feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix to calc BuildSHA_CertVerify if WOLFSSL_ALLOW_TLS_SHA1. Fix to add check for DTLS to not allow stream ciphers. Removed the RC4 tests from the test-dtls.conf. Added support for using default suites on client side. Switched the arg to “-H”. Cleanup of the example server/client args list. Fixes for build with “--disable-sha”.

Browse Source
This commit is contained in:
David Garske
2017-04-05 11:21:11 -07:00
parent 6a1ae7ee5b
commit eb40175cc6
7 changed files with 92 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
examples/client/client.c
View File

@ -594,6 +594,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
char* alpnList = NULL; char* alpnList = NULL;
unsigned char alpn_opt = 0; unsigned char alpn_opt = 0;
char* cipherList = NULL; char* cipherList = NULL;
int useDefCipherList = 0;
const char* verifyCert = caCertFile; const char* verifyCert = caCertFile;
const char* ourCert = cliCertFile; const char* ourCert = cliCertFile;
const char* ourKey = cliKeyFile; const char* ourKey = cliKeyFile;
@ -662,9 +663,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
StackTrap(); StackTrap();
#ifndef WOLFSSL_VXWORKS #ifndef WOLFSSL_VXWORKS
while ((ch = mygetopt(argc, argv, /* Not used: j, y, I, J, K, Q, Y */
"?gdeDuGsmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:TnoO:aB:W:E:M:q:")) while ((ch = mygetopt(argc, argv, "?"
!= -1) { "ab:c:defgh:ik:l:mnop:q:rstuv:wxz"
"A:B:CDE:F:GHL:M:NO:PRS:TUVW:XZ:")) != -1) {
switch (ch) { switch (ch) {
case '?' : case '?' :
Usage(); Usage();
@ -777,6 +779,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
cipherList = myoptarg; cipherList = myoptarg;
break; break;
case 'H' :
useDefCipherList = 1;
break;
case 'A' : case 'A' :
verifyCert = myoptarg; verifyCert = myoptarg;
break; break;
@ -1097,7 +1103,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
} }
#endif #endif
if (cipherList) { if (cipherList && !useDefCipherList) {
if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS) { if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS) {
wolfSSL_CTX_free(ctx); wolfSSL_CTX_free(ctx);
err_sys("client can't set cipher list 1"); err_sys("client can't set cipher list 1");

8
examples/server/server.c
View File

@ -392,8 +392,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef WOLFSSL_VXWORKS #ifdef WOLFSSL_VXWORKS
useAnyAddr = 1; useAnyAddr = 1;
#else #else
while ((ch = mygetopt(argc, argv, /* Not Used: h, m, x, y, z, F, J, K, M, Q, T, U, V, W, X, Y */
"?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:gC:U")) != -1) { while ((ch = mygetopt(argc, argv, "?"
"abc:defgijk:l:nop:q:rstuv:w"
"A:B:C:D:E:GHIL:NO:PR:S:YZ:")) != -1) {
switch (ch) { switch (ch) {
case '?' : case '?' :
Usage(); Usage();
@ -477,7 +479,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
cipherList = myoptarg; cipherList = myoptarg;
break; break;
case 'U' : case 'H' :
useDefCipherList = 1; useDefCipherList = 1;
break; break;

