diff --git a/CMakeLists.txt b/CMakeLists.txt index 0ce88a0dca..82bd11d9e4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -182,7 +182,7 @@ find_package(Threads) # Support for disabling all ASM set(WOLFSSL_ASM_HELP_STRING "Enables option for assembly (default: enabled)") -option(WOLFSSL_ASM ${WOLFSSL_ASM_HELP_STRING} "yes") +add_option("WOLFSSL_ASM" ${WOLFSSL_ASM_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_ASM) list(APPEND WOLFSSL_DEFINITIONS @@ -192,7 +192,7 @@ endif() # Single threaded set(WOLFSSL_SINGLE_THREADED_HELP_STRING "Enable wolfSSL single threaded (default: disabled)") -option(WOLFSSL_SINGLE_THREADED ${WOLFSSL_SINGLE_THREADED_HELP_STRING} "no") +add_option("WOLFSSL_SINGLE_THREADED" ${WOLFSSL_SINGLE_THREADED_HELP_STRING} "no" "yes;no") # TODO: Logic here isn't complete, yet (see AX_PTHREAD) if(NOT WOLFSSL_SINGLE_THREADED) @@ -209,7 +209,7 @@ endif() # TLS v1.3 set(WOLFSSL_TLS13_HELP_STRING "Enable wolfSSL TLS v1.3 (default: enabled)") -option(WOLFSSL_TLS13 ${WOLFSSL_TLS13_HELP_STRING} "yes") +add_option("WOLFSSL_TLS13" ${WOLFSSL_TLS13_HELP_STRING} "yes" "yes;no") if("${FIPS_VERSION}" STREQUAL "v1") override_cache(WOLFSSL_TLS13 "no") @@ -220,7 +220,7 @@ endif() # RNG set(WOLFSSL_RNG_HELP_STRING "Enable compiling and using RNG (default: enabled)") -option(WOLFSSL_RNG ${WOLFSSL_RNG_HELP_STRING} "yes") +add_option("WOLFSSL_RNG" ${WOLFSSL_RNG_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_RNG) list(APPEND WOLFSSL_DEFINITIONS "-DWC_NO_RNG") @@ -247,7 +247,7 @@ endif() # Harden, enable Timing Resistance and Blinding by default set(WOLFSSL_HARDEN_HELP_STRING "Enable Hardened build, Enables Timing Resistance and Blinding (default: enabled)") -option(WOLFSSL_HARDEN ${WOLFSSL_HARDEN_HELP_STRING} "yes") +add_option("WOLFSSL_HARDEN" ${WOLFSSL_HARDEN_HELP_STRING} "yes" "yes;no") if(WOLFSSL_HARDEN) list(APPEND WOLFSSL_DEFINITIONS "-DTFM_TIMING_RESISTANT" "-DECC_TIMING_RESISTANT") @@ -279,7 +279,7 @@ set(WOLFSSL_SLOW_MATH "yes") # AES-CBC set(WOLFSSL_AESCBC_HELP_STRING "Enable wolfSSL AES-CBC support (default: enabled)") -option(WOLFSSL_AESCBC ${WOLFSSL_AESCBC_HELP_STRING} "yes") +add_option("WOLFSSL_AESCBC" ${WOLFSSL_AESCBC_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_AESCBC) list(APPEND WOLFSSL_DEFINITIONS "-DNO_AES_CBC") @@ -287,8 +287,7 @@ endif() # AES-GCM set(WOLFSSL_AESGCM_HELP_STRING "Enable wolfSSL AES-GCM support (default: enabled)") -set(WOLFSSL_AESGCM "yes" CACHE STRING ${WOLFSSL_AESGCM_HELP_STRING}) -set_property(CACHE WOLFSSL_AESGCM PROPERTY STRINGS "yes" "no" "table" "small" "word32") +add_option("WOLFSSL_AESGCM" ${WOLFSSL_AESGCM_HELP_STRING} "yes" "yes;no;table;small;word32") # leanpsk and leantls don't need gcm if(WOLFSSL_LEAN_PSK OR (WOLFSSL_LEAN_TLS AND NOT WOLFSSL_TLS13)) @@ -331,9 +330,37 @@ endif() # - RIPEMD # - BLAKE2 + +# SHA224 +set(SHA224_DEFAULT "no") +if(("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64") OR + ("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "aarch64")) + if(NOT WOLFSSL_AFALG AND NOT WOLFSSL_DEVCRYPTO AND + (NOT WOLFSSL_FIPS OR ("${FIPS_VERSION}" STREQUAL "v2"))) + set(SHA224_DEFAULT "yes") + endif() +endif() +set(WOLFSSL_SHA224_HELP_STRING "Enable wolfSSL SHA-224 support (default: enabled on x86_64/aarch64)") +add_option("WOLFSSL_SHA224" ${WOLFSSL_SHA224_HELP_STRING} ${SHA224_DEFAULT} "yes;no") + +# SHA3 +set(SHA3_DEFAULT "no") +if(("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64") OR + ("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "aarch64")) + if(NOT WOLFSSL_FIPS OR ("${FIPS_VERSION}" STREQUAL "v2")) + set(SHA3_DEFAULT "yes") + endif() +endif() +set(WOLFSSL_SHA3_HELP_STRING "Enable wolfSSL SHA-3 support (default: enabled on x86_64/aarch64)") +add_option("WOLFSSL_SHA3" ${WOLFSSL_SHA3_HELP_STRING} ${SHA3_DEFAULT} "yes;no;small") + +# SHAKE256 +set(WOLFSSL_SHAKE256_HELP_STRING "Enable wolfSSL SHAKE256 support (default: enabled on x86_64/aarch64)") +add_option("WOLFSSL_SHAKE256" ${WOLFSSL_SHAKE256_HELP_STRING} "no" "yes;no;small") + # SHA512 set(WOLFSSL_SHA512_HELP_STRING "Enable wolfSSL SHA-512 support (default: enabled)") -option(WOLFSSL_SHA512 ${WOLFSSL_SHA512_HELP_STRING} "yes") +add_option("WOLFSSL_SHA512" ${WOLFSSL_SHA512_HELP_STRING} "yes" "yes;no") # options that don't require sha512 if(WOLFSSL_LEAN_PSK OR @@ -356,7 +383,7 @@ endif() # SHA384 set(WOLFSSL_SHA384_HELP_STRING "Enable wolfSSL SHA-384 support (default: enabled)") -option(WOLFSSL_SHA384 ${WOLFSSL_SHA384_HELP_STRING} "yes") +add_option("WOLFSSL_SHA384" ${WOLFSSL_SHA384_HELP_STRING} "yes" "yes;no") # options that don't require sha384 if(WOLFSSL_LEAN_PSK OR @@ -387,7 +414,7 @@ endif() # HKDF set(WOLFSSL_HKDF_HELP_STRING "Enable HKDF (HMAC-KDF) support (default: disabled)") -option(WOLFSSL_HKDF ${WOLFSSL_HKDF_HELP_STRING} "no") +add_option("WOLFSSL_HKDF" ${WOLFSSL_HKDF_HELP_STRING} "no" "yes;no") if(WOLFSSL_TLS13) override_cache(WOLFSSL_HKDF "yes") @@ -401,7 +428,7 @@ endif() # DSA set(WOLFSSL_DSA_HELP_STRING "Enable DSA (default: disabled)") -option(WOLFSSL_DSA ${WOLFSSL_DSA_HELP_STRING} "no") +add_option("WOLFSSL_DSA" ${WOLFSSL_DSA_HELP_STRING} "no" "yes;no") if(NOT WOLFSSL_DSA AND NOT WOLFSSL_OPENSSH) list(APPEND WOLFSSL_DEFINITIONS "-DNO_DSA") @@ -409,12 +436,11 @@ endif() # ECC Shamir set(WOLFSSL_ECCSHAMIR_HELP_STRING "Enable ECC Shamir (default: enabled)") -option(WOLFSSL_ECCSHAMIR ${WOLFSSL_ECCSHAMIR_HELP_STRING} "yes") +add_option("WOLFSSL_ECCSHAMIR" ${WOLFSSL_ECCSHAMIR_HELP_STRING} "yes" "yes;no") # ECC set(WOLFSSL_ECC_HELP_STRING "Enable ECC (default: enabled)") -set(WOLFSSL_ECC "yes" CACHE STRING ${WOLFSSL_ECC_HELP_STRING}) -set_property(CACHE WOLFSSL_ECC PROPERTY STRINGS "yes" "no" "nonblock") +add_option("WOLFSSL_ECC" ${WOLFSSL_ECC_HELP_STRING} "yes" "yes;no;nonblock") # lean psk doesn't need ecc if(WOLFSSL_LEAN_PSK) @@ -441,18 +467,105 @@ endif() # TODO: - ECC custom curves # - Compressed key -# - CURVE25519 -# - ED25519 -# - CURVE448 -# - ED448 # - FP ECC, fixed point cache ECC # - ECC encrypt # - PSK # - Single PSK identity +# CURVE25519 +set(WOLFSSL_CURVE25519_SMALL "no") +set(WOLFSSL_CURVE25519_HELP_STRING "Enable Curve25519 (default: disabled)") +add_option("WOLFSSL_CURVE25519" ${WOLFSSL_CURVE25519_HELP_STRING} "no" "yes;no;small;no128bit") + +if(WOLFSSL_OPENSSH) + override_cache(WOLFSSL_CURVE25519 "yes") +endif() + +if(WOLFSSL_CURVE25519) + if("${WOLFSSL_CURVE25519}" STREQUAL "small" OR WOLFSSL_LOW_RESOURCE) + list(APPEND WOLFSSL_DEFINITIONS "-DCURVE25519_SMALL") + set(WOLFSSL_CURVE25519_SMALL "yes") + endif() + + if("${WOLFSSL_CURVE25519}" STREQUAL "no128bit" OR WOLFSSL_32BIT) + list(APPEND WOLFSSL_DEFINITIONS "-DNO_CURVED25519_128BIT") + endif() + + list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_CURVE25519") + set(WOLFSSL_FEMATH "yes") +endif() + +# ED25519 +set(WOLFSSL_ED25519_SMALL "no") +set(WOLFSSL_ED25519_HELP_STRING "Enable ED25519 (default: disabled)") +add_option("WOLFSSL_ED25519" ${WOLFSSL_ED25519_HELP_STRING} "no" "yes;no") + +if(WOLFSSL_OPENSSH) + override_cache(WOLFSSL_ED25519 "yes") +endif() + +if(WOLFSSL_ED25519 AND NOT WOLFSSL_32BIT) + if("${WOLFSSL_ED25519}" STREQUAL "small" OR WOLFSSL_LOW_RESOURCE) + list(APPEND WOLFSSL_DEFINITIONS "-DED25519_SMALL") + set(WOLFSSL_ED25519_SMALL "yes") + set(WOLFSSL_CURVE25519_SMALL "yes") + endif() + + if(NOT WOLFSSL_SHA512) + message(FATAL_ERROR "cannot enable ed25519 without enabling sha512.") + endif() + + set(WOLFSSL_FEMATH "yes") + set(WOLFSSL_GEMATH "yes") + list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ED25519") +endif() + +# CURVE448 +set(WOLFSSL_CURVE448_SMALL "no") +set(WOLFSSL_CURVE448_HELP_STRING "Enable Curve448 (default: disabled)") +add_option("WOLFSSL_CURVE448" ${WOLFSSL_CURVE448_HELP_STRING} "no" "yes;no;small") + +if(WOLFSSL_CURVE448) + if("${WOLFSSL_CURVE448}" STREQUAL "small" OR WOLFSSL_LOW_RESOURCE) + list(APPEND WOLFSSL_DEFINITIONS "-DCURVE448_SMALL") + set(WOLFSSL_CURVE448_SMALL "yes") + endif() + + if("${WOLFSSL_CURVE448}" STREQUAL "no128bit" OR WOLFSSL_32BIT) + list(APPEND WOLFSSL_DEFINITIONS "-DNO_CURVED448_128BIT") + endif() + + list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_CURVE448") + set(WOLFSSL_FE448 "yes") +endif() + +# ED448 +set(WOLFSSL_ED448_SMALL "no") +set(WOLFSSL_ED448_HELP_STRING "Enable ED448 (default: disabled)") +add_option("WOLFSSL_ED448" ${WOLFSSL_ED448_HELP_STRING} "no" "yes;no;small") + +if(WOLFSSL_ED448 AND NOT WOLFSSL_32BIT) + if("${WOLFSSL_ED448}" STREQUAL "small" OR WOLFSSL_LOW_RESOURCE) + list(APPEND WOLFSSL_DEFINITIONS "-DED448_SMALL") + set(WOLFSSL_ED448_SMALL "yes") + set(WOLFSSL_CURVE448_SMALL "yes") + endif() + + if(NOT WOLFSSL_SHA512) + message(FATAL_ERROR "cannot enable ed448 without enabling sha512.") + endif() + + set(WOLFSSL_FE448 "yes") + set(WOLFSSL_GE448 "yes") + list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ED448") + + # EdDSA448 requires SHAKE256 which requires SHA-3 + override_cache(WOLFSSL_SHAKE256 "yes") +endif() + # Error strings set(WOLFSSL_ERROR_STRINGS_HELP_STRING "Enable error strings table (default: enabled)") -option(WOLFSSL_ERROR_STRINGS ${WOLFSSL_ERROR_STRINGS_HELP_STRING} "yes") +add_option("WOLFSSL_ERROR_STRINGS" ${WOLFSSL_ERROR_STRINGS_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_ERROR_STRINGS) list(APPEND WOLFSSL_DEFINITIONS "-DNO_ERROR_STRINGS") @@ -466,7 +579,7 @@ endif() # Error queue set(WOLFSSL_ERROR_QUEUE_HELP_STRING "Enables adding nodes to error queue when compiled with OPENSSL_EXTRA (default: enabled)") -option(WOLFSSL_ERROR_QUEUE ${WOLFSSL_DISABLE_ERROR_QUEUE_HELP_STRING} "yes") +add_option("WOLFSSL_ERROR_QUEUE" ${WOLFSSL_ERROR_QUEUE_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_ERROR_QUEUE) list(APPEND WOLFSSL_DEFINITIONS "-DNO_ERROR_QUEUE") @@ -474,7 +587,7 @@ endif() # Old TLS set(WOLFSSL_OLD_TLS_HELP_STRING "Enable old TLS versions < 1.2 (default: enabled)") -option(WOLFSSL_OLD_TLS ${WOLFSSL_OLD_TLS_HELP_STRING} "yes") +add_option("WOLFSSL_OLD_TLS" ${WOLFSSL_OLD_TLS_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_OLD_TLS) list(APPEND WOLFSSL_DEFINITIONS "-DNO_OLD_TLS") @@ -488,7 +601,7 @@ endif() # TLSv1.2 set(WOLFSSL_TLSV12_HELP_STRING "Enable TLS versions 1.2 (default: enabled)") -option(WOLFSSL_TLSV12 ${WOLFSSL_TLSV12_HELP_STRING} "yes") +add_option("WOLFSSL_TLSV12" ${WOLFSSL_TLSV12_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_TLSV12) list(APPEND WOLFSSL_DEFINITIONS @@ -503,7 +616,7 @@ endif() # Memory set(WOLFSSL_MEMORY_HELP_STRING "Enable memory callbacks (default: enabled)") -option(WOLFSSL_MEMORY ${WOLFSSL_MEMORY_HELP_STRING} "yes") +add_option("WOLFSSL_MEMORY" ${WOLFSSL_MEMORY_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_MEMORY) list(APPEND WOLFSSL_DEFINITIONS "-DNO_WOLFSSL_MEMORY") @@ -521,7 +634,7 @@ endif() # RSA set(WOLFSSL_RSA_HELP_STRING "Enable RSA (default: enabled)") -option(WOLFSSL_RSA ${WOLFSSL_RSA_HELP_STRING} "yes") +add_option("WOLFSSL_RSA" ${WOLFSSL_RSA_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_RSA) list(APPEND WOLFSSL_DEFINITIONS "-DNO_RSA") @@ -534,7 +647,7 @@ endif() # OAEP set(WOLFSSL_OAEP_HELP_STRING "Enable RSA OAEP (default: enabled)") -option(WOLFSSL_OAEP ${WOLFSSL_OAEP_HELP_STRING} "yes") +add_option("WOLFSSL_OAEP" ${WOLFSSL_OAEP_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_OAEP) list(APPEND WOLFSSL_DEFINITIONS "-DWC_NO_RSA_OAEP") @@ -545,7 +658,7 @@ endif() # RSA-PSS set(WOLFSSL_RSA_PSS_HELP_STRING "Enable RSA-PSS (default: disabled)") -option(WOLFSSL_RSA_PSS ${WOLFSSL_RSA_PSS_HELP_STRING} "no") +add_option("WOLFSSL_RSA_PSS" ${WOLFSSL_RSA_PSS_HELP_STRING} "no" "yes;no") if(NOT WOLFSSL_RSA) override_cache(WOLFSSL_RSA_PSS "no") @@ -560,7 +673,7 @@ endif() # DH set(WOLFSSL_DH_HELP_STRING "Enable DH (default: enabled)") -option(WOLFSSL_DH ${WOLFSSL_DH_HELP_STRING} "yes") +add_option("WOLFSSL_DH" ${WOLFSSL_DH_HELP_STRING} "yes" "yes;no") if(WOLFSSL_OPENSSH) override_cache(WOLFSSL_DH "yes") @@ -581,7 +694,7 @@ endif() # turn off asn, which means no certs, no rsa, no dsa, no ecc, # and no big int (unless dh is on) set(WOLFSSL_ASN_HELP_STRING "Enable ASN (default: enabled)") -option(WOLFSSL_ASN ${WOLFSSL_ASN_HELP_STRING} "yes") +add_option("WOLFSSL_ASN" ${WOLFSSL_ASN_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_ASN) list(APPEND WOLFSSL_DEFINITIONS "-DNO_ASN" "-DNO_CERTS") @@ -626,7 +739,7 @@ endif() # AES set(WOLFSSL_AES_HELP_STRING "Enable AES (default: enabled)") -option(WOLFSSL_AES ${WOLFSSL_AES_HELP_STRING} "yes") +add_option("WOLFSSL_AES" ${WOLFSSL_AES_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_AES) list(APPEND WOLFSSL_DEFINITIONS "-DNO_AES") @@ -655,7 +768,7 @@ endif() # Coding set(WOLFSSL_CODING_HELP_STRING "Enable coding base 16/64 (default: enabled)") -option(WOLFSSL_CODING ${WOLFSSL_CODING_HELP_STRING} "yes") +add_option("WOLFSSL_CODING" ${WOLFSSL_CODING_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_CODING) list(APPEND WOLFSSL_DEFINITIONS "-DNO_CODING") @@ -674,7 +787,7 @@ if("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64") endif() set(WOLFSSL_BASE64_ENCODE_HELP_STRING "Enable Base64 encoding (default: enabled on x86_64)") -option(WOLFSSL_BASE64_ENCODE ${WOLFSSL_BASE64_ENCODE_HELP_STRING} ${BASE64_ENCODE_DEFAULT}) +add_option("WOLFSSL_BASE64_ENCODE" ${WOLFSSL_BASE64_ENCODE_HELP_STRING} ${BASE64_ENCODE_DEFAULT} "yes;no") if(WOLFSSL_BASE64_ENCODE) list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_BASE64_ENCODE") @@ -684,7 +797,7 @@ endif() # DES3 set(WOLFSSL_DES3_HELP_STRING "Enable DES3 (default: disabled)") -option(WOLFSSL_DES3 ${WOLFSSL_DES3_HELP_STRING} "no") +add_option("WOLFSSL_DES3" ${WOLFSSL_DES3_HELP_STRING} "no" "yes;no") if(WOLFSSL_OPENSSH OR WOLFSSL_QT OR @@ -697,7 +810,7 @@ endif() # ARC4 set(WOLFSSL_ARC4_HELP_STRING "Enable ARC4 (default: disabled)") -option(WOLFSSL_ARC4 ${WOLFSSL_ARC4_HELP_STRING} "no") +add_option("WOLFSSL_ARC4" ${WOLFSSL_ARC4_HELP_STRING} "no" "yes;no") if(WOLFSSL_OPENSSH OR WOLFSSL_WPAS) override_cache(WOLFSSL_ARC4 "yes") @@ -715,7 +828,7 @@ endif() # MD5 set(WOLFSSL_MD5_HELP_STRING "Enable MD5 (default: enabled)") -option(WOLFSSL_MD5 ${WOLFSSL_MD5_HELP_STRING} "yes") +add_option("WOLFSSL_MD5" ${WOLFSSL_MD5_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_MD5) list(APPEND WOLFSSL_DEFINITIONS "-DNO_MD5" "-DNO_OLD_TLS") @@ -729,7 +842,7 @@ endif() # SHA set(WOLFSSL_SHA_HELP_STRING "Enable SHA (default: enabled)") -option(WOLFSSL_SHA ${WOLFSSL_SHA_HELP_STRING} "yes") +add_option("WOLFSSL_SHA" ${WOLFSSL_SHA_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_SHA) list(APPEND WOLFSSL_DEFINITIONS "-DNO_SHA" "-DNO_OLD_TLS") @@ -748,7 +861,7 @@ endif() # HC128 set(WOLFSSL_HC128_HELP_STRING "Enable HC-128 (default: disabled)") -option(WOLFSSL_HC128 ${WOLFSSL_HC128_HELP_STRING} "no") +add_option("WOLFSSL_HC128" ${WOLFSSL_HC128_HELP_STRING} "no" "yes;no") if(NOT WOLFSSL_HC128) list(APPEND WOLFSSL_DEFINITIONS "-DNO_HC128") @@ -768,35 +881,11 @@ endif() # - Selftest # SHA224 -set(SHA224_DEFAULT "no") -if(("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64") OR - ("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "aarch64")) - if(NOT WOLFSSL_AFALG AND NOT WOLFSSL_DEVCRYPTO AND - (NOT WOLFSSL_FIPS OR ("${FIPS_VERSION}" STREQUAL "v2"))) - set(SHA224_DEFAULT "yes") - endif() -endif() - -set(WOLFSSL_SHA224_HELP_STRING "Enable wolfSSL SHA-224 support (default: enabled on x86_64/aarch64)") -option(WOLFSSL_SHA224 ${WOLFSSL_SHA224_HELP_STRING} ${SHA224_DEFAULT}) - if(WOLFSSL_SHA224) list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA224") endif() # SHA3 -set(SHA3_DEFAULT "no") -if(("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64") OR - ("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "aarch64")) - if(NOT WOLFSSL_FIPS OR ("${FIPS_VERSION}" STREQUAL "v2")) - set(SHA3_DEFAULT "yes") - endif() -endif() - -set(WOLFSSL_SHA3_HELP_STRING "Enable wolfSSL SHA-3 support (default: enabled on x86_64/aarch64)") -set(WOLFSSL_SHA3 ${SHA3_DEFAULT} CACHE STRING ${WOLFSSL_SHA3_HELP_STRING}) -set_property(CACHE WOLFSSL_SHA3 PROPERTY STRINGS "yes" "no" "small") - if("${WOLFSSL_SHA3}" STREQUAL "small") list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA3_SMALL") override_cache(WOLFSSL_SHA3 "yes") @@ -807,10 +896,6 @@ if(WOLFSSL_SHA3 AND NOT WOLFSSL_32BIT) endif() # SHAKE256 -set(WOLFSSL_SHAKE256_HELP_STRING "Enable wolfSSL SHAKE256 support (default: enabled on x86_64/aarch64)") -set(WOLFSSL_SHAKE256 "no" CACHE STRING ${WOLFSSL_SHAKE256_HELP_STRING}) -set_property(CACHE WOLFSSL_SHAKE256 PROPERTY STRINGS "yes" "no" "small") - if(NOT WOLFSSL_SHAKE256) override_cache(WOLFSSL_SHAKE256 ${WOLFSSL_SHA3}) endif() @@ -832,7 +917,7 @@ if(WOLFSSL_FIPS) endif() set(WOLFSSL_POLY1305_HELP_STRING "Enable wolfSSL POLY1305 support (default: enabled)") -option(WOLFSSL_POLY1305 ${WOLFSSL_POLY1305_HELP_STRING} ${POLY1305_DEFAULT}) +add_option("WOLFSSL_POLY1305" ${WOLFSSL_POLY1305_HELP_STRING} ${POLY1305_DEFAULT} "yes;no") # leanpsk and leantls don't need poly1305 if(WOLFSSL_LEAN_PSK OR WOLFSSL_LEAN_TLS) @@ -852,8 +937,7 @@ if(WOLFSSL_FIPS) endif() set(WOLFSSL_CHACHA_HELP_STRING "Enable CHACHA (default: enabled). Use `=noasm` to disable ASM AVX/AVX2 speedups") -set(WOLFSSL_CHACHA ${CHACHA_DEFAULT} CACHE STRING ${WOLFSSL_CHACHA_HELP_STRING}) -set_property(CACHE WOLFSSL_CHACHA PROPERTY STRINGS "yes" "no" "noasm") +add_option("WOLFSSL_CHACHA" ${WOLFSSL_CHACHA_HELP_STRING} ${CHACHA_DEFAULT} "yes;no;noasm") # leanpsk and leantls don't need chacha if(WOLFSSL_LEAN_PSK OR WOLFSSL_LEAN_TLS) @@ -872,7 +956,7 @@ endif() # Hash DRBG set(WOLFSSL_HASH_DRBG_HELP_STRING "Enable Hash DRBG support (default: enabled)") -option(WOLFSSL_HASH_DRBG ${WOLFSSL_HASH_DRBG_HELP_STRING} "yes") +add_option("WOLFSSL_HASH_DRBG" ${WOLFSSL_HASH_DRBG_HELP_STRING} "yes" "yes;no") if(WOLFSSL_HASH_DRBG) list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_HASHDRBG") @@ -894,7 +978,7 @@ else() endif() set(WOLFSSL_FILESYSTEM_HELP_STRING "Enable Filesystem support (default: enabled)") -option(WOLFSSL_FILESYSTEM ${WOLFSSL_FILESYSTEM_HELP_STRING} ${FILESYSTEM_DEFAULT}) +add_option("WOLFSSL_FILESYSTEM" ${WOLFSSL_FILESYSTEM_HELP_STRING} ${FILESYSTEM_DEFAULT} "yes;no") if(NOT WOLFSSL_FILESYSTEM) list(APPEND WOLFSSL_DEFINITIONS "-DNO_FILESYSTEM") @@ -907,7 +991,7 @@ endif() # Inline function support set(WOLFSSL_INLINE_HELP_STRING "Enable inline functions (default: enabled)") -option(WOLFSSL_INLINE ${WOLFSSL_INLINE_HELP_STRING} "yes") +add_option("WOLFSSL_INLINE" ${WOLFSSL_INLINE_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_INLINE) list(APPEND WOLFSSL_DEFINITIONS "-DNO_INLINE") @@ -933,7 +1017,7 @@ endif() # Supported elliptic curves extensions set(WOLFSSL_SUPPORTED_CURVES_HELP_STRING "Enable Supported Elliptic Curves (default: enabled)") -option(WOLFSSL_SUPPORTED_CURVES ${WOLFSSL_SUPPORTED_CURVES_HELP_STRING} "yes") +add_option("WOLFSSL_SUPPORTED_CURVES" ${WOLFSSL_SUPPORTED_CURVES_HELP_STRING} "yes" "yes;no") if(WOLFSSL_SUPPORTED_CURVES) if(NOT WOLFSSL_ECC AND NOT WOLFSSL_CURVE25519 AND NOT WOLFSSL_CURVE448) @@ -972,7 +1056,7 @@ endif() # Extended master secret extension set(WOLFSSL_EXTENDED_MASTER_HELP_STRING "Enable Extended Master Secret (default: enabled)") -option(WOLFSSL_EXTENDED_MASTER ${WOLFSSL_EXTENDED_MASTER_HELP_STRING} "yes") +add_option("WOLFSSL_EXTENDED_MASTER" ${WOLFSSL_EXTENDED_MASTER_HELP_STRING} "yes" "yes;no") if(WOLFSSL_EXTENDED_MASTER) list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_EXTENDED_MASTER") @@ -998,7 +1082,7 @@ endif() # Encrypt-then-mac set(WOLFSSL_ENC_THEN_MAC_HELP_STRING "Enable Encryptr-Then-Mac extension (default: enabled)") -option(WOLFSSL_ENC_THEN_MAC ${WOLFSSL_ENC_THEN_MAC_HELP_STRING} "yes") +add_option("WOLFSSL_ENC_THEN_MAC" ${WOLFSSL_ENC_THEN_MAC_HELP_STRING} "yes" "yes;no") if(WOLFSSL_APACHE_HTTPD) override_cache(WOLFSSL_ENC_THEN_MAC "no") @@ -1015,7 +1099,7 @@ endif() # stunnel Support # TODO: rest of stunnel support set(WOLFSSL_STUNNEL_HELP_STRING "Enable stunnel (default: disabled)") -option(WOLFSSL_STUNNEL ${WOLFSSL_STUNNEL_HELP_STRING} "no") +add_option("WOLFSSL_STUNNEL" ${WOLFSSL_STUNNEL_HELP_STRING} "no" "yes;no") if(NOT WOLFSSL_PSK AND NOT WOLFSSL_LEAN_PSK AND @@ -1029,7 +1113,7 @@ endif() # MD4 set(WOLFSSL_MD4_HELP_STRING "Enable MD4 (default: disabled)") -option(WOLFSSL_MD4 ${WOLFSSL_MD4_HELP_STRING} "no") +add_option("WOLFSSL_MD4" ${WOLFSSL_MD4_HELP_STRING} "no" "yes;no") if(NOT WOLFSSL_MD4) # turn on MD4 if using stunnel @@ -1045,7 +1129,7 @@ endif() # PWDBASED has to come after certservice since we want it on w/o explicit on # PWDBASED set(WOLFSSL_PWDBASED_HELP_STRING "Enable PWDBASED (default: disabled)") -option(WOLFSSL_PWDBASED ${WOLFSSL_PWDBASED_HELP_STRING} "no") +add_option("WOLFSSL_PWDBASED" ${WOLFSSL_PWDBASED_HELP_STRING} "no" "yes;no") if(NOT WOLFSSL_PWDBASED) if(WOLFSSL_OPENSSLEXTRA OR @@ -1079,7 +1163,7 @@ if(WOLFSSL_SP_MATH) endif() set(WOLFSSL_FAST_MATH_HELP_STRING "Enable fast math ops (default: enabled on x86_64/aarch64)") -option(WOLFSSL_FAST_MATH ${WOLFSSL_FAST_MATH_HELP_STRING} ${FASTMATH_DEFAULT}) +add_option("WOLFSSL_FAST_MATH" ${WOLFSSL_FAST_MATH_HELP_STRING} ${FASTMATH_DEFAULT} "yes;no") if(WOLFSSL_FAST_MATH) # turn off fastmath if leanpsk on or asn off (w/o DH and ECC) @@ -1113,7 +1197,7 @@ else() endif() set(WOLFSSL_EXAMPLES_HELP_STRING "Enable examples (default: enabled)") -option(WOLFSSL_EXAMPLES ${WOLFSSL_EXAMPLES_HELP_STRING} ${EXAMPLES_DEFAULT}) +add_option("WOLFSSL_EXAMPLES" ${WOLFSSL_EXAMPLES_HELP_STRING} ${EXAMPLES_DEFAULT} "yes;no") if(NOT WOLFSSL_FILESYSTEM OR NOT WOLFSSL_INLINE OR @@ -1129,7 +1213,7 @@ else() endif() set(WOLFSSL_CRYPT_TESTS_HELP_STRING "Enable Crypt Bench/Test (default: enabled)") -option(WOLFSSL_CRYPT_TESTS ${WOLFSSL_CRYPT_TESTS_HELP_STRING} ${CRYPT_TESTS_DEFAULT}) +add_option("WOLFSSL_CRYPT_TESTS" ${WOLFSSL_CRYPT_TESTS_HELP_STRING} ${CRYPT_TESTS_DEFAULT} "yes;no") # TODO: - LIBZ # - PKCS#11 @@ -1146,7 +1230,7 @@ option(WOLFSSL_CRYPT_TESTS ${WOLFSSL_CRYPT_TESTS_HELP_STRING} ${CRYPT_TESTS_DEFA # Asynchronous threading set(WOLFSSL_ASYNC_THREADS_HELP_STRING "Enable Asynchronous Threading (default: enabled)") -option(WOLFSSL_ASYNC_THREADS ${WOLFSSL_ASYNC_THREADS_HELP_STRING} "yes") +add_option("WOLFSSL_ASYNC_THREADS" ${WOLFSSL_ASYNC_THREADS_HELP_STRING} "yes" "yes;no") if(WOLFSSL_ASYNC_CRYPT AND WOLFSSL_ASYNC_THREADS) if(CMAKE_USE_PTHREADS_INIT) @@ -1171,7 +1255,7 @@ endif() # - AES key wrap set(WOLFSSL_OLD_NAMES_HELP_STRING "Keep backwards compat with old names (default: enabled)") -option(WOLFSSL_OLD_NAMES ${WOLFSSL_OLD_NAMES_HELP_STRING} "yes") +add_option("WOLFSSL_OLD_NAMES" ${WOLFSSL_OLD_NAMES_HELP_STRING} "yes" "yes;no") if(NOT WOLFSSL_OLD_NAMES AND NOT WOLFSSL_OPENSSL_COEXIST) list(APPEND WOLFSSL_DEFINITIONS @@ -1186,7 +1270,7 @@ endif() # Support for enabling setting default DH parameters set(WOLFSSL_DH_DEFAULT_PARAMS_HELP_STRING "Enables option for default dh parameters (default: disabled)") -option(WOLFSSL_DH_DEFAULT_PARAMS ${WOLFSSL_DH_DEFAULT_PARAMS_HELP_STRING} "no") +add_option("WOLFSSL_DH_DEFAULT_PARAMS" ${WOLFSSL_DH_DEFAULT_PARAMS_HELP_STRING} "no" "yes;no") if(WOLFSSL_DH_DEFAULT_PARAMS OR NOT WOLFSSL_QT) override_cache(WOLFSSL_DH_DEFAULT_PARAMS "yes") @@ -1204,10 +1288,10 @@ else() endif() set(WOLFSSL_USER_SETTINGS_HELP_STRING "Use your own user_settings.h and do not add Makefile CFLAGS (default: disabled)") -option(WOLFSSL_USER_SETTINGS ${WOLFSSL_USER_SETTINGS_HELP_STRING} "no") +add_option("WOLFSSL_USER_SETTINGS" ${WOLFSSL_USER_SETTINGS_HELP_STRING} "no" "yes;no") set(WOLFSSL_OPTFLAGS_HELP_STRING "Enable default optimization CFLAGS for the compiler (default: enabled)") -option(WOLFSSL_OPTFLAGS ${WOLFSSL_OPTFLAGS_HELP_STRING} "yes") +add_option("WOLFSSL_OPTFLAGS" ${WOLFSSL_OPTFLAGS_HELP_STRING} "yes" "yes;no") # Generates the BUILD_* flags. These control what source files are included in # the library. A series of AM_CONDITIONALs handle this in configure.ac. @@ -1227,7 +1311,7 @@ endif() add_definitions(${WOLFSSL_DEFINITIONS}) set(WOLFSSL_CONFIG_H_HELP_STRING "Enable generation of config.h and define HAVE_CONFIG_H (default: enabled)") -option(WOLFSSL_CONFIG_H ${WOLFSSL_CONFIG_H_HELP_STRING} "yes") +add_option("WOLFSSL_CONFIG_H" ${WOLFSSL_CONFIG_H_HELP_STRING} "yes" "yes;no") if(WOLFSSL_CONFIG_H) add_definitions("-DHAVE_CONFIG_H") diff --git a/IDE/CRYPTOCELL/user_settings.h b/IDE/CRYPTOCELL/user_settings.h index bbc3bab28a..78087f11be 100644 --- a/IDE/CRYPTOCELL/user_settings.h +++ b/IDE/CRYPTOCELL/user_settings.h @@ -41,6 +41,7 @@ extern "C" { #endif #if defined(WOLFSSL_CRYPTOCELL) + /* see SASI_AES_KEY_MAX_SIZE_IN_BYTES in the nRF5 SDK */ #define AES_MAX_KEY_SIZE 128 #endif /* WOLFSSL_CRYPTOCELL*/ @@ -137,6 +138,9 @@ extern "C" { #if 1 #define HAVE_ECC + #include + /* strings.h required for strncasecmp */ + /* Manually define enabled curves */ #undef ECC_USER_CURVES #define ECC_USER_CURVES diff --git a/certs/crl/crl.der b/certs/crl/crl.der new file mode 100644 index 0000000000..f8726dd52d Binary files /dev/null and b/certs/crl/crl.der differ diff --git a/certs/crl/crl2.der b/certs/crl/crl2.der new file mode 100644 index 0000000000..f8726dd52d Binary files /dev/null and b/certs/crl/crl2.der differ diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh index 7cf4bf6e45..4f2e22ad05 100755 --- a/certs/crl/gencrls.sh +++ b/certs/crl/gencrls.sh @@ -177,4 +177,9 @@ echo "Step 22" openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem check_result $? +# create crl and crl2 der files for unit test +echo "Step 23" +openssl crl -in crl.pem -inform PEM -out crl.der -outform DER +openssl crl -in crl2.pem -inform PEM -out crl2.der -outform DER + exit 0 diff --git a/certs/crl/include.am b/certs/crl/include.am index c5da8de99f..6d6d9b2c6d 100644 --- a/certs/crl/include.am +++ b/certs/crl/include.am @@ -10,7 +10,9 @@ EXTRA_DIST += \ certs/crl/crl2.pem \ certs/crl/caEccCrl.pem \ certs/crl/caEcc384Crl.pem \ - certs/crl/wolfssl.cnf + certs/crl/wolfssl.cnf \ + certs/crl/crl.der \ + certs/crl/crl2.der EXTRA_DIST += \ certs/crl/crl.revoked diff --git a/cmake/functions.cmake b/cmake/functions.cmake index abb0e5a2b2..1869c50c10 100644 --- a/cmake/functions.cmake +++ b/cmake/functions.cmake @@ -1,3 +1,22 @@ +function(add_option NAME HELP_STRING DEFAULT VALUES) + list(FIND VALUES ${DEFAULT} IDX) + if (${IDX} EQUAL -1) + message(FATAL_ERROR "Failed to add option ${NAME}. Default value " + "${DEFAULT} is not in list of possible values: ${VALUES}.") + endif() + + if(DEFINED ${NAME}) + list(FIND VALUES ${${NAME}} IDX) + if (${IDX} EQUAL -1) + message(FATAL_ERROR "Failed to set option ${NAME}. Value " + "${${NAME}} is not in list of possible values: ${VALUES}.") + endif() + endif() + + set(${NAME} ${DEFAULT} CACHE STRING ${HELP_STRING}) + set_property(CACHE ${NAME} PROPERTY STRINGS ${VALUES}) +endfunction() + function(override_cache VAR VAL) get_property(VAR_TYPE CACHE ${VAR} PROPERTY TYPE) set(${VAR} ${VAL} CACHE ${VAR_TYPE} ${${VAR}_HELP_STRING} FORCE) diff --git a/configure.ac