From b2ebfe900428d7e980c93ebfd9607ee33bedd28b Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 31 Jan 2014 10:37:11 -0800 Subject: [PATCH 01/14] determine if openssl command line tool available for testing with ocsp, if so, HAVE_OPENSSL_CMD define is set --- configure.ac | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/configure.ac b/configure.ac index eda0bd416..bea2e0e05 100644 --- a/configure.ac +++ b/configure.ac @@ -1105,6 +1105,20 @@ fi AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) +if test "$ENABLED_OCSP" = "yes" +then + # check openssl command tool for testing ocsp + AC_CHECK_PROG([HAVE_OPENSSL_CMD],[openssl],[yes],[no]) + + if test "$HAVE_OPENSSL_CMD" = "yes" + then + AM_CFLAGS="$AM_CFLAGS -DHAVE_OPENSSL_CMD" + else + AC_MSG_WARN([openssl command line tool not available for testing ocsp]) + fi +fi + + # CRL AC_ARG_ENABLE([crl], [ --enable-crl Enable CRL (default: disabled)], From 75ae9dc973d84e216078239caa8d8edc4dab6453 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 26 Aug 2013 12:27:58 -0300 Subject: [PATCH 02/14] added external api for Elliptic Curves Extension. --- cyassl/internal.h | 22 ++++++++++++++++++---- cyassl/ssl.h | 43 +++++++++++++++++++++++++++++++++++++++++++ src/ssl.c | 24 ++++++++++++++++++++++++ 3 files changed, 85 insertions(+), 4 deletions(-) diff --git a/cyassl/internal.h b/cyassl/internal.h index 085d2a393..f2e9558ec 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1109,11 +1109,13 @@ typedef struct CYASSL_DTLS_CTX { typedef enum { SERVER_NAME_INDICATION = 0, MAX_FRAGMENT_LENGTH = 1, - /*CLIENT_CERTIFICATE_URL = 2, - TRUSTED_CA_KEYS = 3,*/ + /*CLIENT_CERTIFICATE_URL = 2,*/ + /*TRUSTED_CA_KEYS = 3,*/ TRUNCATED_HMAC = 4, - /*STATUS_REQUEST = 5, - SIGNATURE_ALGORITHMS = 13,*/ + /*STATUS_REQUEST = 5,*/ + ELLIPTIC_CURVES = 10, + /*EC_POINT_FORMATS = 11,*/ + /*SIGNATURE_ALGORITHMS = 13,*/ } TLSX_Type; typedef struct TLSX { @@ -1180,6 +1182,18 @@ CYASSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); #endif /* HAVE_TRUNCATED_HMAC */ +#ifdef HAVE_ELLIPTIC_CURVES + +typedef struct EllipticCurve { + word16 name; /* CurveNames */ + struct EllipticCurve* next; /* List Behavior */ + +} EllipticCurve; + +CYASSL_LOCAL int TLSX_UseEllipticCurve(TLSX** extensions, word16 name); + +#endif + #endif /* HAVE_TLS_EXTENSIONS */ /* CyaSSL context type */ diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 049e0d5eb..678c1934f 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -1231,6 +1231,7 @@ CYASSL_API int CyaSSL_CTX_UseMaxFragment(CYASSL_CTX* ctx, unsigned char mfl); #endif /* NO_CYASSL_CLIENT */ #endif /* HAVE_MAX_FRAGMENT */ +/* Truncated HMAC */ #ifdef HAVE_TRUNCATED_HMAC #ifndef NO_CYASSL_CLIENT @@ -1240,6 +1241,48 @@ CYASSL_API int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx); #endif /* NO_CYASSL_CLIENT */ #endif /* HAVE_TRUNCATED_HMAC */ +/* Elliptic Curves */ +#ifdef HAVE_ELLIPTIC_CURVES + +enum { + /*CYASSL_ECC_SECT163K1 = 1,*/ + /*CYASSL_ECC_SECT163R1 = 2,*/ + /*CYASSL_ECC_SECT163R2 = 3,*/ + /*CYASSL_ECC_SECT193R1 = 4,*/ + /*CYASSL_ECC_SECT193R2 = 5,*/ + /*CYASSL_ECC_SECT233K1 = 6,*/ + /*CYASSL_ECC_SECT233R1 = 7,*/ + /*CYASSL_ECC_SECT239K1 = 8,*/ + /*CYASSL_ECC_SECT283K1 = 9,*/ + /*CYASSL_ECC_SECT283R1 = 10,*/ + /*CYASSL_ECC_SECT409K1 = 11,*/ + /*CYASSL_ECC_SECT409R1 = 12,*/ + /*CYASSL_ECC_SECT571K1 = 13,*/ + /*CYASSL_ECC_SECT571R1 = 14,*/ + /*CYASSL_ECC_SECP160K1 = 15,*/ + CYASSL_ECC_SECP160R1 = 16, + /*CYASSL_ECC_SECP160R2 = 17,*/ + /*CYASSL_ECC_SECP192K1 = 18,*/ + CYASSL_ECC_SECP192R1 = 19, + /*CYASSL_ECC_SECP224K1 = 20,*/ + CYASSL_ECC_SECP224R1 = 21, + /*CYASSL_ECC_SECP256K1 = 22,*/ + CYASSL_ECC_SECP256R1 = 23, + CYASSL_ECC_SECP384R1 = 24, + CYASSL_ECC_SECP521R1 = 25, + /*CYASSL_ECC_ARBITRARY_EXPLICIT_PRIME_CURVES = 0xFF01,*/ + /*CYASSL_ECC_ARBITRARY_EXPLICIT_CHAR2_CURVES = 0xFF02*/ +}; + +#ifndef NO_CYASSL_CLIENT + +CYASSL_API int CyaSSL_UseEllipticCurve(CYASSL* ssl, unsigned short name); +CYASSL_API int CyaSSL_CTX_UseEllipticCurve(CYASSL_CTX* ctx, + unsigned short name); + +#endif /* NO_CYASSL_CLIENT */ +#endif /* HAVE_ELLIPTIC_CURVES */ + #define CYASSL_CRL_MONITOR 0x01 /* monitor this dir flag */ #define CYASSL_CRL_START_MON 0x02 /* start monitoring flag */ diff --git a/src/ssl.c b/src/ssl.c index e12e66f9e..b1d309db2 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -622,6 +622,30 @@ int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx) #endif /* NO_CYASSL_CLIENT */ #endif /* HAVE_TRUNCATED_HMAC */ +/* Elliptic Curves */ +#ifdef HAVE_ELLIPTIC_CURVES +#ifndef NO_CYASSL_CLIENT + +int CyaSSL_UseEllipticCurve(CYASSL* ssl, word16 name) +{ + if (ssl == NULL) + return BAD_FUNC_ARG; + + return TLSX_UseEllipticCurve(&ssl->extensions, name); +} + +int CyaSSL_CTX_UseEllipticCurve(CYASSL_CTX* ctx, word16 name) +{ + if (ctx == NULL) + return BAD_FUNC_ARG; + + return TLSX_UseEllipticCurve(&ctx->extensions, name); +} + +#endif /* NO_CYASSL_CLIENT */ +#endif /* HAVE_ELLIPTIC_CURVES */ + + #ifndef CYASSL_LEANPSK int CyaSSL_send(CYASSL* ssl, const void* data, int sz, int flags) { From 179836ad436f3ec9804aa5836b4891a98de60579 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 26 Aug 2013 12:39:27 -0300 Subject: [PATCH 03/14] added api tests for Elliptic Curves Extensions. --- tests/api.c | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/tests/api.c b/tests/api.c index 3dadad7a1..176b08abf 100644 --- a/tests/api.c +++ b/tests/api.c @@ -56,6 +56,9 @@ static void test_CyaSSL_UseMaxFragment(void); #ifdef HAVE_TRUNCATED_HMAC static void test_CyaSSL_UseTruncatedHMAC(void); #endif /* HAVE_TRUNCATED_HMAC */ +#ifdef HAVE_ELLIPTIC_CURVES +static void test_CyaSSL_UseEllipticCurve(void); +#endif /* HAVE_ELLIPTIC_CURVES */ /* test function helpers */ static int test_method(CYASSL_METHOD *method, const char *name); @@ -116,6 +119,9 @@ int ApiTest(void) #ifdef HAVE_TRUNCATED_HMAC test_CyaSSL_UseTruncatedHMAC(); #endif /* HAVE_TRUNCATED_HMAC */ +#ifdef HAVE_ELLIPTIC_CURVES + test_CyaSSL_UseEllipticCurve(); +#endif /* HAVE_ELLIPTIC_CURVES */ test_CyaSSL_Cleanup(); printf(" End API Tests\n"); @@ -236,7 +242,6 @@ int test_CyaSSL_CTX_new(CYASSL_METHOD *method) return TEST_SUCCESS; } -#ifdef HAVE_TLS_EXTENSIONS #ifdef HAVE_SNI static void use_SNI_at_ctx(CYASSL_CTX* ctx) { @@ -537,7 +542,32 @@ static void test_CyaSSL_UseTruncatedHMAC(void) } #endif /* HAVE_TRUNCATED_HMAC */ -#endif /* HAVE_TLS_EXTENSIONS */ +#ifdef HAVE_ELLIPTIC_CURVES +static void test_CyaSSL_UseEllipticCurve(void) +{ + CYASSL_CTX *ctx = CyaSSL_CTX_new(CyaSSLv23_client_method()); + CYASSL *ssl = CyaSSL_new(ctx); + + AssertNotNull(ctx); + AssertNotNull(ssl); + +#ifndef NO_CYASSL_CLIENT + /* error cases */ + AssertIntNE(0, CyaSSL_CTX_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); + AssertIntNE(0, CyaSSL_CTX_UseEllipticCurve(ctx, 0)); + + AssertIntNE(0, CyaSSL_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); + AssertIntNE(0, CyaSSL_UseEllipticCurve(ssl, 0)); + + /* success case */ + AssertIntEQ(0, CyaSSL_CTX_UseEllipticCurve(ctx, CYASSL_ECC_SECP160R1)); + AssertIntEQ(0, CyaSSL_UseEllipticCurve(ssl, CYASSL_ECC_SECP160R1)); +#endif + + CyaSSL_free(ssl); + CyaSSL_CTX_free(ctx); +} +#endif /* HAVE_ELLIPTIC_CURVES */ #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) /* Helper for testing CyaSSL_CTX_use_certificate_file() */ From 7d2a6800f70f701a81a9c4d9408512fdef994cd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 26 Aug 2013 12:44:50 -0300 Subject: [PATCH 04/14] added Elliptic Curves Extensions implementation and configuration. --- configure.ac | 13 +++ src/tls.c | 233 +++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 239 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index bea2e0e05..f749db2cf 100644 --- a/configure.ac +++ b/configure.ac @@ -1226,6 +1226,18 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_RENEGOTIATION_INDICATION" fi +# Elliptic Curves Extensions +AC_ARG_ENABLE([ellipticcurves], + [ --enable-ellipticcurves Enable Elliptic Curves (default: disabled)], + [ ENABLED_ELLIPTIC_CURVES=$enableval ], + [ ENABLED_ELLIPTIC_CURVES=no ] + ) + +if test "x$ENABLED_ELLIPTIC_CURVES" = "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ELLIPTIC_CURVES" +fi + # TLS Extensions AC_ARG_ENABLE([tlsx], [ --enable-tlsx Enable all TLS Extensions (default: disabled)], @@ -1676,6 +1688,7 @@ echo " * SNI: $ENABLED_SNI" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" +echo " * Elliptic Curves: $ENABLED_ELLIPTIC_CURVES" echo " * All TLS Extensions: $ENABLED_TLSX" echo " * PKCS#7 $ENABLED_PKCS7" echo " * wolfSCEP $ENABLED_WOLFSCEP" diff --git a/src/tls.c b/src/tls.c index 482271ba6..f96bc1035 100644 --- a/src/tls.c +++ b/src/tls.c @@ -515,6 +515,12 @@ void TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, #ifdef HAVE_TLS_EXTENSIONS +#define IS_OFF(semaphore, light) \ + ((semaphore)[(light) / 8] ^ (byte) (0x01 << ((light) % 8))) + +#define TURN_ON(semaphore, light) \ + ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8))) + static int TLSX_Append(TLSX** list, TLSX_Type type) { TLSX* extension; @@ -536,7 +542,9 @@ static int TLSX_Append(TLSX** list, TLSX_Type type) #ifndef NO_CYASSL_SERVER -static void TLSX_SetResponse(CYASSL* ssl, TLSX_Type type) +void TLSX_SetResponse(CYASSL* ssl, TLSX_Type type); + +void TLSX_SetResponse(CYASSL* ssl, TLSX_Type type) { TLSX *ext = TLSX_Find(ssl->extensions, type); @@ -1152,6 +1160,200 @@ static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length, #endif /* HAVE_TRUNCATED_HMAC */ +#ifdef HAVE_ELLIPTIC_CURVES + +#ifndef HAVE_ECC +#error "Elliptic Curves Extension requires Elliptic Curve Cryptography. \ +Use --enable-ecc in the configure script or define HAVE_ECC." +#endif + +static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list) +{ + EllipticCurve* curve; + + while ((curve = list)) { + list = curve->next; + XFREE(curve, 0, DYNAMIC_TYPE_TLSX); + } +} + +static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name) +{ + EllipticCurve* curve; + + if (list == NULL) + return BAD_FUNC_ARG; + + if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL) + return MEMORY_E; + + curve->name = name; + curve->next = *list; + + *list = curve; + + return 0; +} + +#ifndef NO_CYASSL_CLIENT + +static void TLSX_EllipticCurve_ValidateRequest(CYASSL* ssl, byte* semaphore) +{ + int i; + + for (i = 0; i < ssl->suites->suiteSz; i+= 2) + if (ssl->suites->suites[i] == ECC_BYTE) + return; + + /* No elliptic curve suite found */ + TURN_ON(semaphore, ELLIPTIC_CURVES); +} + +static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list) +{ + EllipticCurve* curve; + word16 length = OPAQUE16_LEN; /* list length */ + + while ((curve = list)) { + list = curve->next; + length += OPAQUE16_LEN; /* curve length */ + } + + return length; +} + +static word16 TLSX_EllipticCurve_Write(EllipticCurve* list, byte* output) +{ + EllipticCurve* curve; + word16 offset = OPAQUE16_LEN; /* list length offset */ + + while ((curve = list)) { + list = curve->next; + + c16toa(curve->name, output + offset); /* curve name */ + offset += OPAQUE16_LEN; + } + + c16toa(offset - OPAQUE16_LEN, output); /* writing list length */ + + return offset; +} + +#endif /* NO_CYASSL_CLIENT */ +#ifndef NO_CYASSL_SERVER + +static int TLSX_EllipticCurve_Parse(CYASSL* ssl, byte* input, word16 length, + byte isRequest) +{ + word16 offset; + word16 name; + int r; + + (void) isRequest; /* shut up compiler! */ + + if (OPAQUE16_LEN > length || length % OPAQUE16_LEN) + return INCOMPLETE_DATA; + + ato16(input, &offset); + + /* validating curve list length */ + if (length != OPAQUE16_LEN + offset) + return INCOMPLETE_DATA; + + while (offset) { + ato16(input + offset, &name); + offset -= OPAQUE16_LEN; + + r = TLSX_UseEllipticCurve(&ssl->extensions, name); + + if (r) return r; /* throw error */ + } + + return 0; +} + +#endif /* NO_CYASSL_SERVER */ + +int TLSX_UseEllipticCurve(TLSX** extensions, word16 name) +{ + TLSX* extension = NULL; + EllipticCurve* curve = NULL; + int ret = 0; + + if (extensions == NULL) + return BAD_FUNC_ARG; + + if ( name != CYASSL_ECC_SECP160R1 && + name != CYASSL_ECC_SECP192R1 && + name != CYASSL_ECC_SECP224R1 && + (name < CYASSL_ECC_SECP256R1 || name > CYASSL_ECC_SECP521R1)) + return BAD_FUNC_ARG; + + if ((ret = TLSX_EllipticCurve_Append(&curve, name)) != 0) + return ret; + + extension = *extensions; + + /* find EllipticCurve extension if it already exists. */ + while (extension && extension->type != ELLIPTIC_CURVES) + extension = extension->next; + + /* push new EllipticCurve extension if it doesn't exists. */ + if (!extension) { + if ((ret = TLSX_Append(extensions, ELLIPTIC_CURVES)) != 0) { + XFREE(curve, 0, DYNAMIC_TYPE_TLSX); + return ret; + } + + extension = *extensions; + } + + /* push new EllipticCurve object to extension data. */ + curve->next = (EllipticCurve*) extension->data; + extension->data = (void*) curve; + + /* look for another curve of the same name to remove (replacement) */ + do { + if (curve->next && curve->next->name == name) { + EllipticCurve *next = curve->next; + + curve->next = next->next; + XFREE(next, 0, DYNAMIC_TYPE_TLSX); + + break; + } + } while ((curve = curve->next)); + + return 0; +} + +#define EC_FREE_ALL TLSX_EllipticCurve_FreeAll +#define EC_VALIDATE_REQUEST TLSX_EllipticCurve_ValidateRequest + +#ifndef NO_CYASSL_CLIENT +#define EC_GET_SIZE TLSX_EllipticCurve_GetSize +#define EC_WRITE TLSX_EllipticCurve_Write +#else +#define EC_GET_SIZE(list) 0 +#define EC_WRITE(a, b) 0 +#endif + +#ifndef NO_CYASSL_SERVER +#define EC_PARSE TLSX_EllipticCurve_Parse +#else +#define EC_PARSE(a, b, c, d) 0 +#endif + +#else + +#define EC_FREE_ALL(list) +#define EC_GET_SIZE(list) 0 +#define EC_WRITE(a, b) 0 +#define EC_PARSE(a, b, c, d) 0 +#define EC_VALIDATE_REQUEST(a, b) + +#endif /* HAVE_ELLIPTIC_CURVES */ + TLSX* TLSX_Find(TLSX* list, TLSX_Type type) { TLSX* extension = list; @@ -1181,18 +1383,16 @@ void TLSX_FreeAll(TLSX* list) case TRUNCATED_HMAC: /* Nothing to do. */ break; + + case ELLIPTIC_CURVES: + EC_FREE_ALL(extension->data); + break; } XFREE(extension, 0, DYNAMIC_TYPE_TLSX); } } -#define IS_OFF(semaphore, light) \ - ((semaphore)[(light) / 8] ^ (byte) (0x01 << ((light) % 8))) - -#define TURN_ON(semaphore, light) \ - ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8))) - static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) { TLSX* extension; @@ -1220,6 +1420,10 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) case TRUNCATED_HMAC: /* empty extension. */ break; + + case ELLIPTIC_CURVES: + length += EC_GET_SIZE((EllipticCurve *) extension->data); + break; } TURN_ON(semaphore, extension->type); @@ -1264,6 +1468,11 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, case TRUNCATED_HMAC: /* empty extension. */ break; + + case ELLIPTIC_CURVES: + offset += EC_WRITE((EllipticCurve *) extension->data, + output + offset); + break; } /* writing extension data length */ @@ -1286,6 +1495,8 @@ word16 TLSX_GetRequestSize(CYASSL* ssl) if (ssl && IsTLS(ssl)) { byte semaphore[16] = {0}; + EC_VALIDATE_REQUEST(ssl, semaphore); + if (ssl->extensions) length += TLSX_GetSize(ssl->extensions, semaphore, 1); @@ -1311,6 +1522,8 @@ word16 TLSX_WriteRequest(CYASSL* ssl, byte* output) offset += OPAQUE16_LEN; /* extensions length */ + EC_VALIDATE_REQUEST(ssl, semaphore); + if (ssl->extensions) offset += TLSX_Write(ssl->extensions, output + offset, semaphore, 1); @@ -1430,6 +1643,12 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest, ret = THM_PARSE(ssl, input + offset, size, isRequest); break; + case ELLIPTIC_CURVES: + CYASSL_MSG("Elliptic Curves extension received"); + + ret = EC_PARSE(ssl, input + offset, size, isRequest); + break; + case HELLO_EXT_SIG_ALGO: if (isRequest) { /* do not mess with offset inside the switch! */ From ae6d5930966ed9f467805895f8ba4a8b937f7ddd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 6 Jan 2014 10:52:22 -0300 Subject: [PATCH 05/14] added curve names extension to all extensions --- configure.ac | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index f749db2cf..36c82960d 100644 --- a/configure.ac +++ b/configure.ac @@ -1251,7 +1251,8 @@ then ENABLED_MAX_FRAGMENT=yes ENABLED_TRUNCATED_HMAC=yes ENABLED_RENEGOTIATION_INDICATION=yes - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_RENEGOTIATION_INDICATION" + ENABLED_ELLIPTIC_CURVES=yes + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_RENEGOTIATION_INDICATION -DHAVE_ELLIPTIC_CURVES" fi # PKCS7 From afd38d11cd044953704ea9c206149c93ba933b1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Wed, 8 Jan 2014 11:57:57 -0300 Subject: [PATCH 06/14] removing unused curve names. --- cyassl/ssl.h | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 678c1934f..8acebf25e 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -1245,33 +1245,12 @@ CYASSL_API int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx); #ifdef HAVE_ELLIPTIC_CURVES enum { - /*CYASSL_ECC_SECT163K1 = 1,*/ - /*CYASSL_ECC_SECT163R1 = 2,*/ - /*CYASSL_ECC_SECT163R2 = 3,*/ - /*CYASSL_ECC_SECT193R1 = 4,*/ - /*CYASSL_ECC_SECT193R2 = 5,*/ - /*CYASSL_ECC_SECT233K1 = 6,*/ - /*CYASSL_ECC_SECT233R1 = 7,*/ - /*CYASSL_ECC_SECT239K1 = 8,*/ - /*CYASSL_ECC_SECT283K1 = 9,*/ - /*CYASSL_ECC_SECT283R1 = 10,*/ - /*CYASSL_ECC_SECT409K1 = 11,*/ - /*CYASSL_ECC_SECT409R1 = 12,*/ - /*CYASSL_ECC_SECT571K1 = 13,*/ - /*CYASSL_ECC_SECT571R1 = 14,*/ - /*CYASSL_ECC_SECP160K1 = 15,*/ CYASSL_ECC_SECP160R1 = 16, - /*CYASSL_ECC_SECP160R2 = 17,*/ - /*CYASSL_ECC_SECP192K1 = 18,*/ CYASSL_ECC_SECP192R1 = 19, - /*CYASSL_ECC_SECP224K1 = 20,*/ CYASSL_ECC_SECP224R1 = 21, - /*CYASSL_ECC_SECP256K1 = 22,*/ CYASSL_ECC_SECP256R1 = 23, CYASSL_ECC_SECP384R1 = 24, - CYASSL_ECC_SECP521R1 = 25, - /*CYASSL_ECC_ARBITRARY_EXPLICIT_PRIME_CURVES = 0xFF01,*/ - /*CYASSL_ECC_ARBITRARY_EXPLICIT_CHAR2_CURVES = 0xFF02*/ + CYASSL_ECC_SECP521R1 = 25 }; #ifndef NO_CYASSL_CLIENT From 70e3d6ddb093be6a537c95369058a0eb8aafdac4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Wed, 8 Jan 2014 12:15:48 -0300 Subject: [PATCH 07/14] removing missing extensions --- cyassl/internal.h | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/cyassl/internal.h b/cyassl/internal.h index f2e9558ec..956e84c3b 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1109,13 +1109,8 @@ typedef struct CYASSL_DTLS_CTX { typedef enum { SERVER_NAME_INDICATION = 0, MAX_FRAGMENT_LENGTH = 1, - /*CLIENT_CERTIFICATE_URL = 2,*/ - /*TRUSTED_CA_KEYS = 3,*/ TRUNCATED_HMAC = 4, - /*STATUS_REQUEST = 5,*/ - ELLIPTIC_CURVES = 10, - /*EC_POINT_FORMATS = 11,*/ - /*SIGNATURE_ALGORITHMS = 13,*/ + ELLIPTIC_CURVES = 10 } TLSX_Type; typedef struct TLSX { From de6a5378965aa889fa4abf3bcd6f4498cf100d27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Tue, 14 Jan 2014 14:20:34 -0300 Subject: [PATCH 08/14] exporting pkCurve info to ctx and ssl --- ctaocrypt/src/asn.c | 9 +++------ cyassl/internal.h | 2 ++ src/internal.c | 1 + src/ssl.c | 7 +++++++ 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index d1c82f8e1..fa4552e9f 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -1522,7 +1522,6 @@ static int GetKey(DecodedCert* cert) #ifdef HAVE_ECC case ECDSAk: { - word32 oid = 0; int oidSz = 0; byte b = cert->source[cert->srcIdx++]; @@ -1533,12 +1532,10 @@ static int GetKey(DecodedCert* cert) return ASN_PARSE_E; while(oidSz--) - oid += cert->source[cert->srcIdx++]; - if (CheckCurve(oid) < 0) + cert->pkCurveOID += cert->source[cert->srcIdx++]; + + if (CheckCurve(cert->pkCurveOID) < 0) return ECC_CURVE_OID_E; - #ifdef OPENSSL_EXTRA - cert->pkCurveOID = oid; - #endif /* OPENSSL_EXTRA */ /* key header */ b = cert->source[cert->srcIdx++]; diff --git a/cyassl/internal.h b/cyassl/internal.h index 956e84c3b..c7e4d431a 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1230,6 +1230,7 @@ struct CYASSL_CTX { word32 timeout; /* session timeout */ #ifdef HAVE_ECC word16 eccTempKeySz; /* in octets 20 - 66 */ + word32 pkCurveOID; /* curve Ecc_Sum */ #endif #ifndef NO_PSK byte havePSK; /* psk key set by user */ @@ -1849,6 +1850,7 @@ struct CYASSL { ecc_key* eccTempKey; /* private ECDHE key */ ecc_key* eccDsaKey; /* private ECDSA key */ word16 eccTempKeySz; /* in octets 20 - 66 */ + word32 pkCurveOID; /* curve Ecc_Sum */ byte peerEccKeyPresent; byte peerEccDsaKeyPresent; byte eccTempKeyPresent; diff --git a/src/internal.c b/src/internal.c index 0f438dd1b..7423b59a9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1400,6 +1400,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) #ifdef HAVE_ECC ssl->eccTempKeySz = ctx->eccTempKeySz; + ssl->pkCurveOID = ctx->pkCurveOID; ssl->peerEccKeyPresent = 0; ssl->peerEccDsaKeyPresent = 0; ssl->eccDsaKeyPresent = 0; diff --git a/src/ssl.c b/src/ssl.c index b1d309db2..902ebd042 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2137,6 +2137,13 @@ int CyaSSL_Init(void) break; } +#ifdef HAVE_ECC + if (ctx) + ctx->pkCurveOID = cert.pkCurveOID; + if (ssl) + ssl->pkCurveOID = cert.pkCurveOID; +#endif + FreeDecodedCert(&cert); } From 9490c0dbafc6da343d680e2d0bcb8b40429b7a42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Tue, 14 Jan 2014 15:39:06 -0300 Subject: [PATCH 09/14] validating curves --- cyassl/internal.h | 5 +++ cyassl/ssl.h | 12 +++---- src/internal.c | 7 ++++ src/tls.c | 84 ++++++++++++++++++++++++++++++++++++++++++++--- 4 files changed, 97 insertions(+), 11 deletions(-) diff --git a/cyassl/internal.h b/cyassl/internal.h index c7e4d431a..104a9c1cd 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1187,8 +1187,13 @@ typedef struct EllipticCurve { CYASSL_LOCAL int TLSX_UseEllipticCurve(TLSX** extensions, word16 name); +#ifndef NO_CYASSL_SERVER +CYASSL_LOCAL int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, + byte second); #endif +#endif /* HAVE_ELLIPTIC_CURVES */ + #endif /* HAVE_TLS_EXTENSIONS */ /* CyaSSL context type */ diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 8acebf25e..aa7056246 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -1245,12 +1245,12 @@ CYASSL_API int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx); #ifdef HAVE_ELLIPTIC_CURVES enum { - CYASSL_ECC_SECP160R1 = 16, - CYASSL_ECC_SECP192R1 = 19, - CYASSL_ECC_SECP224R1 = 21, - CYASSL_ECC_SECP256R1 = 23, - CYASSL_ECC_SECP384R1 = 24, - CYASSL_ECC_SECP521R1 = 25 + CYASSL_ECC_SECP160R1 = 0x10, + CYASSL_ECC_SECP192R1 = 0x13, + CYASSL_ECC_SECP224R1 = 0x15, + CYASSL_ECC_SECP256R1 = 0x17, + CYASSL_ECC_SECP384R1 = 0x18, + CYASSL_ECC_SECP521R1 = 0x19 }; #ifndef NO_CYASSL_CLIENT diff --git a/src/internal.c b/src/internal.c index 7423b59a9..08f7cefa1 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9765,6 +9765,13 @@ static void PickHashSigAlgo(CYASSL* ssl, } } +#ifdef HAVE_ELLIPTIC_CURVES + if (!TLSX_ValidateEllipticCurves(ssl, first, second)) { + CYASSL_MSG("Don't have matching curves"); + return 0; + } +#endif + /* ECCDHE is always supported if ECC on */ return 1; diff --git a/src/tls.c b/src/tls.c index f96bc1035..1a59e6386 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1272,6 +1272,73 @@ static int TLSX_EllipticCurve_Parse(CYASSL* ssl, byte* input, word16 length, return 0; } +int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second) { + TLSX* extension = (first == ECC_BYTE) + ? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES) + : NULL; + EllipticCurve* curve = NULL; + word32 oid = 0; + word16 octets = 0; /* acording to 'ecc_set_type ecc_sets[];' */ + + if (!extension) + return 1; /* no suite restriction */ + + for (curve = extension->data; curve; curve = curve->next) { + switch (curve->name) { + case CYASSL_ECC_SECP160R1: oid = ECC_160R1; octets = 20; break; + case CYASSL_ECC_SECP192R1: oid = ECC_192R1; octets = 24; break; + case CYASSL_ECC_SECP224R1: oid = ECC_224R1; octets = 28; break; + case CYASSL_ECC_SECP256R1: oid = ECC_256R1; octets = 32; break; + case CYASSL_ECC_SECP384R1: oid = ECC_384R1; octets = 48; break; + case CYASSL_ECC_SECP521R1: oid = ECC_521R1; octets = 66; break; + } + } + + /* ECDSA */ + switch (second) { + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: + case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: + case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: + case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: + if (ssl->pkCurveOID != oid) + return 0; + } + + switch (second) { + /* ECDHE */ +#ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: + case TLS_ECDHE_RSA_WITH_RC4_128_SHA: + case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: +#endif + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: + case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: + if (ssl->eccTempKeySz != octets) + return 0; + + /* ECDH */ + default: + ; /* not sure how to check yet... */ + } + + return 1; +} + #endif /* NO_CYASSL_SERVER */ int TLSX_UseEllipticCurve(TLSX** extensions, word16 name) @@ -1283,11 +1350,18 @@ int TLSX_UseEllipticCurve(TLSX** extensions, word16 name) if (extensions == NULL) return BAD_FUNC_ARG; - if ( name != CYASSL_ECC_SECP160R1 && - name != CYASSL_ECC_SECP192R1 && - name != CYASSL_ECC_SECP224R1 && - (name < CYASSL_ECC_SECP256R1 || name > CYASSL_ECC_SECP521R1)) - return BAD_FUNC_ARG; + switch (name) { + case CYASSL_ECC_SECP160R1: + case CYASSL_ECC_SECP192R1: + case CYASSL_ECC_SECP224R1: + case CYASSL_ECC_SECP256R1: + case CYASSL_ECC_SECP384R1: + case CYASSL_ECC_SECP521R1: + break; + + default: + return BAD_FUNC_ARG; + } if ((ret = TLSX_EllipticCurve_Append(&curve, name)) != 0) return ret; From 30e2b4aa114d0e621b4a8a945bf44da9d13f5bd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Tue, 28 Jan 2014 16:53:59 -0300 Subject: [PATCH 10/14] writing curves in the right order. (reverse) improved curve validation. --- src/tls.c | 132 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 81 insertions(+), 51 deletions(-) diff --git a/src/tls.c b/src/tls.c index 1a59e6386..00c229473 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1222,21 +1222,27 @@ static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list) return length; } +static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output); +static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output) +{ + word16 offset = 0; + + if (!curve) + return offset; + + offset = TLSX_EllipticCurve_WriteR(curve->next, output); + c16toa(curve->name, output + offset); + + return OPAQUE16_LEN + offset; +} + static word16 TLSX_EllipticCurve_Write(EllipticCurve* list, byte* output) { - EllipticCurve* curve; - word16 offset = OPAQUE16_LEN; /* list length offset */ + word16 length = TLSX_EllipticCurve_WriteR(list, output + OPAQUE16_LEN); - while ((curve = list)) { - list = curve->next; + c16toa(length, output); /* writing list length */ - c16toa(curve->name, output + offset); /* curve name */ - offset += OPAQUE16_LEN; - } - - c16toa(offset - OPAQUE16_LEN, output); /* writing list length */ - - return offset; + return OPAQUE16_LEN + length; } #endif /* NO_CYASSL_CLIENT */ @@ -1279,11 +1285,14 @@ int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second) { EllipticCurve* curve = NULL; word32 oid = 0; word16 octets = 0; /* acording to 'ecc_set_type ecc_sets[];' */ + int sig = 0; /* valitade signature */ + int key = 0; /* validate key */ if (!extension) return 1; /* no suite restriction */ - for (curve = extension->data; curve; curve = curve->next) { + for (curve = extension->data; curve && !