59
src/internal.c
View File

@ -10348,12 +10348,15 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes)
#endif #endif
} }
} }
#if !defined(NO_OLD_TLS)
else { else {
#if !defined(NO_MD5) && !defined(NO_OLD_TLS)
BuildMD5_CertVerify(ssl, hashes->md5); BuildMD5_CertVerify(ssl, hashes->md5);
#endif
#if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
defined(WOLFSSL_ALLOW_TLS_SHA1))
BuildSHA_CertVerify(ssl, hashes->sha); BuildSHA_CertVerify(ssl, hashes->sha);
#endif
} }
#endif
return ret; return ret;
} }
@ -13466,7 +13469,7 @@ Set the enabled cipher suites.
@return true on success, else false. @return true on success, else false.
*/ */
int SetCipherList(Suites* suites, const char* list) int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
{ {
int ret = 0; int ret = 0;
int idx = 0; int idx = 0;
@ -13500,12 +13503,25 @@ int SetCipherList(Suites* suites, const char* list)
for (i = 0; i < suiteSz; i++) { for (i = 0; i < suiteSz; i++) {
if (XSTRNCMP(name, cipher_names[i], sizeof(name)) == 0) { if (XSTRNCMP(name, cipher_names[i], sizeof(name)) == 0) {
#ifdef WOLFSSL_DTLS
/* don't allow stream ciphers with DTLS */
if (ctx->method->version.major == DTLS_MAJOR) {
if (XSTRSTR(name, "RC4") ||
XSTRSTR(name, "HC128") ||
XSTRSTR(name, "RABBIT"))
{
WOLFSSL_MSG("Stream ciphers not supported with DTLS");
continue;
}
}
#endif /* WOLFSSL_DTLS */
suites->suites[idx++] = (XSTRSTR(name, "CHACHA")) ? CHACHA_BYTE suites->suites[idx++] = (XSTRSTR(name, "CHACHA")) ? CHACHA_BYTE
: (XSTRSTR(name, "QSH")) ? QSH_BYTE : (XSTRSTR(name, "QSH")) ? QSH_BYTE
: (XSTRSTR(name, "EC")) ? ECC_BYTE : (XSTRSTR(name, "EC")) ? ECC_BYTE
: (XSTRSTR(name, "CCM")) ? ECC_BYTE : (XSTRSTR(name, "CCM")) ? ECC_BYTE
: 0x00; /* normal */ : 0x00; /* normal */
suites->suites[idx++] = (byte)cipher_name_idx[i]; suites->suites[idx++] = (byte)cipher_name_idx[i];
/* The suites are either ECDSA, RSA, PSK, or Anon. The RSA /* The suites are either ECDSA, RSA, PSK, or Anon. The RSA
@ -13530,6 +13546,8 @@ int SetCipherList(Suites* suites, const char* list)
InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, haveAnon); InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, haveAnon);
} }
(void)ctx;
return ret; return ret;
} }
@ -19687,11 +19705,26 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef HAVE_ECC #ifdef HAVE_ECC
if (ssl->peerEccDsaKeyPresent) { if (ssl->peerEccDsaKeyPresent) {
ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha;
ssl->buffers.digest.length = SHA_DIGEST_SIZE;
WOLFSSL_MSG("Doing ECC peer cert verify"); WOLFSSL_MSG("Doing ECC peer cert verify");
/* make sure a default is defined */
#if !defined(NO_SHA)
ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha;
ssl->buffers.digest.length = SHA_DIGEST_SIZE;
#elif !defined(NO_SHA256)
ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256;
ssl->buffers.digest.length = SHA256_DIGEST_SIZE;
#elif defined(WOLFSSL_SHA384)
ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384;
ssl->buffers.digest.length = SHA384_DIGEST_SIZE;
#elif defined(WOLFSSL_SHA512)
ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512;
ssl->buffers.digest.length = SHA512_DIGEST_SIZE;
#else
#error No digest enabled for ECC sig verify
#endif
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
if (sigAlgo != ecc_dsa_sa_algo) { if (sigAlgo != ecc_dsa_sa_algo) {
WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
@ -19788,8 +19821,22 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif #endif
int typeH = SHAh; int typeH = SHAh;
/* make sure a default is defined */
#if !defined(NO_SHA)
ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha; ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha;
ssl->buffers.digest.length = SHA_DIGEST_SIZE; ssl->buffers.digest.length = SHA_DIGEST_SIZE;
#elif !defined(NO_SHA256)
ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256;
ssl->buffers.digest.length = SHA256_DIGEST_SIZE;
#elif defined(WOLFSSL_SHA384)
ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384;
ssl->buffers.digest.length = SHA384_DIGEST_SIZE;
#elif defined(WOLFSSL_SHA512)
ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512;
ssl->buffers.digest.length = SHA512_DIGEST_SIZE;
#else
#error No digest enabled for RSA sig verify
#endif
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,

4
src/ssl.c
View File

@ -7774,14 +7774,14 @@ int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list)
XMEMSET(ctx->suites, 0, sizeof(Suites)); XMEMSET(ctx->suites, 0, sizeof(Suites));
} }
return (SetCipherList(ctx->suites, list)) ? SSL_SUCCESS : SSL_FAILURE; return (SetCipherList(ctx, ctx->suites, list)) ? SSL_SUCCESS : SSL_FAILURE;
} }
int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list) int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list)
{ {
WOLFSSL_ENTER("wolfSSL_set_cipher_list"); WOLFSSL_ENTER("wolfSSL_set_cipher_list");
return (SetCipherList(ssl->suites, list)) ? SSL_SUCCESS : SSL_FAILURE; return (SetCipherList(ssl->ctx, ssl->suites, list)) ? SSL_SUCCESS : SSL_FAILURE;
} }