b/configure.ac index a45af9c2ce..08414bb7d5 100644 --- a/configure.ac +++ b/configure.ac @@ -14,30 +14,10 @@ AC_CONFIG_AUX_DIR([build-aux]) # want the default "-g -O2" that AC_PROG_CC sets automatically. : ${CFLAGS=""} -# For reproducible builds, gate out from the build anything that might -# introduce semantically frivolous jitter, maximizing chance of -# identical object files. -AC_ARG_ENABLE([reproducible-build], - [AS_HELP_STRING([--enable-reproducible-builds],[Enable maximally reproducible build (default: disabled)])], - [ ENABLED_REPRODUCIBLE_BUILD=$enableval ], - [ ENABLED_REPRODUCIBLE_BUILD=no ] - ) - -# Test ar for the "U" or "D" options. Should be checked before the libtool macros. -xxx_ar_flags=$(ar --help 2>&1) -if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes" -then - AS_CASE([$xxx_ar_flags],[*'use zero for timestamps and uids/gids'*],[: ${AR_FLAGS="Dcr"}]) -else - AS_CASE([$xxx_ar_flags],[*'use actual timestamps and uids/gids'*],[: ${AR_FLAGS="Ucru"}]) -fi -xxx_ranlib_flags=$(ranlib --help 2>&1) -if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes" -then - AS_CASE([$xxx_ranlib_flags],[*'Use zero for symbol map timestamp'*],[: ${RANLIB="ranlib -D"}]) -else - AS_CASE([$xxx_ranlib_flags],[*'Use actual symbol map timestamp'*],[: ${RANLIB="ranlib -U"}]) -fi +# Capture user C_EXTRA_FLAGS from configure line. +# Use of C_EXTRA_FLAGS is deprecated because CFLAGS was fixed but someone +# might still be using it. +CFLAGS="$CFLAGS $C_EXTRA_FLAGS $C_FLAGS" AC_PROG_CC AM_PROG_CC_C_O @@ -69,11 +49,6 @@ WOLFSSL_LIBRARY_VERSION=28:1:4 # +- increment if interfaces have been added, removed or changed AC_SUBST([WOLFSSL_LIBRARY_VERSION]) -# Capture user C_EXTRA_FLAGS from configure line. -# Use of C_EXTRA_FLAGS is deprecated because CFLAGS was fixed but someone -# might still be using it. -CFLAGS="$CFLAGS $C_EXTRA_FLAGS $C_FLAGS" - gl_VISIBILITY AS_IF([ test -n "$CFLAG_VISIBILITY" ], [ AM_CFLAGS="$AM_CPPFLAGS $CFLAG_VISIBILITY" @@ -89,6 +64,49 @@ AC_CHECK_SIZEOF([long]) AC_CHECK_SIZEOF([time_t]) AC_CHECK_TYPES([__uint128_t]) + +# Distro build feature subset (Debian, Ubuntu, etc.) +AC_ARG_ENABLE([distro], + [AS_HELP_STRING([--enable-distro],[Enable wolfSSL distro build (default: disabled)])], + [ ENABLED_DISTRO=$enableval ], + [ ENABLED_DISTRO=no ] + ) +if test "$ENABLED_DISTRO" = "yes" +then + enable_shared=yes + enable_static=yes + enable_all=yes + REPRODUCIBLE_BUILD_DEFAULT=yes +else + REPRODUCIBLE_BUILD_DEFAULT=no +fi + +# For reproducible build, gate out from the build anything that might +# introduce semantically frivolous jitter, maximizing chance of +# identical object files. +AC_ARG_ENABLE([reproducible-build], + [AS_HELP_STRING([--enable-reproducible-build],[Enable maximally reproducible build (default: disabled)])], + [ ENABLED_REPRODUCIBLE_BUILD=$enableval ], + [ ENABLED_REPRODUCIBLE_BUILD=$REPRODUCIBLE_BUILD_DEFAULT ] + ) + +# Test ar for the "U" or "D" options. Should be checked before the libtool macros. +xxx_ar_flags=$(ar --help 2>&1) +if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes" +then + AS_CASE([$xxx_ar_flags],[*'use zero for timestamps and uids/gids'*],[: ${AR_FLAGS="Dcr"}]) +else + AS_CASE([$xxx_ar_flags],[*'use actual timestamps and uids/gids'*],[: ${AR_FLAGS="Ucru"}]) +fi +xxx_ranlib_flags=$(ranlib --help 2>&1) +if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes" +then + AS_CASE([$xxx_ranlib_flags],[*'Use zero for symbol map timestamp'*],[: ${RANLIB="ranlib -D"}]) +else + AS_CASE([$xxx_ranlib_flags],[*'Use actual symbol map timestamp'*],[: ${RANLIB="ranlib -U"}]) +fi + + AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h]) AC_CHECK_LIB([network],[socket]) AC_C_BIGENDIAN @@ -165,57 +183,45 @@ AC_ARG_ENABLE([fips], [ENABLED_FIPS="no"]) AS_CASE([$ENABLED_FIPS], - ["ready"],[ + [ready],[ ENABLED_FIPS="yes" FIPS_VERSION="v2" FIPS_READY="yes" ], - ["v2"],[ - # FIPS v2 - ENABLED_FIPS="yes" - FIPS_VERSION="v2" + [no],[ + FIPS_VERSION="none" + ENABLED_FIPS="no" ], - ["rand"],[ - # FIPS Rand + [rand|v1|v2],[ + FIPS_VERSION="$ENABLED_FIPS" ENABLED_FIPS="yes" - FIPS_VERSION="rand" ], - ["no"],[FIPS_VERSION="none"], + [yes], [ # FIPS v1 ENABLED_FIPS="yes" FIPS_VERSION="v1" + ], + [ + AC_MSG_ERROR([Invalid value for --enable-fips \"$ENABLED_FIPS\" (allowed: ready, rand, v1, v2)]) ]) -case "$FIPS_VERSION" in -none) if test -s wolfcrypt/src/fips.c || test -s ctaocrypt/src/fips.c; then - AC_MSG_ERROR([FIPS source tree is incompatible with non-FIPS build (requires --enable-fips)]) - fi - ;; -v1) if ! test -s ctaocrypt/src/fips.c; then - AC_MSG_ERROR([non-FIPS-v1 source tree is incompatible with --enable-fips=$enableval]) - fi - ;; -*) if ! test -s wolfcrypt/src/fips.c; then - AC_MSG_ERROR([non-FIPS source tree is incompatible with --enable-fips=$enableval]) - fi - ;; -esac - - -# Distro build feature subset (Debian, Ubuntu, etc.) -AC_ARG_ENABLE([distro], - [AS_HELP_STRING([--enable-distro],[Enable wolfSSL distro build (default: disabled)])], - [ ENABLED_DISTRO=$enableval ], - [ ENABLED_DISTRO=no ] - ) -if test "$ENABLED_DISTRO" = "yes" -then - enable_shared=yes - enable_static=yes - enable_all=yes -fi - +AS_CASE([$FIPS_VERSION], + [none], + [ + AS_IF([ test -s $srcdir/wolfcrypt/src/fips.c -o -s $srcdir/ctaocrypt/src/fips.c ], + [AC_MSG_ERROR([FIPS source tree is incompatible with non-FIPS build (requires --enable-fips)])]) + ], + [v1], + [ + AS_IF([ ! test -s $srcdir/ctaocrypt/src/fips.c], + [AC_MSG_ERROR([non-FIPS-v1 source tree is incompatible with --enable-fips=$enableval])]) + ], + [ + AS_IF([ ! test -s $srcdir/wolfcrypt/src/fips.c], + [AC_MSG_ERROR([non-FIPS source tree is incompatible with --enable-fips=$enableval])]) + ] +) # Linux Kernel Module AC_ARG_ENABLE([linuxkm], @@ -383,6 +389,7 @@ then test "$enable_enckeys" = "" && enable_enckeys=yes test "$enable_hashflags" = "" && enable_hashflags=yes test "$enable_defaultdhparams" = "" && enable_defaultdhparams=yes + test "$enable_base64encode" = "" && enable_base64encode=yes test "$enable_arc4" = "" && enable_arc4=yes test "$enable_des3" = "" && enable_des3=yes test "$enable_nullcipher" = "" && enable_nullcipher=yes @@ -2595,7 +2602,7 @@ AC_ARG_ENABLE([anon], [ ENABLED_ANON=no ] ) -if test "x$ENABLED_WPAS" = "xyes" +if test "x$ENABLED_WPAS" = "xyes" || test "$ENABLED_NGINX" = "yes" then ENABLED_ANON=yes fi @@ -5259,7 +5266,7 @@ if test "$ENABLED_SP_ASM" = "yes"; then fi fi ;; - *x86_64*) + *x86_64*|*amd64*) AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_X86_64_ASM" AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_X86_64_ASM" ENABLED_SP_X86_64_ASM=yes @@ -5618,7 +5625,7 @@ AC_ARG_ENABLE([oldnames], if test "x$ENABLED_OLDNAMES" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" then AM_CFLAGS="$AM_CFLAGS -DNO_OLD_RNGNAME -DNO_OLD_WC_NAMES -DNO_OLD_SSL_NAMES" - AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES" + AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES -DNO_OLD_MD5_NAME" fi @@ -6525,13 +6532,16 @@ echo " * Fast RSA: $ENABLED_FAST_RSA" echo " * Single Precision: $ENABLED_SP" if test "$ENABLED_SP_MATH_ALL" != "no" then - echo " * SP math implementation: all" -elif test "$ENABLED_SP_MATH" != "no" -then - echo " * SP math implementation: restricted" + ENABLED_SP_MATH_DESC="all" else - echo " * SP math implementation: no" + if test "$ENABLED_SP_MATH" != "no" + then + ENABLED_SP_MATH_DESC="restricted" + else + ENABLED_SP_MATH_DESC="no" + fi fi +echo " * SP math implementation: $ENABLED_SP_MATH_DESC" echo " * Async Crypto: $ENABLED_ASYNCCRYPT" echo " * PKCS#11: $ENABLED_PKCS11" echo " * PKCS#12: $ENABLED_PKCS12" diff --git a/examples/client/client.c b/examples/client/client.c index 79aece83e6..729aacdee0 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -466,6 +466,9 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, do { err = 0; /* reset error */ ret = wolfSSL_connect(ssl); +#ifdef WOLFSSL_EARLY_DATA + EarlyDataStatus(ssl); +#endif if (ret != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(ssl, 0); #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/examples/server/server.c b/examples/server/server.c index 05b6f2f548..00e17e80ee 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -2501,6 +2501,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) do { err = 0; /* reset error */ ret = SSL_accept(ssl); +#ifdef WOLFSSL_EARLY_DATA + EarlyDataStatus(ssl); +#endif if (ret != WOLFSSL_SUCCESS) { err = SSL_get_error(ssl, 0); #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/scripts/tls13.test b/scripts/tls13.test index 7f4c927d39..70f0072655 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -257,7 +257,7 @@ if [ "$early_data" = "yes" ]; then grep 'Session Ticket' $client_out_file session_ticket=$? early_data_cnt=`grep 'Early Data' $server_out_file | wc -l` - if [ $session_ticket -eq 0 -a $early_data_cnt -ne 2 ]; then + if [ $session_ticket -eq 0 -a $early_data_cnt -ne 4 ]; then RESULT=1 fi if [ $RESULT -ne 0 ]; then @@ -280,11 +280,11 @@ if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then RESULT=$? remove_ready_file early_data_cnt=`grep 'Early Data' $server_out_file | wc -l` - if [ $early_data_cnt -ne 2 -a $early_data_cnt -ne 4 ]; then + if [ $early_data_cnt -ne 3 -a $early_data_cnt -ne 4 ]; then RESULT=1 fi if [ $RESULT -ne 0 ]; then - echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket" + echo -e "\n\nIssue with TLS v1.3 Early Data - PSK" do_cleanup exit 1 fi diff --git a/src/bio.c b/src/bio.c index d80b7c0960..17541ea2d6 100644 --- a/src/bio.c +++ b/src/bio.c @@ -1439,6 +1439,31 @@ int wolfSSL_BIO_seek(WOLFSSL_BIO *bio, int ofs) return 0; } +/* wolfSSL_BIO_tell is provided as compatible API with + * BIO_tell which returns the current file position of a file related BIO. + * Returns the current file position on success and -1 for failure. + * Returns 0 for a BIOs except file related BIO. + */ +int wolfSSL_BIO_tell(WOLFSSL_BIO* bio) +{ + int pos; + + WOLFSSL_ENTER("wolfSSL_BIO_tell"); + + if (bio == NULL) { + return -1; + } + + if (bio->type != WOLFSSL_BIO_FILE) { + return 0; + } + + pos = (int)XFTELL((XFILE)bio->ptr); + if (pos < 0) + return -1; + else + return pos; +} #endif /* NO_FILESYSTEM */ diff --git a/src/internal.c b/src/internal.c index 73f51ad72f..20df4f998c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1800,6 +1800,15 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) #ifdef OPENSSL_EXTRA /* setup WOLFSSL_X509_STORE */ ctx->x509_store.cm = ctx->cm; + + /* WOLFSSL_X509_VERIFY_PARAM */ + if ((ctx->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { + WOLFSSL_MSG("ctx->param memory error"); + return MEMORY_E; + } + XMEMSET(ctx->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); #endif #endif @@ -1828,7 +1837,8 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) #endif #ifdef HAVE_WOLF_EVENT - ret = wolfEventQueue_Init(&ctx->event_queue); + if (ret == 0) + ret = wolfEventQueue_Init(&ctx->event_queue); #endif /* HAVE_WOLF_EVENT */ #ifdef WOLFSSL_EARLY_DATA @@ -1947,6 +1957,9 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) XFREE((void *)ctx->alpn_cli_protos, NULL, DYNAMIC_TYPE_OPENSSL); ctx->alpn_cli_protos = NULL; } + if (ctx->param) { + XFREE(ctx->param, ctx->heap, DYNAMIC_TYPE_OPENSSL); + } #endif #ifdef WOLFSSL_STATIC_EPHEMERAL #ifndef NO_DH @@ -2291,7 +2304,7 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, word16 havePSK, word16 haveDH, word16 haveNTRU, word16 haveECDSAsig, word16 haveECC, - word16 haveStaticECC, int side) + word16 haveStaticECC, word16 haveAnon, int side) { word16 idx = 0; int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; @@ -2313,6 +2326,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, (void)side; (void)haveRSA; /* some builds won't read */ (void)haveRSAsig; /* non ecc builds won't read */ + (void)haveAnon; /* anon ciphers optional */ if (suites == NULL) { WOLFSSL_MSG("InitSuites pointer error"); @@ -2532,14 +2546,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, #endif #ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - if (tls1_2 && haveDH) { + if (tls1_2 && haveDH && haveAnon) { suites->suites[idx++] = CIPHER_BYTE; suites->suites[idx++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; } #endif #ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveDH) { + if (tls1_2 && haveDH && haveAnon) { suites->suites[idx++] = CIPHER_BYTE; suites->suites[idx++] = TLS_DH_anon_WITH_AES_256_GCM_SHA384; } @@ -3393,15 +3407,9 @@ void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag, void* heap) (void)heap; if (name != NULL) { + XMEMSET(name, 0, sizeof(WOLFSSL_X509_NAME)); name->name = name->staticName; - name->dynamicName = 0; - name->sz = 0; name->heap = heap; -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) - XMEMSET(name->entry, 0, sizeof(name->entry)); - name->x509 = NULL; - name->entrySz = 0; -#endif /* OPENSSL_EXTRA */ } } @@ -5209,13 +5217,15 @@ int InitSSL_Suites(WOLFSSL* ssl) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } else { InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, TRUE, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } #if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT) @@ -18917,6 +18927,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case NO_CERT_ERROR: return "TLS1.3 No Certificate Set Error"; + case TOO_MUCH_EARLY_DATA: + return "Too much early data"; + default : return "unknown error number"; } @@ -27529,7 +27542,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } /* suite size */ @@ -27859,7 +27873,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } #ifdef OPENSSL_EXTRA @@ -27921,7 +27936,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } } #endif @@ -31122,16 +31138,22 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], #ifdef HAVE_SNI int SNI_Callback(WOLFSSL* ssl) { + int ad = 0; + int sniRet = 0; /* Stunnel supports a custom sni callback to switch an SSL's ctx * when SNI is received. Call it now if exists */ if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) { WOLFSSL_MSG("Calling custom sni callback"); - if(ssl->ctx->sniRecvCb(ssl, NULL, ssl->ctx->sniRecvCbArg) - == alert_fatal) { + sniRet = ssl->ctx->sniRecvCb(ssl, &ad, ssl->ctx->sniRecvCbArg); + if (sniRet == alert_fatal) { WOLFSSL_MSG("Error in custom sni callback. Fatal alert"); - SendAlert(ssl, alert_fatal, unrecognized_name); + SendAlert(ssl, alert_fatal, ad); return FATAL_ERROR; } + else if (sniRet == alert_warning) { + WOLFSSL_MSG("Error in custom sni callback. Warning alert"); + SendAlert(ssl, alert_warning, ad); + } } return 0; } diff --git a/src/ocsp.c b/src/ocsp.c index 4862cf9392..07eefb7317 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -75,7 +75,7 @@ static void FreeOcspEntry(OcspEntry* entry, void* heap) { CertStatus *status, *next; - if (entry == NULL) + if (entry == NULL || !entry->ownStatus) return; WOLFSSL_ENTER("FreeOcspEntry"); @@ -371,6 +371,7 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp XMEMCPY(status, newSingle->status, sizeof(CertStatus)); status->next = entry->status; entry->status = status; + entry->ownStatus = 1; entry->totalStatus++; } } @@ -598,7 +599,9 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( (void)dgst; cm = wolfSSL_CertManagerNew(); - if (cm == NULL) + if (cm == NULL + || subject == NULL || subject->derCert == NULL + || issuer == NULL || issuer->derCert == NULL) return NULL; ret = AllocDer(&derCert, issuer->derCert->length, @@ -628,6 +631,7 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( XMEMSET(certStatus, 0, sizeof(CertStatus)); certId->status = certStatus; + certId->ownStatus = 1; InitDecodedCert(&cert, subject->derCert->buffer, subject->derCert->length, NULL); @@ -797,6 +801,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, XMEMSET(resp->single, 0, sizeof(OcspEntry)); resp->single->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, DYNAMIC_TYPE_OCSP_STATUS); + resp->single->ownStatus = 1; if (resp->single->status == NULL) { XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(resp, NULL, DYNAMIC_TYPE_OCSP_REQUEST); @@ -876,6 +881,7 @@ WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response) else { XMEMCPY(bs->single, response->single, sizeof(OcspEntry)); XMEMCPY(bs->source, response->source, response->maxIdx); + bs->single->ownStatus = 0; } return bs; } @@ -912,11 +918,19 @@ int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, unsigned char** data) WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req, WOLFSSL_OCSP_CERTID *cid) { - if (req == NULL || cid == NULL) + if (req == NULL || cid == NULL || cid->status == NULL) return NULL; XMEMCPY(req->issuerHash, cid->issuerHash, KEYID_SIZE); XMEMCPY(req->issuerKeyHash, cid->issuerKeyHash, KEYID_SIZE); + if (cid->status->serialSz > req->serialSz) { + if (req->serial != NULL) + XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP); + req->serial = (byte*)XMALLOC(cid->status->serialSz, + req->heap, DYNAMIC_TYPE_OCSP_REQUEST); + if (req->serial == NULL) + return NULL; + } XMEMCPY(req->serial, cid->status->serial, cid->status->serialSz); req->serialSz = cid->status->serialSz; diff --git a/src/ssl.c b/src/ssl.c index 41cf5e01e8..bc4f620ab4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1792,7 +1792,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); @@ -2271,7 +2272,7 @@ int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) #ifdef WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST /* The following is a non-standard way to reconfigure the max packet size - post-handshake for wolfSSL_write/woflSSL_read */ + post-handshake for wolfSSL_write/wolfSSL_read */ if (ssl->options.handShakeState == HANDSHAKE_DONE) { switch (mfl) { case WOLFSSL_MFL_2_8 : ssl->max_fragment = 256; break; @@ -3791,97 +3792,101 @@ int wolfSSL_CertManager_up_ref(WOLFSSL_CERT_MANAGER* cm) WOLFSSL_STACK* wolfSSL_CertManagerGetCerts(WOLFSSL_CERT_MANAGER* cm) { WOLFSSL_STACK* sk = NULL; + int numCerts = 0; + DerBuffer** certBuffers = NULL; + const byte* derBuffer = NULL; Signer* signers = NULL; word32 row = 0; - DecodedCert* dCert = NULL; WOLFSSL_X509* x509 = NULL; - int found = 0; + int i = 0; + int ret = 0; if (cm == NULL) return NULL; sk = wolfSSL_sk_X509_new(); + if (sk == NULL) + goto error; - if (sk == NULL) { - return NULL; - } - - if (wc_LockMutex(&cm->caLock) != 0) { - goto error_init; - } + if (wc_LockMutex(&cm->caLock) != 0) + goto error; + /* Iterate once to get the number of certs, for memory allocation + purposes. */ for (row = 0; row < CA_TABLE_SIZE; row++) { signers = cm->caTable[row]; while (signers && signers->derCert && signers->derCert->buffer) { - - dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap, - DYNAMIC_TYPE_DCERT); - if (dCert == NULL) { - goto error; - } - - XMEMSET(dCert, 0, sizeof(DecodedCert)); - - InitDecodedCert(dCert, signers->derCert->buffer, - signers->derCert->length, cm->heap); - - /* Parse Certificate */ - if (ParseCert(dCert, CERT_TYPE, NO_VERIFY, cm)) { - goto error; - } - - x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), cm->heap, - DYNAMIC_TYPE_X509); - - if (x509 == NULL) { - goto error; - } - - InitX509(x509, 1, NULL); - - if (CopyDecodedToX509(x509, dCert) == 0) { - - if (wolfSSL_sk_X509_push(sk, x509) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Unable to load x509 into stack"); - FreeX509(x509); - XFREE(x509, cm->heap, DYNAMIC_TYPE_X509); - goto error; - } - } - else { - goto error; - } - - found = 1; - + ++numCerts; signers = signers->next; - - FreeDecodedCert(dCert); - XFREE(dCert, cm->heap, DYNAMIC_TYPE_DCERT); - dCert = NULL; } } + + if (numCerts == 0) { + wc_UnLockMutex(&cm->caLock); + goto error; + } + + certBuffers = (DerBuffer**)XMALLOC(sizeof(DerBuffer*) * numCerts, cm->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (certBuffers == NULL) { + wc_UnLockMutex(&cm->caLock); + goto error; + } + XMEMSET(certBuffers, 0, sizeof(DerBuffer*) * numCerts); + + /* Copy the certs locally so that we can release the caLock. If the lock is + held when wolfSSL_d2i_X509 is called, GetCA will also try to get the + lock, leading to deadlock. */ + for (row = 0; row < CA_TABLE_SIZE; row++) { + signers = cm->caTable[row]; + while (signers && signers->derCert && signers->derCert->buffer) { + ret = AllocDer(&certBuffers[i], signers->derCert->length, CA_TYPE, + cm->heap); + if (ret < 0) { + wc_UnLockMutex(&cm->caLock); + goto error; + } + + XMEMCPY(certBuffers[i]->buffer, signers->derCert->buffer, + signers->derCert->length); + certBuffers[i]->length = signers->derCert->length; + + ++i; + signers = signers->next; + } + } + wc_UnLockMutex(&cm->caLock); - if (!found) { - goto error_init; + for (i = 0; i < numCerts; ++i) { + derBuffer = certBuffers[i]->buffer; + wolfSSL_d2i_X509(&x509, &derBuffer, certBuffers[i]->length); + if (x509 == NULL) + goto error; + + if (wolfSSL_sk_X509_push(sk, x509) != WOLFSSL_SUCCESS) + goto error; } + for (i = 0; i < numCerts && certBuffers[i] != NULL; ++i) { + FreeDer(&certBuffers[i]); + } + + XFREE(certBuffers, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); + return sk; error: - wc_UnLockMutex(&cm->caLock); - -error_init: - - if (dCert) { - FreeDecodedCert(dCert); - XFREE(dCert, cm->heap, DYNAMIC_TYPE_DCERT); - } - if (sk) wolfSSL_sk_X509_free(sk); + for (i = 0; i < numCerts && certBuffers[i] != NULL; ++i) { + FreeDer(&certBuffers[i]); + } + + if (certBuffers) + XFREE(certBuffers, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); + return NULL; } #endif /* WOLFSSL_SIGNER_DER_CERT */ @@ -4260,7 +4265,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); return WOLFSSL_SUCCESS; } @@ -5939,7 +5945,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } return WOLFSSL_SUCCESS; @@ -10408,6 +10415,29 @@ int wolfSSL_X509_digest(const WOLFSSL_X509* x509, const WOLFSSL_EVP_MD* digest, WOLFSSL_LEAVE("wolfSSL_X509_digest", ret); return ret; } + +int wolfSSL_X509_pubkey_digest(const WOLFSSL_X509 *x509, + const WOLFSSL_EVP_MD *digest, unsigned char* buf, unsigned int* len) +{ + int ret; + + WOLFSSL_ENTER("wolfSSL_X509_pubkey_digest"); + + if (x509 == NULL || digest == NULL) { + WOLFSSL_MSG("Null argument found"); + return WOLFSSL_FAILURE; + } + + if (x509->pubKey.buffer == NULL || x509->pubKey.length == 0) { + WOLFSSL_MSG("No DER public key stored in X509"); + return WOLFSSL_FAILURE; + } + + ret = wolfSSL_EVP_Digest(x509->pubKey.buffer, x509->pubKey.length, buf, + len, digest, NULL); + WOLFSSL_LEAVE("wolfSSL_X509_pubkey_digest", ret); + return ret; +} #endif int wolfSSL_use_PrivateKey(WOLFSSL* ssl, WOLFSSL_EVP_PKEY* pkey) @@ -14467,7 +14497,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX* ctx, @@ -14501,7 +14532,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl) @@ -15689,6 +15721,15 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ctx->mask = wolf_set_options(ctx->mask, opt); +#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \ + defined(OPENSSL_EXTRA) + if (ctx->mask & SSL_OP_NO_TICKET) { + ctx->ticketEncCb = NULL; + ctx->ticketEncCtx = NULL; + WOLFSSL_MSG("\tSSL_OP_NO_TICKET"); + } +#endif + return ctx->mask; } @@ -16626,6 +16667,62 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver) return sanityCheckProtoVersion(ctx); } +static int GetMinProtoVersion(int minDowngrade) +{ + int ret; + + switch (minDowngrade) { +#ifndef NO_OLD_TLS + #ifdef WOLFSSL_ALLOW_SSLV3 + case SSLv3_MINOR: + ret = SSL3_VERSION; + break; + #endif + #ifdef WOLFSSL_ALLOW_TLSV10 + case TLSv1_MINOR: + ret = TLS1_VERSION; + break; + #endif + case TLSv1_1_MINOR: + ret = TLS1_1_VERSION; + break; +#endif +#ifndef WOLFSSL_NO_TLS12 + case TLSv1_2_MINOR: + ret = TLS1_2_VERSION; + break; +#endif +#ifdef WOLFSSL_TLS13 + case TLSv1_3_MINOR: + ret = TLS1_3_VERSION; + break; +#endif + default: + ret = 0; + break; + } + + return ret; +} + +WOLFSSL_API int wolfSSL_CTX_get_min_proto_version(WOLFSSL_CTX* ctx) +{ + int ret = 0; + + WOLFSSL_ENTER("wolfSSL_CTX_get_min_proto_version"); + + if (ctx != NULL) { + ret = GetMinProtoVersion(ctx->minDowngrade); + } + if (ret == 0) { + ret = GetMinProtoVersion(WOLFSSL_MIN_DOWNGRADE); + } + + WOLFSSL_LEAVE("wolfSSL_CTX_get_min_proto_version", ret); + + return ret; +} + #endif /* OPENSSL_EXTRA */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) @@ -16735,6 +16832,31 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + /* Apply MD5 transformation to the data */ + int wolfSSL_MD5_Transform(WOLFSSL_MD5_CTX* md5, const unsigned char* data) + { + int ret; + + WOLFSSL_ENTER("MD5_Transform"); + + /* sanity check */ + if (md5 == NULL || data == NULL) { + return 0; + } + #if defined(BIG_ENDIAN_ORDER) + { + ByteReverseWords((word32*)data, (word32*)data, WC_MD5_BLOCK_SIZE); + } + #endif + + ret = wc_Md5Transform((wc_Md5*)md5, data); + + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + else + return 0; + } #endif /* !NO_MD5 */ @@ -16787,7 +16909,36 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + #if defined(OPENSSL_EXTRA) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA1 transformation to the data */ + int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX* sha, + const unsigned char* data) + { + int ret; + + WOLFSSL_ENTER("SHA_Transform"); + /* sanity check */ + if (sha == NULL || data == NULL) { + return 0; + } + #if defined(LITTLE_ENDIAN_ORDER) + { + ByteReverseWords((word32*)data, (word32*)data, WC_SHA_BLOCK_SIZE); + } + #endif + ret = wc_ShaTransform((wc_Sha*)sha, data); + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + else + return 0; + } + #endif + #endif + int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX* sha) { WOLFSSL_ENTER("SHA1_Init"); @@ -16808,6 +16959,18 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, WOLFSSL_ENTER("SHA1_Final"); return SHA_Final(input, sha); } + #if defined(OPENSSL_EXTRA) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA1 transformation to the data */ + int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX* sha, + const unsigned char* data) + { + WOLFSSL_ENTER("SHA1_Transform"); + return (wolfSSL_SHA_Transform(sha, data)); + } + #endif + #endif #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 @@ -16910,8 +17073,37 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + + #if defined(OPENSSL_EXTRA) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA256 transformation to the data */ + int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX* sha256, + const unsigned char* data) + { + int ret; + + WOLFSSL_ENTER("SHA256_Transform"); + /* sanity check */ + if (sha256 == NULL || data == NULL) { + return 0; + } + #if defined(LITTLE_ENDIAN_ORDER) + { + ByteReverseWords((word32*)data, (word32*)data, WC_SHA256_BLOCK_SIZE); + } + #endif + ret = wc_Sha256Transform((wc_Sha256*)sha256, data); - + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + else + return 0; + } + #endif + #endif + #ifdef WOLFSSL_SHA384 int wolfSSL_SHA384_Init(WOLFSSL_SHA384_CTX* sha) @@ -17015,6 +17207,30 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA512 transformation to the data */ + int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX* sha512, + const unsigned char* data) + { + int ret = WOLFSSL_SUCCESS; + + WOLFSSL_ENTER("SHA512_Transform"); + /* sanity check */ + if (sha512 == NULL || data == NULL) { + return 0; + } + + ret = wc_Sha512Transform((wc_Sha512*)sha512, data); + + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + else + return 0; + } + #endif /* !