From d3195d0b7572222fe66f4244a8250cb02898d3f9 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 22 Nov 2016 11:25:40 -0800 Subject: [PATCH 01/33] Pulled in patches from Debian package. --- ChangeLog | 1 + Makefile.am | 37 +++++++++++++++++++++---------------- configure.ac | 18 ++++++++++++------ wolfcrypt/src/aes_asm.s | 6 +++++- 4 files changed, 39 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index e69de29bb..87ed82401 100644 --- a/ChangeLog +++ b/ChangeLog @@ -0,0 +1 @@ +Please see the file 'README' in this directory. diff --git a/Makefile.am b/Makefile.am index 3ad41c388..a9b7a5e28 100644 --- a/Makefile.am +++ b/Makefile.am @@ -100,23 +100,28 @@ include testsuite/include.am include tests/include.am include sslSniffer/sslSnifferTest/include.am include rpm/include.am -include mqx/util_lib/Sources/include.am -include mqx/wolfcrypt_benchmark/Sources/include.am -include mqx/wolfcrypt_test/Sources/include.am -include mqx/wolfssl/include.am -include mqx/wolfssl_client/Sources/include.am -include mplabx/include.am -include mplabx/wolfcrypt_benchmark.X/nbproject/include.am -include mplabx/wolfcrypt_test.X/nbproject/include.am -include mplabx/wolfssl.X/nbproject/include.am -include mcapi/include.am -include mcapi/wolfcrypt_mcapi.X/nbproject/include.am -include mcapi/wolfcrypt_test.X/nbproject/include.am -include mcapi/wolfssl.X/nbproject/include.am -include mcapi/zlib.X/nbproject/include.am -include tirtos/include.am + +if BUILD_DISTRO + # Exclude references to non-DFSG sources from build files +else + include mqx/util_lib/Sources/include.am + include mqx/wolfcrypt_benchmark/Sources/include.am + include mqx/wolfcrypt_test/Sources/include.am + include mqx/wolfssl/include.am + include mqx/wolfssl_client/Sources/include.am + include mplabx/include.am + include mplabx/wolfcrypt_benchmark.X/nbproject/include.am + include mplabx/wolfcrypt_test.X/nbproject/include.am + include mplabx/wolfssl.X/nbproject/include.am + include mcapi/include.am + include mcapi/wolfcrypt_mcapi.X/nbproject/include.am + include mcapi/wolfcrypt_test.X/nbproject/include.am + include mcapi/wolfssl.X/nbproject/include.am + include mcapi/zlib.X/nbproject/include.am + include tirtos/include.am + include IDE/include.am +endif include scripts/include.am -include IDE/include.am if USE_VALGRIND TESTS_ENVIRONMENT=./valgrind-error.sh diff --git a/configure.ac b/configure.ac index bef64afca..574dd88bd 100644 --- a/configure.ac +++ b/configure.ac @@ -192,6 +192,7 @@ then enable_stunnel=yes enable_pwdbased=yes fi +AM_CONDITIONAL([BUILD_DISTRO], [test "x$ENABLED_DISTRO" = "xyes"]) # SINGLE THREADED @@ -2183,7 +2184,7 @@ then ENABLED_ECC="yes" AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256" AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) - + if test "$ENABLED_ECC_SHAMIR" = "yes" then AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR" @@ -2256,7 +2257,7 @@ then ENABLED_ECC="yes" AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256" AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) - + if test "$ENABLED_ECC_SHAMIR" = "yes" then AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR" @@ -2360,7 +2361,7 @@ then ENABLED_ECC="yes" AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256" AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) - + if test "$ENABLED_ECC_SHAMIR" = "yes" then AM_CFLAGS="$AM_CFLAGS -DECC_SHAMIR" @@ -2875,7 +2876,7 @@ AC_ARG_ENABLE([asynccrypt], if test "$ENABLED_ASYNCCRYPT" = "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASYNC_CRYPT -DHAVE_WOLF_EVENT" - + # if Cavium not enabled the use async simulator for testing if test "x$ENABLED_CAVIUM" = "xno" then @@ -3082,7 +3083,8 @@ AS_IF([test "x$ENABLED_DTLS" = "xno" && \ ################################################################################ # OPTIMIZE FLAGS -if test "$GCC" = "yes" +# For distro disable custom build options that interfere with symbol generation +if test "$GCC" = "yes" && test "$ENABLED_DISTRO" = "no" then AM_CFLAGS="$AM_CFLAGS -Wall -Wno-unused" if test "$ax_enable_debug" = "no" @@ -3131,7 +3133,11 @@ case $host_os in esac # add user C_EXTRA_FLAGS back -CFLAGS="$CFLAGS $USER_C_EXTRA_FLAGS" +# For distro disable custom build options that interfere with symbol generation +if test "$ENABLED_DISTRO" = "no" +then + CFLAGS="$CFLAGS $USER_C_EXTRA_FLAGS" +fi OPTION_FLAGS="$USER_CFLAGS $USER_C_EXTRA_FLAGS $AM_CFLAGS" CREATE_HEX_VERSION diff --git a/wolfcrypt/src/aes_asm.s b/wolfcrypt/src/aes_asm.s index ac67a09ee..e47b3469e 100644 --- a/wolfcrypt/src/aes_asm.s +++ b/wolfcrypt/src/aes_asm.s @@ -1205,7 +1205,7 @@ pslldq $4, %xmm4 pxor %xmm4, %xmm3 pxor %xmm2, %xmm3 ret - + /* void AES_256_Key_Expansion (const unsigned char *userkey, @@ -1372,3 +1372,7 @@ gfmul: ret #endif /* HAVE_AESGCM */ + +#if defined(__linux__) && defined(__ELF__) + .section .note.GNU-stack,"",%progbits +#endif From 2f3ec778bd8e534b05016f7090497869b5f5735c Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 29 Nov 2016 13:29:19 -0800 Subject: [PATCH 02/33] For distro build don't install options.h (conflicts with multi-arch). Fix for BUILD_DISTRO excludes with indent. --- Makefile.am | 37 ++++++++++++++++++------------------- cyassl/include.am | 8 +++++++- wolfssl/include.am | 8 +++++++- 3 files changed, 32 insertions(+), 21 deletions(-) diff --git a/Makefile.am b/Makefile.am index a9b7a5e28..1f042dc3d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -101,25 +101,24 @@ include tests/include.am include sslSniffer/sslSnifferTest/include.am include rpm/include.am -if BUILD_DISTRO - # Exclude references to non-DFSG sources from build files -else - include mqx/util_lib/Sources/include.am - include mqx/wolfcrypt_benchmark/Sources/include.am - include mqx/wolfcrypt_test/Sources/include.am - include mqx/wolfssl/include.am - include mqx/wolfssl_client/Sources/include.am - include mplabx/include.am - include mplabx/wolfcrypt_benchmark.X/nbproject/include.am - include mplabx/wolfcrypt_test.X/nbproject/include.am - include mplabx/wolfssl.X/nbproject/include.am - include mcapi/include.am - include mcapi/wolfcrypt_mcapi.X/nbproject/include.am - include mcapi/wolfcrypt_test.X/nbproject/include.am - include mcapi/wolfssl.X/nbproject/include.am - include mcapi/zlib.X/nbproject/include.am - include tirtos/include.am - include IDE/include.am +# Exclude references to non-DFSG sources from build files +if !BUILD_DISTRO +include mqx/util_lib/Sources/include.am +include mqx/wolfcrypt_benchmark/Sources/include.am +include mqx/wolfcrypt_test/Sources/include.am +include mqx/wolfssl/include.am +include mqx/wolfssl_client/Sources/include.am +include mplabx/include.am +include mplabx/wolfcrypt_benchmark.X/nbproject/include.am +include mplabx/wolfcrypt_test.X/nbproject/include.am +include mplabx/wolfssl.X/nbproject/include.am +include mcapi/include.am +include mcapi/wolfcrypt_mcapi.X/nbproject/include.am +include mcapi/wolfcrypt_test.X/nbproject/include.am +include mcapi/wolfssl.X/nbproject/include.am +include mcapi/zlib.X/nbproject/include.am +include tirtos/include.am +include IDE/include.am endif include scripts/include.am diff --git a/cyassl/include.am b/cyassl/include.am index db1f089ee..b4c7e0436 100644 --- a/cyassl/include.am +++ b/cyassl/include.am @@ -16,10 +16,16 @@ nobase_include_HEADERS+= \ cyassl/certs_test.h \ cyassl/test.h \ cyassl/version.h \ - cyassl/options.h \ cyassl/ocsp.h \ cyassl/crl.h noinst_HEADERS+= \ cyassl/internal.h +# For distro build don't install options.h. +# It depends on the architecture and conflicts with Multi-Arch. +if BUILD_DISTRO +noinst_HEADERS+= cyassl/options.h +else +nobase_include_HEADERS+= cyassl/options.h +endif diff --git a/wolfssl/include.am b/wolfssl/include.am index a02488fc8..03883b086 100644 --- a/wolfssl/include.am +++ b/wolfssl/include.am @@ -16,10 +16,16 @@ nobase_include_HEADERS+= \ wolfssl/certs_test.h \ wolfssl/test.h \ wolfssl/version.h \ - wolfssl/options.h \ wolfssl/ocsp.h \ wolfssl/crl.h noinst_HEADERS+= \ wolfssl/internal.h +# For distro build don't install options.h. +# It depends on the architecture and conflicts with Multi-Arch. +if BUILD_DISTRO +noinst_HEADERS+= wolfssl/options.h +else +nobase_include_HEADERS+= wolfssl/options.h +endif From cb0cc92ff2c41bf637522cd18e491b2d29a0822d Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 7 Dec 2016 07:07:27 -0800 Subject: [PATCH 03/33] Fixes for building with CRL monitor when not linux, OS X or FreeBSD and --enable-distro set. Cleanup of the crl.c HAVE_CRL_MONITOR checks for OS and make sure if StopMonitor preprocessor is defined the function will also be defined. --- configure.ac | 9 +++++++-- src/crl.c | 13 ++++++------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/configure.ac b/configure.ac index 574dd88bd..58cad5908 100644 --- a/configure.ac +++ b/configure.ac @@ -1782,7 +1782,12 @@ then *linux* | *darwin* | *freebsd*) AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_MONITOR" ;; *) - AC_MSG_ERROR([crl monitor only allowed on linux, OS X, or freebsd]) ;; + if test "x$ENABLED_DISTRO" = "xyes" ; then + ENABLED_CRL_MONITOR="no" + else + AC_MSG_ERROR( [crl monitor only allowed on linux, OS X, or freebsd]) + fi + break;; esac fi @@ -2232,7 +2237,7 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) fi - if test "x$ENABLED_CRL_MONITOR" = "xno" + if test "x$ENABLED_CRL_MONITOR" = "xno" && test "x$ENABLED_DISTRO" = "xno" then ENABLED_CRL_MONITOR="yes" AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_MONITOR" diff --git a/src/crl.c b/src/crl.c index fcc925af7..2fbcde08c 100644 --- a/src/crl.c +++ b/src/crl.c @@ -42,8 +42,12 @@ #include #ifdef HAVE_CRL_MONITOR - static int StopMonitor(int mfd); -#endif + #if (defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__)) + static int StopMonitor(int mfd); + #else + #error "CRL monitor only currently supported on linux or mach" + #endif +#endif /* HAVE_CRL_MONITOR */ /* Initialize CRL members */ @@ -718,11 +722,6 @@ static void* DoMonitor(void* arg) return NULL; } - -#else - -#error "CRL monitor only currently supported on linux or mach" - #endif /* MACH or linux */ From 050ba9d6e01580e9571fc354dac735b66efbd845 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 19 Dec 2016 12:15:10 -0800 Subject: [PATCH 04/33] unit test md5, sha, sha256, sha384, sha512 Memory leak fix. --- mcapi/crypto.c | 12 +- mcapi/mcapi_test.c | 18 +- src/internal.c | 291 ++++++++++--- src/keys.c | 91 +++- src/sniffer.c | 16 +- src/ssl.c | 76 +++- tests/api.c | 912 ++++++++++++++++++++++++++++++++++++++- tests/hash.c | 18 +- wolfcrypt/src/hmac.c | 79 +++- wolfcrypt/src/md5.c | 56 ++- wolfcrypt/src/pwdbased.c | 55 ++- wolfcrypt/src/sha.c | 30 +- wolfcrypt/src/sha256.c | 61 ++- wolfcrypt/src/sha512.c | 313 ++++++++------ wolfcrypt/test/test.c | 17 +- wolfssl/wolfcrypt/md5.h | 8 +- 16 files changed, 1754 insertions(+), 299 deletions(-) diff --git a/mcapi/crypto.c b/mcapi/crypto.c index d0216035d..8ccf00460 100644 --- a/mcapi/crypto.c +++ b/mcapi/crypto.c @@ -52,9 +52,7 @@ int CRYPT_MD5_Initialize(CRYPT_MD5_CTX* md5) if (md5 == NULL) return BAD_FUNC_ARG; - wc_InitMd5((Md5*)md5); - - return 0; + return wc_InitMd5((Md5*)md5); } @@ -65,9 +63,7 @@ int CRYPT_MD5_DataAdd(CRYPT_MD5_CTX* md5, const unsigned char* input, if (md5 == NULL || input == NULL) return BAD_FUNC_ARG; - wc_Md5Update((Md5*)md5, input, sz); - - return 0; + return wc_Md5Update((Md5*)md5, input, sz); } @@ -77,9 +73,7 @@ int CRYPT_MD5_Finalize(CRYPT_MD5_CTX* md5, unsigned char* digest) if (md5 == NULL || digest == NULL) return BAD_FUNC_ARG; - wc_Md5Final((Md5*)md5, digest); - - return 0; + return wc_Md5Final((Md5*)md5, digest); } diff --git a/mcapi/mcapi_test.c b/mcapi/mcapi_test.c index 0a6d77e74..75f86c3f5 100644 --- a/mcapi/mcapi_test.c +++ b/mcapi/mcapi_test.c @@ -214,17 +214,27 @@ static int check_md5(void) { CRYPT_MD5_CTX mcMd5; Md5 defMd5; + int ret; byte mcDigest[CRYPT_MD5_DIGEST_SIZE]; byte defDigest[MD5_DIGEST_SIZE]; CRYPT_MD5_Initialize(&mcMd5); - wc_InitMd5(&defMd5); + ret = wc_InitMd5(&defMd5); + if (ret != 0) { + return