32
tests/suites.c
View File

@ -54,7 +54,7 @@ static char flagSep[] = " ";
static char portFlag[] = "-p"; static char portFlag[] = "-p";
static char svrPort[] = "0"; static char svrPort[] = "0";
#endif #endif
static char forceDefCipherListFlag[] = "-U"; static char forceDefCipherListFlag[] = "-H";
#ifndef WOLFSSL_ALLOW_SSLV3 #ifndef WOLFSSL_ALLOW_SSLV3
@ -156,7 +156,8 @@ static int IsValidCipherSuite(const char* line, char* suite)
static int execute_test_case(int svr_argc, char** svr_argv, static int execute_test_case(int svr_argc, char** svr_argv,
int cli_argc, char** cli_argv, int cli_argc, char** cli_argv,
int addNoVerify, int addNonBlocking, int addNoVerify, int addNonBlocking,
int addDisableEMS, int forceSrvDefCipherList) int addDisableEMS, int forceSrvDefCipherList,
int forceCliDefCipherList)
{ {
#ifdef WOLFSSL_TIRTOS #ifdef WOLFSSL_TIRTOS
func_args cliArgs = {0}; func_args cliArgs = {0};
@ -300,6 +301,12 @@ static int execute_test_case(int svr_argc, char** svr_argv,
} }
} }
#endif #endif
if (forceCliDefCipherList) {
if (cliArgs.argc >= MAX_ARGS)
printf("cannot add the force def cipher list flag to client\n");
else
cli_argv[cliArgs.argc++] = forceDefCipherListFlag;
}
commandLine[0] = '\0'; commandLine[0] = '\0';
added = 0; added = 0;
@ -456,28 +463,31 @@ static void test_harness(void* vargs)
if (do_it) { if (do_it) {
ret = execute_test_case(svrArgsSz, svrArgs, ret = execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 0, 0); cliArgsSz, cliArgs, 0, 0, 0, 0, 0);
/* don't repeat if not supported in build */ /* don't repeat if not supported in build */
if (ret == 0) { if (ret == 0) {
/* test with default cipher list on server side */ /* test with default cipher list on server side */
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 0, 1); cliArgsSz, cliArgs, 0, 0, 0, 1, 0);
/* test with default cipher list on client side */
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 0, 0, 1);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 1, 0, 0); cliArgsSz, cliArgs, 0, 1, 0, 0, 0);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 0, 0, 0); cliArgsSz, cliArgs, 1, 0, 0, 0, 0);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 0, 0); cliArgsSz, cliArgs, 1, 1, 0, 0, 0);
#ifdef HAVE_EXTENDED_MASTER #ifdef HAVE_EXTENDED_MASTER
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 1, 0); cliArgsSz, cliArgs, 0, 0, 1, 0, 0);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 1, 1, 0); cliArgsSz, cliArgs, 0, 1, 1, 0, 0);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 0, 1, 0); cliArgsSz, cliArgs, 1, 0, 1, 0, 0);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 1, 0); cliArgsSz, cliArgs, 1, 1, 1, 0, 0);
#endif #endif
} }
svrArgsSz = 1; svrArgsSz = 1;