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) */ #endif /* WOLFSSL_SHA512 */ #ifdef WOLFSSL_SHA3 @@ -18248,39 +18464,68 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, #endif /* KEEP_PEER_CERT */ -#if defined(SESSION_CERTS) -/* Return stack of peer certs. - * If Qt or OPENSSL_ALL is defined then return ssl->peerCertChain. - * All other cases return &ssl->session.chain - * ssl->peerCertChain is type WOLFSSL_STACK* - * ssl->session.chain is type WOLFSSL_X509_CHAIN +#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) +/* Return stack of peer certs. * Caller does not need to free return. The stack is Free'd when WOLFSSL* ssl is. */ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL* ssl) { - WOLFSSL_STACK* sk; WOLFSSL_ENTER("wolfSSL_get_peer_cert_chain"); if (ssl == NULL) return NULL; - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - if (ssl->peerCertChain == NULL) - wolfSSL_set_peer_cert_chain((WOLFSSL*) ssl); - sk = ssl->peerCertChain; - #else - sk = (WOLF_STACK_OF(WOLFSSL_X509)* )&ssl->session.chain; - #endif + if (ssl->peerCertChain == NULL) + wolfSSL_set_peer_cert_chain((WOLFSSL*) ssl); + return ssl->peerCertChain; +} - if (sk == NULL) { - WOLFSSL_MSG("Error: Null Peer Cert Chain"); +static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm, + WOLFSSL_X509 *x); +/** + * Recursively push the issuer CA chain onto the stack + * @param cm The cert manager that is queried for the issuer + * @param x This cert's issuer will be queried in cm + * @param sk The issuer is pushed onto this stack + * @return WOLFSSL_SUCCESS on success + * WOLFSSL_FAILURE on no issuer found + * WOLFSSL_FATAL_ERROR on a fatal error + */ +static int pushCAx509Chain(WOLFSSL_CERT_MANAGER* cm, + WOLFSSL_X509 *x, WOLFSSL_STACK* sk) +{ + WOLFSSL_X509* issuer[MAX_CHAIN_DEPTH]; + int i; + int push = 1; + int ret = WOLFSSL_SUCCESS; + + for (i = 0; i < MAX_CHAIN_DEPTH; i++) { + if (x509GetIssuerFromCM(&issuer[i], cm, x) + != WOLFSSL_SUCCESS) + break; + x = issuer[i]; + } + if (i == 0) /* No further chain found */ + return WOLFSSL_FAILURE; + i--; + for (; i >= 0; i--) { + if (push) { + if (wolfSSL_sk_X509_push(sk, issuer[i]) != WOLFSSL_SUCCESS) { + wolfSSL_X509_free(issuer[i]); + ret = WOLFSSL_FATAL_ERROR; + push = 0; /* Free the rest of the unpushed certs */ + } + } + else { + wolfSSL_X509_free(issuer[i]); + } } - return sk; + return ret; } -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) /* Builds up and creates a stack of peer certificates for ssl->peerCertChain - based off of the ssl session chain. Returns stack of WOLFSSL_X509 certs or + based off of the ssl session chain. Attempts to place CA certificates + at the bottom of the stack. Returns stack of WOLFSSL_X509 certs or NULL on failure */ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl) { @@ -18296,10 +18541,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl) sk = wolfSSL_sk_X509_new(); i = ssl->session.chain.count-1; for (; i >= 0; i--) { - /* For servers, the peer certificate chain does not include the peer - certificate, so do not add it to the stack */ - if (ssl->options.side == WOLFSSL_SERVER_END && i == 0) - continue; x509 = wolfSSL_X509_new(); if (x509 == NULL) { WOLFSSL_MSG("Error Creating X509"); @@ -18307,6 +18548,14 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl) } ret = DecodeToX509(x509, ssl->session.chain.certs[i].buffer, ssl->session.chain.certs[i].length); + if (ret == 0 && i == ssl->session.chain.count-1) { + /* On the last element in the chain try to add the CA chain + * first if we have one for this cert */ + if (pushCAx509Chain(ssl->ctx->cm, x509, sk) + == WOLFSSL_FATAL_ERROR) { + ret = WOLFSSL_FATAL_ERROR; + } + } if (ret != 0 || wolfSSL_sk_X509_push(sk, x509) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error decoding cert"); @@ -18323,8 +18572,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl) ssl->peerCertChain = sk; return sk; } -#endif /* OPENSSL_ALL || WOLFSSL_QT */ -#endif /* SESSION_CERTS */ +#endif /* SESSION_CERTS && OPENSSL_EXTRA */ #ifndef NO_CERTS #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ @@ -21463,7 +21711,7 @@ WOLFSSL_SESSION* wolfSSL_SESSION_new(void) } /* add one to session reference count - * return WOFLSSL_SUCCESS on success and WOLFSSL_FAILURE on error */ + * return WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on error */ int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session) { if (session == NULL) @@ -25851,12 +26099,106 @@ WOLFSSL_X509 *wolfSSL_d2i_X509_fp(XFILE fp, WOLFSSL_X509 **x509) #ifdef HAVE_CRL + +#ifndef NO_BIO +WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, + WOLFSSL_X509_CRL **x) +{ + int derSz; + byte* der = NULL; + WOLFSSL_X509_CRL* crl = NULL; + + if (bp == NULL) + return NULL; + + if ((derSz = wolfSSL_BIO_get_len(bp)) > 0) { + der = (byte*)XMALLOC(derSz, 0, DYNAMIC_TYPE_DER); + if (der != NULL) { + if (wolfSSL_BIO_read(bp, der, derSz) == derSz) { + crl = wolfSSL_d2i_X509_CRL(x, der, derSz); + } + } + } + + if (der != NULL) { + XFREE(der, 0, DYNAMIC_TYPE_DER); + } + + return crl; +} +#endif + #ifndef NO_FILESYSTEM WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE fp, WOLFSSL_X509_CRL **crl) { WOLFSSL_ENTER("wolfSSL_d2i_X509_CRL_fp"); return (WOLFSSL_X509_CRL *)wolfSSL_d2i_X509_fp_ex(fp, (void **)crl, CRL_TYPE); } + +/* Read CRL file, and add it to store and corresponding cert manager */ +/* @param ctx a pointer of X509_LOOKUP back to the X509_STORE */ +/* @param file a file to read */ +/* @param type WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1 */ +/* @return WOLFSSL_SUCCESS(1) on successful, othewise WOLFSSL_FAILURE(0)*/ +WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, + const char *file, int type) +{ + int ret = WOLFSSL_FAILURE; + int count = 0; + WOLFSSL_BIO *bio = NULL; + WOLFSSL_X509_CRL *crl =NULL; + + WOLFSSL_ENTER("wolfSSL_X509_load_crl_file"); + + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); + + if ((bio == NULL) || (wolfSSL_BIO_read_filename(bio, file) <= 0)) { + return ret; + } + + if (type == WOLFSSL_FILETYPE_PEM) { + do { + crl = wolfSSL_PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); + if (crl == NULL) { + if (count <= 0) { + WOLFSSL_MSG("Load crl failed"); + } + break; + } + + ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl); + if (ret == WOLFSSL_FAILURE) { + WOLFSSL_MSG("Adding crl failed"); + break; + } + count++; + wolfSSL_X509_CRL_free(crl); + crl = NULL; + } while(crl == NULL); + + ret = count; + } else if (type == WOLFSSL_FILETYPE_ASN1) { + crl = wolfSSL_d2i_X509_CRL_bio(bio, NULL); + if (crl == NULL) { + WOLFSSL_MSG("Load crl failed"); + } else { + ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl); + if (ret == WOLFSSL_FAILURE) { + WOLFSSL_MSG("Adding crl failed"); + } else { + ret = 1;/* handled a file */ + } + } + } else { + WOLFSSL_MSG("Invalid file type"); + } + + wolfSSL_X509_CRL_free(crl); + wolfSSL_BIO_free(bio); + + WOLFSSL_LEAVE("wolfSSL_X509_load_crl_file", ret); + return ret; +} #endif /* !NO_FILESYSTEM */ @@ -26066,6 +26408,69 @@ int wolfSSL_X509_VERIFY_PARAM_clear_flags(WOLFSSL_X509_VERIFY_PARAM *param, } +/* inherits properties of param "to" to param "from" +* +* WOLFSSL_VPARAM_DEFAULT any values in "src" is copied +* if "src" value is new for "to". +* WOLFSSL_VPARAM_OVERWRITE all values of "form" are copied to "to" +* WOLFSSL_VPARAM_RESET_FLAGS the flag values are copied, not Ored +* WOLFSSL_VPARAM_LOCKED don't copy any values +* WOLFSSL_VPARAM_ONCE the current inherit_flags is zerroed +*/ +static int wolfSSL_X509_VERIFY_PARAM_inherit(WOLFSSL_X509_VERIFY_PARAM *to, + const WOLFSSL_X509_VERIFY_PARAM *from) +{ + int ret = WOLFSSL_FAILURE; + int isOverWrite = 0; + int isDefault = 0; + unsigned int flags; + + /* sanity check */ + if (!to || !from) { + /* be compatible to openssl return value */ + return WOLFSSL_SUCCESS; + } + flags = to->inherit_flags | from->inherit_flags; + + if (flags & WOLFSSL_VPARAM_LOCKED) { + return WOLFSSL_SUCCESS; + } + + if (flags & WOLFSSL_VPARAM_ONCE) { + to->inherit_flags = 0; + } + + isOverWrite = (flags & WOLFSSL_VPARAM_OVERWRITE); + isDefault = (flags & WOLFSSL_VPARAM_DEFAULT); + + /* copy check_time if check time is not set */ + if ((to->flags & WOLFSSL_USE_CHECK_TIME) == 0 || isOverWrite) { + to->check_time = from->check_time; + to->flags &= ~WOLFSSL_USE_CHECK_TIME; + } + /* host name */ + if (isOverWrite || + (from->hostName[0] != 0 && (to->hostName[0] == 0 || isDefault))) { + if (!(ret = wolfSSL_X509_VERIFY_PARAM_set1_host(to, from->hostName, + (int)XSTRLEN(from->hostName)))) + return ret; + to->hostFlags = from->hostFlags; + } + /* ip ascii */ + if (isOverWrite || + (from->ipasc[0] != 0 && (to->ipasc[0] == 0 || isDefault))) { + + if (!(ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(to, from->ipasc))) + return ret; + } + + if (flags & WOLFSSL_VPARAM_RESET_FLAGS) + to->flags = 0; + + to->flags |= from->flags; + + return ret; +} /****************************************************************************** * wolfSSL_X509_VERIFY_PARAM_set1_host - sets the DNS hostname to name * hostnames is cleared if name is NULL or empty. @@ -26107,12 +26512,32 @@ int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, return WOLFSSL_SUCCESS; } /****************************************************************************** -* wolfSSL_get0_param - return a pointer to the SSL verification parameters +* wolfSSL_CTX_set1_param - set a pointer to the SSL verification parameters +* +* RETURNS: +* WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE +*/ +int wolfSSL_CTX_set1_param(WOLFSSL_CTX* ctx, WOLFSSL_X509_VERIFY_PARAM *vpm) +{ + return wolfSSL_X509_VERIFY_PARAM_set1(ctx->param, vpm); +} + +/****************************************************************************** +* wolfSSL_CTX/_get0_param - return a pointer to the SSL verification parameters * * RETURNS: * returns pointer to the SSL verification parameters on success, * otherwise returns NULL */ +WOLFSSL_X509_VERIFY_PARAM* wolfSSL_CTX_get0_param(WOLFSSL_CTX* ctx) +{ + if (ctx == NULL) { + return NULL; + } + + return ctx->param; +} + WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl) { if (ssl == NULL) { @@ -26121,6 +26546,32 @@ WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl) return ssl->param; } +/* Set VERIFY PARAM from "from" pointer to "to" pointer */ +int wolfSSL_X509_VERIFY_PARAM_set1(WOLFSSL_X509_VERIFY_PARAM *to, + const WOLFSSL_X509_VERIFY_PARAM *from) +{ + int ret = WOLFSSL_FAILURE; + unsigned int _inherit_flags; + + if (!to) { + return ret; + } + /* keeps the inherit flags for save */ + _inherit_flags = to->inherit_flags; + + /* Ored DEFAULT inherit flag proerty to copy "from" contents to "to" + * contents + */ + to->inherit_flags |= WOLFSSL_VPARAM_DEFAULT; + + ret = wolfSSL_X509_VERIFY_PARAM_inherit(to, from); + + /* restore inherit flag */ + to->inherit_flags = _inherit_flags; + + return ret; +} + /* Set the host flag in the X509_VERIFY_PARAM structure */ void wolfSSL_X509_VERIFY_PARAM_set_hostflags(WOLFSSL_X509_VERIFY_PARAM* param, unsigned int flags) @@ -27542,9 +27993,10 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END) InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveDH, ssl->options.haveNTRU, + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); return ssl->options.mask; } @@ -29587,6 +30039,7 @@ WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_set(WOLFSSL_ASN1_TIME *s, time_t t) (void)t; return s; } +#endif /* !NO_WOLFSSL_STUB */ int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *s, const char *str) { @@ -29609,7 +30062,6 @@ int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *s, const char *str) } return WOLFSSL_SUCCESS; } -#endif /* !NO_WOLFSSL_STUB */ #ifndef NO_BIO @@ -29754,6 +30206,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk) switch (sk->type) { case STACK_TYPE_X509: + if (!sk->data.x509) + break; cur->data.x509 = wolfSSL_X509_dup(sk->data.x509); if (!cur->data.x509) { WOLFSSL_MSG("wolfSSL_X509_dup error"); @@ -29764,6 +30218,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk) wolfSSL_CIPHER_copy(&sk->data.cipher, &cur->data.cipher); break; case STACK_TYPE_GEN_NAME: + if (!sk->data.gn) + break; cur->data.gn = wolfSSL_GENERAL_NAME_dup(sk->data.gn); if (!cur->data.gn) { WOLFSSL_MSG("wolfSSL_GENERAL_NAME_new error"); @@ -29771,6 +30227,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk) } break; case STACK_TYPE_OBJ: + if (!sk->data.obj) + break; cur->data.obj = wolfSSL_ASN1_OBJECT_dup(sk->data.obj); if (!cur->data.obj) { WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_dup error"); @@ -40727,7 +41185,177 @@ cleanup: return wolfSSL_X509_sign(x509, ctx->pctx->pkey, wolfSSL_EVP_MD_CTX_md(ctx)); } #endif /* OPENSSL_EXTRA */ + +/* Guarded by either + * A) WOLFSSL_WPAS_SMALL is on or + * B) (OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL) + WOLFSSL_CERT_GEN + + * (WOLFSSL_CERT_REQ or WOLFSSL_CERT_EXT or OPENSSL_EXTRA) has been + * defined + */ +#if defined(WOLFSSL_WPAS_SMALL) || \ + (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ + defined(WOLFSSL_CERT_GEN) && \ + (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \ + defined(OPENSSL_EXTRA)) +/* Converts from NID_* value to wolfSSL value if needed */ +static int ConvertNIDToWolfSSL(int nid) +{ + switch (nid) { + case NID_commonName : return ASN_COMMON_NAME; + case NID_surname : return ASN_SUR_NAME; + case NID_countryName: return ASN_COUNTRY_NAME; + case NID_localityName: return ASN_LOCALITY_NAME; + case NID_stateOrProvinceName: return ASN_STATE_NAME; + case NID_organizationName: return ASN_ORG_NAME; + case NID_organizationalUnitName: return ASN_ORGUNIT_NAME; + case NID_emailAddress: return ASN_EMAIL_NAME; + case NID_serialNumber: return ASN_SERIAL_NUMBER; + case NID_businessCategory: return ASN_BUS_CAT; + case NID_domainComponent: return ASN_DOMAIN_COMPONENT; + default: + WOLFSSL_MSG("Attribute NID not found"); + return -1; + } +} + +/* Converts the x509 name structure into DER format. + * + * out pointer to either a pre setup buffer or a pointer to null for + * creating a dynamic buffer. In the case that a pre-existing buffer is + * used out will be incremented the size of the DER buffer on success. + * + * returns the size of the buffer on success, or negative value with failure + */ +int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) +{ + int totalBytes = 0, i, idx; + byte temp[MAX_SEQ_SZ]; + byte *output, *local = NULL; +#ifdef WOLFSSL_SMALL_STACK + EncodedName* names = NULL; +#else + EncodedName names[MAX_NAME_ENTRIES]; +#endif + + if (out == NULL || name == NULL) + return BAD_FUNC_ARG; + +#ifdef WOLFSSL_SMALL_STACK + names = (EncodedName*)XMALLOC(sizeof(EncodedName) * MAX_NAME_ENTRIES, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (names == NULL) + return MEMORY_E; +#endif + + XMEMSET(names, 0, sizeof(EncodedName) * MAX_NAME_ENTRIES); + + for (i = 0; i < MAX_NAME_ENTRIES; i++) { + WOLFSSL_X509_NAME_ENTRY* entry; + int ret; + + entry = wolfSSL_X509_NAME_get_entry(name, i); + if (entry != NULL && entry->set == 1) { + const char* nameStr; + int type; + WOLFSSL_ASN1_STRING* data; + + data = wolfSSL_X509_NAME_ENTRY_get_data(entry); + if (data == NULL) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + WOLFSSL_MSG("Error getting entry data"); + return WOLFSSL_FATAL_ERROR; + } + + nameStr = (const char*)wolfSSL_ASN1_STRING_data(data); + type = wolfSSL_ASN1_STRING_type(data); + + switch (type) { + case MBSTRING_UTF8: + type = CTC_UTF8; + break; + case V_ASN1_PRINTABLESTRING: + type = CTC_PRINTABLE; + break; + default: + WOLFSSL_MSG("Unknown encoding type conversion UTF8 by default"); + type = CTC_UTF8; + } + ret = wc_EncodeName(&names[i], nameStr, type, + ConvertNIDToWolfSSL(entry->nid)); + if (ret < 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + WOLFSSL_MSG("EncodeName failed"); + return WOLFSSL_FATAL_ERROR; + } + totalBytes += ret; + } + } + + /* header */ + idx = SetSequence(totalBytes, temp); + if (totalBytes + idx > ASN_NAME_MAX) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + WOLFSSL_MSG("Total Bytes is greater than ASN_NAME_MAX"); + return BUFFER_E; + } + + /* check if using buffer passed in */ + if (*out == NULL) { + *out = local = (unsigned char*)XMALLOC(totalBytes + idx, NULL, + DYNAMIC_TYPE_OPENSSL); + if (*out == NULL) { + return MEMORY_E; + } + } + output = *out; + /* header */ + idx = SetSequence(totalBytes, temp); + if (totalBytes + idx > ASN_NAME_MAX) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + WOLFSSL_MSG("Total Bytes is greater than ASN_NAME_MAX"); + return BUFFER_E; + } + + /* check if using buffer passed in */ + if (*out == NULL) { + *out = local = (unsigned char*)XMALLOC(totalBytes + idx, NULL, + DYNAMIC_TYPE_OPENSSL); + if (*out == NULL) { + return MEMORY_E; + } + } + output = *out; + + idx = SetSequence(totalBytes, output); + totalBytes += idx; + for (i = 0; i < MAX_NAME_ENTRIES; i++) { + if (names[i].used) { + XMEMCPY(output + idx, names[i].encoded, names[i].totalLen); + idx += names[i].totalLen; + } + } + +#ifdef WOLFSSL_SMALL_STACK + XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + /* used existing buffer passed in, so increment pointer */ + if (local == NULL) { + *out += totalBytes; + } + return totalBytes; +} +#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ #endif /* WOLFSSL_CERT_GEN */ + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) WOLFSSL_X509_NAME *wolfSSL_d2i_X509_NAME(WOLFSSL_X509_NAME **name, @@ -42431,6 +43059,53 @@ err: } #endif /* ! NO_SHA */ +#ifdef WOLFSSL_SHA224 + /* One shot SHA224 hash of message. + * + * d message to hash + * n size of d buffer + * md buffer to hold digest. Should be WC_SHA224_DIGEST_SIZE. + * + * Note: if md is null then a static buffer of WC_SHA256_DIGEST_SIZE is used. + * When the static buffer is used this function is not thread safe. + * + * Returns a pointer to the message digest on success and NULL on failure. + */ + unsigned char *wolfSSL_SHA224(const unsigned char *d, size_t n, + unsigned char *md) + { + static byte dig[WC_SHA224_DIGEST_SIZE]; + byte* ret = md; + wc_Sha256 sha; + + WOLFSSL_ENTER("wolfSSL_SHA224"); + + if (wc_InitSha224_ex(&sha, NULL, 0) != 0) { + WOLFSSL_MSG("SHA224 Init failed"); + return NULL; + } + + if (wc_Sha224Update(&sha, (const byte*)d, (word32)n) != 0) { + WOLFSSL_MSG("SHA224 Update failed"); + return NULL; + } + + if (md == NULL) { + WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA224 IS NOT " + "THREAD SAFE WHEN md == NULL"); + ret = dig; + } + if (wc_Sha224Final(&sha, ret) != 0) { + WOLFSSL_MSG("SHA224 Final failed"); + wc_Sha224Free(&sha); + return NULL; + } + wc_Sha224Free(&sha); + + return ret; + } +#endif + #ifndef NO_SHA256 /* One shot SHA256 hash of message. * @@ -47579,10 +48254,6 @@ int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a) #define TICKET_KEY_CB_RET_OK 1 #define TICKET_KEY_CB_RET_RENEW 2 -/* The ticket key callback as used in OpenSSL is stored here. */ -static int (*ticketKeyCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv, - WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc) = NULL; - /* Implementation of session ticket encryption/decryption using OpenSSL * callback to initialize the cipher and HMAC. * @@ -47600,11 +48271,11 @@ static int (*ticketKeyCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv, * WOLFSSL_TICKET_RET_FATAL on error. */ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl, - unsigned char keyName[WOLFSSL_TICKET_NAME_SZ], - unsigned char iv[WOLFSSL_TICKET_IV_SZ], - unsigned char mac[WOLFSSL_TICKET_MAC_SZ], - int enc, unsigned char* encTicket, - int encTicketLen, int* encLen, void* ctx) + unsigned char keyName[WOLFSSL_TICKET_NAME_SZ], + unsigned char iv[WOLFSSL_TICKET_IV_SZ], + unsigned char mac[WOLFSSL_TICKET_MAC_SZ], + int enc, unsigned char* encTicket, + int encTicketLen, int* encLen, void* ctx) { byte digest[WC_MAX_DIGEST_SIZE]; WOLFSSL_EVP_CIPHER_CTX evpCtx; @@ -47616,14 +48287,25 @@ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl, (void)ctx; - if (ticketKeyCb == NULL) - return WOLFSSL_TICKET_RET_FATAL; + WOLFSSL_ENTER("wolfSSL_TicketKeyCb"); - wolfSSL_EVP_CIPHER_CTX_init(&evpCtx); - /* Initialize the cipher and HMAC. */ - res = ticketKeyCb(ssl, keyName, iv, &evpCtx, &hmacCtx, enc); - if (res != TICKET_KEY_CB_RET_OK && res != TICKET_KEY_CB_RET_RENEW) + if (ssl == NULL || ssl->ctx == NULL || ssl->ctx->ticketEncCtx == NULL) { + WOLFSSL_MSG("Bad parameter"); return WOLFSSL_TICKET_RET_FATAL; + } + + /* Initialize the cipher and HMAC. */ + wolfSSL_EVP_CIPHER_CTX_init(&evpCtx); + if (wolfSSL_HMAC_CTX_Init(&hmacCtx) != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("wolfSSL_HMAC_CTX_Init error"); + return WOLFSSL_TICKET_RET_FATAL; + } + res = ((ticketCompatCb)ssl->ctx->ticketEncCtx)(ssl, keyName, + iv, &evpCtx, &hmacCtx, enc); + if (res != TICKET_KEY_CB_RET_OK && res != TICKET_KEY_CB_RET_RENEW) { + WOLFSSL_MSG("Ticket callback error"); + return WOLFSSL_TICKET_RET_FATAL; + } if (enc) { @@ -47682,16 +48364,13 @@ end: * cb The OpenSSL session ticket callback. * returns WOLFSSL_SUCCESS to indicate success. */ -int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *ctx, int (*cb)( - WOLFSSL *ssl, unsigned char *name, unsigned char *iv, - WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc)) +int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *ctx, ticketCompatCb cb) { - /* Store callback in a global. */ - ticketKeyCb = cb; /* Set the ticket encryption callback to be a wrapper around OpenSSL * callback. */ ctx->ticketEncCb = wolfSSL_TicketKeyCb; + ctx->ticketEncCtx = (void*)cb; return WOLFSSL_SUCCESS; } @@ -47924,10 +48603,18 @@ int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, return WOLFSSL_SUCCESS; } -int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, - WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x) +/** + * Find the issuing cert of the input cert. On a self-signed cert this + * function will return an error. + * @param issuer The issuer x509 struct is returned here + * @param cm The cert manager that is queried for the issuer + * @param x This cert's issuer will be queried in cm + * @return WOLFSSL_SUCCESS on success + * WOLFSSL_FAILURE on error + */ +static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm, + WOLFSSL_X509 *x) { - WOLFSSL_STACK* node; Signer* ca = NULL; #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; @@ -47935,6 +48622,56 @@ int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, DecodedCert cert[1]; #endif +#ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); + if (cert == NULL) + return WOLFSSL_FAILURE; +#endif + + /* Use existing CA retrieval APIs that use DecodedCert. */ + InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, NULL); + if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0 + && !cert->selfSigned) { + #ifndef NO_SKID + if (cert->extAuthKeyIdSet) + ca = GetCA(cm, cert->extAuthKeyId); + if (ca == NULL) + ca = GetCAByName(cm, cert->issuerHash); + #else /* NO_SKID */ + ca = GetCA(cm, cert->issuerHash); + #endif /* NO SKID */ + } + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); +#endif + + if (ca == NULL) + return WOLFSSL_FAILURE; + +#ifdef WOLFSSL_SIGNER_DER_CERT + /* populate issuer with Signer DER */ + if (wolfSSL_X509_d2i(issuer, ca->derCert->buffer, + ca->derCert->length) == NULL) + return WOLFSSL_FAILURE; +#else + /* Create an empty certificate as CA doesn't have a certificate. */ + *issuer = (WOLFSSL_X509 *)XMALLOC(sizeof(WOLFSSL_X509), 0, + DYNAMIC_TYPE_OPENSSL); + if (*issuer == NULL) + return WOLFSSL_FAILURE; + + InitX509((*issuer), 1, NULL); +#endif + + return WOLFSSL_SUCCESS; +} + +int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, + WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x) +{ + WOLFSSL_STACK* node; + if (issuer == NULL || ctx == NULL || x == NULL) return WOLFSSL_FATAL_ERROR; @@ -47947,52 +48684,9 @@ int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, } } - -#ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return WOLFSSL_FAILURE; -#endif - - /* Use existing CA retrieval APIs that use DecodedCert. */ - InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, NULL); - if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0) { - #ifndef NO_SKID - if (cert->extAuthKeyIdSet) - ca = GetCA(ctx->store->cm, cert->extAuthKeyId); - if (ca == NULL) - ca = GetCAByName(ctx->store->cm, cert->issuerHash); - #else /* NO_SKID */ - ca = GetCA(ctx->store->cm, cert->issuerHash); - #endif /* NO SKID */ - } - FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); -#endif - - if (ca == NULL) - return WOLFSSL_FAILURE; - -#ifdef WOLFSSL_SIGNER_DER_CERT - /* populate issuer with Signer DER */ - *issuer = wolfSSL_X509_d2i(issuer, ca->derCert->buffer, - ca->derCert->length); - if (*issuer == NULL) - return WOLFSSL_FAILURE; -#else - /* Create an empty certificate as CA doesn't have a certificate. */ - *issuer = (WOLFSSL_X509 *)XMALLOC(sizeof(WOLFSSL_X509), 0, - DYNAMIC_TYPE_OPENSSL); - if (*issuer == NULL) - return WOLFSSL_FAILURE; - - InitX509((*issuer), 1, NULL); -#endif - /* Result is ignored when passed to wolfSSL_OCSP_cert_to_id(). */ - return WOLFSSL_SUCCESS; + return x509GetIssuerFromCM(issuer, ctx->store->cm, x); } void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk) @@ -48012,7 +48706,7 @@ WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x) WOLFSSL_STACK* list = NULL; char* url; - if (x->authInfoSz == 0) + if (x == NULL || x->authInfoSz == 0) return NULL; list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoSz + 1, @@ -52921,6 +53615,17 @@ int wolfSSL_X509_NAME_copy(WOLFSSL_X509_NAME* from, WOLFSSL_X509_NAME* to) return BAD_FUNC_ARG; } +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) + if (from->rawLen > 0) { + if (from->rawLen > ASN_NAME_MAX) { + WOLFSSL_MSG("Bad raw size"); + return BAD_FUNC_ARG; + } + XMEMCPY(to->raw, from->raw, from->rawLen); + to->rawLen = from->rawLen; + } +#endif + if (from->dynamicName) { to->name = (char*)XMALLOC(from->sz, to->heap, DYNAMIC_TYPE_SUBJECT_CN); if (to->name == NULL) diff --git a/src/tls.c b/src/tls.c index 0df44fc9b0..33e0fbaf6b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -9107,9 +9107,17 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, byte* input, word16 length, if (length != 0) return BUFFER_E; - if (ssl->earlyData == expecting_early_data) + if (ssl->earlyData == expecting_early_data) { + + if (ssl->options.maxEarlyDataSz != 0) + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; + else + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; + return TLSX_EarlyData_Use(ssl, 