(CRYPT_ECC_CTX* ecc)
+{
+ if (ecc == NULL)
+ return BAD_FUNC_ARG;
+
+ return ecc_sig_size((ecc_key*)ecc->holder);
+}
+
+
+/* Save error string from err to str which needs to be >= 80 chars */
+int CRYPT_ERROR_StringGet(int err, char* str)
+{
+ if (str == NULL)
+ return BAD_FUNC_ARG;
+
+ CTaoCryptErrorString(err, str);
+
+ return 0;
+}
+
diff --git a/mcapi/crypto.h b/mcapi/crypto.h
new file mode 100644
index 000000000..cff24bbdc
--- /dev/null
+++ b/mcapi/crypto.h
@@ -0,0 +1,268 @@
+/* crypto.h
+ *
+ * Copyright (C) 2006-2013 wolfSSL Inc.
+ *
+ * This file is part of CyaSSL.
+ *
+ * CyaSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * CyaSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+
+/* Defines Microchip CRYPTO API layer */
+
+
+#ifndef MC_CRYPTO_API_H
+#define MC_CRYPTO_API_H
+
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+/* MD5 */
+typedef struct CRYPT_MD5_CTX {
+ int holder[24]; /* big enough to hold internal, but check on init */
+} CRYPT_MD5_CTX;
+
+int CRYPT_MD5_Initialize(CRYPT_MD5_CTX*);
+int CRYPT_MD5_DataAdd(CRYPT_MD5_CTX*, const unsigned char*, unsigned int);
+int CRYPT_MD5_Finalize(CRYPT_MD5_CTX*, unsigned char*);
+
+enum {
+ CRYPT_MD5_DIGEST_SIZE = 16
+};
+
+
+/* SHA */
+typedef struct CRYPT_SHA_CTX {
+ int holder[24]; /* big enough to hold internal, but check on init */
+} CRYPT_SHA_CTX;
+
+int CRYPT_SHA_Initialize(CRYPT_SHA_CTX*);
+int CRYPT_SHA_DataAdd(CRYPT_SHA_CTX*, const unsigned char*, unsigned int);
+int CRYPT_SHA_Finalize(CRYPT_SHA_CTX*, unsigned char*);
+
+enum {
+ CRYPT_SHA_DIGEST_SIZE = 20
+};
+
+
+/* SHA-256 */
+typedef struct CRYPT_SHA256_CTX {
+ int holder[28]; /* big enough to hold internal, but check on init */
+} CRYPT_SHA256_CTX;
+
+int CRYPT_SHA256_Initialize(CRYPT_SHA256_CTX*);
+int CRYPT_SHA256_DataAdd(CRYPT_SHA256_CTX*, const unsigned char*, unsigned int);
+int CRYPT_SHA256_Finalize(CRYPT_SHA256_CTX*, unsigned char*);
+
+enum {
+ CRYPT_SHA256_DIGEST_SIZE = 32
+};
+
+
+/* SHA-384 */
+typedef struct CRYPT_SHA384_CTX {
+ long long holder[32]; /* big enough to hold internal, but check on init */
+} CRYPT_SHA384_CTX;
+
+int CRYPT_SHA384_Initialize(CRYPT_SHA384_CTX*);
+int CRYPT_SHA384_DataAdd(CRYPT_SHA384_CTX*, const unsigned char*, unsigned int);
+int CRYPT_SHA384_Finalize(CRYPT_SHA384_CTX*, unsigned char*);
+
+enum {
+ CRYPT_SHA384_DIGEST_SIZE = 48
+};
+
+
+/* SHA-512 */
+typedef struct CRYPT_SHA512_CTX {
+ long long holder[36]; /* big enough to hold internal, but check on init */
+} CRYPT_SHA512_CTX;
+
+int CRYPT_SHA512_Initialize(CRYPT_SHA512_CTX*);
+int CRYPT_SHA512_DataAdd(CRYPT_SHA512_CTX*, const unsigned char*, unsigned int);
+int CRYPT_SHA512_Finalize(CRYPT_SHA512_CTX*, unsigned char*);
+
+enum {
+ CRYPT_SHA512_DIGEST_SIZE = 64
+};
+
+
+/* HMAC */
+typedef struct CRYPT_HMAC_CTX {
+ long long holder[67]; /* big enough to hold internal, but check on init */
+} CRYPT_HMAC_CTX;
+
+int CRYPT_HMAC_SetKey(CRYPT_HMAC_CTX*, int, const unsigned char*, unsigned int);
+int CRYPT_HMAC_DataAdd(CRYPT_HMAC_CTX*, const unsigned char*, unsigned int);
+int CRYPT_HMAC_Finalize(CRYPT_HMAC_CTX*, unsigned char*);
+
+/* HMAC types */
+enum {
+ CRYPT_HMAC_SHA = 1,
+ CRYPT_HMAC_SHA256 = 2,
+ CRYPT_HMAC_SHA384 = 5,
+ CRYPT_HMAC_SHA512 = 4
+};
+
+
+/* Huffman */
+int CRYPT_HUFFMAN_Compress(unsigned char*, unsigned int, const unsigned char*,
+ unsigned int, unsigned int);
+int CRYPT_HUFFMAN_DeCompress(unsigned char*, unsigned int, const unsigned char*,
+ unsigned int);
+
+/* flag to use static huffman */
+enum {
+ CRYPT_HUFFMAN_COMPRESS_STATIC = 1
+};
+
+
+/* RNG */
+typedef struct CRYPT_RNG_CTX {
+ int holder[66]; /* big enough to hold internal, but check on init */
+} CRYPT_RNG_CTX;
+
+int CRYPT_RNG_Initialize(CRYPT_RNG_CTX*);
+int CRYPT_RNG_Get(CRYPT_RNG_CTX*, unsigned char*);
+int CRYPT_RNG_BlockGenerate(CRYPT_RNG_CTX*, unsigned char*, unsigned int);
+
+
+/* TDES */
+typedef struct CRYPT_TDES_CTX {
+ int holder[100]; /* big enough to hold internal, but check on init */
+} CRYPT_TDES_CTX;
+
+int CRYPT_TDES_KeySet(CRYPT_TDES_CTX*, const unsigned char*,
+ const unsigned char*, int);
+int CRYPT_TDES_IvSet(CRYPT_TDES_CTX*, const unsigned char*);
+int CRYPT_TDES_CBC_Encrypt(CRYPT_TDES_CTX*, unsigned char*,
+ const unsigned char*, unsigned int);
+int CRYPT_TDES_CBC_Decrypt(CRYPT_TDES_CTX*, unsigned char*,
+ const unsigned char*, unsigned int);
+
+/* key direction flags for setup */
+enum {
+ CRYPT_TDES_ENCRYPTION = 0,
+ CRYPT_TDES_DECRYPTION = 1
+};
+
+
+/* AES */
+typedef struct CRYPT_AES_CTX {
+ int holder[69]; /* big enough to hold internal, but check on init */
+} CRYPT_AES_CTX;
+
+/* key */
+int CRYPT_AES_KeySet(CRYPT_AES_CTX*, const unsigned char*, unsigned int,
+ const unsigned char*, int);
+int CRYPT_AES_IvSet(CRYPT_AES_CTX*, const unsigned char*);
+
+/* cbc */
+int CRYPT_AES_CBC_Encrypt(CRYPT_AES_CTX*, unsigned char*,
+ const unsigned char*, unsigned int);
+int CRYPT_AES_CBC_Decrypt(CRYPT_AES_CTX*, unsigned char*,
+ const unsigned char*, unsigned int);
+
+/* ctr (counter), use Encrypt both ways with ENCRYPT key setup */
+int CRYPT_AES_CTR_Encrypt(CRYPT_AES_CTX*, unsigned char*,
+ const unsigned char*, unsigned int);
+
+/* direct, one block at a time */
+int CRYPT_AES_DIRECT_Encrypt(CRYPT_AES_CTX*, unsigned char*,
+ const unsigned char*);
+int CRYPT_AES_DIRECT_Decrypt(CRYPT_AES_CTX*, unsigned char*,
+ const unsigned char*);
+
+/* key direction flags for setup, ctr always uses ENCRYPT flag */
+enum {
+ CRYPT_AES_ENCRYPTION = 0,
+ CRYPT_AES_DECRYPTION = 1,
+ CRYPT_AES_BLOCK_SIZE = 16
+};
+
+
+
+/* RSA */
+typedef struct CRYPT_RSA_CTX {
+ void* holder;
+} CRYPT_RSA_CTX;
+
+/* init/free */
+int CRYPT_RSA_Initialize(CRYPT_RSA_CTX*);
+int CRYPT_RSA_Free(CRYPT_RSA_CTX*);
+
+/* key decode */
+int CRYPT_RSA_PublicKeyDecode(CRYPT_RSA_CTX*, const unsigned char*,
+ unsigned int);
+int CRYPT_RSA_PrivateKeyDecode(CRYPT_RSA_CTX*, const unsigned char*,
+ unsigned int);
+
+/* encrypt/decrypt */
+int CRYPT_RSA_PublicEncrypt(CRYPT_RSA_CTX*, unsigned char*,
+ unsigned int, const unsigned char*, unsigned int,
+ CRYPT_RNG_CTX*);
+int CRYPT_RSA_PrivateDecrypt(CRYPT_RSA_CTX*, unsigned char*,
+ unsigned int, const unsigned char*, unsigned int);
+
+/* helpers */
+int CRYPT_RSA_EncryptSizeGet(CRYPT_RSA_CTX*);
+
+
+
+/* ECC */
+typedef struct CRYPT_ECC_CTX {
+ void* holder;
+} CRYPT_ECC_CTX;
+
+/* init/free */
+int CRYPT_ECC_Initialize(CRYPT_ECC_CTX*);
+int CRYPT_ECC_Free(CRYPT_ECC_CTX*);
+
+/* key coders */
+int CRYPT_ECC_PublicExport(CRYPT_ECC_CTX*, unsigned char*, unsigned int,
+ unsigned int*);
+int CRYPT_ECC_PublicImport(CRYPT_ECC_CTX*, const unsigned char*, unsigned int);
+int CRYPT_ECC_PrivateImport(CRYPT_ECC_CTX*, const unsigned char*, unsigned int,
+ const unsigned char*, unsigned int);
+
+/* dhe */
+int CRYPT_ECC_DHE_KeyMake(CRYPT_ECC_CTX*, CRYPT_RNG_CTX*, int);
+int CRYPT_ECC_DHE_SharedSecretMake(CRYPT_ECC_CTX*, CRYPT_ECC_CTX*,
+ unsigned char*, unsigned int, unsigned int*);
+
+/* dsa */
+int CRYPT_ECC_DSA_HashSign(CRYPT_ECC_CTX*, CRYPT_RNG_CTX*, unsigned char*,
+ unsigned int, unsigned int*, const unsigned char*, unsigned int);
+int CRYPT_ECC_DSA_HashVerify(CRYPT_ECC_CTX*, const unsigned char*,
+ unsigned int, unsigned char*, unsigned int, int*);
+
+/* helpers */
+int CRYPT_ECC_KeySizeGet(CRYPT_ECC_CTX*);
+int CRYPT_ECC_SignatureSizeGet(CRYPT_ECC_CTX*);
+
+
+/* Error string helper, string needs to be >= 80 chars */
+int CRYPT_ERROR_StringGet(int, char*);
+
+
+#ifdef __cplusplus
+ } /* extern "C" */
+#endif
+
+
+#endif /* MC_CRYPTO_API_H */
+
diff --git a/mcapi/include.am b/mcapi/include.am
new file mode 100644
index 000000000..7486c0fd5
--- /dev/null
+++ b/mcapi/include.am
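Review bot: `CRYPT_ERROR_StringGet(int, char*)` at the end of crypto.h takes no buffer length, and the only statement of its contract is the comment "string needs to be >= 80 chars". The implementation in crypto.c forwards the pointer to `CTaoCryptErrorString(err, str)` with no size, so a caller that passes a shorter buffer presumably gets a write past its end that neither side can detect. I would export the minimum as a constant beside the prototype, for example `enum { CRYPT_ERROR_STRING_MIN = 80 };` (the name is only a suggestion), and name the parameters, `int CRYPT_ERROR_StringGet(int err, char* str);`, so callers size the buffer from the header. More generally every prototype in this header is unnamed, so the out/outSz/in/inSz order and which pointers must be non-NULL (for instance the `unsigned int*` used-size outputs of the ECC calls) can only be learned by reading crypto.c.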
@@ -0,0 +1,14 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+if BUILD_MCAPI
+check_PROGRAMS += mcapi/test
+noinst_PROGRAMS += mcapi/test
+mcapi_test_SOURCES = mcapi/crypto.c \
+ mcapi/test.c
+mcapi_test_LDADD = src/libcyassl.la
+mcapi_test_DEPENDENCIES = src/libcyassl.la
+endif
+
+noinst_HEADERS += mcapi/crypto.h
diff --git a/mcapi/test.c b/mcapi/test.c
new file mode 100644
index 000000000..ab9fdebc1
--- /dev/null
+++ b/mcapi/test.c
@@ -0,0 +1,1359 @@ +/* test.c + * + * Copyright (C) 2006-2013 wolfSSL Inc. + * + * This file is part of CyaSSL. + * + * CyaSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * CyaSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + + +/* Tests Microchip CRYPTO API layer */ + + + +/* mc api header */ +#include "crypto.h" + +/* sanity test against our default implementation, cyassl headers */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#define USE_CERT_BUFFERS_1024 +#include + +/* c stdlib headers */ +#include + +/* pic32 specific */ +#ifdef MICROCHIP_PIC32 + #define PIC32_STARTER_KIT + #include + #include +#endif + +#define OUR_DATA_SIZE 1024 +static byte ourData[OUR_DATA_SIZE]; +static byte* key = NULL; +static byte* iv = NULL; +static CRYPT_RNG_CTX mcRng; +static RNG defRng; + +static int check_md5(void); +static int check_sha(void); +static int check_sha256(void); +static int check_sha384(void); +static int check_sha512(void); +static int check_hmac(void); +static int check_compress(void); +static int check_rng(void); +static int check_des3(void); +static int check_aescbc(void); +static int check_aesctr(void); +static int check_aesdirect(void); +static int check_rsa(void); +static int check_ecc(void); + + +int main(int argc, char** argv) +{ + int ret; + int i; + + (void)argc; + (void)argv; + +#ifdef 
MICROCHIP_PIC32 + SYSTEMConfigPerformance(80000000); + DBINIT(); +#endif + + /* align key, iv pointers */ + key = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_KEY); + if (key == NULL) { + printf("mcapi key alloc failed\n"); + return -1; + } + + iv = (byte*)XMALLOC(16, NULL, DYNAMIC_TYPE_KEY); + if (iv == NULL) { + printf("mcapi iv alloc failed\n"); + return -1; + } + + for (i = 0; i < OUR_DATA_SIZE; i++) + ourData[i] = (byte)i; + + ret = check_md5(); + if (ret != 0) { + printf("mcapi check_md5 failed\n"); + return -1; + } + + ret = check_sha(); + if (ret != 0) { + printf("mcapi check_sha failed\n"); + return -1; + } + + ret = check_sha256(); + if (ret != 0) { + printf("mcapi check_sha256 failed\n"); + return -1; + } + + ret = check_sha384(); + if (ret != 0) { + printf("mcapi check_sha384 failed\n"); + return -1; + } + + ret = check_sha512(); + if (ret != 0) { + printf("mcapi check_sha512 failed\n"); + return -1; + } + + ret = check_hmac(); + if (ret != 0) { + printf("mcapi check_hmac failed\n"); + return -1; + } + + ret = check_compress(); + if (ret != 0) { + printf("mcapi check_compress failed\n"); + return -1; + } + + ret = check_rng(); + if (ret != 0) { + printf("mcapi check_rng failed\n"); + return -1; + } + + ret = check_des3(); + if (ret != 0) { + printf("mcapi check_des3 failed\n"); + return -1; + } + + ret = check_aescbc(); + if (ret != 0) { + printf("mcapi check_aes cbc failed\n"); + return -1; + } + + ret = check_aesctr(); + if (ret != 0) { + printf("mcapi check_aes ctr failed\n"); + return -1; + } + + ret = check_aesdirect(); + if (ret != 0) { + printf("mcapi check_aes direct failed\n"); + return -1; + } + + ret = check_rsa(); + if (ret != 0) { + printf("mcapi check_rsa failed\n"); + return -1; + } + + ret = check_ecc(); + if (ret != 0) { + printf("mcapi check_ecc failed\n"); + return -1; + } + + XFREE(iv, NULL, DYNAMIC_TYPE_KEY); + XFREE(key, NULL, DYNAMIC_TYPE_KEY); + + return 0; +} + + +/* check mcapi md5 against internal */ +static int check_md5(void) +{ + 
CRYPT_MD5_CTX mcMd5; + Md5 defMd5; + byte mcDigest[CRYPT_MD5_DIGEST_SIZE]; + byte defDigest[MD5_DIGEST_SIZE]; + + CRYPT_MD5_Initialize(&mcMd5); + InitMd5(&defMd5); + + CRYPT_MD5_DataAdd(&mcMd5, ourData, OUR_DATA_SIZE); + Md5Update(&defMd5, ourData, OUR_DATA_SIZE); + + CRYPT_MD5_Finalize(&mcMd5, mcDigest); + Md5Final(&defMd5, defDigest); + + if (memcmp(mcDigest, defDigest, CRYPT_MD5_DIGEST_SIZE) != 0) { + printf("md5 final memcmp fialed\n"); + return -1; + } + printf("md5 mcapi test passed\n"); + + return 0; +} + + +/* check mcapi sha against internal */ +static int check_sha(void) +{ + CRYPT_SHA_CTX mcSha; + Sha defSha; + byte mcDigest[CRYPT_SHA_DIGEST_SIZE]; + byte defDigest[SHA_DIGEST_SIZE]; + + CRYPT_SHA_Initialize(&mcSha); + InitSha(&defSha); + + CRYPT_SHA_DataAdd(&mcSha, ourData, OUR_DATA_SIZE); + ShaUpdate(&defSha, ourData, OUR_DATA_SIZE); + + CRYPT_SHA_Finalize(&mcSha, mcDigest); + ShaFinal(&defSha, defDigest); + + if (memcmp(mcDigest, defDigest, CRYPT_SHA_DIGEST_SIZE) != 0) { + printf("sha final memcmp fialed\n"); + return -1; + } + printf("sha mcapi test passed\n"); + + return 0; +} + + +/* check mcapi sha256 against internal */ +static int check_sha256(void) +{ + CRYPT_SHA256_CTX mcSha256; + Sha256 defSha256; + byte mcDigest[CRYPT_SHA256_DIGEST_SIZE]; + byte defDigest[SHA256_DIGEST_SIZE]; + + CRYPT_SHA256_Initialize(&mcSha256); + InitSha256(&defSha256); + + CRYPT_SHA256_DataAdd(&mcSha256, ourData, OUR_DATA_SIZE); + Sha256Update(&defSha256, ourData, OUR_DATA_SIZE); + + CRYPT_SHA256_Finalize(&mcSha256, mcDigest); + Sha256Final(&defSha256, defDigest); + + if (memcmp(mcDigest, defDigest, CRYPT_SHA256_DIGEST_SIZE) != 0) { + printf("sha256 final memcmp fialed\n"); + return -1; + } + printf("sha256 mcapi test passed\n"); + + return 0; +} + + +/* check mcapi sha384 against internal */ +static int check_sha384(void) +{ + CRYPT_SHA384_CTX mcSha384; + Sha384 defSha384; + byte mcDigest[CRYPT_SHA384_DIGEST_SIZE]; + byte defDigest[SHA384_DIGEST_SIZE]; + + 
CRYPT_SHA384_Initialize(&mcSha384); + InitSha384(&defSha384); + + CRYPT_SHA384_DataAdd(&mcSha384, ourData, OUR_DATA_SIZE); + Sha384Update(&defSha384, ourData, OUR_DATA_SIZE); + + CRYPT_SHA384_Finalize(&mcSha384, mcDigest); + Sha384Final(&defSha384, defDigest); + + if (memcmp(mcDigest, defDigest, CRYPT_SHA384_DIGEST_SIZE) != 0) { + printf("sha384 final memcmp fialed\n"); + return -1; + } + printf("sha384 mcapi test passed\n"); + + return 0; +} + + +/* check mcapi sha512 against internal */ +static int check_sha512(void) +{ + CRYPT_SHA512_CTX mcSha512; + Sha512 defSha512; + byte mcDigest[CRYPT_SHA512_DIGEST_SIZE]; + byte defDigest[SHA512_DIGEST_SIZE]; + + CRYPT_SHA512_Initialize(&mcSha512); + InitSha512(&defSha512); + + CRYPT_SHA512_DataAdd(&mcSha512, ourData, OUR_DATA_SIZE); + Sha512Update(&defSha512, ourData, OUR_DATA_SIZE); + + CRYPT_SHA512_Finalize(&mcSha512, mcDigest); + Sha512Final(&defSha512, defDigest); + + if (memcmp(mcDigest, defDigest, CRYPT_SHA512_DIGEST_SIZE) != 0) { + printf("sha512 final memcmp fialed\n"); + return -1; + } + printf("sha512 mcapi test passed\n"); + + return 0; +} + + +/* check mcapi hmac against internal */ +static int check_hmac(void) +{ + CRYPT_HMAC_CTX mcHmac; + Hmac defHmac; + byte mcDigest[CRYPT_SHA512_DIGEST_SIZE]; + byte defDigest[SHA512_DIGEST_SIZE]; + + strncpy((char*)key, "Jefe", 4); + + /* SHA1 */ + CRYPT_HMAC_SetKey(&mcHmac, CRYPT_HMAC_SHA, key, 4); + HmacSetKey(&defHmac, SHA, key, 4); + + CRYPT_HMAC_DataAdd(&mcHmac, ourData, OUR_DATA_SIZE); + HmacUpdate(&defHmac, ourData, OUR_DATA_SIZE); + + CRYPT_HMAC_Finalize(&mcHmac, mcDigest); + HmacFinal(&defHmac, defDigest); + + if (memcmp(mcDigest, defDigest, CRYPT_SHA_DIGEST_SIZE) != 0) { + printf("hmac sha final memcmp fialed\n"); + return -1; + } + printf("hmac sha mcapi test passed\n"); + + /* SHA-256 */ + CRYPT_HMAC_SetKey(&mcHmac, CRYPT_HMAC_SHA256, key, 4); + HmacSetKey(&defHmac, SHA256, key, 4); + + CRYPT_HMAC_DataAdd(&mcHmac, ourData, OUR_DATA_SIZE); + HmacUpdate(&defHmac, 
ourData, OUR_DATA_SIZE); + + CRYPT_HMAC_Finalize(&mcHmac, mcDigest); + HmacFinal(&defHmac, defDigest); + + if (memcmp(mcDigest, defDigest, CRYPT_SHA256_DIGEST_SIZE) != 0) { + printf("hmac sha256 final memcmp fialed\n"); + return -1; + } + printf("hmac sha256 mcapi test passed\n"); + + /* SHA-384 */ + CRYPT_HMAC_SetKey(&mcHmac, CRYPT_HMAC_SHA384, key, 4); + HmacSetKey(&defHmac, SHA384, key, 4); + + CRYPT_HMAC_DataAdd(&mcHmac, ourData, OUR_DATA_SIZE); + HmacUpdate(&defHmac, ourData, OUR_DATA_SIZE); + + CRYPT_HMAC_Finalize(&mcHmac, mcDigest); + HmacFinal(&defHmac, defDigest); + + if (memcmp(mcDigest, defDigest, CRYPT_SHA384_DIGEST_SIZE) != 0) { + printf("hmac sha384 final memcmp fialed\n"); + return -1; + } + printf("hmac sha384 mcapi test passed\n"); + + /* SHA-512 */ + CRYPT_HMAC_SetKey(&mcHmac, CRYPT_HMAC_SHA512, key, 4); + HmacSetKey(&defHmac, SHA512, key, 4); + + CRYPT_HMAC_DataAdd(&mcHmac, ourData, OUR_DATA_SIZE); + HmacUpdate(&defHmac, ourData, OUR_DATA_SIZE); + + CRYPT_HMAC_Finalize(&mcHmac, mcDigest); + HmacFinal(&defHmac, defDigest); + + if (memcmp(mcDigest, defDigest, CRYPT_SHA512_DIGEST_SIZE) != 0) { + printf("hmac sha512 final memcmp fialed\n"); + return -1; + } + printf("hmac sha512 mcapi test passed\n"); + + return 0; +} + + +/* check mcapi compress against internal */ +static int check_compress(void) +{ + const unsigned char text[] = + "Biodiesel cupidatat marfa, cliche aute put a bird on it incididunt elit\n" + "polaroid. Sunt tattooed bespoke reprehenderit. Sint twee organic id\n" + "marfa. Commodo veniam ad esse gastropub. 3 wolf moon sartorial vero,\n" + "plaid delectus biodiesel squid +1 vice. Post-ironic keffiyeh leggings\n" + "selfies cray fap hoodie, forage anim. Carles cupidatat shoreditch, VHS\n" + "small batch meggings kogi dolore food truck bespoke gastropub.\n" + "\n" + "Terry richardson adipisicing actually typewriter tumblr, twee whatever\n" + "four loko you probably haven't heard of them high life. 
Messenger bag\n" + "whatever tattooed deep v mlkshk. Brooklyn pinterest assumenda chillwave\n" + "et, banksy ullamco messenger bag umami pariatur direct trade forage.\n" + "Typewriter culpa try-hard, pariatur sint brooklyn meggings. Gentrify\n" + "food truck next level, tousled irony non semiotics PBR ethical anim cred\n" + "readymade. Mumblecore brunch lomo odd future, portland organic terry\n" + "four loko whatever street art yr farm-to-table.\n"; + + unsigned int inSz = sizeof(text); + unsigned int outSz; + unsigned char cBuffer[1024]; + unsigned char dBuffer[1024]; + + int ret1, ret2; + + /* dynamic */ + ret1 = CRYPT_HUFFMAN_Compress(cBuffer, sizeof(cBuffer), text, inSz, 0); + ret2 = Compress(dBuffer, sizeof(dBuffer), text, inSz, 0); + + if (ret1 != ret2 || ret1 < 0) { + printf("compress dynamic ret failed\n"); + return -1; + } + + if (memcmp(cBuffer, dBuffer, ret1) != 0) { + printf("compress dynamic cmp failed\n"); + return -1; + } + + outSz = ret1; + + ret1 = CRYPT_HUFFMAN_DeCompress(dBuffer, sizeof(dBuffer), cBuffer, outSz); + + if (memcmp(dBuffer, text, inSz) != 0) { + printf("mcapi decompress dynamic cmp failed\n"); + return -1; + } + + memset(dBuffer, 0, sizeof(dBuffer)); + + ret1 = DeCompress(dBuffer, sizeof(dBuffer), cBuffer, outSz); + + if (memcmp(dBuffer, text, inSz) != 0) { + printf("decompress dynamic cmp failed\n"); + return -1; + } + + memset(cBuffer, 0, sizeof(cBuffer)); + memset(dBuffer, 0, sizeof(dBuffer)); + + /* static */ + ret1 = CRYPT_HUFFMAN_Compress(cBuffer, sizeof(cBuffer), text, inSz, 1); + ret2 = Compress(dBuffer, sizeof(dBuffer), text, inSz, 1); + + if (ret1 != ret2 || ret1 < 0) { + printf("compress static ret failed\n"); + return -1; + } + + if (memcmp(cBuffer, dBuffer, ret1) != 0) { + printf("compress static cmp failed\n"); + return -1; + } + + outSz = ret1; + + ret1 = CRYPT_HUFFMAN_DeCompress(dBuffer, sizeof(dBuffer), cBuffer, outSz); + + if (memcmp(dBuffer, text, inSz) != 0) { + printf("mcapi decompress static cmp failed\n"); + 
return -1; + } + + memset(dBuffer, 0, sizeof(dBuffer)); + + ret1 = DeCompress(dBuffer, sizeof(dBuffer), cBuffer, outSz); + + if (memcmp(dBuffer, text, inSz) != 0) { + printf("decompress static cmp failed\n"); + return -1; + } + + printf("huffman mcapi test passed\n"); + + return 0; +} + + +#define RANDOM_BYTE_SZ 32 + +/* check mcapi rng */ +static int check_rng(void) +{ + int ret; + int i; + byte in[RANDOM_BYTE_SZ]; + byte out[RANDOM_BYTE_SZ]; + + for (i = 0; i < RANDOM_BYTE_SZ; i++) + in[i] = (byte)i; + + for (i = 0; i < RANDOM_BYTE_SZ; i++) + out[i] = (byte)i; + + ret = InitRng(&defRng); + if (ret != 0) { + printf("default rng init failed\n"); + return -1; + } + + ret = CRYPT_RNG_Initialize(&mcRng); + if (ret != 0) { + printf("mcapi rng init failed\n"); + return -1; + } + + ret = CRYPT_RNG_Get(&mcRng, &out[0]); + if (ret != 0) { + printf("mcapi rng get failed\n"); + return -1; + } + + ret = CRYPT_RNG_BlockGenerate(&mcRng, out, RANDOM_BYTE_SZ); + if (ret != 0) { + printf("mcapi rng block gen failed\n"); + return -1; + } + + if (memcmp(in, out, RANDOM_BYTE_SZ) == 0) { + printf("mcapi rng block gen output failed\n"); + return -1; + } + + printf("rng mcapi test passed\n"); + + return 0; +} + + +#define TDES_TEST_SIZE 32 + +/* check mcapi des3 */ +static int check_des3(void) +{ + CRYPT_TDES_CTX mcDes3; + Des3 defDes3; + int ret; + byte out1[TDES_TEST_SIZE]; + byte out2[TDES_TEST_SIZE]; + + strncpy((char*)key, "1234567890abcdefghijklmn", 24); + strncpy((char*)iv, "12345678", 8); + + /* cbc encrypt */ + ret = CRYPT_TDES_KeySet(&mcDes3, key, iv, CRYPT_TDES_ENCRYPTION); + if (ret != 0) { + printf("mcapi tdes key set failed\n"); + return -1; + } + Des3_SetKey(&defDes3, key, iv, DES_ENCRYPTION); + + ret = CRYPT_TDES_CBC_Encrypt(&mcDes3, out1, ourData, TDES_TEST_SIZE); + if (ret != 0) { + printf("mcapi tdes cbc encrypt failed\n"); + return -1; + } + Des3_CbcEncrypt(&defDes3, out2, ourData, TDES_TEST_SIZE); + + if (memcmp(out1, out2, TDES_TEST_SIZE) != 0) { + printf("mcapi 
tdes cbc encrypt cmp failed\n"); + return -1; + } + + /* cbc decrypt */ + ret = CRYPT_TDES_KeySet(&mcDes3, key, iv, CRYPT_TDES_DECRYPTION); + if (ret != 0) { + printf("mcapi tdes key set failed\n"); + return -1; + } + Des3_SetKey(&defDes3, key, iv, DES_DECRYPTION); + + ret = CRYPT_TDES_CBC_Decrypt(&mcDes3, out2, out1, TDES_TEST_SIZE); + if (ret != 0) { + printf("mcapi tdes cbc decrypt failed\n"); + return -1; + } + Des3_CbcDecrypt(&defDes3, out1, out1, TDES_TEST_SIZE); + + if (memcmp(out1, out2, TDES_TEST_SIZE) != 0) { + printf("mcapi tdes cbc decrypt cmp failed\n"); + return -1; + } + + if (memcmp(out1, ourData, TDES_TEST_SIZE) != 0) { + printf("mcapi tdes cbc decrypt orig cmp failed\n"); + return -1; + } + + printf("tdes mcapi test passed\n"); + + return 0; +} + + +#define AES_TEST_SIZE 32 + +/* check mcapi aes cbc */ +static int check_aescbc(void) +{ + CRYPT_AES_CTX mcAes; + Aes defAes; + int ret; + byte out1[AES_TEST_SIZE]; + byte out2[AES_TEST_SIZE]; + + strncpy((char*)key, "1234567890abcdefghijklmnopqrstuv", 32); + strncpy((char*)iv, "1234567890abcdef", 16); + + /* 128 cbc encrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 16, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-128 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 16, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-128 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CBC_Encrypt(&mcAes, out1, ourData, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-128 cbc encrypt failed\n"); + return -1; + } + AesCbcEncrypt(&defAes, out2, ourData, AES_TEST_SIZE); + + if (memcmp(out1, out2, AES_TEST_SIZE) != 0) { + printf("mcapi aes-128 cbc encrypt cmp failed\n"); + return -1; + } + + /* 128 cbc decrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 16, iv, CRYPT_AES_DECRYPTION); + if (ret != 0) { + printf("mcapi aes-128 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 16, iv, DES_DECRYPTION); + if (ret != 0) { + printf("default aes-128 
key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CBC_Decrypt(&mcAes, out2, out1, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-128 cbc decrypt failed\n"); + return -1; + } + AesCbcDecrypt(&defAes, out1, out1, AES_TEST_SIZE); + + if (memcmp(out1, out2, AES_TEST_SIZE) != 0) { + printf("mcapi aes-128 cbc decrypt cmp failed\n"); + return -1; + } + + if (memcmp(out1, ourData, AES_TEST_SIZE) != 0) { + printf("mcapi aes-128 cbc decrypt orig cmp failed\n"); + return -1; + } + + /* 192 cbc encrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 24, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-192 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 24, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-192 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CBC_Encrypt(&mcAes, out1, ourData, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-192 cbc encrypt failed\n"); + return -1; + } + AesCbcEncrypt(&defAes, out2, ourData, AES_TEST_SIZE); + + if (memcmp(out1, out2, AES_TEST_SIZE) != 0) { + printf("mcapi aes-192 cbc encrypt cmp failed\n"); + return -1; + } + + /* 192 cbc decrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 24, iv, CRYPT_AES_DECRYPTION); + if (ret != 0) { + printf("mcapi aes-192 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 24, iv, AES_DECRYPTION); + if (ret != 0) { + printf("default aes-192 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CBC_Decrypt(&mcAes, out2, out1, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-192 cbc decrypt failed\n"); + return -1; + } + AesCbcDecrypt(&defAes, out1, out1, AES_TEST_SIZE); + + if (memcmp(out1, out2, AES_TEST_SIZE) != 0) { + printf("mcapi aes-192 cbc decrypt cmp failed\n"); + return -1; + } + + if (memcmp(out1, ourData, AES_TEST_SIZE) != 0) { + printf("mcapi aes-192 cbc decrypt orig cmp failed\n"); + return -1; + } + + /* 256 cbc encrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 32, iv, CRYPT_AES_ENCRYPTION); + if (ret != 
0) { + printf("mcapi aes-256 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 32, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-256 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CBC_Encrypt(&mcAes, out1, ourData, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-256 cbc encrypt failed\n"); + return -1; + } + AesCbcEncrypt(&defAes, out2, ourData, AES_TEST_SIZE); + + if (memcmp(out1, out2, AES_TEST_SIZE) != 0) { + printf("mcapi aes-256 cbc encrypt cmp failed\n"); + return -1; + } + + /* 256 cbc decrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 32, iv, CRYPT_AES_DECRYPTION); + if (ret != 0) { + printf("mcapi aes-256 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 32, iv, AES_DECRYPTION); + if (ret != 0) { + printf("default aes-256 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CBC_Decrypt(&mcAes, out2, out1, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-256 cbc decrypt failed\n"); + return -1; + } + AesCbcDecrypt(&defAes, out1, out1, AES_TEST_SIZE); + + if (memcmp(out1, out2, AES_TEST_SIZE) != 0) { + printf("mcapi aes-256 cbc decrypt cmp failed\n"); + return -1; + } + + if (memcmp(out1, ourData, AES_TEST_SIZE) != 0) { + printf("mcapi aes-256 cbc decrypt orig cmp failed\n"); + return -1; + } + + printf("aes-cbc mcapi test passed\n"); + + return 0; +} + + +/* check mcapi aes ctr */ +static int check_aesctr(void) +{ + CRYPT_AES_CTX mcAes; + Aes defAes; + int ret; + byte out1[AES_TEST_SIZE]; + byte out2[AES_TEST_SIZE]; + + strncpy((char*)key, "1234567890abcdefghijklmnopqrstuv", 32); + strncpy((char*)iv, "1234567890abcdef", 16); + + /* 128 ctr encrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 16, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-128 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 16, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-128 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CTR_Encrypt(&mcAes, out1, 
ourData, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-128 ctr encrypt failed\n"); + return -1; + } + AesCtrEncrypt(&defAes, out2, ourData, AES_TEST_SIZE); + + if (memcmp(out1, out2, AES_TEST_SIZE) != 0) { + printf("mcapi aes-128 ctr encrypt cmp failed\n"); + return -1; + } + + /* 128 ctr decrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 16, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-128 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 16, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-128 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CTR_Encrypt(&mcAes, out2, out1, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-128 ctr decrypt failed\n"); + return -1; + } + + if (memcmp(out2, ourData, AES_TEST_SIZE) != 0) { + printf("mcapi aes-128 ctr decrypt orig cmp failed\n"); + return -1; + } + + /* 192 ctr encrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 24, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-192 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 24, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-192 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CTR_Encrypt(&mcAes, out1, ourData, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-192 ctr encrypt failed\n"); + return -1; + } + AesCtrEncrypt(&defAes, out2, ourData, AES_TEST_SIZE); + + if (memcmp(out1, out2, AES_TEST_SIZE) != 0) { + printf("mcapi aes-192 ctr encrypt cmp failed\n"); + return -1; + } + + /* 192 ctr decrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 24, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-192 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 24, iv, AES_DECRYPTION); + if (ret != 0) { + printf("default aes-192 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CTR_Encrypt(&mcAes, out2, out1, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-192 ctr decrypt failed\n"); + return -1; + } + + if (memcmp(out2, 
ourData, AES_TEST_SIZE) != 0) { + printf("mcapi aes-192 ctr decrypt orig cmp failed\n"); + return -1; + } + + /* 256 ctr encrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 32, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-256 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 32, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-256 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CTR_Encrypt(&mcAes, out1, ourData, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-256 ctr encrypt failed\n"); + return -1; + } + AesCtrEncrypt(&defAes, out2, ourData, AES_TEST_SIZE); + + if (memcmp(out1, out2, AES_TEST_SIZE) != 0) { + printf("mcapi aes-256 ctr encrypt cmp failed\n"); + return -1; + } + + /* 256 ctr decrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 32, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-256 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 32, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-256 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_CTR_Encrypt(&mcAes, out2, out1, AES_TEST_SIZE); + if (ret != 0) { + printf("mcapi aes-256 ctr decrypt failed\n"); + return -1; + } + + if (memcmp(out2, ourData, AES_TEST_SIZE) != 0) { + printf("mcapi aes-256 ctr decrypt orig cmp failed\n"); + return -1; + } + + printf("aes-ctr mcapi test passed\n"); + + return 0; +} + + +/* check mcapi aes direct */ +static int check_aesdirect(void) +{ + CRYPT_AES_CTX mcAes; + Aes defAes; + int ret; + byte out1[CRYPT_AES_BLOCK_SIZE]; + byte out2[16]; /* one block at a time */ + + strncpy((char*)key, "1234567890abcdefghijklmnopqrstuv", 32); + strncpy((char*)iv, "1234567890abcdef", 16); + + /* 128 direct encrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 16, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-128 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 16, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-128 key set 
failed\n"); + return -1; + } + + ret = CRYPT_AES_DIRECT_Encrypt(&mcAes, out1, ourData); + if (ret != 0) { + printf("mcapi aes-128 direct encrypt failed\n"); + return -1; + } + AesEncryptDirect(&defAes, out2, ourData); + + if (memcmp(out1, out2, CRYPT_AES_BLOCK_SIZE) != 0) { + printf("mcapi aes-128 direct encrypt cmp failed\n"); + return -1; + } + + /* 128 direct decrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 16, iv, CRYPT_AES_DECRYPTION); + if (ret != 0) { + printf("mcapi aes-128 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 16, iv, DES_DECRYPTION); + if (ret != 0) { + printf("default aes-128 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_DIRECT_Decrypt(&mcAes, out2, out1); + if (ret != 0) { + printf("mcapi aes-128 direct decrypt failed\n"); + return -1; + } + AesDecryptDirect(&defAes, out1, out1); + + if (memcmp(out1, out2, CRYPT_AES_BLOCK_SIZE) != 0) { + printf("mcapi aes-128 direct decrypt cmp failed\n"); + return -1; + } + + if (memcmp(out1, ourData, CRYPT_AES_BLOCK_SIZE) != 0) { + printf("mcapi aes-128 direct decrypt orig cmp failed\n"); + return -1; + } + + /* 192 direct encrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 24, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-192 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 24, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-192 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_DIRECT_Encrypt(&mcAes, out1, ourData); + if (ret != 0) { + printf("mcapi aes-192 direct encrypt failed\n"); + return -1; + } + AesEncryptDirect(&defAes, out2, ourData); + + if (memcmp(out1, out2, CRYPT_AES_BLOCK_SIZE) != 0) { + printf("mcapi aes-192 direct encrypt cmp failed\n"); + return -1; + } + + /* 192 direct decrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 24, iv, CRYPT_AES_DECRYPTION); + if (ret != 0) { + printf("mcapi aes-192 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 24, iv, AES_DECRYPTION); + if (ret != 0) { + 
printf("default aes-192 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_DIRECT_Decrypt(&mcAes, out2, out1); + if (ret != 0) { + printf("mcapi aes-192 direct decrypt failed\n"); + return -1; + } + AesDecryptDirect(&defAes, out1, out1); + + if (memcmp(out1, out2, CRYPT_AES_BLOCK_SIZE) != 0) { + printf("mcapi aes-192 direct decrypt cmp failed\n"); + return -1; + } + + if (memcmp(out1, ourData, CRYPT_AES_BLOCK_SIZE) != 0) { + printf("mcapi aes-192 direct decrypt orig cmp failed\n"); + return -1; + } + + /* 256 direct encrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 32, iv, CRYPT_AES_ENCRYPTION); + if (ret != 0) { + printf("mcapi aes-256 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 32, iv, AES_ENCRYPTION); + if (ret != 0) { + printf("default aes-256 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_DIRECT_Encrypt(&mcAes, out1, ourData); + if (ret != 0) { + printf("mcapi aes-256 direct encrypt failed\n"); + return -1; + } + AesEncryptDirect(&defAes, out2, ourData); + + if (memcmp(out1, out2, CRYPT_AES_BLOCK_SIZE) != 0) { + printf("mcapi aes-256 direct encrypt cmp failed\n"); + return -1; + } + + /* 256 direct decrypt */ + ret = CRYPT_AES_KeySet(&mcAes, key, 32, iv, CRYPT_AES_DECRYPTION); + if (ret != 0) { + printf("mcapi aes-256 key set failed\n"); + return -1; + } + ret = AesSetKey(&defAes, key, 32, iv, AES_DECRYPTION); + if (ret != 0) { + printf("default aes-256 key set failed\n"); + return -1; + } + + ret = CRYPT_AES_DIRECT_Decrypt(&mcAes, out2, out1); + if (ret != 0) { + printf("mcapi aes-256 direct decrypt failed\n"); + return -1; + } + AesDecryptDirect(&defAes, out1, out1); + + if (memcmp(out1, out2, CRYPT_AES_BLOCK_SIZE) != 0) { + printf("mcapi aes-256 direct decrypt cmp failed\n"); + return -1; + } + + if (memcmp(out1, ourData, CRYPT_AES_BLOCK_SIZE) != 0) { + printf("mcapi aes-256 direct decrypt orig cmp failed\n"); + return -1; + } + + printf("aes-direct mcapi test passed\n"); + + return 0; +} + + +#define RSA_TEST_SIZE 64 
+ +/* check mcapi rsa */ +static int check_rsa(void) +{ + CRYPT_RSA_CTX mcRsa; + RsaKey defRsa; + int ret; + int ret2; + unsigned int keySz = (unsigned int)sizeof(client_key_der_1024); + unsigned int idx = 0; + byte out1[256]; + byte out2[256]; + + InitRsaKey(&defRsa, NULL); + ret = CRYPT_RSA_Initialize(&mcRsa); + if (ret != 0) { + printf("mcapi rsa init failed\n"); + return -1; + } + + ret = CRYPT_RSA_PrivateKeyDecode(&mcRsa, client_key_der_1024, keySz); + if (ret != 0) { + printf("mcapi rsa private key decode failed\n"); + return -1; + } + + ret = RsaPrivateKeyDecode(client_key_der_1024, &idx, &defRsa, keySz); + if (ret != 0) { + printf("default rsa private key decode failed\n"); + return -1; + } + + ret = CRYPT_RSA_PublicEncrypt(&mcRsa, out1, sizeof(out1), ourData, + RSA_TEST_SIZE, &mcRng); + if (ret < 0) { + printf("mcapi rsa public encrypt failed\n"); + return -1; + } + + ret2 = RsaPublicEncrypt(ourData, RSA_TEST_SIZE, out2, sizeof(out2), + &defRsa, &defRng); + if (ret2 < 0) { + printf("default rsa public encrypt failed\n"); + return -1; + } + + if (ret != ret2) { + printf("default rsa public encrypt sz != mcapi sz\n"); + return -1; + } + + if (ret != CRYPT_RSA_EncryptSizeGet(&mcRsa)) { + printf("mcapi encrypt sz get != mcapi sz\n"); + return -1; + } + + ret = CRYPT_RSA_PrivateDecrypt(&mcRsa, out2, sizeof(out2), out1, ret); + if (ret < 0) { + printf("mcapi rsa private derypt failed\n"); + return -1; + } + + if (ret != RSA_TEST_SIZE) { + printf("mcapi rsa private derypt plain size wrong\n"); + return -1; + } + + if (memcmp(out2, ourData, ret) != 0) { + printf("mcapi rsa private derypt plain text bad\n"); + return -1; + } + + FreeRsaKey(&defRsa); + ret = CRYPT_RSA_Free(&mcRsa); + if (ret != 0) { + printf("mcapi rsa free failed\n"); + return -1; + } + + printf("rsa mcapi test passed\n"); + + return 0; +} + + +/* check mcapi ecc */ +static int check_ecc(void) +{ + CRYPT_ECC_CTX userA; + CRYPT_ECC_CTX userB; + int ret; + byte sharedA[100]; + byte sharedB[100]; + 
byte sig[100]; + unsigned int aSz = (unsigned int)sizeof(sharedA); + unsigned int bSz = (unsigned int)sizeof(sharedB); + unsigned int sigSz = (unsigned int)sizeof(sig); + unsigned int usedA = 0; + unsigned int usedB = 0; + int verifyStatus = 0; + + /* init */ + ret = CRYPT_ECC_Initialize(&userA); + if (ret != 0) { + printf("mcapi ecc init failed\n"); + return -1; + } + + ret = CRYPT_ECC_Initialize(&userB); + if (ret != 0) { + printf("mcapi ecc init b failed\n"); + return -1; + } + + /* dhe + helpers */ + ret = CRYPT_ECC_DHE_KeyMake(&userA, &mcRng, 32); + if (ret != 0) { + printf("mcapi ecc make key failed\n"); + return -1; + } + + ret = CRYPT_ECC_DHE_KeyMake(&userB, &mcRng, 32); + if (ret != 0) { + printf("mcapi ecc make key b failed\n"); + return -1; + } + + ret = CRYPT_ECC_KeySizeGet(&userA); + if (ret <= 0) { + printf("mcapi ecc key size get failed\n"); + return -1; + } + + ret = CRYPT_ECC_SignatureSizeGet(&userA); + if (ret <= 0) { + printf("mcapi ecc signature size get failed\n"); + return -1; + } + + ret = CRYPT_ECC_DHE_SharedSecretMake(&userA, &userB, sharedA, aSz, &usedA); + if (ret != 0) { + printf("mcapi ecc make shared secret failed\n"); + return -1; + } + + ret = CRYPT_ECC_DHE_SharedSecretMake(&userB, &userA, sharedB, bSz, &usedB); + if (ret != 0) { + printf("mcapi ecc make shared secret failed\n"); + return -1; + } + + if (usedA != usedB || usedA <= 0) { + printf("mcapi ecc make shared secret output size match failed\n"); + return -1; + } + + if (memcmp(sharedA, sharedB, usedA) != 0) { + printf("mcapi ecc make shared secret output match cmp failed\n"); + return -1; + } + + /* dsa */ + ret = CRYPT_ECC_DSA_HashSign(&userA, &mcRng, sig, sigSz, &usedA, ourData, + CRYPT_SHA_DIGEST_SIZE); + if (ret != 0) { + printf("mcapi ecc sign hash failed\n"); + return -1; + } + + sigSz = usedA; + if (sigSz <= 0) { + printf("mcapi ecc sign hash bad sig size\n"); + return -1; + } + + ret = CRYPT_ECC_DSA_HashVerify(&userA, sig, sigSz, ourData, + CRYPT_SHA_DIGEST_SIZE, 
&verifyStatus); + if (ret != 0) { + printf("mcapi ecc verify hash failed\n"); + return -1; + } + if (verifyStatus != 1) { + printf("mcapi ecc verify hash status failed\n"); + return -1; + } + + /* import / export */ + usedA = 0; + ret = CRYPT_ECC_PublicExport(&userA, sharedA, aSz, &usedA); + if (ret != 0) { + printf("mcapi ecc public export failed\n"); + return -1; + } + + ret = CRYPT_ECC_PublicImport(&userB, sharedA, usedA); + if (ret != 0) { + printf("mcapi ecc public import failed\n"); + return -1; + } + + ret = CRYPT_ECC_Free(&userA); + if (ret != 0) { + printf("mcapi ecc free failed\n"); + return -1; + } + + ret = CRYPT_ECC_Free(&userB); + if (ret != 0) { + printf("mcapi ecc free b failed\n"); + return -1; + } + + printf("ecc mcapi test passed\n"); + + return 0; +} + diff --git a/mplabx/ctaocrypt_test.X/main.c b/mplabx/ctaocrypt_test.X/main.c index 1ecfc2ada..5edccecad 100644 --- a/mplabx/ctaocrypt_test.X/main.c +++ b/mplabx/ctaocrypt_test.X/main.c @@ -24,6 +24,7 @@ #include #include #include +#include #include /* func_args from test.h, so don't have to pull in other junk */ @@ -38,6 +39,8 @@ typedef struct func_args { */ int main(int argc, char** argv) { + SYSTEMConfigPerformance(80000000); + DBINIT(); printf("CTaoCrypt Test:\n"); diff --git a/src/crl.c b/src/crl.c index 38487eb67..e65cc3236 100644 --- a/src/crl.c +++ b/src/crl.c @@ -30,6 +30,7 @@ #include #include +#include #include 
@@ -532,8 +533,19 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) return BAD_PATH_ERROR; } while ( (entry = readdir(dir)) != NULL) { - if (entry->d_type & DT_REG) { - char name[MAX_FILENAME_SZ]; + char name[MAX_FILENAME_SZ]; + struct stat s; + + XMEMSET(name, 0, sizeof(name)); + XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2); + XSTRNCAT(name, "/", 1); + XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); + + if (stat(name, &s) != 0) { + CYASSL_MSG("stat on name failed"); + continue; + } + if (s.st_mode & S_IFREG) { if (type == SSL_FILETYPE_PEM) { if (strstr(entry->d_name, ".pem") == NULL) { @@ -550,11 +562,6 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) } } - XMEMSET(name, 0, sizeof(name)); - XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2); - XSTRNCAT(name, "/", 1); - XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); - if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl) != SSL_SUCCESS) { CYASSL_MSG("CRL file load failed, continuing"); diff --git a/src/include.am b/src/include.am index eb0937663..ce61e0331 100644 --- a/src/include.am +++ b/src/include.am @@ -11,7 +11,6 @@ src_libcyassl_la_SOURCES = \ src/tls.c \ ctaocrypt/src/hmac.c \ ctaocrypt/src/random.c \ - ctaocrypt/src/sha.c \ ctaocrypt/src/sha256.c \ ctaocrypt/src/logging.c \ ctaocrypt/src/error.c 
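Review bot: The new file-type test `if (s.st_mode & S_IFREG)` in LoadCRL is a bit test against a value that is not a single-bit flag, so it also passes for other file types whose type code shares that bit (sockets, on common POSIX layouts); use `if (S_ISREG(s.st_mode)) {` instead. The path handed to stat() is built with `XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2)`, which silently truncates a long directory path, so stat() and the later ProcessFile() could act on a different path than the caller supplied. Rejecting an over-long `path` before the loop would be safer than truncating. LoadCRL starts and ends outside the hunk.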
@@ -20,19 +19,56 @@ src_libcyassl_la_LIBADD = $(LIBM) src_libcyassl_la_CFLAGS = -DBUILDING_CYASSL $(AM_CFLAGS) src_libcyassl_la_CPPFLAGS = -DBUILDING_CYASSL $(AM_CPPFLAGS) -if !BUILD_LEANPSK -src_libcyassl_la_SOURCES += ctaocrypt/src/rsa.c \ - ctaocrypt/src/des3.c \ - ctaocrypt/src/coding.c \ - ctaocrypt/src/arc4.c \ - ctaocrypt/src/md4.c \ - ctaocrypt/src/md5.c \ - ctaocrypt/src/asn.c \ - ctaocrypt/src/dh.c \ - ctaocrypt/src/dsa.c \ - ctaocrypt/src/pwdbased.c \ - ctaocrypt/src/aes.c \ - ctaocrypt/src/memory.c +if BUILD_MEMORY +src_libcyassl_la_SOURCES += ctaocrypt/src/memory.c +endif + +if BUILD_RSA +src_libcyassl_la_SOURCES += ctaocrypt/src/rsa.c +endif + +if BUILD_DH +src_libcyassl_la_SOURCES += ctaocrypt/src/dh.c +endif + +if BUILD_ASN +src_libcyassl_la_SOURCES += ctaocrypt/src/asn.c +endif + +if BUILD_CODING +src_libcyassl_la_SOURCES += ctaocrypt/src/coding.c +endif + +if BUILD_AES +src_libcyassl_la_SOURCES += ctaocrypt/src/aes.c +endif + +if BUILD_DES3 +src_libcyassl_la_SOURCES += ctaocrypt/src/des3.c +endif + +if BUILD_SHA +src_libcyassl_la_SOURCES += ctaocrypt/src/sha.c +endif + +if BUILD_RC4 +src_libcyassl_la_SOURCES += ctaocrypt/src/arc4.c +endif + +if BUILD_MD4 +src_libcyassl_la_SOURCES += ctaocrypt/src/md4.c +endif + +if BUILD_MD5 +src_libcyassl_la_SOURCES += ctaocrypt/src/md5.c +endif + +if BUILD_PWDBASED +src_libcyassl_la_SOURCES += ctaocrypt/src/pwdbased.c +endif + +if BUILD_DSA +src_libcyassl_la_SOURCES += ctaocrypt/src/dsa.c endif if BUILD_AESNI @@ -71,7 +107,7 @@ if BUILD_RABBIT src_libcyassl_la_SOURCES += ctaocrypt/src/rabbit.c endif -if BUILD_NOINLINE +if !BUILD_INLINE src_libcyassl_la_SOURCES += ctaocrypt/src/misc.c endif @@ -100,3 +136,7 @@ src_libcyassl_la_CFLAGS += $(PTHREAD_CFLAGS) src_libcyassl_la_LIBADD += $(PTHREAD_LIBS) endif +if BUILD_LIBZ +src_libcyassl_la_SOURCES += ctaocrypt/src/compress.c +endif + diff --git a/src/internal.c b/src/internal.c index 01610c56c..a7467d732 100644 --- a/src/internal.c +++ b/src/internal.c 
@@ -90,10 +90,13 @@ typedef enum { runProcessingOneMessage } processReply; -#ifndef NO_MD5 +#ifndef NO_OLD_TLS static void Hmac(CYASSL* ssl, byte* digest, const byte* buffer, word32 sz, int content, int verify); +#endif + +#ifndef NO_CERTS static void BuildCertHashes(CYASSL* ssl, Hashes* hashes); #endif @@ -123,6 +126,8 @@ int IsAtLeastTLSv1_2(const CYASSL* ssl) { if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_2_MINOR) return 1; + if (ssl->version.major == DTLS_MAJOR && ssl->version.minor <= DTLSv1_2_MINOR) + return 1; return 0; } @@ -217,12 +222,16 @@ static INLINE void ato16(const byte* c, word16* u16) } +#ifdef CYASSL_DTLS + /* convert opaque to 32 bit integer */ static INLINE void ato32(const byte* c, word32* u32) { *u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3]; } +#endif /* CYASSL_DTLS */ + #ifdef HAVE_LIBZ @@ -273,7 +282,7 @@ static INLINE void ato32(const byte* c, word32* u32) /* compress in to out, return out size or error */ - static int Compress(CYASSL* ssl, byte* in, int inSz, byte* out, int outSz) + static int myCompress(CYASSL* ssl, byte* in, int inSz, byte* out, int outSz) { int err; int currTotal = (int)ssl->c_stream.total_out; @@ -291,7 +300,7 @@ static INLINE void ato32(const byte* c, word32* u32) /* decompress in to out, returnn out size or error */ - static int DeCompress(CYASSL* ssl, byte* in, int inSz, byte* out, int outSz) + static int myDeCompress(CYASSL* ssl, byte* in,int inSz, byte* out,int outSz) { int err; int currTotal = (int)ssl->d_stream.total_out; 
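Review bot: The DTLS branch added to IsAtLeastTLSv1_2 compares with `<=`, which reads backwards next to the `>=` on the TLS line above it, and nothing in the hunk says why. DTLS version bytes count downward on the wire (1.2 is encoded with a smaller minor than 1.0), so the test is right, but it needs a comment such as `/* DTLS minors descend: <= DTLSv1_2_MINOR means DTLS 1.2 or later */`. The same convention sits behind `pv.minor <= DTLSv1_2_MINOR` in InitSuites and the `>= DTLSv1_2_MINOR` tests in InitSSL_Ctx and InitSSL, where `>=` accepts every DTLS version up to 1.2. A small helper or macro for both comparisons would keep these sites from drifting apart.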
@@ -357,15 +366,19 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) ctx->CBIOSend = EmbedSend; #ifdef CYASSL_DTLS if (method->version.major == DTLS_MAJOR - && method->version.minor == DTLS_MINOR) { - ctx->CBIORecv = EmbedReceiveFrom; - ctx->CBIOSend = EmbedSendTo; + && method->version.minor >= DTLSv1_2_MINOR) { + ctx->CBIORecv = EmbedReceiveFrom; + ctx->CBIOSend = EmbedSendTo; + ctx->CBIOCookie = EmbedGenerateCookie; } #endif #else /* user will set */ - ctx->CBIORecv = NULL; - ctx->CBIOSend = NULL; + ctx->CBIORecv = NULL; + ctx->CBIOSend = NULL; + #ifdef CYASSL_DTLS + ctx->CBIOCookie = NULL; + #endif #endif ctx->partialWrite = 0; ctx->verifyCallback = 0; @@ -591,8 +604,10 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, } #ifdef CYASSL_DTLS - if (pv.major == DTLS_MAJOR && pv.minor == DTLS_MINOR) - tls = 1; + if (pv.major == DTLS_MAJOR) { + tls = 1; + tls1_2 = pv.minor <= DTLSv1_2_MINOR; + } #endif #ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA 
@@ -623,6 +638,62 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, } #endif +#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + if (tls1_2 && haveRSAsig) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256; + } +#endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + if (tls1_2 && haveECDSAsig) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; + } +#endif + +#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + if (tls1_2 && haveRSAsig && haveStaticECC) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256; + } +#endif + +#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + if (tls1_2 && haveECDSAsig && haveStaticECC) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256; + } +#endif + +#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + if (tls1_2 && haveRSAsig) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384; + } +#endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + if (tls1_2 && haveECDSAsig) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384; + } +#endif + +#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + if (tls1_2 && haveRSAsig && haveStaticECC) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384; + } +#endif + +#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + if (tls1_2 && haveECDSAsig && haveStaticECC) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384; + } +#endif + #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 if (tls1_2 && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; 
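Review bot: The eight CBC-SHA256/SHA384 entries in InitSuites are inserted ahead of the existing ECDHE-ECDSA AES-256-GCM entry that follows the hunk, and the 128-bit suites ahead of the 256-bit ones. If the order of `suites->suites` is the preference order offered to the peer (the hunk does not show this, so confirm), CBC suites would now be preferred over the AEAD suites. Placing the new block after the GCM/CCM entries, or adding a comment that states the intended ordering, would settle it. Each entry also advances `idx` by two with no visible bound check, so the capacity of `suites->suites`, declared elsewhere, should be confirmed to cover the enlarged list. InitSuites starts and ends outside the hunk.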
@@ -939,14 +1010,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, #endif #ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 - if (tls & havePSK) { + if (tls && havePSK) { suites->suites[idx++] = 0; suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA256; } #endif #ifdef BUILD_TLS_PSK_WITH_NULL_SHA - if (tls & havePSK) { + if (tls && havePSK) { suites->suites[idx++] = 0; suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA; } @@ -1064,8 +1135,10 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, suites->hashSigAlgo[idx++] = sha256_mac; suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; #endif - suites->hashSigAlgo[idx++] = sha_mac; - suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; + #ifndef NO_SHA + suites->hashSigAlgo[idx++] = sha_mac; + suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; + #endif } if (haveRSAsig) { @@ -1077,8 +1150,10 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, suites->hashSigAlgo[idx++] = sha256_mac; suites->hashSigAlgo[idx++] = rsa_sa_algo; #endif - suites->hashSigAlgo[idx++] = sha_mac; - suites->hashSigAlgo[idx++] = rsa_sa_algo; + #ifndef NO_SHA + suites->hashSigAlgo[idx++] = sha_mac; + suites->hashSigAlgo[idx++] = rsa_sa_algo; + #endif } suites->hashSigAlgoSz = idx; @@ -1132,7 +1207,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->buffers.prevSent = 0; ssl->buffers.plainSz = 0; -#ifdef OPENSSL_EXTRA +#ifdef KEEP_PEER_CERT ssl->peerCert.derCert.buffer = NULL; ssl->peerCert.altNames = NULL; ssl->peerCert.altNamesNext = NULL; 
@@ -1160,11 +1235,18 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->IOCB_ReadCtx = &ssl->rfd; /* prevent invalid pointer access if not */ ssl->IOCB_WriteCtx = &ssl->wfd; /* correctly set */ +#ifdef CYASSL_DTLS + ssl->IOCB_CookieCtx = NULL; /* we don't use for default cb */ +#endif +#ifndef NO_OLD_TLS #ifndef NO_MD5 InitMd5(&ssl->hashMd5); #endif +#ifndef NO_SHA InitSha(&ssl->hashSha); +#endif +#endif #ifndef NO_SHA256 InitSha256(&ssl->hashSha256); #endif @@ -1243,7 +1325,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->heap = ctx->heap; /* defaults to self */ ssl->options.tls = 0; ssl->options.tls1_1 = 0; - if (ssl->version.major == DTLS_MAJOR && ssl->version.minor == DTLS_MINOR) + if (ssl->version.major == DTLS_MAJOR + && ssl->version.minor >= DTLSv1_2_MINOR) ssl->options.dtls = 1; else ssl->options.dtls = 0; @@ -1274,7 +1357,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->buffers.dtlsCtx.peer.sz = 0; #endif -#ifdef OPENSSL_EXTRA +#ifdef KEEP_PEER_CERT ssl->peerCert.issuer.sz = 0; ssl->peerCert.subject.sz = 0; #endif @@ -1302,6 +1385,13 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->rng = NULL; ssl->arrays = NULL; + + /* default alert state (none) */ + ssl->alert_history.last_rx.code = -1; + ssl->alert_history.last_rx.level = -1; + ssl->alert_history.last_tx.code = -1; + ssl->alert_history.last_tx.level = -1; + InitCiphers(ssl); InitCipherSpecs(&ssl->specs); /* all done with init, now can return errors, call other stuff */ 
@@ -1479,10 +1569,12 @@ void SSL_ResourceFree(CYASSL* ssl) XFREE(ssl->buffers.dtlsCtx.peer.sa, ssl->heap, DYNAMIC_TYPE_SOCKADDR); ssl->buffers.dtlsCtx.peer.sa = NULL; #endif -#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) +#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS) XFREE(ssl->peerCert.derCert.buffer, ssl->heap, DYNAMIC_TYPE_CERT); if (ssl->peerCert.altNames) FreeAltNames(ssl->peerCert.altNames, ssl->heap); +#endif +#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) CyaSSL_BIO_free(ssl->biord); if (ssl->biord != ssl->biowr) /* in case same as write */ CyaSSL_BIO_free(ssl->biowr); @@ -1895,6 +1987,15 @@ ProtocolVersion MakeDTLSv1(void) return pv; } +ProtocolVersion MakeDTLSv1_2(void) +{ + ProtocolVersion pv; + pv.major = DTLS_MAJOR; + pv.minor = DTLSv1_2_MINOR; + + return pv; +} + #endif /* CYASSL_DTLS */ @@ -1948,7 +2049,7 @@ ProtocolVersion MakeDTLSv1(void) } #elif defined(USER_TICKS) - +#if 0 word32 LowResTimer(void) { /* @@ -1956,7 +2057,7 @@ ProtocolVersion MakeDTLSv1(void) needs second accuracy but doesn't have to correlated to EPOCH */ } - +#endif #else /* !USE_WINDOWS_API && !THREADX && !MICRIUM && !USER_TICKS */ #include @@ -1982,10 +2083,13 @@ static void HashOutput(CYASSL* ssl, const byte* output, int sz, int ivSz) sz -= DTLS_RECORD_EXTRA; } #endif - +#ifndef NO_OLD_TLS +#ifndef NO_SHA ShaUpdate(&ssl->hashSha, adj, sz); +#endif #ifndef NO_MD5 Md5Update(&ssl->hashMd5, adj, sz); +#endif #endif if (IsAtLeastTLSv1_2(ssl)) { @@ -2012,9 +2116,13 @@ static void HashInput(CYASSL* ssl, const byte* input, int sz) } #endif +#ifndef NO_OLD_TLS +#ifndef NO_SHA ShaUpdate(&ssl->hashSha, adj, sz); +#endif #ifndef NO_MD5 Md5Update(&ssl->hashMd5, adj, sz); +#endif #endif if (IsAtLeastTLSv1_2(ssl)) { 
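Review bot: SSL_ResourceFree frees `ssl->peerCert.derCert.buffer` and `ssl->peerCert.altNames` under `#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)`, while the InitSSL hunks in this commit set those fields to NULL only under `#ifdef KEEP_PEER_CERT`. Unless GOAHEAD_WS implies KEEP_PEER_CERT in a settings header not shown here, a GOAHEAD_WS-only build would pass never-initialised pointers to XFREE and FreeAltNames. Using the same condition in both places, `#ifdef KEEP_PEER_CERT`, with the settings header defining KEEP_PEER_CERT for GOAHEAD_WS, removes the mismatch. The function continues outside the hunk.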
@@ -2101,6 +2209,11 @@ static int Receive(CYASSL* ssl, byte* buf, word32 sz) { int recvd; + if (ssl->ctx->CBIORecv == NULL) { + CYASSL_MSG("Your IO Recv callback is null, please set"); + return -1; + } + retry: recvd = ssl->ctx->CBIORecv(ssl, (char *)buf, (int)sz, ssl->IOCB_ReadCtx); if (recvd < 0) @@ -2141,13 +2254,13 @@ retry: ssl->options.isClosed = 1; return -1; -#ifdef CYASSL_DTLS case IO_ERR_TIMEOUT: +#ifdef CYASSL_DTLS if (DtlsPoolTimeout(ssl) == 0 && DtlsPoolSend(ssl) == 0) goto retry; else - return -1; #endif + return -1; default: return recvd; @@ -2195,6 +2308,11 @@ void ShrinkInputBuffer(CYASSL* ssl, int forcedFree) int SendBuffered(CYASSL* ssl) { + if (ssl->ctx->CBIOSend == NULL) { + CYASSL_MSG("Your IO Send callback is null, please set"); + return SOCKET_ERROR_E; + } + while (ssl->buffers.outputBuffer.length > 0) { int sent = ssl->ctx->CBIOSend(ssl, (char*)ssl->buffers.outputBuffer.buffer + @@ -2435,7 +2553,7 @@ static int GetDtlsHandShakeHeader(CYASSL* ssl, const byte* input, #endif -#ifndef NO_MD5 +#ifndef NO_OLD_TLS /* fill with MD5 pad size since biggest required */ static const byte PAD1[PAD_MD5] = { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 
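Review bot: In Receive's IO_ERR_TIMEOUT case the `else` now sits inside the `#ifdef CYASSL_DTLS` block while the statement it governs, `return -1;`, sits after the `#endif`, so the control flow has a different shape in each build and is easy to break with a later edit. Because the `if` branch ends in `goto retry;`, the `else` can simply be dropped, leaving `goto retry;`, then `#endif`, then `return -1;`. The retransmit path is also selected by the build flag alone in this hunk. If a DTLS-enabled build can also carry stream TLS sessions, consider gating it on `ssl->options.dtls`, as the Encrypt and GetInputData hunks in this commit do. Receive's body continues outside the hunk.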
@@ -2498,31 +2616,24 @@ static void BuildSHA(CYASSL* ssl, Hashes* hashes, const byte* sender) static void BuildFinished(CYASSL* ssl, Hashes* hashes, const byte* sender) { /* store current states, building requires get_digest which resets state */ +#ifndef NO_OLD_TLS #ifndef NO_MD5 Md5 md5 = ssl->hashMd5; #endif +#ifndef NO_SHA Sha sha = ssl->hashSha; +#endif +#endif #ifndef NO_SHA256 - Sha256 sha256; + Sha256 sha256 = ssl->hashSha256; #endif #ifdef CYASSL_SHA384 - Sha384 sha384; + Sha384 sha384 = ssl->hashSha384; #endif - if (IsAtLeastTLSv1_2(ssl)) { - #ifndef NO_SHA256 - InitSha256(&sha256); - sha256 = ssl->hashSha256; - #endif - #ifdef CYASSL_SHA384 - InitSha384(&sha384); - sha384 = ssl->hashSha384; - #endif - } - if (ssl->options.tls) BuildTlsFinished(ssl, hashes, sender); -#ifndef NO_MD5 +#ifndef NO_OLD_TLS else { BuildMD5(ssl, hashes, sender); BuildSHA(ssl, hashes, sender); @@ -2530,16 +2641,20 @@ static void BuildFinished(CYASSL* ssl, Hashes* hashes, const byte* sender) #endif /* restore */ +#ifndef NO_OLD_TLS #ifndef NO_MD5 ssl->hashMd5 = md5; #endif + #ifndef NO_SHA ssl->hashSha = sha; + #endif +#endif if (IsAtLeastTLSv1_2(ssl)) { #ifndef NO_SHA256 - ssl->hashSha256 = sha256; + ssl->hashSha256 = sha256; #endif #ifdef CYASSL_SHA384 - ssl->hashSha384 = sha384; + ssl->hashSha384 = sha384; #endif } } @@ -2722,7 +2837,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) #endif /* HAVE_CRL */ -#ifdef OPENSSL_EXTRA +#ifdef KEEP_PEER_CERT /* set X509 format for peer cert even if fatal */ XSTRNCPY(ssl->peerCert.issuer.name, dCert.issuer, ASN_NAME_MAX); ssl->peerCert.issuer.name[ASN_NAME_MAX - 1] = '\0'; @@ -2846,7 +2961,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) store.error = ret; store.error_depth = totalCerts; store.domain = domain; -#ifdef OPENSSL_EXTRA +#ifdef KEEP_PEER_CERT store.current_cert = &ssl->peerCert; #else store.current_cert = NULL; 
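Review bot: BuildFinished now copies `ssl->hashSha256` and `ssl->hashSha384` into the locals unconditionally, but the restore at the end is still wrapped in `if (IsAtLeastTLSv1_2(ssl))`, so save and restore no longer mirror each other. That is harmless only as long as the pre-1.2 path never touches those two states, which the hunk does not show. Either drop the condition so the restore is unconditional like the save, or add a comment such as `/* SHA-256/384 states are only consumed for TLS 1.2 and later */` above the conditional restore. The nested `#ifndef NO_SHA` in the restore block is also indented differently from the one in the save block.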
@@ -2934,7 +3049,6 @@ static int DoHelloRequest(CYASSL* ssl, const byte* input, word32* inOutIdx) int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, int sniff) { - byte verifyMAC[SHA256_DIGEST_SIZE]; int finishedSz = ssl->options.tls ? TLS_FINISHED_SZ : FINISHED_SZ; int headerSz = HANDSHAKE_HEADER_SZ; word32 macSz = finishedSz + HANDSHAKE_HEADER_SZ, @@ -2963,6 +3077,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, int sniff) } if (ssl->specs.cipher_type != aead) { + byte verifyMAC[MAX_DIGEST_SIZE]; ssl->hmac(ssl, verifyMAC, input + idx - headerSz, macSz, handshake, 1); idx += finishedSz; @@ -3316,6 +3431,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) { byte additional[AES_BLOCK_SIZE]; byte nonce[AEAD_NONCE_SZ]; + const byte* additionalSrc = input - 5; XMEMSET(additional, 0, AES_BLOCK_SIZE); @@ -3325,7 +3441,11 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) /* Store the type, version. Unfortunately, they are in * the input buffer ahead of the plaintext. */ - XMEMCPY(additional + AEAD_TYPE_OFFSET, input - 5, 3); + #ifdef CYASSL_DTLS + if (ssl->options.dtls) + additionalSrc -= DTLS_HANDSHAKE_EXTRA; + #endif + XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3); /* Store the length of the plain text minus the explicit * IV length minus the authentication tag size. */ @@ -3352,6 +3472,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) { byte additional[AES_BLOCK_SIZE]; byte nonce[AEAD_NONCE_SZ]; + const byte* additionalSrc = input - 5; XMEMSET(additional, 0, AES_BLOCK_SIZE); 
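Review bot: In Encrypt, the DTLS adjustment `additionalSrc -= DTLS_HANDSHAKE_EXTRA;` steps back over the extra record-header bytes (epoch and sequence number), yet it uses the constant named for the handshake header; HashOutput in this same commit uses DTLS_RECORD_EXTRA for the record-level extra bytes. If the two constants happen to be equal the code works, but `additionalSrc -= DTLS_RECORD_EXTRA;` would state what is meant and would stay correct if either value changes. The same line appears in the second AEAD case (the hunk at -3361). Reading before `input` also depends on the caller having placed the record header directly ahead of the plaintext, so that precondition deserves a comment next to the bare `5` and `3`. Encrypt starts and ends outside these hunks.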
@@ -3361,7 +3482,11 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) /* Store the type, version. Unfortunately, they are in * the input buffer ahead of the plaintext. */ - XMEMCPY(additional + AEAD_TYPE_OFFSET, input - 5, 3); + #ifdef CYASSL_DTLS + if (ssl->options.dtls) + additionalSrc -= DTLS_HANDSHAKE_EXTRA; + #endif + XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3); /* Store the length of the plain text minus the explicit * IV length minus the authentication tag size. */ @@ -3636,7 +3761,7 @@ static int DecryptMessage(CYASSL* ssl, byte* input, word32 sz, word32* idx) } -#ifndef NO_MD5 +#ifndef NO_OLD_TLS static INLINE void Md5Rounds(int rounds, const byte* data, int sz) { @@ -3649,7 +3774,6 @@ static INLINE void Md5Rounds(int rounds, const byte* data, int sz) Md5Update(&md5, data, sz); } -#endif static INLINE void ShaRounds(int rounds, const byte* data, int sz) @@ -3662,6 +3786,7 @@ static INLINE void ShaRounds(int rounds, const byte* data, int sz) for (i = 0; i < rounds; i++) ShaUpdate(&sha, data, sz); } +#endif #ifndef NO_SHA256 @@ -3735,15 +3860,19 @@ static INLINE void DoRounds(int type, int rounds, const byte* data, int sz) case no_mac : break; +#ifndef NO_OLD_TLS #ifndef NO_MD5 case md5_mac : Md5Rounds(rounds, data, sz); break; #endif +#ifndef NO_SHA case sha_mac : ShaRounds(rounds, data, sz); break; +#endif +#endif #ifndef NO_SHA256 case sha256_mac : @@ -3857,7 +3986,7 @@ static INLINE int GetRounds(int pLen, int padLen, int t) static int TimingPadVerify(CYASSL* ssl, const byte* input, int padLen, int t, int pLen) { - byte verify[SHA256_DIGEST_SIZE]; + byte verify[MAX_DIGEST_SIZE]; byte dummy[MAX_PAD_SIZE]; XMEMSET(dummy, 1, sizeof(dummy)); 
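Review bot: In DoRounds, `case sha_mac` is now compiled only when NO_OLD_TLS is undefined, and ShaRounds is moved under the same guard, but SHA-1 as a record MAC is not limited to the old protocol versions. If a build defines NO_OLD_TLS while still offering a TLS 1.2 CBC suite with a SHA-1 MAC (not visible here, so confirm), sha_mac would reach the default branch and the compensating hash rounds, presumably the ones the timing-resistant pad check relies on, would be skipped. Guarding ShaRounds and `case sha_mac` with `#ifndef NO_SHA` alone, independent of NO_OLD_TLS, avoids that gap. DoRounds continues outside the hunk.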
@@ -3907,7 +4036,7 @@ int DoApplicationData(CYASSL* ssl, byte* input, word32* inOutIdx) #ifdef HAVE_LIBZ byte decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA]; #endif - byte verify[SHA256_DIGEST_SIZE]; + byte verify[MAX_DIGEST_SIZE]; if (ssl->options.handShakeState != HANDSHAKE_DONE) { CYASSL_MSG("Received App data before handshake complete"); @@ -3958,7 +4087,7 @@ int DoApplicationData(CYASSL* ssl, byte* input, word32* inOutIdx) #ifdef HAVE_LIBZ if (ssl->options.usingCompression) { - dataSz = DeCompress(ssl, rawData, dataSz, decomp, sizeof(decomp)); + dataSz = myDeCompress(ssl, rawData, dataSz, decomp, sizeof(decomp)); if (dataSz < 0) return dataSz; } #endif @@ -3988,6 +4117,7 @@ int DoApplicationData(CYASSL* ssl, byte* input, word32* inOutIdx) static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type) { byte level; + byte code; #ifdef CYASSL_CALLBACKS if (ssl->hsInfoOn) @@ -3998,7 +4128,10 @@ static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type) RECORD_HEADER_SZ, 2 + RECORD_HEADER_SZ, ssl->heap); #endif level = input[(*inOutIdx)++]; - *type = (int)input[(*inOutIdx)++]; + code = (int)input[(*inOutIdx)++]; + ssl->alert_history.last_rx.code = code; + ssl->alert_history.last_rx.level = level; + *type = code; CYASSL_MSG("Got alert"); if (*type == close_notify) { @@ -4011,7 +4144,7 @@ static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type) if (ssl->specs.cipher_type != aead) { int aSz = ALERT_SIZE; const byte* mac; - byte verify[SHA256_DIGEST_SIZE]; + byte verify[MAX_DIGEST_SIZE]; int padSz = ssl->keys.encryptSz - aSz - ssl->specs.hash_size; ssl->hmac(ssl, verify, input + *inOutIdx - aSz, aSz, alert, 1); @@ -4040,6 +4173,7 @@ static int GetInputData(CYASSL *ssl, word32 size) int inSz; int maxLength; int usedLength; + int dtlsExtra = 0; /* check max input length */ 
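Review bot: In DoAlert (hunk at -3998) `ssl->alert_history.last_rx` is filled in before the record MAC is checked; the `ssl->hmac(...)` verification for non-AEAD suites only runs further down, in the hunk at -4011. An alert that later fails verification therefore still overwrites the history an application may read for diagnostics or policy. I would move the two `alert_history` assignments to after the MAC check succeeds, or add a comment such as `/* recorded before MAC verification: treat as unauthenticated */`. Separately, `code` is declared `byte`, so the `(int)` cast in `code = (int)input[(*inOutIdx)++];` can be dropped.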
@@ -4048,12 +4182,15 @@ static int GetInputData(CYASSL *ssl, word32 size) inSz = (int)(size - usedLength); /* from last partial read */ #ifdef CYASSL_DTLS - if (ssl->options.dtls) + if (ssl->options.dtls) { + if (size < MAX_MTU) + dtlsExtra = (int)(MAX_MTU - size); inSz = MAX_MTU; /* read ahead up to MTU */ + } #endif if (inSz > maxLength) { - if (GrowInputBuffer(ssl, size, usedLength) < 0) + if (GrowInputBuffer(ssl, size + dtlsExtra, usedLength) < 0) return MEMORY_E; } @@ -4235,12 +4372,16 @@ int ProcessReply(CYASSL* ssl) /* the record layer is here */ case runProcessingOneMessage: - if (ssl->keys.encryptionOn && ssl->keys.decryptedCur == 0) - if (DecryptMessage(ssl, ssl->buffers.inputBuffer.buffer + - ssl->buffers.inputBuffer.idx, - ssl->curSize, - &ssl->buffers.inputBuffer.idx) < 0) + if (ssl->keys.encryptionOn && ssl->keys.decryptedCur == 0) { + ret = DecryptMessage(ssl, ssl->buffers.inputBuffer.buffer + + ssl->buffers.inputBuffer.idx, + ssl->curSize, + &ssl->buffers.inputBuffer.idx); + if (ret < 0) { + CYASSL_ERROR(ret); return DECRYPT_ERROR; + } + } CYASSL_MSG("received record layer msg"); @@ -4441,7 +4582,7 @@ static INLINE const byte* GetMacSecret(CYASSL* ssl, int verify) static void Hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, int content, int verify) { - byte result[SHA256_DIGEST_SIZE]; /* max possible sizes */ + byte result[MAX_DIGEST_SIZE]; word32 digestSz = ssl->specs.hash_size; /* actual sizes */ word32 padSz = ssl->specs.pad_size; @@ -4492,7 +4633,7 @@ static void Hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, } } - +#ifndef NO_CERTS static void BuildMD5_CertVerify(CYASSL* ssl, byte* digest) { byte md5_result[MD5_DIGEST_SIZE]; 
@@ -4527,34 +4668,31 @@ static void BuildSHA_CertVerify(CYASSL* ssl, byte* digest) ShaFinal(&ssl->hashSha, digest); } +#endif /* NO_CERTS */ +#endif /* NO_OLD_TLS */ +#ifndef NO_CERTS + static void BuildCertHashes(CYASSL* ssl, Hashes* hashes) { /* store current states, building requires get_digest which resets state */ + #ifndef NO_OLD_TLS Md5 md5 = ssl->hashMd5; Sha sha = ssl->hashSha; + #endif #ifndef NO_SHA256 - Sha256 sha256; + Sha256 sha256 = ssl->hashSha256; #endif #ifdef CYASSL_SHA384 - Sha384 sha384; + Sha384 sha384 = ssl->hashSha384; #endif - if (IsAtLeastTLSv1_2(ssl)) { - #ifndef NO_SHA256 - InitSha256(&sha256); - sha256 = ssl->hashSha256; - #endif - #ifdef CYASSL_SHA384 - InitSha384(&sha384); - sha384 = ssl->hashSha384; - #endif - } - if (ssl->options.tls) { +#if ! defined( NO_OLD_TLS ) Md5Final(&ssl->hashMd5, hashes->md5); ShaFinal(&ssl->hashSha, hashes->sha); +#endif if (IsAtLeastTLSv1_2(ssl)) { #ifndef NO_SHA256 Sha256Final(&ssl->hashSha256, hashes->sha256); @@ -4564,6 +4702,7 @@ static void BuildCertHashes(CYASSL* ssl, Hashes* hashes) #endif } } +#if ! defined( NO_OLD_TLS ) else { BuildMD5_CertVerify(ssl, hashes->md5); BuildSHA_CertVerify(ssl, hashes->sha); @@ -4572,6 +4711,7 @@ static void BuildCertHashes(CYASSL* ssl, Hashes* hashes) /* restore */ ssl->hashMd5 = md5; ssl->hashSha = sha; +#endif if (IsAtLeastTLSv1_2(ssl)) { #ifndef NO_SHA256 ssl->hashSha256 = sha256; @@ -4581,7 +4721,8 @@ static void BuildCertHashes(CYASSL* ssl, Hashes* hashes) #endif } } -#endif + +#endif /* CYASSL_LEANPSK */ /* Build SSL Message, encrypted */ static int BuildMessage(CYASSL* ssl, byte* output, const byte* input, int inSz, @@ -4960,7 +5101,7 @@ int SendData(CYASSL* ssl, const void* data, int sz) #ifdef HAVE_LIBZ if (ssl->options.usingCompression) { - buffSz = Compress(ssl, sendBuffer, buffSz, comp, sizeof(comp)); + buffSz = myCompress(ssl, sendBuffer, buffSz, comp, sizeof(comp)); if (buffSz < 0) { return buffSz; } 
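Review bot: The `#endif` that now follows BuildCertHashes (hunk at -4581) is labelled `/* CYASSL_LEANPSK */`, but going by the hunks at -4492 and -4527 the block it closes appears to be the `#ifndef NO_CERTS` opened directly above the function. With three guards (`NO_OLD_TLS`, `NO_CERTS`, and whatever sits above the visible hunks) interleaved here, a wrong label makes it easy to put the next function inside the wrong guard. I would relabel it `#endif /* NO_CERTS */`, unless an outer guard opened outside these hunks is really what it closes.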
@@ -5017,7 +5158,7 @@ int ReceiveData(CYASSL* ssl, byte* output, int sz, int peek) CYASSL_ERROR(ssl->error); if (ssl->error == ZERO_RETURN) { CYASSL_MSG("Zero return, no more data coming"); - ssl->options.isClosed = 1; + ssl->options.isClosed = 1; /* Don't send close_notify */ return 0; /* no more data coming */ } if (ssl->error == SOCKET_ERROR_E) { @@ -5057,6 +5198,7 @@ int SendAlert(CYASSL* ssl, int severity, int type) byte *output; int sendSz; int ret; + int dtlsExtra = 0; /* if sendalert is called again for nonbloking */ if (ssl->options.sendAlertState != 0) { @@ -5066,8 +5208,14 @@ int SendAlert(CYASSL* ssl, int severity, int type) return ret; } + #ifdef CYASSL_DTLS + if (ssl->options.dtls) + dtlsExtra = DTLS_RECORD_EXTRA; + #endif + /* check for avalaible size */ - if ((ret = CheckAvalaibleSize(ssl, ALERT_SIZE + MAX_MSG_EXTRA)) != 0) + if ((ret = CheckAvalaibleSize(ssl, + ALERT_SIZE + MAX_MSG_EXTRA + dtlsExtra)) != 0) return ret; /* get ouput buffer */ @@ -5076,6 +5224,8 @@ int SendAlert(CYASSL* ssl, int severity, int type) input[0] = (byte)severity; input[1] = (byte)type; + ssl->alert_history.last_tx.code = type; + ssl->alert_history.last_tx.level = severity; /* only send encrypted alert if handshake actually complete, otherwise other side may not be able to handle it */ 
@@ -5722,7 +5872,39 @@ const char* const cipher_names[] = #endif #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - "DHE-RSA-CAMELLIA256-SHA256" + "DHE-RSA-CAMELLIA256-SHA256", +#endif + +#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + "ECDHE-RSA-AES128-SHA256", +#endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + "ECDHE-ECDSA-AES128-SHA256", +#endif + +#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + "ECDH-RSA-AES128-SHA256", +#endif + +#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + "ECDH-ECDSA-AES128-SHA256", +#endif + +#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + "ECDHE-RSA-AES256-SHA384", +#endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + "ECDHE-ECDSA-AES256-SHA384", +#endif + +#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + "ECDH-RSA-AES256-SHA384", +#endif + +#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + "ECDH-ECDSA-AES256-SHA384", #endif }; @@ -5990,9 +6172,40 @@ int cipher_name_idx[] = #endif #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, #endif +#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, +#endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, +#endif + +#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, +#endif + +#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, +#endif + +#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, +#endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, +#endif + +#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, +#endif + +#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 +#endif }; 
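Review bot: `cipher_names` (hunk at -5722) and `cipher_name_idx` (hunk at -5990) are parallel tables matched only by position, and eight `#ifdef`-guarded entries are added to each by hand. A guard that differs between the two tables would shift every later index, so a lookup by name could return a different suite than the one requested. I would add a compile-time check next to the tables, for example `typedef char cipher_tables_match[(sizeof(cipher_names)/sizeof(cipher_names[0]) == sizeof(cipher_name_idx)/sizeof(cipher_name_idx[0])) ? 1 : -1];`. The last `cipher_name_idx` entry also lacks the trailing comma its `cipher_names` counterpart has, which is the same slip this commit fixes on the CAMELLIA256 line.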
@@ -6092,7 +6305,7 @@ int SetCipherList(Suites* s, const char* list) s->hashSigAlgo[idx++] = rsa_sa_algo; } - s->hashSigAlgoSz = idx; + s->hashSigAlgoSz = (word16)idx; } return ret; @@ -6681,8 +6894,10 @@ int SetCipherList(Suites* s, const char* list) #if defined(OPENSSL_EXTRA) || defined(HAVE_ECC) { +#ifndef NO_OLD_TLS Md5 md5; Sha sha; +#endif byte hash[FINISHED_SZ]; #ifndef NO_SHA256 Sha256 sha256; @@ -6720,7 +6935,7 @@ int SetCipherList(Suites* s, const char* list) sigLen = length; /* verify signature */ - +#ifndef NO_OLD_TLS /* md5 */ InitMd5(&md5); Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN); @@ -6734,7 +6949,7 @@ int SetCipherList(Suites* s, const char* list) ShaUpdate(&sha, ssl->arrays->serverRandom, RAN_LEN); ShaUpdate(&sha, messageVerify, verifySz); ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]); - +#endif #ifndef NO_SHA256 InitSha256(&sha256); Sha256Update(&sha256, ssl->arrays->clientRandom, RAN_LEN); @@ -6750,7 +6965,7 @@ int SetCipherList(Suites* s, const char* list) Sha384Update(&sha384, messageVerify, verifySz); Sha384Final(&sha384, hash384); #endif - +#ifndef NO_RSA /* rsa */ if (sigAlgo == rsa_sa_algo) { @@ -6765,11 +6980,24 @@ int SetCipherList(Suites* s, const char* list) if (IsAtLeastTLSv1_2(ssl)) { byte encodedSig[MAX_ENCODED_SIG_SZ]; word32 encSigSz; +#ifndef NO_OLD_TLS byte* digest = &hash[MD5_DIGEST_SIZE]; int typeH = SHAh; int digestSz = SHA_DIGEST_SIZE; +#else + byte* digest = hash256; + int typeH = SHA256h; + int digestSz = SHA256_DIGEST_SIZE; +#endif - if (hashAlgo == sha256_mac) { + if (hashAlgo == sha_mac) { + #ifndef NO_SHA + digest = &hash[MD5_DIGEST_SIZE]; + typeH = SHAh; + digestSz = SHA_DIGEST_SIZE; + #endif + } + else if (hashAlgo == sha256_mac) { #ifndef NO_SHA256 digest = hash256; typeH = SHA256h; 
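Review bot: In the RSA branch of the key-exchange signature check (hunk at -6765), `hashAlgo == sha_mac` points `digest` at `&hash[MD5_DIGEST_SIZE]` under `#ifndef NO_SHA`, but the hunks at -6720 and -6734 now fill the MD5/SHA-1 halves of `hash` only under `#ifndef NO_OLD_TLS`. In a build with `NO_OLD_TLS` but without `NO_SHA`, a handshake that selects SHA-1 is verified against uninitialised stack bytes. I would guard the branch with `#if !defined(NO_SHA) && !defined(NO_OLD_TLS)` and otherwise fail with `ALGO_ID_E` when `sha_mac` is requested. The same pattern is in the ECDSA branch (hunk at -6794), in the server-side ECDSA signing (hunk at -7622), and, reading `ssl->certHashes.sha`, in SendCertificateVerify (hunks at -7150 and -7173). Whether `NO_OLD_TLS` is meant to imply `NO_SHA` is not visible here.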
@@ -6794,18 +7022,30 @@ int SetCipherList(Suites* s, const char* list) if (ret != sizeof(hash) || XMEMCMP(out, hash,sizeof(hash)) != 0) return VERIFY_SIGN_ERROR; } - } + } else +#endif #ifdef HAVE_ECC /* ecdsa */ - else if (sigAlgo == ecc_dsa_sa_algo) { + if (sigAlgo == ecc_dsa_sa_algo) { int verify = 0, ret; +#ifndef NO_OLD_TLS byte* digest = &hash[MD5_DIGEST_SIZE]; word32 digestSz = SHA_DIGEST_SIZE; +#else + byte* digest = hash256; + word32 digestSz = SHA256_DIGEST_SIZE; +#endif if (!ssl->peerEccDsaKeyPresent) return NO_PEER_KEY; if (IsAtLeastTLSv1_2(ssl)) { - if (hashAlgo == sha256_mac) { + if (hashAlgo == sha_mac) { + #ifndef NO_SHA + digest = &hash[MD5_DIGEST_SIZE]; + digestSz = SHA_DIGEST_SIZE; + #endif + } + else if (hashAlgo == sha256_mac) { #ifndef NO_SHA256 digest = hash256; digestSz = SHA256_DIGEST_SIZE; @@ -6824,8 +7064,8 @@ int SetCipherList(Suites* s, const char* list) if (ret != 0 || verify == 0) return VERIFY_SIGN_ERROR; } -#endif /* HAVE_ECC */ else +#endif /* HAVE_ECC */ return ALGO_ID_E; ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; @@ -6921,6 +7161,8 @@ int SetCipherList(Suites* s, const char* list) pms += 2; XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); ssl->arrays->preMasterSz = ssl->arrays->psk_keySz * 2 + 4; + XMEMSET(ssl->arrays->psk_key, 0, ssl->arrays->psk_keySz); + ssl->arrays->psk_keySz = 0; /* No further need */ } break; #endif /* NO_PSK */ 
@@ -7077,23 +7319,30 @@ int SetCipherList(Suites* s, const char* list) ret = tmpRet; /* save WANT_WRITE unless more serious */ ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; } + /* No further need for PMS */ + XMEMSET(ssl->arrays->preMasterSecret, 0, ssl->arrays->preMasterSz); + ssl->arrays->preMasterSz = 0; return ret; } -#ifndef NO_RSA +#ifndef NO_CERTS int SendCertificateVerify(CYASSL* ssl) { byte *output; int sendSz = 0, length, ret; word32 idx = 0; word32 sigOutSz = 0; +#ifndef NO_RSA RsaKey key; +#endif int usingEcc = 0; #ifdef HAVE_ECC ecc_key eccKey; #endif + (void)idx; + if (ssl->options.sendVerify == SEND_BLANK_CERT) return 0; /* sent blank cert, can't verify */ @@ -7110,12 +7359,15 @@ int SetCipherList(Suites* s, const char* list) #ifdef HAVE_ECC ecc_init(&eccKey); #endif +#ifndef NO_RSA InitRsaKey(&key, ssl->heap); ret = RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &key, ssl->buffers.key.length); if (ret == 0) sigOutSz = RsaEncryptSize(&key); - else { + else +#endif + { #ifdef HAVE_ECC CYASSL_MSG("Trying ECC client cert, RSA didn't work"); @@ -7125,7 +7377,7 @@ int SetCipherList(Suites* s, const char* list) if (ret == 0) { CYASSL_MSG("Using ECC client cert"); usingEcc = 1; - sigOutSz = ecc_sig_size(&eccKey); + sigOutSz = MAX_ENCODED_SIG_SZ; } else { CYASSL_MSG("Bad client cert type"); @@ -7135,11 +7387,19 @@ int SetCipherList(Suites* s, const char* list) if (ret == 0) { byte* verify = (byte*)&output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ]; +#ifndef NO_OLD_TLS byte* signBuffer = ssl->certHashes.md5; +#else + byte* signBuffer = NULL; +#endif word32 signSz = FINISHED_SZ; byte encodedSig[MAX_ENCODED_SIG_SZ]; word32 extraSz = 0; /* tls 1.2 hash/sig */ + (void)encodedSig; + (void)signSz; + (void)signBuffer; + #ifdef CYASSL_DTLS if (ssl->options.dtls) verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; 
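Review bot: The pre-master-secret wipe (hunk at -7077) sits directly before the final `return ret;`, so it only runs on paths that fall through to the end of the function. Any earlier `return` in the key-exchange code above the hunk would leave the secret in `ssl->arrays`. It also clears only `preMasterSz` bytes, which is nothing if a failing path never set the size. I would route the error exits through this cleanup and, if `preMasterSecret` is a fixed-size array, clear `sizeof(ssl->arrays->preMasterSecret)` instead. The server-side wipe in the hunk at -9224 has the same shape; both functions extend beyond their hunks.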
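Review bot: In SendCertificateVerify (hunk at -7135) `signBuffer` starts as `NULL` when `NO_OLD_TLS` is defined, and the only reassignment visible is `signBuffer = encodedSig;` inside the `IsAtLeastTLSv1_2` branch of the RSA path (hunk at -7203). If that path is ever reached with an older version in such a build, `RsaSSL_Sign` is handed a NULL input with `signSz` still `FINISHED_SZ`. I would make the assumption explicit by failing before the `RsaSSL_Sign` call when `signBuffer` is still NULL, with a comment such as `/* NO_OLD_TLS: only the TLS 1.2 encoded-signature path is valid */`. The `(void)signBuffer;` added here silences the warning but not the hazard.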
@@ -7150,16 +7410,30 @@ int SetCipherList(Suites* s, const char* list) verify[1] = usingEcc ? ecc_dsa_sa_algo : rsa_sa_algo; extraSz = HASH_SIG_SIZE; } - c16toa((word16)length, verify + extraSz); /* prepend verify header*/ if (usingEcc) { #ifdef HAVE_ECC - word32 localSz = sigOutSz; - word32 digestSz = SHA_DIGEST_SIZE; - byte* digest = ssl->certHashes.sha; + word32 localSz = MAX_ENCODED_SIG_SZ; + word32 digestSz; + byte* digest; +#ifndef NO_OLD_TLS + /* old tls default */ + digestSz = SHA_DIGEST_SIZE; + digest = ssl->certHashes.sha; +#else + /* new tls default */ + digestSz = SHA256_DIGEST_SIZE; + digest = ssl->certHashes.sha256; +#endif if (IsAtLeastTLSv1_2(ssl)) { - if (ssl->suites->hashAlgo == sha256_mac) { + if (ssl->suites->hashAlgo == sha_mac) { + #ifndef NO_SHA + digest = ssl->certHashes.sha; + digestSz = SHA_DIGEST_SIZE; + #endif + } + else if (ssl->suites->hashAlgo == sha256_mac) { #ifndef NO_SHA256 digest = ssl->certHashes.sha256; digestSz = SHA256_DIGEST_SIZE; 
@@ -7173,18 +7447,36 @@ int SetCipherList(Suites* s, const char* list) } } - ret = ecc_sign_hash(digest, digestSz, - verify + extraSz + VERIFY_HEADER, - &localSz, ssl->rng, &eccKey); + ret = ecc_sign_hash(digest, digestSz, encodedSig, + &localSz, ssl->rng, &eccKey); + if (ret == 0) { + length = localSz; + c16toa((word16)length, verify + extraSz); /* prepend hdr */ + XMEMCPY(verify + extraSz + VERIFY_HEADER,encodedSig,length); + } #endif } +#ifndef NO_RSA else { if (IsAtLeastTLSv1_2(ssl)) { +#ifndef NO_OLD_TLS byte* digest = ssl->certHashes.sha; int digestSz = SHA_DIGEST_SIZE; int typeH = SHAh; +#else + byte* digest = ssl->certHashes.sha256; + int digestSz = SHA256_DIGEST_SIZE; + int typeH = SHA256h; +#endif - if (ssl->suites->hashAlgo == sha256_mac) { + if (ssl->suites->hashAlgo == sha_mac) { + #ifndef NO_SHA + digest = ssl->certHashes.sha; + typeH = SHAh; + digestSz = SHA_DIGEST_SIZE; + #endif + } + else if (ssl->suites->hashAlgo == sha256_mac) { #ifndef NO_SHA256 digest = ssl->certHashes.sha256; typeH = SHA256h; @@ -7203,13 +7495,14 @@ int SetCipherList(Suites* s, const char* list) signBuffer = encodedSig; } + c16toa((word16)length, verify + extraSz); /* prepend hdr */ ret = RsaSSL_Sign(signBuffer, signSz, verify + extraSz + VERIFY_HEADER, ENCRYPT_LEN, &key, ssl->rng); if (ret > 0) ret = 0; /* RSA reset */ } - +#endif if (ret == 0) { AddHeaders(output, length + extraSz + VERIFY_HEADER, certificate_verify, ssl); @@ -7226,8 +7519,9 @@ int SetCipherList(Suites* s, const char* list) HashOutput(ssl, output, sendSz, 0); } } - +#ifndef NO_RSA FreeRsaKey(&key); +#endif #ifdef HAVE_ECC ecc_free(&eccKey); #endif @@ -7249,7 +7543,7 @@ int SetCipherList(Suites* s, const char* list) else return ret; } -#endif /* NO_RSA */ +#endif /* NO_CERTS */ #endif /* NO_CYASSL_CLIENT */ 
@@ -7449,7 +7743,9 @@ int SetCipherList(Suites* s, const char* list) word32 expSz = sizeof(exportBuf); word32 sigSz; word32 preSigSz, preSigIdx; +#ifndef NO_RSA RsaKey rsaKey; +#endif ecc_key dsaKey; if (ssl->specs.static_ecdh) { @@ -7468,18 +7764,23 @@ int SetCipherList(Suites* s, const char* list) preSigSz = length; preSigIdx = idx; +#ifndef NO_RSA InitRsaKey(&rsaKey, ssl->heap); +#endif ecc_init(&dsaKey); /* sig length */ length += LENGTH_SZ; if (!ssl->buffers.key.buffer) { +#ifndef NO_RSA FreeRsaKey(&rsaKey); +#endif ecc_free(&dsaKey); return NO_PRIVATE_KEY; } +#ifndef NO_RSA if (ssl->specs.sig_algo == rsa_sa_algo) { /* rsa sig size */ word32 i = 0; @@ -7487,17 +7788,20 @@ int SetCipherList(Suites* s, const char* list) &rsaKey, ssl->buffers.key.length); if (ret != 0) return ret; sigSz = RsaEncryptSize(&rsaKey); - } - else if (ssl->specs.sig_algo == ecc_dsa_sa_algo) { + } else +#endif + if (ssl->specs.sig_algo == ecc_dsa_sa_algo) { /* ecdsa sig size */ word32 i = 0; ret = EccPrivateKeyDecode(ssl->buffers.key.buffer, &i, &dsaKey, ssl->buffers.key.length); if (ret != 0) return ret; - sigSz = ecc_sig_size(&dsaKey); + sigSz = ecc_sig_size(&dsaKey) + 2; /* worst case estimate */ } else { +#ifndef NO_RSA FreeRsaKey(&rsaKey); +#endif ecc_free(&dsaKey); return ALGO_ID_E; /* unsupported type */ } @@ -7517,7 +7821,9 @@ int SetCipherList(Suites* s, const char* list) #endif /* check for avalaible size */ if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0) { +#ifndef NO_RSA FreeRsaKey(&rsaKey); +#endif ecc_free(&dsaKey); return ret; } @@ -7526,7 +7832,8 @@ int SetCipherList(Suites* s, const char* list) output = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length; - AddHeaders(output, length, server_key_exchange, ssl); + /* record and message headers will be added below, when we're sure + of the sig length */ /* key exchange data */ output[idx++] = named_curve; 
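Review bot: Both key-decode failures in the hunk at -7487 leave through `if (ret != 0) return ret;` without releasing the keys, while the neighbouring error paths (hunks at -7468 and -7517) call `FreeRsaKey(&rsaKey)` under `#ifndef NO_RSA` and `ecc_free(&dsaKey)` first. Both keys were initialised a few lines earlier, so these returns leak whatever the initialisers and a partial decode allocated, and that memory may hold private-key material. I would give the two returns the same cleanup as the `ALGO_ID_E` path in this hunk. The function starts and ends outside the hunk.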
@@ -7539,13 +7846,16 @@ int SetCipherList(Suites* s, const char* list) output[idx++] = ssl->suites->hashAlgo; output[idx++] = ssl->suites->sigAlgo; } - c16toa((word16)sigSz, output + idx); - idx += LENGTH_SZ; + + /* Signtaure length will be written later, when we're sure what it + is */ /* do signature */ { +#ifndef NO_OLD_TLS Md5 md5; Sha sha; +#endif byte hash[FINISHED_SZ]; #ifndef NO_SHA256 Sha256 sha256; @@ -7556,6 +7866,7 @@ int SetCipherList(Suites* s, const char* list) byte hash384[SHA384_DIGEST_SIZE]; #endif +#ifndef NO_OLD_TLS /* md5 */ InitMd5(&md5); Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN); @@ -7569,6 +7880,7 @@ int SetCipherList(Suites* s, const char* list) ShaUpdate(&sha, ssl->arrays->serverRandom, RAN_LEN); ShaUpdate(&sha, output + preSigIdx, preSigSz); ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]); +#endif #ifndef NO_SHA256 InitSha256(&sha256); @@ -7585,7 +7897,7 @@ int SetCipherList(Suites* s, const char* list) Sha384Update(&sha384, output + preSigIdx, preSigSz); Sha384Final(&sha384, hash384); #endif - +#ifndef NO_RSA if (ssl->suites->sigAlgo == rsa_sa_algo) { byte* signBuffer = hash; word32 signSz = sizeof(hash); @@ -7614,6 +7926,10 @@ int SetCipherList(Suites* s, const char* list) typeH); signBuffer = encodedSig; } + /* write sig size here */ + c16toa((word16)sigSz, output + idx); + idx += LENGTH_SZ; + ret = RsaSSL_Sign(signBuffer, signSz, output + idx, sigSz, &rsaKey, ssl->rng); FreeRsaKey(&rsaKey); 
@@ -7622,14 +7938,26 @@ int SetCipherList(Suites* s, const char* list) ret = 0; /* reset on success */ else return ret; - } - else if (ssl->suites->sigAlgo == ecc_dsa_sa_algo) { + } else +#endif + if (ssl->suites->sigAlgo == ecc_dsa_sa_algo) { +#ifndef NO_OLD_TLS byte* digest = &hash[MD5_DIGEST_SIZE]; word32 digestSz = SHA_DIGEST_SIZE; +#else + byte* digest = hash256; + word32 digestSz = SHA256_DIGEST_SIZE; +#endif word32 sz = sigSz; if (IsAtLeastTLSv1_2(ssl)) { - if (ssl->suites->hashAlgo == sha256_mac) { + if (ssl->suites->hashAlgo == sha_mac) { + #ifndef NO_SHA + digest = &hash[MD5_DIGEST_SIZE]; + digestSz = SHA_DIGEST_SIZE; + #endif + } + else if (ssl->suites->hashAlgo == sha256_mac) { #ifndef NO_SHA256 digest = hash256; digestSz = SHA256_DIGEST_SIZE; @@ -7644,13 +7972,23 @@ int SetCipherList(Suites* s, const char* list) } ret = ecc_sign_hash(digest, digestSz, - output + idx, &sz, ssl->rng, &dsaKey); + output + LENGTH_SZ + idx, &sz, ssl->rng, &dsaKey); +#ifndef NO_RSA FreeRsaKey(&rsaKey); +#endif ecc_free(&dsaKey); if (ret < 0) return ret; + + /* Now that we know the real sig size, write it. */ + c16toa((word16)sz, output + idx); + + /* And adjust length and sendSz from estimates */ + length += sz - sigSz; + sendSz += sz - sigSz; } } + AddHeaders(output, length, server_key_exchange, ssl); HashOutput(ssl, output, sendSz, 0); #ifdef CYASSL_CALLBACKS @@ -7797,8 +8135,10 @@ int SetCipherList(Suites* s, const char* list) /* do signature */ { +#ifndef NO_OLD_TLS Md5 md5; Sha sha; +#endif byte hash[FINISHED_SZ]; #ifndef NO_SHA256 Sha256 sha256; @@ -7809,6 +8149,7 @@ int SetCipherList(Suites* s, const char* list) byte hash384[SHA384_DIGEST_SIZE]; #endif +#ifndef NO_OLD_TLS /* md5 */ InitMd5(&md5); Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN); 
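Review bot: The adjustment `length += sz - sigSz;` and `sendSz += sz - sigSz;` (hunk at -7644) subtracts two `word32` values where `sz` is normally the smaller one, so the intermediate result wraps and the sums only come out right through modular arithmetic and an implementation-defined conversion if `sendSz` is signed. Nothing checks that the signer left `sz <= sigSz` either. I would write `length -= (sigSz - sz);` and `sendSz -= (int)(sigSz - sz);` after a guard such as `if (sz > sigSz) return BUFFER_ERROR;`, choosing whichever error code the file uses for this case. The declarations of `length` and `sendSz` are outside the hunk, so adjust the cast to their actual types.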
@@ -7822,6 +8163,7 @@ int SetCipherList(Suites* s, const char* list) ShaUpdate(&sha, ssl->arrays->serverRandom, RAN_LEN); ShaUpdate(&sha, output + preSigIdx, preSigSz); ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]); +#endif #ifndef NO_SHA256 InitSha256(&sha256); @@ -7838,7 +8180,7 @@ int SetCipherList(Suites* s, const char* list) Sha384Update(&sha384, output + preSigIdx, preSigSz); Sha384Final(&sha384, hash384); #endif - +#ifndef NO_RSA if (ssl->suites->sigAlgo == rsa_sa_algo) { byte* signBuffer = hash; word32 signSz = sizeof(hash); @@ -7873,6 +8215,7 @@ int SetCipherList(Suites* s, const char* list) if (ret <= 0) return ret; } +#endif } #ifdef CYASSL_DTLS @@ -7927,6 +8270,7 @@ int SetCipherList(Suites* s, const char* list) switch (second) { +#ifndef NO_RSA case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : if (requirement == REQUIRES_RSA) return 1; @@ -7939,6 +8283,7 @@ int SetCipherList(Suites* s, const char* list) return 1; break; +#ifndef NO_3DES case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : if (requirement == REQUIRES_RSA) return 1; @@ -7950,7 +8295,9 @@ int SetCipherList(Suites* s, const char* list) if (requirement == REQUIRES_RSA_SIG) return 1; break; +#endif +#ifndef NO_RC4 case TLS_ECDHE_RSA_WITH_RC4_128_SHA : if (requirement == REQUIRES_RSA) return 1; @@ -7962,7 +8309,10 @@ int SetCipherList(Suites* s, const char* list) if (requirement == REQUIRES_RSA_SIG) return 1; break; +#endif +#endif /* NO_RSA */ +#ifndef NO_3DES case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : if (requirement == REQUIRES_ECC_DSA) return 1; @@ -7972,7 +8322,8 @@ int SetCipherList(Suites* s, const char* list) if (requirement == REQUIRES_ECC_STATIC) return 1; break; - +#endif +#ifndef NO_RC4 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : if (requirement == REQUIRES_ECC_DSA) return 1; 
@@ -7982,7 +8333,8 @@ int SetCipherList(Suites* s, const char* list) if (requirement == REQUIRES_ECC_STATIC) return 1; break; - +#endif +#ifndef NO_RSA case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : if (requirement == REQUIRES_RSA) return 1; @@ -7994,6 +8346,7 @@ int SetCipherList(Suites* s, const char* list) if (requirement == REQUIRES_RSA_SIG) return 1; break; +#endif case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : if (requirement == REQUIRES_ECC_DSA) @@ -8035,6 +8388,7 @@ int SetCipherList(Suites* s, const char* list) return 1; break; +#ifndef NO_RSA case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : if (requirement == REQUIRES_RSA) return 1; @@ -8073,6 +8427,37 @@ int SetCipherList(Suites* s, const char* list) return 1; break; + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : + if (requirement == REQUIRES_RSA) + return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; + break; + + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : + if (requirement == REQUIRES_ECC_DSA) + return 1; + break; + + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : + if (requirement == REQUIRES_RSA_SIG) + return 1; + if (requirement == REQUIRES_ECC_STATIC) + return 1; + break; + + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : + if (requirement == REQUIRES_ECC_DSA) + return 1; + if (requirement == REQUIRES_ECC_STATIC) + return 1; + break; +#endif + default: CYASSL_MSG("Unsupported cipher suite, CipherRequires ECC"); return 0; @@ -8081,6 +8466,7 @@ int SetCipherList(Suites* s, const char* list) if (first != ECC_BYTE) { /* normal suites */ switch (second) { +#ifndef NO_RSA case SSL_RSA_WITH_RC4_128_SHA : if (requirement == REQUIRES_RSA) return 1; 
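Review bot: The `#ifndef NO_RSA` opened before `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` (hunk at -8035) is not closed until after the new CBC-SHA256/SHA384 cases (hunk at -8073), so the ECDSA-only cases added there, such as `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` and `TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384`, are compiled out of a `NO_RSA` build together with the RSA ones. Those suites then reach `default:` and return 0, which a caller would read as "no ECDSA or static-ECC requirement" rather than as a rejection. I would close the guard after the last `_RSA_` case and leave the `ECDHE_ECDSA` and `ECDH_ECDSA` cases outside it. No `#endif` is added between the two hunks, but context not shown could change the nesting, so please check the preprocessed output of a `NO_RSA` build.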
@@ -8141,6 +8527,7 @@ int SetCipherList(Suites* s, const char* list) if (requirement == REQUIRES_NTRU) return 1; break; +#endif case TLS_PSK_WITH_AES_128_CBC_SHA256 : if (requirement == REQUIRES_PSK) @@ -8167,6 +8554,7 @@ int SetCipherList(Suites* s, const char* list) return 1; break; +#ifndef NO_RSA case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : if (requirement == REQUIRES_RSA) return 1; @@ -8243,6 +8631,7 @@ int SetCipherList(Suites* s, const char* list) if (requirement == REQUIRES_DHE) return 1; break; +#endif default: CYASSL_MSG("Unsupported cipher suite, CipherRequires"); @@ -8433,10 +8822,14 @@ int SetCipherList(Suites* s, const char* list) #endif /* manually hash input since different format */ +#ifndef NO_OLD_TLS #ifndef NO_MD5 Md5Update(&ssl->hashMd5, input + idx, sz); #endif +#ifndef NO_SHA ShaUpdate(&ssl->hashSha, input + idx, sz); +#endif +#endif #ifndef NO_SHA256 if (IsAtLeastTLSv1_2(ssl)) Sha256Update(&ssl->hashSha256, input + idx, sz); @@ -8662,8 +9055,12 @@ int SetCipherList(Suites* s, const char* list) return BUFFER_ERROR; if (i + b > totalSz) return INCOMPLETE_DATA; - if ((EmbedGenerateCookie(cookie, COOKIE_SZ, ssl) - != COOKIE_SZ) + if (ssl->ctx->CBIORecv == NULL) { + CYASSL_MSG("Your Cookie callback is null, please set"); + return COOKIE_ERROR; + } + if ((ssl->ctx->CBIOCookie(ssl, cookie, COOKIE_SZ, + ssl->IOCB_CookieCtx) != COOKIE_SZ) || (b != COOKIE_SZ) || (XMEMCMP(cookie, input + i, b) != 0)) { return COOKIE_ERROR; @@ -8794,6 +9191,9 @@ int SetCipherList(Suites* s, const char* list) byte hashAlgo = sha_mac; byte sigAlgo = anonymous_sa_algo; + (void)out; + (void)outLen; + #ifdef CYASSL_CALLBACKS if (ssl->hsInfoOn) AddPacketName("CertificateVerify", &ssl->handShakeInfo); 
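Review bot: The new NULL guard in the DTLS cookie check (hunk at -8662) tests `ssl->ctx->CBIORecv`, but the pointer called on the next statement is `ssl->ctx->CBIOCookie`. A context that has a receive callback and no cookie callback passes the guard and then calls through a NULL function pointer while processing a handshake message from the network. The condition should read `if (ssl->ctx->CBIOCookie == NULL) {`. The same mistaken guard is repeated where the cookie is written into the outgoing message (hunk at -8970).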
@@ -8970,7 +9370,12 @@ int SetCipherList(Suites* s, const char* list) output[idx++] = ssl->chVersion.minor; output[idx++] = cookieSz; - if ((ret = EmbedGenerateCookie(output + idx, cookieSz, ssl)) < 0) + if (ssl->ctx->CBIORecv == NULL) { + CYASSL_MSG("Your Cookie callback is null, please set"); + return COOKIE_ERROR; + } + if ((ret = ssl->ctx->CBIOCookie(ssl, output + idx, cookieSz, + ssl->IOCB_CookieCtx)) < 0) return ret; HashOutput(ssl, output, sendSz, 0); @@ -9117,6 +9522,9 @@ int SetCipherList(Suites* s, const char* list) ssl->arrays->preMasterSz = ssl->arrays->psk_keySz * 2 + 4; ret = MakeMasterSecret(ssl); + /* No further need for PSK */ + XMEMSET(ssl->arrays->psk_key, 0, ssl->arrays->psk_keySz); + ssl->arrays->psk_keySz = 0; } break; #endif /* NO_PSK */ @@ -9224,6 +9632,9 @@ int SetCipherList(Suites* s, const char* list) } break; } + /* No further need for PMS */ + XMEMSET(ssl->arrays->preMasterSecret, 0, ssl->arrays->preMasterSz); + ssl->arrays->preMasterSz = 0; if (ret == 0) { ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; diff --git a/src/io.c b/src/io.c index 624f5742c..7fe4f0260 100644 --- a/src/io.c +++ b/src/io.c @@ -96,6 +96,7 @@ #define SOCKET_EINTR WSAEINTR #define SOCKET_EPIPE WSAEPIPE #define SOCKET_ECONNREFUSED WSAENOTCONN + #define SOCKET_ECONNABORTED WSAECONNABORTED #elif defined(__PPU) #define SOCKET_EWOULDBLOCK SYS_NET_EWOULDBLOCK #define SOCKET_EAGAIN SYS_NET_EAGAIN @@ -103,6 +104,7 @@ #define SOCKET_EINTR SYS_NET_EINTR #define SOCKET_EPIPE SYS_NET_EPIPE #define SOCKET_ECONNREFUSED SYS_NET_ECONNREFUSED + #define SOCKET_ECONNABORTED SYS_NET_ECONNABORTED #elif defined(FREESCALE_MQX) /* RTCS doesn't have an EWOULDBLOCK error */ #define SOCKET_EWOULDBLOCK EAGAIN @@ -111,6 +113,7 @@ #define SOCKET_EINTR EINTR #define SOCKET_EPIPE EPIPE #define SOCKET_ECONNREFUSED RTCSERR_TCP_CONN_REFUSED + #define SOCKET_ECONNABORTED RTCSERR_TCP_CONN_ABORTED #else #define SOCKET_EWOULDBLOCK EWOULDBLOCK #define SOCKET_EAGAIN EAGAIN 
@@ -118,6 +121,7 @@ #define SOCKET_EINTR EINTR #define SOCKET_EPIPE EPIPE #define SOCKET_ECONNREFUSED ECONNREFUSED + #define SOCKET_ECONNABORTED ECONNABORTED #endif /* USE_WINDOWS_API */ @@ -136,16 +140,6 @@ #endif -#ifdef CYASSL_DTLS - /* sizeof(struct timeval) will pass uninit bytes to setsockopt if padded */ - #ifdef USE_WINDOWS_API - #define TIMEVAL_BYTES sizeof(timeout) - #else - #define TIMEVAL_BYTES sizeof(timeout.tv_sec) + sizeof(timeout.tv_usec) - #endif -#endif - - /* Translates return codes returned from * send() and recv() if need be. */ @@ -198,10 +192,12 @@ int EmbedReceive(CYASSL *ssl, char *buf, int sz, void *ctx) #ifdef USE_WINDOWS_API DWORD timeout = dtls_timeout * 1000; #else - struct timeval timeout = {dtls_timeout, 0}; + struct timeval timeout; + XMEMSET(&timeout, 0, sizeof(timeout)); + timeout.tv_sec = dtls_timeout; #endif if (setsockopt(sd, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout, - TIMEVAL_BYTES) != 0) { + sizeof(timeout)) != 0) { CYASSL_MSG("setsockopt rcvtimeo failed"); } } @@ -238,6 +234,10 @@ int EmbedReceive(CYASSL *ssl, char *buf, int sz, void *ctx) CYASSL_MSG(" Connection refused"); return IO_ERR_WANT_READ; } + else if (err == SOCKET_ECONNABORTED) { + CYASSL_MSG(" Connection aborted"); + return IO_ERR_CONN_CLOSE; + } else { CYASSL_MSG(" General error"); return IO_ERR_GENERAL; @@ -326,10 +326,12 @@ int EmbedReceiveFrom(CYASSL *ssl, char *buf, int sz, void *ctx) #ifdef USE_WINDOWS_API DWORD timeout = dtls_timeout * 1000; #else - struct timeval timeout = { dtls_timeout, 0 }; + struct timeval timeout; + XMEMSET(&timeout, 0, sizeof(timeout)); + timeout.tv_sec = dtls_timeout; #endif if (setsockopt(sd, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout, - TIMEVAL_BYTES) != 0) { + sizeof(timeout)) != 0) { CYASSL_MSG("setsockopt rcvtimeo failed"); } } 
@@ -431,9 +433,8 @@ int EmbedSendTo(CYASSL* ssl, char *buf, int sz, void *ctx) /* The DTLS Generate Cookie callback * return : number of bytes copied into buf, or error */ -int EmbedGenerateCookie(byte *buf, int sz, void *ctx) +int EmbedGenerateCookie(CYASSL* ssl, byte *buf, int sz, void *ctx) { - CYASSL* ssl = (CYASSL*)ctx; int sd = ssl->wfd; struct sockaddr_in peer; XSOCKLENT peerSz = sizeof(peer); @@ -441,6 +442,8 @@ int EmbedGenerateCookie(byte *buf, int sz, void *ctx) int cookieSrcSz = 0; Sha sha; + (void)ctx; + if (getpeername(sd, (struct sockaddr*)&peer, &peerSz) != 0) { CYASSL_MSG("getpeername failed in EmbedGenerateCookie"); return GEN_COOKIE_E; @@ -785,6 +788,23 @@ CYASSL_API void CyaSSL_SetIOWriteFlags(CYASSL* ssl, int flags) ssl->wflags = flags; } + +#ifdef CYASSL_DTLS + +CYASSL_API void CyaSSL_CTX_SetGenCookie(CYASSL_CTX* ctx, CallbackGenCookie cb) +{ + ctx->CBIOCookie = cb; +} + + +CYASSL_API void CyaSSL_SetCookieCtx(CYASSL* ssl, void *ctx) +{ + ssl->IOCB_CookieCtx = ctx; +} + +#endif /* CYASSL_DTLS */ + + #ifdef HAVE_OCSP CYASSL_API void CyaSSL_SetIOOcsp(CYASSL_CTX* ctx, CallbackIOOcsp cb) diff --git a/src/keys.c b/src/keys.c index 75866cf16..97f2f5b2e 100644 --- a/src/keys.c +++ b/src/keys.c 
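Review bot: `CyaSSL_CTX_SetGenCookie` and `CyaSSL_SetCookieCtx` (hunk at -785) are new public entry points with no comment, and the contract a callback must meet can only be inferred from the call sites. The cookie check earlier in this diff (hunk at -8662) treats any return other than `COOKIE_SZ` as `COOKIE_ERROR`, and `EmbedGenerateCookie` now ignores its `ctx` argument. I would add a comment above the first setter, e.g. `/* cb(ssl, buf, sz, ctx) must fill buf and return the number of bytes written, or a negative error */`, and state whether passing NULL for `cb` is allowed. Both setters also dereference `ctx`/`ssl` unchecked; this matches `CyaSSL_SetIOWriteFlags` above them, so it is worth documenting rather than changing here.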
@@ -44,6 +44,134 @@ int SetCipherSpecs(CYASSL* ssl) #ifdef HAVE_ECC +#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : + ssl->specs.bulk_cipher_algorithm = aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = rsa_sa_algo; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = AES_128_KEY_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + break; +#endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : + ssl->specs.bulk_cipher_algorithm = aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = ecc_dsa_sa_algo; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = AES_128_KEY_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + break; +#endif + +#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : + ssl->specs.bulk_cipher_algorithm = aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = rsa_sa_algo; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 1; + ssl->specs.key_size = AES_128_KEY_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + break; +#endif + +#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : + ssl->specs.bulk_cipher_algorithm = aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = 
ecc_dsa_sa_algo; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 1; + ssl->specs.key_size = AES_128_KEY_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + break; +#endif + +#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : + ssl->specs.bulk_cipher_algorithm = aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha384_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = rsa_sa_algo; + ssl->specs.hash_size = SHA384_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = AES_256_KEY_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + break; +#endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : + ssl->specs.bulk_cipher_algorithm = aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha384_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = ecc_dsa_sa_algo; + ssl->specs.hash_size = SHA384_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = AES_256_KEY_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + break; +#endif + +#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : + ssl->specs.bulk_cipher_algorithm = aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha384_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = rsa_sa_algo; + ssl->specs.hash_size = SHA384_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 1; + ssl->specs.key_size = AES_256_KEY_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + break; +#endif + +#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : 
+ ssl->specs.bulk_cipher_algorithm = aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha384_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = ecc_dsa_sa_algo; + ssl->specs.hash_size = SHA384_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 1; + ssl->specs.key_size = AES_256_KEY_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + break; +#endif + #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : ssl->specs.bulk_cipher_algorithm = aes; @@ -1617,7 +1745,7 @@ static int MakeSslMasterSecret(CYASSL* ssl) #ifdef SHOW_SECRETS { - int j; + word32 j; printf("pre master secret: "); for (j = 0; j < pmsSz; j++) printf("%02x", ssl->arrays->preMasterSecret[j]); @@ -1658,10 +1786,10 @@ static int MakeSslMasterSecret(CYASSL* ssl) #ifdef SHOW_SECRETS { - int i; + word32 j; printf("master secret: "); - for (i = 0; i < SECRET_LEN; i++) - printf("%02x", ssl->arrays->masterSecret[i]); + for (j = 0; j < SECRET_LEN; j++) + printf("%02x", ssl->arrays->masterSecret[j]); printf("\n"); } #endif diff --git a/src/ssl.c b/src/ssl.c index d096e324b..90e73ff47 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -27,8 +27,6 @@ #include #endif -#define TRUE 1 -#define FALSE 0 #include #include @@ -64,6 +62,7 @@ #if !defined(USE_WINDOWS_API) && !defined(NO_CYASSL_DIR) \ && !defined(EBSNET) #include + #include #endif #ifdef EBSNET #include "vfapi.h" @@ -71,6 +70,12 @@ #endif #endif /* NO_FILESYSTEM */ +#ifndef TRUE + #define TRUE 1 +#endif +#ifndef FALSE + #define FALSE 0 +#endif #ifndef min @@ -175,7 +180,6 @@ void CyaSSL_free(CYASSL* ssl) } -#ifndef CYASSL_LEANPSK int CyaSSL_set_fd(CYASSL* ssl, int fd) { CYASSL_ENTER("SSL_set_fd"); @@ -204,7 +208,6 @@ int CyaSSL_get_fd(const CYASSL* ssl) CYASSL_LEAVE("SSL_get_fd", ssl->rfd); return ssl->rfd; } -#endif #ifndef CYASSL_LEANPSK 
@@ -545,6 +548,13 @@ int CyaSSL_get_error(CYASSL* ssl, int ret) return ssl->error; } +int CyaSSL_get_alert_history(CYASSL* ssl, CYASSL_ALERT_HISTORY *h) +{ + if (ssl && h) { + *h = ssl->alert_history; + } + return 0; +} int CyaSSL_want_read(CYASSL* ssl) { @@ -910,6 +920,8 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify) SMALL_SESSION_CACHE only stores 6 sessions, good for embedded clients or systems where the default of nearly 3kB is too much RAM, this define uses less than 500 bytes RAM + + default SESSION_CACHE stores 33 sessions (no XXX_SESSION_CACHE defined) */ #ifdef HUGE_SESSION_CACHE #define SESSIONS_PER_ROW 11 @@ -1136,7 +1148,7 @@ int CyaSSL_Init(void) if (pkcs8) return ToTraditional(der->buffer, der->length); -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) && !defined(NO_PWDBASED) if (pkcs8Enc) { int passwordSz; char password[80]; @@ -1166,6 +1178,7 @@ int CyaSSL_Init(void) int ret; int dynamicType = 0; int eccKey = 0; + int rsaKey = 0; void* heap = ctx ? ctx->heap : NULL; info.set = 0; @@ -1404,12 +1417,14 @@ int CyaSSL_Init(void) FreeRsaKey(&key); return SSL_BAD_FILE; } + } else { + rsaKey = 1; } FreeRsaKey(&key); } #endif #ifdef HAVE_ECC - if (eccKey ) { + if (!rsaKey) { /* make sure ECC key can be used */ word32 idx = 0; ecc_key key; @@ -1420,6 +1435,7 @@ int CyaSSL_Init(void) return SSL_BAD_FILE; } ecc_free(&key); + eccKey = 1; ctx->haveStaticECC = 1; if (ssl) ssl->options.haveStaticECC = 1; 
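Review bot: `CyaSSL_get_alert_history` returns 0 whether or not it copied anything, so a call with a NULL `ssl` is indistinguishable from a successful one and the caller may go on to read an `h` that was never written. Rejecting bad arguments before the copy separates the two cases, e.g. `if (ssl == NULL || h == NULL) return BAD_FUNC_ARG;` (assuming that code is in scope in this file). A one-line comment stating the return convention would also help, since other calls in this diff, such as the verify-locations loader, report success with `SSL_SUCCESS` rather than 0.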
@@ -1664,14 +1680,20 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file, return BAD_PATH_ERROR; } while ( ret == SSL_SUCCESS && (entry = readdir(dir)) != NULL) { - if (entry->d_type & DT_REG) { - char name[MAX_FILENAME_SZ]; + char name[MAX_FILENAME_SZ]; + struct stat s; - XMEMSET(name, 0, sizeof(name)); - XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2); - XSTRNCAT(name, "/", 1); - XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); - + XMEMSET(name, 0, sizeof(name)); + XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2); + XSTRNCAT(name, "/", 1); + XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); + + if (stat(name, &s) != 0) { + CYASSL_MSG("stat on name failed"); + closedir(dir); + return BAD_PATH_ERROR; + } + if (s.st_mode & S_IFREG) { ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, NULL,0, NULL); } @@ -1786,7 +1808,13 @@ int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER* cm, const char* file, CYASSL_MSG("No CertManager error"); return ret; } - tmp = CyaSSL_CTX_new(CyaSSLv3_client_method()); + tmp = CyaSSL_CTX_new( +#ifdef NO_OLD_TLS + CyaTLSv1_2_client_method() +#else + CyaSSLv3_client_method() +#endif + ); if (tmp == NULL) { CYASSL_MSG("CTX new failed"); @@ -2562,6 +2590,17 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) InitSSL_Method(method, MakeDTLSv1()); return method; } + + CYASSL_METHOD* CyaDTLSv1_2_client_method(void) + { + CYASSL_METHOD* method = + (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0, + DYNAMIC_TYPE_METHOD); + CYASSL_ENTER("DTLSv1_2_client_method"); + if (method) + InitSSL_Method(method, MakeDTLSv1_2()); + return method; + } #endif @@ -2583,7 +2622,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) #ifdef CYASSL_DTLS if (ssl->version.major == DTLS_MAJOR && - ssl->version.minor == DTLS_MINOR) { + ssl->version.minor >= DTLSv1_2_MINOR) { ssl->options.dtls = 1; ssl->options.tls = 1; ssl->options.tls1_1 = 1; 
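Review bot: `s.st_mode & S_IFREG` in the rewritten directory loop of CyaSSL_CTX_load_verify_locations is a bit test, not a file-type test. The type field is a multi-bit code, and on common POSIX systems the socket code shares the `S_IFREG` bit, so a non-regular entry can still reach `ProcessFile`. Use `if (S_ISREG(s.st_mode)) {` (or compare `s.st_mode & S_IFMT` with `S_IFREG`). Separately, a failed `stat` on any single entry now aborts the whole CA directory load with `BAD_PATH_ERROR`, so one dangling symlink stops every later certificate from loading; whether to fail or skip that entry should be a deliberate choice, stated in a comment. The function continues outside the hunk.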
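Review bot: The new test `ssl->version.minor >= DTLSv1_2_MINOR` reads as "DTLS 1.2 or newer" but, assuming the constants carry the wire values, means the opposite. DTLS minor numbers descend (1.0 is 0xff, 1.2 is 0xfd), so `>=` matches 1.2 and every older or unassigned value above it. That may be the intent here, since the block sets `tls1_1`, but it needs a comment such as `/* DTLS minor numbers descend: >= DTLSv1_2_MINOR is DTLS 1.2 or older */`. The same comparison is added on the server side in the `-2846,7 +2913,7` hunk.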
@@ -2654,12 +2693,18 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) #ifdef CYASSL_DTLS if (ssl->options.dtls) { /* re-init hashes, exclude first hello and verify request */ +#ifndef NO_OLD_TLS InitMd5(&ssl->hashMd5); InitSha(&ssl->hashSha); - #ifndef NO_SHA256 - if (IsAtLeastTLSv1_2(ssl)) +#endif + if (IsAtLeastTLSv1_2(ssl)) { + #ifndef NO_SHA256 InitSha256(&ssl->hashSha256); - #endif + #endif + #ifdef CYASSL_SHA384 + InitSha384(&ssl->hashSha384); + #endif + } if ( (ssl->error = SendClientHello(ssl)) != 0) { CYASSL_ERROR(ssl->error); return SSL_FATAL_ERROR; @@ -2695,31 +2740,38 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) case FIRST_REPLY_DONE : #ifndef NO_CERTS - if (ssl->options.sendVerify) + if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificate(ssl)) != 0) { CYASSL_ERROR(ssl->error); return SSL_FATAL_ERROR; } + CYASSL_MSG("sent: certificate"); + } + #endif ssl->options.connectState = FIRST_REPLY_FIRST; CYASSL_MSG("connect state: FIRST_REPLY_FIRST"); case FIRST_REPLY_FIRST : - if (!ssl->options.resuming) + if (!ssl->options.resuming) { if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { CYASSL_ERROR(ssl->error); return SSL_FATAL_ERROR; } + CYASSL_MSG("sent: client key exchange"); + } ssl->options.connectState = FIRST_REPLY_SECOND; CYASSL_MSG("connect state: FIRST_REPLY_SECOND"); case FIRST_REPLY_SECOND : #ifndef NO_CERTS - if (ssl->options.sendVerify) + if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { CYASSL_ERROR(ssl->error); return SSL_FATAL_ERROR; + } + CYASSL_MSG("sent: certificate verify"); } #endif ssl->options.connectState = FIRST_REPLY_THIRD; @@ -2730,6 +2782,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) CYASSL_ERROR(ssl->error); return SSL_FATAL_ERROR; } + CYASSL_MSG("sent: change cipher spec"); ssl->options.connectState = FIRST_REPLY_FOURTH; CYASSL_MSG("connect state: FIRST_REPLY_FOURTH"); 
@@ -2738,7 +2791,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) CYASSL_ERROR(ssl->error); return SSL_FATAL_ERROR; } - + CYASSL_MSG("sent: finished"); ssl->options.connectState = FINISHED_DONE; CYASSL_MSG("connect state: FINISHED_DONE"); @@ -2799,6 +2852,19 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) } return method; } + + CYASSL_METHOD* CyaDTLSv1_2_server_method(void) + { + CYASSL_METHOD* method = + (CYASSL_METHOD*) XMALLOC(sizeof(CYASSL_METHOD), 0, + DYNAMIC_TYPE_METHOD); + CYASSL_ENTER("DTLSv1_2_server_method"); + if (method) { + InitSSL_Method(method, MakeDTLSv1_2()); + method->side = SERVER_END; + } + return method; + } #endif @@ -2814,6 +2880,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) #ifndef NO_PSK havePSK = ssl->options.havePSK; #endif + (void)havePSK; if (ssl->options.side != SERVER_END) { CYASSL_ERROR(ssl->error = SIDE_ERROR); @@ -2846,7 +2913,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) #ifdef CYASSL_DTLS if (ssl->version.major == DTLS_MAJOR && - ssl->version.minor == DTLS_MINOR) { + ssl->version.minor >= DTLSv1_2_MINOR) { ssl->options.dtls = 1; ssl->options.tls = 1; ssl->options.tls1_1 = 1; @@ -2898,12 +2965,18 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) if (ssl->options.dtls) { ssl->options.clientState = NULL_STATE; /* get again */ /* re-init hashes, exclude first hello and verify request */ +#ifndef NO_OLD_TLS InitMd5(&ssl->hashMd5); InitSha(&ssl->hashSha); - #ifndef NO_SHA256 - if (IsAtLeastTLSv1_2(ssl)) - InitSha256(&ssl->hashSha256); - #endif +#endif + if (IsAtLeastTLSv1_2(ssl)) { + #ifndef NO_SHA256 + InitSha256(&ssl->hashSha256); + #endif + #ifdef CYASSL_SHA384 + InitSha384(&ssl->hashSha384); + #endif + } while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) if ( (ssl->error = ProcessReply(ssl)) < 0) { 
@@ -3052,13 +3125,64 @@ int CyaSSL_Cleanup(void) #ifndef NO_SESSION_CACHE +/* Make a work from the front of random hash */ +static INLINE word32 MakeWordFromHash(const byte* hashID) +{ + return (hashID[0] << 24) | (hashID[1] << 16) | (hashID[2] << 8) | + hashID[3]; +} + + +#ifndef NO_MD5 + +/* some session IDs aren't random afterall, let's make them random */ + static INLINE word32 HashSession(const byte* sessionID) { - /* id is random, just make 32 bit number from first 4 bytes for now */ - return (sessionID[0] << 24) | (sessionID[1] << 16) | (sessionID[2] << 8) | - sessionID[3]; + byte digest[MD5_DIGEST_SIZE]; + Md5 md5; + + InitMd5(&md5); + Md5Update(&md5, sessionID, ID_LEN); + Md5Final(&md5, digest); + + return MakeWordFromHash(digest); } +#elif !defined(NO_SHA) + +static INLINE word32 HashSession(const byte* sessionID) +{ + byte digest[SHA_DIGEST_SIZE]; + Sha sha; + + InitSha(&sha); + ShaUpdate(&sha, sessionID, ID_LEN); + ShaFinal(&sha, digest); + + return MakeWordFromHash(digest); +} + +#elif !defined(NO_SHA256) + +static INLINE word32 HashSession(const byte* sessionID) +{ + byte digest[SHA256_DIGEST_SIZE]; + Sha256 sha256; + + InitSha256(&sha256); + Sha256Update(&sha256, sessionID, ID_LEN); + Sha256Final(&sha256, digest); + + return MakeWordFromHash(digest); +} + +#else + +#error "We need a digest to hash the session IDs" + +#endif /* NO_MD5 */ + void CyaSSL_flush_sessions(CYASSL_CTX* ctx, long tm) { @@ -3840,8 +3964,8 @@ int CyaSSL_set_compression(CYASSL* ssl) ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } +#endif - /* return true if connection established */ int CyaSSL_is_init_finished(CYASSL* ssl) { @@ -3854,7 +3978,7 @@ int CyaSSL_set_compression(CYASSL* ssl) return 0; } - +#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) void CyaSSL_CTX_set_tmp_rsa_callback(CYASSL_CTX* ctx, CYASSL_RSA*(*f)(CYASSL*, int, int)) { 
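Review bot: In `MakeWordFromHash`, `hashID[0] << 24` shifts a `byte` that has been promoted to signed `int`. When the top bit of that byte is set, the result does not fit in a 32-bit `int`, which is undefined behaviour in C. Because the input is now a digest, roughly half of all calls hit that case. Casting before shifting avoids it: `return ((word32)hashID[0] << 24) | ((word32)hashID[1] << 16) | ((word32)hashID[2] << 8) | hashID[3];`. The header comment also reads "Make a work" where "word" is meant.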
@@ -5332,8 +5456,8 @@ int CyaSSL_set_compression(CYASSL* ssl) (void)flags; return 0; } - - +#endif +#ifdef KEEP_PEER_CERT CYASSL_X509* CyaSSL_get_peer_certificate(CYASSL* ssl) { CYASSL_ENTER("SSL_get_peer_certificate"); @@ -5342,9 +5466,9 @@ int CyaSSL_set_compression(CYASSL* ssl) else return 0; } +#endif - - +#ifdef OPENSSL_EXTRA int CyaSSL_set_ex_data(CYASSL* ssl, int idx, void* data) { #ifdef FORTRESS @@ -5384,19 +5508,19 @@ int CyaSSL_set_compression(CYASSL* ssl) (void)ssl; /* client by default */ } - +#endif int CyaSSL_session_reused(CYASSL* ssl) { return ssl->options.resuming; } - +#ifdef OPENSSL_EXTRA void CyaSSL_SESSION_free(CYASSL_SESSION* session) { (void)session; } - +#endif const char* CyaSSL_get_version(CYASSL* ssl) { @@ -5415,11 +5539,26 @@ int CyaSSL_set_compression(CYASSL* ssl) return "unknown"; } } - else if (ssl->version.major == DTLS_MAJOR) - return "DTLS"; + else if (ssl->version.major == DTLS_MAJOR) { + switch (ssl->version.minor) { + case DTLS_MINOR : + return "DTLS"; + case DTLSv1_2_MINOR : + return "DTLSv1.2"; + default: + return "unknown"; + } + } return "unknown"; } + int CyaSSL_get_current_cipher_suite(CYASSL* ssl) + { + CYASSL_ENTER("SSL_get_current_cipher_suite"); + if (ssl) + return (ssl->options.cipherSuite0 << 8) | ssl->options.cipherSuite; + return 0; + } CYASSL_CIPHER* CyaSSL_get_current_cipher(CYASSL* ssl) { 
@@ -5433,130 +5572,228 @@ int CyaSSL_set_compression(CYASSL* ssl) const char* CyaSSL_CIPHER_get_name(const CYASSL_CIPHER* cipher) { + (void)cipher; + CYASSL_ENTER("SSL_CIPHER_get_name"); +#ifndef NO_ERROR_STRINGS if (cipher) { #ifdef HAVE_ECC if (cipher->ssl->options.cipherSuite0 == ECC_BYTE) { /* ECC suites */ switch (cipher->ssl->options.cipherSuite) { +#ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; +#endif + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; +#ifndef NO_RSA + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"; +#endif + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"; +#ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : + return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; +#endif + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : + return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; +#ifndef NO_RSA + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : + return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"; +#endif + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : + return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"; +#ifndef NO_SHA + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; + #endif case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; + #ifndef NO_RC4 + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_RC4_128_SHA : return "TLS_ECDHE_RSA_WITH_RC4_128_SHA"; + #endif case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"; + #endif + #ifndef NO_DES3 + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif case 
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"; + #endif + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"; case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"; + #endif case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA : return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"; case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA : return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"; + #ifndef NO_RC4 + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_RC4_128_SHA : return "TLS_ECDH_RSA_WITH_RC4_128_SHA"; + #endif case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"; + #endif + #ifndef NO_DES3 + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA : return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"; + #endif +#endif /* NO_SHA */ +#ifdef HAVE_AESGCM + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; + #endif case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"; case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"; + #endif case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; +#endif +#ifdef HAVE_AESCCM + #ifndef NO_RSA case TLS_RSA_WITH_AES_128_CCM_8_SHA256 : return "TLS_RSA_WITH_AES_128_CCM_8_SHA256"; case TLS_RSA_WITH_AES_256_CCM_8_SHA384 : return "TLS_RSA_WITH_AES_256_CCM_8_SHA384"; + #endif case 
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 : return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256"; case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 : return "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384"; +#endif default: return "NONE"; } } -#endif +#endif /* ECC */ if (cipher->ssl->options.cipherSuite0 != ECC_BYTE) { /* normal suites */ switch (cipher->ssl->options.cipherSuite) { +#ifndef NO_RSA + #ifndef NO_RC4 + #ifndef NO_SHA case SSL_RSA_WITH_RC4_128_SHA : return "SSL_RSA_WITH_RC4_128_SHA"; + #endif + #ifndef NO_MD5 case SSL_RSA_WITH_RC4_128_MD5 : return "SSL_RSA_WITH_RC4_128_MD5"; + #endif + #endif + #ifndef NO_SHA + #ifndef NO_DES3 case SSL_RSA_WITH_3DES_EDE_CBC_SHA : return "SSL_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif case TLS_RSA_WITH_AES_128_CBC_SHA : return "TLS_RSA_WITH_AES_128_CBC_SHA"; case TLS_RSA_WITH_AES_256_CBC_SHA : return "TLS_RSA_WITH_AES_256_CBC_SHA"; + #endif case TLS_RSA_WITH_AES_128_CBC_SHA256 : return "TLS_RSA_WITH_AES_128_CBC_SHA256"; case TLS_RSA_WITH_AES_256_CBC_SHA256 : return "TLS_RSA_WITH_AES_256_CBC_SHA256"; + #ifndef NO_SHA case TLS_RSA_WITH_NULL_SHA : return "TLS_RSA_WITH_NULL_SHA"; + #endif case TLS_RSA_WITH_NULL_SHA256 : return "TLS_RSA_WITH_NULL_SHA256"; +#endif /* NO_RSA */ +#ifndef NO_PSK case TLS_PSK_WITH_AES_128_CBC_SHA256 : return "TLS_PSK_WITH_AES_128_CBC_SHA256"; + #ifndef NO_SHA case TLS_PSK_WITH_AES_128_CBC_SHA : return "TLS_PSK_WITH_AES_128_CBC_SHA"; case TLS_PSK_WITH_AES_256_CBC_SHA : return "TLS_PSK_WITH_AES_256_CBC_SHA"; + #endif case TLS_PSK_WITH_NULL_SHA256 : return "TLS_PSK_WITH_NULL_SHA256"; + #ifndef NO_SHA case TLS_PSK_WITH_NULL_SHA : return "TLS_PSK_WITH_NULL_SHA"; + #endif +#endif /* NO_PSK */ +#ifndef NO_RSA case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; + #ifndef NO_SHA case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; case 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA : return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; + #endif + #ifndef NO_HC128 + #ifndef NO_MD5 case TLS_RSA_WITH_HC_128_CBC_MD5 : return "TLS_RSA_WITH_HC_128_CBC_MD5"; + #endif + #ifndef NO_SHA case TLS_RSA_WITH_HC_128_CBC_SHA : return "TLS_RSA_WITH_HC_128_CBC_SHA"; + #endif + #endif /* NO_HC128 */ + #ifndef NO_SHA + #ifndef NO_RABBIT case TLS_RSA_WITH_RABBIT_CBC_SHA : return "TLS_RSA_WITH_RABBIT_CBC_SHA"; + #endif + #ifdef HAVE_NTRU + #ifndef NO_RC4 case TLS_NTRU_RSA_WITH_RC4_128_SHA : return "TLS_NTRU_RSA_WITH_RC4_128_SHA"; + #endif + #ifndef NO_DES3 case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : return "TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : return "TLS_NTRU_RSA_WITH_AES_128_CBC_SHA"; case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : return "TLS_NTRU_RSA_WITH_AES_256_CBC_SHA"; + #endif /* HAVE_NTRU */ + #endif /* NO_SHA */ case TLS_RSA_WITH_AES_128_GCM_SHA256 : return "TLS_RSA_WITH_AES_128_GCM_SHA256"; case TLS_RSA_WITH_AES_256_GCM_SHA384 : 
@@ -5565,28 +5802,33 @@ int CyaSSL_set_compression(CYASSL* ssl) return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; + #ifndef NO_SHA case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA : return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"; case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"; + #endif case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 : return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"; case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 : return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"; + #ifndef NO_SHA case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"; case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"; + #endif case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 : return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"; case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 : return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"; +#endif /* NO_RSA */ default: return "NONE"; } /* switch */ } /* normal / ECC */ } - +#endif /* NO_ERROR_STRINGS */ return "NONE"; } @@ -5597,6 +5839,7 @@ int CyaSSL_set_compression(CYASSL* ssl) return CyaSSL_CIPHER_get_name(CyaSSL_get_current_cipher(ssl)); } +#ifdef OPENSSL_EXTRA /* XXX shuld be NO_DH */ #ifndef NO_CERTS @@ -7164,6 +7407,7 @@ static int initGlobalRNG = 0; } +#ifndef NO_DSA static void InitCyaSSL_DSA(CYASSL_DSA* dsa) { if (dsa) { @@ -7256,7 +7500,7 @@ static int initGlobalRNG = 0; return 0; /* key gen not needed by server */ } - +#endif /* NO_DSA */ static void InitCyaSSL_Rsa(CYASSL_RSA* rsa) { @@ -7356,6 +7600,7 @@ static int initGlobalRNG = 0; } +#ifndef NO_DSA static int SetDsaExternal(CYASSL_DSA* dsa) { DsaKey* key; @@ -7397,6 +7642,7 @@ static int initGlobalRNG = 0; return 0; } +#endif /* NO_DSA */ static int SetRsaExternal(CYASSL_RSA* rsa) 
@@ -7548,6 +7794,7 @@ static int initGlobalRNG = 0; } +#ifndef NO_DSA /* return 0 on success, < 0 otherwise */ int CyaSSL_DSA_do_sign(const unsigned char* d, unsigned char* sigRet, CYASSL_DSA* dsa) @@ -7583,6 +7830,7 @@ static int initGlobalRNG = 0; return 0; } +#endif /* NO_DSA */ /* return 1 on success, 0 otherwise */ @@ -8154,6 +8402,7 @@ int CyaSSL_RSA_LoadDer(CYASSL_RSA* rsa, const unsigned char* der, int derSz) } +#ifndef NO_DSA /* Load DSA from Der, 0 on success < 0 on error */ int CyaSSL_DSA_LoadDer(CYASSL_DSA* dsa, const unsigned char* der, int derSz) { @@ -8182,7 +8431,7 @@ int CyaSSL_DSA_LoadDer(CYASSL_DSA* dsa, const unsigned char* der, int derSz) return 0; } - +#endif /* NO_DSA */ diff --git a/src/tls.c b/src/tls.c index acb44e9c5..4a89be320 100644 --- a/src/tls.c +++ b/src/tls.c @@ -53,7 +53,7 @@ static void p_hash(byte* result, word32 resLen, const byte* secret, word32 secLen, const byte* seed, word32 seedLen, int hash) { - word32 len = SHA_DIGEST_SIZE; + word32 len = PHASH_MAX_DIGEST_SIZE; word32 times; word32 lastLen; word32 lastTime; @@ -89,6 +89,7 @@ static void p_hash(byte* result, word32 resLen, const byte* secret, } break; #endif +#ifndef NO_SHA case sha_mac: default: { @@ -96,6 +97,7 @@ static void p_hash(byte* result, word32 resLen, const byte* secret, hash = SHA; } break; +#endif } times = resLen / len; @@ -121,11 +123,14 @@ static void p_hash(byte* result, word32 resLen, const byte* secret, HmacFinal(&hmac, previous); } } + XMEMSET(previous, 0, sizeof previous); + XMEMSET(current, 0, sizeof current); + XMEMSET(&hmac, 0, sizeof hmac); } -#ifndef NO_MD5 +#ifndef NO_OLD_TLS /* calculate XOR for TLSv1 PRF */ static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha) 
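Review bot: With `NO_SHA` defined, the `switch` in `p_hash` loses its `default:` label, because the label sits inside the new `#ifndef NO_SHA` together with `case sha_mac:`. An unexpected `hash` value then falls out of the switch with `len` still at `PHASH_MAX_DIGEST_SIZE` and `hash` untranslated. `len` is used right after in `times = resLen / len;`, and the HMAC setup outside the hunk presumably takes `hash`. Keep a `default:` outside the guard; `p_hash` returns void, so it would have to select a compiled-in hash rather than report an error. The same guard wraps `default:` in TLS_hmac later in this file.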
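Review bot: The three `XMEMSET` calls added at the end of `p_hash` wipe locals that are never read again, so an optimizing compiler may remove them as dead stores. That would leave the HMAC state and the intermediate PRF blocks on the stack. A wipe through a `volatile` pointer, or a platform primitive such as `explicit_bzero` where available, keeps the stores. The fence sketches a file-local helper whose name is only a suggestion. `p_hash` starts before this hunk.

```c
/* proposed helper: stores through a volatile pointer are not elided */
static void ZeroSecret(void* mem, word32 len)
{
    volatile byte* p = (volatile byte*)mem;

    while (len--)
        *p++ = 0;
}

/* … unchanged: p_hash body up to the last HmacFinal … */
    ZeroSecret(previous, sizeof previous);
    ZeroSecret(current, sizeof current);
    ZeroSecret(&hmac, sizeof hmac);
```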
@@ -194,7 +199,7 @@ static void PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen, p_hash(digest, digLen, secret, secLen, labelSeed, labLen + seedLen, hash_type); } -#ifndef NO_MD5 +#ifndef NO_OLD_TLS else doPRF(digest, digLen, secret, secLen, label, labLen, seed, seedLen); #endif @@ -214,7 +219,7 @@ void BuildTlsFinished(CYASSL* ssl, Hashes* hashes, const byte* sender) byte handshake_hash[HSHASH_SZ]; word32 hashSz = FINISHED_SZ; -#ifndef NO_MD5 +#ifndef NO_OLD_TLS Md5Final(&ssl->hashMd5, handshake_hash); ShaFinal(&ssl->hashSha, &handshake_hash[MD5_DIGEST_SIZE]); #endif @@ -423,12 +428,21 @@ void TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, } break; #endif + #ifdef CYASSL_SHA384 + case sha384_mac: + { + type = SHA384; + } + break; + #endif +#ifndef NO_SHA case sha_mac: default: { type = SHA; } break; +#endif } HmacSetKey(&hmac, type, GetMacSecret(ssl, verify), ssl->specs.hash_size); diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index 6cb141b77..1ddf1e538 100755 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -214,6 +214,9 @@ int main(int argc, char** argv) ret = ssl_SetPrivateKey(server, port, "../../certs/server-key.pem", FILETYPE_PEM, NULL, err); + if (ret != 0) { + printf("Please run directly from sslSniffer/sslSnifferTest dir\n"); + } } else if (argc >= 3) { saveFile = 1; diff --git a/tests/api.c b/tests/api.c index 7db26fc68..f97c306a8 100644 --- a/tests/api.c +++ b/tests/api.c @@ -35,7 +35,7 @@ static int test_CyaSSL_Init(void); static int test_CyaSSL_Cleanup(void); static int test_CyaSSL_Method_Allocators(void); static int test_CyaSSL_CTX_new(CYASSL_METHOD *method); -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) static int test_CyaSSL_CTX_use_certificate_file(void); static int test_CyaSSL_CTX_use_PrivateKey_file(void); static int test_CyaSSL_CTX_load_verify_locations(void); 
@@ -51,7 +51,7 @@ static int test_method(CYASSL_METHOD *method, const char *name); #ifdef OPENSSL_EXTRA static int test_method2(CYASSL_METHOD *method, const char *name); #endif -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) static int test_ucf(CYASSL_CTX *ctx, const char* file, int type, int cond, const char* name); static int test_upkf(CYASSL_CTX *ctx, const char* file, int type, @@ -79,7 +79,7 @@ int ApiTest(void) test_CyaSSL_Init(); test_CyaSSL_Method_Allocators(); test_CyaSSL_CTX_new(CyaSSLv23_server_method()); -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) test_CyaSSL_CTX_use_certificate_file(); test_CyaSSL_CTX_use_PrivateKey_file(); test_CyaSSL_CTX_load_verify_locations(); @@ -209,7 +209,7 @@ int test_CyaSSL_CTX_new(CYASSL_METHOD *method) return TEST_SUCCESS; } -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) /* Helper for testing CyaSSL_CTX_use_certificate_file() */ int test_ucf(CYASSL_CTX *ctx, const char* file, int type, int cond, const char* name) diff --git a/tests/hash.c b/tests/hash.c index 420dc36cb..1a124e098 100644 --- a/tests/hash.c +++ b/tests/hash.c @@ -76,11 +76,13 @@ int HashTest(void) printf( " MD5 test passed!\n"); #endif +#ifndef NO_SHA if ( (ret = sha_test()) ) { printf( " SHA test failed!\n"); return ret; } else printf( " SHA test passed!\n"); +#endif #ifndef NO_SHA256 if ( (ret = sha256_test()) ) { @@ -290,6 +292,7 @@ int md5_test(void) #endif /* NO_MD5 */ +#ifndef NO_SHA int sha_test(void) { Sha sha; @@ -343,6 +346,7 @@ int sha_test(void) return 0; } +#endif /* NO_SHA */ #ifndef NO_SHA256 int sha256_test(void) diff --git a/tests/include.am b/tests/include.am index c061320c1..0065f4006 100644 --- a/tests/include.am +++ b/tests/include.am 
@@ -19,21 +19,5 @@ tests_unit_DEPENDENCIES = src/libcyassl.la
 endif
 EXTRA_DIST += tests/unit.h
 EXTRA_DIST += tests/test.conf \
- tests/test-openssl.conf \
- tests/test-hc128.conf \
- tests/test-psk.conf \
- tests/test-ntru.conf \
- tests/test-ecc.conf \
- tests/test-aesgcm.conf \
- tests/test-aesgcm-ecc.conf \
- tests/test-aesgcm-openssl.conf \
- tests/test-aesccm.conf \
- tests/test-aesccm-ecc.conf \
- tests/test-camellia.conf \
- tests/test-camellia-openssl.conf \
- tests/test-dtls.conf \
- tests/test-rabbit.conf \
- tests/test-null.conf \
- tests/test-psk-null.conf \
- tests/test-leanpsk.conf
+ tests/test-dtls.conf
 DISTCLEANFILES+= tests/.libs/unit
diff --git a/tests/suites.c b/tests/suites.c
index 00df11a55..053873779 100644
--- a/tests/suites.c
+++ b/tests/suites.c
@@ -32,12 +32,85 @@ #define MAX_ARGS 40 #define MAX_COMMAND_SZ 240 +#define MAX_SUITE_SZ 80 +#define NOT_BUILT_IN -123 +#define VERSION_TOO_OLD -124 #include "examples/client/client.h" #include "examples/server/server.h" -static void execute_test_case(int svr_argc, char** svr_argv, - int cli_argc, char** cli_argv, int addNoVerify) + +CYASSL_CTX* cipherSuiteCtx = NULL; + + +#ifdef NO_OLD_TLS +/* if the protocol version is less than tls 1.2 return 1, else 0 */ +static int IsOldTlsVersion(const char* line) +{ + const char* find = "-v "; + char* begin = strstr(line, find); + + if (begin) { + int version = -1; + + begin += 3; + + version = atoi(begin); + + if (version < 3) + return 1; + } + + return 0; +} +#endif /* NO_OLD_TLS */ + + +/* if the cipher suite on line is valid store in suite and return 1, else 0 */ +static int IsValidCipherSuite(const char* line, char* suite) +{ + int found = 0; + int valid = 0; + + const char* find = "-l "; + char* begin = strstr(line, find); + char* end; + + suite[0] = '\0'; + + if (begin) { + begin += 3; + + end = strstr(begin, " "); + + if (end) { + long len = end - begin; + if (len > MAX_SUITE_SZ) { + printf("suite too long!\n"); + return 0; + } + memcpy(suite, begin, len); + suite[len] = '\0'; + } + else + strncpy(suite, begin, MAX_SUITE_SZ); + + suite[MAX_SUITE_SZ] = '\0'; + found = 1; + } + + if (found) { + if (CyaSSL_CTX_set_cipher_list(cipherSuiteCtx, suite) == SSL_SUCCESS) + valid = 1; + } + + return valid; +} + + +static int execute_test_case(int svr_argc, char** svr_argv, + int cli_argc, char** cli_argv, + int addNoVerify, int addNonBlocking) { func_args cliArgs = {cli_argc, cli_argv, 0, NULL}; func_args svrArgs = {svr_argc, svr_argv, 0, NULL}; @@ -45,6 +118,7 @@ static void execute_test_case(int svr_argc, char** svr_argv, tcp_ready ready; THREAD_TYPE serverThread; char commandLine[MAX_COMMAND_SZ]; + char cipherSuite[MAX_SUITE_SZ+1]; int i; size_t added = 0; static int tests = 1; 
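Review bot: `IsValidCipherSuite` writes up to `MAX_SUITE_SZ + 1` bytes into `suite` (`suite[MAX_SUITE_SZ] = '\0';`) but takes no size argument. The only thing keeping it in bounds is that its caller declares `char cipherSuite[MAX_SUITE_SZ+1];`. The header comment should state that requirement, e.g. `/* suite must hold at least MAX_SUITE_SZ + 1 bytes */`. The unconditional `suite[MAX_SUITE_SZ] = '\0';` also runs after the `memcpy` branch, where `suite[len]` is already terminated, so it could move into the `strncpy` branch.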
@@ -59,13 +133,38 @@ static void execute_test_case(int svr_argc, char** svr_argv, strcat(commandLine, svr_argv[i]); strcat(commandLine, " "); } + + if (IsValidCipherSuite(commandLine, cipherSuite) == 0) { + #ifdef DEBUG_SUITE_TESTS + printf("cipher suite %s not supported in build\n", cipherSuite); + #endif + return NOT_BUILT_IN; + } + +#ifdef NO_OLD_TLS + if (IsOldTlsVersion(commandLine) == 1) { + #ifdef DEBUG_SUITE_TESTS + printf("protocol version on line %s is too old\n", commandLine); + #endif + return VERSION_TOO_OLD; + } +#endif + if (addNoVerify) { printf("repeating test with client cert request off\n"); - added += 3; /* -d plus terminator */ + added += 4; /* -d plus space plus terminator */ if (added >= MAX_COMMAND_SZ) printf("server command line too long\n"); else - strcat(commandLine, "-d"); + strcat(commandLine, "-d "); + } + if (addNonBlocking) { + printf("repeating test with non blocking on\n"); + added += 4; /* -N plus terminator */ + if (added >= MAX_COMMAND_SZ) + printf("server command line too long\n"); + else + strcat(commandLine, "-N "); } printf("trying server command line[%d]: %s\n", tests, commandLine); @@ -80,6 +179,13 @@ static void execute_test_case(int svr_argc, char** svr_argv, strcat(commandLine, cli_argv[i]); strcat(commandLine, " "); } + if (addNonBlocking) { + added += 4; /* -N plus space plus terminator */ + if (added >= MAX_COMMAND_SZ) + printf("client command line too long\n"); + else + strcat(commandLine, "-N "); + } printf("trying client command line[%d]: %s\n", tests++, commandLine); InitTcpReady(&ready); @@ -105,7 +211,8 @@ static void execute_test_case(int svr_argc, char** svr_argv, } FreeTcpReady(&ready); - + + return 0; } static void test_harness(void* vargs) @@ -114,6 +221,7 @@ static void test_harness(void* vargs) char* script; long sz, len; int cliMode = 0; /* server or client command flag, server first */ + int ret; FILE* file; char* svrArgs[MAX_ARGS]; int svrArgsSz; 
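Review bot: When `added >= MAX_COMMAND_SZ`, the new `-N` branches (here and in the client hunk at `@@ -80,6 +179,13 @@`) only print "command line too long" and then run the case without the flag, so the run announced as "repeating test with non blocking on" would repeat the blocking configuration and still look like a pass. Treating it as an error, e.g. `if (added >= MAX_COMMAND_SZ) { printf("server command line too long\n"); return -1; }` with the caller checking for it, keeps the reported coverage honest; the pre-existing `-d` branch has the same shape. The server-side comment reads `/* -N plus terminator */` while 4 bytes are added; `/* -N plus space plus terminator */` matches the client hunk. The two skip messages are compiled in only under `DEBUG_SUITE_TESTS`, so in a normal build nothing shows that a case returned `NOT_BUILT_IN` or `VERSION_TOO_OLD`. The function begins and ends outside this hunk.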
@@ -193,7 +301,11 @@ static void test_harness(void* vargs) case '#': /* Ignore lines that start with a #. */ comment = strsep(&cursor, "\n"); +#ifdef DEBUG_SUITE_TESTS printf("%s\n", comment); +#else + (void)comment; +#endif break; case '-': /* Parameters start with a -. They end in either a newline @@ -221,8 +333,13 @@ static void test_harness(void* vargs) } if (do_it) { - execute_test_case(svrArgsSz, svrArgs, cliArgsSz, cliArgs, 0); - execute_test_case(svrArgsSz, svrArgs, cliArgsSz, cliArgs, 1); + ret = execute_test_case(svrArgsSz, svrArgs, cliArgsSz, cliArgs,0,0); + /* don't repeat if not supported in build */ + if (ret == 0) { + execute_test_case(svrArgsSz, svrArgs, cliArgsSz, cliArgs, 0, 1); + execute_test_case(svrArgsSz, svrArgs, cliArgsSz, cliArgs, 1, 0); + execute_test_case(svrArgsSz, svrArgs, cliArgsSz, cliArgs, 1, 1); + } svrArgsSz = 1; cliArgsSz = 1; cliMode = 0; @@ -248,7 +365,14 @@ int SuiteTest(void) args.argv = myArgv; strcpy(argv0[0], "SuiteTest"); -#if !defined(NO_RSA) + (void)test_harness; + + cipherSuiteCtx = CyaSSL_CTX_new(CyaTLSv1_2_client_method()); + if (cipherSuiteCtx == NULL) { + printf("can't get cipher suite ctx\n"); + exit(EXIT_FAILURE); + } + /* default case */ args.argc = 1; printf("starting default cipher suite tests\n"); 
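Review bot: In the `do_it` branch a non-zero `ret` (`NOT_BUILT_IN` or `VERSION_TOO_OLD`) just drops the case and nothing records that it was dropped, so a conf file in which every entry is skipped, or in which a suite name is mistyped, ends the same way as a fully passing run as far as these hunks show. Since this commit also removes the per-feature `#ifdef` blocks in `SuiteTest`, this runtime check is now the only gate on what gets tested. Counting executed and skipped cases in `test_harness` and printing the totals at the end (for example `printf("%d cases run, %d skipped\n", ran, skipped);` with two new local counters) would make a silent loss of coverage visible. The return values of the three repeat calls are discarded as well. `test_harness` starts and ends outside the hunk.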
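Review bot: `cipherSuiteCtx` is created from `CyaTLSv1_2_client_method()` in the `@@ -248,7 +365,14 @@` hunk but is consulted for server lines, for `-u` (DTLS) lines and for lower `-v` values, and no comment says why that is sufficient. From the visible hunks it is only ever passed to `CyaSSL_CTX_set_cipher_list` as a name probe, so a comment such as `/* probe context: only used to ask whether a suite name is compiled in, never for a connection */` above the `CyaSSL_CTX_new` call would record the intent. In the `@@ -448,6 +398,8 @@` hunk the global is freed but left pointing at the freed context; `cipherSuiteCtx = NULL;` after `CyaSSL_CTX_free` avoids a stale pointer if `SuiteTest` is entered again. The declaration in the first hunk could also be `static`, unless another file refers to it. `SuiteTest` starts before this hunk.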
@@ -257,184 +381,10 @@ int SuiteTest(void) printf("error from script %d\n", args.return_code); exit(EXIT_FAILURE); } -#endif /* any extra cases will need another argument */ args.argc = 2; -#ifdef OPENSSL_EXTRA - /* add openssl extra suites */ - strcpy(argv0[1], "tests/test-openssl.conf"); - printf("starting openssl extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#if !defined(NO_RSA) && defined(HAVE_NULL_CIPHER) - /* add rsa null cipher suites */ - strcpy(argv0[1], "tests/test-null.conf"); - printf("starting null cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#ifdef HAVE_HC128 - /* add hc128 extra suites */ - strcpy(argv0[1], "tests/test-hc128.conf"); - printf("starting hc128 extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#ifdef HAVE_RABBIT - /* add rabbit extra suites */ - strcpy(argv0[1], "tests/test-rabbit.conf"); - printf("starting rabbit extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#if !defined(NO_PSK) && !defined(NO_AES) - /* add psk extra suites */ - strcpy(argv0[1], "tests/test-psk.conf"); - printf("starting psk extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#if !defined(NO_PSK) && defined(HAVE_NULL_CIPHER) && !defined(NO_OLD_TLS) - strcpy(argv0[1], "tests/test-psk-null.conf"); - printf("starting psk extra null cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", 
args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#ifdef CYASSL_LEANPSK - strcpy(argv0[1], "tests/test-leanpsk.conf"); - printf("starting lean-psk cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#ifdef HAVE_NTRU - /* add ntru extra suites */ - strcpy(argv0[1], "tests/test-ntru.conf"); - printf("starting ntru extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#ifdef HAVE_ECC - /* add ecc extra suites */ - strcpy(argv0[1], "tests/test-ecc.conf"); - printf("starting ecc extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#ifdef HAVE_AESGCM - /* add aesgcm extra suites */ - strcpy(argv0[1], "tests/test-aesgcm.conf"); - printf("starting aesgcm extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#if defined(HAVE_AESGCM) && defined(OPENSSL_EXTRA) - /* add aesgcm openssl extra suites */ - strcpy(argv0[1], "tests/test-aesgcm-openssl.conf"); - printf("starting aesgcm openssl extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#if defined(HAVE_AESGCM) && defined(HAVE_ECC) - /* add aesgcm ecc extra suites */ - strcpy(argv0[1], "tests/test-aesgcm-ecc.conf"); - printf("starting aesgcm ecc extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } -#endif - -#if defined(HAVE_AESCCM) - /* add aesccm extra suites */ - strcpy(argv0[1], "tests/test-aesccm.conf"); - 
printf("starting aesccm cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } - #ifdef HAVE_ECC - /* add aesccm ecc extra suites */ - strcpy(argv0[1], "tests/test-aesccm-ecc.conf"); - printf("starting aesccm ecc cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } - #endif -#endif - -#ifdef HAVE_CAMELLIA - /* add camellia suites */ - strcpy(argv0[1], "tests/test-camellia.conf"); - printf("starting camellia suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } - #ifdef OPENSSL_EXTRA - /* add camellia openssl extra suites */ - strcpy(argv0[1], "tests/test-camellia-openssl.conf"); - printf("starting camellia openssl extra suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - exit(EXIT_FAILURE); - } - - #endif -#endif - #ifdef CYASSL_DTLS /* add dtls extra suites */ strcpy(argv0[1], "tests/test-dtls.conf"); @@ -448,6 +398,8 @@ int SuiteTest(void) printf(" End Cipher Suite Tests\n"); + CyaSSL_CTX_free(cipherSuiteCtx); + return args.return_code; } diff --git a/tests/test-aesccm-ecc.conf b/tests/test-aesccm-ecc.conf deleted file mode 100644 index 8cfcb9846..000000000 --- a/tests/test-aesccm-ecc.conf +++ /dev/null 
@@ -1,48 +0,0 @@ -# server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 --v 3 --l ECDHE-ECDSA-AES128-CCM-8-SHA256 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 --v 3 --l ECDHE-ECDSA-AES128-CCM-8-SHA256 --A ./certs/server-ecc.pem - -# server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 --v 3 --l ECDHE-ECDSA-AES256-CCM-8-SHA384 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 --v 3 --l ECDHE-ECDSA-AES256-CCM-8-SHA384 --A ./certs/server-ecc.pem - -# server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 NON-BLOCKING --v 3 --l ECDHE-ECDSA-AES128-CCM-8-SHA256 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem --N - -# client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 NON-BLOCKING --v 3 --l ECDHE-ECDSA-AES128-CCM-8-SHA256 --A ./certs/server-ecc.pem --N - -# server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 NON-BLOCKING --v 3 --l ECDHE-ECDSA-AES256-CCM-8-SHA384 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem --N - -# client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 NON-BLOCKING --v 3 --l ECDHE-ECDSA-AES256-CCM-8-SHA384 --A ./certs/server-ecc.pem --N - diff --git a/tests/test-aesccm.conf b/tests/test-aesccm.conf deleted file mode 100644 index a86643120..000000000 --- a/tests/test-aesccm.conf +++ /dev/null @@ -1,36 +0,0 @@ -# server TLSv1.2 AES128-CCM-8-SHA256 --v 3 --l AES128-CCM-8-SHA256 - -# client TLSv1.2 AES128-CCM-8-SHA256 --v 3 --l AES128-CCM-8-SHA256 - -# server TLSv1.2 AES256-CCM-8-SHA384 --v 3 --l AES256-CCM-8-SHA384 - -# client TLSv1.2 AES256-CCM-8-SHA384 --v 3 --l AES256-CCM-8-SHA384 - -# server TLSv1.2 AES128-CCM-8-SHA256 NON-BLOCKING --v 3 --l AES128-CCM-8-SHA256 --N - -# client TLSv1.2 AES128-CCM-8-SHA256 NON-BLOCKING --v 3 --l AES128-CCM-8-SHA256 --N - -# server TLSv1.2 AES256-CCM-8-SHA384 NON-BLOCKING --v 3 --l AES256-CCM-8-SHA384 --N - -# client TLSv1.2 AES256-CCM-8-SHA384 NON-BLOCKING --v 3 --l AES256-CCM-8-SHA384 --N - 
diff --git a/tests/test-aesgcm-ecc.conf b/tests/test-aesgcm-ecc.conf deleted file mode 100644 index 7aff47f9a..000000000 --- a/tests/test-aesgcm-ecc.conf +++ /dev/null @@ -1,80 +0,0 @@ -# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 --v 3 --l ECDHE-ECDSA-AES128-GCM-SHA256 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 --v 3 --l ECDHE-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem - -# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 --v 3 --l ECDHE-ECDSA-AES256-GCM-SHA384 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 --v 3 --l ECDHE-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem - -# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 --v 3 --l ECDH-ECDSA-AES128-GCM-SHA256 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 --v 3 --l ECDH-ECDSA-AES128-GCM-SHA256 --A ./certs/server-ecc.pem - -# server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 --v 3 --l ECDH-ECDSA-AES256-GCM-SHA384 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 --v 3 --l ECDH-ECDSA-AES256-GCM-SHA384 --A ./certs/server-ecc.pem - -# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 --v 3 --l ECDHE-RSA-AES128-GCM-SHA256 - -# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 --v 3 --l ECDHE-RSA-AES128-GCM-SHA256 - -# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 --v 3 --l ECDHE-RSA-AES256-GCM-SHA384 - -# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 --v 3 --l ECDHE-RSA-AES256-GCM-SHA384 - -# server TLSv1.2 ECDH-RSA-AES128-GCM-SHA256 --v 3 --l ECDH-RSA-AES128-GCM-SHA256 --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-AES128-GCM-SHA256 --v 3 --l ECDH-RSA-AES128-GCM-SHA256 - -# server TLSv1.2 ECDH-RSA-AES256-GCM-SHA384 --v 3 --l ECDH-RSA-AES256-GCM-SHA384 --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-AES256-GCM-SHA384 --v 3 --l ECDH-RSA-AES256-GCM-SHA384 - 
diff --git a/tests/test-aesgcm-openssl.conf b/tests/test-aesgcm-openssl.conf deleted file mode 100644 index 006e27216..000000000 --- a/tests/test-aesgcm-openssl.conf +++ /dev/null @@ -1,16 +0,0 @@ -# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 --v 3 --l DHE-RSA-AES128-GCM-SHA256 - -# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 --v 3 --l DHE-RSA-AES128-GCM-SHA256 - -# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384 --v 3 --l DHE-RSA-AES256-GCM-SHA384 - -# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384 --v 3 --l DHE-RSA-AES256-GCM-SHA384 - diff --git a/tests/test-aesgcm.conf b/tests/test-aesgcm.conf deleted file mode 100644 index 9efc5a578..000000000 --- a/tests/test-aesgcm.conf +++ /dev/null @@ -1,16 +0,0 @@ -# server TLSv1.2 RSA-AES128-GCM-SHA256 --v 3 --l AES128-GCM-SHA256 - -# client TLSv1.2 RSA-AES128-GCM-SHA256 --v 3 --l AES128-GCM-SHA256 - -# server TLSv1.2 RSA-AES256-GCM-SHA384 --v 3 --l AES256-GCM-SHA384 - -# client TLSv1.2 RSA-AES256-GCM-SHA384 --v 3 --l AES256-GCM-SHA384 - diff --git a/tests/test-camellia-openssl.conf b/tests/test-camellia-openssl.conf deleted file mode 100644 index 2b9ff8919..000000000 --- a/tests/test-camellia-openssl.conf +++ /dev/null 
@@ -1,216 +0,0 @@ -# server TLSv1 DHE-RSA-CAMELLIA128-SHA --v 1 --l DHE-RSA-CAMELLIA128-SHA - -# client TLSv1 DHE-RSA-CAMELLIA128-SHA --v 1 --l DHE-RSA-CAMELLIA128-SHA - -# server TLSv1 DHE-RSA-CAMELLIA256-SHA --v 1 --l DHE-RSA-CAMELLIA256-SHA - -# client TLSv1 DHE-RSA-CAMELLIA256-SHA --v 1 --l DHE-RSA-CAMELLIA256-SHA - -# server TLSv1 DHE-RSA-CAMELLIA128-SHA256 --v 1 --l DHE-RSA-CAMELLIA128-SHA256 - -# client TLSv1 DHE-RSA-CAMELLIA128-SHA256 --v 1 --l DHE-RSA-CAMELLIA128-SHA256 - -# server TLSv1 DHE-RSA-CAMELLIA256-SHA256 --v 1 --l DHE-RSA-CAMELLIA256-SHA256 - -# client TLSv1 DHE-RSA-CAMELLIA256-SHA256 --v 1 --l DHE-RSA-CAMELLIA256-SHA256 - -# server TLSv1.1 DHE-RSA-CAMELLIA128-SHA --v 2 --l DHE-RSA-CAMELLIA128-SHA - -# client TLSv1.1 DHE-RSA-CAMELLIA128-SHA --v 2 --l DHE-RSA-CAMELLIA128-SHA - -# server TLSv1.1 DHE-RSA-CAMELLIA256-SHA --v 2 --l DHE-RSA-CAMELLIA256-SHA - -# client TLSv1.1 DHE-RSA-CAMELLIA256-SHA --v 2 --l DHE-RSA-CAMELLIA256-SHA - -# server TLSv1.1 DHE-RSA-CAMELLIA128-SHA256 --v 2 --l DHE-RSA-CAMELLIA128-SHA256 - -# client TLSv1.1 DHE-RSA-CAMELLIA128-SHA256 --v 2 --l DHE-RSA-CAMELLIA128-SHA256 - -# server TLSv1.1 DHE-RSA-CAMELLIA256-SHA256 --v 2 --l DHE-RSA-CAMELLIA256-SHA256 - -# client TLSv1.1 DHE-RSA-CAMELLIA256-SHA256 --v 2 --l DHE-RSA-CAMELLIA256-SHA256 - -# server TLSv1.2 DHE-RSA-CAMELLIA128-SHA --v 3 --l DHE-RSA-CAMELLIA128-SHA - -# client TLSv1.2 DHE-RSA-CAMELLIA128-SHA --v 3 --l DHE-RSA-CAMELLIA128-SHA - -# server TLSv1.2 DHE-RSA-CAMELLIA256-SHA --v 3 --l DHE-RSA-CAMELLIA256-SHA - -# client TLSv1.2 DHE-RSA-CAMELLIA256-SHA --v 3 --l DHE-RSA-CAMELLIA256-SHA - -# server TLSv1.2 DHE-RSA-CAMELLIA128-SHA256 --v 3 --l DHE-RSA-CAMELLIA128-SHA256 - -# client TLSv1.2 DHE-RSA-CAMELLIA128-SHA256 --v 3 --l DHE-RSA-CAMELLIA128-SHA256 - -# server TLSv1.2 DHE-RSA-CAMELLIA256-SHA256 --v 3 --l DHE-RSA-CAMELLIA256-SHA256 - -# client TLSv1.2 DHE-RSA-CAMELLIA256-SHA256 --v 3 --l DHE-RSA-CAMELLIA256-SHA256 - -# server TLSv1 DHE-RSA-CAMELLIA128-SHA NON-BLOCKING 
--v 1 --l DHE-RSA-CAMELLIA128-SHA --N - -# client TLSv1 DHE-RSA-CAMELLIA128-SHA NON-BLOCKING --v 1 --l DHE-RSA-CAMELLIA128-SHA --N - -# server TLSv1 DHE-RSA-CAMELLIA256-SHA NON-BLOCKING --v 1 --l DHE-RSA-CAMELLIA256-SHA --N - -# client TLSv1 DHE-RSA-CAMELLIA256-SHA NON-BLOCKING --v 1 --l DHE-RSA-CAMELLIA256-SHA --N - -# server TLSv1 DHE-RSA-CAMELLIA128-SHA256 NON-BLOCKING --v 1 --l DHE-RSA-CAMELLIA128-SHA256 --N - -# client TLSv1 DHE-RSA-CAMELLIA128-SHA256 NON-BLOCKING --v 1 --l DHE-RSA-CAMELLIA128-SHA256 --N - -# server TLSv1 DHE-RSA-CAMELLIA256-SHA256 NON-BLOCKING --v 1 --l DHE-RSA-CAMELLIA256-SHA256 --N - -# client TLSv1 DHE-RSA-CAMELLIA256-SHA256 NON-BLOCKING --v 1 --l DHE-RSA-CAMELLIA256-SHA256 --N - -# server TLSv1.1 DHE-RSA-CAMELLIA128-SHA NON-BLOCKING --v 2 --l DHE-RSA-CAMELLIA128-SHA --N - -# client TLSv1.1 DHE-RSA-CAMELLIA128-SHA NON-BLOCKING --v 2 --l DHE-RSA-CAMELLIA128-SHA --N - -# server TLSv1.1 DHE-RSA-CAMELLIA256-SHA NON-BLOCKING --v 2 --l DHE-RSA-CAMELLIA256-SHA --N - -# client TLSv1.1 DHE-RSA-CAMELLIA256-SHA NON-BLOCKING --v 2 --l DHE-RSA-CAMELLIA256-SHA --N - -# server TLSv1.1 DHE-RSA-CAMELLIA128-SHA256 NON-BLOCKING --v 2 --l DHE-RSA-CAMELLIA128-SHA256 --N - -# client TLSv1.1 DHE-RSA-CAMELLIA128-SHA256 NON-BLOCKING --v 2 --l DHE-RSA-CAMELLIA128-SHA256 --N - -# server TLSv1.1 DHE-RSA-CAMELLIA256-SHA256 NON-BLOCKING --v 2 --l DHE-RSA-CAMELLIA256-SHA256 --N - -# client TLSv1.1 DHE-RSA-CAMELLIA256-SHA256 NON-BLOCKING --v 2 --l DHE-RSA-CAMELLIA256-SHA256 --N - -# server TLSv1.2 DHE-RSA-CAMELLIA128-SHA NON-BLOCKING --v 3 --l DHE-RSA-CAMELLIA128-SHA --N - -# client TLSv1.2 DHE-RSA-CAMELLIA128-SHA NON-BLOCKING --v 3 --l DHE-RSA-CAMELLIA128-SHA --N - -# server TLSv1.2 DHE-RSA-CAMELLIA256-SHA NON-BLOCKING --v 3 --l DHE-RSA-CAMELLIA256-SHA --N - -# client TLSv1.2 DHE-RSA-CAMELLIA256-SHA NON-BLOCKING --v 3 --l DHE-RSA-CAMELLIA256-SHA --N - -# server TLSv1.2 DHE-RSA-CAMELLIA128-SHA256 NON-BLOCKING --v 3 --l DHE-RSA-CAMELLIA128-SHA256 --N - -# client TLSv1.2 
DHE-RSA-CAMELLIA128-SHA256 NON-BLOCKING --v 3 --l DHE-RSA-CAMELLIA128-SHA256 --N - -# server TLSv1.2 DHE-RSA-CAMELLIA256-SHA256 NON-BLOCKING --v 3 --l DHE-RSA-CAMELLIA256-SHA256 --N - -# client TLSv1.2 DHE-RSA-CAMELLIA256-SHA256 NON-BLOCKING --v 3 --l DHE-RSA-CAMELLIA256-SHA256 --N - diff --git a/tests/test-camellia.conf b/tests/test-camellia.conf deleted file mode 100644 index f0ed3cc4f..000000000 --- a/tests/test-camellia.conf +++ /dev/null 
@@ -1,216 +0,0 @@ -# server TLSv1 CAMELLIA128-SHA --v 1 --l CAMELLIA128-SHA - -# client TLSv1 CAMELLIA128-SHA --v 1 --l CAMELLIA128-SHA - -# server TLSv1 CAMELLIA256-SHA --v 1 --l CAMELLIA256-SHA - -# client TLSv1 CAMELLIA256-SHA --v 1 --l CAMELLIA256-SHA - -# server TLSv1 CAMELLIA128-SHA256 --v 1 --l CAMELLIA128-SHA256 - -# client TLSv1 CAMELLIA128-SHA256 --v 1 --l CAMELLIA128-SHA256 - -# server TLSv1 CAMELLIA256-SHA256 --v 1 --l CAMELLIA256-SHA256 - -# client TLSv1 CAMELLIA256-SHA256 --v 1 --l CAMELLIA256-SHA256 - -# server TLSv1.1 CAMELLIA128-SHA --v 2 --l CAMELLIA128-SHA - -# client TLSv1.1 CAMELLIA128-SHA --v 2 --l CAMELLIA128-SHA - -# server TLSv1.1 CAMELLIA256-SHA --v 2 --l CAMELLIA256-SHA - -# client TLSv1.1 CAMELLIA256-SHA --v 2 --l CAMELLIA256-SHA - -# server TLSv1.1 CAMELLIA128-SHA256 --v 2 --l CAMELLIA128-SHA256 - -# client TLSv1.1 CAMELLIA128-SHA256 --v 2 --l CAMELLIA128-SHA256 - -# server TLSv1.1 CAMELLIA256-SHA256 --v 2 --l CAMELLIA256-SHA256 - -# client TLSv1.1 CAMELLIA256-SHA256 --v 2 --l CAMELLIA256-SHA256 - -# server TLSv1.2 CAMELLIA128-SHA --v 3 --l CAMELLIA128-SHA - -# client TLSv1.2 CAMELLIA128-SHA --v 3 --l CAMELLIA128-SHA - -# server TLSv1.2 CAMELLIA256-SHA --v 3 --l CAMELLIA256-SHA - -# client TLSv1.2 CAMELLIA256-SHA --v 3 --l CAMELLIA256-SHA - -# server TLSv1.2 CAMELLIA128-SHA256 --v 3 --l CAMELLIA128-SHA256 - -# client TLSv1.2 CAMELLIA128-SHA256 --v 3 --l CAMELLIA128-SHA256 - -# server TLSv1.2 CAMELLIA256-SHA256 --v 3 --l CAMELLIA256-SHA256 - -# client TLSv1.2 CAMELLIA256-SHA256 --v 3 --l CAMELLIA256-SHA256 - -# server TLSv1 CAMELLIA128-SHA NON-BLOCKING --v 1 --l CAMELLIA128-SHA --N - -# client TLSv1 CAMELLIA128-SHA NON-BLOCKING --v 1 --l CAMELLIA128-SHA --N - -# server TLSv1 CAMELLIA256-SHA NON-BLOCKING --v 1 --l CAMELLIA256-SHA --N - -# client TLSv1 CAMELLIA256-SHA NON-BLOCKING --v 1 --l CAMELLIA256-SHA --N - -# server TLSv1 CAMELLIA128-SHA256 NON-BLOCKING --v 1 --l CAMELLIA128-SHA256 --N - -# client TLSv1 CAMELLIA128-SHA256 
NON-BLOCKING --v 1 --l CAMELLIA128-SHA256 --N - -# server TLSv1 CAMELLIA256-SHA256 NON-BLOCKING --v 1 --l CAMELLIA256-SHA256 --N - -# client TLSv1 CAMELLIA256-SHA256 NON-BLOCKING --v 1 --l CAMELLIA256-SHA256 --N - -# server TLSv1.1 CAMELLIA128-SHA NON-BLOCKING --v 2 --l CAMELLIA128-SHA --N - -# client TLSv1.1 CAMELLIA128-SHA NON-BLOCKING --v 2 --l CAMELLIA128-SHA --N - -# server TLSv1.1 CAMELLIA256-SHA NON-BLOCKING --v 2 --l CAMELLIA256-SHA --N - -# client TLSv1.1 CAMELLIA256-SHA NON-BLOCKING --v 2 --l CAMELLIA256-SHA --N - -# server TLSv1.1 CAMELLIA128-SHA256 NON-BLOCKING --v 2 --l CAMELLIA128-SHA256 --N - -# client TLSv1.1 CAMELLIA128-SHA256 NON-BLOCKING --v 2 --l CAMELLIA128-SHA256 --N - -# server TLSv1.1 CAMELLIA256-SHA256 NON-BLOCKING --v 2 --l CAMELLIA256-SHA256 --N - -# client TLSv1.1 CAMELLIA256-SHA256 NON-BLOCKING --v 2 --l CAMELLIA256-SHA256 --N - -# server TLSv1.2 CAMELLIA128-SHA NON-BLOCKING --v 3 --l CAMELLIA128-SHA --N - -# client TLSv1.2 CAMELLIA128-SHA NON-BLOCKING --v 3 --l CAMELLIA128-SHA --N - -# server TLSv1.2 CAMELLIA256-SHA NON-BLOCKING --v 3 --l CAMELLIA256-SHA --N - -# client TLSv1.2 CAMELLIA256-SHA NON-BLOCKING --v 3 --l CAMELLIA256-SHA --N - -# server TLSv1.2 CAMELLIA128-SHA256 NON-BLOCKING --v 3 --l CAMELLIA128-SHA256 --N - -# client TLSv1.2 CAMELLIA128-SHA256 NON-BLOCKING --v 3 --l CAMELLIA128-SHA256 --N - -# server TLSv1.2 CAMELLIA256-SHA256 NON-BLOCKING --v 3 --l CAMELLIA256-SHA256 --N - -# client TLSv1.2 CAMELLIA256-SHA256 NON-BLOCKING --v 3 --l CAMELLIA256-SHA256 --N - diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf index d733e0ecf..95739f0ed 100644 --- a/tests/test-dtls.conf +++ b/tests/test-dtls.conf 
@@ -1,98 +1,782 @@ # server DTLSv1 RC4-SHA -u +-v 2 -l RC4-SHA # client DTLSv1 RC4-SHA -u +-v 2 +-l RC4-SHA + +# server DTLSv1.2 RC4-SHA +-u +-v 3 +-l RC4-SHA + +# client DTLSv1.2 RC4-SHA +-u +-v 3 -l RC4-SHA # server DTLSv1 DES-CBC3-SHA -u +-v 2 -l DES-CBC3-SHA # client DTLSv1 DES-CBC3-SHA -u +-v 2 +-l DES-CBC3-SHA + +# server DTLSv1.2 DES-CBC3-SHA +-u +-v 3 +-l DES-CBC3-SHA + +# client DTLSv1.2 DES-CBC3-SHA +-u +-v 3 -l DES-CBC3-SHA # server DTLSv1 AES128-SHA -u +-v 2 -l AES128-SHA # client DTLSv1 AES128-SHA -u +-v 2 +-l AES128-SHA + +# server DTLSv1.2 AES128-SHA +-u +-v 3 +-l AES128-SHA + +# client DTLSv1.2 AES128-SHA +-u +-v 3 -l AES128-SHA # server DTLSv1 AES256-SHA -u +-v 2 -l AES256-SHA # client DTLSv1 AES256-SHA -u +-v 2 +-l AES256-SHA + +# server DTLSv1.2 AES256-SHA +-u +-v 3 +-l AES256-SHA + +# client DTLSv1.2 AES256-SHA +-u +-v 3 -l AES256-SHA # server DTLSv1 AES128-SHA256 -u +-v 2 -l AES128-SHA256 # client DTLSv1 AES128-SHA256 -u +-v 2 +-l AES128-SHA256 + +# server DTLSv1.2 AES128-SHA256 +-u +-v 3 +-l AES128-SHA256 + +# client DTLSv1.2 AES128-SHA256 +-u +-v 3 -l AES128-SHA256 # server DTLSv1 AES256-SHA256 -u +-v 2 -l AES256-SHA256 # client DTLSv1 AES256-SHA256 -u +-v 2 -l AES256-SHA256 -# server DTLSv1 DES-CBC3-SHA NON-BLOCKING --u --l DES-CBC3-SHA --N - -# client DTLSv1 DES-CBC3-SHA NON-BLOCKING --u --l DES-CBC3-SHA --N - -# server DTLSv1 AES128-SHA NON-BLOCKING --u --l AES128-SHA --N - -# client DTLSv1 AES128-SHA NON-BLOCKING --u --l AES128-SHA --N - -# server DTLSv1 AES256-SHA NON-BLOCKING --u --l AES256-SHA --N - -# client DTLSv1 AES256-SHA NON-BLOCKING --u --l AES256-SHA --N - -# server DTLSv1 AES128-SHA256 NON-BLOCKING --u --l AES128-SHA256 --N - -# client DTLSv1 AES128-SHA256 NON-BLOCKING --u --l AES128-SHA256 --N - -# server DTLSv1 AES256-SHA256 NON-BLOCKING +# server DTLSv1.2 AES256-SHA256 -u +-v 3 -l AES256-SHA256 --N -# client DTLSv1 AES256-SHA256 NON-BLOCKING +# client DTLSv1.2 AES256-SHA256 -u +-v 3 -l AES256-SHA256 --N + +# server DTLSv1 
ECDHE-RSA-RC4 +-u +-v 2 +-l ECDHE-RSA-RC4-SHA + +# client DTLSv1 ECDHE-RSA-RC4 +-u +-v 2 +-l ECDHE-RSA-RC4-SHA + +# server DTLSv1.1 ECDHE-RSA-DES3 +-u +-v 2 +-l ECDHE-RSA-DES-CBC3-SHA + +# client DTLSv1.1 ECDHE-RSA-DES3 +-u +-v 2 +-l ECDHE-RSA-DES-CBC3-SHA + +# server DTLSv1.1 ECDHE-RSA-AES128 +-u +-v 2 +-l ECDHE-RSA-AES128-SHA + +# client DTLSv1.1 ECDHE-RSA-AES128 +-u +-v 2 +-l ECDHE-RSA-AES128-SHA + +# server DTLSv1.1 ECDHE-RSA-AES256 +-u +-v 2 +-l ECDHE-RSA-AES256-SHA + +# client DTLSv1.1 ECDHE-RSA-AES256 +-u +-v 2 +-l ECDHE-RSA-AES256-SHA + +# server DTLSv1.2 ECDHE-RSA-RC4 +-u +-v 3 +-l ECDHE-RSA-RC4-SHA + +# client DTLSv1.2 ECDHE-RSA-RC4 +-u +-v 3 +-l ECDHE-RSA-RC4-SHA + +# server DTLSv1.2 ECDHE-RSA-DES3 +-u +-v 3 +-l ECDHE-RSA-DES-CBC3-SHA + +# client DTLSv1.2 ECDHE-RSA-DES3 +-u +-v 3 +-l ECDHE-RSA-DES-CBC3-SHA + +# server DTLSv1.2 ECDHE-RSA-AES128 +-u +-v 3 +-l ECDHE-RSA-AES128-SHA + +# client DTLSv1.2 ECDHE-RSA-AES128 +-u +-v 3 +-l ECDHE-RSA-AES128-SHA + +# server DTLSv1.2 ECDHE-RSA-AES128-SHA256 +-u +-v 3 +-l ECDHE-RSA-AES128-SHA256 + +# client DTLSv1.2 ECDHE-RSA-AES128-SHA256 +-u +-v 3 +-l ECDHE-RSA-AES128-SHA256 + +# server DTLSv1.2 ECDHE-RSA-AES256 +-u +-v 3 +-l ECDHE-RSA-AES256-SHA + +# client DTLSv1.2 ECDHE-RSA-AES256 +-u +-v 3 +-l ECDHE-RSA-AES256-SHA + +# server DTLSv1.1 ECDHE-EDCSA-RC4 +-u +-v 2 +-l ECDHE-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDHE-ECDSA-RC4 +-u +-v 2 +-l ECDHE-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.1 ECDHE-ECDSA-DES3 +-u +-v 2 +-l ECDHE-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDHE-ECDSA-DES3 +-u +-v 2 +-l ECDHE-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.1 ECDHE-ECDSA-AES128 +-u +-v 2 +-l ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDHE-ECDSA-AES128 +-u +-v 2 +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.1 
ECDHE-ECDSA-AES256 +-u +-v 2 +-l ECDHE-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDHE-ECDSA-AES256 +-u +-v 2 +-l ECDHE-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-ECDSA-RC4 +-u +-v 3 +-l ECDHE-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-RC4 +-u +-v 3 +-l ECDHE-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-ECDSA-DES3 +-u +-v 3 +-l ECDHE-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-DES3 +-u +-v 3 +-l ECDHE-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES128 +-u +-v 3 +-l ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128 +-u +-v 3 +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES128-SHA256 +-u +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-SHA256 +-u +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES256 +-u +-v 3 +-l ECDHE-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256 +-u +-v 3 +-l ECDHE-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.1 ECDH-RSA-RC4 +-u +-v 2 +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDH-RSA-RC4 +-u +-v 2 +-l ECDH-RSA-RC4-SHA + +# server DTLSv1.1 ECDH-RSA-DES3 +-u +-v 2 +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDH-RSA-DES3 +-u +-v 2 +-l ECDH-RSA-DES-CBC3-SHA + +# server DTLSv1.1 ECDH-RSA-AES128 +-u +-v 2 +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDH-RSA-AES128 +-u +-v 2 +-l ECDH-RSA-AES128-SHA + +# server DTLSv1.1 ECDH-RSA-AES256 +-u 
+-v 2 +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDH-RSA-AES256 +-u +-v 2 +-l ECDH-RSA-AES256-SHA + +# server DTLSv1.2 ECDH-RSA-RC4 +-u +-v 3 +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-RSA-RC4 +-u +-v 3 +-l ECDH-RSA-RC4-SHA + +# server DTLSv1.2 ECDH-RSA-DES3 +-u +-v 3 +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-RSA-DES3 +-u +-v 3 +-l ECDH-RSA-DES-CBC3-SHA + +# server DTLSv1.2 ECDH-RSA-AES128 +-u +-v 3 +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-RSA-AES128 +-u +-v 3 +-l ECDH-RSA-AES128-SHA + +# server DTLSv1.2 ECDH-RSA-AES128-SHA256 +-u +-v 3 +-l ECDH-RSA-AES128-SHA256 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-RSA-AES128-SHA256 +-u +-v 3 +-l ECDH-RSA-AES128-SHA256 + +# server DTLSv1.2 ECDH-RSA-AES256 +-u +-v 3 +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-RSA-AES256 +-u +-v 3 +-l ECDH-RSA-AES256-SHA + +# server DTLSv1.1 ECDH-EDCSA-RC4 +-u +-v 2 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDH-ECDSA-RC4 +-u +-v 2 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.1 ECDH-ECDSA-DES3 +-u +-v 2 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDH-ECDSA-DES3 +-u +-v 2 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.1 ECDH-ECDSA-AES128 +-u +-v 2 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDH-ECDSA-AES128 +-u +-v 2 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.1 ECDH-ECDSA-AES256 +-u +-v 2 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.1 ECDH-ECDSA-AES256 +-u +-v 2 +-l 
ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-ECDSA-RC4 +-u +-v 3 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-ECDSA-RC4 +-u +-v 3 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDH-ECDSA-DES3 +-u +-v 3 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-ECDSA-DES3 +-u +-v 3 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDH-ECDSA-AES128 +-u +-v 3 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-ECDSA-AES128 +-u +-v 3 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDH-ECDSA-AES128-SHA256 +-u +-v 3 +-l ECDH-ECDSA-AES128-SHA256 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-ECDSA-AES128-SHA256 +-u +-v 3 +-l ECDH-ECDSA-AES128-SHA256 +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDH-ECDSA-AES256 +-u +-v 3 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-ECDSA-AES256 +-u +-v 3 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-RSA-AES256-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-SHA384 + +# client DTLSv1.2 ECDHE-RSA-AES256-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-SHA384 + +# server DTLSv1.2 ECDHE-ECDSA-AES256-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-SHA384 +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDH-RSA-AES256-SHA384 +-u +-v 3 +-l ECDH-RSA-AES256-SHA384 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-RSA-AES256-SHA384 +-u +-v 3 +-l ECDH-RSA-AES256-SHA384 + +# server DTLSv1.2 ECDH-ECDSA-AES256-SHA384 +-u +-v 3 +-l ECDH-ECDSA-AES256-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 
ECDH-ECDSA-AES256-SHA384 +-u +-v 3 +-l ECDH-ECDSA-AES256-SHA384 +-A ./certs/server-ecc.pem + +# server DTLSv1 PSK-AES128 +-s +-u +-v 2 +-l PSK-AES128-CBC-SHA + +# client DTLSv1 PSK-AES128 +-s +-u +-v 2 +-l PSK-AES128-CBC-SHA + +# server DTLSv1 PSK-AES256 +-s +-u +-v 2 +-l PSK-AES256-CBC-SHA + +# client DTLSv1 PSK-AES256 +-s +-u +-v 2 +-l PSK-AES256-CBC-SHA + +# server DTLSv1.2 PSK-AES128 +-s +-u +-v 3 +-l PSK-AES128-CBC-SHA + +# client DTLSv1.2 PSK-AES128 +-s +-u +-v 3 +-l PSK-AES128-CBC-SHA + +# server DTLSv1.2 PSK-AES256 +-s +-u +-v 3 +-l PSK-AES256-CBC-SHA + +# client DTLSv1.2 PSK-AES256 +-s +-u +-v 3 +-l PSK-AES256-CBC-SHA + +# server DTLSv1.2 PSK-AES128-SHA256 +-s +-u +-v 3 +-l PSK-AES128-CBC-SHA256 + +# client DTLSv1.2 PSK-AES128-SHA256 +-s +-u +-v 3 +-l PSK-AES128-CBC-SHA256 + +# server DTLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-u +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 +-u +-v 3 +-l ECDHE-ECDSA-AES128-GCM-SHA256 +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-GCM-SHA384 +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 +-u +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 +-u +-v 3 +-l ECDH-ECDSA-AES128-GCM-SHA256 +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDH-ECDSA-AES256-GCM-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDH-ECDSA-AES256-GCM-SHA384 +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 +-u +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 + +# client DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 
+-u +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 + +# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDHE-RSA-AES256-GCM-SHA384 + +# server DTLSv1.2 ECDH-RSA-AES128-GCM-SHA256 +-u +-v 3 +-l ECDH-RSA-AES128-GCM-SHA256 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-RSA-AES128-GCM-SHA256 +-u +-v 3 +-l ECDH-RSA-AES128-GCM-SHA256 + +# server DTLSv1.2 ECDH-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDH-RSA-AES256-GCM-SHA384 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDH-RSA-AES256-GCM-SHA384 +-u +-v 3 +-l ECDH-RSA-AES256-GCM-SHA384 + +# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM-8-SHA256 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM-8-SHA256 +-A ./certs/server-ecc.pem + +# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-CCM-8-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 +-u +-v 3 +-l ECDHE-ECDSA-AES256-CCM-8-SHA384 +-A ./certs/server-ecc.pem diff --git a/tests/test-ecc.conf b/tests/test-ecc.conf deleted file mode 100644 index ca1bc56f5..000000000 --- a/tests/test-ecc.conf +++ /dev/null 
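Review bot: Several of the added comment headers do not match the entry under them: `# server DTLSv1.2 ECDHE-ECDSA-RC4` is followed by `-l ECDH-ECDSA-RC4-SHA`, and `ECDHE-EDCSA-RC4` / `ECDH-EDCSA-RC4` misspell ECDSA. The `-v 2` entries are labelled `DTLSv1` in the first part of the file and `DTLSv1.1` in the ECC part, although DTLS has no 1.1 version and both groups pass the same `-v 2`. Suggested headers: `# server DTLSv1.2 ECDH-ECDSA-RC4`, `# server DTLSv1 ECDHE-ECDSA-RC4`, and `DTLSv1` for every `-v 2` block, so that a failing case can be traced to the right suite and protocol version.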
@@ -1,480 +0,0 @@
-# server TLSv1 ECDHE-RSA-RC4
--v 1
--l ECDHE-RSA-RC4-SHA
-
-# client TLSv1 ECDHE-RSA-RC4
--v 1
--l ECDHE-RSA-RC4-SHA
-
-# server TLSv1 ECDHE-RSA-DES3
--v 1
--l ECDHE-RSA-DES-CBC3-SHA
-
-# client TLSv1 ECDHE-RSA-DES3
--v 1
--l ECDHE-RSA-DES-CBC3-SHA
-
-# server TLSv1 ECDHE-RSA-AES128
--v 1
--l ECDHE-RSA-AES128-SHA
-
-# client TLSv1 ECDHE-RSA-AES128
--v 1
--l ECDHE-RSA-AES128-SHA
-
-# server TLSv1 ECDHE-RSA-AES256
--v 1
--l ECDHE-RSA-AES256-SHA
-
-# client TLSv1 ECDHE-RSA-AES256
--v 1
--l ECDHE-RSA-AES256-SHA
-
-# server TLSv1.1 ECDHE-RSA-RC4
--v 2
--l ECDHE-RSA-RC4-SHA
-
-# client TLSv1.1 ECDHE-RSA-RC4
--v 2
--l ECDHE-RSA-RC4-SHA
-
-# server TLSv1.1 ECDHE-RSA-DES3
--v 2
--l ECDHE-RSA-DES-CBC3-SHA
-
-# client TLSv1.1 ECDHE-RSA-DES3
--v 2
--l ECDHE-RSA-DES-CBC3-SHA
-
-# server TLSv1.1 ECDHE-RSA-AES128
--v 2
--l ECDHE-RSA-AES128-SHA
-
-# client TLSv1.1 ECDHE-RSA-AES128
--v 2
--l ECDHE-RSA-AES128-SHA
-
-# server TLSv1.1 ECDHE-RSA-AES256
--v 2
--l ECDHE-RSA-AES256-SHA
-
-# client TLSv1.1 ECDHE-RSA-AES256
--v 2
--l ECDHE-RSA-AES256-SHA
-
-# server TLSv1.2 ECDHE-RSA-RC4
--v 3
--l ECDHE-RSA-RC4-SHA
-
-# client TLSv1.2 ECDHE-RSA-RC4
--v 3
--l ECDHE-RSA-RC4-SHA
-
-# server TLSv1.2 ECDHE-RSA-DES3
--v 3
--l ECDHE-RSA-DES-CBC3-SHA
-
-# client TLSv1.2 ECDHE-RSA-DES3
--v 3
--l ECDHE-RSA-DES-CBC3-SHA
-
-# server TLSv1.2 ECDHE-RSA-AES128
--v 3
--l ECDHE-RSA-AES128-SHA
-
-# client TLSv1.2 ECDHE-RSA-AES128
--v 3
--l ECDHE-RSA-AES128-SHA
-
-# server TLSv1.2 ECDHE-RSA-AES256
--v 3
--l ECDHE-RSA-AES256-SHA
-
-# client TLSv1.2 ECDHE-RSA-AES256
--v 3
--l ECDHE-RSA-AES256-SHA
-
-# server TLSv1 ECDHE-ECDSA-RC4
--v 1
--l ECDHE-ECDSA-RC4-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDHE-ECDSA-RC4
--v 1
--l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1 ECDHE-ECDSA-DES3
--v 1
--l ECDHE-ECDSA-DES-CBC3-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDHE-ECDSA-DES3
--v 1
--l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1 ECDHE-ECDSA-AES128
--v 1
--l ECDHE-ECDSA-AES128-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDHE-ECDSA-AES128
--v 1
--l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1 ECDHE-ECDSA-AES256
--v 1
--l ECDHE-ECDSA-AES256-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDHE-ECDSA-AES256
--v 1
--l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.1 ECDHE-EDCSA-RC4
--v 2
--l ECDHE-ECDSA-RC4-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDHE-ECDSA-RC4
--v 2
--l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.1 ECDHE-ECDSA-DES3
--v 2
--l ECDHE-ECDSA-DES-CBC3-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDHE-ECDSA-DES3
--v 2
--l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.1 ECDHE-ECDSA-AES128
--v 2
--l ECDHE-ECDSA-AES128-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDHE-ECDSA-AES128
--v 2
--l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.1 ECDHE-ECDSA-AES256
--v 2
--l ECDHE-ECDSA-AES256-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDHE-ECDSA-AES256
--v 2
--l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.2 ECDHE-ECDSA-RC4
--v 3
--l ECDHE-ECDSA-RC4-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDHE-ECDSA-RC4
--v 3
--l ECDHE-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.2 ECDHE-ECDSA-DES3
--v 3
--l ECDHE-ECDSA-DES-CBC3-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDHE-ECDSA-DES3
--v 3
--l ECDHE-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.2 ECDHE-ECDSA-AES128
--v 3
--l ECDHE-ECDSA-AES128-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDHE-ECDSA-AES128
--v 3
--l ECDHE-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.2 ECDHE-ECDSA-AES256
--v 3
--l ECDHE-ECDSA-AES256-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDHE-ECDSA-AES256
--v 3
--l ECDHE-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1 ECDH-RSA-RC4
--v 1
--l ECDH-RSA-RC4-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDH-RSA-RC4
--v 1
--l ECDH-RSA-RC4-SHA
-
-# server TLSv1 ECDH-RSA-DES3
--v 1
--l ECDH-RSA-DES-CBC3-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDH-RSA-DES3
--v 1
--l ECDH-RSA-DES-CBC3-SHA
-
-# server TLSv1 ECDH-RSA-AES128
--v 1
--l ECDH-RSA-AES128-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDH-RSA-AES128
--v 1
--l ECDH-RSA-AES128-SHA
-
-# server TLSv1 ECDH-RSA-AES256
--v 1
--l ECDH-RSA-AES256-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDH-RSA-AES256
--v 1
--l ECDH-RSA-AES256-SHA
-
-# server TLSv1.1 ECDH-RSA-RC4
--v 2
--l ECDH-RSA-RC4-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDH-RSA-RC4
--v 2
--l ECDH-RSA-RC4-SHA
-
-# server TLSv1.1 ECDH-RSA-DES3
--v 2
--l ECDH-RSA-DES-CBC3-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDH-RSA-DES3
--v 2
--l ECDH-RSA-DES-CBC3-SHA
-
-# server TLSv1.1 ECDH-RSA-AES128
--v 2
--l ECDH-RSA-AES128-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDH-RSA-AES128
--v 2
--l ECDH-RSA-AES128-SHA
-
-# server TLSv1.1 ECDH-RSA-AES256
--v 2
--l ECDH-RSA-AES256-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDH-RSA-AES256
--v 2
--l ECDH-RSA-AES256-SHA
-
-# server TLSv1.2 ECDH-RSA-RC4
--v 3
--l ECDH-RSA-RC4-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDH-RSA-RC4
--v 3
--l ECDH-RSA-RC4-SHA
-
-# server TLSv1.2 ECDH-RSA-DES3
--v 3
--l ECDH-RSA-DES-CBC3-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDH-RSA-DES3
--v 3
--l ECDH-RSA-DES-CBC3-SHA
-
-# server TLSv1.2 ECDH-RSA-AES128
--v 3
--l ECDH-RSA-AES128-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDH-RSA-AES128
--v 3
--l ECDH-RSA-AES128-SHA
-
-# server TLSv1.2 ECDH-RSA-AES256
--v 3
--l ECDH-RSA-AES256-SHA
--c ./certs/server-ecc-rsa.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDH-RSA-AES256
--v 3
--l ECDH-RSA-AES256-SHA
-
-# server TLSv1 ECDH-ECDSA-RC4
--v 1
--l ECDH-ECDSA-RC4-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDH-ECDSA-RC4
--v 1
--l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1 ECDH-ECDSA-DES3
--v 1
--l ECDH-ECDSA-DES-CBC3-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDH-ECDSA-DES3
--v 1
--l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1 ECDH-ECDSA-AES128
--v 1
--l ECDH-ECDSA-AES128-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDH-ECDSA-AES128
--v 1
--l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1 ECDH-ECDSA-AES256
--v 1
--l ECDH-ECDSA-AES256-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1 ECDH-ECDSA-AES256
--v 1
--l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.1 ECDH-EDCSA-RC4
--v 2
--l ECDH-ECDSA-RC4-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDH-ECDSA-RC4
--v 2
--l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.1 ECDH-ECDSA-DES3
--v 2
--l ECDH-ECDSA-DES-CBC3-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDH-ECDSA-DES3
--v 2
--l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.1 ECDH-ECDSA-AES128
--v 2
--l ECDH-ECDSA-AES128-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDH-ECDSA-AES128
--v 2
--l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.1 ECDH-ECDSA-AES256
--v 2
--l ECDH-ECDSA-AES256-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.1 ECDH-ECDSA-AES256
--v 2
--l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.2 ECDHE-ECDSA-RC4
--v 3
--l ECDH-ECDSA-RC4-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDH-ECDSA-RC4
--v 3
--l ECDH-ECDSA-RC4-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.2 ECDH-ECDSA-DES3
--v 3
--l ECDH-ECDSA-DES-CBC3-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDH-ECDSA-DES3
--v 3
--l ECDH-ECDSA-DES-CBC3-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.2 ECDH-ECDSA-AES128
--v 3
--l ECDH-ECDSA-AES128-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDH-ECDSA-AES128
--v 3
--l ECDH-ECDSA-AES128-SHA
--A ./certs/server-ecc.pem
-
-# server TLSv1.2 ECDH-ECDSA-AES256
--v 3
--l ECDH-ECDSA-AES256-SHA
--c ./certs/server-ecc.pem
--k ./certs/ecc-key.pem
-
-# client TLSv1.2 ECDH-ECDSA-AES256
--v 3
--l ECDH-ECDSA-AES256-SHA
--A ./certs/server-ecc.pem
-
diff --git a/tests/test-hc128.conf b/tests/test-hc128.conf
deleted file mode 100644
index feb0b1228..000000000
--- a/tests/test-hc128.conf
+++ /dev/null
@@ -1,48 +0,0 @@
-# server TLSv1 HC128-SHA
--v 1
--l HC128-SHA
-
-# client TLSv1 HC128-SHA
--v 1
--l HC128-SHA
-
-# server TLSv1 HC128-MD5
--v 1
--l HC128-MD5
-
-# client TLSv1 HC128-MD5
--v 1
--l HC128-MD5
-
-# server TLSv1.1 HC128-SHA
--v 2
--l HC128-SHA
-
-# client TLSv1.1 HC128-SHA
--v 2
--l HC128-SHA
-
-# server TLSv1.1 HC128-MD5
--v 2
--l HC128-MD5
-
-# client TLSv1.1 HC128-MD5
--v 2
--l HC128-MD5
-
-# server TLSv1.2 HC128-SHA
--v 3
--l HC128-SHA
-
-# client TLSv1.2 HC128-SHA
--v 3
--l HC128-SHA
-
-# server TLSv1.2 HC128-MD5
--v 3
--l HC128-MD5
-
-# client TLSv1.2 HC128-MD5
--v 3
--l HC128-MD5
-
diff --git a/tests/test-leanpsk.conf b/tests/test-leanpsk.conf
deleted file mode 100644
index b319ae19a..000000000
--- a/tests/test-leanpsk.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# server TLSv1.2 PSK-NULL
--s
--v 3
--l PSK-NULL-SHA
-
-# client TLSv1.2 PSK-NULL
--s
--v 3
--l PSK-NULL-SHA
-
-# server TLSv1.2 PSK-NULL-SHA256
--s
--v 3
--l PSK-NULL-SHA256
-
-# client TLSv1.2 PSK-NULL-SHA256
--s
--v 3
--l PSK-NULL-SHA256
-
diff --git a/tests/test-ntru.conf b/tests/test-ntru.conf
deleted file mode 100644
index 7674fb572..000000000
--- a/tests/test-ntru.conf
+++ /dev/null
@@ -1,132 +0,0 @@
-# server TLSv1 NTRU_RC4
--v 1
--l NTRU-RC4-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1 NTRU_RC4
--v 1
--l NTRU-RC4-SHA
-
-# server TLSv1 NTRU_DES3
--v 1
--l NTRU-DES-CBC3-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1 NTRU_DES3
--v 1
--l NTRU-DES-CBC3-SHA
-
-# server TLSv1 NTRU_AES128
--v 1
--l NTRU-AES128-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1 NTRU_AES128
--v 1
--l NTRU-AES128-SHA
-
-# server TLSv1 NTRU_AES256
--v 1
--l NTRU-AES256-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1 NTRU_AES256
--v 1
--l NTRU-AES256-SHA
-
-# server TLSv1.1 NTRU_RC4
--v 2
--l NTRU-RC4-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1.1 NTRU_RC4
--v 2
--l NTRU-RC4-SHA
-
-# server TLSv1.1 NTRU_DES3
--v 2
--l NTRU-DES-CBC3-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1.1 NTRU_DES3
--v 2
--l NTRU-DES-CBC3-SHA
-
-# server TLSv1.1 NTRU_AES128
--v 2
--l NTRU-AES128-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1.1 NTRU_AES128
--v 2
--l NTRU-AES128-SHA
-
-# server TLSv1.1 NTRU_AES256
--v 2
--l NTRU-AES256-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1.1 NTRU_AES256
--v 2
--l NTRU-AES256-SHA
-
-# server TLSv1.2 NTRU_RC4
--v 3
--l NTRU-RC4-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1.2 NTRU_RC4
--v 3
--l NTRU-RC4-SHA
-
-# server TLSv1.2 NTRU_DES3
--v 3
--l NTRU-DES-CBC3-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1.2 NTRU_DES3
--v 3
--l NTRU-DES-CBC3-SHA
-
-# server TLSv1.2 NTRU_AES128
--v 3
--l NTRU-AES128-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1.2 NTRU_AES128
--v 3
--l NTRU-AES128-SHA
-
-# server TLSv1.2 NTRU_AES256
--v 3
--l NTRU-AES256-SHA
--n
--c ./certs/ntru-cert.pem
--k ./certs/ntru-key.raw
-
-# client TLSv1.2 NTRU_AES256
--v 3
--l NTRU-AES256-SHA
-
diff --git a/tests/test-null.conf b/tests/test-null.conf
deleted file mode 100644
index cd63d4257..000000000
--- a/tests/test-null.conf
+++ /dev/null
@@ -1,48 +0,0 @@
-# server TLSv1.0 RSA-NULL-SHA
--v 1
--l NULL-SHA
-
-# client TLSv1.0 RSA-NULL-SHA
--v 1
--l NULL-SHA
-
-# server TLSv1.1 RSA-NULL-SHA
--v 2
--l NULL-SHA
-
-# client TLSv1.1 RSA-NULL-SHA
--v 2
--l NULL-SHA
-
-# server TLSv1.2 RSA-NULL-SHA
--v 3
--l NULL-SHA
-
-# client TLSv1.2 RSA-NULL-SHA
--v 3
--l NULL-SHA
-
-# server TLSv1.0 RSA-NULL-SHA256
--v 1
--l NULL-SHA256
-
-# client TLSv1.0 RSA-NULL-SHA256
--v 1
--l NULL-SHA256
-
-# server TLSv1.1 RSA-NULL-SHA256
--v 2
--l NULL-SHA256
-
-# client TLSv1.1 RSA-NULL-SHA256
--v 2
--l NULL-SHA256
-
-# server TLSv1.2 RSA-NULL-SHA256
--v 3
--l NULL-SHA256
-
-# client TLSv1.2 RSA-NULL-SHA256
--v 3
--l NULL-SHA256
-
diff --git a/tests/test-openssl.conf b/tests/test-openssl.conf
deleted file mode 100644
index 22a287a4a..000000000
--- a/tests/test-openssl.conf
+++ /dev/null
@@ -1,96 +0,0 @@
-# server TLSv1 DHE AES128
--v 1
--l DHE-RSA-AES128-SHA
-
-# client TLSv1 DHE AES128
--v 1
--l DHE-RSA-AES128-SHA
-
-# server TLSv1 DHE AES256
--v 1
--l DHE-RSA-AES256-SHA
-
-# client TLSv1 DHE AES256
--v 1
--l DHE-RSA-AES256-SHA
-
-# server TLSv1 DHE AES128-SHA256
--v 1
--l DHE-RSA-AES128-SHA256
-
-# client TLSv1 DHE AES128-SHA256
--v 1
--l DHE-RSA-AES128-SHA256
-
-# server TLSv1 DHE AES256-SHA256
--v 1
--l DHE-RSA-AES256-SHA256
-
-# client TLSv1 DHE AES256-SHA256
--v 1
--l DHE-RSA-AES256-SHA256
-
-# server TLSv1.1 DHE AES128
--v 2
--l DHE-RSA-AES128-SHA
-
-# client TLSv1.1 DHE AES128
--v 2
--l DHE-RSA-AES128-SHA
-
-# server TLSv1.1 DHE AES256
--v 2
--l DHE-RSA-AES256-SHA
-
-# client TLSv1.1 DHE AES256
--v 2
--l DHE-RSA-AES256-SHA
-
-# server TLSv1.1 DHE AES128-SHA256
--v 2
--l DHE-RSA-AES128-SHA256
-
-# client TLSv1.1 DHE AES128-SHA256
--v 2
--l DHE-RSA-AES128-SHA256
-
-# server TLSv1.1 DHE AES256-SHA256
--v 2
--l DHE-RSA-AES256-SHA256
-
-# client TLSv1.1 DHE AES256-SHA256
--v 2
--l DHE-RSA-AES256-SHA256
-
-# server TLSv1.2 DHE AES128
--v 3
--l DHE-RSA-AES128-SHA
-
-# client TLSv1.2 DHE AES128
--v 3
--l DHE-RSA-AES128-SHA
-
-# server TLSv1.2 DHE AES256
--v 3
--l DHE-RSA-AES256-SHA
-
-# client TLSv1.2 DHE AES256
--v 3
--l DHE-RSA-AES256-SHA
-
-# server TLSv1.2 DHE AES128-SHA256
--v 3
--l DHE-RSA-AES128-SHA256
-
-# client TLSv1.2 DHE AES128-SHA256
--v 3
--l DHE-RSA-AES128-SHA256
-
-# server TLSv1.2 DHE AES256-SHA256
--v 3
--l DHE-RSA-AES256-SHA256
-
-# client TLSv1.2 DHE AES256-SHA256
--v 3
--l DHE-RSA-AES256-SHA256
-
diff --git a/tests/test-psk-null.conf b/tests/test-psk-null.conf
deleted file mode 100644
index c29d77476..000000000
--- a/tests/test-psk-null.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-# server TLSv1.0 PSK-NULL
--s
--v 1
--l PSK-NULL-SHA
-
-# client TLSv1.0 PSK-NULL
--s
--v 1
--l PSK-NULL-SHA
-
-# server TLSv1.1 PSK-NULL
--s
--v 2
--l PSK-NULL-SHA
-
-# client TLSv1.1 PSK-NULL
--s
--v 2
--l PSK-NULL-SHA
-
-# server TLSv1.2 PSK-NULL
--s
--v 3
--l PSK-NULL-SHA
-
-# client TLSv1.2 PSK-NULL
--s
--v 3
--l PSK-NULL-SHA
-
-# server TLSv1.2 PSK-NULL-SHA256
--s
--v 3
--l PSK-NULL-SHA256
-
-# client TLSv1.2 PSK-NULL-SHA256
--s
--v 3
--l PSK-NULL-SHA256
-
diff --git a/tests/test-psk.conf b/tests/test-psk.conf
deleted file mode 100644
index 48fc77029..000000000
--- a/tests/test-psk.conf
+++ /dev/null
@@ -1,70 +0,0 @@
-# server TLSv1 PSK-AES128
--s
--v 1
--l PSK-AES128-CBC-SHA
-
-# client TLSv1 PSK-AES128
--s
--v 1
--l PSK-AES128-CBC-SHA
-
-# server TLSv1 PSK-AES256
--s
--v 1
--l PSK-AES256-CBC-SHA
-
-# client TLSv1 PSK-AES256
--s
--v 1
--l PSK-AES256-CBC-SHA
-
-# server TLSv1.1 PSK-AES128
--s
--v 2
--l PSK-AES128-CBC-SHA
-
-# client TLSv1.1 PSK-AES128
--s
--v 2
--l PSK-AES128-CBC-SHA
-
-# server TLSv1.1 PSK-AES256
--s
--v 2
--l PSK-AES256-CBC-SHA
-
-# client TLSv1.1 PSK-AES256
--s
--v 2
--l PSK-AES256-CBC-SHA
-
-# server TLSv1.2 PSK-AES128
--s
--v 3
--l PSK-AES128-CBC-SHA
-
-# client TLSv1.2 PSK-AES128
--s
--v 3
--l PSK-AES128-CBC-SHA
-
-# server TLSv1.2 PSK-AES256
--s
--v 3
--l PSK-AES256-CBC-SHA
-
-# client TLSv1.2 PSK-AES256
--s
--v 3
--l PSK-AES256-CBC-SHA
-
-# server TLSv1.2 PSK-AES128-SHA256
--s
--v 3
--l PSK-AES128-CBC-SHA256
-
-# client TLSv1.2 PSK-AES128-SHA256
--s
--v 3
--l PSK-AES128-CBC-SHA256
-
diff --git a/tests/test-rabbit.conf b/tests/test-rabbit.conf
deleted file mode 100644
index 4e22779c8..000000000
--- a/tests/test-rabbit.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# server TLSv1 RABBIT-SHA
--v 1
--l RABBIT-SHA
-
-# client TLSv1 RABBIT-SHA
--v 1
--l RABBIT-SHA
-
-# server TLSv1.1 RABBIT-SHA
--v 2
--l RABBIT-SHA
-
-# client TLSv1.1 RABBIT-SHA
--v 2
--l RABBIT-SHA
-
-# server TLSv1.2 RABBIT-SHA
--v 3
--l RABBIT-SHA
-
-# client TLSv1.2 RABBIT-SHA
--v 3
--l RABBIT-SHA
-
diff --git a/tests/test.conf b/tests/test.conf
index 04e055f08..c95f0a959 100644
--- a/tests/test.conf
+++ b/tests/test.conf
@@ -190,243 +190,1383 @@ -v 3 -l AES256-SHA256 -# server SSLv3 RC4-SHA NON-BLOCKING --v 0 --l RC4-SHA --N - -# client SSLv3 RC4-SHA NON-BLOCKING --v 0 --l RC4-SHA --N - -# server SSLv3 RC4-MD5 NON-BLOCKING --v 0 --l RC4-MD5 --N - -# client SSLv3 RC4-MD5 NON-BLOCKING --v 0 --l RC4-MD5 --N - -# server SSLv3 DES-CBC3-SHA NON-BLOCKING --v 0 --l DES-CBC3-SHA --N - -# client SSLv3 DES-CBC3-SHA NON-BLOCKING --v 0 --l DES-CBC3-SHA --N - -# server TLSv1 RC4-SHA NON-BLOCKING +# server TLSv1 ECDHE-RSA-RC4 -v 1 --l RC4-SHA --N +-l ECDHE-RSA-RC4-SHA -# client TLSv1 RC4-SHA NON-BLOCKING +# client TLSv1 ECDHE-RSA-RC4 -v 1 --l RC4-SHA --N +-l ECDHE-RSA-RC4-SHA -# server TLSv1 RC4-MD5 NON-BLOCKING +# server TLSv1 ECDHE-RSA-DES3 -v 1 --l RC4-MD5 --N +-l ECDHE-RSA-DES-CBC3-SHA -# client TLSv1 RC4-MD5 NON-BLOCKING +# client TLSv1 ECDHE-RSA-DES3 -v 1 --l RC4-MD5 --N +-l ECDHE-RSA-DES-CBC3-SHA -# server TLSv1 DES-CBC3-SHA NON-BLOCKING +# server TLSv1 ECDHE-RSA-AES128 -v 1 --l DES-CBC3-SHA --N +-l ECDHE-RSA-AES128-SHA -# client TLSv1 DES-CBC3-SHA NON-BLOCKING +# client TLSv1 ECDHE-RSA-AES128 -v 1 --l DES-CBC3-SHA --N +-l ECDHE-RSA-AES128-SHA -# server TLSv1 AES128-SHA NON-BLOCKING +# server TLSv1 ECDHE-RSA-AES256 -v 1 --l AES128-SHA --N +-l ECDHE-RSA-AES256-SHA -# client TLSv1 AES128-SHA NON-BLOCKING +# client TLSv1 ECDHE-RSA-AES256 -v 1 --l AES128-SHA --N +-l ECDHE-RSA-AES256-SHA -# server TLSv1 AES256-SHA NON-BLOCKING +# server TLSv1.1 ECDHE-RSA-RC4 +-v 2 +-l ECDHE-RSA-RC4-SHA + +# client TLSv1.1 ECDHE-RSA-RC4 +-v 2 +-l ECDHE-RSA-RC4-SHA + +# server TLSv1.1 ECDHE-RSA-DES3 +-v 2 +-l ECDHE-RSA-DES-CBC3-SHA + +# client TLSv1.1 ECDHE-RSA-DES3 +-v 2 +-l ECDHE-RSA-DES-CBC3-SHA + +# server TLSv1.1 ECDHE-RSA-AES128 +-v 2 +-l ECDHE-RSA-AES128-SHA + +# client TLSv1.1 ECDHE-RSA-AES128 +-v 2 +-l ECDHE-RSA-AES128-SHA + +# server TLSv1.1 ECDHE-RSA-AES256 +-v 2 +-l ECDHE-RSA-AES256-SHA + +# client TLSv1.1 ECDHE-RSA-AES256 +-v 2 +-l ECDHE-RSA-AES256-SHA + +# server TLSv1.2 ECDHE-RSA-RC4 +-v 3 +-l 
ECDHE-RSA-RC4-SHA + +# client TLSv1.2 ECDHE-RSA-RC4 +-v 3 +-l ECDHE-RSA-RC4-SHA + +# server TLSv1.2 ECDHE-RSA-DES3 +-v 3 +-l ECDHE-RSA-DES-CBC3-SHA + +# client TLSv1.2 ECDHE-RSA-DES3 +-v 3 +-l ECDHE-RSA-DES-CBC3-SHA + +# server TLSv1.2 ECDHE-RSA-AES128 +-v 3 +-l ECDHE-RSA-AES128-SHA + +# client TLSv1.2 ECDHE-RSA-AES128 +-v 3 +-l ECDHE-RSA-AES128-SHA + +# server TLSv1.2 ECDHE-RSA-AES128-SHA256 +-v 3 +-l ECDHE-RSA-AES128-SHA256 + +# client TLSv1.2 ECDHE-RSA-AES128-SHA256 +-v 3 +-l ECDHE-RSA-AES128-SHA256 + +# server TLSv1.2 ECDHE-RSA-AES256 +-v 3 +-l ECDHE-RSA-AES256-SHA + +# client TLSv1.2 ECDHE-RSA-AES256 +-v 3 +-l ECDHE-RSA-AES256-SHA + +# server TLSv1 ECDHE-ECDSA-RC4 -v 1 --l AES256-SHA --N +-l ECDHE-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem -# client TLSv1 AES256-SHA NON-BLOCKING +# client TLSv1 ECDHE-ECDSA-RC4 -v 1 --l AES256-SHA --N +-l ECDHE-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem -# server TLSv1 AES128-SHA256 NON-BLOCKING +# server TLSv1 ECDHE-ECDSA-DES3 -v 1 --l AES128-SHA256 --N +-l ECDHE-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem -# client TLSv1 AES128-SHA256 NON-BLOCKING +# client TLSv1 ECDHE-ECDSA-DES3 -v 1 --l AES128-SHA256 --N +-l ECDHE-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem -# server TLSv1 AES256-SHA256 NON-BLOCKING +# server TLSv1 ECDHE-ECDSA-AES128 -v 1 --l AES256-SHA256 --N +-l ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem -# client TLSv1 AES256-SHA256 NON-BLOCKING +# client TLSv1 ECDHE-ECDSA-AES128 -v 1 --l AES256-SHA256 --N +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem -# server TLSv1.1 RC4-SHA NON-BLOCKING +# server TLSv1 ECDHE-ECDSA-AES256 +-v 1 +-l ECDHE-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDHE-ECDSA-AES256 +-v 1 +-l ECDHE-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDHE-EDCSA-RC4 -v 2 --l RC4-SHA --N +-l ECDHE-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem -# 
client TLSv1.1 RC4-SHA NON-BLOCKING +# client TLSv1.1 ECDHE-ECDSA-RC4 -v 2 --l RC4-SHA --N +-l ECDHE-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem -# server TLSv1.1 RC4-MD5 NON-BLOCKING +# server TLSv1.1 ECDHE-ECDSA-DES3 -v 2 --l RC4-MD5 --N +-l ECDHE-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem -# client TLSv1.1 RC4-MD5 NON-BLOCKING +# client TLSv1.1 ECDHE-ECDSA-DES3 -v 2 --l RC4-MD5 --N +-l ECDHE-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem -# server TLSv1.1 DES-CBC3-SHA NON-BLOCKING +# server TLSv1.1 ECDHE-ECDSA-AES128 -v 2 --l DES-CBC3-SHA --N +-l ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem -# client TLSv1.1 DES-CBC3-SHA NON-BLOCKING +# client TLSv1.1 ECDHE-ECDSA-AES128 -v 2 --l DES-CBC3-SHA --N +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem -# server TLSv1.1 AES128-SHA NON-BLOCKING +# server TLSv1.1 ECDHE-ECDSA-AES256 -v 2 --l AES128-SHA --N +-l ECDHE-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem -# client TLSv1.1 AES128-SHA NON-BLOCKING +# client TLSv1.1 ECDHE-ECDSA-AES256 -v 2 --l AES128-SHA --N +-l ECDHE-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem -# server TLSv1.1 AES256-SHA NON-BLOCKING +# server TLSv1.2 ECDHE-ECDSA-RC4 +-v 3 +-l ECDHE-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-RC4 +-v 3 +-l ECDHE-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDHE-ECDSA-DES3 +-v 3 +-l ECDHE-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-DES3 +-v 3 +-l ECDHE-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDHE-ECDSA-AES128 +-v 3 +-l ECDHE-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128 +-v 3 +-l ECDHE-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDHE-ECDSA-AES128-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 
ECDHE-ECDSA-AES128-SHA256 +-v 3 +-l ECDHE-ECDSA-AES128-SHA256 +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDHE-ECDSA-AES256 +-v 3 +-l ECDHE-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256 +-v 3 +-l ECDHE-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-RSA-RC4 +-v 1 +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-RC4 +-v 1 +-l ECDH-RSA-RC4-SHA + +# server TLSv1 ECDH-RSA-DES3 +-v 1 +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-DES3 +-v 1 +-l ECDH-RSA-DES-CBC3-SHA + +# server TLSv1 ECDH-RSA-AES128 +-v 1 +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-AES128 +-v 1 +-l ECDH-RSA-AES128-SHA + +# server TLSv1 ECDH-RSA-AES256 +-v 1 +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-AES256 +-v 1 +-l ECDH-RSA-AES256-SHA + +# server TLSv1.1 ECDH-RSA-RC4 -v 2 --l AES256-SHA --N +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem -# client TLSv1.1 AES256-SHA NON-BLOCKING +# client TLSv1.1 ECDH-RSA-RC4 -v 2 --l AES256-SHA --N +-l ECDH-RSA-RC4-SHA -# server TLSv1.1 AES128-SHA256 NON-BLOCKING +# server TLSv1.1 ECDH-RSA-DES3 -v 2 --l AES128-SHA256 --N +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem -# client TLSv1.1 AES128-SHA256 NON-BLOCKING +# client TLSv1.1 ECDH-RSA-DES3 -v 2 --l AES128-SHA256 --N +-l ECDH-RSA-DES-CBC3-SHA -# server TLSv1.1 AES256-SHA256 NON-BLOCKING +# server TLSv1.1 ECDH-RSA-AES128 -v 2 --l AES256-SHA256 --N +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem -# client TLSv1.1 AES256-SHA256 NON-BLOCKING +# client TLSv1.1 ECDH-RSA-AES128 -v 2 --l AES256-SHA256 --N +-l ECDH-RSA-AES128-SHA -# server TLSv1.2 RC4-SHA NON-BLOCKING +# server TLSv1.1 ECDH-RSA-AES256 +-v 2 +-l 
ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-RSA-AES256 +-v 2 +-l ECDH-RSA-AES256-SHA + +# server TLSv1.2 ECDH-RSA-RC4 -v 3 --l RC4-SHA --N +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem -# client TLSv1.2 RC4-SHA NON-BLOCKING +# client TLSv1.2 ECDH-RSA-RC4 -v 3 --l RC4-SHA --N +-l ECDH-RSA-RC4-SHA -# server TLSv1.2 RC4-MD5 NON-BLOCKING +# server TLSv1.2 ECDH-RSA-DES3 -v 3 --l RC4-MD5 --N +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem -# client TLSv1.2 RC4-MD5 NON-BLOCKING +# client TLSv1.2 ECDH-RSA-DES3 -v 3 --l RC4-MD5 --N +-l ECDH-RSA-DES-CBC3-SHA -# server TLSv1.2 DES-CBC3-SHA NON-BLOCKING +# server TLSv1.2 ECDH-RSA-AES128 -v 3 --l DES-CBC3-SHA --N +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem -# client TLSv1.2 DES-CBC3-SHA NON-BLOCKING +# client TLSv1.2 ECDH-RSA-AES128 -v 3 --l DES-CBC3-SHA --N +-l ECDH-RSA-AES128-SHA -# server TLSv1.2 AES128-SHA NON-BLOCKING +# server TLSv1.2 ECDH-RSA-AES128-SHA256 -v 3 --l AES128-SHA --N +-l ECDH-RSA-AES128-SHA256 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem -# client TLSv1.2 AES128-SHA NON-BLOCKING +# client TLSv1.2 ECDH-RSA-AES128-SHA256 -v 3 --l AES128-SHA --N +-l ECDH-RSA-AES128-SHA256 -# server TLSv1.2 AES256-SHA NON-BLOCKING +# server TLSv1.2 ECDH-RSA-AES256 -v 3 --l AES256-SHA --N +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem -# client TLSv1.2 AES256-SHA NON-BLOCKING +# client TLSv1.2 ECDH-RSA-AES256 -v 3 --l AES256-SHA --N +-l ECDH-RSA-AES256-SHA -# server TLSv1.2 AES128-SHA256 NON-BLOCKING +# server TLSv1 ECDH-ECDSA-RC4 +-v 1 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-RC4 +-v 1 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-ECDSA-DES3 +-v 1 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 
ECDH-ECDSA-DES3 +-v 1 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-ECDSA-AES128 +-v 1 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-AES128 +-v 1 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-ECDSA-AES256 +-v 1 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-AES256 +-v 1 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-EDCSA-RC4 +-v 2 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-RC4 +-v 2 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-ECDSA-DES3 +-v 2 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-DES3 +-v 2 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-ECDSA-AES128 +-v 2 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-AES128 +-v 2 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-ECDSA-AES256 +-v 2 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-AES256 +-v 2 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDHE-ECDSA-RC4 -v 3 --l AES128-SHA256 --N +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem -# client TLSv1.2 AES128-SHA256 NON-BLOCKING +# client TLSv1.2 ECDH-ECDSA-RC4 -v 3 --l AES128-SHA256 --N +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem -# server TLSv1.2 AES256-SHA256 NON-BLOCKING +# server TLSv1.2 ECDH-ECDSA-DES3 -v 3 --l AES256-SHA256 --N +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem -# client TLSv1.2 AES256-SHA256 NON-BLOCKING +# client TLSv1.2 ECDH-ECDSA-DES3 -v 3 --l AES256-SHA256 --N +-l ECDH-ECDSA-DES-CBC3-SHA +-A 
./certs/server-ecc.pem + +# server TLSv1.2 ECDH-ECDSA-AES128 +-v 3 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES128 +-v 3 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDH-ECDSA-AES128-SHA256 +-v 3 +-l ECDH-ECDSA-AES128-SHA256 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES128-SHA256 +-v 3 +-l ECDH-ECDSA-AES128-SHA256 +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDH-ECDSA-AES256 +-v 3 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES256 +-v 3 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDHE-RSA-AES256-SHA384 +-v 3 +-l ECDHE-RSA-AES256-SHA384 + +# client TLSv1.2 ECDHE-RSA-AES256-SHA384 +-v 3 +-l ECDHE-RSA-AES256-SHA384 + +# server TLSv1.2 ECDHE-ECDSA-AES256-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES256-SHA384 +-v 3 +-l ECDHE-ECDSA-AES256-SHA384 +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDH-RSA-AES256-SHA384 +-v 3 +-l ECDH-RSA-AES256-SHA384 +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-RSA-AES256-SHA384 +-v 3 +-l ECDH-RSA-AES256-SHA384 + +# server TLSv1.2 ECDH-ECDSA-AES256-SHA384 +-v 3 +-l ECDH-ECDSA-AES256-SHA384 +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES256-SHA384 +-v 3 +-l ECDH-ECDSA-AES256-SHA384 +-A ./certs/server-ecc.pem + +# server TLSv1 HC128-SHA +-v 1 +-l HC128-SHA + +# client TLSv1 HC128-SHA +-v 1 +-l HC128-SHA + +# server TLSv1 HC128-MD5 +-v 1 +-l HC128-MD5 + +# client TLSv1 HC128-MD5 +-v 1 +-l HC128-MD5 + +# server TLSv1.1 HC128-SHA +-v 2 +-l HC128-SHA + +# client TLSv1.1 HC128-SHA +-v 2 +-l HC128-SHA + +# server TLSv1.1 HC128-MD5 +-v 2 +-l HC128-MD5 + +# client TLSv1.1 HC128-MD5 +-v 2 +-l HC128-MD5 + +# server TLSv1.2 HC128-SHA +-v 3 +-l HC128-SHA + +# client 
TLSv1.2 HC128-SHA
+-v 3
+-l HC128-SHA
+
+# server TLSv1.2 HC128-MD5
+-v 3
+-l HC128-MD5
+
+# client TLSv1.2 HC128-MD5
+-v 3
+-l HC128-MD5
+
+# server TLSv1 RABBIT-SHA
+-v 1
+-l RABBIT-SHA
+
+# client TLSv1 RABBIT-SHA
+-v 1
+-l RABBIT-SHA
+
+# server TLSv1.1 RABBIT-SHA
+-v 2
+-l RABBIT-SHA
+
+# client TLSv1.1 RABBIT-SHA
+-v 2
+-l RABBIT-SHA
+
+# server TLSv1.2 RABBIT-SHA
+-v 3
+-l RABBIT-SHA
+
+# client TLSv1.2 RABBIT-SHA
+-v 3
+-l RABBIT-SHA
+
+# server TLSv1 NTRU_RC4
+-v 1
+-l NTRU-RC4-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1 NTRU_RC4
+-v 1
+-l NTRU-RC4-SHA
+
+# server TLSv1 NTRU_DES3
+-v 1
+-l NTRU-DES-CBC3-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1 NTRU_DES3
+-v 1
+-l NTRU-DES-CBC3-SHA
+
+# server TLSv1 NTRU_AES128
+-v 1
+-l NTRU-AES128-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1 NTRU_AES128
+-v 1
+-l NTRU-AES128-SHA
+
+# server TLSv1 NTRU_AES256
+-v 1
+-l NTRU-AES256-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1 NTRU_AES256
+-v 1
+-l NTRU-AES256-SHA
+
+# server TLSv1.1 NTRU_RC4
+-v 2
+-l NTRU-RC4-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1.1 NTRU_RC4
+-v 2
+-l NTRU-RC4-SHA
+
+# server TLSv1.1 NTRU_DES3
+-v 2
+-l NTRU-DES-CBC3-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1.1 NTRU_DES3
+-v 2
+-l NTRU-DES-CBC3-SHA
+
+# server TLSv1.1 NTRU_AES128
+-v 2
+-l NTRU-AES128-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1.1 NTRU_AES128
+-v 2
+-l NTRU-AES128-SHA
+
+# server TLSv1.1 NTRU_AES256
+-v 2
+-l NTRU-AES256-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1.1 NTRU_AES256
+-v 2
+-l NTRU-AES256-SHA
+
+# server TLSv1.2 NTRU_RC4
+-v 3
+-l NTRU-RC4-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1.2 NTRU_RC4
+-v 3
+-l NTRU-RC4-SHA
+
+# server TLSv1.2 NTRU_DES3
+-v 3
+-l NTRU-DES-CBC3-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1.2 NTRU_DES3
+-v 3
+-l NTRU-DES-CBC3-SHA
+
+# server TLSv1.2 NTRU_AES128
+-v 3
+-l NTRU-AES128-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1.2 NTRU_AES128
+-v 3
+-l NTRU-AES128-SHA
+
+# server TLSv1.2 NTRU_AES256
+-v 3
+-l NTRU-AES256-SHA
+-n
+-c ./certs/ntru-cert.pem
+-k ./certs/ntru-key.raw
+
+# client TLSv1.2 NTRU_AES256
+-v 3
+-l NTRU-AES256-SHA
+
+# server TLSv1 DHE AES128
+-v 1
+-l DHE-RSA-AES128-SHA
+
+# client TLSv1 DHE AES128
+-v 1
+-l DHE-RSA-AES128-SHA
+
+# server TLSv1 DHE AES256
+-v 1
+-l DHE-RSA-AES256-SHA
+
+# client TLSv1 DHE AES256
+-v 1
+-l DHE-RSA-AES256-SHA
+
+# server TLSv1 DHE AES128-SHA256
+-v 1
+-l DHE-RSA-AES128-SHA256
+
+# client TLSv1 DHE AES128-SHA256
+-v 1
+-l DHE-RSA-AES128-SHA256
+
+# server TLSv1 DHE AES256-SHA256
+-v 1
+-l DHE-RSA-AES256-SHA256
+
+# client TLSv1 DHE AES256-SHA256
+-v 1
+-l DHE-RSA-AES256-SHA256
+
+# server TLSv1.1 DHE AES128
+-v 2
+-l DHE-RSA-AES128-SHA
+
+# client TLSv1.1 DHE AES128
+-v 2
+-l DHE-RSA-AES128-SHA
+
+# server TLSv1.1 DHE AES256
+-v 2
+-l DHE-RSA-AES256-SHA
+
+# client TLSv1.1 DHE AES256
+-v 2
+-l DHE-RSA-AES256-SHA
+
+# server TLSv1.1 DHE AES128-SHA256
+-v 2
+-l DHE-RSA-AES128-SHA256
+
+# client TLSv1.1 DHE AES128-SHA256
+-v 2
+-l DHE-RSA-AES128-SHA256
+
+# server TLSv1.1 DHE AES256-SHA256
+-v 2
+-l DHE-RSA-AES256-SHA256
+
+# client TLSv1.1 DHE AES256-SHA256
+-v 2
+-l DHE-RSA-AES256-SHA256
+
+# server TLSv1.2 DHE AES128
+-v 3
+-l DHE-RSA-AES128-SHA
+
+# client TLSv1.2 DHE AES128
+-v 3
+-l DHE-RSA-AES128-SHA
+
+# server TLSv1.2 DHE AES256
+-v 3
+-l DHE-RSA-AES256-SHA
+
+# client TLSv1.2 DHE AES256
+-v 3
+-l DHE-RSA-AES256-SHA
+
+# server TLSv1.2 DHE AES128-SHA256
+-v 3
+-l DHE-RSA-AES128-SHA256
+
+# client TLSv1.2 DHE AES128-SHA256
+-v 3
+-l DHE-RSA-AES128-SHA256
+
+# server TLSv1.2 DHE AES256-SHA256
+-v 3
+-l DHE-RSA-AES256-SHA256
+
+# client TLSv1.2 DHE AES256-SHA256
+-v 3
+-l DHE-RSA-AES256-SHA256
+
+# server TLSv1 PSK-AES128
+-s
+-v 1
+-l PSK-AES128-CBC-SHA
+
+# client TLSv1 PSK-AES128
+-s
+-v 1
+-l PSK-AES128-CBC-SHA
+
+# server TLSv1 PSK-AES256
+-s
+-v 1
+-l PSK-AES256-CBC-SHA
+
+# client TLSv1 PSK-AES256
+-s
+-v 1
+-l PSK-AES256-CBC-SHA
+
+# server TLSv1.1 PSK-AES128
+-s
+-v 2
+-l PSK-AES128-CBC-SHA
+
+# client TLSv1.1 PSK-AES128
+-s
+-v 2
+-l PSK-AES128-CBC-SHA
+
+# server TLSv1.1 PSK-AES256
+-s
+-v 2
+-l PSK-AES256-CBC-SHA
+
+# client TLSv1.1 PSK-AES256
+-s
+-v 2
+-l PSK-AES256-CBC-SHA
+
+# server TLSv1.2 PSK-AES128
+-s
+-v 3
+-l PSK-AES128-CBC-SHA
+
+# client TLSv1.2 PSK-AES128
+-s
+-v 3
+-l PSK-AES128-CBC-SHA
+
+# server TLSv1.2 PSK-AES256
+-s
+-v 3
+-l PSK-AES256-CBC-SHA
+
+# client TLSv1.2 PSK-AES256
+-s
+-v 3
+-l PSK-AES256-CBC-SHA
+
+# server TLSv1.2 PSK-AES128-SHA256
+-s
+-v 3
+-l PSK-AES128-CBC-SHA256
+
+# client TLSv1.2 PSK-AES128-SHA256
+-s
+-v 3
+-l PSK-AES128-CBC-SHA256
+
+# server TLSv1.0 PSK-NULL
+-s
+-v 1
+-l PSK-NULL-SHA
+
+# client TLSv1.0 PSK-NULL
+-s
+-v 1
+-l PSK-NULL-SHA
+
+# server TLSv1.1 PSK-NULL
+-s
+-v 2
+-l PSK-NULL-SHA
+
+# client TLSv1.1 PSK-NULL
+-s
+-v 2
+-l PSK-NULL-SHA
+
+# server TLSv1.2 PSK-NULL
+-s
+-v 3
+-l PSK-NULL-SHA
+
+# client TLSv1.2 PSK-NULL
+-s
+-v 3
+-l PSK-NULL-SHA
+
+# server TLSv1.2 PSK-NULL-SHA256
+-s
+-v 3
+-l PSK-NULL-SHA256
+
+# client TLSv1.2 PSK-NULL-SHA256
+-s
+-v 3
+-l PSK-NULL-SHA256
+
+# server TLSv1.2 PSK-NULL
+-s
+-v 3
+-l PSK-NULL-SHA
+
+# client TLSv1.2 PSK-NULL
+-s
+-v 3
+-l PSK-NULL-SHA
+
+# server TLSv1.2 PSK-NULL-SHA256
+-s
+-v 3
+-l PSK-NULL-SHA256
+
+# client TLSv1.2 PSK-NULL-SHA256
+-s
+-v 3
+-l PSK-NULL-SHA256
+
+# server TLSv1.0 RSA-NULL-SHA
+-v 1
+-l NULL-SHA
+
+# client TLSv1.0 RSA-NULL-SHA
+-v 1
+-l NULL-SHA
+
+# server TLSv1.1 RSA-NULL-SHA
+-v 2
+-l NULL-SHA
+
+# client TLSv1.1 RSA-NULL-SHA
+-v 2
+-l NULL-SHA
+
+# server TLSv1.2 RSA-NULL-SHA
+-v 3
+-l NULL-SHA
+
+# client TLSv1.2 RSA-NULL-SHA
+-v 3
+-l NULL-SHA
+
+# server TLSv1.0 RSA-NULL-SHA256
+-v 1
+-l NULL-SHA256
+
+# client TLSv1.0 RSA-NULL-SHA256
+-v 1
+-l NULL-SHA256
+
+# server TLSv1.1 RSA-NULL-SHA256
+-v 2
+-l NULL-SHA256
+
+# client TLSv1.1 RSA-NULL-SHA256
+-v 2
+-l NULL-SHA256
+
+# server TLSv1.2 RSA-NULL-SHA256
+-v 3
+-l NULL-SHA256
+
+# client TLSv1.2 RSA-NULL-SHA256
+-v 3
+-l NULL-SHA256
+
+# server TLSv1 CAMELLIA128-SHA
+-v 1
+-l CAMELLIA128-SHA
+
+# client TLSv1 CAMELLIA128-SHA
+-v 1
+-l CAMELLIA128-SHA
+
+# server TLSv1 CAMELLIA256-SHA
+-v 1
+-l CAMELLIA256-SHA
+
+# client TLSv1 CAMELLIA256-SHA
+-v 1
+-l CAMELLIA256-SHA
+
+# server TLSv1 CAMELLIA128-SHA256
+-v 1
+-l CAMELLIA128-SHA256
+
+# client TLSv1 CAMELLIA128-SHA256
+-v 1
+-l CAMELLIA128-SHA256
+
+# server TLSv1 CAMELLIA256-SHA256
+-v 1
+-l CAMELLIA256-SHA256
+
+# client TLSv1 CAMELLIA256-SHA256
+-v 1
+-l CAMELLIA256-SHA256
+
+# server TLSv1.1 CAMELLIA128-SHA
+-v 2
+-l CAMELLIA128-SHA
+
+# client TLSv1.1 CAMELLIA128-SHA
+-v 2
+-l CAMELLIA128-SHA
+
+# server TLSv1.1 CAMELLIA256-SHA
+-v 2
+-l CAMELLIA256-SHA
+
+# client TLSv1.1 CAMELLIA256-SHA
+-v 2
+-l CAMELLIA256-SHA
+
+# server TLSv1.1 CAMELLIA128-SHA256
+-v 2
+-l CAMELLIA128-SHA256
+
+# client TLSv1.1 CAMELLIA128-SHA256
+-v 2
+-l CAMELLIA128-SHA256
+
+# server TLSv1.1 CAMELLIA256-SHA256
+-v 2
+-l CAMELLIA256-SHA256
+
+# client TLSv1.1 CAMELLIA256-SHA256
+-v 2
+-l CAMELLIA256-SHA256
+
+# server TLSv1.2 CAMELLIA128-SHA
+-v 3
+-l CAMELLIA128-SHA
+
+# client TLSv1.2 CAMELLIA128-SHA
+-v 3
+-l CAMELLIA128-SHA
+
+# server TLSv1.2 CAMELLIA256-SHA
+-v 3
+-l CAMELLIA256-SHA
+
+# client TLSv1.2 CAMELLIA256-SHA
+-v 3
+-l CAMELLIA256-SHA
+
+# server TLSv1.2 CAMELLIA128-SHA256
+-v 3
+-l CAMELLIA128-SHA256
+
+# client TLSv1.2 CAMELLIA128-SHA256
+-v 3
+-l CAMELLIA128-SHA256
+
+# server TLSv1.2 CAMELLIA256-SHA256
+-v 3
+-l CAMELLIA256-SHA256
+
+# client TLSv1.2 CAMELLIA256-SHA256
+-v 3
+-l CAMELLIA256-SHA256
+
+# server TLSv1 DHE-RSA-CAMELLIA128-SHA
+-v 1
+-l DHE-RSA-CAMELLIA128-SHA
+
+# client TLSv1 DHE-RSA-CAMELLIA128-SHA
+-v 1
+-l DHE-RSA-CAMELLIA128-SHA
+
+# server TLSv1 DHE-RSA-CAMELLIA256-SHA
+-v 1
+-l DHE-RSA-CAMELLIA256-SHA
+
+# client TLSv1 DHE-RSA-CAMELLIA256-SHA
+-v 1
+-l DHE-RSA-CAMELLIA256-SHA
+
+# server TLSv1 DHE-RSA-CAMELLIA128-SHA256
+-v 1
+-l DHE-RSA-CAMELLIA128-SHA256
+
+# client TLSv1 DHE-RSA-CAMELLIA128-SHA256
+-v 1
+-l DHE-RSA-CAMELLIA128-SHA256
+
+# server TLSv1 DHE-RSA-CAMELLIA256-SHA256
+-v 1
+-l DHE-RSA-CAMELLIA256-SHA256
+
+# client TLSv1 DHE-RSA-CAMELLIA256-SHA256
+-v 1
+-l DHE-RSA-CAMELLIA256-SHA256
+
+# server TLSv1.1 DHE-RSA-CAMELLIA128-SHA
+-v 2
+-l DHE-RSA-CAMELLIA128-SHA
+
+# client TLSv1.1 DHE-RSA-CAMELLIA128-SHA
+-v 2
+-l DHE-RSA-CAMELLIA128-SHA
+
+# server TLSv1.1 DHE-RSA-CAMELLIA256-SHA
+-v 2
+-l DHE-RSA-CAMELLIA256-SHA
+
+# client TLSv1.1 DHE-RSA-CAMELLIA256-SHA
+-v 2
+-l DHE-RSA-CAMELLIA256-SHA
+
+# server TLSv1.1 DHE-RSA-CAMELLIA128-SHA256
+-v 2
+-l DHE-RSA-CAMELLIA128-SHA256
+
+# client TLSv1.1 DHE-RSA-CAMELLIA128-SHA256
+-v 2
+-l DHE-RSA-CAMELLIA128-SHA256
+
+# server TLSv1.1 DHE-RSA-CAMELLIA256-SHA256
+-v 2
+-l DHE-RSA-CAMELLIA256-SHA256
+
+# client TLSv1.1 DHE-RSA-CAMELLIA256-SHA256
+-v 2
+-l DHE-RSA-CAMELLIA256-SHA256
+
+# server TLSv1.2 DHE-RSA-CAMELLIA128-SHA
+-v 3
+-l DHE-RSA-CAMELLIA128-SHA
+
+# client TLSv1.2 DHE-RSA-CAMELLIA128-SHA
+-v 3
+-l DHE-RSA-CAMELLIA128-SHA
+
+# server TLSv1.2 DHE-RSA-CAMELLIA256-SHA
+-v 3
+-l DHE-RSA-CAMELLIA256-SHA
+
+# client TLSv1.2 DHE-RSA-CAMELLIA256-SHA
+-v 3
+-l DHE-RSA-CAMELLIA256-SHA
+
+# server TLSv1.2 DHE-RSA-CAMELLIA128-SHA256
+-v 3
+-l DHE-RSA-CAMELLIA128-SHA256
+
+# client TLSv1.2 DHE-RSA-CAMELLIA128-SHA256
+-v 3
+-l DHE-RSA-CAMELLIA128-SHA256
+
+# server TLSv1.2 DHE-RSA-CAMELLIA256-SHA256
+-v 3
+-l DHE-RSA-CAMELLIA256-SHA256
+
+# client TLSv1.2 DHE-RSA-CAMELLIA256-SHA256
+-v 3
+-l DHE-RSA-CAMELLIA256-SHA256
+
+# server TLSv1.2 RSA-AES128-GCM-SHA256
+-v 3
+-l AES128-GCM-SHA256
+
+# client TLSv1.2 RSA-AES128-GCM-SHA256
+-v 3
+-l AES128-GCM-SHA256
+
+# server TLSv1.2 RSA-AES256-GCM-SHA384
+-v 3
+-l AES256-GCM-SHA384
+
+# client TLSv1.2 RSA-AES256-GCM-SHA384
+-v 3
+-l AES256-GCM-SHA384
+
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/server-ecc.pem
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/server-ecc.pem
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-A ./certs/server-ecc.pem
+
+# server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDH-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDH-ECDSA-AES256-GCM-SHA384
+-A ./certs/server-ecc.pem
+
+# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# server TLSv1.2 ECDH-RSA-AES128-GCM-SHA256
+-v 3
+-l ECDH-RSA-AES128-GCM-SHA256
+-c ./certs/server-ecc-rsa.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDH-RSA-AES128-GCM-SHA256
+-v 3
+-l ECDH-RSA-AES128-GCM-SHA256
+
+# server TLSv1.2 ECDH-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDH-RSA-AES256-GCM-SHA384
+-c ./certs/server-ecc-rsa.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDH-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDH-RSA-AES256-GCM-SHA384
+
+# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256
+-v 3
+-l DHE-RSA-AES128-GCM-SHA256
+
+# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256
+-v 3
+-l DHE-RSA-AES128-GCM-SHA256
+
+# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# server TLSv1.2 AES128-CCM-8-SHA256
+-v 3
+-l AES128-CCM-8-SHA256
+
+# client TLSv1.2 AES128-CCM-8-SHA256
+-v 3
+-l AES128-CCM-8-SHA256
+
+# server TLSv1.2 AES256-CCM-8-SHA384
+-v 3
+-l AES256-CCM-8-SHA384
+
+# client TLSv1.2 AES256-CCM-8-SHA384
+-v 3
+-l AES256-CCM-8-SHA384
+
+# server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-A ./certs/server-ecc.pem
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-A ./certs/server-ecc.pem
diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c
index afa3e4199..cc4b4ace8 100644
--- a/testsuite/testsuite.c
+++ b/testsuite/testsuite.c
@@ -25,7 +25,7 @@ #include #include -#include +#include #include "ctaocrypt/test/test.h"
@@ -138,8 +138,8 @@ int main(int argc, char** argv) /* validate output equals input */ { - byte input[SHA_DIGEST_SIZE]; - byte output[SHA_DIGEST_SIZE]; + byte input[SHA256_DIGEST_SIZE]; + byte output[SHA256_DIGEST_SIZE]; file_test("input", input); file_test("output", output);
@@ -220,22 +220,22 @@ void file_test(const char* file, byte* check) { FILE* f; int i = 0, j; - Sha sha; + Sha256 sha256; byte buf[1024]; - byte shasum[SHA_DIGEST_SIZE]; + byte shasum[SHA256_DIGEST_SIZE]; - InitSha(&sha); + InitSha256(&sha256); if( !( f = fopen( file, "rb" ) )) { printf("Can't open %s\n", file); return; } while( ( i = (int)fread(buf, 1, sizeof(buf), f )) > 0 ) - ShaUpdate(&sha, buf, i); + Sha256Update(&sha256, buf, i); - ShaFinal(&sha, shasum); + Sha256Final(&sha256, shasum); memcpy(check, shasum, sizeof(shasum)); - for(j = 0; j < SHA_DIGEST_SIZE; ++j ) + for(j = 0; j < SHA256_DIGEST_SIZE; ++j ) printf( "%02x", shasum[j] ); printf(" %s\n", file);
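Review bot: The early `return` after the failed `fopen` in `file_test` leaves `check` unwritten, and the callers shown in the `main` hunk pass the uninitialised stack arrays `input` and `output`, so whatever compares them afterwards (outside these hunks) would be reading indeterminate bytes when a file is missing. For a check meant to validate that output equals input, a missing file should be a hard failure: consider having `file_test` report a status, e.g. `int file_test(const char* file, byte* check)` with `return -1;` on the open failure, and letting `main` fail on it. The `memcpy(check, shasum, sizeof(shasum))` now writes `SHA256_DIGEST_SIZE` bytes through a pointer that carries no length, so a comment such as `/* check must point to at least SHA256_DIGEST_SIZE bytes */` above the function would make that contract explicit for any caller this commit does not touch. The function body may continue past the end of the hunk, so whether `f` is closed is not visible here.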