(sig && key); curve = curve->next) { + switch (curve->name) { case CYASSL_ECC_SECP160R1: oid = ECC_160R1; octets = 20; break; case CYASSL_ECC_SECP192R1: oid = ECC_192R1; octets = 24; break; @@ -1292,51 +1301,72 @@ int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second) { case CYASSL_ECC_SECP384R1: oid = ECC_384R1; octets = 48; break; case CYASSL_ECC_SECP521R1: oid = ECC_521R1; octets = 66; break; } - } - /* ECDSA */ - switch (second) { - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: - case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: - case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - if (ssl->pkCurveOID != oid) - return 0; - } + switch (second) { +#ifndef NO_DSA + /* ECDHE_ECDSA */ + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: + case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: + case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: + sig |= ssl->pkCurveOID == oid; + key |= ssl->eccTempKeySz == octets; + break; - switch (second) { - /* ECDHE */ -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: + /* ECDH_ECDSA */ + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: + case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: + case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: + sig |= ssl->pkCurveOID == oid; + key |= ssl->pkCurveOID == oid; + break; #endif - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - if (ssl->eccTempKeySz != octets) - return 0; +#ifndef NO_RSA + /* ECDHE_RSA */ + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: + case TLS_ECDHE_RSA_WITH_RC4_128_SHA: + case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: + sig = 1; + key |= ssl->eccTempKeySz == octets; + break; - /* ECDH */ - default: - ; /* not sure how to check yet... */ + /* ECDH_RSA */ + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: + case TLS_ECDH_RSA_WITH_RC4_128_SHA: + case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: + sig = 1; + key |= ssl->pkCurveOID == oid; + break; +#endif + default: + sig = 1; + key = 1; + break; + } } - return 1; + return sig && key; } #endif /* NO_CYASSL_SERVER */ From 5616450a4bbc9320ad51d2005cc967a2d146bad7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Thu, 30 Jan 2014 16:59:29 -0300 Subject: [PATCH 11/14] fixed return codes added protection for missing HAVE_TLS_EXTENSIONS --- IDE/MDK5-ARM/Projects/CyaSSL-Full/client.c | 3 +- IDE/MDK5-ARM/Projects/CyaSSL-Full/server.c | 2 +- IDE/MDK5-ARM/Projects/SimpleClient/client.c | 3 +- IDE/MDK5-ARM/Projects/SimpleServer/server.c | 2 +- examples/client/client.c | 7 +- examples/server/server.c | 2 +- src/tls.c | 21 ++++-- tests/api.c | 74 ++++++++++----------- 8 files changed, 62 insertions(+), 52 deletions(-) diff --git a/IDE/MDK5-ARM/Projects/CyaSSL-Full/client.c b/IDE/MDK5-ARM/Projects/CyaSSL-Full/client.c index 2fd81fe2a..608a32457 100644 --- a/IDE/MDK5-ARM/Projects/CyaSSL-Full/client.c +++ b/IDE/MDK5-ARM/Projects/CyaSSL-Full/client.c @@ -469,7 +469,8 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) #ifdef HAVE_SNI if (sniHostName) - if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName))) + if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)) + != SSL_SUCCESS) err_sys("UseSNI failed"); #endif diff --git a/IDE/MDK5-ARM/Projects/CyaSSL-Full/server.c b/IDE/MDK5-ARM/Projects/CyaSSL-Full/server.c index 88a6064b4..aeecd62fb 100644 --- a/IDE/MDK5-ARM/Projects/CyaSSL-Full/server.c +++ b/IDE/MDK5-ARM/Projects/CyaSSL-Full/server.c @@ -419,7 +419,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef HAVE_SNI if (sniHostName) { if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName, - XSTRLEN(sniHostName))) + XSTRLEN(sniHostName)) != SSL_SUCCESS) err_sys("UseSNI failed"); else CyaSSL_CTX_SNI_SetOptions(ctx, CYASSL_SNI_HOST_NAME, diff --git a/IDE/MDK5-ARM/Projects/SimpleClient/client.c b/IDE/MDK5-ARM/Projects/SimpleClient/client.c index 07cf20bea..e6f6a56e3 100644 --- a/IDE/MDK5-ARM/Projects/SimpleClient/client.c +++ b/IDE/MDK5-ARM/Projects/SimpleClient/client.c @@ -471,7 +471,8 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) #ifdef HAVE_SNI if (sniHostName) - if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName))) + if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)) + != SSL_SUCCESS) err_sys("UseSNI failed"); #endif diff --git a/IDE/MDK5-ARM/Projects/SimpleServer/server.c b/IDE/MDK5-ARM/Projects/SimpleServer/server.c index de53738e8..ecc9b510b 100644 --- a/IDE/MDK5-ARM/Projects/SimpleServer/server.c +++ b/IDE/MDK5-ARM/Projects/SimpleServer/server.c @@ -418,7 +418,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef HAVE_SNI if (sniHostName) { if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName, - XSTRLEN(sniHostName))) + XSTRLEN(sniHostName)) != SSL_SUCCESS) err_sys("UseSNI failed"); else CyaSSL_CTX_SNI_SetOptions(ctx, CYASSL_SNI_HOST_NAME, diff --git a/examples/client/client.c b/examples/client/client.c index ff0e9848f..ac6f935a8 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -550,17 +550,18 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) #ifdef HAVE_SNI if (sniHostName) - if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName))) + if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)) + != SSL_SUCCESS) err_sys("UseSNI failed"); #endif #ifdef HAVE_MAX_FRAGMENT if (maxFragment) - if (CyaSSL_CTX_UseMaxFragment(ctx, maxFragment)) + if (CyaSSL_CTX_UseMaxFragment(ctx, maxFragment) != SSL_SUCCESS) err_sys("UseMaxFragment failed"); #endif #ifdef HAVE_TRUNCATED_HMAC if (truncatedHMAC) - if (CyaSSL_CTX_UseTruncatedHMAC(ctx)) + if (CyaSSL_CTX_UseTruncatedHMAC(ctx) != SSL_SUCCESS) err_sys("UseTruncatedHMAC failed"); #endif diff --git a/examples/server/server.c b/examples/server/server.c index 365418d5d..f99be0aa2 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -443,7 +443,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef HAVE_SNI if (sniHostName) if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName, - XSTRLEN(sniHostName))) + XSTRLEN(sniHostName)) != SSL_SUCCESS) err_sys("UseSNI