0); + } ssl->earlyData = early_data_ext; + return 0; } if (msgType == encrypted_extensions) { @@ -9122,6 +9130,11 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, byte* input, word16 length, if (ssl->options.pskIdIndex != 1) return PSK_KEY_ERROR; + if (ssl->options.side == WOLFSSL_CLIENT_END) { + /* the extension from server comes in */ + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; + } + return TLSX_EarlyData_Use(ssl, 1); } if (msgType == session_ticket) { diff --git a/src/tls13.c b/src/tls13.c index f8621977f5..16b449f913 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -8132,7 +8132,7 @@ int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) for (i = 0; i < count; i++) { /* Call to wolfSSL_CTX_UseSupportedCurve also checks if input groups * are valid */ - if ((ret = wolfSSL_CTX_UseSupportedCurve(ctx, groups[i])) + if ((ret = wolfSSL_CTX_UseSupportedCurve(ctx, (word16)groups[i])) != WOLFSSL_SUCCESS) { TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); return ret; @@ -8167,7 +8167,7 @@ int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) for (i = 0; i < count; i++) { /* Call to wolfSSL_UseSupportedCurve also checks if input groups * are valid */ - if ((ret = wolfSSL_UseSupportedCurve(ssl, groups[i])) + if ((ret = wolfSSL_UseSupportedCurve(ssl, (word16)groups[i])) != WOLFSSL_SUCCESS) { TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); return ret; @@ -8217,7 +8217,8 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } @@ -8254,7 +8255,8 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl, InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveStaticECC, ssl->options.haveAnon, + ssl->options.side); } #endif @@ -8654,11 +8656,25 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) ret = wolfSSL_connect_TLSv13(ssl); if (ret != WOLFSSL_SUCCESS) return WOLFSSL_FATAL_ERROR; + /* on client side, status is set to rejected */ + /* until sever accepts the early data extension. */ + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; } if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) { +#ifdef OPENSSL_EXTRA + /* when processed early data exceeds max size */ + if (ssl->session.maxEarlyDataSz > 0 && + (ssl->earlyDataSz + sz > ssl->session.maxEarlyDataSz)) { + ssl->error = TOO_MUCH_EARLY_DATA; + return WOLFSSL_FATAL_ERROR; + } +#endif ret = SendData(ssl, data, sz); - if (ret > 0) + if (ret > 0) { *outSz = ret; + /* store amount of processed early data from client */ + ssl->earlyDataSz += ret; + } } #else return SIDE_ERROR; @@ -8722,6 +8738,21 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) ret = WOLFSSL_FATAL_ERROR; return ret; } + +/* Returns early data status + * + * ssl The SSL/TLS object. + * returns WOLFSSL_EARLY_DATA_ACCEPTED if the data was accepted + * WOLFSSL_EARLY_DATA_REJECTED if the data was rejected + * WOLFSSL_EARLY_DATA_NOT_SENT if no early data was sent + */ +int wolfSSL_get_early_data_status(const WOLFSSL* ssl) +{ + if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) + return BAD_FUNC_ARG; + + return ssl->earlyDataStatus; +} #endif #ifdef HAVE_SECRET_CALLBACK diff --git a/tests/api.c b/tests/api.c index 48b40a0df7..f869f27af3 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2625,6 +2625,75 @@ static int nonblocking_accept_read(void* args, WOLFSSL* ssl, SOCKET_T* sockfd) } #endif /* WOLFSSL_SESSION_EXPORT */ +/* TODO: Expand and enable this when EVP_chacha20_poly1305 is supported */ +#if defined(HAVE_SESSION_TICKET) && \ + defined(HAVE_AESGCM) && \ + defined(OPENSSL_EXTRA) + + typedef struct openssl_key_ctx { + byte name[WOLFSSL_TICKET_NAME_SZ]; /* server name */ + byte key[WOLFSSL_TICKET_KEY_SZ]; /* cipher key */ + byte hmacKey[WOLFSSL_TICKET_NAME_SZ]; /* hmac key */ + byte iv[WOLFSSL_TICKET_IV_SZ]; /* cipher iv */ + } openssl_key_ctx; + + static THREAD_LS_T openssl_key_ctx myOpenSSLKey_ctx; + static THREAD_LS_T WC_RNG myOpenSSLKey_rng; + + static WC_INLINE int OpenSSLTicketInit(void) + { + int ret = wc_InitRng(&myOpenSSLKey_rng); + if (ret != 0) return ret; + + ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.name, + sizeof(myOpenSSLKey_ctx.name)); + if (ret != 0) return ret; + + ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.key, + sizeof(myOpenSSLKey_ctx.key)); + if (ret != 0) return ret; + + ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.hmacKey, + sizeof(myOpenSSLKey_ctx.hmacKey)); + if (ret != 0) return ret; + + ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.iv, + sizeof(myOpenSSLKey_ctx.iv)); + if (ret != 0) return ret; + + return 0; + } + + static WC_INLINE int myTicketEncCbOpenSSL(WOLFSSL* ssl, + byte name[WOLFSSL_TICKET_NAME_SZ], + byte iv[WOLFSSL_TICKET_IV_SZ], + WOLFSSL_EVP_CIPHER_CTX *ectx, + WOLFSSL_HMAC_CTX *hctx, int enc) { + (void)ssl; + if (enc) { + XMEMCPY(name, myOpenSSLKey_ctx.name, sizeof(myOpenSSLKey_ctx.name)); + XMEMCPY(iv, myOpenSSLKey_ctx.iv, sizeof(myOpenSSLKey_ctx.iv)); + } + else if (XMEMCMP(name, myOpenSSLKey_ctx.name, + sizeof(myOpenSSLKey_ctx.name)) != 0 || + XMEMCMP(iv, myOpenSSLKey_ctx.iv, + sizeof(myOpenSSLKey_ctx.iv)) != 0) { + return 0; + } + HMAC_Init_ex(hctx, myOpenSSLKey_ctx.hmacKey, WOLFSSL_TICKET_NAME_SZ, EVP_sha256(), NULL); + if (enc) + EVP_EncryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, myOpenSSLKey_ctx.key, iv); + else + EVP_DecryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, myOpenSSLKey_ctx.key, iv); + return 1; + } + + static WC_INLINE void OpenSSLTicketCleanup(void) + { + wc_FreeRng(&myOpenSSLKey_rng); + } +#endif + static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) { SOCKET_T sockfd = 0; @@ -2666,11 +2735,16 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) ctx = wolfSSL_CTX_new(method); } -#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ +#if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AESGCM) + OpenSSLTicketInit(); + wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx, myTicketEncCbOpenSSL); +#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) TicketInit(); wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb); #endif +#endif #if defined(USE_WINDOWS_API) port = ((func_args*)args)->signal->port; @@ -2853,10 +2927,14 @@ done: wc_ecc_fp_free(); /* free per thread cache */ #endif -#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \ +#if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) +#if defined(OPENSSL_EXTRA) && defined(HAVE_AESGCM) + OpenSSLTicketCleanup(); +#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) TicketCleanup(); #endif +#endif #ifndef WOLFSSL_TIRTOS return 0; @@ -4287,7 +4365,7 @@ static void test_wolfSSL_UseSNI_connection(void) static void test_wolfSSL_SNI_GetFromBuffer(void) { - byte buffer[] = { /* www.paypal.com */ + byte buff[] = { /* www.paypal.com */ 0x00, 0x00, 0x00, 0x00, 0xff, 0x01, 0x00, 0x00, 0x60, 0x03, 0x03, 0x5c, 0xc4, 0xb3, 0x8c, 0x87, 0xef, 0xa4, 0x09, 0xe0, 0x02, 0xab, 0x86, 0xca, 0x76, 0xf0, 0x9e, 0x01, 0x65, 0xf6, 0xa6, 0x06, 0x13, 0x1d, 0x0f, 0xa5, @@ -4299,7 +4377,7 @@ static void test_wolfSSL_SNI_GetFromBuffer(void) 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01 }; - byte buffer2[] = { /* api.textmate.org */ + byte buff2[] = { /* api.textmate.org */ 0x16, 0x03, 0x01, 0x00, 0xc6, 0x01, 0x00, 0x00, 0xc2, 0x03, 0x03, 0x52, 0x8b, 0x7b, 0xca, 0x69, 0xec, 0x97, 0xd5, 0x08, 0x03, 0x50, 0xfe, 0x3b, 0x99, 0xc3, 0x20, 0xce, 0xa5, 0xf6, 0x99, 0xa5, 0x71, 0xf9, 0x57, 0x7f, @@ -4319,7 +4397,7 @@ static void test_wolfSSL_SNI_GetFromBuffer(void) 0x0a, 0x05, 0x01, 0x04, 0x01, 0x02, 0x01, 0x04, 0x03, 0x02, 0x03 }; - byte buffer3[] = { /* no sni extension */ + byte buff3[] = { /* no sni extension */ 0x16, 0x03, 0x03, 0x00, 0x4d, 0x01, 0x00, 0x00, 0x49, 0x03, 0x03, 0xea, 0xa1, 0x9f, 0x60, 0xdd, 0x52, 0x12, 0x13, 0xbd, 0x84, 0x34, 0xd5, 0x1c, 0x38, 0x25, 0xa8, 0x97, 0xd2, 0xd5, 0xc6, 0x45, 0xaf, 0x1b, 0x08, 0xe4, @@ -4329,7 +4407,7 @@ static void test_wolfSSL_SNI_GetFromBuffer(void) 0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01 }; - byte buffer4[] = { /* last extension has zero size */ + byte buff4[] = { /* last extension has zero size */ 0x16, 0x03, 0x01, 0x00, 0xba, 0x01, 0x00, 0x00, 0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45, 0x15, 0xbd, 0x64, 0xa9, 0xb6, 0x07, 0xb4, 0x50, 0xc6, 0xdd, 0xff, 0xc2, @@ -4349,7 +4427,7 @@ static void test_wolfSSL_SNI_GetFromBuffer(void) 0x12, 0x00, 0x00 }; - byte buffer5[] = { /* SSL v2.0 client hello */ + byte buff5[] = { /* SSL v2.0 client hello */ 0x00, 0x2b, 0x01, 0x03, 0x01, 0x00, 0x09, 0x00, 0x00, /* dummy bytes bellow, just to pass size check */ 0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45, @@ -4360,58 +4438,58 @@ static void test_wolfSSL_SNI_GetFromBuffer(void) byte result[32] = {0}; word32 length = 32; - AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buffer4, sizeof(buffer4), + AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff4, sizeof(buff4), 0, result, &length)); - AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buffer3, sizeof(buffer3), + AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff3, sizeof(buff3), 0, result, &length)); - AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), + AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff2, sizeof(buff2), 1, result, &length)); - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), + AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff), 0, result, &length)); - buffer[0] = 0x16; + buff[0] = 0x16; - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), + AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff), 0, result, &length)); - buffer[1] = 0x03; + buff[1] = 0x03; - AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buffer, - sizeof(buffer), 0, result, &length)); - buffer[2] = 0x03; + AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buff, + sizeof(buff), 0, result, &length)); + buff[2] = 0x03; - AssertIntEQ(INCOMPLETE_DATA, wolfSSL_SNI_GetFromBuffer(buffer, - sizeof(buffer), 0, result, &length)); - buffer[4] = 0x64; + AssertIntEQ(INCOMPLETE_DATA, wolfSSL_SNI_GetFromBuffer(buff, + sizeof(buff), 0, result, &length)); + buff[4] = 0x64; - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff), 0, result, &length)); result[length] = 0; AssertStrEQ("www.paypal.com", (const char*) result); length = 32; - AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), + AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buff2, sizeof(buff2), 0, result, &length)); result[length] = 0; AssertStrEQ("api.textmate.org", (const char*) result); /* SSL v2.0 tests */ - AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buffer5, - sizeof(buffer5), 0, result, &length)); + AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buff5, + sizeof(buff5), 0, result, &length)); - buffer5[2] = 0x02; - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer5, - sizeof(buffer5), 0, result, &length)); + buff5[2] = 0x02; + AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff5, + sizeof(buff5), 0, result, &length)); - buffer5[2] = 0x01; buffer5[6] = 0x08; - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer5, - sizeof(buffer5), 0, result, &length)); + buff5[2] = 0x01; buff5[6] = 0x08; + AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff5, + sizeof(buff5), 0, result, &length)); - buffer5[6] = 0x09; buffer5[8] = 0x01; - AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer5, - sizeof(buffer5), 0, result, &length)); + buff5[6] = 0x09; buff5[8] = 0x01; + AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff5, + sizeof(buff5), 0, result, &length)); } #endif /* HAVE_SNI */ @@ -5312,7 +5390,7 @@ static void test_wolfSSL_no_password_cb(void) #if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) \ && defined(HAVE_ECC) && defined(WOLFSSL_ENCRYPTED_KEYS) WOLFSSL_CTX* ctx; - byte buffer[FOURK_BUF]; + byte buff[FOURK_BUF]; const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der"; const char eccPkcs8PrivKeyPemFile[] = "./certs/ecc-privkeyPkcs8.pem"; XFILE f; @@ -5328,17 +5406,17 @@ static void test_wolfSSL_no_password_cb(void) wolfSSL_CTX_set_default_passwd_cb(ctx, FailTestCallBack); AssertTrue((f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb")) != XBADFILE); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); - AssertIntLE(bytes, sizeof(buffer)); - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntLE(bytes, sizeof(buff)); + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); AssertTrue((f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb")) != XBADFILE); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); - AssertIntLE(bytes, sizeof(buffer)); - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntLE(bytes, sizeof(buff)); + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); wolfSSL_CTX_free(ctx); @@ -5381,7 +5459,7 @@ static int PKCS8TestCallBack(char* passwd, int sz, int rw, void* userdata) static void test_wolfSSL_PKCS8(void) { #if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) - byte buffer[FOURK_BUF]; + byte buff[FOURK_BUF]; byte der[FOURK_BUF]; #ifndef NO_RSA const char serverKeyPkcs8PemFile[] = "./certs/server-keyPkcs8.pem"; @@ -5436,36 +5514,36 @@ static void test_wolfSSL_PKCS8(void) /* test loading PEM PKCS8 encrypted file */ f = XFOPEN(serverKeyPkcs8EncPemFile, "rb"); AssertTrue((f != XBADFILE)); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); /* this next case should fail because of password callback return code */ flag = 0; /* used by password callback as return code */ - AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); /* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */ - AssertIntGT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der), + AssertIntGT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), "yassl123"), 0); /* test that error value is returned with a bad password */ - AssertIntLT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der), + AssertIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), "bad"), 0); /* test loading PEM PKCS8 encrypted file */ f = XFOPEN(serverKeyPkcs8EncDerFile, "rb"); AssertTrue((f != XBADFILE)); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); flag = 1; /* used by password callback as return code */ - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); /* this next case should fail because of password callback return code */ flag = 0; /* used by password callback as return code */ - AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); #endif /* !NO_RSA && !NO_SHA */ @@ -5473,37 +5551,37 @@ static void test_wolfSSL_PKCS8(void) /* test loading PEM PKCS8 encrypted ECC Key file */ f = XFOPEN(eccPkcs8EncPrivKeyPemFile, "rb"); AssertTrue((f != XBADFILE)); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); flag = 1; /* used by password callback as return code */ - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); /* this next case should fail because of password callback return code */ flag = 0; /* used by password callback as return code */ - AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); /* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */ - AssertIntGT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der), + AssertIntGT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), "yassl123"), 0); /* test that error value is returned with a bad password */ - AssertIntLT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der), + AssertIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), "bad"), 0); /* test loading DER PKCS8 encrypted ECC Key file */ f = XFOPEN(eccPkcs8EncPrivKeyDerFile, "rb"); AssertTrue((f != XBADFILE)); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); flag = 1; /* used by password callback as return code */ - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); /* this next case should fail because of password callback return code */ flag = 0; /* used by password callback as return code */ - AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); /* leave flag as "okay" */ @@ -5516,32 +5594,32 @@ static void test_wolfSSL_PKCS8(void) /* test loading ASN.1 (DER) PKCS8 private key file (not encrypted) */ f = XFOPEN(serverKeyPkcs8DerFile, "rb"); AssertTrue((f != XBADFILE)); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); /* test loading PEM PKCS8 private key file (not encrypted) */ f = XFOPEN(serverKeyPkcs8PemFile, "rb"); AssertTrue((f != XBADFILE)); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); #endif /* !NO_RSA */ /* Test PKCS8 PEM ECC key no crypt */ f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb"); AssertTrue((f != XBADFILE)); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); #ifdef HAVE_ECC /* Test PKCS8 PEM ECC key no crypt */ - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); /* decrypt PKCS8 PEM to key in DER format */ - AssertIntGT((bytes = wc_KeyPemToDer(buffer, bytes, der, + AssertIntGT((bytes = wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), NULL)), 0); ret = wc_ecc_init(&key); if (ret == 0) { @@ -5553,15 +5631,15 @@ static void test_wolfSSL_PKCS8(void) /* Test PKCS8 DER ECC key no crypt */ f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb"); AssertTrue((f != XBADFILE)); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); /* Test using a PKCS8 ECC PEM */ - AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes, + AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); #else /* if HAVE_ECC is not defined then BEGIN EC PRIVATE KEY is not found */ - AssertIntEQ((bytes = wc_KeyPemToDer(buffer, bytes, der, + AssertIntEQ((bytes = wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der), NULL)), ASN_NO_PEM_HEADER); #endif /* HAVE_ECC */ @@ -5722,7 +5800,7 @@ static void test_wolfSSL_X509_verify(void) #if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) \ && defined(OPENSSL_EXTRA) WOLFSSL_X509* ca; - WOLFSSL_X509* server; + WOLFSSL_X509* serv; WOLFSSL_EVP_PKEY* pkey; unsigned char buf[2048]; const unsigned char* pt = NULL; @@ -5746,7 +5824,7 @@ static void test_wolfSSL_X509_verify(void) AssertIntEQ(wolfSSL_X509_get_pubkey_type(ca), RSAk); - AssertNotNull(server = + AssertNotNull(serv = wolfSSL_X509_load_certificate_file(svrCertFile, WOLFSSL_FILETYPE_PEM)); /* success case */ @@ -5755,23 +5833,23 @@ static void test_wolfSSL_X509_verify(void) AssertIntEQ(i2d_PUBKEY(pkey, NULL), bufSz); - AssertIntEQ(wolfSSL_X509_verify(server, pkey), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_X509_verify(serv, pkey), WOLFSSL_SUCCESS); wolfSSL_EVP_PKEY_free(pkey); /* fail case */ bufSz = 2048; - AssertIntEQ(wolfSSL_X509_get_pubkey_buffer(server, buf, &bufSz), + AssertIntEQ(wolfSSL_X509_get_pubkey_buffer(serv, buf, &bufSz), WOLFSSL_SUCCESS); pt = buf; AssertNotNull(pkey = wolfSSL_d2i_PUBKEY(NULL, &pt, bufSz)); - AssertIntEQ(wolfSSL_X509_verify(server, pkey), WOLFSSL_FAILURE); + AssertIntEQ(wolfSSL_X509_verify(serv, pkey), WOLFSSL_FAILURE); AssertIntEQ(wolfSSL_X509_verify(NULL, pkey), WOLFSSL_FATAL_ERROR); - AssertIntEQ(wolfSSL_X509_verify(server, NULL), WOLFSSL_FATAL_ERROR); + AssertIntEQ(wolfSSL_X509_verify(serv, NULL), WOLFSSL_FATAL_ERROR); wolfSSL_EVP_PKEY_free(pkey); wolfSSL_FreeX509(ca); - wolfSSL_FreeX509(server); + wolfSSL_FreeX509(serv); printf(resultFmt, passed); #endif @@ -26865,7 +26943,7 @@ static void test_wolfSSL_tmp_dh(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \ !defined(NO_DSA) && !defined(NO_RSA) && !defined(NO_DH) && !defined(NO_BIO) - byte buffer[6000]; + byte buff[6000]; char file[] = "./certs/dsaparams.pem"; XFILE f; int bytes; @@ -26891,10 +26969,10 @@ static void test_wolfSSL_tmp_dh(void) f = XFOPEN(file, "rb"); AssertTrue((f != XBADFILE)); - bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f); + bytes = (int)XFREAD(buff, 1, sizeof(buff), f); XFCLOSE(f); - bio = BIO_new_mem_buf((void*)buffer, bytes); + bio = BIO_new_mem_buf((void*)buff, bytes); AssertNotNull(bio); dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL); @@ -27967,6 +28045,51 @@ static void test_wolfSSL_X509_STORE_CTX_set_time(void) #endif /* OPENSSL_EXTRA */ } +static void test_wolfSSL_CTX_get0_set1_param(void) +{ +#if defined(OPENSSL_EXTRA) + int ret; + SSL_CTX* ctx; + WOLFSSL_X509_VERIFY_PARAM* pParam; + WOLFSSL_X509_VERIFY_PARAM* pvpm; + char testIPv4[] = "127.0.0.1"; + char testhostName[] = "foo.hoge.com"; + + printf(testingFmt, "wolfSSL_CTX_get0_set1_param()"); + + #ifndef NO_WOLFSSL_SERVER + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + #else + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + #endif + + AssertNotNull(pParam = SSL_CTX_get0_param(ctx)); + + pvpm = (WOLFSSL_X509_VERIFY_PARAM *)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL); + AssertNotNull(pvpm); + XMEMSET(pvpm, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + + wolfSSL_X509_VERIFY_PARAM_set1_host(pvpm, testhostName, + (int)XSTRLEN(testhostName)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(pvpm, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(pvpm, 0x01); + + ret = SSL_CTX_set1_param(ctx, pvpm); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(pParam->hostName, testhostName, + (int)XSTRLEN(testhostName))); + AssertIntEQ(0x01, pParam->hostFlags); + AssertIntEQ(0, XSTRNCMP(pParam->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + + SSL_CTX_free(ctx); + + XFREE(pvpm, NULL, DYNAMIC_TYPE_OPENSSL); + + printf(resultFmt, passed); +#endif /* OPENSSL_EXTRA && !defined(NO_RSA)*/ +} + static void test_wolfSSL_get0_param(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) @@ -28567,7 +28690,7 @@ static int msgCb(SSL_CTX *ctx, SSL *ssl) { (void) ctx; (void) ssl; - #ifdef WOLFSSL_QT + #ifdef OPENSSL_ALL STACK_OF(X509)* sk; X509* x509; int i, num; @@ -28576,10 +28699,10 @@ static int msgCb(SSL_CTX *ctx, SSL *ssl) printf("\n===== msgcb called ====\n"); #if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN) AssertTrue(SSL_get_peer_cert_chain(ssl) != NULL); - AssertIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 1); + AssertIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2); #endif - #ifdef WOLFSSL_QT + #ifdef OPENSSL_ALL bio = BIO_new(BIO_s_file()); BIO_set_fp(bio, stdout, BIO_NOCLOSE); sk = SSL_get_peer_cert_chain(ssl); @@ -29222,12 +29345,18 @@ static void test_wolfSSL_BIO(void) WOLFSSL_SUCCESS); AssertIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); + AssertIntEQ(BIO_tell(f_bio1),sizeof(cert)); AssertIntEQ(BIO_write(f_bio2, msg, sizeof(msg)), sizeof(msg)); + AssertIntEQ(BIO_tell(f_bio2),sizeof(msg)); AssertIntEQ(BIO_write(f_bio2, cert, sizeof(cert)), sizeof(cert)); + AssertIntEQ(BIO_tell(f_bio2),sizeof(cert) + sizeof(msg)); AssertIntEQ((int)BIO_get_fp(f_bio2, &f2), WOLFSSL_SUCCESS); AssertIntEQ(BIO_reset(f_bio2), 0); + AssertIntEQ(BIO_tell(NULL),-1); + AssertIntEQ(BIO_tell(f_bio2),0); AssertIntEQ(BIO_seek(f_bio2, 4), 0); + AssertIntEQ(BIO_tell(f_bio2),4); BIO_free(f_bio1); BIO_free(f_bio2); @@ -29825,50 +29954,128 @@ static void test_wolfSSL_X509_ALGOR_get0(void) static void test_wolfSSL_X509_VERIFY_PARAM(void) { #if defined(OPENSSL_EXTRA) - WOLFSSL_X509_VERIFY_PARAM *param; + WOLFSSL_X509_VERIFY_PARAM *paramTo; + WOLFSSL_X509_VERIFY_PARAM *paramFrom; int ret; char testIPv4[] = "127.0.0.1"; char testIPv6[] = "0001:0000:0000:0000:0000:0000:0000:0000/32"; - + char testhostName1[] = "foo.hoge.com"; + char testhostName2[] = "foobar.hoge.com"; + printf(testingFmt, "wolfSSL_X509()"); - param = wolfSSL_X509_VERIFY_PARAM_new(); - AssertNotNull(param); + paramTo = wolfSSL_X509_VERIFY_PARAM_new(); + AssertNotNull(paramTo); + XMEMSET(paramTo, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); - XMEMSET(param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); + paramFrom = wolfSSL_X509_VERIFY_PARAM_new(); + AssertNotNull(paramFrom); + XMEMSET(paramFrom, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); + ret = wolfSSL_X509_VERIFY_PARAM_set1_host(paramFrom, testhostName1, + (int)XSTRLEN(testhostName1)); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramFrom->hostName, testhostName1, + (int)XSTRLEN(testhostName1))); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(NULL, 0x00); - wolfSSL_X509_VERIFY_PARAM_set_hostflags(param, 0x01); - AssertIntEQ(0x01, param->hostFlags); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramFrom, 0x01); + AssertIntEQ(0x01, paramFrom->hostFlags); ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(NULL, testIPv4); AssertIntEQ(0, ret); - ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv4); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv4); AssertIntEQ(1, ret); - AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + AssertIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); - ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, NULL); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramFrom, NULL); AssertIntEQ(1, ret); - ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv6); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv6); AssertIntEQ(1, ret); - AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + AssertIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); - ret = wolfSSL_X509_VERIFY_PARAM_set_flags(param, WOLFSSL_CRL_CHECKALL); + /* null pointer */ + ret = wolfSSL_X509_VERIFY_PARAM_set1(NULL, paramFrom); + AssertIntEQ(WOLFSSL_FAILURE, ret); + /* in the case of "from" null, returns success */ + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, NULL); + AssertIntEQ(WOLFSSL_SUCCESS, ret); + + ret = wolfSSL_X509_VERIFY_PARAM_set1(NULL, NULL); + AssertIntEQ(WOLFSSL_FAILURE, ret); + + /* inherit flags test : VPARAM_DEFAULT */ + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, + (int)XSTRLEN(testhostName1))); + AssertIntEQ(0x01, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM OVERWRITE */ + wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, + (int)XSTRLEN(testhostName2)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); + + paramTo->inherit_flags = WOLFSSL_VPARAM_OVERWRITE; + + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, + (int)XSTRLEN(testhostName1))); + AssertIntEQ(0x01, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM_RESET_FLAGS */ + wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, + (int)XSTRLEN(testhostName2)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x10); + + paramTo->inherit_flags = WOLFSSL_VPARAM_RESET_FLAGS; + + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, + (int)XSTRLEN(testhostName1))); + AssertIntEQ(0x01, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM_LOCKED */ + wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, + (int)XSTRLEN(testhostName2)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); + + paramTo->inherit_flags = WOLFSSL_VPARAM_LOCKED; + + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName2, + (int)XSTRLEN(testhostName2))); + AssertIntEQ(0x00, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM_ONCE, not testable yet */ + + ret = wolfSSL_X509_VERIFY_PARAM_set_flags(paramTo, WOLFSSL_CRL_CHECKALL); AssertIntEQ(1, ret); - ret = wolfSSL_X509_VERIFY_PARAM_get_flags(param); + ret = wolfSSL_X509_VERIFY_PARAM_get_flags(paramTo); AssertIntEQ(WOLFSSL_CRL_CHECKALL, ret); - ret = wolfSSL_X509_VERIFY_PARAM_clear_flags(param, WOLFSSL_CRL_CHECKALL); + ret = wolfSSL_X509_VERIFY_PARAM_clear_flags(paramTo, WOLFSSL_CRL_CHECKALL); AssertIntEQ(1, ret); - ret = wolfSSL_X509_VERIFY_PARAM_get_flags(param); + ret = wolfSSL_X509_VERIFY_PARAM_get_flags(paramTo); AssertIntEQ(0, ret); - wolfSSL_X509_VERIFY_PARAM_free(param); + wolfSSL_X509_VERIFY_PARAM_free(paramTo); + wolfSSL_X509_VERIFY_PARAM_free(paramFrom); printf(resultFmt, passed); @@ -32584,7 +32791,7 @@ static void test_wolfSSL_SHA(void) #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) printf(testingFmt, "wolfSSL_SHA()"); - #if !defined(NO_SHA) + #if !defined(NO_SHA) && defined(NO_OLD_SHA_NAMES) { const unsigned char in[] = "abc"; unsigned char expected[] = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E" @@ -32594,6 +32801,11 @@ static void test_wolfSSL_SHA(void) XMEMSET(out, 0, WC_SHA_DIGEST_SIZE); AssertNotNull(SHA1(in, XSTRLEN((char*)in), out)); AssertIntEQ(XMEMCMP(out, expected, WC_SHA_DIGEST_SIZE), 0); + + /* SHA interface test */ + XMEMSET(out, 0, WC_SHA_DIGEST_SIZE); + AssertNotNull(SHA(in, XSTRLEN((char*)in), out)); + AssertIntEQ(XMEMCMP(out, expected, WC_SHA_DIGEST_SIZE), 0); } #endif @@ -32803,6 +33015,229 @@ static void test_wolfSSL_AES_ecb_encrypt(void) #endif } +static void test_wolfSSL_MD5(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_MD5) + byte input1[] = ""; + byte input2[] = "message digest"; + byte hash[WC_MD5_DIGEST_SIZE]; + unsigned char output1[] = + "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42\x7e"; + unsigned char output2[] = + "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d\x52\x5a\x2f\x31\xaa\xf1\x61\xd0"; + WOLFSSL_MD5_CTX md5; + + printf(testingFmt, "wolfSSL_MD5()"); + + XMEMSET(&md5, 0, sizeof(md5)); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + AssertIntEQ(wolfSSL_MD5_Update(&md5, input1, + XSTRLEN((const char*)&input1)), 1); + AssertIntEQ(wolfSSL_MD5_Final(hash, &md5), 1); + AssertIntEQ(XMEMCMP(&hash, output1, WC_MD5_DIGEST_SIZE), 0); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + AssertIntEQ(wolfSSL_MD5_Update(&md5, input2, + (int)XSTRLEN((const char*)input2)), 1); + AssertIntEQ(wolfSSL_MD5_Final(hash, &md5), 1); + AssertIntEQ(XMEMCMP(&hash, output2, WC_MD5_DIGEST_SIZE), 0); +#if !defined(NO_OLD_NAMES) && \ + (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))) + AssertIntEQ(MD5(input1, (int)XSTRLEN((const char*)&input1), (byte*)&hash), 0); + AssertIntEQ(XMEMCMP(&hash, output1, WC_MD5_DIGEST_SIZE), 0); + + AssertIntEQ(MD5(input2, (int)XSTRLEN((const char*)&input2), (byte*)&hash), 0); + AssertIntEQ(XMEMCMP(&hash, output2, WC_MD5_DIGEST_SIZE), 0); +#endif + + printf(resultFmt, passed); +#endif +} + +static void test_wolfSSL_MD5_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_MD5) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_MD5_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xac\x1d\x1f\x03\xd0\x8e\xa5\x6e\xb7\x67\xab\x1f\x91\x77\x31\x74"; + unsigned char output2[] = + "\x8d\x79\xd3\xef\x90\x25\x17\x67\xc7\x79\x13\xa4\xbc\x7b\xa7\xe3"; + + WOLFSSL_MD5_CTX md5; + + printf(testingFmt, "wolfSSL_MD5_Transform()"); + + XMEMSET(&md5, 0, sizeof(md5)); + XMEMSET(&local, 0, sizeof(local)); + + /* sanity check */ + AssertIntEQ(wolfSSL_MD5_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_MD5_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_MD5_Transform(&md5, NULL), 0); + AssertIntEQ(wc_Md5Transform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_Md5Transform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_Md5Transform((wc_Md5*)&md5, NULL), BAD_FUNC_ARG); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + /* Do Transform*/ + sLen = (word32)XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_MD5_Transform(&md5, (const byte*)&local[0]), 1); + + AssertIntEQ(XMEMCMP(&((wc_Md5*)&md5)->digest[0], output1, + WC_MD5_DIGEST_SIZE), 0); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + sLen = (word32)XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_MD5_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_MD5_Transform(&md5, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Md5*)&md5)->digest[0], output2, + WC_MD5_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +} + +static void test_wolfSSL_SHA224(void) +{ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA224) && \ + !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) + unsigned char input[] = + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; + unsigned char output[] = + "\x75\x38\x8b\x16\x51\x27\x76\xcc\x5d\xba\x5d\xa1\xfd\x89\x01" + "\x50\xb0\xc6\x45\x5c\xb4\xf5\x8b\x19\x52\x52\x25\x25"; + size_t inLen; + byte hash[WC_SHA224_DIGEST_SIZE]; + + printf(testingFmt, "wolfSSL_SHA224()"); + inLen = XSTRLEN((char*)input); + + XMEMSET(hash, 0, WC_SHA224_DIGEST_SIZE); + AssertNotNull(SHA224(input, inLen, hash)); + AssertIntEQ(XMEMCMP(hash, output, WC_SHA224_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +} +static void test_wolfSSL_SHA_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA) +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_SHA_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xe5\x04\xb4\x92\xed\x8c\x58\x56\x4e\xcd\x1a\x6c\x68\x3f\x05\xbf" + "\x93\x3a\xf7\x09"; + unsigned char output2[] = + "\x8b\x74\xb2\x97\xca\xbc\x5b\x4f\xea\xe6\xc0\x5b\xa0\xb4\x40\x2d" + "\xb8\x08\x6e\x7c"; + + WOLFSSL_SHA_CTX sha; + + printf(testingFmt, "wolfSSL_SHA_Transform()"); + + XMEMSET(&sha, 0, sizeof(sha)); + XMEMSET(&local, 0, sizeof(local)); + + /* sanity check */ + AssertIntEQ(wolfSSL_SHA_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_SHA_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_SHA_Transform(&sha, NULL), 0); + AssertIntEQ(wc_ShaTransform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_ShaTransform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_ShaTransform((wc_Sha*)&sha, NULL), BAD_FUNC_ARG); + + /* Init SHA CTX */ + AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); + /* Do Transform*/ + sLen = (word32)XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output1, + WC_SHA_DIGEST_SIZE), 0); + + /* Init SHA256 CTX */ + AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); + sLen = (word32)XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_SHA_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output2, + WC_SHA_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +#endif +} + +static void test_wolfSSL_SHA256_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_SHA256_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xbe\x98\x56\xda\x69\xb4\xb9\x17\x99\x57\x33\x62\xca\xbe\x9f\x77" + "\x91\xd4\xe5\x8c\x43\x62\xd2\xc0\xea\xf9\xfe\xba\xd8\xa9\x37\x18"; + unsigned char output2[] = + "\x67\xd4\x4e\x1d\x67\x61\x7c\x67\x26\x76\x10\x44\xb8\xff\x10\x78" + "\x39\x9a\xc8\x40\x8c\x60\x16\x73\x05\xd6\x61\xa6\x35\x8c\xf2\x91"; + + WOLFSSL_SHA256_CTX sha256; + + printf(testingFmt, "wolfSSL_SHA256_Transform()"); + + XMEMSET(&sha256, 0, sizeof(sha256)); + XMEMSET(&local, 0, sizeof(local)); + + /* sanity check */ + AssertIntEQ(wolfSSL_SHA256_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_SHA256_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, NULL), 0); + AssertIntEQ(wc_Sha256Transform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha256Transform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha256Transform((wc_Sha256*)&sha256, NULL), BAD_FUNC_ARG); + + /* Init SHA256 CTX */ + AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); + /* Do Transform*/ + sLen = (word32)XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output1, + WC_SHA256_DIGEST_SIZE), 0); + + /* Init SHA256 CTX */ + AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); + sLen = (word32)XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_SHA256_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output2, + WC_SHA256_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +#endif +} + static void test_wolfSSL_SHA256(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && \ @@ -32827,6 +33262,65 @@ static void test_wolfSSL_SHA256(void) #endif } +static void test_wolfSSL_SHA512_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA512) +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_SHA512_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xe8\xcb\x4a\x77\xd5\x81\x78\xcf\x70\x80\xc7\xfb\xe0\x62\x33\x53" + "\xda\x0e\x46\x87\x9d\x63\x67\x02\xb0\x31\x59\xe8\x40\xcb\x86\x30" + "\xa3\x23\xa0\x88\x52\xc9\x7d\x71\xe0\xb5\xe0\x4c\xc1\xb2\xba\x96" + "\x0b\x3e\xe3\xea\x04\xfe\xc4\x6f\xee\x8b\x66\xbd\x0c\xd8\xf4\x91"; + unsigned char output2[] = + "\x0d\xcc\xa0\xeb\x4e\x93\x10\x11\x21\xc8\x04\xfb\x9c\x43\x33\xfd" + "\x41\x31\xab\xca\x3d\x26\xb4\xa9\xab\xd7\x67\xe1\xaf\xaa\xc6\xe2" + "\x83\x4e\xba\x2c\x54\x2e\x8f\x31\x98\x38\x2b\x8f\x9d\xec\x88\xbe" + "\x4d\x5e\x8b\x53\x9d\x4e\xd2\x14\xf0\x96\x20\xaf\x69\x6c\x68\xde"; + + WOLFSSL_SHA512_CTX sha512; + + printf(testingFmt, "wolfSSL_SHA512_Transform()"); + + XMEMSET(&sha512, 0, sizeof(sha512)); + XMEMSET(&local, 0, sizeof(local)); + + /* sanity check */ + AssertIntEQ(wolfSSL_SHA512_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_SHA512_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, NULL), 0); + AssertIntEQ(wc_Sha512Transform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha512Transform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha512Transform((wc_Sha512*)&sha512, NULL), BAD_FUNC_ARG); + + /* Init SHA512 CTX */ + AssertIntEQ(wolfSSL_SHA512_Init(&sha512), 1); + + /* Do Transform*/ + sLen = (word32)XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha512*)&sha512)->digest[0], output1, + WC_SHA512_DIGEST_SIZE), 0); + + /* Init SHA512 CTX */ + AssertIntEQ(wolfSSL_SHA512_Init(&sha512), 1); + sLen = (word32)XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_SHA512_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha512*)&sha512)->digest[0], output2, + WC_SHA512_DIGEST_SIZE), 0); + (void)input1; + printf(resultFmt, passed); +#endif +#endif +} + static void test_wolfSSL_X509_get_serialNumber(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) @@ -34481,7 +34975,7 @@ static void test_wolfSSL_EVP_PKEY_keygen_init(void) } static void test_wolfSSL_EVP_PKEY_missing_parameters(void) { -#if defined(OPENSSL_ALL) +#if defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) WOLFSSL_EVP_PKEY* pkey; printf(testingFmt, "wolfSSL_EVP_PKEY_missing_parameters"); @@ -34766,7 +35260,7 @@ static void test_wolfSSL_EVP_aes_192_gcm(void) } static void test_wolfSSL_EVP_ripemd160(void) { -#if defined(OPENSSL_ALL) +#if defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) printf(testingFmt, "wolfSSL_EVP_ripemd160"); @@ -38589,6 +39083,90 @@ static void test_wolfSSL_X509_CRL(void) return; } +static void test_wolfSSL_X509_load_crl_file(void) +{ +#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) + int i; + char pem[][100] = { + "./certs/crl/crl.pem", + "./certs/crl/crl2.pem", + "./certs/crl/caEccCrl.pem", + "./certs/crl/eccCliCRL.pem", + "./certs/crl/eccSrvCRL.pem", + "" + }; + char der[][100] = { + "./certs/crl/crl.der", + "./certs/crl/crl2.der", + "" + }; + WOLFSSL_X509_STORE* store; + WOLFSSL_X509_LOOKUP* lookup; + + printf(testingFmt, "wolfSSL_X509_laod_crl_file"); + + AssertNotNull(store = wolfSSL_X509_STORE_new()); + AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", + X509_FILETYPE_PEM), 1); + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", + X509_FILETYPE_PEM), 1); + if (store) { + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + /* since store hasn't yet known the revoked cert*/ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM), 1); + } + + for (i = 0; pem[i][0] != '\0'; i++) + { + AssertIntEQ(wolfSSL_X509_load_crl_file(lookup, pem[i], WOLFSSL_FILETYPE_PEM), 1); + } + + if (store) { + /* since store knows crl list */ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED); + } + /* once feeing store */ + wolfSSL_X509_STORE_free(store); + store = NULL; + + AssertNotNull(store = wolfSSL_X509_STORE_new()); + AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", + X509_FILETYPE_PEM), 1); + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", + X509_FILETYPE_PEM), 1); + if (store) { + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + /* since store hasn't yet known the revoked cert*/ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM), 1); + } + + for (i = 0; der[i][0] != '\0'; i++) + { + AssertIntEQ(wolfSSL_X509_load_crl_file(lookup, der[i], WOLFSSL_FILETYPE_ASN1), 1); + } + + if (store) { + /* since store knows crl list */ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED); + } + + wolfSSL_X509_STORE_free(store); + store = NULL; + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_d2i_X509_REQ(void) { #if defined(WOLFSSL_CERT_REQ) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) @@ -40366,6 +40944,70 @@ static int test_wolfSSL_CTX_set_ecdh_auto(void) (void)ctx; return ret; } +static void test_wolfSSL_CTX_get_min_proto_version(void) +{ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) + WOLFSSL_CTX *ctx; + + printf(testingFmt, "wolfSSL_CTX_get_min_proto_version()"); + + #ifndef NO_OLD_TLS + #ifdef WOLFSSL_ALLOW_SSLV3 + #ifdef NO_WOLFSSL_SERVER + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + #else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + #endif + AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION); + wolfSSL_CTX_free(ctx); + #endif + #ifdef WOLFSSL_ALLOW_TLSV10 + #ifdef NO_WOLFSSL_SERVER + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_client_method())); + #else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_server_method())); + #endif + AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION); + wolfSSL_CTX_free(ctx); + #endif + + #ifdef NO_WOLFSSL_SERVER + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_client_method())); + #else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_server_method())); + #endif + AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION); + wolfSSL_CTX_free(ctx); + #endif + + #ifndef WOLFSSL_NO_TLS12 + #ifdef NO_WOLFSSL_SERVER + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); + #else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())); + #endif + AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION); + wolfSSL_CTX_free(ctx); + #endif + + #ifdef WOLFSSL_TLS13 + #ifdef NO_WOLFSSL_SERVER + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); + #else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())); + #endif + AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_3_VERSION); + wolfSSL_CTX_free(ctx); + #endif + + printf(resultFmt, passed); +#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) */ +} /*----------------------------------------------------------------------------* | Main @@ -40526,7 +41168,9 @@ void ApiTest(void) test_wolfSSL_X509_STORE_CTX_get0_store(); test_wolfSSL_X509_STORE(); test_wolfSSL_X509_STORE_load_locations(); + test_wolfSSL_X509_load_crl_file(); test_wolfSSL_BN(); + test_wolfSSL_CTX_get0_set1_param(); #ifndef NO_BIO test_wolfSSL_PEM_read_bio(); test_wolfSSL_BIO(); @@ -40598,7 +41242,13 @@ void ApiTest(void) test_wolfSSL_DH_1536_prime(); test_wolfSSL_PEM_write_DHparams(); test_wolfSSL_AES_ecb_encrypt(); + test_wolfSSL_MD5(); + test_wolfSSL_MD5_Transform(); + test_wolfSSL_SHA_Transform(); test_wolfSSL_SHA256(); + test_wolfSSL_SHA256_Transform(); + test_wolfSSL_SHA224(); + test_wolfSSL_SHA512_Transform(); test_wolfSSL_X509_get_serialNumber(); test_wolfSSL_X509_CRL(); test_wolfSSL_d2i_X509_REQ(); @@ -40787,6 +41437,8 @@ void ApiTest(void) test_export_keying_material(); #endif /* HAVE_KEYING_MATERIAL */ + test_wolfSSL_CTX_get_min_proto_version(); + /*wolfcrypt */ printf("\n-----------------wolfcrypt unit tests------------------\n"); AssertFalse(test_wolfCrypt_Init()); diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index b480f5d946..b9e919deeb 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -5611,6 +5611,7 @@ exit: (void)times; (void)desc; (void)start; + (void)name; } diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index dcc1187af7..b08a5c69fa 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -4798,7 +4798,7 @@ static void AES_GCM_encrypt(const unsigned char *in, unsigned char *out, const unsigned char* addt, const unsigned char* ivec, unsigned char *tag, word32 nbytes, word32 abytes, word32 ibytes, - wrd32 tbytes, const unsigned char* key, int nr) + word32 tbytes, const unsigned char* key, int nr) { int i, j ,k; __m128i ctr1; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e4fe97ed11..9f847e1338 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -7121,8 +7121,6 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, { int ret = 0; - (void)verify; - switch (sigOID) { #if defined(WOLFSSL_MD2) case CTC_MD2wRSA: @@ -7210,6 +7208,14 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID, WOLFSSL_MSG("Hash for Signature has unsupported type"); } + (void)buf; + (void)bufSz; + (void)sigOID; + (void)digest; + (void)digestSz; + (void)typeH; + (void)verify; + return ret; } #endif /* !NO_ASN_CRYPT */ @@ -12413,16 +12419,6 @@ static int CopyValidity(byte* output, Cert* cert) #endif -/* ASN Encoded Name field */ -typedef struct EncodedName { - int nameLen; /* actual string value length */ - int totalLen; /* total encoded length */ - int type; /* type of name */ - int used; /* are we actually using this one */ - byte encoded[CTC_NAME_SIZE * 2]; /* encoding */ -} EncodedName; - - /* Get Which Name from index */ const char* GetOneCertName(CertName* name, int idx) { @@ -13004,281 +13000,126 @@ int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names) * * returns length on success */ -static int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType, - byte type) +int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType, + byte type) { word32 idx = 0; + /* bottom up */ + byte firstLen[1 + MAX_LENGTH_SZ]; + byte secondLen[MAX_LENGTH_SZ]; + byte sequence[MAX_SEQ_SZ]; + byte set[MAX_SET_SZ]; - if (nameStr) { - /* bottom up */ - byte firstLen[1 + MAX_LENGTH_SZ]; - byte secondLen[MAX_LENGTH_SZ]; - byte sequence[MAX_SEQ_SZ]; - byte set[MAX_SET_SZ]; + int strLen; + int thisLen; + int firstSz, secondSz, seqSz, setSz; - int strLen = (int)XSTRLEN(nameStr); - int thisLen = strLen; - int firstSz, secondSz, seqSz, setSz; - - if (strLen == 0) { /* no user data for this item */ - name->used = 0; - return 0; - } - - /* Restrict country code size */ - if (ASN_COUNTRY_NAME == type && strLen != CTC_COUNTRY_SIZE) { - WOLFSSL_MSG("Country code size error"); - return ASN_COUNTRY_SIZE_E; - } - - secondSz = SetLength(strLen, secondLen); - thisLen += secondSz; - switch (type) { - case ASN_EMAIL_NAME: /* email */ - thisLen += EMAIL_JOINT_LEN; - firstSz = EMAIL_JOINT_LEN; - break; - - case ASN_DOMAIN_COMPONENT: - thisLen += PILOT_JOINT_LEN; - firstSz = PILOT_JOINT_LEN; - break; - - default: - thisLen++; /* str type */ - thisLen += JOINT_LEN; - firstSz = JOINT_LEN + 1; - } - thisLen++; /* id type */ - firstSz = SetObjectId(firstSz, firstLen); - thisLen += firstSz; - - seqSz = SetSequence(thisLen, sequence); - thisLen += seqSz; - setSz = SetSet(thisLen, set); - thisLen += setSz; - - if (thisLen > (int)sizeof(name->encoded)) { - return BUFFER_E; - } - - /* store it */ - idx = 0; - /* set */ - XMEMCPY(name->encoded, set, setSz); - idx += setSz; - /* seq */ - XMEMCPY(name->encoded + idx, sequence, seqSz); - idx += seqSz; - /* asn object id */ - XMEMCPY(name->encoded + idx, firstLen, firstSz); - idx += firstSz; - switch (type) { - case ASN_EMAIL_NAME: - { - const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x09, 0x01, 0x16 }; - /* email joint id */ - XMEMCPY(name->encoded + idx, EMAIL_OID, sizeof(EMAIL_OID)); - idx += (int)sizeof(EMAIL_OID); - } - break; - - case ASN_DOMAIN_COMPONENT: - { - const byte PILOT_OID[] = { 0x09, 0x92, 0x26, 0x89, - 0x93, 0xF2, 0x2C, 0x64, 0x01 - }; - - XMEMCPY(name->encoded + idx, PILOT_OID, - sizeof(PILOT_OID)); - idx += (int)sizeof(PILOT_OID); - /* id type */ - name->encoded[idx++] = type; - /* str type */ - name->encoded[idx++] = nameType; - } - break; - - default: - name->encoded[idx++] = 0x55; - name->encoded[idx++] = 0x04; - /* id type */ - name->encoded[idx++] = type; - /* str type */ - name->encoded[idx++] = nameType; - } - /* second length */ - XMEMCPY(name->encoded + idx, secondLen, secondSz); - idx += secondSz; - /* str value */ - XMEMCPY(name->encoded + idx, nameStr, strLen); - idx += strLen; - - name->type = type; - name->totalLen = idx; - name->used = 1; - } - else + if (nameStr == NULL) { name->used = 0; + return 0; + } + thisLen = strLen = (int)XSTRLEN(nameStr); + if (strLen == 0) { /* no user data for this item */ + name->used = 0; + return 0; + } - return idx; -} + /* Restrict country code size */ + if (ASN_COUNTRY_NAME == type && strLen != CTC_COUNTRY_SIZE) { + WOLFSSL_MSG("Country code size error"); + return ASN_COUNTRY_SIZE_E; + } + secondSz = SetLength(strLen, secondLen); + thisLen += secondSz; + switch (type) { + case ASN_EMAIL_NAME: /* email */ + thisLen += EMAIL_JOINT_LEN; + firstSz = EMAIL_JOINT_LEN; + break; + case ASN_DOMAIN_COMPONENT: + thisLen += PILOT_JOINT_LEN; + firstSz = PILOT_JOINT_LEN; + break; - -/* Guarded by either - * A) WOLFSSL_WPAS_SMALL is on or - * B) (OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL) + WOLFSSL_CERT_GEN + - * (WOLFSSL_CERT_REQ or WOLFSSL_CERT_EXT or OPENSSL_EXTRA) has been - * defined - */ -#if defined(WOLFSSL_WPAS_SMALL) || \ - (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ - defined(WOLFSSL_CERT_GEN) && \ - (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \ - defined(OPENSSL_EXTRA)) -/* Converts from NID_* value to wolfSSL value if needed */ -static int ConvertNIDToWolfSSL(int nid) -{ - switch (nid) { - case NID_commonName : return ASN_COMMON_NAME; - case NID_surname : return ASN_SUR_NAME; - case NID_countryName: return ASN_COUNTRY_NAME; - case NID_localityName: return ASN_LOCALITY_NAME; - case NID_stateOrProvinceName: return ASN_STATE_NAME; - case NID_organizationName: return ASN_ORG_NAME; - case NID_organizationalUnitName: return ASN_ORGUNIT_NAME; - case NID_emailAddress: return ASN_EMAIL_NAME; - case NID_serialNumber: return ASN_SERIAL_NUMBER; - case NID_businessCategory: return ASN_BUS_CAT; - case NID_domainComponent: return ASN_DOMAIN_COMPONENT; default: - WOLFSSL_MSG("Attribute NID not found"); - return -1; + thisLen++; /* str type */ + thisLen += JOINT_LEN; + firstSz = JOINT_LEN + 1; } -} + thisLen++; /* id type */ + firstSz = SetObjectId(firstSz, firstLen); + thisLen += firstSz; + seqSz = SetSequence(thisLen, sequence); + thisLen += seqSz; + setSz = SetSet(thisLen, set); + thisLen += setSz; -/* Converts the x509 name structure into DER format. - * - * out pointer to either a pre setup buffer or a pointer to null for - * creating a dynamic buffer. In the case that a pre-existing buffer is - * used out will be incremented the size of the DER buffer on success. - * - * returns the size of the buffer on success, or negative value with failure - */ -int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) -{ - int totalBytes = 0, i, idx; - byte temp[MAX_SEQ_SZ]; - byte *output, *local = NULL; -#ifdef WOLFSSL_SMALL_STACK - EncodedName* names = NULL; -#else - EncodedName names[MAX_NAME_ENTRIES]; -#endif - - if (out == NULL || name == NULL) - return BAD_FUNC_ARG; - -#ifdef WOLFSSL_SMALL_STACK - names = (EncodedName*)XMALLOC(sizeof(EncodedName) * MAX_NAME_ENTRIES, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (names == NULL) - return MEMORY_E; -#endif - - XMEMSET(names, 0, sizeof(EncodedName) * MAX_NAME_ENTRIES); - - for (i = 0; i < MAX_NAME_ENTRIES; i++) { - WOLFSSL_X509_NAME_ENTRY* entry; - int ret; - - entry = wolfSSL_X509_NAME_get_entry(name, i); - if (entry != NULL && entry->set == 1) { - const char* nameStr; - int type; - WOLFSSL_ASN1_STRING* data; - - data = wolfSSL_X509_NAME_ENTRY_get_data(entry); - if (data == NULL) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - WOLFSSL_MSG("Error getting entry data"); - return WOLFSSL_FATAL_ERROR; - } - - nameStr = (const char*)wolfSSL_ASN1_STRING_data(data); - type = wolfSSL_ASN1_STRING_type(data); - - switch (type) { - case MBSTRING_UTF8: - type = CTC_UTF8; - break; - case V_ASN1_PRINTABLESTRING: - type = CTC_PRINTABLE; - break; - default: - WOLFSSL_MSG("Unknown encoding type conversion UTF8 by default"); - type = CTC_UTF8; - } - ret = wc_EncodeName(&names[i], nameStr, type, - ConvertNIDToWolfSSL(entry->nid)); - if (ret < 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - WOLFSSL_MSG("EncodeName failed"); - return WOLFSSL_FATAL_ERROR; - } - totalBytes += ret; - } - } - - /* header */ - idx = SetSequence(totalBytes, temp); - if (totalBytes + idx > ASN_NAME_MAX) { -#ifdef WOLFSSL_SMALL_STACK - XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - WOLFSSL_MSG("Total Bytes is greater than ASN_NAME_MAX"); + if (thisLen > (int)sizeof(name->encoded)) { return BUFFER_E; } - /* check if using buffer passed in */ - if (*out == NULL) { - *out = local = (unsigned char*)XMALLOC(totalBytes + idx, NULL, - DYNAMIC_TYPE_OPENSSL); - if (*out == NULL) { - return MEMORY_E; + /* store it */ + idx = 0; + /* set */ + XMEMCPY(name->encoded, set, setSz); + idx += setSz; + /* seq */ + XMEMCPY(name->encoded + idx, sequence, seqSz); + idx += seqSz; + /* asn object id */ + XMEMCPY(name->encoded + idx, firstLen, firstSz); + idx += firstSz; + switch (type) { + case ASN_EMAIL_NAME: + { + const byte EMAIL_OID[] = { + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16 + }; + /* email joint id */ + XMEMCPY(name->encoded + idx, EMAIL_OID, sizeof(EMAIL_OID)); + idx += (int)sizeof(EMAIL_OID); + break; } - } - output = *out; - idx = SetSequence(totalBytes, output); - totalBytes += idx; - for (i = 0; i < MAX_NAME_ENTRIES; i++) { - if (names[i].used) { - XMEMCPY(output + idx, names[i].encoded, names[i].totalLen); - idx += names[i].totalLen; + case ASN_DOMAIN_COMPONENT: + { + const byte PILOT_OID[] = { + 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01 + }; + + XMEMCPY(name->encoded + idx, PILOT_OID, sizeof(PILOT_OID)); + idx += (int)sizeof(PILOT_OID); + /* id type */ + name->encoded[idx++] = type; + /* str type */ + name->encoded[idx++] = nameType; + break; } - } -#ifdef WOLFSSL_SMALL_STACK - XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - /* used existing buffer passed in, so increment pointer */ - if (local == NULL) { - *out += totalBytes; + default: + name->encoded[idx++] = 0x55; + name->encoded[idx++] = 0x04; + /* id type */ + name->encoded[idx++] = type; + /* str type */ + name->encoded[idx++] = nameType; } - return totalBytes; + /* second length */ + XMEMCPY(name->encoded + idx, secondLen, secondSz); + idx += secondSz; + /* str value */ + XMEMCPY(name->encoded + idx, nameStr, strLen); + idx += strLen; + + name->type = type; + name->totalLen = idx; + name->used = 1; + + return idx; } -#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ - /* encode CertName into output, return total bytes written */ int SetName(byte* output, word32 outputSz, CertName* name) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index f073f0c3a2..56acf3e159 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -1178,7 +1178,8 @@ static int wc_ecc_export_x963_compressed(ecc_key*, byte* out, word32* outLen); #if (defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || !defined(WOLFSSL_SP_MATH)) && \ - !