ret; + } CRYPT_MD5_DataAdd(&mcMd5, ourData, OUR_DATA_SIZE); - wc_Md5Update(&defMd5, ourData, OUR_DATA_SIZE); + ret = wc_Md5Update(&defMd5, ourData, OUR_DATA_SIZE); + if (ret != 0) { + return ret; + } CRYPT_MD5_Finalize(&mcMd5, mcDigest); - wc_Md5Final(&defMd5, defDigest); + ret = wc_Md5Final(&defMd5, defDigest); + if (ret != 0) { + return ret; + } if (memcmp(mcDigest, defDigest, CRYPT_MD5_DIGEST_SIZE) != 0) { printf("md5 final memcmp fialed\n"); @@ -232,7 +242,7 @@ static int check_md5(void) } printf("md5 mcapi test passed\n"); - return 0; + return ret; } diff --git a/src/internal.c b/src/internal.c index e4701b8bf..a214b7fcb 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3531,7 +3531,10 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) #ifndef NO_OLD_TLS #ifndef NO_MD5 - wc_InitMd5(&ssl->hsHashes->hashMd5); + ret = wc_InitMd5(&ssl->hsHashes->hashMd5); + if (ret != 0) { + return ret; + } #endif #ifndef NO_SHA ret = wc_InitSha(&ssl->hsHashes->hashSha); @@ -4746,7 +4749,10 @@ static int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz) wc_ShaUpdate(&ssl->hsHashes->hashSha, output, sz); #endif #ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, output, sz); + ret = wc_Md5Update(&ssl->hsHashes->hashMd5, output, sz); + if (ret != 0) { + return ret; + } #endif #endif /* NO_OLD_TLS */ @@ -4794,10 +4800,16 @@ static int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz) #endif #ifndef NO_OLD_TLS #ifndef NO_SHA - wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); + ret = wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); + if (ret != 0) { + return ret; + } #endif #ifndef NO_MD5 - wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); + ret = wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); + if (ret != 0) { + return ret; + } #endif #endif @@ -5439,9 +5451,9 @@ static const byte PAD2[PAD_MD5] = #include #endif -static void BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) +static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) { - + int ret; byte md5_result[MD5_DIGEST_SIZE]; #ifdef WOLFSSL_SMALL_STACK @@ -5455,24 +5467,81 @@ static void BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) /* make md5 inner */ md5[0] = ssl->hsHashes->hashMd5 ; /* Save current position */ - wc_Md5Update(&ssl->hsHashes->hashMd5, sender, SIZEOF_SENDER); - wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret,SECRET_LEN); - wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5); + ret = wc_Md5Update(&ssl->hsHashes->hashMd5, sender, SIZEOF_SENDER); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret, + SECRET_LEN); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } wc_Md5GetHash(&ssl->hsHashes->hashMd5, md5_result); wc_Md5RestorePos(&ssl->hsHashes->hashMd5, md5) ; /* Restore current position */ /* make md5 outer */ - wc_InitMd5(md5_2) ; - wc_Md5Update(md5_2, ssl->arrays->masterSecret,SECRET_LEN); - wc_Md5Update(md5_2, PAD2, PAD_MD5); - wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE); - wc_Md5Final(md5_2, hashes->md5); + ret = wc_InitMd5(md5_2) ; + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(md5_2, ssl->arrays->masterSecret,SECRET_LEN); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(md5_2, PAD2, PAD_MD5); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Final(md5_2, hashes->md5); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } #ifdef WOLFSSL_SMALL_STACK XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - + return ret; } @@ -5551,7 +5620,14 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #endif #ifndef NO_OLD_TLS if (!ssl->options.tls) { - BuildMD5(ssl, hashes, sender); + if (BuildMD5(ssl, hashes, sender) != 0) { + #ifdef WOLFSSL_SMALL_STACK + #ifdef WOLFSSL_SHA384 + XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + #endif + return SSL_FATAL_ERROR; + } BuildSHA(ssl, hashes, sender); } #endif @@ -9899,10 +9975,9 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, byte result[MAX_DIGEST_SIZE]; word32 digestSz = ssl->specs.hash_size; /* actual sizes */ word32 padSz = ssl->specs.pad_size; - int ret = 0; - Md5 md5; Sha sha; + int ret; /* data */ byte seq[SEQ_SZ]; @@ -9920,45 +9995,109 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, WriteSEQ(ssl, verify, seq); if (ssl->specs.mac_algorithm == md5_mac) { - wc_InitMd5(&md5); + ret = wc_InitMd5(&md5); + if (ret != 0) { + return ret; + } /* inner */ - wc_Md5Update(&md5, macSecret, digestSz); - wc_Md5Update(&md5, PAD1, padSz); - wc_Md5Update(&md5, seq, SEQ_SZ); - wc_Md5Update(&md5, conLen, sizeof(conLen)); + ret = wc_Md5Update(&md5, macSecret, digestSz); + if (ret != 0) { + return ret; + } + ret = wc_Md5Update(&md5, PAD1, padSz); + if (ret != 0) { + return ret; + } + ret = wc_Md5Update(&md5, seq, SEQ_SZ); + if (ret != 0) { + return ret; + } + ret = wc_Md5Update(&md5, conLen, sizeof(conLen)); + if (ret != 0) { + return ret; + } /* in buffer */ - wc_Md5Update(&md5, in, sz); - wc_Md5Final(&md5, result); + ret = wc_Md5Update(&md5, in, sz); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&md5, result); + if (ret != 0) { + return ret; + } /* outer */ - wc_Md5Update(&md5, macSecret, digestSz); - wc_Md5Update(&md5, PAD2, padSz); - wc_Md5Update(&md5, result, digestSz); - wc_Md5Final(&md5, digest); + ret = wc_Md5Update(&md5, macSecret, digestSz); + if (ret != 0) { + return ret; + } + ret = wc_Md5Update(&md5, PAD2, padSz); + if (ret != 0) { + return ret; + } + ret = wc_Md5Update(&md5, result, digestSz); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&md5, digest); + if (ret != 0) { + return ret; + } } else { ret = wc_InitSha(&sha); if (ret != 0) return ret; /* inner */ - wc_ShaUpdate(&sha, macSecret, digestSz); - wc_ShaUpdate(&sha, PAD1, padSz); - wc_ShaUpdate(&sha, seq, SEQ_SZ); - wc_ShaUpdate(&sha, conLen, sizeof(conLen)); + ret = wc_ShaUpdate(&sha, macSecret, digestSz); + if (ret != 0) { + return ret; + } + ret = wc_ShaUpdate(&sha, PAD1, padSz); + if (ret != 0) { + return ret; + } + ret = wc_ShaUpdate(&sha, seq, SEQ_SZ); + if (ret != 0) { + return ret; + } + ret = wc_ShaUpdate(&sha, conLen, sizeof(conLen)); + if (ret != 0) { + return ret; + } /* in buffer */ - wc_ShaUpdate(&sha, in, sz); - wc_ShaFinal(&sha, result); + ret = wc_ShaUpdate(&sha, in, sz); + if (ret != 0) { + return ret; + } + ret = wc_ShaFinal(&sha, result); + if (ret != 0) { + return ret; + } /* outer */ - wc_ShaUpdate(&sha, macSecret, digestSz); - wc_ShaUpdate(&sha, PAD2, padSz); - wc_ShaUpdate(&sha, result, digestSz); - wc_ShaFinal(&sha, digest); + ret = wc_ShaUpdate(&sha, macSecret, digestSz); + if (ret != 0) { + return ret; + } + ret = wc_ShaUpdate(&sha, PAD2, padSz); + if (ret != 0) { + return ret; + } + ret = wc_ShaUpdate(&sha, result, digestSz); + if (ret != 0) { + return ret; + } + ret = wc_ShaFinal(&sha, digest); + if (ret != 0) { + return ret; + } } - return 0; + return ret; } #ifndef NO_CERTS -static void BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest) +static int BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest) { + int ret; byte md5_result[MD5_DIGEST_SIZE]; #ifdef WOLFSSL_SMALL_STACK @@ -9971,23 +10110,75 @@ static void BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest) /* make md5 inner */ md5[0] = ssl->hsHashes->hashMd5 ; /* Save current position */ - wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret,SECRET_LEN); - wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5); + ret = wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret, + SECRET_LEN); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } wc_Md5GetHash(&ssl->hsHashes->hashMd5, md5_result); wc_Md5RestorePos(&ssl->hsHashes->hashMd5, md5) ; /* Restore current position */ /* make md5 outer */ - wc_InitMd5(md5_2) ; - wc_Md5Update(md5_2, ssl->arrays->masterSecret, SECRET_LEN); - wc_Md5Update(md5_2, PAD2, PAD_MD5); - wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE); + ret = wc_InitMd5(md5_2) ; + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(md5_2, ssl->arrays->masterSecret, SECRET_LEN); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(md5_2, PAD2, PAD_MD5); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } - wc_Md5Final(md5_2, digest); + ret = wc_Md5Final(md5_2, digest); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } #ifdef WOLFSSL_SMALL_STACK XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif + + return ret; } @@ -10064,7 +10255,9 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) } #if ! defined( NO_OLD_TLS ) else { - BuildMD5_CertVerify(ssl, hashes->md5); + if (BuildMD5_CertVerify(ssl, hashes->md5) != 0) { + return SSL_FATAL_ERROR; + } BuildSHA_CertVerify(ssl, hashes->sha); } #endif diff --git a/src/keys.c b/src/keys.c index a1095b1eb..80440612e 100644 --- a/src/keys.c +++ b/src/keys.c @@ -2862,7 +2862,7 @@ int DeriveKeys(WOLFSSL* ssl) 2 * ssl->specs.iv_size; int rounds = (length + MD5_DIGEST_SIZE - 1 ) / MD5_DIGEST_SIZE, i; int ret = 0; - + #ifdef WOLFSSL_SMALL_STACK byte* shaOutput; byte* md5Input; @@ -2878,7 +2878,7 @@ int DeriveKeys(WOLFSSL* ssl) Md5 md5[1]; Sha sha[1]; #endif - + #ifdef WOLFSSL_SMALL_STACK shaOutput = (byte*)XMALLOC(SHA_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -2890,7 +2890,7 @@ int DeriveKeys(WOLFSSL* ssl) NULL, DYNAMIC_TYPE_TMP_BUFFER); md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER); sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER); - + if (shaOutput == NULL || md5Input == NULL || shaInput == NULL || keyData == NULL || md5 == NULL || sha == NULL) { if (shaOutput) XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -2899,12 +2899,23 @@ int DeriveKeys(WOLFSSL* ssl) if (keyData) XFREE(keyData, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (md5) XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (sha) XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); - + return MEMORY_E; } #endif - wc_InitMd5(md5); + ret = wc_InitMd5(md5); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyData, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } ret = wc_InitSha(sha); @@ -2931,8 +2942,30 @@ int DeriveKeys(WOLFSSL* ssl) wc_ShaFinal(sha, shaOutput); XMEMCPY(md5Input + SECRET_LEN, shaOutput, SHA_DIGEST_SIZE); - wc_Md5Update(md5, md5Input, SECRET_LEN + SHA_DIGEST_SIZE); - wc_Md5Final(md5, keyData + i * MD5_DIGEST_SIZE); + ret = wc_Md5Update(md5, md5Input, SECRET_LEN + SHA_DIGEST_SIZE); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyData, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Final(md5, keyData + i * MD5_DIGEST_SIZE); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyData, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } } if (ret == 0) @@ -3010,7 +3043,7 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) NULL, DYNAMIC_TYPE_TMP_BUFFER); md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER); sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER); - + if (shaOutput == NULL || md5Input == NULL || shaInput == NULL || md5 == NULL || sha == NULL) { if (shaOutput) XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -3018,15 +3051,25 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) if (shaInput) XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (md5) XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (sha) XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); - + return MEMORY_E; } #endif - wc_InitMd5(md5); - + ret = wc_InitMd5(md5); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_InitSha(sha); - + if (ret == 0) { XMEMCPY(md5Input, ssl->arrays->preMasterSecret, pmsSz); @@ -3053,8 +3096,28 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) idx = pmsSz; /* preSz */ XMEMCPY(md5Input + idx, shaOutput, SHA_DIGEST_SIZE); idx += SHA_DIGEST_SIZE; - wc_Md5Update(md5, md5Input, idx); - wc_Md5Final(md5, &ssl->arrays->masterSecret[i * MD5_DIGEST_SIZE]); + ret = wc_Md5Update(md5, md5Input, idx); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Final(md5, &ssl->arrays->masterSecret[i * MD5_DIGEST_SIZE]); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } } #ifdef SHOW_SECRETS diff --git a/src/sniffer.c b/src/sniffer.c index 33278f4e0..35d38a5c1 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -576,8 +576,12 @@ static int HashInit(HsHashes* hash) ret = wc_InitSha(&hash->hashSha); #endif #ifndef NO_MD5 - if (ret == 0) - wc_InitMd5(&hash->hashMd5); + if (ret == 0) { + ret = wc_InitMd5(&hash->hashMd5); + if (ret != 0) { + return ret; + } + } #endif #endif #ifndef NO_SHA256 @@ -606,8 +610,12 @@ static int HashUpdate(HsHashes* hash, const byte* input, int sz) ret = wc_ShaUpdate(&hash->hashSha, input, sz); #endif #ifndef NO_MD5 - if (ret == 0) - wc_Md5Update(&hash->hashMd5, input, sz); + if (ret == 0) { + ret = wc_Md5Update(&hash->hashMd5, input, sz); + if (ret !