From eb40175cc6604a47d272d4cfa56d0f12ef4a0829 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 5 Apr 2017 11:21:11 -0700 Subject: [PATCH] =?UTF-8?q?Fix=20to=20calc=20BuildSHA=5FCertVerify=20if=20?= =?UTF-8?q?WOLFSSL=5FALLOW=5FTLS=5FSHA1.=20Fix=20to=20add=20check=20for=20?= =?UTF-8?q?DTLS=20to=20not=20allow=20stream=20ciphers.=20Removed=20the=20R?= =?UTF-8?q?C4=20tests=20from=20the=20test-dtls.conf.=20Added=20support=20f?= =?UTF-8?q?or=20using=20default=20suites=20on=20client=20side.=20Switched?= =?UTF-8?q?=20the=20arg=20to=20=E2=80=9C-H=E2=80=9D.=20Cleanup=20of=20the?= =?UTF-8?q?=20example=20server/client=20args=20list.=20Fixes=20for=20build?= =?UTF-8?q?=20with=20=E2=80=9C--disable-sha=E2=80=9D.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- examples/client/client.c | 14 +++-- examples/server/server.c | 8 ++- src/internal.c | 59 ++++++++++++++++++-- src/ssl.c | 4 +- tests/suites.c | 32 +++++++---- tests/test-dtls.conf | 116 --------------------------------------- wolfssl/internal.h | 2 +- 7 files changed, 92 insertions(+), 143 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index af6ff4e2d..1ca1c5fe2 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -594,6 +594,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) char* alpnList = NULL; unsigned char alpn_opt = 0; char* cipherList = NULL; + int useDefCipherList = 0; const char* verifyCert = caCertFile; const char* ourCert = cliCertFile; const char* ourKey = cliKeyFile; @@ -662,9 +663,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) StackTrap(); #ifndef WOLFSSL_VXWORKS - while ((ch = mygetopt(argc, argv, - "?gdeDuGsmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:TnoO:aB:W:E:M:q:")) - != -1) { + /* Not used: j, y, I, J, K, Q, Y */ + while ((ch = mygetopt(argc, argv, "?" + "ab:c:defgh:ik:l:mnop:q:rstuv:wxz" + "A:B:CDE:F:GHL:M:NO:PRS:TUVW:XZ:")) != -1) { switch (ch) { case '?' : Usage(); 
@@ -777,6 +779,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) cipherList = myoptarg; break; + case 'H' : + useDefCipherList = 1; + break; + case 'A' : verifyCert = myoptarg; break; @@ -1097,7 +1103,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } #endif - if (cipherList) { + if (cipherList && !useDefCipherList) { if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS) { wolfSSL_CTX_free(ctx); err_sys("client can't set cipher list 1"); diff --git a/examples/server/server.c b/examples/server/server.c index aa0e147a0..82d17ad8b 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -392,8 +392,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef WOLFSSL_VXWORKS useAnyAddr = 1; #else - while ((ch = mygetopt(argc, argv, - "?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:gC:U")) != -1) { + /* Not Used: h, m, x, y, z, F, J, K, M, Q, T, U, V, W, X, Y */ + while ((ch = mygetopt(argc, argv, "?" + "abc:defgijk:l:nop:q:rstuv:w" + "A:B:C:D:E:GHIL:NO:PR:S:YZ:")) != -1) { switch (ch) { case '?' : Usage(); @@ -477,7 +479,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) cipherList = myoptarg; break; - case 'U' : + case 'H' : useDefCipherList = 1; break; diff --git a/src/internal.c b/src/internal.c index 752aaef4c..80a97d374 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10348,12 +10348,15 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) #endif } } -#if !defined(NO_OLD_TLS) else { + #if !defined(NO_MD5) && !defined(NO_OLD_TLS) BuildMD5_CertVerify(ssl, hashes->md5); + #endif + #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) BuildSHA_CertVerify(ssl, hashes->sha); + #endif } -#endif return ret; } @@ -13466,7 +13469,7 @@ Set the enabled cipher suites. @return true on success, else false. */ -int SetCipherList(Suites* suites, const char* list) +int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) { int ret = 0; int idx = 0; 
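Review bot: The new `-H` option is parsed but never described in Usage(): the diffstat accounts for every changed line in examples/client/client.c and examples/server/server.c, and neither Usage() is touched, so the client's help text never mentions `-H` and the server's, if it still documents `-U`, is now stale. Suggest adding a line such as `"-H          Use the default cipher list (ignore -l)\n"` (wording constructed) to both Usage() functions. Separately, when `-H` and `-l` are both given the `-l` list is silently discarded by `if (cipherList && !useDefCipherList)`; a one-line notice at that point would make test-suite logs easier to interpret. client_test's body continues outside the hunk.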
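Review bot: In the server.c hunk at @@ -392 the new option string ends with `"...S:YZ:"` while the comment directly above it lists `Y` among the unused letters, and the previous string did not accept `Y` either. Since no `case 'Y'` appears anywhere in this patch, `-Y` is now consumed by mygetopt and presumably reaches the switch's default handling instead of being rejected as an unknown option; either drop `Y` from the string or remove it from the "Not Used" comment so the two agree. server_test's body continues outside the hunk.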
@@ -13500,12 +13503,25 @@ int SetCipherList(Suites* suites, const char* list) for (i = 0; i < suiteSz; i++) { if (XSTRNCMP(name, cipher_names[i], sizeof(name)) == 0) { + #ifdef WOLFSSL_DTLS + /* don't allow stream ciphers with DTLS */ + if (ctx->method->version.major == DTLS_MAJOR) { + if (XSTRSTR(name, "RC4") || + XSTRSTR(name, "HC128") || + XSTRSTR(name, "RABBIT")) + { + WOLFSSL_MSG("Stream ciphers not supported with DTLS"); + continue; + } + + } + #endif /* WOLFSSL_DTLS */ + suites->suites[idx++] = (XSTRSTR(name, "CHACHA")) ? CHACHA_BYTE : (XSTRSTR(name, "QSH")) ? QSH_BYTE : (XSTRSTR(name, "EC")) ? ECC_BYTE : (XSTRSTR(name, "CCM")) ? ECC_BYTE : 0x00; /* normal */ - suites->suites[idx++] = (byte)cipher_name_idx[i]; /* The suites are either ECDSA, RSA, PSK, or Anon. The RSA @@ -13530,6 +13546,8 @@ int SetCipherList(Suites* suites, const char* list) InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, haveAnon); } + (void)ctx; + return ret; } 
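Review bot: The DTLS filter dereferences `ctx->method->version.major` with no NULL check on `ctx` or `ctx->method`; the two callers updated in src/ssl.c pass `ctx` and `ssl->ctx`, but a guard such as `if (ctx != NULL && ctx->method != NULL && ctx->method->version.major == DTLS_MAJOR)` keeps SetCipherList safe for any other caller outside this patch that may pass NULL. Excluding stream ciphers by substring of the suite name (`"RC4"`, `"HC128"`, `"RABBIT"`) is brittle — any future name containing one of these strings is excluded and a renamed suite is admitted — so keying the exclusion off the suite's cipher type after the lookup would be more robust, if such a property is available on the suite table. A rejected name is only logged through WOLFSSL_MSG and then dropped via `continue`, so a list made solely of stream ciphers makes the function return 0 while a mixed list silently loses entries; that fail-closed behaviour is reasonable but deserves a comment at the `continue`, e.g. `/* skip silently: caller sees failure only if no suite at all was accepted */`. SetCipherList's body begins and ends outside this hunk.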
@@ -19687,11 +19705,26 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifdef HAVE_ECC if (ssl->peerEccDsaKeyPresent) { - ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha; - ssl->buffers.digest.length = SHA_DIGEST_SIZE; WOLFSSL_MSG("Doing ECC peer cert verify"); + /* make sure a default is defined */ + #if !defined(NO_SHA) + ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha; + ssl->buffers.digest.length = SHA_DIGEST_SIZE; + #elif !defined(NO_SHA256) + ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256; + ssl->buffers.digest.length = SHA256_DIGEST_SIZE; + #elif defined(WOLFSSL_SHA384) + ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384; + ssl->buffers.digest.length = SHA384_DIGEST_SIZE; + #elif defined(WOLFSSL_SHA512) + ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512; + ssl->buffers.digest.length = SHA512_DIGEST_SIZE; + #else + #error No digest enabled for ECC sig verify + #endif + if (IsAtLeastTLSv1_2(ssl)) { if (sigAlgo != ecc_dsa_sa_algo) { WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); @@ -19788,8 +19821,22 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif int typeH = SHAh; + /* make sure a default is defined */ + #if !defined(NO_SHA) ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha; ssl->buffers.digest.length = SHA_DIGEST_SIZE; + #elif !defined(NO_SHA256) + ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256; + ssl->buffers.digest.length = SHA256_DIGEST_SIZE; + #elif defined(WOLFSSL_SHA384) + ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384; + ssl->buffers.digest.length = SHA384_DIGEST_SIZE; + #elif defined(WOLFSSL_SHA512) + ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512; + ssl->buffers.digest.length = SHA512_DIGEST_SIZE; + #else + #error No digest enabled for RSA sig verify + #endif #ifdef WOLFSSL_SMALL_STACK encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, 
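Review bot: The `#elif` chain chooses the pre-TLS-1.2 ECC verify digest from the build configuration rather than from the protocol: for TLS 1.0/1.1 the peer's ECDSA CertificateVerify is computed over SHA-1, so in a NO_SHA build the sha256/sha384/sha512 branches would compare against a digest the peer never signed. If NO_SHA implies NO_OLD_TLS in this tree the fallbacks are only reached on the TLS 1.2 path, where the sigAlgo/hash selection below presumably overrides them; a comment stating that assumption, e.g. `/* pre-1.2 requires SHA-1; the other branches only satisfy the compiler when old TLS is disabled */`, would make the intent explicit. The same sixteen-line chain is duplicated verbatim in the RSA hunk at @@ -19788; a small static helper that assigns `ssl->buffers.digest` from the available certHashes member would remove the duplication. The enclosing function continues outside the hunk.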
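Review bot: In the RSA hunk at @@ -19788 the context line `int typeH = SHAh;` stays unconditional, so in the sha256/sha384/sha512 fallback branches the digest buffer and the hash type carried alongside it disagree. If typeH selects the DigestInfo hash identifier for the RSA verify, as its name suggests, each branch should set it as well, e.g. `typeH = SHA256h;` in the `!defined(NO_SHA256)` branch and the SHA384h/SHA512h values in the others. Confirm how typeH is consumed further down the function, which is outside this hunk.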
diff --git a/src/ssl.c b/src/ssl.c index ac602dd26..e13c6604c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -7774,14 +7774,14 @@ int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) XMEMSET(ctx->suites, 0, sizeof(Suites)); } - return (SetCipherList(ctx->suites, list)) ? SSL_SUCCESS : SSL_FAILURE; + return (SetCipherList(ctx, ctx->suites, list)) ? SSL_SUCCESS : SSL_FAILURE; } int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list) { WOLFSSL_ENTER("wolfSSL_set_cipher_list"); - return (SetCipherList(ssl->suites, list)) ? SSL_SUCCESS : SSL_FAILURE; + return (SetCipherList(ssl->ctx, ssl->suites, list)) ? SSL_SUCCESS : SSL_FAILURE; } diff --git a/tests/suites.c b/tests/suites.c index 0197f4349..8192ed3a1 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -54,7 +54,7 @@ static char flagSep[] = " "; static char portFlag[] = "-p"; static char svrPort[] = "0"; #endif -static char forceDefCipherListFlag[] = "-U"; +static char forceDefCipherListFlag[] = "-H"; #ifndef WOLFSSL_ALLOW_SSLV3 @@ -156,7 +156,8 @@ static int IsValidCipherSuite(const char* line, char* suite) static int execute_test_case(int svr_argc, char** svr_argv, int cli_argc, char** cli_argv, int addNoVerify, int addNonBlocking, - int addDisableEMS, int forceSrvDefCipherList) + int addDisableEMS, int forceSrvDefCipherList, + int forceCliDefCipherList) { #ifdef WOLFSSL_TIRTOS func_args cliArgs = {0}; @@ -300,6 +301,12 @@ static int execute_test_case(int svr_argc, char** svr_argv, } } #endif + if (forceCliDefCipherList) { + if (cliArgs.argc >= MAX_ARGS) + printf("cannot add the force def cipher list flag to client\n"); + else + cli_argv[cliArgs.argc++] = forceDefCipherListFlag; + } commandLine[0] = '\0'; added = 0; 
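Review bot: In the tests/suites.c hunk at @@ -300, when the client argv is already full the new block prints "cannot add the force def cipher list flag to client" and then runs the test case anyway, so that run reports the same result as one in which the flag took effect; the server-side block above (only its `#endif` is visible) presumably behaves the same. For a harness whose purpose is to prove the default cipher list was exercised it would be safer to return an error or count a failure instead of falling through, and at minimum the `else` branch deserves a comment such as `/* best effort: the test still runs without the flag */`. execute_test_case continues outside the hunk.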
@@ -456,28 +463,31 @@ static void test_harness(void* vargs) if (do_it) { ret = execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 0, 0, 0); + cliArgsSz, cliArgs, 0, 0, 0, 0, 0); /* don't repeat if not supported in build */ if (ret == 0) { /* test with default cipher list on server side */ execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 0, 0, 1); + cliArgsSz, cliArgs, 0, 0, 0, 1, 0); + /* test with default cipher list on client side */ + execute_test_case(svrArgsSz, svrArgs, + cliArgsSz, cliArgs, 0, 0, 0, 0, 1); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 1, 0, 0); + cliArgsSz, cliArgs, 0, 1, 0, 0, 0); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 1, 0, 0, 0); + cliArgsSz, cliArgs, 1, 0, 0, 0, 0); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 1, 1, 0, 0); + cliArgsSz, cliArgs, 1, 1, 0, 0, 0); #ifdef HAVE_EXTENDED_MASTER execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 0, 1, 0); + cliArgsSz, cliArgs, 0, 0, 1, 0, 0); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 0, 1, 1, 0); + cliArgsSz, cliArgs, 0, 1, 1, 0, 0); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 1, 0, 1, 0); + cliArgsSz, cliArgs, 1, 0, 1, 0, 0); execute_test_case(svrArgsSz, svrArgs, - cliArgsSz, cliArgs, 1, 1, 1, 0); + cliArgsSz, cliArgs, 1, 1, 1, 0, 0); #endif } svrArgsSz = 1; diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf index 2a994578b..5bd76c694 100644 --- a/tests/test-dtls.conf +++ b/tests/test-dtls.conf @@ -100,26 +100,6 @@ -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD -A ./certs/server-ecc.pem -# server DTLSv1 RC4-SHA --u --v 2 --l RC4-SHA - -# client DTLSv1 RC4-SHA --u --v 2 --l RC4-SHA - -# server DTLSv1.2 RC4-SHA --u --v 3 --l RC4-SHA - -# client DTLSv1.2 RC4-SHA --u --v 3 --l RC4-SHA - # server DTLSv1 IDEA-CBC-SHA -u -v 2 
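Review bot: execute_test_case now takes five positional int flags, and every call site in test_harness is a row of 0/1 literals whose meaning is only recoverable by counting columns — the added client-default-list call differs from the server one only in its last two positions. A bitmask enum (e.g. `TEST_NO_VERIFY = 1 << 0`, `TEST_NON_BLOCKING = 1 << 1`, names illustrative) or a small options struct passed by pointer would make each call self-describing and avoid touching every call site the next time a flag is added. Placing the new client-default run inside `if (ret == 0)` next to the server-default run is consistent with the existing pattern. test_harness's body continues outside the hunk.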
@@ -230,16 +210,6 @@ -v 3 -l AES256-SHA256 -# server DTLSv1 ECDHE-RSA-RC4 --u --v 2 --l ECDHE-RSA-RC4-SHA - -# client DTLSv1 ECDHE-RSA-RC4 --u --v 2 --l ECDHE-RSA-RC4-SHA - # server DTLSv1.1 ECDHE-RSA-DES3 -u -v 2 @@ -270,16 +240,6 @@ -v 2 -l ECDHE-RSA-AES256-SHA -# server DTLSv1.2 ECDHE-RSA-RC4 --u --v 3 --l ECDHE-RSA-RC4-SHA - -# client DTLSv1.2 ECDHE-RSA-RC4 --u --v 3 --l ECDHE-RSA-RC4-SHA - # server DTLSv1.2 ECDHE-RSA-DES3 -u -v 3 @@ -359,19 +319,6 @@ -l ECDHE-ECDSA-NULL-SHA -A ./certs/server-ecc.pem -# server DTLSv1.1 ECDHE-EDCSA-RC4 --u --v 2 --l ECDHE-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client DTLSv1.1 ECDHE-ECDSA-RC4 --u --v 2 --l ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem - # server DTLSv1.1 ECDHE-ECDSA-DES3 -u -v 2 @@ -411,19 +358,6 @@ -l ECDHE-ECDSA-AES256-SHA -A ./certs/server-ecc.pem -# server DTLSv1.2 ECDHE-ECDSA-RC4 --u --v 3 --l ECDHE-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client DTLSv1.2 ECDHE-ECDSA-RC4 --u --v 3 --l ECDHE-ECDSA-RC4-SHA --A ./certs/server-ecc.pem - # server DTLSv1.2 ECDHE-ECDSA-DES3 -u -v 3 @@ -476,18 +410,6 @@ -l ECDHE-ECDSA-AES256-SHA -A ./certs/server-ecc.pem -# server DTLSv1.1 ECDH-RSA-RC4 --u --v 2 --l ECDH-RSA-RC4-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client DTLSv1.1 ECDH-RSA-RC4 --u --v 2 --l ECDH-RSA-RC4-SHA - # server DTLSv1.1 ECDH-RSA-DES3 -u -v 2 @@ -524,18 +446,6 @@ -v 2 -l ECDH-RSA-AES256-SHA -# server DTLSv1.2 ECDH-RSA-RC4 --u --v 3 --l ECDH-RSA-RC4-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client DTLSv1.2 ECDH-RSA-RC4 --u --v 3 --l ECDH-RSA-RC4-SHA - # server DTLSv1.2 ECDH-RSA-DES3 -u -v 3 @@ -584,19 +494,6 @@ -v 3 -l ECDH-RSA-AES256-SHA -# server DTLSv1.1 ECDH-EDCSA-RC4 --u --v 2 --l ECDH-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client DTLSv1.1 ECDH-ECDSA-RC4 --u --v 2 --l ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem - # server DTLSv1.1 ECDH-ECDSA-DES3 -u -v 2 
@@ -636,19 +533,6 @@ -l ECDH-ECDSA-AES256-SHA -A ./certs/server-ecc.pem -# server DTLSv1.2 ECDHE-ECDSA-RC4 --u --v 3 --l ECDH-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client DTLSv1.2 ECDH-ECDSA-RC4 --u --v 3 --l ECDH-ECDSA-RC4-SHA --A ./certs/server-ecc.pem - # server DTLSv1.2 ECDH-ECDSA-DES3 -u -v 3 diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d9b236b1d..0ee4b9c83 100755 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1401,7 +1401,7 @@ WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, word16, word16, word16, word16, word16, word16, word16, int); WOLFSSL_LOCAL -int SetCipherList(Suites*, const char* list); +int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list); #ifndef PSK_TYPES_DEFINED typedef unsigned int (*wc_psk_client_callback)(WOLFSSL*, const char*, char*,