wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-04 13:14:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1191 from SparkiDev/tls13_no_ecc

Browse Source 
Fix no ECC builds with TLS13 code.
This commit is contained in:
toddouska
2017-10-26 10:49:59 -07:00
committed by GitHub
parent ee489b12ef 323db1a95d
commit 264c481c71
10 changed files with 125 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
configure.ac
View File

@@ -285,11 +285,7 @@ fi
if test "$ENABLED_TLS13" = "yes" if test "$ENABLED_TLS13" = "yes"
then then
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS $AM_CFLAGS" AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
if test "$ENABLED_DH" = "yes"
then
AM_CFLAGS="-DHAVE_FFDHE_2048 $AM_CFLAGS"
fi
fi fi
# check if TLS v1.3 was enabled for conditionally running tls13.test script # check if TLS v1.3 was enabled for conditionally running tls13.test script
@@ -1512,6 +1508,11 @@ else
fi fi
fi fi
if test "$ENABLED_TLS13" = "yes" && test "$ENABLED_DH" = "yes"
then
AM_CFLAGS="-DHAVE_FFDHE_2048 $AM_CFLAGS"
fi
AM_CONDITIONAL([BUILD_DH], [test "x$ENABLED_DH" = "xyes"]) AM_CONDITIONAL([BUILD_DH], [test "x$ENABLED_DH" = "xyes"])

25
scripts/tls13.test
View File

@@ -175,21 +175,24 @@ if [ $RESULT -ne 0 ]; then
fi fi
echo "" echo ""
# Usual TLS v1.3 server / TLS v1.3 client and ECC certificates. ./examples/client/client -v 4 -e 2>&1 | grep -- '-ECC'
echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC certificates" if [ $? -eq 0 ]; then
port=0 # Usual TLS v1.3 server / TLS v1.3 client and ECC certificates.
./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port & echo -e "\n\nTLS v1.3 server with TLS v1.3 client - ECC certificates"
server_pid=$! port=0
create_port ./examples/server/server -v 4 -A certs/client-ecc-cert.pem -c certs/server-ecc.pem -k certs/ecc-key.pem -R $ready_file -p $port &
./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port server_pid=$!
RESULT=$? create_port
remove_ready_file ./examples/client/client -v 4 -A certs/ca-ecc-cert.pem -c certs/client-ecc-cert.pem -k certs/ecc-client-key.pem -p $port
if [ $RESULT -ne 0 ]; then RESULT=$?
remove_ready_file
if [ $RESULT -ne 0 ]; then
echo -e "\n\nTLS v1.3 ECC certificates not working" echo -e "\n\nTLS v1.3 ECC certificates not working"
do_cleanup do_cleanup
exit 1 exit 1
fi
echo ""
fi fi
echo ""
# Usual TLS v1.3 server / TLS v1.3 client and no client certificate. # Usual TLS v1.3 server / TLS v1.3 client and no client certificate.
echo -e "\n\nTLS v1.3 server with TLS v1.3 client - no client cretificate" echo -e "\n\nTLS v1.3 server with TLS v1.3 client - no client cretificate"

2
src/internal.c
View File

@@ -22021,7 +22021,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
} }
} }
#ifdef HAVE_SUPPORTED_CURVES #if defined(HAVE_SUPPORTED_CURVES) && defined(HAVE_ECC)
if (!TLSX_ValidateSupportedCurves(ssl, first, second)) { if (!TLSX_ValidateSupportedCurves(ssl, first, second)) {
WOLFSSL_MSG("Don't have matching curves"); WOLFSSL_MSG("Don't have matching curves");
return 0; return 0;