=0) { + return ret; + } + } #endif #endif #ifndef NO_SHA256 diff --git a/src/ssl.c b/src/ssl.c index a865bed42..04b30517a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1671,7 +1671,10 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl) #ifndef NO_OLD_TLS #ifndef NO_MD5 - wc_InitMd5(&ssl->hsHashes->hashMd5); + ret = wc_InitMd5(&ssl->hsHashes->hashMd5); + if (ret != 0) { + return ret; + } #endif #ifndef NO_SHA ret = wc_InitSha(&ssl->hsHashes->hashSha); @@ -7017,6 +7020,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, int wolfSSL_connect(WOLFSSL* ssl) { int neededState; + #if !defined(NO_OLD_TLS) && defined(WOLFSSL_DTLS) + int ret; + #endif WOLFSSL_ENTER("SSL_connect()"); @@ -7105,14 +7111,17 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifdef WOLFSSL_DTLS if (IsDtlsNotSctpMode(ssl)) { /* re-init hashes, exclude first hello and verify request */ -#ifndef NO_OLD_TLS - wc_InitMd5(&ssl->hsHashes->hashMd5); + #ifndef NO_OLD_TLS + ret = wc_InitMd5(&ssl->hsHashes->hashMd5); + if (ret) { + return ret; + } if ( (ssl->error = wc_InitSha(&ssl->hsHashes->hashSha)) != 0) { WOLFSSL_ERROR(ssl->error); return SSL_FATAL_ERROR; } -#endif + #endif if (IsAtLeastTLSv1_2(ssl)) { #ifndef NO_SHA256 if ( (ssl->error = wc_InitSha256( @@ -9540,6 +9549,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) int keyLeft; int ivLeft; int keyOutput = 0; + int ret; byte digest[MD5_DIGEST_SIZE]; #ifdef WOLFSSL_SMALL_STACK Md5* md5 = NULL; @@ -9556,7 +9566,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (void)type; WOLFSSL_ENTER("wolfSSL_EVP_BytesToKey"); - wc_InitMd5(md5); + if (wc_InitMd5(md5)) { + return SSL_FATAL_ERROR; + } /* only support MD5 for now */ if (XSTRNCMP(md, "MD5", 3) != 0) return 0; @@ -9601,18 +9613,56 @@ int wolfSSL_set_compression(WOLFSSL* ssl) while (keyOutput < (keyLen + ivLen)) { int digestLeft = MD5_DIGEST_SIZE; /* D_(i - 1) */ - if (keyOutput) /* first time D_0 is empty */ - wc_Md5Update(md5, digest, MD5_DIGEST_SIZE); + if (keyOutput) { /* first time D_0 is empty */ + ret = wc_Md5Update(md5, digest, MD5_DIGEST_SIZE); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + } /* data */ - wc_Md5Update(md5, data, sz); + ret = wc_Md5Update(md5, data, sz); + if (ret !=0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } /* salt */ - if (salt) - wc_Md5Update(md5, salt, EVP_SALT_SIZE); - wc_Md5Final(md5, digest); + if (salt) { + ret = wc_Md5Update(md5, salt, EVP_SALT_SIZE); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + } + ret = wc_Md5Final(md5, digest); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } /* count */ for (j = 1; j < count; j++) { - wc_Md5Update(md5, digest, MD5_DIGEST_SIZE); - wc_Md5Final(md5, digest); + ret = wc_Md5Update(md5, digest, MD5_DIGEST_SIZE); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Final(md5, digest); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } } if (keyLeft) { diff --git a/tests/api.c b/tests/api.c index 26eea6794..fa04d30bb 100644 --- a/tests/api.c +++ b/tests/api.c @@ -43,6 +43,22 @@ #include #include +#ifndef NO_MD5 + #include +#endif +#ifndef NO_SHA + #include +#endif +#ifndef NO_SHA256 + #include +#endif +#ifdef WOLFSSL_SHA512 + #include +#endif +#ifdef WOLFSSL_SHA384 + #include +#endif + #ifdef OPENSSL_EXTRA #include #include @@ -57,6 +73,16 @@ #endif #include + +typedef struct testVector { + const char* input; + const char* output; + size_t inLen; + size_t outLen; + +} testVector; + + /*----------------------------------------------------------------------------* | Constants *----------------------------------------------------------------------------*/ @@ -2165,7 +2191,7 @@ static int test_wolfSSL_UseOCSPStapling(void) * check. * PRE: HAVE_CERTIFICATE_STATUS_REQUEST_V2 and HAVE_OCSP defined. */ -static int test_wolfSSL_UseOCSPStaplingV2(void) +static int test_wolfSSL_UseOCSPStaplingV2 (void) { #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && defined(HAVE_OCSP) int ret; @@ -2185,7 +2211,7 @@ static int test_wolfSSL_UseOCSPStaplingV2(void) wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); - if(ret != SSL_SUCCESS){ + if (ret != SSL_SUCCESS){ wolfSSL_Cleanup(); return SSL_FAILURE; } @@ -2197,6 +2223,868 @@ static int test_wolfSSL_UseOCSPStaplingV2(void) } /*END test_wolfSSL_UseOCSPStaplingV2*/ +/*----------------------------------------------------------------------------* + | Wolfcrypt + *----------------------------------------------------------------------------*/ + +/* + * Unit test for the wc_InitMd5() + */ +static int test_wc_InitMd5 (void) +{ +#ifndef NO_MD5 + + Md5 md5; + int ret, flag; + + printf(testingFmt, "wc_InitMd5()"); + + flag = SSL_SUCCESS; + /* Test good arg. */ + ret = wc_InitMd5(&md5); + if (ret) { + flag = SSL_FAILURE; + } + /* Test bad arg. */ + ret = wc_InitMd5(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + + return flag; +#else + return SSL_SUCCESS; +#endif +} /* END test_wc_InitMd5 */ + +/* + * Unit test for the wc_InitSha() + */ +static int test_wc_InitSha(void) +{ +#ifndef NO_SHA + Sha sha; + int ret, flag; + + flag = SSL_SUCCESS; + + printf(testingFmt, "wc_InitSha()"); + /* Test good arg. */ + ret = wc_InitSha(&sha); + if (ret != 0) { + flag = SSL_FAILURE; + } + /* Test bad arg. */ + ret = wc_InitSha(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + + return flag; +#else + return SSL_SUCCESS; +#endif + +} /* END test_wc_InitSha */ + +/* + * Unit test for