failed"); #endif diff --git a/src/tls.c b/src/tls.c index 00c229473..872016460 100644 --- a/src/tls.c +++ b/src/tls.c @@ -776,7 +776,7 @@ static int TLSX_SNI_Parse(CYASSL* ssl, byte* input, word16 length, int r = TLSX_UseSNI(&ssl->extensions, type, input + offset, size); - if (r) return r; /* throw error */ + if (r != SSL_SUCCESS) return r; /* throw error */ TLSX_SNI_SetStatus(ssl->extensions, type, matched ? CYASSL_SNI_REAL_MATCH : CYASSL_SNI_FAKE_MATCH); @@ -842,7 +842,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) } } while ((sni = sni->next)); - return 0; + return SSL_SUCCESS; } #ifndef NO_CYASSL_SERVER @@ -1047,7 +1047,7 @@ static int TLSX_MFL_Parse(CYASSL* ssl, byte* input, word16 length, if (isRequest) { int r = TLSX_UseMaxFragment(&ssl->extensions, *input); - if (r) return r; /* throw error */ + if (r != SSL_SUCCESS) return r; /* throw error */ TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH); } @@ -1097,7 +1097,7 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl) } } while ((extension = extension->next)); - return 0; + return SSL_SUCCESS; } @@ -1128,7 +1128,7 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) if ((ret = TLSX_Append(extensions, TRUNCATED_HMAC)) != 0) return ret; - return 0; + return SSL_SUCCESS; } static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length, @@ -1141,7 +1141,7 @@ static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length, if (isRequest) { int r = TLSX_UseTruncatedHMAC(&ssl->extensions); - if (r) return r; /* throw error */ + if (r != SSL_SUCCESS) return r; /* throw error */ TLSX_SetResponse(ssl, TRUNCATED_HMAC); } @@ -1428,7 +1428,7 @@ int TLSX_UseEllipticCurve(TLSX** extensions, word16 name) } } while ((curve = curve->next)); - return 0; + return SSL_SUCCESS; } #define EC_FREE_ALL TLSX_EllipticCurve_FreeAll @@ -1785,6 +1785,13 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest, #undef IS_OFF #undef TURN_ON +#elif defined(HAVE_SNI) \ + || defined(HAVE_MAX_FRAGMENT) \ + || defined(HAVE_TRUNCATED_HMAC) \ + || defined(HAVE_ELLIPTIC_CURVES) + +#error "Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined." + #endif /* HAVE_TLS_EXTENSIONS */ diff --git a/tests/api.c b/tests/api.c index 176b08abf..9de246eb0 100644 --- a/tests/api.c +++ b/tests/api.c @@ -248,7 +248,7 @@ static void use_SNI_at_ctx(CYASSL_CTX* ctx) byte type = CYASSL_SNI_HOST_NAME; char name[] = "www.yassl.com"; - AssertIntEQ(0, CyaSSL_CTX_UseSNI(ctx, type, (void *) name, XSTRLEN(name))); + AssertIntEQ(1, CyaSSL_CTX_UseSNI(ctx, type, (void *) name, XSTRLEN(name))); } static void use_SNI_at_ssl(CYASSL* ssl) @@ -256,7 +256,7 @@ static void use_SNI_at_ssl(CYASSL* ssl) byte type = CYASSL_SNI_HOST_NAME; char name[] = "www.yassl.com"; - AssertIntEQ(0, CyaSSL_UseSNI(ssl, type, (void *) name, XSTRLEN(name))); + AssertIntEQ(1, CyaSSL_UseSNI(ssl, type, (void *) name, XSTRLEN(name))); } static void different_SNI_at_ssl(CYASSL* ssl) @@ -264,7 +264,7 @@ static void different_SNI_at_ssl(CYASSL* ssl) byte type = CYASSL_SNI_HOST_NAME; char name[] = "ww2.yassl.com"; - AssertIntEQ(0, CyaSSL_UseSNI(ssl, type, (void *) name, XSTRLEN(name))); + AssertIntEQ(1, CyaSSL_UseSNI(ssl, type, (void *) name, XSTRLEN(name))); } static void use_SNI_WITH_CONTINUE_at_ssl(CYASSL* ssl) @@ -431,16 +431,16 @@ void test_CyaSSL_UseSNI(void) AssertNotNull(ssl); /* error cases */ - AssertIntNE(0, CyaSSL_CTX_UseSNI(NULL, 0, (void *) "ctx", XSTRLEN("ctx"))); - AssertIntNE(0, CyaSSL_UseSNI( NULL, 0, (void *) "ssl", XSTRLEN("ssl"))); - AssertIntNE(0, CyaSSL_CTX_UseSNI(ctx, -1, (void *) "ctx", XSTRLEN("ctx"))); - AssertIntNE(0, CyaSSL_UseSNI( ssl, -1, (void *) "ssl", XSTRLEN("ssl"))); - AssertIntNE(0, CyaSSL_CTX_UseSNI(ctx, 0, (void *) NULL, XSTRLEN("ctx"))); - AssertIntNE(0, CyaSSL_UseSNI( ssl, 0, (void *) NULL, XSTRLEN("ssl"))); + AssertIntNE(1, CyaSSL_CTX_UseSNI(NULL, 0, (void *) "ctx", XSTRLEN("ctx"))); + AssertIntNE(1, CyaSSL_UseSNI( NULL, 0, (void *) "ssl", XSTRLEN("ssl"))); + AssertIntNE(1, CyaSSL_CTX_UseSNI(ctx, -1, (void *) "ctx", XSTRLEN("ctx"))); + AssertIntNE(1, CyaSSL_UseSNI( ssl, -1, (void *) "ssl", XSTRLEN("ssl"))); + AssertIntNE(1, CyaSSL_CTX_UseSNI(ctx, 0, (void *) NULL, XSTRLEN("ctx"))); + AssertIntNE(1, CyaSSL_UseSNI( ssl, 0, (void *) NULL, XSTRLEN("ssl"))); /* success case */ - AssertIntEQ(0, CyaSSL_CTX_UseSNI(ctx, 0, (void *) "ctx", XSTRLEN("ctx"))); - AssertIntEQ(0, CyaSSL_UseSNI( ssl, 0, (void *) "ssl", XSTRLEN("ssl"))); + AssertIntEQ(1, CyaSSL_CTX_UseSNI(ctx, 0, (void *) "ctx", XSTRLEN("ctx"))); + AssertIntEQ(1, CyaSSL_UseSNI( ssl, 0, (void *) "ssl", XSTRLEN("ssl"))); CyaSSL_free(ssl); CyaSSL_CTX_free(ctx); @@ -496,24 +496,24 @@ static void test_CyaSSL_UseMaxFragment(void) AssertNotNull(ssl); /* error cases */ - AssertIntNE(0, CyaSSL_CTX_UseMaxFragment(NULL, CYASSL_MFL_2_9)); - AssertIntNE(0, CyaSSL_UseMaxFragment( NULL, CYASSL_MFL_2_9)); - AssertIntNE(0, CyaSSL_CTX_UseMaxFragment(ctx, 0)); - AssertIntNE(0, CyaSSL_CTX_UseMaxFragment(ctx, 6)); - AssertIntNE(0, CyaSSL_UseMaxFragment(ssl, 0)); - AssertIntNE(0, CyaSSL_UseMaxFragment(ssl, 6)); + AssertIntNE(1, CyaSSL_CTX_UseMaxFragment(NULL, CYASSL_MFL_2_9)); + AssertIntNE(1, CyaSSL_UseMaxFragment( NULL, CYASSL_MFL_2_9)); + AssertIntNE(1, CyaSSL_CTX_UseMaxFragment(ctx, 0)); + AssertIntNE(1, CyaSSL_CTX_UseMaxFragment(ctx, 6)); + AssertIntNE(1, CyaSSL_UseMaxFragment(ssl, 0)); + AssertIntNE(1, CyaSSL_UseMaxFragment(ssl, 6)); /* success case */ - AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_9)); - AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_10)); - AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_11)); - AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_12)); - AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_13)); - AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_9)); - AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_10)); - AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_11)); - AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_12)); - AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_13)); + AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_9)); + AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_10)); + AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_11)); + AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_12)); + AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_13)); + AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_9)); + AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_10)); + AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_11)); + AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_12)); + AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_13)); CyaSSL_free(ssl); CyaSSL_CTX_free(ctx); @@ -530,12 +530,12 @@ static void test_CyaSSL_UseTruncatedHMAC(void) AssertNotNull(ssl); /* error cases */ - AssertIntNE(0, CyaSSL_CTX_UseTruncatedHMAC(NULL)); - AssertIntNE(0, CyaSSL_UseTruncatedHMAC(NULL)); + AssertIntNE(1, CyaSSL_CTX_UseTruncatedHMAC(NULL)); + AssertIntNE(1, CyaSSL_UseTruncatedHMAC(NULL)); /* success case */ - AssertIntEQ(0, CyaSSL_CTX_UseTruncatedHMAC(ctx)); - AssertIntEQ(0, CyaSSL_UseTruncatedHMAC(ssl)); + AssertIntEQ(1, CyaSSL_CTX_UseTruncatedHMAC(ctx)); + AssertIntEQ(1, CyaSSL_UseTruncatedHMAC(ssl)); CyaSSL_free(ssl); CyaSSL_CTX_free(ctx); @@ -553,15 +553,15 @@ static void test_CyaSSL_UseEllipticCurve(void) #ifndef NO_CYASSL_CLIENT /* error cases */ - AssertIntNE(0, CyaSSL_CTX_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); - AssertIntNE(0, CyaSSL_CTX_UseEllipticCurve(ctx, 0)); + AssertIntNE(1, CyaSSL_CTX_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); + AssertIntNE(1, CyaSSL_CTX_UseEllipticCurve(ctx, 0)); - AssertIntNE(0, CyaSSL_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); - AssertIntNE(0, CyaSSL_UseEllipticCurve(ssl, 0)); + AssertIntNE(1, CyaSSL_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); + AssertIntNE(1, CyaSSL_UseEllipticCurve(ssl, 0)); /* success case */ - AssertIntEQ(0, CyaSSL_CTX_UseEllipticCurve(ctx, CYASSL_ECC_SECP160R1)); - AssertIntEQ(0, CyaSSL_UseEllipticCurve(ssl, CYASSL_ECC_SECP160R1)); + AssertIntEQ(1, CyaSSL_CTX_UseEllipticCurve(ctx, CYASSL_ECC_SECP160R1)); + AssertIntEQ(1, CyaSSL_UseEllipticCurve(ssl, CYASSL_ECC_SECP160R1)); #endif CyaSSL_free(ssl); From c14bc1a45c09a38eda7fd64934bd3606674ce5ff Mon Sep 17 00:00:00 2001 From: toddouska Date: Sat, 1 Feb 2014 11:37:08 -0800 Subject: [PATCH 12/14] fix ecc w/o openssl extra --- cyassl/ctaocrypt/asn.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 90ba8c7a1..a609a1693 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -343,10 +343,10 @@ struct DecodedCert { word32 extAuthKeyIdSz; byte* extSubjKeyIdSrc; word32 extSubjKeyIdSz; - #ifdef HAVE_ECC - word32 pkCurveOID; /* Public Key's curve OID */ - #endif /* HAVE_ECC */ #endif +#ifdef HAVE_ECC + word32 pkCurveOID; /* Public Key's curve OID */ +#endif /* HAVE_ECC */ byte* beforeDate; int beforeDateLen; byte* afterDate; From 51b3b1cb6cf35dedccd0311289d43aa8c628648d Mon Sep 17 00:00:00 2001 From: toddouska Date: Sat, 1 Feb 2014 12:14:41 -0800 Subject: [PATCH 13/14] fix pkCurveOID c files, doesn't require openssl extra --- ctaocrypt/src/asn.c | 6 +++--- src/internal.c | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index fa4552e9f..410c91e48 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -1323,10 +1323,10 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->extAuthKeyIdSz = 0; cert->extSubjKeyIdSrc = NULL; cert->extSubjKeyIdSz = 0; - #ifdef HAVE_ECC - cert->pkCurveOID = 0; - #endif /* HAVE_ECC */ #endif /* OPENSSL_EXTRA */ +#ifdef HAVE_ECC + cert->pkCurveOID = 0; +#endif /* HAVE_ECC */ #ifdef CYASSL_SEP cert->deviceTypeSz = 0; cert->deviceType = NULL; diff --git a/src/internal.c b/src/internal.c index 08f7cefa1..d797d75cc 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1282,6 +1282,9 @@ void InitX509(CYASSL_X509* x509, int dynamicFlag) x509->altNamesNext = NULL; x509->dynamicMemory = (byte)dynamicFlag; x509->isCa = 0; +#ifdef HAVE_ECC + x509->pkCurveOID = 0; +#endif /* HAVE_ECC */ #ifdef OPENSSL_EXTRA x509->pathLength = 0; x509->basicConstSet = 0; @@ -1300,9 +1303,6 @@ void InitX509(CYASSL_X509* x509, int dynamicFlag) x509->keyUsageSet = 0; x509->keyUsageCrit = 0; x509->keyUsage = 0; - #ifdef HAVE_ECC - x509->pkCurveOID = 0; - #endif /* HAVE_ECC */ #ifdef CYASSL_SEP x509->certPolicySet = 0; x509->certPolicyCrit = 0; @@ -3225,14 +3225,14 @@ int CopyDecodedToX509(CYASSL_X509* x509, DecodedCert* dCert) } x509->keyUsageSet = dCert->extKeyUsageSet; x509->keyUsageCrit = dCert->extKeyUsageCrit; - #ifdef HAVE_ECC - x509->pkCurveOID = dCert->pkCurveOID; - #endif /* HAVE_ECC */ #ifdef CYASSL_SEP x509->certPolicySet = dCert->extCertPolicySet; x509->certPolicyCrit = dCert->extCertPolicyCrit; #endif /* CYASSL_SEP */ #endif /* OPENSSL_EXTRA */ +#ifdef HAVE_ECC + x509->pkCurveOID = dCert->pkCurveOID; +#endif /* HAVE_ECC */ return ret; } From 36b5bf0df1096b1c6c29530616026cccfcf92d15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 3 Feb 2014 16:11:57 -0300 Subject: [PATCH 14/14] Renaming Elliptic Curves to Supported Curves for better extension representation and avoid confusion. --- configure.ac | 20 ++++++++++---------- cyassl/internal.h | 6 +++--- cyassl/ssl.h | 8 ++++---- src/internal.c | 2 +- src/ssl.c | 12 ++++++------ src/tls.c | 10 +++++----- tests/api.c | 30 +++++++++++++++--------------- 7 files changed, 44 insertions(+), 44 deletions(-) diff --git a/configure.ac b/configure.ac index 36c82960d..a558b69f9 100644 --- a/configure.ac +++ b/configure.ac @@ -1226,16 +1226,16 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_RENEGOTIATION_INDICATION" fi -# Elliptic Curves Extensions -AC_ARG_ENABLE([ellipticcurves], - [ --enable-ellipticcurves Enable Elliptic Curves (default: disabled)], - [ ENABLED_ELLIPTIC_CURVES=$enableval ], - [ ENABLED_ELLIPTIC_CURVES=no ] +# Supported Elliptic Curves Extensions +AC_ARG_ENABLE([supportedcurves], + [ --enable-supportedcurves Enable Supported Elliptic Curves (default: disabled)], + [ ENABLED_SUPPORTED_CURVES=$enableval ], + [ ENABLED_SUPPORTED_CURVES=no ] ) -if test "x$ENABLED_ELLIPTIC_CURVES" = "xyes" +if test "x$ENABLED_SUPPORTED_CURVES" = "xyes" then - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ELLIPTIC_CURVES" + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES" fi # TLS Extensions @@ -1251,8 +1251,8 @@ then ENABLED_MAX_FRAGMENT=yes ENABLED_TRUNCATED_HMAC=yes ENABLED_RENEGOTIATION_INDICATION=yes - ENABLED_ELLIPTIC_CURVES=yes - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_RENEGOTIATION_INDICATION -DHAVE_ELLIPTIC_CURVES" + ENABLED_SUPPORTED_CURVES=yes + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_RENEGOTIATION_INDICATION -DHAVE_SUPPORTED_CURVES" fi # PKCS7 @@ -1689,7 +1689,7 @@ echo " * SNI: $ENABLED_SNI" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" -echo " * Elliptic Curves: $ENABLED_ELLIPTIC_CURVES" +echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" echo " * All TLS Extensions: $ENABLED_TLSX" echo " * PKCS#7 $ENABLED_PKCS7" echo " * wolfSCEP $ENABLED_WOLFSCEP" diff --git a/cyassl/internal.h b/cyassl/internal.h index 104a9c1cd..f31591853 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1177,7 +1177,7 @@ CYASSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES typedef struct EllipticCurve { word16 name; /* CurveNames */ @@ -1185,14 +1185,14 @@ typedef struct EllipticCurve { } EllipticCurve; -CYASSL_LOCAL int TLSX_UseEllipticCurve(TLSX** extensions, word16 name); +CYASSL_LOCAL int TLSX_UseSupportedCurve(TLSX** extensions, word16 name); #ifndef NO_CYASSL_SERVER CYASSL_LOCAL int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second); #endif -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ #endif /* HAVE_TLS_EXTENSIONS */ diff --git a/cyassl/ssl.h b/cyassl/ssl.h index aa7056246..9013e5345 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -1242,7 +1242,7 @@ CYASSL_API int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx); #endif /* HAVE_TRUNCATED_HMAC */ /* Elliptic Curves */ -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES enum { CYASSL_ECC_SECP160R1 = 0x10, @@ -1255,12 +1255,12 @@ enum { #ifndef NO_CYASSL_CLIENT -CYASSL_API int CyaSSL_UseEllipticCurve(CYASSL* ssl, unsigned short name); -CYASSL_API int CyaSSL_CTX_UseEllipticCurve(CYASSL_CTX* ctx, +CYASSL_API int CyaSSL_UseSupportedCurve(CYASSL* ssl, unsigned short name); +CYASSL_API int CyaSSL_CTX_UseSupportedCurve(CYASSL_CTX* ctx, unsigned short name); #endif /* NO_CYASSL_CLIENT */ -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ #define CYASSL_CRL_MONITOR 0x01 /* monitor this dir flag */ diff --git a/src/internal.c b/src/internal.c index d797d75cc..e56d49d37 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9765,7 +9765,7 @@ static void PickHashSigAlgo(CYASSL* ssl, } } -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES if (!TLSX_ValidateEllipticCurves(ssl, first, second)) { CYASSL_MSG("Don't have matching curves"); return 0; diff --git a/src/ssl.c b/src/ssl.c index 902ebd042..55a3488a7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -623,27 +623,27 @@ int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx) #endif /* HAVE_TRUNCATED_HMAC */ /* Elliptic Curves */ -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES #ifndef NO_CYASSL_CLIENT -int CyaSSL_UseEllipticCurve(CYASSL* ssl, word16 name) +int CyaSSL_UseSupportedCurve(CYASSL* ssl, word16 name) { if (ssl == NULL) return BAD_FUNC_ARG; - return TLSX_UseEllipticCurve(&ssl->extensions, name); + return TLSX_UseSupportedCurve(&ssl->extensions, name); } -int CyaSSL_CTX_UseEllipticCurve(CYASSL_CTX* ctx, word16 name) +int CyaSSL_CTX_UseSupportedCurve(CYASSL_CTX* ctx, word16 name) { if (ctx == NULL) return BAD_FUNC_ARG; - return TLSX_UseEllipticCurve(&ctx->extensions, name); + return TLSX_UseSupportedCurve(&ctx->extensions, name); } #endif /* NO_CYASSL_CLIENT */ -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ #ifndef CYASSL_LEANPSK diff --git a/src/tls.c b/src/tls.c index 872016460..f4445fb7b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1160,7 +1160,7 @@ static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length, #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES #ifndef HAVE_ECC #error "Elliptic Curves Extension requires Elliptic Curve Cryptography. \ @@ -1270,7 +1270,7 @@ static int TLSX_EllipticCurve_Parse(CYASSL* ssl, byte* input, word16 length, ato16(input + offset, &name); offset -= OPAQUE16_LEN; - r = TLSX_UseEllipticCurve(&ssl->extensions, name); + r = TLSX_UseSupportedCurve(&ssl->extensions, name); if (r) return r; /* throw error */ } @@ -1371,7 +1371,7 @@ int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second) { #endif /* NO_CYASSL_SERVER */ -int TLSX_UseEllipticCurve(TLSX** extensions, word16 name) +int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) { TLSX* extension = NULL; EllipticCurve* curve = NULL; @@ -1456,7 +1456,7 @@ int TLSX_UseEllipticCurve(TLSX** extensions, word16 name) #define EC_PARSE(a, b, c, d) 0 #define EC_VALIDATE_REQUEST(a, b) -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ TLSX* TLSX_Find(TLSX* list, TLSX_Type type) { @@ -1788,7 +1788,7 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest, #elif defined(HAVE_SNI) \ || defined(HAVE_MAX_FRAGMENT) \ || defined(HAVE_TRUNCATED_HMAC) \ - || defined(HAVE_ELLIPTIC_CURVES) + || defined(HAVE_SUPPORTED_CURVES) #error "Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined." diff --git a/tests/api.c b/tests/api.c index 9de246eb0..94a232f06 100644 --- a/tests/api.c +++ b/tests/api.c @@ -56,9 +56,9 @@ static void test_CyaSSL_UseMaxFragment(void); #ifdef HAVE_TRUNCATED_HMAC static void test_CyaSSL_UseTruncatedHMAC(void); #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES -static void test_CyaSSL_UseEllipticCurve(void); -#endif /* HAVE_ELLIPTIC_CURVES */ +#ifdef HAVE_SUPPORTED_CURVES +static void test_CyaSSL_UseSupportedCurve(void); +#endif /* HAVE_SUPPORTED_CURVES */ /* test function helpers */ static int test_method(CYASSL_METHOD *method, const char *name); @@ -119,9 +119,9 @@ int ApiTest(void) #ifdef HAVE_TRUNCATED_HMAC test_CyaSSL_UseTruncatedHMAC(); #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES - test_CyaSSL_UseEllipticCurve(); -#endif /* HAVE_ELLIPTIC_CURVES */ +#ifdef HAVE_SUPPORTED_CURVES + test_CyaSSL_UseSupportedCurve(); +#endif /* HAVE_SUPPORTED_CURVES */ test_CyaSSL_Cleanup(); printf(" End API Tests\n"); @@ -542,8 +542,8 @@ static void test_CyaSSL_UseTruncatedHMAC(void) } #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES -static void test_CyaSSL_UseEllipticCurve(void) +#ifdef HAVE_SUPPORTED_CURVES +static void test_CyaSSL_UseSupportedCurve(void) { CYASSL_CTX *ctx = CyaSSL_CTX_new(CyaSSLv23_client_method()); CYASSL *ssl = CyaSSL_new(ctx); @@ -553,21 +553,21 @@ static void test_CyaSSL_UseEllipticCurve(void) #ifndef NO_CYASSL_CLIENT /* error cases */ - AssertIntNE(1, CyaSSL_CTX_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); - AssertIntNE(1, CyaSSL_CTX_UseEllipticCurve(ctx, 0)); + AssertIntNE(1, CyaSSL_CTX_UseSupportedCurve(NULL, CYASSL_ECC_SECP160R1)); + AssertIntNE(1, CyaSSL_CTX_UseSupportedCurve(ctx, 0)); - AssertIntNE(1, CyaSSL_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); - AssertIntNE(1, CyaSSL_UseEllipticCurve(ssl, 0)); + AssertIntNE(1, CyaSSL_UseSupportedCurve(NULL, CYASSL_ECC_SECP160R1)); + AssertIntNE(1, CyaSSL_UseSupportedCurve(ssl, 0)); /* success case */ - AssertIntEQ(1, CyaSSL_CTX_UseEllipticCurve(ctx, CYASSL_ECC_SECP160R1)); - AssertIntEQ(1, CyaSSL_UseEllipticCurve(ssl, CYASSL_ECC_SECP160R1)); + AssertIntEQ(1, CyaSSL_CTX_UseSupportedCurve(ctx, CYASSL_ECC_SECP160R1)); + AssertIntEQ(1, CyaSSL_UseSupportedCurve(ssl, CYASSL_ECC_SECP160R1)); #endif CyaSSL_free(ssl); CyaSSL_CTX_free(ctx); } -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) /* Helper for testing CyaSSL_CTX_use_certificate_file() */