20
src/tls.c
View File

@@ -2818,7 +2818,7 @@ int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
#ifdef HAVE_SUPPORTED_CURVES #ifdef HAVE_SUPPORTED_CURVES
#ifndef HAVE_ECC #if !defined(HAVE_ECC) && !defined(WOLFSSL_TLS13)
#error Elliptic Curves Extension requires Elliptic Curve Cryptography. \ #error Elliptic Curves Extension requires Elliptic Curve Cryptography. \
Use --enable-ecc in the configure script or define HAVE_ECC. Use --enable-ecc in the configure script or define HAVE_ECC.
#endif #endif
@@ -3077,6 +3077,7 @@ static int TLSX_PointFormat_Parse(WOLFSSL* ssl, byte* input, word16 length,
return 0; return 0;
} }
#ifdef HAVE_ECC
int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) { int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE) TLSX* extension = (first == ECC_BYTE || first == CHACHA_BYTE)
? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
@@ -3366,6 +3367,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
return sig && key; return sig && key;
} }
#endif
#endif /* NO_WOLFSSL_SERVER */ #endif /* NO_WOLFSSL_SERVER */
@@ -5200,6 +5202,7 @@ static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
while ((current = list) != NULL) { while ((current = list) != NULL) {
list = current->next; list = current->next;
#ifdef HAVE_ECC
if ((current->group & NAMED_DH_MASK) == 0) { if ((current->group & NAMED_DH_MASK) == 0) {
if (current->group == WOLFSSL_ECC_X25519) { if (current->group == WOLFSSL_ECC_X25519) {
#ifdef HAVE_CURVE25519 #ifdef HAVE_CURVE25519
@@ -5212,6 +5215,7 @@ static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
#endif #endif
} }
} }
#endif
XFREE(current->key, heap, DYNAMIC_TYPE_PRIVATE_KEY); XFREE(current->key, heap, DYNAMIC_TYPE_PRIVATE_KEY);
XFREE(current->ke, heap, DYNAMIC_TYPE_PUBLIC_KEY); XFREE(current->ke, heap, DYNAMIC_TYPE_PUBLIC_KEY);
XFREE(current, heap, DYNAMIC_TYPE_TLSX); XFREE(current, heap, DYNAMIC_TYPE_TLSX);
@@ -7759,18 +7763,18 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
#endif #endif
if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) { if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
#if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ #if defined(HAVE_ECC) && (!defined(NO_ECC256) || \
!defined(NO_ECC_SECP) defined(HAVE_ALL_CURVES)) && !defined(NO_ECC_SECP)
ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP256R1, 0, NULL, ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP256R1, 0, NULL,
NULL); NULL);
#elif defined(HAVE_CURVE25519) #elif defined(HAVE_ECC) && defined(HAVE_CURVE25519)
ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_X25519, 0, NULL, NULL); ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_X25519, 0, NULL, NULL);
#elif (!defined(NO_ECC384) || defined(HAVE_ALL_CURVES)) && \ #elif defined(HAVE_ECC) && (!defined(NO_ECC384) || \
!defined(NO_ECC_SECP) defined(HAVE_ALL_CURVES)) && !defined(NO_ECC_SECP)
ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP384R1, 0, NULL, ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP384R1, 0, NULL,
NULL); NULL);
#elif (!defined(NO_ECC521) || defined(HAVE_ALL_CURVES)) && \ #elif defined(HAVE_ECC) && (!defined(NO_ECC521) || \
!defined(NO_ECC_SECP) defined(HAVE_ALL_CURVES)) && !defined(NO_ECC_SECP)
ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP521R1, 0, NULL, ret = TLSX_KeyShare_Use(ssl, WOLFSSL_ECC_SECP521R1, 0, NULL,
NULL); NULL);
#elif defined(HAVE_FFDHE_2048) #elif defined(HAVE_FFDHE_2048)

2
src/tls13.c
View File

@@ -3325,7 +3325,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->version.minor = pv.minor; ssl->version.minor = pv.minor;
} }
#ifdef WOLFSSL_SEND_HRR_COOKIE #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE)
if (ssl->options.sendCookie && if (ssl->options.sendCookie &&
ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) { ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
TLSX* ext; TLSX* ext;

10
tests/api.c
View File

@@ -10721,6 +10721,7 @@ static int test_tls13_apis(void)
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
#endif #endif
#ifdef HAVE_ECC
AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG); AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_SECP256R1), AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_SECP256R1),
SIDE_ERROR); SIDE_ERROR);
@@ -10728,6 +10729,15 @@ static int test_tls13_apis(void)
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1), AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1),
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
#else
AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_SECP256R1),
SIDE_ERROR);
AssertIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_SECP256R1),
NOT_COMPILED_IN);
AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1),
NOT_COMPILED_IN);
#endif
AssertIntEQ(wolfSSL_NoKeyShares(NULL), BAD_FUNC_ARG); AssertIntEQ(wolfSSL_NoKeyShares(NULL), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_NoKeyShares(serverSsl), SIDE_ERROR); AssertIntEQ(wolfSSL_NoKeyShares(serverSsl), SIDE_ERROR);

1
tests/include.am
View File

@@ -21,6 +21,7 @@ endif
EXTRA_DIST += tests/unit.h EXTRA_DIST += tests/unit.h
EXTRA_DIST += tests/test.conf \ EXTRA_DIST += tests/test.conf \
tests/test-tls13.conf \ tests/test-tls13.conf \
tests/test-tls13-ecc.conf \
tests/test-qsh.conf \ tests/test-qsh.conf \
tests/test-psk-no-id.conf \ tests/test-psk-no-id.conf \
tests/test-dtls.conf \ tests/test-dtls.conf \

10
tests/suites.c
View File

@@ -577,6 +577,16 @@ int SuiteTest(void)
printf("error from script %d\n", args.return_code); printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
#ifdef HAVE_ECC
/* add TLSv13 ECC extra suites */
strcpy(argv0[1], "tests/test-tls13-ecc.conf");
printf("starting TLSv13 ECC extra cipher suite tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#endif
#endif #endif
#if defined(HAVE_CURVE25519) && defined(HAVE_ED25519) #if defined(HAVE_CURVE25519) && defined(HAVE_ED25519)
/* add ED25519 certificate cipher suite tests */ /* add ED25519 certificate cipher suite tests */

67
tests/test-tls13-ecc.conf Normal file
View File

@@ -0,0 +1,67 @@
# server TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
-v 4
-l TLS13-CHACH20-POLY1305-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
-v 4
-l TLS13-CHACH20-POLY1305-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
-t

67
tests/test-tls13.conf
View File

@@ -38,73 +38,6 @@
-v 4 -v 4
-l TLS13-AES128-CCM-8-SHA256 -l TLS13-AES128-CCM-8-SHA256
# server TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
-v 4
-l TLS13-CHACH20-POLY1305-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-CHACH20-POLY1305-SHA256
-v 4
-l TLS13-CHACH20-POLY1305-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-A ./certs/ca-ecc-cert.pem
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
-t
# server TLSv1.3 accepting EarlyData # server TLSv1.3 accepting EarlyData
-v 4 -v 4
-l TLS13-AES128-GCM-SHA256 -l TLS13-AES128-GCM-SHA256