wc_InitSha256() + */ +static int test_wc_InitSha256 (void) +{ +#ifndef NO_SHA256 + Sha256 sha256; + int ret, flag; + + flag = SSL_SUCCESS; + + printf(testingFmt, "wc_InitSha256()"); + /* Test good arg. */ + ret = wc_InitSha256(&sha256); + if (ret != 0) { + flag = SSL_FAILURE; + } + /* Test bad arg. */ + ret = wc_InitSha256(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + + return flag; +#else + return SSL_SUCCESS; +#endif +} /* END test_wc_InitSha256 */ + + +/* + * Testing wc_InitSha512() + */ +static int test_wc_InitSha512 (void) +{ +#ifdef WOLFSSL_SHA512 + Sha512 sha512; + int ret, flag; + + flag = SSL_SUCCESS; + + printf(testingFmt, "wc_InitSha512()"); + /* Test good arg. */ + ret = wc_InitSha512(&sha512); + if (ret != 0) { + flag = SSL_FAILURE; + } + /* Test bad arg. */ + ret = wc_InitSha512(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + + return flag; +#else + return SSL_SUCCESS; +#endif + +} /* END test_wc_InitSha512 */ + +/* + * Testing wc_InitSha384() + */ +static int test_wc_InitSha384 (void) +{ +#ifdef WOLFSSL_SHA384 + Sha384 sha384; + int ret, flag; + + flag = SSL_SUCCESS; + + printf(testingFmt, "wc_InitSha384()"); + /* Test good arg. */ + ret = wc_InitSha384(&sha384); + if (ret != 0) { + flag = SSL_FAILURE; + } + /* Test bad arg. */ + ret = wc_InitSha384(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + + return flag; +#else + return SSL_SUCCESS; +#endif +} /* END test_wc_InitSha384 */ + + +/* + * Testing wc_UpdateMd5() + */ +static int test_wc_UpdateMd5 (void) +{ + +#ifndef NO_MD5 + Md5 md5; + byte hash[MD5_DIGEST_SIZE]; + testVector a, b, c; + int ret; + + ret = wc_InitMd5(&md5); + if (ret != 0) { + return ret; + } + + printf(testingFmt, "wc_Md5Update()"); + + /* Input */ + a.input = "a"; + a.inLen = XSTRLEN(a.input); + + ret = wc_Md5Update(&md5, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&md5, hash); + if (ret != 0) { + return ret; + } + + /* Update input. */ + a.input = "abc"; + a.output = "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f" + "\x72"; + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); + + ret = wc_Md5Update(&md5, (byte*) a.input, (word32) a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&md5, hash); + if (ret != 0) { + return ret; + } + if (ret != 0 && XMEMCMP(hash, a.output, MD5_DIGEST_SIZE) != 0) { + return SSL_FAILURE; + } + + /*Pass in bad values. */ + b.input = NULL; + b.inLen = 0; + + ret = wc_Md5Update(&md5, (byte*)b.input, (word32)b.inLen); + + if (ret != 0) { + return ret; + } + + c.input = NULL; + c.inLen = MD5_DIGEST_SIZE; + + ret = wc_Md5Update(&md5, (byte*)c.input, (word32)c.inLen); + if (ret == 0) { + return SSL_FAILURE; + } + + ret = wc_Md5Update(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + return SSL_FAILURE; + } + + /* If not returned then the unit test passed test vectors. */ + printf(resultFmt, 0 == 0 ? passed : failed); + + return SSL_SUCCESS; +#else + return SSL_SUCCESS; +#endif +} /* END test_wc_UpdateMd5 */ + +/* + * Tesing wc_ShaUpdate() + */ +static int test_wc_ShaUpdate (void) +{ +#ifndef NO_SHA + Sha sha; + byte hash[SHA_DIGEST_SIZE]; + testVector a, b, c; + int ret; + + ret = wc_InitSha(&sha); + if (ret != 0) { + return ret; + } + + printf(testingFmt, "wc_ShaUpdate()"); + + /* Input. */ + a.input = "a"; + a.inLen = XSTRLEN(a.input); + + ret = wc_ShaUpdate(&sha, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_ShaFinal(&sha, hash); + if (ret != 0) { + return ret; + } + + /* Update input. */ + a.input = "abc"; + a.output = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E\x25\x71\x78\x50\xC2" + "\x6C\x9C\xD0\xD8\x9D"; + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); + + ret = wc_ShaUpdate(&sha, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_ShaFinal(&sha, hash); + if (ret !=0) { + return ret; + } + if (ret != 0 && XMEMCMP(hash, a.output, SHA_DIGEST_SIZE) != 0) { + return SSL_FAILURE; + } + + /* Try passing in bad values. */ + b.input = NULL; + b.inLen = 0; + + ret = wc_ShaUpdate(&sha, (byte*)b.input, (word32)b.inLen); + if (ret != 0) { + return ret; + } + + c.input = NULL; + c.inLen = SHA_DIGEST_SIZE; + + ret = wc_ShaUpdate(&sha, (byte*)c.input, (word32)c.inLen); + if (ret == 0) { + return SSL_FAILURE; + } + + ret = wc_ShaUpdate(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + return SSL_FAILURE; + } + + /* If not returned then the unit test passed test vectors. */ + printf(resultFmt, 0 == 0 ? passed : failed); + + return SSL_SUCCESS; +#else + return SSL_SUCCESS; +#endif + +} /* END test_wc_ShaFinal */ + + +/* + * Unit test for wc_Sha256Update() + */ +static int test_wc_Sha256Update (void) +{ +#ifndef NO_SHA256 + Sha256 sha256; + byte hash[SHA256_DIGEST_SIZE]; + testVector a, b, c; + int ret; + + ret = wc_InitSha256(&sha256); + if (ret != 0) { + return ret; + } + + printf(testingFmt, "wc_Sha256Update()"); + + /* Input. */ + a.input = "a"; + a.inLen = XSTRLEN(a.input); + + ret = wc_Sha256Update(&sha256, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_Sha256Final(&sha256, hash); + if (ret != 0) { + return ret; + } + + /* Update input. */ + a.input = "abc"; + a.output = "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" + "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" + "\x15\xAD"; + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); + + ret = wc_Sha256Update(&sha256, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_Sha256Final(&sha256, hash); + if (ret != 0) { + return ret; + } + if (ret != 0 && XMEMCMP(hash, a.output, SHA256_DIGEST_SIZE) != 0) { + return SSL_FAILURE; + } + + /* Try passing in bad values */ + b.input = NULL; + b.inLen = 0; + + ret = wc_Sha256Update(&sha256, (byte*)b.input, (word32)b.inLen); + if (ret != 0) { + return ret; + } + + c.input = NULL; + c.inLen = SHA256_DIGEST_SIZE; + + ret = wc_Sha256Update(&sha256, (byte*)c.input, (word32)c.inLen); + if (ret == 0) { + return SSL_FAILURE; + } + + ret = wc_Sha256Update(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + return SSL_FAILURE; + } + + /* If not returned