TLS 1.3: PSK only

Support building with only TLS 1.3 and PSK without code for (EC)DHE and
certificates.
Minimise build size for this configuration.
Sean Parkinson
2020-10-28 11:47:31 +10:00
parent fa08930921
commit d8b58286d1
14 changed files with 398 additions and 197 deletions


@@ -131,6 +131,11 @@ AS_IF([test "$ax_enable_debug" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -DNDEBUG"])
# Start without certificates enabled and enable if a certificate algorithm is
# enabled
ENABLED_CERTS="no"
# FIPS
AC_ARG_ENABLE([fips],
@@ -963,7 +968,7 @@ AC_ARG_ENABLE([leanpsk],
if test "$ENABLED_LEANPSK" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANPSK -DWOLFSSL_STATIC_PSK -DHAVE_NULL_CIPHER -DSINGLE_THREADED -DNO_AES -DNO_FILESYSTEM -DNO_RABBIT -DNO_RSA -DNO_DSA -DNO_DH -DNO_CERTS -DNO_PWDBASED -DNO_MD4 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_WRITEV -DNO_DEV_RANDOM -DWOLFSSL_USER_IO -DNO_SHA"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANPSK -DWOLFSSL_STATIC_PSK -DHAVE_NULL_CIPHER -DSINGLE_THREADED -DNO_AES -DNO_FILESYSTEM -DNO_RABBIT -DNO_RSA -DNO_DSA -DNO_DH -DNO_PWDBASED -DNO_MD4 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_WRITEV -DNO_DEV_RANDOM -DWOLFSSL_USER_IO -DNO_SHA"
ENABLED_SLOWMATH="no"
ENABLED_SINGLETHREADED="yes"
enable_lowresource=yes
@@ -1808,6 +1813,8 @@ fi
if test "$ENABLED_DSA" = "no" && test "$ENABLED_OPENSSH" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DSA"
else
ENABLED_CERTS=yes
fi
# ECC Shamir
@@ -1848,6 +1855,8 @@ then
then
AM_CFLAGS="$AM_CFLAGS -DWC_ECC_NONBLOCK"
fi
ENABLED_CERTS=yes
fi
@@ -1974,6 +1983,8 @@ then
ENABLED_FEMATH=yes
ENABLED_GEMATH=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519"
ENABLED_CERTS=yes
fi
@@ -2035,6 +2046,8 @@ then
# EdDSA448 requires SHAKE256 which requires SHA-3
ENABLED_SHAKE3=yes
ENABLED_SHAKE256=yes
ENABLED_CERTS=yes
fi
@@ -2376,6 +2389,8 @@ else
then
AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
ENABLED_RSA=no
else
ENABLED_CERTS=yes
fi
fi
@@ -2501,7 +2516,7 @@ AC_ARG_ENABLE([asn],
if test "$ENABLED_ASN" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS"
AM_CFLAGS="$AM_CFLAGS -DNO_ASN"
if test "$ENABLED_DH" = "no" && test "$ENABLED_ECC" = "no"
then
# DH and ECC need bigint
@@ -2511,7 +2526,7 @@ else
# turn off ASN if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS -DNO_BIG_INT"
AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_BIG_INT"
ENABLED_ASN=no
else
if test "$ENABLED_ASN" = "nocrypt"
@@ -3535,7 +3550,7 @@ then
fi
# TLS 1.3 Requires either ECC or (RSA/DH), or CURVE25519/ED25519 or CURVE448/ED448
if test "x$ENABLED_ECC" = "xno" && \
if test "x$ENABLED_PSK" = "xno" && test "x$ENABLED_ECC" = "xno" && \
(test "x$ENABLED_RSA" = "xno" || test "x$ENABLED_DH" = "xno") && \
(test "x$ENABLED_CURVE25519" = "xno" || test "x$ENABLED_ED25519" = "xno") && \
(test "x$ENABLED_CURVE448" = "xno" || test "x$ENABLED_ED448" = "xno")
@@ -3543,9 +3558,14 @@ then
# disable TLS 1.3
ENABLED_TLS13=no
fi
if test "$ENABLED_TLS13" = "yes" && (test "x$ENABLED_ECC" = "xyes" || \
test "x$ENABLED_DH" = "xyes")
then
AM_CFLAGS="-DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
fi
if test "$ENABLED_TLS13" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS $AM_CFLAGS"
fi
@@ -5572,6 +5592,10 @@ if test "x$ENABLED_OPENSSLCOEXIST" = "xyes"; then
AC_MSG_ERROR([Cannot use --enable-opensslcoexist with --enable-opensslextra])
fi
fi
if test "x$ENABLED_CERTS" = "xno" || test "x$ENABLED_LEANPSK" = "xyes" || test "x$ENABLED_ASN" = "xno"; then
AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS"
fi
################################################################################
# USER SETTINGS
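Review bot: The comment above the TLS 1.3 check still reads `# TLS 1.3 Requires either ECC or (RSA/DH), or CURVE25519/ED25519 or CURVE448/ED448`, but the new condition also keeps TLS 1.3 enabled whenever PSK is on, so the comment no longer matches the test. I would reword it to `# TLS 1.3 requires PSK, or ECC, or (RSA and DH), or CURVE25519/ED25519, or CURVE448/ED448`. It is also worth a second comment line saying that a PSK-only build has no (EC)DHE and therefore negotiates without forward secrecy, since an integrator should choose that property knowingly. Separately, the final block appends `-DNO_ASN` a second time when `ENABLED_ASN` is `no` or leanpsk is on, because the asn hunks already add it; this is harmless but redundant.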


@@ -273,7 +273,7 @@ static void ShowVersions(void)
printf("\n");
}
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
#define MAX_GROUP_NUMBER 4
static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
int useX448)
@@ -443,7 +443,7 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
if (benchResume)
wolfSSL_set_session(ssl, benchSession);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
else if (version >= 4) {
if (!helloRetry)
SetKeyShare(ssl, onlyKeyShare, useX25519, useX448);
@@ -546,7 +546,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
(void)useX25519;
(void)useX448;
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
#ifdef HAVE_CURVE25519
if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519)
@@ -983,9 +983,11 @@ static const char* client_usage_msg[][66] = {
" SSLv3(0) - TLS1.3(4)\n", /* 7 */
#endif
"-l <str> Cipher suite list (: delimited)\n", /* 8 */
#ifndef NO_CERTS
"-c <file> Certificate file, default", /* 9 */
"-k <file> Key file, default", /* 10 */
"-A <file> Certificate Authority file, default", /* 11 */
#endif
#ifndef NO_DH
"-Z <num> Minimum DH key bits, default", /* 12 */
#endif
@@ -1009,7 +1011,9 @@ static const char* client_usage_msg[][66] = {
"-G Use SCTP DTLS,"
" add -v 2 for DTLSv1, -v 3 for DTLSv1.2 (default)\n", /* 22 */
#endif
#ifndef NO_CERTS
"-m Match domain name in cert\n", /* 23 */
#endif
"-N Use Non-blocking sockets\n", /* 24 */
#ifndef NO_SESSION_CACHE
"-r Resume session\n", /* 25 */
@@ -1025,7 +1029,9 @@ static const char* client_usage_msg[][66] = {
" The string parameter is optional.\n", /* 29 */
#endif
"-f Fewer packets/group messages\n", /* 30 */
#ifndef NO_CERTS
"-x Disable client cert/key loading\n", /* 31 */
#endif
"-X Driven by eXternal test case\n", /* 32 */
"-j Use verify callback override\n", /* 33 */
#ifdef SHOW_SIZES
@@ -1153,9 +1159,11 @@ static const char* client_usage_msg[][66] = {
" TLS1.3(4)\n", /* 7 */
#endif
"-l <str> 暗号スイートリスト (区切り文字 :)\n", /* 8 */
#ifndef NO_CERTS
"-c <file> 証明書ファイル, 既定値", /* 9 */
"-k <file> 鍵ファイル, 既定値", /* 10 */
"-A <file> 認証局ファイル, 既定値", /* 11 */
#endif
#ifndef NO_DH
"-Z <num> 最小 DH 鍵 ビット, 既定値", /* 12 */
#endif
@@ -1179,7 +1187,9 @@ static const char* client_usage_msg[][66] = {
"-G SCTP DTLSを使用する。-v 2 を追加指定すると"
" DTLSv1, -v 3 を追加指定すると DTLSv1.2 (既定値)\n", /* 22 */
#endif
#ifndef NO_CERTS
"-m 証明書内のドメイン名一致を確認する\n", /* 23 */
#endif
"-N ノンブロッキング・ソケットを使用する\n", /* 24 */
#ifndef NO_SESSION_CACHE
"-r セッションを継続する\n", /* 25 */
@@ -1192,7 +1202,9 @@ static const char* client_usage_msg[][66] = {
"-i <str> クライアント主導のネゴシエーションを強制する\n", /* 29 */
#endif
"-f より少ないパケット/グループメッセージを使用する\n",/* 30 */
#ifndef NO_CERTS
"-x クライアントの証明書/鍵のロードを無効する\n", /* 31 */
#endif
"-X 外部テスト・ケースにより動作する\n", /* 32 */
"-j コールバック・オーバーライドの検証を使用する\n", /* 33 */
#ifdef SHOW_SIZES
@@ -1326,9 +1338,11 @@ static void Usage(void)
printf("%s", msg[++msgid]); /* -V */
#endif
printf("%s", msg[++msgid]); /* -l */
#ifndef NO_CERTS
printf("%s %s\n", msg[++msgid], cliCertFile); /* -c */
printf("%s %s\n", msg[++msgid], cliKeyFile); /* -k */
printf("%s %s\n", msg[++msgid], caCertFile); /* -A */
#endif
#ifndef NO_DH
printf("%s %d\n", msg[++msgid], DEFAULT_MIN_DHKEY_BITS);
#endif
@@ -1348,7 +1362,9 @@ static void Usage(void)
#ifdef WOLFSSL_SCTP
printf("%s", msg[++msgid]); /* -G */
#endif
#ifndef NO_CERTS
printf("%s", msg[++msgid]); /* -m */
#endif
printf("%s", msg[++msgid]); /* -N */
#ifndef NO_SESSION_CACHE
printf("%s", msg[++msgid]); /* -r */
@@ -1360,7 +1376,9 @@ static void Usage(void)
printf("%s", msg[++msgid]); /* -i */
#endif
printf("%s", msg[++msgid]); /* -f */
#ifndef NO_CERTS
printf("%s", msg[++msgid]); /* -x */
#endif
printf("%s", msg[++msgid]); /* -X */
printf("%s", msg[++msgid]); /* -j */
#ifdef SHOW_SIZES
@@ -2041,13 +2059,15 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
break;
case 'y' :
#if defined(WOLFSSL_TLS13) && !defined(NO_DH)
#if defined(WOLFSSL_TLS13) && \
defined(HAVE_SUPPORTED_CURVES) && !defined(NO_DH)
onlyKeyShare = 1;
#endif
break;
case 'Y' :
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECC)
#if defined(WOLFSSL_TLS13) && \
defined(HAVE_SUPPORTED_CURVES) && defined(HAVE_ECC)
onlyKeyShare = 2;
#endif
break;
@@ -2061,7 +2081,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
useX25519 = 1;
#ifdef HAVE_ECC
useSupCurve = 1;
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && \
defined(HAVE_SUPPORTED_CURVES)
onlyKeyShare = 2;
#endif
#endif
@@ -2121,7 +2142,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
useX448 = 1;
#ifdef HAVE_ECC
useSupCurve = 1;
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && \
defined(HAVE_SUPPORTED_CURVES)
onlyKeyShare = 2;
#endif
#endif
@@ -2435,11 +2457,20 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (defaultCipherList == NULL) {
#if defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256:";
defaultCipherList = "TLS13-AES128-GCM-SHA256"
#ifndef WOLFSSL_NO_TLS12
":DHE-PSK-AES128-GCM-SHA256"
#endif
;
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
#elif defined(HAVE_AESGCM) && defined(WOLFSSL_TLS13)
defaultCipherList = "TLS13-AES128-GCM-SHA256"
#ifndef WOLFSSL_NO_TLS12
":PSK-AES128-GCM-SHA256"
#endif
;
#elif defined(HAVE_NULL_CIPHER)
defaultCipherList = "PSK-NULL-SHA256";
#else
@@ -2851,7 +2882,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("error printing out memory stats");
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
if (!helloRetry) {
#if defined(WOLFSSL_TLS13) && (!defined(NO_DH) || defined(HAVE_ECC) || \
defined(HAVE_CURVE25519) || defined(HAVE_CURVE448))
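Review bot: The new `#ifndef NO_CERTS` guards have to stay identical in three places, the English table, the Japanese table and `Usage()`, because `Usage()` walks `client_usage_msg` with `msg[++msgid]` and any mismatch shifts every later help line onto the wrong option. Nothing in the hunks documents that coupling; I would add above the table something like `/* Entries are consumed in order by Usage(); every #if here must be mirrored in both language tables and in Usage(). */`. The numeric `/* 9 */`-style comments also stop matching actual positions once entries are compiled out, which the same comment could mention. All three definitions extend beyond the hunks shown.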


@@ -181,11 +181,20 @@ void echoclient_test(void* args)
defaultCipherList = "PSK-NULL-SHA256";
#elif defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256:";
defaultCipherList = "TLS13-AES128-GCM-SHA256"
#ifndef WOLFSSL_NO_TLS12
":DHE-PSK-AES128-GCM-SHA256"
#endif
;
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
#elif defined(HAVE_AESGCM) && defined(WOLFSSL_TLS13)
defaultCipherList = "TLS13-AES128-GCM-SHA256"
#ifndef WOLFSSL_NO_TLS12
":DHE-PSK-AES128-GCM-SHA256"
#endif
;
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
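Review bot: The new `#elif defined(HAVE_AESGCM) && defined(WOLFSSL_TLS13)` branch is only reached when `NO_DH` is defined, because the preceding branch takes `!defined(NO_DH)`, yet it appends `:DHE-PSK-AES128-GCM-SHA256`, a suite that needs DH. The matching branch in `echoserver_test`, `client_test` and `server_test` uses `:PSK-AES128-GCM-SHA256`, so with TLS 1.2 still enabled the echo client would ask for a suite its own build cannot provide. The line should read `":PSK-AES128-GCM-SHA256"`. The enclosing function continues outside the hunk.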


@@ -265,11 +265,20 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
defaultCipherList = "PSK-NULL-SHA256";
#elif defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256";
defaultCipherList = "TLS13-AES128-GCM-SHA256"
#ifndef WOLFSSL_NO_TLS12
":DHE-PSK-AES128-GCM-SHA256"
#endif
;
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
#elif defined(HAVE_AESGCM) && defined(WOLFSSL_TLS13)
defaultCipherList = "TLS13-AES128-GCM-SHA256"
#ifndef WOLFSSL_NO_TLS12
":PSK-AES128-GCM-SHA256"
#endif
;
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif


@@ -1869,12 +1869,21 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
if (defaultCipherList == NULL && !usePskPlus) {
#if defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256";
defaultCipherList = "TLS13-AES128-GCM-SHA256"
#ifndef WOLFSSL_NO_TLS12
":DHE-PSK-AES128-GCM-SHA256"
#endif
;
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
needDH = 1;
#elif defined(HAVE_AESGCM) && defined(WOLFSSL_TLS13)
defaultCipherList = "TLS13-AES128-GCM-SHA256"
#ifndef WOLFSSL_NO_TLS12
":PSK-AES128-GCM-SHA256"
#endif
;
#elif defined(HAVE_NULL_CIPHER)
defaultCipherList = "PSK-NULL-SHA256";
#else


@@ -133,11 +133,11 @@ start_openssl_server() {
if [ "$cert_file" != "" ]
then
echo "# " $OPENSSL s_server -accept $server_port -cert $cert_file -key $key_file -quiet -CAfile $ca_file -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL"
$OPENSSL s_server -accept $server_port -cert $cert_file -key $key_file -quiet -CAfile $ca_file -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" &
echo "# " $OPENSSL s_server -accept $server_port -cert $cert_file -key $key_file -quiet -CAfile $ca_file -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe
$OPENSSL s_server -accept $server_port -cert $cert_file -key $key_file -quiet -CAfile $ca_file -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe &
else
echo "# " $OPENSSL s_server -accept $server_port -quiet -nocert -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL"
$OPENSSL s_server -accept $server_port -quiet -nocert -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" &
echo "# " $OPENSSL s_server -accept $server_port -quiet -nocert -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe
$OPENSSL s_server -accept $server_port -quiet -nocert -www -dhparam ./certs/dh2048.pem -verify 10 -verify_return_error -psk $psk_hex -cipher "ALL:eNULL" $openssl_nodhe &
fi
server_pid=$!
# wait to see if s_server successfully starts before continuing
@@ -438,51 +438,64 @@ IFS=$OIFS #restore separator
# Start OpenSSL servers
#
# Check if ECC certificates supported in wolfSSL
wolf_ecc=`$WOLFSSL_CLIENT -A ./certs/ed25519/ca-ecc-cert.pem 2>&1`
case $wolf_ecc in
*"ca file"*)
# Check for cerificate support in wolfSSL
wolf_certs=`$WOLFSSL_CLIENT -help 2>&1`
case $wolf_certs in
*"cert"*)
;;
*)
wolf_certs=""
;;
esac
if [ "$wolf_certs" != "" ]
then
# Check if ECC certificates supported in wolfSSL
wolf_ecc=`$WOLFSSL_CLIENT -A ./certs/ed25519/ca-ecc-cert.pem 2>&1`
case $wolf_ecc in
*"ca file"*)
wolf_ecc=""
;;
*)
*)
;;
esac
# Check if Ed25519 certificates supported in wolfSSL
wolf_ed25519=`$WOLFSSL_CLIENT -A ./certs/ed25519/root-ed25519.pem 2>&1`
case $wolf_ed25519 in
*"ca file"*)
esac
# Check if Ed25519 certificates supported in wolfSSL
wolf_ed25519=`$WOLFSSL_CLIENT -A ./certs/ed25519/root-ed25519.pem 2>&1`
case $wolf_ed25519 in
*"ca file"*)
wolf_ed25519=""
;;
*)
*)
;;
esac
# Check if Ed25519 certificates supported in OpenSSL
openssl_ed25519=`$OPENSSL s_client -cert ./certs/ed25519/client-ed25519.pem -key ./certs/ed25519/client-ed25519-priv.pem 2>&1`
case $openssl_ed25519 in
*"unable to load"*)
esac
# Check if Ed25519 certificates supported in OpenSSL
openssl_ed25519=`$OPENSSL s_client -cert ./certs/ed25519/client-ed25519.pem -key ./certs/ed25519/client-ed25519-priv.pem 2>&1`
case $openssl_ed25519 in
*"unable to load"*)
wolf_ed25519=""
;;
*)
*)
;;
esac
# Check if Ed448 certificates supported in wolfSSL
wolf_ed448=`$WOLFSSL_CLIENT -A ./certs/ed448/root-ed448.pem 2>&1`
case $wolf_ed448 in
*"ca file"*)
esac
# Check if Ed448 certificates supported in wolfSSL
wolf_ed448=`$WOLFSSL_CLIENT -A ./certs/ed448/root-ed448.pem 2>&1`
case $wolf_ed448 in
*"ca file"*)
wolf_ed448=""
;;
*)
*)
;;
esac
# Check if Ed448 certificates supported in OpenSSL
openssl_ed448=`$OPENSSL s_client -cert ./certs/ed448/client-ed448.pem -key ./certs/ed448/client-ed448-priv.pem 2>&1`
case $openssl_ed448 in
*"unable to load"*)
esac
# Check if Ed448 certificates supported in OpenSSL
openssl_ed448=`$OPENSSL s_client -cert ./certs/ed448/client-ed448.pem -key ./certs/ed448/client-ed448-priv.pem 2>&1`
case $openssl_ed448 in
*"unable to load"*)
wolf_ed448=""
;;
*)
*)
;;
esac
esac
fi
openssl_tls13=`$OPENSSL s_client -help 2>&1`
case $openssl_tls13 in
@@ -493,6 +506,17 @@ case $openssl_tls13 in
;;
esac
# Not all openssl versions support -allow_no_dhe_kex
openssl_nodhe=`$OPENSSL s_client -help 2>&1`
case $openssl_nodhe in
*allow_no_dhe_kex*)
openssl_nodhe=-allow_no_dhe_kex
;;
*)
openssl_nodhe=
;;
esac
# Check suites to determine support in wolfSSL
OIFS=$IFS # store old separator to reset
IFS=$'\:' # set delimiter
@@ -651,8 +675,7 @@ fi
if [ "$wolf_tls13" != "" -a "$wolf_psk" != "" ]
then
cert_file="./certs/server-cert.pem"
key_file="./certs/server-key.pem"
cert_file=
psk_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
openssl_suite="TLSv1.3_PSK"
@@ -1015,17 +1038,24 @@ do
do_openssl_client
fi
# PSK
if [ "$wolf_psk" != "" -a $wolfSuite = "TLS13-AES128-GCM-SHA256" ]
if [ "$wolf_psk" != "" -a $wolfSuite = "TLS13-AES128-GCM-SHA256" -a "$wolf_ecc" != "" -a $openssl_nodhe != "" ]
then
cert="./certs/client-cert.pem"
key="./certs/client-key.pem"
caCert="./certs/ca-cert.pem"
cert=""
key=""
caCert=""
wolf_temp_cases_total=$((wolf_temp_cases_total + 1))
port=$tls13_psk_openssl_port
psk="-s"
# OpenSSL doesn't support DH for key exchange so do no PSK
# DHE when ECC not supported
if [ "$wolf_ecc" = "" ]
then
adh="-K"
fi
do_wolfssl_client
psk=""
adh=""
openssl_psk="-psk 0123456789abcdef0123456789abcdef"
open_temp_cases_total=$((open_temp_cases_total + 1))
port=$wolfssl_port
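Review bot: In the PSK case the new test `-a "$wolf_ecc" != "" -a $openssl_nodhe != ""` leaves `$openssl_nodhe` unquoted, so when the OpenSSL build lacks `-allow_no_dhe_kex` the variable expands to nothing and `[` reports a syntax error instead of evaluating cleanly; write `"$openssl_nodhe" != ""`. The same condition requires `wolf_ecc` to be non-empty, which makes the `if [ "$wolf_ecc" = "" ]` block that sets `adh="-K"` unreachable. Because `wolf_ecc` is only assigned inside the new `wolf_certs` block, a build without certificates appears to skip this TLS 1.3 PSK case altogether. If the intent is "ECC available, or OpenSSL can do PSK without DHE", the guard would be `\( "$wolf_ecc" != "" -o "$openssl_nodhe" != "" \)`. The added comment also misspells "certificate" as "cerificate".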


@@ -1782,6 +1782,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
ctx->maxEarlyDataSz = MAX_EARLY_DATA_SZ;
#endif
#if defined(WOLFSSL_TLS13) && !defined(HAVE_SUPPORTED_CURVES)
ctx->noPskDheKe = 1;
#endif
ctx->heap = heap; /* wolfSSL_CTX_load_static_memory sets */
ctx->verifyDepth = MAX_CHAIN_DEPTH;
@@ -15826,6 +15830,8 @@ int ProcessReply(WOLFSSL* ssl)
}
#if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) || \
(defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT))
int SendChangeCipher(WOLFSSL* ssl)
{
byte *output;
@@ -15918,6 +15924,7 @@ int SendChangeCipher(WOLFSSL* ssl)
else
return SendBuffered(ssl);
}
#endif
#if !defined(NO_OLD_TLS) && !defined(WOLFSSL_AEAD_ONLY)
@@ -26856,12 +26863,14 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) &&
ssl->options.side == WOLFSSL_SERVER_END) {
#ifdef HAVE_SUPPORTED_CURVES
/* Try to establish a key share. */
int ret = TLSX_KeyShare_Establish(ssl);
if (ret == KEY_SHARE_ERROR)
ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
else if (ret != 0)
return 0;
#endif
}
else if (first == TLS13_BYTE || (first == ECC_BYTE &&
(second == TLS_SHA256_SHA256 || second == TLS_SHA384_SHA384))) {
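Review bot: `ctx->noPskDheKe = 1;` in `InitSSL_Ctx` is set silently whenever TLS 1.3 is built without `HAVE_SUPPORTED_CURVES`, and nothing explains that every TLS 1.3 handshake from such a context is PSK-only and so has no forward secrecy. I would add `/* No key share groups compiled in: only PSK without (EC)DHE can be negotiated, so sessions have no forward secrecy. */` above the assignment. The guard also does not test for PSK or session-ticket support; if `noPskDheKe` is declared only when one of those is compiled in (the declaration is not visible here), the `#if` needs the same condition. `InitSSL_Ctx` continues outside the hunk.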


@@ -12072,6 +12072,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
FALL_THROUGH;
#if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
case FIRST_REPLY_SECOND :
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
if (ssl->options.sendVerify) {
@@ -12119,7 +12120,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
FALL_THROUGH;
case SECOND_REPLY_DONE:
#ifndef NO_HANDSHAKE_DONE_CB
#ifndef NO_HANDSHAKE_DONE_CB
if (ssl->hsDoneCb) {
int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
if (cbret < 0) {
@@ -12128,35 +12129,36 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
return WOLFSSL_FATAL_ERROR;
}
}
#endif /* NO_HANDSHAKE_DONE_CB */
#endif /* NO_HANDSHAKE_DONE_CB */
if (!ssl->options.dtls) {
if (!ssl->options.keepResources) {
FreeHandshakeResources(ssl);
}
}
#ifdef WOLFSSL_DTLS
#ifdef WOLFSSL_DTLS
else {
ssl->options.dtlsHsRetain = 1;
}
#endif /* WOLFSSL_DTLS */
#endif /* WOLFSSL_DTLS */
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_SECURE_RENEGOTIATION)
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_SECURE_RENEGOTIATION)
/* This may be necessary in async so that we don't try to
* renegotiate again */
if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) {
ssl->secure_renegotiation->startScr = 0;
}
#endif /* WOLFSSL_ASYNC_CRYPT && HAVE_SECURE_RENEGOTIATION */
#endif /* WOLFSSL_ASYNC_CRYPT && HAVE_SECURE_RENEGOTIATION */
WOLFSSL_LEAVE("SSL_connect()", WOLFSSL_SUCCESS);
return WOLFSSL_SUCCESS;
#endif /* !WOLFSSL_NO_TLS12 || !NO_OLD_TLS */
default:
WOLFSSL_MSG("Unknown connect state ERROR");
return WOLFSSL_FATAL_ERROR; /* unknown connect state */
}
#endif /* !WOLFSSL_NO_TLS12 */
#endif /* !WOLFSSL_NO_TLS12 || !NO_OLD_TLS || !WOLFSSL_TLS13 */
}
#endif /* NO_WOLFSSL_CLIENT */
@@ -32654,7 +32656,7 @@ const char* wolfSSL_EC_curve_nid2nist(int nid)
return NULL;
}
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
static int populate_groups(int* groups, int max_count, char *list)
{
char *end;
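Review bot: The new `#if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)` sits directly after the `FALL_THROUGH;` that follows `WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND")`, so when it compiles out the preceding state falls into `default:` and returns `WOLFSSL_FATAL_ERROR` with "Unknown connect state ERROR". Whether that configuration can reach this switch depends on the outer guard, of which only the closing `#endif` comment is visible, so this may be unreachable. A one-line comment at the `#if` saying so would save the next reader the analysis. The closing comment `/* !WOLFSSL_NO_TLS12 || !NO_OLD_TLS || !WOLFSSL_TLS13 */` should also be checked against the opening condition, which is outside the hunk.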

153
src/tls.c

@@ -59,19 +59,11 @@
#endif
#endif /* HAVE_QSH */
#if (!defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13) && \
!defined(WOLFSSL_NO_SERVER_GROUPS_EXT)) || \
(defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES))
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
static int TLSX_KeyShare_IsSupported(int namedGroup);
#endif
#if ((!defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13) && \
!defined(WOLFSSL_NO_SERVER_GROUPS_EXT)) || \
(defined(WOLFSSL_TLS13) && !defined(HAVE_ECC) && !defined(HAVE_CURVE25519) \
&& !defined(HAVE_CURVE448) && defined(HAVE_SUPPORTED_CURVES)) || \
((defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448)) && defined(HAVE_SUPPORTED_CURVES))) && \
defined(HAVE_TLS_EXTENSIONS)
#ifdef HAVE_SUPPORTED_CURVES
static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions);
#endif
@@ -6193,7 +6185,7 @@ static int TLSX_SetSupportedVersions(TLSX** extensions, const void* data,
#endif /* WOLFSSL_TLS13 */
#if defined(WOLFSSL_TLS13)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
/******************************************************************************/
/* Cookie */
@@ -6359,7 +6351,7 @@ int TLSX_Cookie_Use(WOLFSSL* ssl, byte* data, word16 len, byte* mac,
#define CKE_PARSE(a, b, c, d) 0
#endif
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
/******************************************************************************/
/* Signature Algorithms */
/******************************************************************************/
@@ -6495,7 +6487,7 @@ static int TLSX_SetSignatureAlgorithms(TLSX** extensions, const void* data,
/* Signature Algorithms Certificate */
/******************************************************************************/
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
/* Return the size of the SignatureAlgorithms extension's data.
*
* data Unused
@@ -6589,7 +6581,7 @@ static int TLSX_SetSignatureAlgorithmsCert(TLSX** extensions, const void* data,
/* Key Share */
/******************************************************************************/
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
/* Create a key share entry using named Diffie-Hellman parameters group.
* Generates a key pair.
*
@@ -9235,7 +9227,7 @@ void TLSX_FreeAll(TLSX* list, void* heap)
case TLSX_APPLICATION_LAYER_PROTOCOL:
ALPN_FREE_ALL((ALPN*)extension->data, heap);
break;
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
case TLSX_SIGNATURE_ALGORITHMS:
break;
#endif
@@ -9247,9 +9239,11 @@ void TLSX_FreeAll(TLSX* list, void* heap)
case TLSX_SUPPORTED_VERSIONS:
break;
#ifdef WOLFSSL_SEND_HRR_COOKIE
case TLSX_COOKIE:
CKE_FREE_ALL((Cookie*)extension->data, heap);
break;
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
case TLSX_PRE_SHARED_KEY:
@@ -9270,8 +9264,10 @@ void TLSX_FreeAll(TLSX* list, void* heap)
break;
#endif
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
case TLSX_SIGNATURE_ALGORITHMS_CERT:
break;
#endif
case TLSX_KEY_SHARE:
KS_FREE_ALL((KeyShareEntry*)extension->data, heap);
@@ -9373,7 +9369,7 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType,
case TLSX_APPLICATION_LAYER_PROTOCOL:
length += ALPN_GET_SIZE((ALPN*)extension->data);
break;
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
case TLSX_SIGNATURE_ALGORITHMS:
length += SA_GET_SIZE(extension->data);
break;
@@ -9388,9 +9384,11 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType,
ret = SV_GET_SIZE(extension->data, msgType, &length);
break;
#ifdef WOLFSSL_SEND_HRR_COOKIE
case TLSX_COOKIE:
ret = CKE_GET_SIZE((Cookie*)extension->data, msgType, &length);
break;
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
case TLSX_PRE_SHARED_KEY:
@@ -9415,9 +9413,11 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType,
break;
#endif
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
case TLSX_SIGNATURE_ALGORITHMS_CERT:
length += SAC_GET_SIZE(extension->data);
break;
#endif
case TLSX_KEY_SHARE:
length += KS_GET_SIZE((KeyShareEntry*)extension->data, msgType);
@@ -9543,7 +9543,7 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore,
WOLFSSL_MSG("ALPN extension to write");
offset += ALPN_WRITE((ALPN*)extension->data, output + offset);
break;
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
case TLSX_SIGNATURE_ALGORITHMS:
WOLFSSL_MSG("Signature Algorithms extension to write");
offset += SA_WRITE(extension->data, output + offset);
@@ -9561,11 +9561,13 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore,
ret = SV_WRITE(extension->data, output + offset, msgType, &offset);
break;
#ifdef WOLFSSL_SEND_HRR_COOKIE
case TLSX_COOKIE:
WOLFSSL_MSG("Cookie extension to write");
ret = CKE_WRITE((Cookie*)extension->data, output + offset,
msgType, &offset);
break;
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
case TLSX_PRE_SHARED_KEY:
@@ -9596,10 +9598,12 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore,
break;
#endif
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
case TLSX_SIGNATURE_ALGORITHMS_CERT:
WOLFSSL_MSG("Signature Algorithms extension to write");
offset += SAC_WRITE(extension->data, output + offset);
break;
#endif
case TLSX_KEY_SHARE:
WOLFSSL_MSG("Key Share extension to write");
@@ -9813,12 +9817,7 @@ static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name)
}
#endif /* HAVE_QSH */
#if (!defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13) && \
!defined(WOLFSSL_NO_SERVER_GROUPS_EXT)) || \
(defined(WOLFSSL_TLS13) && !defined(HAVE_ECC) && !defined(HAVE_CURVE25519) \
&& !defined(HAVE_CURVE448) && defined(HAVE_SUPPORTED_CURVES)) || \
((defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448)) && defined(HAVE_SUPPORTED_CURVES))
#ifdef HAVE_SUPPORTED_CURVES
/* Populates the default supported groups / curves */
static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
@@ -9832,7 +9831,6 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
}
#endif
#ifdef HAVE_SUPPORTED_CURVES
if (ssl->numGroups != 0) {
int i;
for (i = 0; i < ssl->numGroups; i++) {
@@ -9842,10 +9840,9 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
}
return WOLFSSL_SUCCESS;
}
#endif /* HAVE_SUPPORTED_CURVES */
#endif /* WOLFSSL_TLS13 */
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
#if defined(HAVE_ECC)
/* list in order by strength, since not all servers choose by strength */
#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
#ifndef NO_ECC_SECP
@@ -9873,7 +9870,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */
#endif /* HAVE_ECC */
#ifndef HAVE_FIPS
#if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
@@ -9901,7 +9898,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
if (ret != WOLFSSL_SUCCESS) return ret;
#endif
#endif
#endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */
#endif /* HAVE_ECC */
#ifndef HAVE_FIPS
#if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
@@ -9956,7 +9953,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
#endif
#endif
#endif /* HAVE_FIPS */
#endif /* HAVE_ECC && HAVE_SUPPORTED_CURVES */
#endif /* HAVE_ECC */
/* Add FFDHE supported groups. */
#ifdef HAVE_FFDHE_8192
@@ -10011,7 +10008,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
return ret;
}
#endif
#endif /* HAVE_SUPPORTED_CURVES */
int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
{
@@ -10133,7 +10130,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
#endif /* (HAVE_ECC || CURVE25519 || CURVE448) && HAVE_SUPPORTED_CURVES */
} /* is not server */
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
WOLFSSL_MSG("Adding signature algorithms extension");
if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, ssl->heap))
!= 0) {
@@ -10160,8 +10157,9 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
return ret;
ret = 0;
}
#endif /* (HAVE_ECC || CURVE25519 || CURVE448) && HAVE_SUPPORTED_CURVES */
#endif /* !(HAVE_ECC || CURVE25519 || CURVE448) && HAVE_SUPPORTED_CURVES */
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
if (ssl->certHashSigAlgoSz > 0) {
WOLFSSL_MSG("Adding signature algorithms cert extension");
if ((ret = TLSX_SetSignatureAlgorithmsCert(&ssl->extensions,
@@ -10169,7 +10167,9 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
return ret;
}
}
#endif
#if defined(HAVE_SUPPORTED_CURVES)
if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
word16 namedGroup;
@@ -10210,6 +10210,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
if (ret != 0)
return ret;
}
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
TLSX_Remove(&ssl->extensions, TLSX_PRE_SHARED_KEY, ssl->heap);
@@ -10272,7 +10273,6 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
return PSK_KEY_ERROR;
}
ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0';
/* TODO: Callback should be able to change ciphersuite. */
ssl->options.cipherSuite0 = cipherSuite0;
ssl->options.cipherSuite = cipherSuite;
ret = SetCipherSpecs(ssl);
@@ -10343,13 +10343,14 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength)
PF_VALIDATE_REQUEST(ssl, semaphore);
QSH_VALIDATE_REQUEST(ssl, semaphore);
WOLF_STK_VALIDATE_REQUEST(ssl);
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
if (ssl->suites->hashSigAlgoSz == 0)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
#endif
#if defined(WOLFSSL_TLS13)
if (!IsAtLeastTLSv1_2(ssl))
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
if (!IsAtLeastTLSv1_3(ssl->version)) {
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
@@ -10359,11 +10360,14 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength)
#ifdef WOLFSSL_EARLY_DATA
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
#endif
#ifdef WOLFSSL_SEND_HRR_COOKIE
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH));
#endif
}
#endif
#endif
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
@@ -10380,7 +10384,7 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength)
else if (msgType == certificate_request) {
/* Don't send out any extension except those that are turned off. */
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
#endif
/* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
@@ -10433,13 +10437,14 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset)
PF_VALIDATE_REQUEST(ssl, semaphore);
WOLF_STK_VALIDATE_REQUEST(ssl);
QSH_VALIDATE_REQUEST(ssl, semaphore);
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
if (ssl->suites->hashSigAlgoSz == 0)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
#endif
#ifdef WOLFSSL_TLS13
if (!IsAtLeastTLSv1_2(ssl))
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
if (!IsAtLeastTLSv1_3(ssl->version)) {
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
@@ -10448,11 +10453,14 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset)
#ifdef WOLFSSL_EARLY_DATA
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
#endif
#ifdef WOLFSSL_SEND_HRR_COOKIE
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH));
#endif
}
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
/* Must write Pre-shared Key extension at the end in TLS v1.3.
* Must not write out Pre-shared Key extension in earlier versions of
@@ -10475,7 +10483,7 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset)
else if (msgType == certificate_request) {
/* Don't send out any extension except those that are turned off. */
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
#endif
/* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
@@ -10550,18 +10558,24 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
TURN_OFF(semaphore,
TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#ifdef HAVE_SUPPORTED_CURVES
if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
#endif
}
#if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
else {
#ifdef HAVE_SUPPORTED_CURVES
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
#endif
}
#endif
#endif
break;
@@ -10569,19 +10583,29 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
case hello_retry_request:
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#ifdef HAVE_SUPPORTED_CURVES
if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#endif
#ifdef WOLFSSL_SEND_HRR_COOKIE
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
#endif
break;
#endif
#ifdef WOLFSSL_TLS13
case encrypted_extensions:
/* Send out all extension except those that are turned on. */
#ifdef HAVE_ECC
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
#endif
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#ifdef HAVE_SESSION_TICKET
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
#endif
#ifdef HAVE_SUPPORTED_CURVES
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
#endif
@@ -10671,18 +10695,24 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
TURN_OFF(semaphore,
TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#ifdef HAVE_SUPPORTED_CURVES
if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
#endif
}
#if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
else {
#ifdef HAVE_SUPPORTED_CURVES
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
#endif
}
#endif
#endif
break;
@@ -10690,8 +10720,10 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
case hello_retry_request:
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#ifdef HAVE_SUPPORTED_CURVES
if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#endif
/* Cookie is written below as last extension. */
break;
#endif
@@ -10699,10 +10731,16 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
#ifdef WOLFSSL_TLS13
case encrypted_extensions:
/* Send out all extension except those that are turned on. */
#ifdef HAVE_ECC
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
#endif
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#ifdef HAVE_SESSION_TICKET
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
#endif
#ifdef HAVE_SUPPORTED_CURVES
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
#endif
@@ -10750,7 +10788,7 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
if (ret != 0)
return ret;
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
if (msgType == hello_retry_request) {
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
@@ -10875,7 +10913,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SNI)
if (IsAtLeastTLSv1_3(ssl->version) &&
msgType != client_hello &&
msgType != server_hello &&
@@ -10896,7 +10934,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_TRUSTED_CA)
if (IsAtLeastTLSv1_3(ssl->version) &&
msgType != client_hello &&
msgType != encrypted_extensions) {
@@ -10912,7 +10950,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_MAX_FRAGMENT)
if (IsAtLeastTLSv1_3(ssl->version) &&
msgType != client_hello &&
msgType != encrypted_extensions) {
@@ -10932,7 +10970,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_TRUNCATED_HMAC)
if (IsAtLeastTLSv1_3(ssl->version))
break;
#endif
@@ -10945,7 +10983,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
if (IsAtLeastTLSv1_3(ssl->version) &&
msgType != client_hello &&
msgType != server_hello &&
@@ -10966,7 +11004,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
if (IsAtLeastTLSv1_3(ssl->version))
break;
#endif
@@ -10979,7 +11017,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST)
if (IsAtLeastTLSv1_3(ssl->version) &&
msgType != client_hello &&
msgType != certificate_request &&
@@ -10996,7 +11034,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
if (IsAtLeastTLSv1_3(ssl->version) &&
msgType != client_hello &&
msgType != certificate_request &&
@@ -11014,7 +11052,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13)
if (IsAtLeastTLSv1_3(ssl->version))
break;
#endif
@@ -11035,7 +11073,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SECURE_RENEGOTIATION)
if (IsAtLeastTLSv1_3(ssl->version))
break;
#endif
@@ -11048,7 +11086,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)
if (IsAtLeastTLSv1_3(ssl->version) &&
msgType != client_hello) {
return EXT_NOT_ALLOWED;
@@ -11063,7 +11101,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_QSH)
if (IsAtLeastTLSv1_3(ssl->version))
break;
#endif
@@ -11077,7 +11115,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13) && defined(HAVE_ALPN)
if (IsAtLeastTLSv1_3(ssl->version) &&
msgType != client_hello &&
msgType != server_hello &&
@@ -11091,7 +11129,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
#endif
ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
break;
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
case TLSX_SIGNATURE_ALGORITHMS:
WOLFSSL_MSG("Signature Algorithms extension received");
#ifdef WOLFSSL_DEBUG_TLS
@@ -11100,13 +11138,13 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
if (!IsAtLeastTLSv1_2(ssl))
break;
#ifdef WOLFSSL_TLS13
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version) &&
msgType != client_hello &&
msgType != certificate_request) {
return EXT_NOT_ALLOWED;
}
#endif
#endif
ret = SA_PARSE(ssl, input + offset, size, isRequest, suites);
break;
#endif
@@ -11132,6 +11170,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
break;
#ifdef WOLFSSL_SEND_HRR_COOKIE
case TLSX_COOKIE:
WOLFSSL_MSG("Cookie extension received");
#ifdef WOLFSSL_DEBUG_TLS
@@ -11148,6 +11187,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
ret = CKE_PARSE(ssl, input + offset, size, msgType);
break;
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
case TLSX_PRE_SHARED_KEY:
@@ -11222,6 +11262,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
break;
#endif
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
case TLSX_SIGNATURE_ALGORITHMS_CERT:
WOLFSSL_MSG("Signature Algorithms extension received");
#ifdef WOLFSSL_DEBUG_TLS
@@ -11242,6 +11283,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
ret = SAC_PARSE(ssl, input + offset, size, isRequest);
break;
#endif
case TLSX_KEY_SHARE:
WOLFSSL_MSG("Key Share extension received");
@@ -11249,6 +11291,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
WOLFSSL_BUFFER(input + offset, size);
#endif
#ifdef HAVE_SUPPORTED_CURVES
if (!IsAtLeastTLSv1_3(ssl->version))
break;
@@ -11256,6 +11299,8 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
msgType != hello_retry_request) {
return EXT_NOT_ALLOWED;
}
#endif
ret = KS_PARSE(ssl, input + offset, size, msgType);
break;
#endif


@@ -2524,8 +2524,9 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk)
}
#endif
if (ssl->options.noPskDheKe)
if (ssl->options.noPskDheKe) {
ssl->arrays->preMasterSz = 0;
}
/* Derive the early secret using the PSK. */
return DeriveEarlySecret(ssl);
@@ -2994,7 +2995,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return ret;
}
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
if (sessIdSz == 0)
return INVALID_PARAMETER;
if (ssl->session.sessionIDSz != 0) {
@@ -3005,13 +3006,13 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
else if (XMEMCMP(ssl->arrays->clientRandom, sessId, sessIdSz) != 0)
return INVALID_PARAMETER;
#else
#else
if (sessIdSz != ssl->session.sessionIDSz || (sessIdSz > 0 &&
XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0)) {
WOLFSSL_MSG("Server sent different session id");
return INVALID_PARAMETER;
}
#endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
#endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
ret = SetCipherSpecs(ssl);
if (ret != 0)
@@ -3535,6 +3536,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
return MISSING_HANDSHAKE_DATA;
modes = ext->val;
#ifdef HAVE_SUPPORTED_CURVES
ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
/* Use (EC)DHE for forward-security if possible. */
if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
@@ -3554,7 +3556,9 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
/* Send new public key to client. */
ext->resp = 1;
}
else {
else
#endif
{
if ((modes & (1 << PSK_KE)) == 0)
return PSK_KEY_ERROR;
ssl->options.noPskDheKe = 1;
@@ -3902,6 +3906,8 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
}
/* From here on we are a TLS 1.3 ClientHello. */
/* Client random */
XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
i += RAN_LEN;
@@ -3939,26 +3945,6 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
i += clSuites.suiteSz;
clSuites.hashSigAlgoSz = 0;
#ifdef HAVE_SERVER_RENEGOTIATION_INFO
ret = FindSuite(&clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
if (ret == SUITES_ERROR)
return BUFFER_ERROR;
if (ret >= 0) {
TLSX* extension;
/* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */
ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap);
if (ret != WOLFSSL_SUCCESS)
return ret;
extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO);
if (extension) {
ssl->secure_renegotiation = (SecureRenegotiation*)extension->data;
ssl->secure_renegotiation->enabled = 1;
}
}
#endif /* HAVE_SERVER_RENEGOTIATION_INFO */
/* Compression */
b = input[i++];
if ((i - begin) + b > helloSz)
@@ -4050,6 +4036,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
if (!usingPSK) {
#ifndef NO_CERTS
if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
WOLFSSL_MSG("Client did not send a KeyShare extension");
SendAlert(ssl, alert_fatal, missing_extension);
@@ -4067,14 +4054,14 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return ret;
}
#ifdef HAVE_NULL_CIPHER
#ifdef HAVE_NULL_CIPHER
if (ssl->options.cipherSuite0 == ECC_BYTE &&
(ssl->options.cipherSuite == TLS_SHA256_SHA256 ||
ssl->options.cipherSuite == TLS_SHA384_SHA384)) {
;
}
else
#endif
#endif
/* Check that the negotiated ciphersuite matches protocol version. */
if (ssl->options.cipherSuite0 != TLS13_BYTE) {
WOLFSSL_MSG("Negotiated ciphersuite from lesser version than "
@@ -4083,16 +4070,19 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return VERSION_ERROR;
}
#ifdef HAVE_SESSION_TICKET
#ifdef HAVE_SESSION_TICKET
if (ssl->options.resuming) {
ssl->options.resuming = 0;
XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
}
#endif
#endif
/* Derive early secret for handshake secret. */
if ((ret = DeriveEarlySecret(ssl)) != 0)
return ret;
#else
ret = INVALID_PARAMETER;
#endif
}
WOLFSSL_LEAVE("DoTls13ClientHello", ret);
@@ -7692,6 +7682,7 @@ int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret,
}
#endif
#ifdef HAVE_SUPPORTED_CURVES
/* Create a key share entry from group.
* Generates a key pair.
*
@@ -7733,6 +7724,7 @@ int wolfSSL_NoKeyShares(WOLFSSL* ssl)
return WOLFSSL_SUCCESS;
}
#endif
/* Do not send a ticket after TLS v1.3 handshake for resumption.
*
@@ -7934,14 +7926,19 @@ int wolfSSL_preferred_group(WOLFSSL* ssl)
if (ssl->options.handShakeState != HANDSHAKE_DONE)
return NOT_READY_ERROR;
#ifdef HAVE_SUPPORTED_CURVES
/* Return supported groups only. */
return TLSX_SupportedCurve_Preferred(ssl, 1);
#else
return 0;
#endif
#else
return SIDE_ERROR;
#endif
}
#endif
#ifdef HAVE_SUPPORTED_CURVES
/* Sets the key exchange groups in rank order on a context.
*
* ctx SSL/TLS context object.
@@ -7989,6 +7986,7 @@ int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count)
return WOLFSSL_SUCCESS;
}
#endif
#ifndef NO_PSK
void wolfSSL_CTX_set_psk_client_tls13_callback(WOLFSSL_CTX* ctx,
@@ -8243,11 +8241,13 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
FALL_THROUGH;
case TLS13_ACCEPT_THIRD_REPLY_DONE :
#ifdef HAVE_SUPPORTED_CURVES
if (!ssl->options.noPskDheKe) {
ssl->error = TLSX_KeyShare_DeriveSecret(ssl);
if (ssl->error != 0)
return WOLFSSL_FATAL_ERROR;
}
#endif
if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
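Review bot: In the DoTls13ClientHello hunk at -4083,16 +4070,19, the new `#else` branch of `if (!usingPSK)` sets `ret = INVALID_PARAMETER;` without logging or alerting the peer. The certificate path in the same block calls `SendAlert(ssl, alert_fatal, missing_extension)` before it fails. A PSK-only build still fails closed when the client offers no usable PSK, but the client gets no alert and the operator gets only a generic error code to diagnose from. I would make the branch `WOLFSSL_MSG("No usable PSK offered and certificates are not compiled in");`, then `SendAlert(ssl, alert_fatal, handshake_failure);`, then `ret = INVALID_PARAMETER;`. The function continues outside the hunk, so whether a caller already sends an alert for this return value cannot be confirmed from here.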


@@ -36121,8 +36121,10 @@ static int test_tls13_apis(void)
#ifdef WOLFSSL_EARLY_DATA
int outSz;
#endif
#ifdef HAVE_SUPPORTED_CURVES
int groups[2] = { WOLFSSL_ECC_X25519, WOLFSSL_ECC_X448 };
int numGroups = 2;
#endif
#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
char groupList[] = "P-521:P-384:P-256";
#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */
@@ -36171,6 +36173,7 @@ static int test_tls13_apis(void)
#endif
#endif
#ifdef HAVE_SUPPORTED_CURVES
#ifdef HAVE_ECC
AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG);
#ifndef NO_WOLFSSL_SERVER
@@ -36235,6 +36238,7 @@ static int test_tls13_apis(void)
#endif
AssertIntEQ(wolfSSL_NoKeyShares(clientSsl), WOLFSSL_SUCCESS);
#endif
#endif /* HAVE_SUPPORTED_CURVES */
AssertIntEQ(wolfSSL_CTX_no_ticket_TLSv13(NULL), BAD_FUNC_ARG);
#ifndef NO_WOLFSSL_CLIENT
@@ -36342,6 +36346,7 @@ static int test_tls13_apis(void)
#endif
#endif
#ifdef HAVE_SUPPORTED_CURVES
AssertIntEQ(wolfSSL_CTX_set_groups(NULL, NULL, 0), BAD_FUNC_ARG);
#ifndef NO_WOLFSSL_CLIENT
AssertIntEQ(wolfSSL_CTX_set_groups(clientCtx, NULL, 0), BAD_FUNC_ARG);
@@ -36420,6 +36425,7 @@ static int test_tls13_apis(void)
WOLFSSL_SUCCESS);
#endif
#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */
#endif /* HAVE_SUPPORTED_CURVES */
#ifdef WOLFSSL_EARLY_DATA
AssertIntEQ(wolfSSL_CTX_set_max_early_data(NULL, 0), BAD_FUNC_ARG);


@@ -272,6 +272,13 @@ static int IsClientAuth(const char* line, int* reqClientCert)
return 0;
}
#endif
#ifdef NO_CERTS
static int IsUsingCert(const char* line)
{
return XSTRSTR(line, "-c ") != NULL;
}
static int IsNoClientCert(const char* line)
{
@@ -378,6 +385,14 @@ static int execute_test_case(int svr_argc, char** svr_argv,
return NOT_BUILT_IN;
}
#endif
#ifdef NO_CERTS
if (IsUsingCert(commandLine)) {
#ifdef DEBUG_SUITE_TESTS
printf("certificate %s not supported in build\n", commandLine);
#endif
return NOT_BUILT_IN;
}
#endif
/* Build Server Command */
if (addNoVerify) {
@@ -511,6 +526,14 @@ static int execute_test_case(int svr_argc, char** svr_argv,
#endif
return NOT_BUILT_IN;
}
#endif
#ifdef NO_CERTS
if (IsNoClientCert(commandLine)) {
#ifdef DEBUG_SUITE_TESTS
printf("certificate %s not supported in build\n", commandLine);
#endif
return NOT_BUILT_IN;
}
#endif
printf("trying client command line[%d]: %s\n", tests, commandLine);
tests++;
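Review bot: `IsUsingCert` in the first hunk has no comment and matches the substring `"-c "` anywhere in the test line, so a line containing any token that merely ends in `-c` is also skipped as `NOT_BUILT_IN` in a `NO_CERTS` build. A short comment would state the intent, for example `/* Non-zero when the line passes a certificate option ("-c "); such cases cannot run in NO_CERTS builds. */`. The hunk at -511,6 +526,14 prints the same debug text for `IsNoClientCert`, whose body is outside the hunks. If that helper tests a different option, a distinct message would make it easier to see which cases a PSK-only build silently leaves unexercised.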


@@ -239,7 +239,7 @@ int wc_Des3_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
#endif /* !NO_DES3 */
#ifdef WOLFSSL_ENCRYPTED_KEYS
#if !defined(NO_ASN) && defined(WOLFSSL_ENCRYPTED_KEYS)
int wc_BufferKeyDecrypt(EncryptedInfo* info, byte* der, word32 derSz,
const byte* password, int passwordSz, int hashType)
@@ -361,7 +361,7 @@ int wc_BufferKeyEncrypt(EncryptedInfo* info, byte* der, word32 derSz,
return ret;
}
#endif /* WOLFSSL_ENCRYPTED_KEYS */
#endif /* !NO_ASN && WOLFSSL_ENCRYPTED_KEYS */
#if !defined(NO_PWDBASED) && !defined(NO_ASN)


@@ -2169,7 +2169,7 @@ typedef enum {
TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stapling */
TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */
TLSX_EC_POINT_FORMATS = 0x000b,
#if !defined(WOLFSSL_NO_SIGALG)
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
TLSX_SIGNATURE_ALGORITHMS = 0x000d, /* HELLO_EXT_SIG_ALGO */
#endif
TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */
@@ -2188,14 +2188,18 @@ typedef enum {
TLSX_EARLY_DATA = 0x002a,
#endif
TLSX_SUPPORTED_VERSIONS = 0x002b,
#ifdef WOLFSSL_SEND_HRR_COOKIE
TLSX_COOKIE = 0x002c,
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
TLSX_PSK_KEY_EXCHANGE_MODES = 0x002d,
#endif
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
TLSX_POST_HANDSHAKE_AUTH = 0x0031,
#endif
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
TLSX_SIGNATURE_ALGORITHMS_CERT = 0x0032,
#endif
TLSX_KEY_SHARE = 0x0033,
#endif
TLSX_RENEGOTIATION_INFO = 0xff01