116
tests/test-dtls.conf
View File

@ -100,26 +100,6 @@
-l ECDHE-ECDSA-CHACHA20-POLY1305-OLD -l ECDHE-ECDSA-CHACHA20-POLY1305-OLD
-A ./certs/server-ecc.pem -A ./certs/server-ecc.pem
# server DTLSv1 RC4-SHA
-u
-v 2
-l RC4-SHA
# client DTLSv1 RC4-SHA
-u
-v 2
-l RC4-SHA
# server DTLSv1.2 RC4-SHA
-u
-v 3
-l RC4-SHA
# client DTLSv1.2 RC4-SHA
-u
-v 3
-l RC4-SHA
# server DTLSv1 IDEA-CBC-SHA # server DTLSv1 IDEA-CBC-SHA
-u -u
-v 2 -v 2
@ -230,16 +210,6 @@
-v 3 -v 3
-l AES256-SHA256 -l AES256-SHA256
# server DTLSv1 ECDHE-RSA-RC4
-u
-v 2
-l ECDHE-RSA-RC4-SHA
# client DTLSv1 ECDHE-RSA-RC4
-u
-v 2
-l ECDHE-RSA-RC4-SHA
# server DTLSv1.1 ECDHE-RSA-DES3 # server DTLSv1.1 ECDHE-RSA-DES3
-u -u
-v 2 -v 2
@ -270,16 +240,6 @@
-v 2 -v 2
-l ECDHE-RSA-AES256-SHA -l ECDHE-RSA-AES256-SHA
# server DTLSv1.2 ECDHE-RSA-RC4
-u
-v 3
-l ECDHE-RSA-RC4-SHA
# client DTLSv1.2 ECDHE-RSA-RC4
-u
-v 3
-l ECDHE-RSA-RC4-SHA
# server DTLSv1.2 ECDHE-RSA-DES3 # server DTLSv1.2 ECDHE-RSA-DES3
-u -u
-v 3 -v 3
@ -359,19 +319,6 @@
-l ECDHE-ECDSA-NULL-SHA -l ECDHE-ECDSA-NULL-SHA
-A ./certs/server-ecc.pem -A ./certs/server-ecc.pem
# server DTLSv1.1 ECDHE-EDCSA-RC4
-u
-v 2
-l ECDHE-ECDSA-RC4-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client DTLSv1.1 ECDHE-ECDSA-RC4
-u
-v 2
-l ECDHE-ECDSA-RC4-SHA
-A ./certs/server-ecc.pem
# server DTLSv1.1 ECDHE-ECDSA-DES3 # server DTLSv1.1 ECDHE-ECDSA-DES3
-u -u
-v 2 -v 2
@ -411,19 +358,6 @@
-l ECDHE-ECDSA-AES256-SHA -l ECDHE-ECDSA-AES256-SHA
-A ./certs/server-ecc.pem -A ./certs/server-ecc.pem
# server DTLSv1.2 ECDHE-ECDSA-RC4
-u
-v 3
-l ECDHE-ECDSA-RC4-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client DTLSv1.2 ECDHE-ECDSA-RC4
-u
-v 3
-l ECDHE-ECDSA-RC4-SHA
-A ./certs/server-ecc.pem
# server DTLSv1.2 ECDHE-ECDSA-DES3 # server DTLSv1.2 ECDHE-ECDSA-DES3
-u -u
-v 3 -v 3
@ -476,18 +410,6 @@
-l ECDHE-ECDSA-AES256-SHA -l ECDHE-ECDSA-AES256-SHA
-A ./certs/server-ecc.pem -A ./certs/server-ecc.pem
# server DTLSv1.1 ECDH-RSA-RC4
-u
-v 2
-l ECDH-RSA-RC4-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client DTLSv1.1 ECDH-RSA-RC4
-u
-v 2
-l ECDH-RSA-RC4-SHA
# server DTLSv1.1 ECDH-RSA-DES3 # server DTLSv1.1 ECDH-RSA-DES3
-u -u
-v 2 -v 2
@ -524,18 +446,6 @@
-v 2 -v 2
-l ECDH-RSA-AES256-SHA -l ECDH-RSA-AES256-SHA
# server DTLSv1.2 ECDH-RSA-RC4
-u
-v 3
-l ECDH-RSA-RC4-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client DTLSv1.2 ECDH-RSA-RC4
-u
-v 3
-l ECDH-RSA-RC4-SHA
# server DTLSv1.2 ECDH-RSA-DES3 # server DTLSv1.2 ECDH-RSA-DES3
-u -u
-v 3 -v 3
@ -584,19 +494,6 @@
-v 3 -v 3
-l ECDH-RSA-AES256-SHA -l ECDH-RSA-AES256-SHA
# server DTLSv1.1 ECDH-EDCSA-RC4
-u
-v 2
-l ECDH-ECDSA-RC4-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client DTLSv1.1 ECDH-ECDSA-RC4
-u
-v 2
-l ECDH-ECDSA-RC4-SHA
-A ./certs/server-ecc.pem
# server DTLSv1.1 ECDH-ECDSA-DES3 # server DTLSv1.1 ECDH-ECDSA-DES3
-u -u
-v 2 -v 2
@ -636,19 +533,6 @@
-l ECDH-ECDSA-AES256-SHA -l ECDH-ECDSA-AES256-SHA
-A ./certs/server-ecc.pem -A ./certs/server-ecc.pem
# server DTLSv1.2 ECDHE-ECDSA-RC4
-u
-v 3
-l ECDH-ECDSA-RC4-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client DTLSv1.2 ECDH-ECDSA-RC4
-u
-v 3
-l ECDH-ECDSA-RC4-SHA
-A ./certs/server-ecc.pem
# server DTLSv1.2 ECDH-ECDSA-DES3 # server DTLSv1.2 ECDH-ECDSA-DES3
-u -u
-v 3 -v 3

2
wolfssl/internal.h
View File

@ -1401,7 +1401,7 @@ WOLFSSL_LOCAL
void InitSuites(Suites*, ProtocolVersion, word16, word16, word16, word16, void InitSuites(Suites*, ProtocolVersion, word16, word16, word16, word16,
word16, word16, word16, int); word16, word16, word16, int);
WOLFSSL_LOCAL WOLFSSL_LOCAL
int SetCipherList(Suites*, const char* list); int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list);
#ifndef PSK_TYPES_DEFINED #ifndef PSK_TYPES_DEFINED
typedef unsigned int (*wc_psk_client_callback)(WOLFSSL*, const char*, char*, typedef unsigned int (*wc_psk_client_callback)(WOLFSSL*, const char*, char*,