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) + !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \ + !defined(WOLFSSL_CRYPTOCELL) static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a, mp_int* prime, mp_int* order); #endif @@ -3799,8 +3800,8 @@ int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out, } /* Verify domain params supplied */ - if (wc_ecc_is_valid_idx(private_key->idx) == 0 || - wc_ecc_is_valid_idx(public_key->idx) == 0) { + if (wc_ecc_is_valid_idx(private_key->idx) == 0 || private_key->dp == NULL || + wc_ecc_is_valid_idx(public_key->idx) == 0 || public_key->dp == NULL) { return ECC_BAD_ARG_E; } @@ -3824,7 +3825,7 @@ int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out, err = CRYS_ECDH_SVDP_DH(&public_key->ctx.pubKey, &private_key->ctx.privKey, out, - outlen, + (uint32_t*)outlen, &tempBuff); if (err != SA_SILIB_RET_OK){ @@ -4101,7 +4102,7 @@ int wc_ecc_shared_secret_ex(ecc_key* private_key, ecc_point* point, } /* Verify domain params supplied */ - if (wc_ecc_is_valid_idx(private_key->idx) == 0) { + if (wc_ecc_is_valid_idx(private_key->idx) == 0 || private_key->dp == NULL) { WOLFSSL_MSG("wc_ecc_is_valid_idx failed"); return ECC_BAD_ARG_E; } @@ -4168,7 +4169,7 @@ int wc_ecc_point_is_on_curve(ecc_point *p, int curve_idx) return BAD_FUNC_ARG; /* is the IDX valid ? */ - if (wc_ecc_is_valid_idx(curve_idx) != 1) { + if (wc_ecc_is_valid_idx(curve_idx) == 0) { return ECC_BAD_ARG_E; } @@ -4542,7 +4543,7 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id, } #elif defined(WOLFSSL_CRYPTOCELL) - pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(curve_id)); + pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(key->dp->id)); raw_size = (word32)(key->dp->size)*2 + 1; /* generate first key pair */ @@ -4563,7 +4564,7 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id, err = CRYS_ECPKI_ExportPublKey(&key->ctx.pubKey, CRYS_EC_PointUncompressed, &ucompressed_key[0], - &raw_size); + (uint32_t*)&raw_size); if (err == SA_SILIB_RET_OK && key->pubkey.x && key->pubkey.y) { err = mp_read_unsigned_bin(key->pubkey.x, @@ -4577,7 +4578,7 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id, if (err == MP_OKAY) { err = CRYS_ECPKI_ExportPrivKey(&key->ctx.privKey, ucompressed_key, - &raw_size); + (uint32_t*)&raw_size); } if (err == SA_SILIB_RET_OK) { @@ -4993,7 +4994,7 @@ static int wc_ecc_sign_hash_hw(const byte* in, word32 inlen, (byte*)in, msgLenInBytes, out, - &raw_sig_size); + (uint32_t*)&raw_sig_size); if (err != SA_SILIB_RET_OK){ WOLFSSL_MSG("CRYS_ECDSA_Sign failed"); @@ -5248,7 +5249,7 @@ int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, WC_RNG* rng, } /* is the IDX valid ? */ - if (wc_ecc_is_valid_idx(key->idx) != 1) { + if (wc_ecc_is_valid_idx(key->idx) == 0 || key->dp == NULL) { return ECC_BAD_ARG_E; } @@ -6409,7 +6410,7 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash, *res = 0; /* is the IDX valid ? */ - if (wc_ecc_is_valid_idx(key->idx) != 1) { + if (wc_ecc_is_valid_idx(key->idx) == 0 || key->dp == NULL) { return ECC_BAD_ARG_E; } @@ -7209,9 +7210,7 @@ int wc_ecc_export_x963(ecc_key* key, byte* out, word32* outLen) if (key->type == ECC_PRIVATEKEY_ONLY) return ECC_PRIVATEONLY_E; - if (key->type == 0 || - wc_ecc_is_valid_idx(key->idx) == 0 || - key->dp == NULL) { + if (key->type == 0 || wc_ecc_is_valid_idx(key->idx) == 0 || key->dp == NULL){ return ECC_BAD_ARG_E; } @@ -7656,7 +7655,8 @@ int wc_ecc_check_key(ecc_key* key) #if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \ defined(WOLFSSL_CRYPTOCELL) || defined(WOLFSSL_SILABS_SE_ACCEL) - err = 0; /* consider key check success on ATECC508/608A */ + err = 0; /* consider key check success on ATECC508/608A and CryptoCell */ + (void)err; #else #ifdef USE_ECC_B_PARAM @@ -7751,9 +7751,8 @@ int wc_ecc_check_key(ecc_key* key) #endif FREE_CURVE_SPECS(); - - return err; #endif /* WOLFSSL_ATECC508A */ + return err; #else return WC_KEY_SIZE_E; #endif /* !WOLFSSL_SP_MATH */ @@ -7770,7 +7769,10 @@ int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key, #endif int keysize = 0; byte pointType; - +#ifdef WOLFSSL_CRYPTOCELL + const CRYS_ECPKI_Domain_t* pDomain; + CRYS_ECPKI_BUILD_TempData_t tempBuff; +#endif if (in == NULL || key == NULL) return BAD_FUNC_ARG; @@ -7950,7 +7952,20 @@ int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key, #ifdef WOLFSSL_SILABS_SE_ACCEL err = silabs_ecc_import(key, keysize); #endif +#ifdef WOLFSSL_CRYPTOCELL + pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(key->dp->id)); + /* create public key from external key buffer */ + err = CRYS_ECPKI_BuildPublKeyFullCheck(pDomain, + (byte*)in-1, /* re-adjust */ + inLen+1, /* original input */ + &key->ctx.pubKey, + &tempBuff); + + if (err != SA_SILIB_RET_OK){ + WOLFSSL_MSG("CRYS_ECPKI_BuildPublKeyFullCheck failed"); + } +#endif #ifdef WOLFSSL_VALIDATE_ECC_IMPORT if (err == MP_OKAY) err = wc_ecc_check_key(key); @@ -7988,7 +8003,7 @@ int wc_ecc_export_ex(ecc_key* key, byte* qx, word32* qxLen, return BAD_FUNC_ARG; } - if (wc_ecc_is_valid_idx(key->idx) == 0) { + if (wc_ecc_is_valid_idx(key->idx) == 0 || key->dp == NULL) { return ECC_BAD_ARG_E; } keySz = key->dp->size; @@ -8079,7 +8094,6 @@ int wc_ecc_import_private_key_ex(const byte* priv, word32 privSz, int ret; #ifdef WOLFSSL_CRYPTOCELL const CRYS_ECPKI_Domain_t* pDomain; - CRYS_ECPKI_BUILD_TempData_t tempBuff; #endif if (key == NULL || priv == NULL) return BAD_FUNC_ARG; @@ -8110,21 +8124,7 @@ int wc_ecc_import_private_key_ex(const byte* priv, word32 privSz, return ret; #ifdef WOLFSSL_CRYPTOCELL - pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(curve_id)); - - if (pub != NULL && pub[0] != '\0') { - /* create public key from external key buffer */ - ret = CRYS_ECPKI_BuildPublKeyFullCheck(pDomain, - (byte*)pub, - pubSz, - &key->ctx.pubKey, - &tempBuff); - - if (ret != SA_SILIB_RET_OK){ - WOLFSSL_MSG("CRYS_ECPKI_BuildPublKeyFullCheck failed"); - return ret; - } - } + pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(key->dp->id)); /* import private key */ if (priv != NULL && priv[0] != '\0') { @@ -8396,7 +8396,7 @@ static int wc_ecc_import_raw_private(ecc_key* key, const char* qx, } if (err == MP_OKAY) { - pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(curve_id)); + pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(key->dp->id)); /* create public key from external key buffer */ err = CRYS_ECPKI_BuildPublKeyFullCheck(pDomain, @@ -8552,7 +8552,7 @@ int wc_ecc_import_raw(ecc_key* key, const char* qx, const char* qy, /* key size in octets */ int wc_ecc_size(ecc_key* key) { - if (key == NULL) + if (key == NULL || key->dp == NULL) return 0; return key->dp->size; @@ -11356,9 +11356,7 @@ static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen if (key->type == ECC_PRIVATEKEY_ONLY) return ECC_PRIVATEONLY_E; - if (key->type == 0 || - wc_ecc_is_valid_idx(key->idx) == 0 || - key->dp == NULL) { + if (key->type == 0 || wc_ecc_is_valid_idx(key->idx) == 0 || key->dp == NULL){ return ECC_BAD_ARG_E; } diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index 81987f96d0..b2eafb4cce 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -4302,6 +4302,8 @@ int mp_add_d (mp_int* a, mp_digit b, mp_int* c) int res, ix, oldused; mp_digit *tmpa, *tmpc, mu; + if (b > MP_DIGIT_MAX) return MP_VAL; + /* grow c as required */ if (c->alloc < a->used + 1) { if ((res = mp_grow(c, a->used + 1)) != MP_OKAY) { @@ -5039,6 +5041,11 @@ int mp_lcm (mp_int * a, mp_int * b, mp_int * c) int res; mp_int t1, t2; + /* LCM of 0 and any number is undefined as 0 is not in the set of values + * being used. */ + if (mp_iszero (a) == MP_YES || mp_iszero (b) == MP_YES) { + return MP_VAL; + } if ((res = mp_init_multi (&t1, &t2, NULL, NULL, NULL, NULL)) != MP_OKAY) { return res; @@ -5083,6 +5090,10 @@ int mp_gcd (mp_int * a, mp_int * b, mp_int * c) /* either zero than gcd is the largest */ if (mp_iszero (a) == MP_YES) { + /* GCD of 0 and 0 is undefined as all integers divide 0. */ + if (mp_iszero (b) == MP_YES) { + return MP_VAL; + } return mp_abs (b, c); } if (mp_iszero (b) == MP_YES) { @@ -5218,9 +5229,11 @@ int mp_read_radix (mp_int * a, const char *str, int radix) */ if (y < radix) { if ((res = mp_mul_d (a, (mp_digit) radix, a)) != MP_OKAY) { + mp_zero(a); return res; } if ((res = mp_add_d (a, (mp_digit) y, a)) != MP_OKAY) { + mp_zero(a); return res; } } else { diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c index 7bc2489e87..e4ffc2f09a 100644 --- a/wolfcrypt/src/md5.c +++ b/wolfcrypt/src/md5.c @@ -550,7 +550,20 @@ int wc_Md5Copy(wc_Md5* src, wc_Md5* dst) return ret; } - +#ifdef OPENSSL_EXTRA +/* Apply MD5 transformation to the data */ +/* @param md5 a pointer to wc_MD5 structure */ +/* @param data data to be applied MD5 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ +int wc_Md5Transform(wc_Md5* md5, const byte* data) +{ + /* sanity check */ + if (md5 == NULL || data == NULL) { + return BAD_FUNC_ARG; + } + return Transform(md5, data); +} +#endif #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB) int wc_Md5SetFlags(wc_Md5* md5, word32 flags) { diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 439d272b51..2e93f4b580 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -4917,16 +4917,27 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, der = pkcs7->der; pkcs7->der = NULL; #endif - contentDynamic = pkcs7->contentDynamic; version = pkcs7->version; - if (ret == 0) { byte isDynamic = pkcs7->isDynamic; #ifndef NO_PKCS7_STREAM PKCS7State* stream = pkcs7->stream; pkcs7->stream = NULL; #endif + + /* Save dynamic content before freeing PKCS7 struct */ + if (pkcs7->contentDynamic != NULL) { + contentDynamic = (byte*)XMALLOC(contentSz, + pkcs7->heap, DYNAMIC_TYPE_PKCS7); + if (contentDynamic == NULL) { + ret = MEMORY_E; + break; + } + XMEMCPY(contentDynamic, pkcs7->contentDynamic, + contentSz); + } + /* Free pkcs7 resources but not the structure itself */ pkcs7->isDynamic = 0; wc_PKCS7_Free(pkcs7); @@ -4934,11 +4945,18 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, /* This will reset PKCS7 structure and then set the * certificate */ ret = wc_PKCS7_InitWithCert(pkcs7, cert, certSz); + + /* Restore pkcs7->contentDynamic from above, will be + * freed by application with wc_PKCS7_Free() */ + if (contentDynamic != NULL) { + pkcs7->contentDynamic = contentDynamic; + contentDynamic = NULL; + } + #ifndef NO_PKCS7_STREAM pkcs7->stream = stream; #endif } - pkcs7->contentDynamic = contentDynamic; pkcs7->version = version; #ifdef ASN_BER_TO_DER pkcs7->der = der; diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 15127b0848..bd637173f4 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -2236,19 +2236,35 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) #elif defined(INTIME_RTOS) int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) { - int ret = 0; - - (void)os; + uint32_t randval; + word32 len; if (output == NULL) { return BUFFER_E; } - /* Note: Investigate better solution */ - /* no return to check */ - arc4random_buf(output, sz); + #ifdef INTIMEVER + /* If INTIMEVER exists then it is INTIME RTOS v6 or later */ + #define INTIME_RAND_FUNC arc4random + len = 4; + #else + /* v5 and older */ + #define INTIME_RAND_FUNC rand + srand(time(0)); + len = 2; /* don't use all 31 returned bits */ + #endif - return ret; + while (sz > 0) { + if (sz < len) + len = sz; + randval = INTIME_RAND_FUNC(); + XMEMCPY(output, &randval, len); + output += len; + sz -= len; + } + (void)os; + + return 0; } #elif defined(WOLFSSL_WICED) diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 63f4ed402c..a280704dda 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -773,13 +773,31 @@ int wc_ShaFinal(wc_Sha* sha, byte* hash) return ret; } +#if defined(OPENSSL_EXTRA) +/* Apply SHA1 transformation to the data */ +/* @param sha a pointer to wc_Sha structure */ +/* @param data data to be applied SHA1 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ +int wc_ShaTransform(wc_Sha* sha, const unsigned char* data) +{ + /* sanity check */ + if (sha == NULL || data == NULL) { + return BAD_FUNC_ARG; + } + return (Transform(sha, data)); +} +#endif + #endif /* USE_SHA_SOFTWARE_IMPL */ + +#if !defined(WOLFSSL_IMXRT_DCP) int wc_InitSha(wc_Sha* sha) { return wc_InitSha_ex(sha, NULL, INVALID_DEVID); } +#endif /* !defined(WOLFSSL_IMXRT_DCP) */ void wc_ShaFree(wc_Sha* sha) { @@ -808,7 +826,8 @@ void wc_ShaFree(wc_Sha* sha) #endif /* !WOLFSSL_TI_HASH */ #endif /* HAVE_FIPS */ -#ifndef WOLFSSL_TI_HASH +#if !defined(WOLFSSL_TI_HASH) && !defined(WOLFSSL_IMXRT_DCP) + #if !defined(WOLFSSL_RENESAS_TSIP_CRYPT) || \ defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH) int wc_ShaGetHash(wc_Sha* sha, byte* hash) @@ -873,7 +892,7 @@ int wc_ShaCopy(wc_Sha* src, wc_Sha* dst) return ret; } #endif /* defined(WOLFSSL_RENESAS_TSIP_CRYPT) ... */ -#endif /* !WOLFSSL_TI_HASH */ +#endif /* !WOLFSSL_TI_HASH && !WOLFSSL_IMXRT_DCP */ #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB) diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 50b8cf60f8..09af0f9bb7 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -130,8 +130,6 @@ where 0 <= L < 2^64. #elif defined(WOLFSSL_CRYPTOCELL) /* wc_port.c includes wolfcrypt/src/port/arm/cryptoCellHash.c */ -#elif defined(WOLFSSL_IMXRT_DCP) - #elif defined(WOLFSSL_PSOC6_CRYPTO) @@ -1295,6 +1293,19 @@ static int InitSha256(wc_Sha256* sha256) return InitSha256(sha256); /* reset state */ } + #if defined(OPENSSL_EXTRA) +/* Apply SHA256 transformation to the data */ +/* @param sha a pointer to wc_Sha256 structure */ +/* @param data data to be applied SHA256 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ + int wc_Sha256Transform(wc_Sha256* sha, const unsigned char* data) + { + if (sha == NULL || data == NULL) { + return BAD_FUNC_ARG; + } + return (Transform_Sha256(sha, data)); + } + #endif #endif /* XTRANSFORM */ #ifdef WOLFSSL_SHA224 diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index ef09e54048..bc576da214 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -916,7 +916,58 @@ void wc_Sha512Free(wc_Sha512* sha512) wolfAsync_DevCtxFree(&sha512->asyncDev, WOLFSSL_ASYNC_MARKER_SHA512); #endif /* WOLFSSL_ASYNC_CRYPT */ } +#if defined(OPENSSL_EXTRA) +/* Apply SHA512 transformation to the data */ +/* @param sha a pointer to wc_Sha512 structure */ +/* @param data data to be applied SHA512 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ +int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data) +{ + int ret ; + /* back up buffer */ + #if defined(WOLFSSL_SMALL_STACK) + word64* buffer; + buffer = (word64*) XMALLOC(sizeof(word64) * 16, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (buffer == NULL) + return MEMORY_E; + #else + word64 buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64)]; + #endif + + /* sanity check */ + if (sha == NULL || data == NULL) { + #if defined(WOLFSSL_SMALL_STACK) + XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return BAD_FUNC_ARG; + } +#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) + Sha512_SetTransform(); +#endif +#if defined(LITTLE_ENDIAN_ORDER) +#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) + if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags)) +#endif + { + ByteReverseWords64((word64*)data, (word64*)data, + WC_SHA512_BLOCK_SIZE); + } +#endif + + XMEMCPY(buffer, sha->buffer, WC_SHA512_BLOCK_SIZE); + XMEMCPY(sha->buffer, data, WC_SHA512_BLOCK_SIZE); + + ret = Transform_Sha512(sha); + + XMEMCPY(sha->buffer, buffer, WC_SHA512_BLOCK_SIZE); + #if defined(WOLFSSL_SMALL_STACK) + XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; +} +#endif #endif /* WOLFSSL_SHA512 */ /* -------------------------------------------------------------------------- */ diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c index 6e623a130a..50c8839064 100644 --- a/wolfcrypt/src/signature.c +++ b/wolfcrypt/src/signature.c @@ -48,6 +48,13 @@ /* Signature wrapper disabled check */ #ifndef NO_SIG_WRAPPER +#ifdef WOLFSSL_CRYPTOCELL +extern int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig, + RsaKey* key, CRYS_RSA_HASH_OpMode_t mode); +extern int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, + word32 outLen, RsaKey* key, CRYS_RSA_HASH_OpMode_t mode); +#endif + #if !defined(NO_RSA) && !defined(NO_ASN) static int wc_SignatureDerEncode(enum wc_HashType hash_type, byte* hash_data, word32 hash_len, word32* hash_enc_len) @@ -178,12 +185,12 @@ int wc_SignatureVerifyHash( #ifndef NO_RSA #ifdef WOLFSSL_CRYPTOCELL if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) { - ret = cc310_RsaSSL_Verify(hash_data, hash_len, (byte*)sig, key, - cc310_hashModeRSA(hash_type, 0)); + ret = cc310_RsaSSL_Verify(hash_data, hash_len, (byte*)sig, + (RsaKey*)key, cc310_hashModeRSA(hash_type, 0)); } else { - ret = cc310_RsaSSL_Verify(hash_data, hash_len, (byte*)sig, key, - cc310_hashModeRSA(hash_type, 1)); + ret = cc310_RsaSSL_Verify(hash_data, hash_len, (byte*)sig, + (RsaKey*)key, cc310_hashModeRSA(hash_type, 1)); } #else @@ -400,12 +407,12 @@ int wc_SignatureGenerateHash_ex( /* use expected signature size (incoming sig_len could be larger buffer */ *sig_len = wc_SignatureGetSize(sig_type, key, key_len); if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) { - ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, key, - cc310_hashModeRSA(hash_type, 0)); + ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, + (RsaKey*)key, cc310_hashModeRSA(hash_type, 0)); } else { - ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, key, - cc310_hashModeRSA(hash_type, 1)); + ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, + (RsaKey*)key, cc310_hashModeRSA(hash_type, 1)); } #else /* Create signature using provided RSA key */ diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c index 934037b971..77a59b3ae0 100644 --- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c @@ -2481,7 +2481,7 @@ int sp_cond_swap_ct(sp_int * a, sp_int * b, int c, int m) } FREE_SP_INT(t, NULL); - return MP_OKAY; + return err; } #endif /* HAVE_ECC && ECC_TIMING_RESISTANT && !WC_NO_CACHE_RESISTANT */ @@ -2996,7 +2996,7 @@ int sp_cmp_d(sp_int* a, sp_int_digit d) #endif #if defined(WOLFSSL_SP_INT_NEGATIVE) || !defined(NO_PWDBASED) || \ - defined(WOLFSSL_KEY_GEN) || !defined(NO_DH) || defined(HAVE_ECC) || \ + defined(WOLFSSL_KEY_GEN) || !defined(NO_DH) || \ (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) /* Add a one digit number to the multi-precision number. * @@ -4142,7 +4142,7 @@ static int sp_cmp_mag_ct(sp_int* a, sp_int* b, int len) #if defined(WOLFSSL_SP_MATH_ALL) && defined(HAVE_ECC) /* Add two value and reduce: r = (a + b) % m * - * r = a + b (mod m) - constant time (|a| < m and |b| < m and positive) + * r = a + b (mod m) - constant time (a < m and b < m, a, b and m are positive) * * Assumes a, b, m and r are not NULL. * @@ -4193,7 +4193,7 @@ int sp_addmod_ct(sp_int* a, sp_int* b, sp_int* m, sp_int* r) /* Sub b from a and reduce: r = (a - b) % m * Result is always positive. * - * r = a - b (mod m) - constant time (a < n and b < m and positive) + * r = a - b (mod m) - constant time (a < m and b < m, a, b and m are positive) * * Assumes a, b, m and r are not NULL. * @@ -4482,7 +4482,7 @@ int sp_div(sp_int* a, sp_int* d, sp_int* r, sp_int* rem) if (r != NULL) { sp_set(r, 1); #ifdef WOLFSSL_SP_INT_NEGATIVE - r->sign = aSign; + r->sign = (aSign == dSign) ? MP_ZPOS : MP_NEG; #endif /* WOLFSSL_SP_INT_NEGATIVE */ } done = 1; @@ -4491,11 +4491,14 @@ int sp_div(sp_int* a, sp_int* d, sp_int* r, sp_int* rem) /* a is greater than d but same bit length */ if (rem != NULL) { _sp_sub_off(a, d, rem, 0); + #ifdef WOLFSSL_SP_INT_NEGATIVE + rem->sign = aSign; + #endif } if (r != NULL) { sp_set(r, 1); #ifdef WOLFSSL_SP_INT_NEGATIVE - r->sign = aSign; + r->sign = (aSign == dSign) ? MP_ZPOS : MP_NEG; #endif /* WOLFSSL_SP_INT_NEGATIVE */ } done = 1; @@ -4681,7 +4684,7 @@ int sp_mod(sp_int* a, sp_int* m, sp_int* r) { int err = MP_OKAY; #ifdef WOLFSSL_SP_INT_NEGATIVE - DECL_SP_INT(t, (m == NULL) ? 1 : m->used); + DECL_SP_INT(t, (a == NULL) ? 1 : a->used + 1); #endif /* WOLFSSL_SP_INT_NEGATIVE */ if ((a == NULL) || (m == NULL) || (r == NULL)) { @@ -4695,11 +4698,11 @@ int sp_mod(sp_int* a, sp_int* m, sp_int* r) #else ALLOC_SP_INT(t, m->used, err, NULL); if (err == MP_OKAY) { - sp_init_size(t, m->used); + sp_init_size(t, a->used + 1); err = sp_div(a, m, NULL, t); } if (err == MP_OKAY) { - if (t->sign != m->sign) { + if ((!sp_iszero(t)) && (t->sign != m->sign)) { err = sp_add(t, m, r); } else { @@ -8013,7 +8016,7 @@ static int _sp_exptmod_ex(sp_int* b, sp_int* e, int bits, sp_int* m, sp_int* r) #endif /* Ensure base is less than exponent. */ - if (_sp_cmp(b, m) != MP_LT) { + if (_sp_cmp_abs(b, m) != MP_LT) { err = sp_mod(b, m, t[0]); if ((err == MP_OKAY) && sp_iszero(t[0])) { sp_set(r, 0); @@ -8113,7 +8116,7 @@ static int _sp_exptmod_mont_ex(sp_int* b, sp_int* e, int bits, sp_int* m, sp_init_size(t[3], m->used * 2 + 1); /* Ensure base is less than exponent. */ - if (_sp_cmp(b, m) != MP_LT) { + if (_sp_cmp_abs(b, m) != MP_LT) { err = sp_mod(b, m, t[0]); if ((err == MP_OKAY) && sp_iszero(t[0])) { sp_set(r, 0); @@ -8248,7 +8251,7 @@ static int _sp_exptmod_mont_ex(sp_int* b, sp_int* e, int bits, sp_int* m, sp_init_size(tr, m->used * 2 + 1); /* Ensure base is less than exponent. */ - if (_sp_cmp(b, m) != MP_LT) { + if (_sp_cmp_abs(b, m) != MP_LT) { err = sp_mod(b, m, t[1]); if ((err == MP_OKAY) && sp_iszero(t[1])) { sp_set(r, 0); @@ -8767,7 +8770,7 @@ static int _sp_exptmod_nct(sp_int* b, sp_int* e, sp_int* m, sp_int* r) sp_init_size(bm, m->used * 2 + 1); /* Ensure base is less than exponent. */ - if (_sp_cmp(b, m) != MP_LT) { + if (_sp_cmp_abs(b, m) != MP_LT) { err = sp_mod(b, m, bm); if ((err == MP_OKAY) && sp_iszero(bm)) { sp_set(r, 0); @@ -8980,7 +8983,7 @@ static int _sp_exptmod_nct(sp_int* b, sp_int* e, sp_int* m, sp_int* r) sp_init_size(t[1], m->used * 2 + 1); /* Ensure base is less than exponent. */ - if (_sp_cmp(b, m) != MP_LT) { + if (_sp_cmp_abs(b, m) != MP_LT) { err = sp_mod(b, m, t[0]); if ((err == MP_OKAY) && sp_iszero(t[0])) { sp_set(r, 0); @@ -12491,6 +12494,7 @@ int sp_tohex(sp_int* a, char* str) i = a->used - 1; #ifndef WC_DISABLE_RADIX_ZERO_PAD + /* Find highest non-zero byte in most-significant word. */ for (j = SP_WORD_SIZE - 8; j >= 0; j -= 8) { if (((a->dp[i] >> j) & 0xff) != 0) { break; @@ -12500,8 +12504,10 @@ int sp_tohex(sp_int* a, char* str) --i; } } + /* Start with high nibble of byte. */ j += 4; #else + /* Find highest non-zero nibble in most-significant word. */ for (j = SP_WORD_SIZE - 4; j >= 0; j -= 4) { if (((a->dp[i] >> j) & 0xf) != 0) { break; @@ -12512,6 +12518,7 @@ int sp_tohex(sp_int* a, char* str) } } #endif /* WC_DISABLE_RADIX_ZERO_PAD */ + /* Most-significant word. */ for (; j >= 0; j -= 4) { *(str++) = sp_hex_char[(a->dp[i] >> j) & 0xf]; } @@ -12660,16 +12667,16 @@ int sp_radix_size(sp_int* a, int radix, int* size) } else { int nibbles = (sp_count_bits(a) + 3) / 4; - #ifdef WOLFSSL_SP_INT_NEGATIVE - if (a->sign == MP_NEG) { - nibbles++; - } - #endif /* WOLFSSL_SP_INT_NEGATIVE */ #ifndef WC_DISABLE_RADIX_ZERO_PAD if (nibbles & 1) { nibbles++; } #endif /* WC_DISABLE_RADIX_ZERO_PAD */ + #ifdef WOLFSSL_SP_INT_NEGATIVE + if (a->sign == MP_NEG) { + nibbles++; + } + #endif /* WOLFSSL_SP_INT_NEGATIVE */ /* One more for \0 */ *size = nibbles + 1; } @@ -13230,9 +13237,11 @@ int sp_prime_is_prime_ex(sp_int* a, int t, int* result, WC_RNG* rng) } #endif /* WOLFSSL_SP_MATH_ALL || WOLFSSL_HAVE_SP_DH */ -#if defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) +#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) /* Calculates the Greatest Common Denominator (GCD) of a and b into r. + * + * a and b are positive integers. * * @param [in] a SP integer of first operand. * @param [in] b SP integer of second operand. @@ -13250,6 +13259,7 @@ int sp_gcd(sp_int* a, sp_int* b, sp_int* r) err = MP_VAL; } else if (sp_iszero(a)) { + /* GCD of 0 and 0 is undefined as all integers divide 0. */ if (sp_iszero(b)) { err = MP_VAL; } @@ -13341,6 +13351,8 @@ int sp_gcd(sp_int* a, sp_int* b, sp_int* r) #if defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) /* Calculates the Lowest Common Multiple (LCM) of a and b and stores in r. + * + * a and b are positive integers. * * @param [in] a SP integer of first operand. * @param [in] b SP integer of second operand. @@ -13360,6 +13372,10 @@ int sp_lcm(sp_int* a, sp_int* b, sp_int* r) if ((a == NULL) || (b == NULL) || (r == NULL)) { err = MP_VAL; } + + /* LCM of 0 and any number is undefined as 0 is not in the set of values + * being used. + */ if ((err == MP_OKAY) && (mp_iszero(a) || mp_iszero(b))) { err = MP_VAL; } diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index 8dab88207b..4352567ccb 100644 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -990,7 +990,7 @@ int fp_mod(fp_int *a, fp_int *b, fp_int *c) fp_init(t); err = fp_div(a, b, NULL, t); if (err == FP_OKAY) { - if (t->sign != b->sign) { + if (!fp_iszero(t) && (t->sign != b->sign)) { err = fp_add(t, b, c); } else { fp_copy(t, c); @@ -5210,6 +5210,12 @@ int fp_lcm(fp_int *a, fp_int *b, fp_int *c) fp_int *t; #endif + /* LCM of 0 and any number is undefined as 0 is not in the set of values + * being used. */ + if (fp_iszero(a) == FP_YES || fp_iszero(b) == FP_YES) { + return FP_VAL; + } + #ifdef WOLFSSL_SMALL_STACK t = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_BIGINT); if (t == NULL) { @@ -5249,6 +5255,11 @@ int fp_gcd(fp_int *a, fp_int *b, fp_int *c) fp_int *u, *v, *r; #endif + /* GCD of 0 and 0 is undefined as all integers divide 0. */ + if (fp_iszero(a) == FP_YES && fp_iszero(b) == FP_YES) { + return FP_VAL; + } + /* either zero than gcd is the largest */ if (fp_iszero (a) == FP_YES && fp_iszero (b) == FP_NO) { fp_abs (b, c); @@ -5317,32 +5328,26 @@ int fp_gcd(fp_int *a, fp_int *b, fp_int *c) int fp_add_d(fp_int *a, fp_digit b, fp_int *c) { #ifndef WOLFSSL_SMALL_STACK - fp_int tmp; - int err; - fp_init(&tmp); - fp_set(&tmp, b); - err = fp_add(a, &tmp, c); - return err; + fp_int tmp[1]; #else - int i; - fp_word t = b; - int err = FP_OKAY; - - fp_copy(a, c); - for (i = 0; t != 0 && i < FP_SIZE && i < c->used; i++) { - t += c->dp[i]; - c->dp[i] = (fp_digit)t; - t >>= DIGIT_BIT; - } - if (i == c->used && i < FP_SIZE && t != 0) { - c->dp[i] = t; - c->used++; - } - if (i == FP_SIZE && t != 0) { - err = FP_VAL; - } - return err; + fp_int* tmp; #endif + int err; + +#ifdef WOLFSSL_SMALL_STACK + tmp = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (tmp == NULL) + return FP_MEM; +#endif + + fp_init(tmp); + fp_set(tmp, b); + err = fp_add(a, tmp, c); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT); +#endif + return err; } /* external compatibility */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 128d82cab7..0d3166bc47 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -290,7 +290,7 @@ _Pragma("GCC diagnostic ignored \"-Wunused-function\""); #include #endif -#if defined(NO_FILESYSTEM) +#if defined(NO_FILESYSTEM) || defined(WC_NO_RNG) #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \ !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096) #define USE_CERT_BUFFERS_2048 @@ -422,7 +422,8 @@ WOLFSSL_TEST_SUBROUTINE int scrypt_test(void); WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void); #endif #if defined(USE_CERT_BUFFERS_256) && !defined(WOLFSSL_ATECC508A) && \ - !defined(WOLFSSL_ATECC608A) && !defined(NO_ECC256) + !defined(WOLFSSL_ATECC608A) && !defined(NO_ECC256) && \ + defined(HAVE_ECC_VERIFY) && defined(HAVE_ECC_SIGN) /* skip for ATECC508/608A, cannot import private key buffers */ WOLFSSL_TEST_SUBROUTINE int ecc_test_buffers(void); #endif @@ -849,10 +850,12 @@ initDefaultName(); test_pass("SHAKE256 test passed!\n"); #endif +#ifndef NO_HASH_WRAPPER if ( (ret = hash_test()) != 0) return err_sys("Hash test failed!\n", ret); else test_pass("Hash test passed!\n"); +#endif #ifdef WOLFSSL_RIPEMD if ( (ret = ripemd_test()) != 0) @@ -1177,7 +1180,8 @@ initDefaultName(); test_pass("ECC Enc test passed!\n"); #endif #if defined(USE_CERT_BUFFERS_256) && !defined(WOLFSSL_ATECC508A) && \ - !defined(WOLFSSL_ATECC608A) && !defined(NO_ECC256) + !defined(WOLFSSL_ATECC608A) && !defined(NO_ECC256) && \ + defined(HAVE_ECC_VERIFY) && defined(HAVE_ECC_SIGN) /* skip for ATECC508/608A, cannot import private key buffers */ if ( (ret = ecc_test_buffers()) != 0) return err_sys("ECC buffer test failed!\n", ret); @@ -3384,7 +3388,7 @@ exit: } #endif - +#ifndef NO_HASH_WRAPPER WOLFSSL_TEST_SUBROUTINE int hash_test(void) { wc_HashAlg hash; @@ -3689,6 +3693,7 @@ WOLFSSL_TEST_SUBROUTINE int hash_test(void) return 0; } +#endif /* !NO_HASH_WRAPPER */ #if !defined(NO_HMAC) && !defined(NO_MD5) WOLFSSL_TEST_SUBROUTINE int hmac_md5_test(void) @@ -6249,8 +6254,8 @@ WOLFSSL_TEST_SUBROUTINE int des_test(void) sizeof(key), WC_HASH_TYPE_NONE); if (ret == 0) return -5009; - } #endif /* !NO_PWDBASED */ + } #endif return 0; @@ -7623,9 +7628,11 @@ static int aes_key_size_test(void) #endif byte key16[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66 }; +#ifndef WOLFSSL_CRYPTOCELL byte key24[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37 }; +#endif byte key32[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, @@ -7702,7 +7709,8 @@ static int aes_key_size_test(void) if (ret != 0 || keySize != sizeof(key16)) ERROR_OUT(-5310, out); #endif - +#ifndef WOLFSSL_CRYPTOCELL +/* Cryptocell only supports AES-128 key size */ ret = wc_AesSetKey(aes, key24, sizeof(key24), iv, AES_ENCRYPTION); #ifdef WOLFSSL_AES_192 if (ret != 0) @@ -7728,7 +7736,7 @@ static int aes_key_size_test(void) if (ret != 0 || keySize != sizeof(key32)) ERROR_OUT(-5314, out); #endif - +#endif /* !WOLFSSL_CRYPTOCELL */ out: #ifdef WOLFSSL_SMALL_STACK @@ -11823,12 +11831,11 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out) static const char* certEccRsaPemFile = CERT_WRITE_TEMP_DIR "certeccrsa.pem"; static const char* certEccRsaDerFile = CERT_WRITE_TEMP_DIR "certeccrsa.der"; #endif - #if defined(HAVE_ECC_KEY_EXPORT) + #if defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) static const char* eccCaKeyPemFile = CERT_WRITE_TEMP_DIR "ecc-key.pem"; static const char* eccPubKeyDerFile = CERT_WRITE_TEMP_DIR "ecc-public-key.der"; static const char* eccCaKeyTempFile = CERT_WRITE_TEMP_DIR "ecc-key.der"; - - #ifdef HAVE_PKCS8 + #if defined(HAVE_PKCS8) && !defined(WC_NO_RNG) static const char* eccPkcs8KeyDerFile = CERT_WRITE_TEMP_DIR "ecc-key-pkcs8.der"; #endif #endif /* HAVE_ECC_KEY_EXPORT */ @@ -14439,7 +14446,9 @@ static int rsa_keygen_test(WC_RNG* rng) #endif int ret; byte* der = NULL; +#ifndef WOLFSSL_CRYPTOCELL word32 idx = 0; +#endif int derSz = 0; #if !defined(WOLFSSL_SP_MATH) && !defined(HAVE_FIPS) int keySz = 1024; @@ -14499,8 +14508,9 @@ static int rsa_keygen_test(WC_RNG* rng) if (ret != 0) { ERROR_OUT(-7875, exit_rsa); } + +#ifndef WOLFSSL_CRYPTOCELL idx = 0; -#if !defined(WOLFSSL_CRYPTOCELL) /* The private key part of the key gen pairs from cryptocell can't be exported */ ret = wc_RsaPrivateKeyDecode(der, &idx, genKey, derSz); if (ret != 0) { @@ -14554,21 +14564,12 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) RsaKey caKey[1]; #endif #endif -#if !defined(NO_ASN) || !defined(WOLFSSL_RSA_PUBLIC_ONLY) \ - || defined(WOLFSSL_PUBLIC_MP) word32 idx = 0; -#endif -#if (!defined(WOLFSSL_RSA_VERIFY_ONLY) || defined(WOLFSSL_PUBLIC_MP)) && \ - !defined(WC_NO_RSA_OAEP) && !defined(WC_NO_RNG) const char inStr[] = TEST_STRING; const word32 inLen = (word32)TEST_STRING_SZ; const word32 outSz = RSA_TEST_BYTES; const word32 plainSz = RSA_TEST_BYTES; -#endif -#if (!defined(WOLFSSL_RSA_PUBLIC_ONLY) && \ - !defined(WOLFSSL_RSA_VERIFY_ONLY)) || defined(WOLFSSL_PUBLIC_MP) byte* res; -#endif #ifndef NO_SIG_WRAPPER int modLen; #endif @@ -14586,8 +14587,6 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) #endif #endif -#if (!defined(WOLFSSL_RSA_VERIFY_ONLY) || defined(WOLFSSL_PUBLIC_MP)) && \ - !defined(WC_NO_RSA_OAEP) && !defined(WC_NO_RNG) DECLARE_VAR(in, byte, TEST_STRING_SZ, HEAP_HINT); DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT); DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT); @@ -14598,7 +14597,6 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) #endif XMEMCPY(in, inStr, inLen); -#endif #ifdef WOLFSSL_SMALL_STACK if (key == NULL) @@ -14733,7 +14731,8 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) goto exit_rsa; #endif -#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) +#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \ + !defined(WC_NO_RNG) do { #if defined(WOLFSSL_ASYNC_CRYPT) ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); @@ -14809,9 +14808,6 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) TEST_SLEEP(); #elif defined(WOLFSSL_PUBLIC_MP) - (void)outSz; - (void)inLen; - (void)res; { static byte signature_2048[] = { 0x07, 0x6f, 0xc9, 0x85, 0x73, 0x9e, 0x21, 0x79, @@ -14852,8 +14848,9 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) } #endif -#if (!defined(WOLFSSL_RSA_PUBLIC_ONLY) && \ - !defined(WOLFSSL_RSA_VERIFY_ONLY)) || defined(WOLFSSL_PUBLIC_MP) +#if !defined(WC_NO_RNG) && !defined(WC_NO_RSA_OAEP) && \ + ((!defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \ + defined(WOLFSSL_PUBLIC_MP)) idx = (word32)ret; XMEMSET(plain, 0, plainSz); do { @@ -15264,8 +15261,6 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) } FreeDecodedCert(cert); -#else - (void)bytes; #endif #ifdef WOLFSSL_CERT_EXT @@ -15628,50 +15623,52 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) exit_rsa: #ifdef WOLFSSL_SMALL_STACK - if (key != NULL) { wc_FreeRsaKey(key); XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } -#if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN) + #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN) if (keypub != NULL) { wc_FreeRsaKey(keypub); XFREE(keypub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } -#endif -#if defined(HAVE_NTRU) + #endif + #if defined(HAVE_NTRU) if (caKey != NULL) { wc_FreeRsaKey(caKey); XFREE(caKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } -#endif -#ifdef WOLFSSL_TEST_CERT + #endif + #ifdef WOLFSSL_TEST_CERT if (cert != NULL) XFREE(cert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); -#endif - + #endif #else - wc_FreeRsaKey(key); -#if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN) + #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN) wc_FreeRsaKey(keypub); -#endif -#if defined(HAVE_NTRU) + #endif + #if defined(HAVE_NTRU) wc_FreeRsaKey(caKey); -#endif - -#endif + #endif +#endif /* WOLFSSL_SMALL_STACK */ XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRng(&rng); -#if (!defined(WOLFSSL_RSA_VERIFY_ONLY) || defined(WOLFSSL_PUBLIC_MP)) && \ - !defined(WC_NO_RSA_OAEP) && !defined(WC_NO_RNG) FREE_VAR(in, HEAP_HINT); FREE_VAR(out, HEAP_HINT); FREE_VAR(plain, HEAP_HINT); -#endif + + (void)res; + (void)bytes; + (void)in; + (void)out; + (void)plain; + (void)inLen; + (void)outSz; + (void)plainSz; /* ret can be greater then 0 with certgen but all negative values should * be returned and treated as an error */ @@ -16056,6 +16053,7 @@ static int dh_test_check_pubvalue(void) #define FFDHE_KEY_SIZE (2048/8) #endif +#ifndef WC_NO_RNG static int dh_ffdhe_test(WC_RNG *rng, const DhParams* params) { int ret; @@ -16214,7 +16212,7 @@ done: return ret; } - +#endif /* !WC_NO_RNG */ #endif /* HAVE_FFDHE */ WOLFSSL_TEST_SUBROUTINE int dh_test(void) @@ -16222,7 +16220,9 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) int ret; word32 bytes; word32 idx = 0, privSz, pubSz, privSz2, pubSz2; +#ifndef WC_NO_RNG WC_RNG rng; +#endif int keyInit = 0; #define DH_TEST_TMP_SIZE 1024 @@ -16231,28 +16231,34 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) #else #define DH_TEST_BUF_SIZE 512 #endif +#ifndef WC_NO_RNG word32 agreeSz = DH_TEST_BUF_SIZE; word32 agreeSz2 = DH_TEST_BUF_SIZE; +#endif #ifdef WOLFSSL_SMALL_STACK - DhKey *key = (DhKey *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - DhKey *key2 = (DhKey *)XMALLOC(sizeof *key2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - byte *tmp = (byte *)XMALLOC(DH_TEST_TMP_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + DhKey *key = (DhKey *)XMALLOC(sizeof *key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + DhKey *key2 = (DhKey *)XMALLOC(sizeof *key2, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + byte *tmp = (byte *)XMALLOC(DH_TEST_TMP_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#else + DhKey key[1]; + DhKey key2[1]; + byte tmp[DH_TEST_TMP_SIZE]; +#endif + +#ifndef WC_NO_RNG +#ifdef WOLFSSL_SMALL_STACK byte *priv = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); byte *pub = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); byte *priv2 = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); byte *pub2 = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); byte *agree = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); byte *agree2 = (byte *)XMALLOC(DH_TEST_BUF_SIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - - if ((tmp == NULL) || (priv == NULL) || (pub == NULL) || - (priv2 == NULL) || (pub2 == NULL) || (agree == NULL) || - (agree2 == NULL)) + if (priv == NULL || pub == NULL || priv2 == NULL || pub2 == NULL || + agree == NULL || agree2 == NULL) { ERROR_OUT(-8100, done); + } #else - DhKey key[1]; - DhKey key2[1]; - byte tmp[DH_TEST_TMP_SIZE]; byte priv[DH_TEST_BUF_SIZE]; byte pub[DH_TEST_BUF_SIZE]; byte priv2[DH_TEST_BUF_SIZE]; @@ -16260,6 +16266,13 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) byte agree[DH_TEST_BUF_SIZE]; byte agree2[DH_TEST_BUF_SIZE]; #endif +#endif /* !WC_NO_RNG */ + +#ifdef WOLFSSL_SMALL_STACK + if (key == NULL || key2 == NULL || tmp == NULL) { + ERROR_OUT(-8100, done); + } +#endif #ifdef USE_CERT_BUFFERS_1024 XMEMCPY(tmp, dh_key_der_1024, (size_t)sizeof_dh_key_der_1024); @@ -16298,7 +16311,10 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) privSz = DH_TEST_BUF_SIZE; privSz2 = DH_TEST_BUF_SIZE; +#ifndef WC_NO_RNG XMEMSET(&rng, 0, sizeof(rng)); +#endif + /* Use API for coverage. */ ret = wc_InitDhKey(key); if (ret != 0) { @@ -16339,6 +16355,7 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) } #endif +#ifndef WC_NO_RNG #ifndef HAVE_FIPS ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); #else @@ -16383,6 +16400,7 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) if (agreeSz != agreeSz2 || XMEMCMP(agree, agree2, agreeSz)) { ERROR_OUT(-8115, done); } +#endif /* !WC_NO_RNG */ #if defined(WOLFSSL_KEY_GEN) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) if (wc_DhCheckPrivKey(NULL, NULL, 0) != BAD_FUNC_ARG) @@ -16444,6 +16462,7 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) } #endif /* WOLFSSL_DH_EXTRA */ +#ifndef WC_NO_RNG ret = dh_generate_test(&rng); if (ret != 0) ERROR_OUT(-8126, done); @@ -16451,6 +16470,7 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) ret = dh_fips_generate_test(&rng); if (ret != 0) ERROR_OUT(-8127, done); +#endif /* !WC_NO_RNG */ #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) ret = dh_test_check_pubvalue(); @@ -16458,6 +16478,7 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) ERROR_OUT(-8128, done); #endif +#ifndef WC_NO_RNG /* Specialized code for key gen when using FFDHE-2048 and FFDHE-3072. */ #ifdef HAVE_FFDHE_2048 ret = dh_ffdhe_test(&rng, wc_Dh_ffdhe2048_Get()); @@ -16469,12 +16490,13 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) if (ret != 0) ERROR_OUT(-8130, done); #endif +#endif /* !WC_NO_RNG */ wc_FreeDhKey(key); keyInit = 0; #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \ - !defined(WOLFSSL_OLD_PRIME_CHECK) + !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(WC_NO_RNG) /* Test Check Key */ ret = wc_DhSetCheckKey(key, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g), NULL, 0, 0, &rng); @@ -16485,7 +16507,9 @@ WOLFSSL_TEST_SUBROUTINE int dh_test(void) done: +#ifndef WC_NO_RNG wc_FreeRng(&rng); +#endif #ifdef WOLFSSL_SMALL_STACK if (key) { @@ -16517,6 +16541,11 @@ done: wc_FreeDhKey(key2); #endif + (void)privSz; + (void)pubSz; + (void)pubSz2; + (void)privSz2; + return ret; #undef DH_TEST_BUF_SIZE #undef DH_TEST_TMP_SIZE @@ -20646,7 +20675,7 @@ static int ecc_test_make_pub(WC_RNG* rng) byte *tmp = (byte *)XMALLOC(ECC_BUFSIZE, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); #else ecc_key key[1]; -#if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT) +#if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) ecc_key pub[1]; #endif byte exportBuf[ECC_BUFSIZE]; @@ -20774,7 +20803,8 @@ static int ecc_test_make_pub(WC_RNG* rng) } #endif -#ifdef HAVE_ECC_SIGN +#if defined(HAVE_ECC_SIGN) && (!defined(ECC_TIMING_RESISTANT) || \ + (defined(ECC_TIMING_RESISTANT) && !defined(WC_NO_RNG))) tmpSz = ECC_BUFSIZE; ret = 0; do { @@ -20819,7 +20849,7 @@ static int ecc_test_make_pub(WC_RNG* rng) #endif /* HAVE_ECC_SIGN */ -#if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT) +#if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) /* now test private only key with creating a shared secret */ x = ECC_BUFSIZE; ret = wc_ecc_export_private_only(key, exportBuf, &x); @@ -20875,7 +20905,7 @@ static int ecc_test_make_pub(WC_RNG* rng) ERROR_OUT(-9870, done); } TEST_SLEEP(); -#endif /* HAVE_ECC_DHE && HAVE_ECC_KEY_EXPORT */ +#endif /* HAVE_ECC_DHE && HAVE_ECC_KEY_EXPORT && !WC_NO_RNG */ ret = 0; @@ -20903,7 +20933,7 @@ done: return ret; } -#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) +#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG) static int ecc_test_key_decode(WC_RNG* rng, int keySize) { int ret; @@ -20984,7 +21014,7 @@ static int ecc_test_key_decode(WC_RNG* rng, int keySize) #endif /* HAVE_ECC_KEY_EXPORT && !NO_ASN_CRYPT */ #endif /* HAVE_ECC_KEY_IMPORT */ -#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) +#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG) static int ecc_test_key_gen(WC_RNG* rng, int keySize) { int ret = 0; @@ -21085,7 +21115,7 @@ done: static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, int curve_id, const ecc_set_type* dp) { -#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && \ +#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \ !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) DECLARE_VAR(sharedA, byte, ECC_SHARED_SIZE, HEAP_HINT); DECLARE_VAR(sharedB, byte, ECC_SHARED_SIZE, HEAP_HINT); @@ -21095,7 +21125,7 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, DECLARE_VAR(exportBuf, byte, ECC_KEY_EXPORT_BUF_SIZE, HEAP_HINT); #endif word32 x = 0; -#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && \ +#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \ !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) word32 y; #endif @@ -21109,18 +21139,20 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, #endif /* HAVE_ECC_SIGN */ int ret; #ifdef WOLFSSL_SMALL_STACK - ecc_key *userA = (ecc_key *)XMALLOC(sizeof *userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER), - *userB = (ecc_key *)XMALLOC(sizeof *userB, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER), - *pubKey = (ecc_key *)XMALLOC(sizeof *pubKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + ecc_key *userA = (ecc_key *)XMALLOC(sizeof *userA, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + ecc_key *userB = (ecc_key *)XMALLOC(sizeof *userB, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + ecc_key *pubKey = (ecc_key *)XMALLOC(sizeof *pubKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); #else - ecc_key userA[1], - userB[1], - pubKey[1]; + ecc_key userA[1]; + ecc_key userB[1]; + ecc_key pubKey[1]; #endif +#ifndef WC_NO_RNG int curveSize; +#endif #ifdef DECLARE_VAR_IS_HEAP_ALLOC -#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && \ +#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \ !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) if (sharedA == NULL || sharedB == NULL) ERROR_OUT(-9900, done); @@ -21173,6 +21205,7 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, } #endif +#ifndef WC_NO_RNG ret = wc_ecc_make_key_ex(rng, keySize, userA, curve_id); #if defined(WOLFSSL_ASYNC_CRYPT) ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_NONE); @@ -21290,7 +21323,7 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, wc_ecc_set_flags(userA, 0); wc_ecc_set_flags(userB, 0); #endif /* HAVE_ECC_CDH */ -#endif /* WOLFSSL_ATECC508A */ +#endif /* !WOLFSSL_ATECC508A && WOLFSSL_ATECC608A */ #ifdef HAVE_ECC_KEY_EXPORT x = ECC_KEY_EXPORT_BUF_SIZE; @@ -21367,15 +21400,20 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, TEST_SLEEP(); #endif /* HAVE_ECC_DHE */ #endif /* HAVE_COMP_KEY */ -#endif /* WOLFSSL_ATECC508A */ + +#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A */ +#endif /* !WC_NO_RNG */ #endif /* HAVE_ECC_KEY_IMPORT */ #endif /* HAVE_ECC_KEY_EXPORT */ +#if !defined(ECC_TIMING_RESISTANT) || (defined(ECC_TIMING_RESISTANT) && !defined(WC_NO_RNG)) #ifdef HAVE_ECC_SIGN /* ECC w/out Shamir has issue with all 0 digest */ /* WC_BIGINT doesn't have 0 len well on hardware */ -#if defined(ECC_SHAMIR) && !defined(WOLFSSL_ASYNC_CRYPT) + /* Cryptocell has issues with all 0 digest */ +#if defined(ECC_SHAMIR) && !defined(WOLFSSL_ASYNC_CRYPT) && \ + !defined(WOLFSSL_CRYPTOCELL) /* test DSA sign hash with zeros */ for (i = 0; i < (int)ECC_DIGEST_SIZE; i++) { digest[i] = 0; @@ -21412,7 +21450,7 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, TEST_SLEEP(); } #endif /* HAVE_ECC_VERIFY */ -#endif /* ECC_SHAMIR && !WOLFSSL_ASYNC_CRYPT */ +#endif /* ECC_SHAMIR && !WOLFSSL_ASYNC_CRYPT && !WOLFSSL_CRYPTOCELL */ /* test DSA sign hash with sequence (0,1,2,3,4,...) */ for (i = 0; i < (int)ECC_DIGEST_SIZE; i++) { @@ -21451,13 +21489,16 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, } #endif /* HAVE_ECC_VERIFY */ #endif /* HAVE_ECC_SIGN */ +#endif /* !ECC_TIMING_RESISTANT || (ECC_TIMING_RESISTANT && !WC_NO_RNG) */ -#if defined(HAVE_ECC_KEY_EXPORT) && !defined(WOLFSSL_ATECC508) && \ - !defined(WOLFSSL_ATECC608A) +#if defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) && \ + !defined(WOLFSSL_ATECC508) && !defined(WOLFSSL_ATECC608A) x = ECC_KEY_EXPORT_BUF_SIZE; ret = wc_ecc_export_private_only(userA, exportBuf, &x); if (ret != 0) ERROR_OUT(-9942, done); +#else + (void)exportBuf; #endif /* HAVE_ECC_KEY_EXPORT */ done: @@ -21493,6 +21534,10 @@ done: FREE_VAR(digest, HEAP_HINT); #endif + (void)keySize; + (void)curve_id; + (void)rng; + return ret; } @@ -21526,7 +21571,7 @@ static int ecc_test_curve(WC_RNG* rng, int keySize) #endif #if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \ - !defined(NO_ASN_CRYPT) + !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG) ret = ecc_test_key_decode(rng, keySize); if (ret < 0) { if (ret == ECC_CURVE_OID_E) { @@ -21539,7 +21584,7 @@ static int ecc_test_curve(WC_RNG* rng, int keySize) } #endif -#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) +#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG) ret = ecc_test_key_gen(rng, keySize); if (ret < 0) { if (ret == ECC_CURVE_OID_E) { @@ -22053,7 +22098,7 @@ done: } #endif -#ifdef HAVE_ECC_DHE +#if defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) static int ecc_ssh_test(ecc_key* key, WC_RNG* rng) { int ret; @@ -22099,7 +22144,7 @@ static int ecc_ssh_test(ecc_key* key, WC_RNG* rng) TEST_SLEEP(); return 0; } -#endif /* HAVE_ECC_DHE */ +#endif /* HAVE_ECC_DHE && !WC_NO_RNG */ #endif static int ecc_def_curve_test(WC_RNG *rng) @@ -22110,6 +22155,9 @@ static int ecc_def_curve_test(WC_RNG *rng) #else ecc_key key[1]; #endif +#ifdef WC_NO_RNG + word32 idx = 0; +#endif #ifdef WOLFSSL_SMALL_STACK if (key == NULL) @@ -22130,9 +22178,16 @@ static int ecc_def_curve_test(WC_RNG *rng) goto done; } +#ifndef WC_NO_RNG ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, key); #if defined(WOLFSSL_ASYNC_CRYPT) ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE); +#endif +#else + /* use test ECC key */ + ret = wc_EccPrivateKeyDecode(ecc_key_der_256, &idx, key, + (word32)sizeof_ecc_key_der_256); + (void)rng; #endif if (ret != 0) { ret = -10092; @@ -22158,7 +22213,7 @@ static int ecc_def_curve_test(WC_RNG *rng) if (ret < 0) goto done; #endif -#ifdef HAVE_ECC_DHE +#if defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) ret = ecc_ssh_test(key, rng); if (ret < 0) goto done; @@ -22729,16 +22784,26 @@ static int ecc_test_allocator(WC_RNG* rng) { int ret = 0; ecc_key* key; +#ifdef WC_NO_RNG + word32 idx = 0; +#endif key = wc_ecc_key_new(HEAP_HINT); if (key == NULL) { ERROR_OUT(-10150, exit); } +#ifndef WC_NO_RNG ret = wc_ecc_make_key(rng, ECC_KEYGEN_SIZE, key); if (ret != 0) { ERROR_OUT(-10151, exit); } +#else + /* use test ECC key */ + ret = wc_EccPrivateKeyDecode(ecc_key_der_256, &idx, key, + (word32)sizeof_ecc_key_der_256); + (void)rng; +#endif exit: wc_ecc_key_free(key); @@ -23599,6 +23664,7 @@ WOLFSSL_TEST_SUBROUTINE int ecc_test_buffers(void) if (ret != 0) ERROR_OUT(-10423, done); +#ifndef WC_NO_RNG #ifndef HAVE_FIPS ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); #else @@ -23615,6 +23681,7 @@ WOLFSSL_TEST_SUBROUTINE int ecc_test_buffers(void) ERROR_OUT(-10425, done); } #endif +#endif /* !WC_NO_RNG */ #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_HKDF) { diff --git a/wolfssl.vcxproj b/wolfssl.vcxproj index d890f8cc9f..25c22b449d 100644 --- a/wolfssl.vcxproj +++ b/wolfssl.vcxproj @@ -295,14 +295,18 @@ + + + + diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 88c47b9c65..68ace30531 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -170,7 +170,8 @@ enum wolfSSL_ErrorCodes { DTLS_SIZE_ERROR = -439, /* Trying to send too much data */ NO_CERT_ERROR = -440, /* TLS1.3 - no cert set error */ APP_DATA_READY = -441, /* DTLS1.2 application data ready for read */ - + TOO_MUCH_EARLY_DATA = -442, /* Too much Early data */ + /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */ /* begin negotiation parameter errors */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d4f68a8159..7c34915463 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -59,6 +59,9 @@ #ifdef HAVE_POLY1305 #include #endif +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && defined(OPENSSL_EXTRA) + #include +#endif #ifdef HAVE_CAMELLIA #include #endif @@ -1870,7 +1873,7 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, int haveAnon, int tls1_2, int keySz); WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, int, word16, word16, - word16, word16, word16, word16, word16, int); + word16, word16, word16, word16, word16, word16, int); WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites); WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list); @@ -2834,6 +2837,7 @@ struct WOLFSSL_CTX { byte sessionCtxSz; byte cbioFlag; /* WOLFSSL_CBIO_RECV/SEND: CBIORecv/Send is set */ CallbackInfoState* CBIS; /* used to get info about SSL state */ + WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/ #endif CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; @@ -2931,10 +2935,10 @@ struct WOLFSSL_CTX { TicketEncCbCtx ticketKeyCtx; #endif #endif + #endif #ifdef HAVE_SUPPORTED_CURVES byte userCurves; /* indicates user called wolfSSL_CTX_UseSupportedCurve */ #endif -#endif #ifdef ATOMIC_USER CallbackMacEncrypt MacEncryptCb; /* Atomic User Mac/Encrypt Cb */ CallbackDecryptVerify DecryptVerifyCb; /* Atomic User Decrypt/Verify Cb */ @@ -3534,9 +3538,7 @@ typedef struct Options { #ifdef HAVE_POLY1305 word16 oldPoly:1; /* set when to use old rfc way of poly*/ #endif -#ifdef HAVE_ANON word16 haveAnon:1; /* User wants to allow Anon suites */ -#endif #ifdef HAVE_SESSION_TICKET word16 createTicket:1; /* Server to create new Ticket */ word16 useTicket:1; /* Use Ticket not session cache */ @@ -4365,11 +4367,12 @@ struct WOLFSSL { #ifdef WOLFSSL_EARLY_DATA EarlyDataState earlyData; word32 earlyDataSz; + byte earlyDataStatus; #endif #ifdef OPENSSL_ALL long verifyCallbackResult; #endif -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) +#if defined(OPENSSL_EXTRA) WOLFSSL_STACK* supportedCiphers; /* Used in wolfSSL_get_ciphers_compat */ WOLFSSL_STACK* peerCertChain; /* Used in wolfSSL_get_peer_cert_chain */ #endif diff --git a/wolfssl/openssl/bio.h b/wolfssl/openssl/bio.h index c5786b73a4..edafd2152b 100644 --- a/wolfssl/openssl/bio.h +++ b/wolfssl/openssl/bio.h @@ -68,6 +68,7 @@ #define BIO_set_fp wolfSSL_BIO_set_fp #define BIO_get_fp wolfSSL_BIO_get_fp #define BIO_seek wolfSSL_BIO_seek +#define BIO_tell wolfSSL_BIO_tell #define BIO_write_filename wolfSSL_BIO_write_filename #define BIO_set_mem_eof_return wolfSSL_BIO_set_mem_eof_return diff --git a/wolfssl/openssl/md5.h b/wolfssl/openssl/md5.h index 49ac1e32f7..08cbd527e7 100644 --- a/wolfssl/openssl/md5.h +++ b/wolfssl/openssl/md5.h @@ -52,13 +52,14 @@ typedef struct WOLFSSL_MD5_CTX { WOLFSSL_API int wolfSSL_MD5_Init(WOLFSSL_MD5_CTX*); WOLFSSL_API int wolfSSL_MD5_Update(WOLFSSL_MD5_CTX*, const void*, unsigned long); WOLFSSL_API int wolfSSL_MD5_Final(unsigned char*, WOLFSSL_MD5_CTX*); - +WOLFSSL_API int wolfSSL_MD5_Transform(WOLFSSL_MD5_CTX*, const unsigned char*); typedef WOLFSSL_MD5_CTX MD5_CTX; #define MD5_Init wolfSSL_MD5_Init #define MD5_Update wolfSSL_MD5_Update #define MD5_Final wolfSSL_MD5_Final +#define MD5_Transform wolfSSL_MD5_Transform #ifdef OPENSSL_EXTRA_BSD #define MD5Init wolfSSL_MD5_Init diff --git a/wolfssl/openssl/sha.h b/wolfssl/openssl/sha.h index e3a814717e..c8ee6d4c64 100644 --- a/wolfssl/openssl/sha.h +++ b/wolfssl/openssl/sha.h @@ -52,12 +52,14 @@ typedef struct WOLFSSL_SHA_CTX { WOLFSSL_API int wolfSSL_SHA_Init(WOLFSSL_SHA_CTX*); WOLFSSL_API int wolfSSL_SHA_Update(WOLFSSL_SHA_CTX*, const void*, unsigned long); WOLFSSL_API int wolfSSL_SHA_Final(unsigned char*, WOLFSSL_SHA_CTX*); - +WOLFSSL_API int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX*, + const unsigned char *data); /* SHA1 points to above, shouldn't use SHA0 ever */ WOLFSSL_API int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX*); WOLFSSL_API int wolfSSL_SHA1_Update(WOLFSSL_SHA_CTX*, const void*, unsigned long); WOLFSSL_API int wolfSSL_SHA1_Final(unsigned char*, WOLFSSL_SHA_CTX*); - +WOLFSSL_API int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX*, + const unsigned char *data); enum { SHA_DIGEST_LENGTH = 20 }; @@ -68,6 +70,13 @@ typedef WOLFSSL_SHA_CTX SHA_CTX; #define SHA_Init wolfSSL_SHA_Init #define SHA_Update wolfSSL_SHA_Update #define SHA_Final wolfSSL_SHA_Final +#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_SELFTEST) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) + /* SHA is only available in non-fips mode or fips version > 2 mode + * because of SHA enum in FIPS build. */ + #define SHA wolfSSL_SHA1 +#endif #define SHA1_Init wolfSSL_SHA1_Init #define SHA1_Update wolfSSL_SHA1_Update @@ -99,6 +108,13 @@ typedef WOLFSSL_SHA224_CTX SHA224_CTX; #define SHA224_Init wolfSSL_SHA224_Init #define SHA224_Update wolfSSL_SHA224_Update #define SHA224_Final wolfSSL_SHA224_Final +#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_SELFTEST) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) + /* SHA224 is only available in non-fips mode or fips version > 2 mode + * because of SHA224 enum in FIPS build. */ + #define SHA224 wolfSSL_SHA224 +#endif #endif /* WOLFSSL_SHA224 */ @@ -113,9 +129,10 @@ typedef struct WOLFSSL_SHA256_CTX { WOLFSSL_API int wolfSSL_SHA256_Init(WOLFSSL_SHA256_CTX*); WOLFSSL_API int wolfSSL_SHA256_Update(WOLFSSL_SHA256_CTX*, const void*, - unsigned long); + unsigned long); WOLFSSL_API int wolfSSL_SHA256_Final(unsigned char*, WOLFSSL_SHA256_CTX*); - +WOLFSSL_API int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX*, + const unsigned char *data); enum { SHA256_DIGEST_LENGTH = 32 }; @@ -126,6 +143,8 @@ typedef WOLFSSL_SHA256_CTX SHA256_CTX; #define SHA256_Init wolfSSL_SHA256_Init #define SHA256_Update wolfSSL_SHA256_Update #define SHA256_Final wolfSSL_SHA256_Final +#define SHA256_Transform wolfSSL_SHA256_Transform + #if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) /* SHA256 is only available in non-fips mode because of SHA256 enum in FIPS * build. */ @@ -171,9 +190,10 @@ typedef struct WOLFSSL_SHA512_CTX { WOLFSSL_API int wolfSSL_SHA512_Init(WOLFSSL_SHA512_CTX*); WOLFSSL_API int wolfSSL_SHA512_Update(WOLFSSL_SHA512_CTX*, const void*, - unsigned long); + unsigned long); WOLFSSL_API int wolfSSL_SHA512_Final(unsigned char*, WOLFSSL_SHA512_CTX*); - +WOLFSSL_API int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX*, + const unsigned char*); enum { SHA512_DIGEST_LENGTH = 64 }; @@ -184,6 +204,7 @@ typedef WOLFSSL_SHA512_CTX SHA512_CTX; #define SHA512_Init wolfSSL_SHA512_Init #define SHA512_Update wolfSSL_SHA512_Update #define SHA512_Final wolfSSL_SHA512_Final +#define SHA512_Transform wolfSSL_SHA512_Transform #if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) /* SHA512 is only available in non-fips mode because of SHA512 enum in FIPS * build. */ diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 471398c0f3..fcc2df1e61 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -410,6 +410,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define X509_free wolfSSL_X509_free #define X509_load_certificate_file wolfSSL_X509_load_certificate_file #define X509_digest wolfSSL_X509_digest +#define X509_pubkey_digest wolfSSL_X509_pubkey_digest #define X509_get_ext_count wolfSSL_X509_get_ext_count #define X509_get_ext_d2i wolfSSL_X509_get_ext_d2i #define X509V3_EXT_i2d wolfSSL_X509V3_EXT_i2d @@ -558,6 +559,12 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define X509_V_FLAG_NO_CHECK_TIME WOLFSSL_NO_CHECK_TIME #define X509_CHECK_FLAG_NO_WILDCARDS WOLFSSL_NO_WILDCARDS +#define X509_VP_FLAG_DEFAULT WOLFSSL_VPARAM_DEFAULT +#define X509_VP_FLAG_OVERWRITE WOLFSSL_VPARAM_OVERWRITE +#define X509_VP_FLAG_RESET_FLAGS WOLFSSL_VPARAM_RESET_FLAGS +#define X509_VP_FLAG_LOCKED WOLFSSL_VPARAM_LOCKED +#define X509_VP_FLAG_ONCE WOLFSSL_VPARAM_ONCE + #define X509_STORE_CTX_get_current_cert wolfSSL_X509_STORE_CTX_get_current_cert #define X509_STORE_CTX_set_verify_cb wolfSSL_X509_STORE_CTX_set_verify_cb #define X509_STORE_CTX_new wolfSSL_X509_STORE_CTX_new @@ -605,6 +612,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_VERIFY_PARAM_set_hostflags wolfSSL_X509_VERIFY_PARAM_set_hostflags #define X509_VERIFY_PARAM_set1_host wolfSSL_X509_VERIFY_PARAM_set1_host #define X509_VERIFY_PARAM_set1_ip_asc wolfSSL_X509_VERIFY_PARAM_set1_ip_asc +#define X509_VERIFY_PARAM_set1 wolfSSL_X509_VERIFY_PARAM_set1 #define X509_STORE_load_locations wolfSSL_X509_STORE_load_locations #define X509_LOOKUP_add_dir wolfSSL_X509_LOOKUP_add_dir @@ -622,6 +630,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_CRL_get_nextUpdate wolfSSL_X509_CRL_get_nextUpdate #define X509_CRL_verify wolfSSL_X509_CRL_verify #define X509_CRL_get_REVOKED wolfSSL_X509_CRL_get_REVOKED +#define X509_load_crl_file wolfSSL_X509_load_crl_file #define X509_get_X509_PUBKEY wolfSSL_X509_get_X509_PUBKEY #define X509_REQ_get_X509_PUBKEY wolfSSL_X509_get_X509_PUBKEY @@ -1071,6 +1080,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL_CTX_set_min_proto_version wolfSSL_CTX_set_min_proto_version #define SSL_CTX_set_max_proto_version wolfSSL_CTX_set_max_proto_version +#define SSL_CTX_get_min_proto_version wolfSSL_CTX_get_min_proto_version #define SSL_get_tlsext_status_exts wolfSSL_get_tlsext_status_exts @@ -1127,6 +1137,9 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL3_AD_BAD_CERTIFICATE bad_certificate #define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE +#define SSL_AD_UNRECOGNIZED_NAME unrecognized_name +#define SSL_AD_NO_RENEGOTIATION no_renegotiation +#define SSL_AD_INTERNAL_ERROR 80 #define ASN1_STRFLGS_ESC_MSB 4 @@ -1167,6 +1180,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL3_AL_FATAL 2 #define SSL_TLSEXT_ERR_OK 0 #define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal +#define SSL_TLSEXT_ERR_ALERT_WARNING alert_warning #define SSL_TLSEXT_ERR_NOACK alert_warning #define TLSEXT_NAMETYPE_host_name WOLFSSL_SNI_HOST_NAME @@ -1306,6 +1320,8 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL_CTX_set_srp_strength wolfSSL_CTX_set_srp_strength #define SSL_get_SSL_CTX wolfSSL_get_SSL_CTX #define SSL_get0_param wolfSSL_get0_param +#define SSL_CTX_get0_param wolfSSL_CTX_get0_param +#define SSL_CTX_set1_param wolfSSL_CTX_set1_param #define SSL_get_srp_username wolfSSL_get_srp_username #define ERR_NUM_ERRORS 16 @@ -1317,6 +1333,11 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL_get_rbio wolfSSL_SSL_get_rbio #define SSL_get_wbio wolfSSL_SSL_get_wbio #define SSL_do_handshake wolfSSL_SSL_do_handshake + +#if defined(WOLFSSL_EARLY_DATA) +#define SSL_get_early_data_status wolfSSL_get_early_data_status +#endif + #endif /* OPENSSL_EXTRA */ /* cipher suites for compatibility */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index e8c31fc84e..9116dff7a6 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -563,8 +563,16 @@ struct WOLFSSL_X509_STORE { #define WOLFSSL_USE_CHECK_TIME 0x2 #define WOLFSSL_NO_CHECK_TIME 0x200000 #define WOLFSSL_HOST_NAME_MAX 256 + +#define WOLFSSL_VPARAM_DEFAULT 0x1 +#define WOLFSSL_VPARAM_OVERWRITE 0x2 +#define WOLFSSL_VPARAM_RESET_FLAGS 0x4 +#define WOLFSSL_VPARAM_LOCKED 0x8 +#define WOLFSSL_VPARAM_ONCE 0x10 + struct WOLFSSL_X509_VERIFY_PARAM { time_t check_time; + unsigned int inherit_flags; unsigned long flags; char hostName[WOLFSSL_HOST_NAME_MAX]; unsigned int hostFlags; @@ -878,7 +886,9 @@ WOLFSSL_API int wolfSSL_CTX_set_ecdh_auto(WOLFSSL_CTX* ctx, int onoff); #endif WOLFSSL_ABI WOLFSSL_API WOLFSSL* wolfSSL_new(WOLFSSL_CTX*); WOLFSSL_API WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl); +WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM* wolfSSL_CTX_get0_param(WOLFSSL_CTX* ctx); WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_CTX_set1_param(WOLFSSL_CTX* ctx, WOLFSSL_X509_VERIFY_PARAM *vpm); WOLFSSL_API int wolfSSL_is_server(WOLFSSL*); WOLFSSL_API WOLFSSL* wolfSSL_write_dup(WOLFSSL*); WOLFSSL_ABI WOLFSSL_API int wolfSSL_set_fd (WOLFSSL*, int); @@ -938,6 +948,11 @@ WOLFSSL_API int wolfSSL_connect_TLSv13(WOLFSSL*); WOLFSSL_API int wolfSSL_accept_TLSv13(WOLFSSL*); #ifdef WOLFSSL_EARLY_DATA + +#define WOLFSSL_EARLY_DATA_NOT_SENT 0 +#define WOLFSSL_EARLY_DATA_REJECTED 1 +#define WOLFSSL_EARLY_DATA_ACCEPTED 2 + WOLFSSL_API int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz); WOLFSSL_API int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz); @@ -945,6 +960,7 @@ WOLFSSL_API int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz); WOLFSSL_API int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz); +WOLFSSL_API int wolfSSL_get_early_data_status(const WOLFSSL* ssl); #endif /* WOLFSSL_EARLY_DATA */ #endif /* WOLFSSL_TLS13 */ WOLFSSL_ABI WOLFSSL_API void wolfSSL_CTX_free(WOLFSSL_CTX*); @@ -1338,6 +1354,7 @@ WOLFSSL_API int wolfSSL_BIO_nwrite(WOLFSSL_BIO *bio, char **buf, int num); WOLFSSL_API int wolfSSL_BIO_reset(WOLFSSL_BIO *bio); WOLFSSL_API int wolfSSL_BIO_seek(WOLFSSL_BIO *bio, int ofs); +WOLFSSL_API int wolfSSL_BIO_tell(WOLFSSL_BIO* bio); WOLFSSL_API int wolfSSL_BIO_write_filename(WOLFSSL_BIO *bio, char *name); WOLFSSL_API long wolfSSL_BIO_set_mem_eof_return(WOLFSSL_BIO *bio, int v); WOLFSSL_API long wolfSSL_BIO_get_mem_ptr(WOLFSSL_BIO *bio, WOLFSSL_BUF_MEM **m); @@ -1545,6 +1562,10 @@ WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* p unsigned int nameSz); WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_ip_asc( WOLFSSL_X509_VERIFY_PARAM *param, const char *ipasc); +WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1(WOLFSSL_X509_VERIFY_PARAM* to, + const WOLFSSL_X509_VERIFY_PARAM* from); +WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, + const char *file, int type); #endif WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_X509_CRL_get_REVOKED(WOLFSSL_X509_CRL*); WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_sk_X509_REVOKED_value( @@ -2116,8 +2137,8 @@ WOLFSSL_API int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_CTX_set_session_id_context(WOLFSSL_CTX*, const unsigned char*, unsigned int); WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509* wolfSSL_get_peer_certificate(WOLFSSL*); +#ifdef OPENSSL_EXTRA WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL*); -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl); #endif @@ -2255,6 +2276,8 @@ WOLFSSL_API WOLFSSL_X509* WOLFSSL_API int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out); WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL **crl, const unsigned char *in, int len); +WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, + WOLFSSL_X509_CRL **crl); #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE file, WOLFSSL_X509_CRL **crl); #endif @@ -3480,6 +3503,8 @@ WOLFSSL_API void wolfSSL_X509V3_set_ctx(WOLFSSL_X509V3_CTX* ctx, WOLFSSL_API void wolfSSL_X509V3_set_ctx_nodb(WOLFSSL_X509V3_CTX* ctx); WOLFSSL_API int wolfSSL_X509_digest(const WOLFSSL_X509* x509, const WOLFSSL_EVP_MD* digest, unsigned char* buf, unsigned int* len); +WOLFSSL_API int wolfSSL_X509_pubkey_digest(const WOLFSSL_X509 *x509, + const WOLFSSL_EVP_MD *digest, unsigned char* buf, unsigned int* len); WOLFSSL_API int wolfSSL_use_certificate(WOLFSSL* ssl, WOLFSSL_X509* x509); WOLFSSL_API int wolfSSL_use_PrivateKey(WOLFSSL* ssl, WOLFSSL_EVP_PKEY* pkey); WOLFSSL_API int wolfSSL_use_PrivateKey_ASN1(int pri, WOLFSSL* ssl, @@ -3554,6 +3579,7 @@ WOLFSSL_API int wolfSSL_get_server_tmp_key(const WOLFSSL*, WOLFSSL_EVP_PKEY**); WOLFSSL_API int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX*, int); WOLFSSL_API int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX*, int); +WOLFSSL_API int wolfSSL_CTX_get_min_proto_version(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey); WOLFSSL_API WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u); @@ -3615,6 +3641,7 @@ WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg); WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne); WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md); +WOLFSSL_API unsigned char *wolfSSL_SHA224(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA256(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA384(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA512(const unsigned char *d, size_t n, unsigned char *md); @@ -3990,9 +4017,9 @@ WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp, const WOLFSSL_ASN1_INTEGER *a); #ifdef HAVE_SESSION_TICKET -WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, int (*)( - WOLFSSL *ssl, unsigned char *name, unsigned char *iv, - WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc)); +typedef int (*ticketCompatCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv, + WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc); +WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, ticketCompatCb); #endif #if defined(HAVE_OCSP) || defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ diff --git a/wolfssl/test.h b/wolfssl/test.h index 5da853e609..50a5c96a25 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -4088,4 +4088,30 @@ static WC_INLINE word16 GetRandomPort(void) return port; } +#ifdef WOLFSSL_EARLY_DATA +static WC_INLINE void EarlyDataStatus(WOLFSSL* ssl) +{ + int earlyData_status; + + earlyData_status = wolfSSL_get_early_data_status(ssl); + if (earlyData_status < 0) return; + + printf("Early Data was "); + + switch(earlyData_status) { + case WOLFSSL_EARLY_DATA_NOT_SENT: + printf("not sent.\n"); + break; + case WOLFSSL_EARLY_DATA_REJECTED: + printf("rejected.\n"); + break; + case WOLFSSL_EARLY_DATA_ACCEPTED: + printf("accepted\n"); + break; + default: + printf("unknown...\n"); + } +} +#endif /* WOLFSSL_EARLY_DATA */ + #endif /* wolfSSL_TEST_H */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index e412c1d065..5080841119 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -977,6 +977,14 @@ struct DecodedCert { #endif }; +/* ASN Encoded Name field */ +typedef struct EncodedName { + int nameLen; /* actual string value length */ + int totalLen; /* total encoded length */ + int type; /* type of name */ + int used; /* are we actually using this one */ + byte encoded[CTC_NAME_SIZE * 2]; /* encoding */ +} EncodedName; #ifdef NO_SHA #define SIGNER_DIGEST_SIZE WC_SHA256_DIGEST_SIZE @@ -1163,6 +1171,8 @@ WOLFSSL_LOCAL int DateGreaterThan(const struct tm* a, const struct tm* b); WOLFSSL_LOCAL int wc_ValidateDate(const byte* date, byte format, int dateType); WOLFSSL_LOCAL int wc_OBJ_sn2nid(const char *sn); +WOLFSSL_LOCAL int wc_EncodeName(EncodedName* name, const char* nameStr, + char nameType, byte type); /* ASN.1 helper functions */ #ifdef WOLFSSL_CERT_GEN WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name); @@ -1390,6 +1400,8 @@ struct OcspEntry byte* rawCertId; /* raw bytes of the CertID */ int rawCertIdSize; /* num bytes in raw CertID */ /* option bits - using 32-bit for alignment */ + word32 ownStatus:1; /* do we need to free the status + * response list */ word32 isDynamic:1; /* was dynamically allocated */ }; diff --git a/wolfssl/wolfcrypt/hash.h b/wolfssl/wolfcrypt/hash.h index 73222cab9b..44b505da4a 100644 --- a/wolfssl/wolfcrypt/hash.h +++ b/wolfssl/wolfcrypt/hash.h @@ -88,7 +88,7 @@ enum wc_HashFlags { #endif }; - +#ifndef NO_HASH_WRAPPER typedef union { #ifndef NO_MD5 wc_Md5 md5; @@ -112,6 +112,7 @@ typedef union { wc_Sha3 sha3; #endif } wc_HashAlg; +#endif /* !NO_HASH_WRAPPER */ /* Find largest possible digest size Note if this gets up to the size of 80 or over check smallstack build */ @@ -151,6 +152,8 @@ WOLFSSL_API enum wc_HashType wc_OidGetHash(int oid); WOLFSSL_API enum wc_HashType wc_HashTypeConvert(int hashType); +#ifndef NO_HASH_WRAPPER + WOLFSSL_API int wc_HashGetDigestSize(enum wc_HashType hash_type); WOLFSSL_API int wc_HashGetBlockSize(enum wc_HashType hash_type); WOLFSSL_API int wc_Hash(enum wc_HashType hash_type, @@ -215,6 +218,8 @@ WOLFSSL_API int wc_Shake256Hash(const byte*, word32, byte*, word32); #endif #endif /* WOLFSSL_SHA3 */ +#endif /* !NO_HASH_WRAPPER */ + enum max_prf { #ifdef HAVE_FFDHE_8192 MAX_PRF_HALF = 516, /* Maximum half secret len */ diff --git a/wolfssl/wolfcrypt/integer.h b/wolfssl/wolfcrypt/integer.h index 8f3665b60e..59a366bb1b 100644 --- a/wolfssl/wolfcrypt/integer.h +++ b/wolfssl/wolfcrypt/integer.h @@ -227,7 +227,8 @@ typedef int ltm_prime_callback(unsigned char *dst, int len, void *dat); /* ---> Basic Manipulations <--- */ #define mp_iszero(a) (((a)->used == 0) ? MP_YES : MP_NO) #define mp_isone(a) \ - (((((a)->used == 1)) && ((a)->dp[0] == 1u)) ? MP_YES : MP_NO) + (((((a)->used == 1)) && ((a)->dp[0] == 1u) && ((a)->sign == MP_ZPOS)) \ + ? MP_YES : MP_NO) #define mp_iseven(a) \ (((a)->used > 0 && (((a)->dp[0] & 1u) == 0u)) ? MP_YES : MP_NO) #define mp_isodd(a) \ diff --git a/wolfssl/wolfcrypt/md5.h b/wolfssl/wolfcrypt/md5.h index e2ee13c32a..290c5ec919 100644 --- a/wolfssl/wolfcrypt/md5.h +++ b/wolfssl/wolfcrypt/md5.h @@ -42,9 +42,12 @@ extern "C" { #endif +#if !defined(NO_OLD_MD5_NAME) + #define MD5 WC_MD5 +#endif + #ifndef NO_OLD_WC_NAMES #define Md5 wc_Md5 - #define MD5 WC_MD5 #define MD5_BLOCK_SIZE WC_MD5_BLOCK_SIZE #define MD5_DIGEST_SIZE WC_MD5_DIGEST_SIZE #define WC_MD5_PAD_SIZE WC_MD5_PAD_SIZE @@ -109,6 +112,9 @@ WOLFSSL_API int wc_InitMd5_ex(wc_Md5*, void*, int); WOLFSSL_API int wc_Md5Update(wc_Md5*, const byte*, word32); WOLFSSL_API int wc_Md5Final(wc_Md5*, byte*); WOLFSSL_API void wc_Md5Free(wc_Md5*); +#ifdef OPENSSL_EXTRA +WOLFSSL_API int wc_Md5Transform(wc_Md5*, const byte*); +#endif WOLFSSL_API int wc_Md5GetHash(wc_Md5*, byte*); WOLFSSL_API int wc_Md5Copy(wc_Md5*, wc_Md5*); diff --git a/wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h b/wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h index 5262498218..f025deda60 100644 --- a/wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h +++ b/wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h @@ -89,11 +89,13 @@ uint64_t wc_esp32elapsedTime(); /* RAW hash function APIs are not implemented with esp32 hardware acceleration*/ #define WOLFSSL_NO_HASH_RAW +#define SHA_CTX ETS_SHAContext #if ESP_IDF_VERSION_MAJOR >= 4 #include "esp32/rom/sha.h" #else #include "rom/sha.h" #endif +#undef SHA_CTX typedef enum { ESP32_SHA_INIT = 0, diff --git a/wolfssl/wolfcrypt/port/ti/ti-ccm.h b/wolfssl/wolfcrypt/port/ti/ti-ccm.h index f5d71fca11..f704d7705d 100644 --- a/wolfssl/wolfcrypt/port/ti/ti-ccm.h +++ b/wolfssl/wolfcrypt/port/ti/ti-ccm.h @@ -1,47 +1,47 @@ -/* port/ti/ti_ccm.c - * - * Copyright (C) 2006-2020 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ +/* port/ti/ti_ccm.c + * + * Copyright (C) 2006-2020 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + +#ifndef WOLF_CRYPT_TI_CCM_H +#define WOLF_CRYPT_TI_CCM_H + +#ifdef HAVE_CONFIG_H + #include +#endif + +#include + +#if defined(WOLFSSL_TI_CRYPT) || defined(WOLFSSL_TI_HASH) + +int wolfSSL_TI_CCMInit(void) ; + +#ifndef SINGLE_THREADED +void wolfSSL_TI_lockCCM(void) ; +void wolfSSL_TI_unlockCCM(void) ; +#else +#define wolfSSL_TI_lockCCM() +#define wolfSSL_TI_unlockCCM() +#endif + +#endif + +#endif - -#ifndef WOLF_CRYPT_TI_CCM_H -#define WOLF_CRYPT_TI_CCM_H - -#ifdef HAVE_CONFIG_H - #include -#endif - -#include - -#if defined(WOLFSSL_TI_CRYPT) || defined(WOLFSSL_TI_HASH) - -int wolfSSL_TI_CCMInit(void) ; - -#ifndef SINGLE_THREADED -void wolfSSL_TI_lockCCM(void) ; -void wolfSSL_TI_unlockCCM(void) ; -#else -#define wolfSSL_TI_lockCCM() -#define wolfSSL_TI_unlockCCM() -#endif - -#endif - -#endif - diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 6d180137e5..31a33a57b5 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1796,7 +1796,9 @@ extern void uITRON4_free(void *p) ; /* ECC Configs */ #ifdef HAVE_ECC /* By default enable Sign, Verify, DHE, Key Import and Key Export unless explicitly disabled */ - #ifndef NO_ECC_SIGN + #if !defined(NO_ECC_SIGN) && \ + (!defined(ECC_TIMING_RESISTANT) || \ + (defined(ECC_TIMING_RESISTANT) && !defined(WC_NO_RNG))) #undef HAVE_ECC_SIGN #define HAVE_ECC_SIGN #endif @@ -1808,7 +1810,7 @@ extern void uITRON4_free(void *p) ; #undef HAVE_ECC_CHECK_KEY #define HAVE_ECC_CHECK_KEY #endif - #ifndef NO_ECC_DHE + #if !defined(NO_ECC_DHE) && !defined(WC_NO_RNG) #undef HAVE_ECC_DHE #define HAVE_ECC_DHE #endif @@ -2094,8 +2096,9 @@ extern void uITRON4_free(void *p) ; #if defined(HAVE_IO_POOL) || defined(XMALLOC_USER) || defined(NO_WOLFSSL_MEMORY) #error static memory cannot be used with HAVE_IO_POOL, XMALLOC_USER or NO_WOLFSSL_MEMORY #endif - #if !defined(USE_FAST_MATH) && !defined(NO_BIG_INT) - #error static memory requires fast math please define USE_FAST_MATH + #if !defined(WOLFSSL_SP_NO_MALLOC) && \ + !defined(USE_FAST_MATH) && !defined(NO_BIG_INT) + #error The static memory option is only supported for fast math or SP with no malloc #endif #ifdef WOLFSSL_SMALL_STACK #error static memory does not support small stack please undefine @@ -2271,9 +2274,14 @@ extern void uITRON4_free(void *p) ; #if defined(NO_OLD_WC_NAMES) || defined(OPENSSL_EXTRA) /* added to have compatibility with SHA256() */ - #if !defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) + #if !defined(NO_OLD_SHA_NAMES) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) #define NO_OLD_SHA_NAMES #endif + #if !defined(NO_OLD_MD5_NAME) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + #define NO_OLD_MD5_NAME + #endif #endif /* switch for compatibility layer functionality. Has subparts i.e. BIO/X509 diff --git a/wolfssl/wolfcrypt/sha.h b/wolfssl/wolfcrypt/sha.h index 6203d648d6..f074f28c46 100644 --- a/wolfssl/wolfcrypt/sha.h +++ b/wolfssl/wolfcrypt/sha.h @@ -169,6 +169,9 @@ WOLFSSL_API void wc_ShaFree(wc_Sha*); WOLFSSL_API int wc_ShaGetHash(wc_Sha*, byte*); WOLFSSL_API int wc_ShaCopy(wc_Sha*, wc_Sha*); +#if defined(OPENSSL_EXTRA) +WOLFSSL_API int wc_ShaTransform(wc_Sha*, const byte*); +#endif #ifdef WOLFSSL_PIC32MZ_HASH WOLFSSL_API void wc_ShaSizeSet(wc_Sha* sha, word32 len); diff --git a/wolfssl/wolfcrypt/sha256.h b/wolfssl/wolfcrypt/sha256.h index 9538fed7b9..93c794f31e 100644 --- a/wolfssl/wolfcrypt/sha256.h +++ b/wolfssl/wolfcrypt/sha256.h @@ -198,7 +198,9 @@ WOLFSSL_API int wc_Sha256Update(wc_Sha256*, const byte*, word32); WOLFSSL_API int wc_Sha256FinalRaw(wc_Sha256*, byte*); WOLFSSL_API int wc_Sha256Final(wc_Sha256*, byte*); WOLFSSL_API void wc_Sha256Free(wc_Sha256*); - +#if defined(OPENSSL_EXTRA) +WOLFSSL_API int wc_Sha256Transform(wc_Sha256*, const byte*); +#endif WOLFSSL_API int wc_Sha256GetHash(wc_Sha256*, byte*); WOLFSSL_API int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst); @@ -216,9 +218,12 @@ WOLFSSL_API void wc_Sha256SizeSet(wc_Sha256*, word32); #if !defined(HAVE_FIPS) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) +#if !defined(NO_OLD_SHA_NAMES) + #define SHA224 WC_SHA224 +#endif + #ifndef NO_OLD_WC_NAMES #define Sha224 wc_Sha224 - #define SHA224 WC_SHA224 #define SHA224_BLOCK_SIZE WC_SHA224_BLOCK_SIZE #define SHA224_DIGEST_SIZE WC_SHA224_DIGEST_SIZE #define SHA224_PAD_SIZE WC_SHA224_PAD_SIZE diff --git a/wolfssl/wolfcrypt/sha512.h b/wolfssl/wolfcrypt/sha512.h index f3e79a263e..6b6ad84e9a 100644 --- a/wolfssl/wolfcrypt/sha512.h +++ b/wolfssl/wolfcrypt/sha512.h @@ -180,6 +180,9 @@ WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst); WOLFSSL_API int wc_Sha512GetFlags(wc_Sha512* sha512, word32* flags); #endif +#if defined(OPENSSL_EXTRA) +WOLFSSL_API int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data); +#endif #endif /* WOLFSSL_SHA512 */ #if defined(WOLFSSL_SHA384) diff --git a/wolfssl/wolfcrypt/sp_int.h b/wolfssl/wolfcrypt/sp_int.h index 562603e81d..163dcdad0d 100644 --- a/wolfssl/wolfcrypt/sp_int.h +++ b/wolfssl/wolfcrypt/sp_int.h @@ -655,9 +655,9 @@ typedef struct sp_ecc_ctx { #endif /** Radix is base 10 or decimal. */ -#define MP_RADIX_DEC 10 +#define MP_RADIX_DEC 10 /** Radix is base 16 or hexadecimal. */ -#define MP_RADIX_HEX 16 +#define MP_RADIX_HEX 16 /** Result of comparison is that the first number is greater than second. */ #define MP_GT 1 @@ -666,16 +666,21 @@ typedef struct sp_ecc_ctx { /** Result of comparison is that the first number is less than second. */ #define MP_LT -1 +/* ERROR VALUES */ /** Error value on success. */ -#define MP_OKAY 0 +#define MP_OKAY 0 /** Error value when dynamic memory allocation fails. */ -#define MP_MEM -2 +#define MP_MEM -2 /** Error value when value passed is not able to be used. */ -#define MP_VAL -3 +#define MP_VAL -3 /** Error value when non-blocking operation is returning after partial * completion. */ -#define FP_WOULDBLOCK -4 +#define FP_WOULDBLOCK -4 +/* Unused error. Defined for backward compatability. */ +#define MP_NOT_INF -5 +/* Unused error. Defined for backward compatability. */ +#define MP_RANGE MP_NOT_INF /* Number of bits in each word/digit. */ #define DIGIT_BIT SP_WORD_SIZE diff --git a/wolfssl/wolfcrypt/srp.h b/wolfssl/wolfcrypt/srp.h index 94f198dfb3..bb6aa203ad 100644 --- a/wolfssl/wolfcrypt/srp.h +++ b/wolfssl/wolfcrypt/srp.h @@ -246,7 +246,7 @@ WOLFSSL_API int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size); * * The public ephemeral value is known as: * A at the client side. A = g ^ a % N - * B at the server side. B = (k * v + (g ˆ b % N)) % N + * B at the server side. B = (k * v + (g ^ b % N)) % N * This function MUST be called after wc_SrpSetPassword or wc_SrpSetVerifier. * * @param[in,out] srp the Srp structure. diff --git a/wolfssl/wolfcrypt/tfm.h b/wolfssl/wolfcrypt/tfm.h index 5546b57bf3..3f4c43276b 100644 --- a/wolfssl/wolfcrypt/tfm.h +++ b/wolfssl/wolfcrypt/tfm.h @@ -422,13 +422,16 @@ MP_API void fp_free(fp_int* a); /* zero/one/even/odd/neg/word ? */ #define fp_iszero(a) (((a)->used == 0) ? FP_YES : FP_NO) #define fp_isone(a) \ - ((((a)->used == 1) && ((a)->dp[0] == 1)) ? FP_YES : FP_NO) -#define fp_iseven(a) (((a)->used > 0 && (((a)->dp[0] & 1) == 0)) ? FP_YES : FP_NO) -#define fp_isodd(a) (((a)->used > 0 && (((a)->dp[0] & 1) == 1)) ? FP_YES : FP_NO) -#define fp_isneg(a) (((a)->sign != 0) ? FP_YES : FP_NO) -#define fp_isword(a, w) \ - ((((a)->used == 1) && ((a)->dp[0] == w)) || ((w == 0) && ((a)->used == 0)) \ + ((((a)->used == 1) && ((a)->dp[0] == 1) && ((a)->sign == FP_ZPOS)) \ ? FP_YES : FP_NO) +#define fp_iseven(a) \ + (((a)->used > 0 && (((a)->dp[0] & 1) == 0)) ? FP_YES : FP_NO) +#define fp_isodd(a) \ + (((a)->used > 0 && (((a)->dp[0] & 1) == 1)) ? FP_YES : FP_NO) +#define fp_isneg(a) (((a)->sign != FP_ZPOS) ? FP_YES : FP_NO) +#define fp_isword(a, w) \ + (((((a)->used == 1) && ((a)->dp[0] == w)) || \ + ((w == 0) && ((a)->used == 0))) ? FP_YES : FP_NO) /* set to a small digit */ void fp_set(fp_int *a, fp_digit b);