then the unit test passed. */ + printf(resultFmt, 0 == 0 ? passed : failed); + + return SSL_SUCCESS; +#else + return SSL_SUCCESS; +#endif + +} /* END test_wc_Sha256Update */ + +/* + * test wc_Sha384Update() + */ +static int test_wc_Sha384Update (void) +{ +#ifdef WOLFSSL_SHA384 + Sha384 sha384; + byte hash[SHA384_DIGEST_SIZE]; + testVector a, b, c; + int ret; + + ret = wc_InitSha384(&sha384); + if (ret != 0) { + return ret; + } + + printf(testingFmt, "wc_Sha384Update()"); + + /* Input */ + a.input = "a"; + a.inLen = XSTRLEN(a.input); + + ret = wc_Sha384Update(&sha384, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_Sha384Final(&sha384, hash); + if (ret != 0) { + return ret; + } + + /* Update input. */ + a.input = "abc"; + a.output = "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50" + "\x07\x27\x2c\x32\xab\x0e\xde\xd1\x63\x1a\x8b\x60\x5a\x43\xff" + "\x5b\xed\x80\x86\x07\x2b\xa1\xe7\xcc\x23\x58\xba\xec\xa1\x34" + "\xc8\x25\xa7"; + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); + + ret = wc_Sha384Update(&sha384, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_Sha384Final(&sha384, hash); + if (ret != 0) { + return ret; + } + if (ret != 0 && XMEMCMP(hash, a.output, SHA384_DIGEST_SIZE) != 0) { + return SSL_FAILURE; + } + + /* Pass in bad values. */ + b.input = NULL; + b.inLen = 0; + + ret = wc_Sha384Update(&sha384, (byte*)b.input, (word32)b.inLen); + + if (ret != 0) { + return ret; + } + + c.input = NULL; + c.inLen = SHA384_DIGEST_SIZE; + + ret = wc_Sha384Update(&sha384, (byte*)c.input, (word32)c.inLen); + if (ret == 0) { + return SSL_FAILURE; + } + + ret = wc_Sha384Update(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + return SSL_FAILURE; + } + + /* If not returned then the unit test passed test vectors. */ + printf(resultFmt, 0 == 0 ? passed : failed); + + return SSL_SUCCESS; +#else + return SSL_SUCCESS; +#endif +} /* END test_wc_Sha384Update */ + +/* + * wc_Sha512Update() test. + */ + +static int test_wc_Sha512Update (void) +{ +#ifdef WOLFSSL_SHA512 + Sha512 sha512; + byte hash[SHA512_DIGEST_SIZE]; + testVector a, b, c; + int ret; + + ret = wc_InitSha512(&sha512); + if (ret != 0) { + return ret; + } + + printf(testingFmt, "wc_Sha512Update()"); + + /* Input. */ + a.input = "a"; + a.inLen = XSTRLEN(a.input); + + ret = wc_Sha512Update(&sha512, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_Sha512Final(&sha512, hash); + if (ret != 0) { + return ret; + } + + /* Update input. */ + a.input = "abc"; + a.output = "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31" + "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3" + "\x9a\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe" + "\xeb\xbd\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5" + "\x4c\xa4\x9f"; + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); + + ret = wc_Sha512Update(&sha512, (byte*) a.input, (word32) a.inLen); + if (ret != 0) { + return ret; + } + ret = wc_Sha512Final(&sha512, hash); + if (ret != 0) { + return ret; + } + if (ret != 0 && XMEMCMP(hash, a.output, SHA512_DIGEST_SIZE) != 0) { + return SSL_FAILURE; + } + + /* Try passing in bad values */ + b.input = NULL; + b.inLen = 0; + + ret = wc_Sha512Update(&sha512, (byte*)b.input, (word32)b.inLen); + if (ret != 0) { + return ret; + } + + c.input = NULL; + c.inLen = SHA512_DIGEST_SIZE; + + ret = wc_Sha512Update(&sha512, (byte*)c.input, (word32)c.inLen); + if (ret ==0) { + return SSL_FAILURE; + } + + ret = wc_Sha512Update(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + return SSL_FAILURE; + } + + /* If not returned then the unit test passed test vectors. */ + printf(resultFmt, 0 == 0 ? passed : failed); + + return SSL_SUCCESS; +#else + return SSL_SUCCESS; +#endif + +} /* END test_wc_Sha512Update */ + +/* + * Unit test on wc_Md5Final() in wolfcrypt/src/md5.c + */ +static int test_wc_Md5Final (void) +{ + +#ifndef NO_MD5 + /* Instantiate */ + Md5 md5; + byte* hash_test[3]; + byte hash1[MD5_DIGEST_SIZE]; + byte hash2[2*MD5_DIGEST_SIZE]; + byte hash3[5*MD5_DIGEST_SIZE]; + int times, i, flag, ret; + + /* Initialize */ + ret = wc_InitMd5(&md5); + if (ret != 0) { + return ret; + } + + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; + + times = sizeof(hash_test)/sizeof(byte*); + + flag = SSL_SUCCESS; + + /* Test good args. */ + printf(testingFmt, "wc_Md5Final()"); + + for (i = 0; i < times; i++) { + ret = wc_Md5Final(&md5, hash_test[i]); + if (ret != 0) { + flag = SSL_FAILURE; + } + } + /* Test bad args. */ + ret = wc_Md5Final(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_Md5Final(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_Md5Final(&md5, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + return flag; +#else + return SSL_SUCCESS; +#endif +} + +/* + * Unit test on wc_ShaFinal + */ +static int test_wc_ShaFinal (void) +{ +#ifndef NO_SHA + Sha sha; + byte* hash_test[3]; + byte hash1[SHA_DIGEST_SIZE]; + byte hash2[2*SHA_DIGEST_SIZE]; + byte hash3[5*SHA_DIGEST_SIZE]; + int times, i, ret, flag; + /*Initialize*/ + ret = wc_InitSha(&sha); + if (ret) { + return ret; + } + + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; + times = sizeof(hash_test)/sizeof(byte*); + flag = SSL_SUCCESS; + + /* Good test args. */ + printf(testingFmt, "wc_ShaFinal()"); + + for (i = 0; i < times; i++) { + ret = wc_ShaFinal(&sha, hash_test[i]); + if (ret != 0) { + flag = SSL_FAILURE; + } + } + /* Test bad args. */ + ret = wc_ShaFinal(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_ShaFinal(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_ShaFinal(&sha, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + return flag; +#else + return SSL_SUCCESS; +#endif +} /* END test_wc_ShaFinal */ + +/* + * Unit test function for wc_Sha256Final() + */ +static int test_wc_Sha256Final (void) +{ +#ifndef NO_SHA256 + Sha256 sha256; + byte* hash_test[3]; + byte hash1[SHA256_DIGEST_SIZE]; + byte hash2[2*SHA256_DIGEST_SIZE]; + byte hash3[5*SHA256_DIGEST_SIZE]; + int times, i, ret, flag; + /* Initialize */ + ret = wc_InitSha256(&sha256); + if (ret) { + return ret; + } + + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; + times = sizeof(hash_test) / sizeof(byte*); + flag = SSL_SUCCESS; + /* Good test args. */ + printf(testingFmt, "wc_Sha256Final()"); + + for (i = 0; i < times; i++) { + ret = wc_Sha256Final(&sha256, hash_test[i]); + if (ret != 0) { + flag = SSL_FAILURE; + } + } + /* Test bad args. */ + ret = wc_Sha256Final(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_Sha256Final(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_Sha256Final(&sha256, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + + return flag; +#else + return SSL_SUCCESS; +#endif + +} /* END test_wc_Sha256Final */ + +/* + * Unit test function for wc_Sha512Final() + */ +static int test_wc_Sha512Final (void) +{ +#ifdef WOLFSSL_SHA512 + Sha512 sha512; + byte* hash_test[3]; + byte hash1[SHA512_DIGEST_SIZE]; + byte hash2[2*SHA512_DIGEST_SIZE]; + byte hash3[5*SHA512_DIGEST_SIZE]; + int times, i, ret, flag; + /* Initialize */ + ret = wc_InitSha512(&sha512); + if (ret) { + return ret; + } + + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; + times = sizeof(hash_test) / sizeof(byte *); + flag = SSL_SUCCESS; + + /* Good test args. */ + printf(testingFmt, "wc_Sha512Final()"); + + for (i = 0; i < times; i++) { + ret = wc_Sha512Final(&sha512, hash_test[i]); + if (ret != 0) { + flag = SSL_FAILURE; + } + } + /* Test bad args. */ + ret = wc_Sha512Final(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_Sha512Final(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_Sha512Final(&sha512, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + + return flag; +#else + return SSL_SUCCESS; +#endif +} /* END test_wc_Sha512Final */ + +/* + * Unit test functionf or wc_Sha384Final(); + */ +static int test_wc_Sha384Final (void) +{ +#ifdef WOLFSSL_SHA384 + Sha384 sha384; + byte* hash_test[3]; + byte hash1[SHA384_DIGEST_SIZE]; + byte hash2[2*SHA384_DIGEST_SIZE]; + byte hash3[5*SHA384_DIGEST_SIZE]; + int times, i, ret, flag; + /* Initialize */ + ret = wc_InitSha384(&sha384); + if (ret) { + return ret; + } + + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; + times = sizeof(hash_test) / sizeof(byte*); + flag = SSL_SUCCESS; + + /* Good test args. */ + printf(testingFmt, "wc_Sha384Final()"); + for (i = 0; i < times; i++) { + ret = wc_Sha384Final(&sha384, hash_test[i]); + if (ret != 0) { + flag = SSL_FAILURE; + } + } + /* Test bad args. */ + ret = wc_Sha384Final(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_Sha384Final(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + ret = wc_Sha384Final(&sha384, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FAILURE; + } + + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + + return flag; + +#else + return SSL_SUCCESS; +#endif + +} /* END test_wc_Sha384Final */ + /*----------------------------------------------------------------------------* | Compatibility Tests @@ -2254,7 +3142,6 @@ void ApiTest(void) printf(" Begin API Tests\n"); AssertIntEQ(test_wolfSSL_Init(), SSL_SUCCESS); /* wolfcrypt initialization tests */ - AssertFalse(test_wolfCrypt_Init()); test_wolfSSL_Method_Allocators(); test_wolfSSL_CTX_new(wolfSSLv23_server_method()); test_wolfSSL_CTX_use_certificate_file(); @@ -2293,6 +3180,25 @@ void ApiTest(void) test_wolfSSL_DES(); AssertIntEQ(test_wolfSSL_Cleanup(), SSL_SUCCESS); + + /*wolfcrypt */ + printf("\n-----------------wolfcrypt unit tests------------------\n"); + AssertFalse(test_wolfCrypt_Init()); + AssertTrue(test_wc_InitMd5()); + AssertTrue(test_wc_UpdateMd5()); + AssertTrue(test_wc_Md5Final()); + AssertTrue(test_wc_InitSha()); + AssertTrue(test_wc_ShaUpdate()); + AssertTrue(test_wc_ShaFinal()); + AssertTrue(test_wc_InitSha256()); + AssertTrue(test_wc_Sha256Update()); + AssertTrue(test_wc_Sha256Final()); + AssertTrue(test_wc_InitSha512()); + AssertTrue(test_wc_Sha512Update()); + AssertTrue(test_wc_Sha512Final()); + AssertTrue(test_wc_InitSha384()); + AssertTrue(test_wc_Sha384Update()); + AssertTrue(test_wc_Sha384Final()); printf(" End API Tests\n"); } diff --git a/tests/hash.c b/tests/hash.c index 9167cda16..c32e34efc 100644 --- a/tests/hash.c +++ b/tests/hash.c @@ -255,6 +255,7 @@ int md4_test(void) int md5_test(void) { Md5 md5; + int ret; byte hash[MD5_DIGEST_SIZE]; testVector a, b, c, d, e; @@ -299,11 +300,22 @@ int md5_test(void) test_md5[3] = d; test_md5[4] = e; - wc_InitMd5(&md5); + ret = wc_InitMd5(&md5); + if (ret) { + return ret; + } for (i = 0; i < times; ++i) { - wc_Md5Update(&md5, (byte*)test_md5[i].input, (word32)test_md5[i].inLen); - wc_Md5Final(&md5, hash); + ret = wc_Md5Update(&md5, (byte*)test_md5[i].input, + (word32)test_md5[i].inLen); + if (ret) { + return ret; + } + + ret = wc_Md5Final(&md5, hash); + if (ret) { + return ret; + } if (XMEMCMP(hash, test_md5[i].output, MD5_DIGEST_SIZE) != 0) return -5 - i; diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index a699b6542..8f42a94a1 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -169,7 +169,7 @@ static int InitHmac(Hmac* hmac, int type) switch (type) { #ifndef NO_MD5 case MD5: - wc_InitMd5(&hmac->hash.md5); + ret = wc_InitMd5(&hmac->hash.md5); break; #endif @@ -248,8 +248,14 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) XMEMCPY(ip, key, length); } else { - wc_Md5Update(&hmac->hash.md5, key, length); - wc_Md5Final(&hmac->hash.md5, ip); + ret = wc_Md5Update(&hmac->hash.md5, key, length); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&hmac->hash.md5, ip); + if (ret != 0) { + return ret; + } length = MD5_DIGEST_SIZE; } } @@ -403,13 +409,21 @@ static int HmacKeyInnerHash(Hmac* hmac) switch (hmac->macType) { #ifndef NO_MD5 case MD5: - wc_Md5Update(&hmac->hash.md5, (byte*) hmac->ipad, MD5_BLOCK_SIZE); + ret = wc_Md5Update(&hmac->hash.md5, (byte*) hmac->ipad, + MD5_BLOCK_SIZE); + if (ret != 0) { + return ret; + } break; #endif #ifndef NO_SHA case SHA: - wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->ipad, SHA_BLOCK_SIZE); + ret = wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->ipad, + SHA_BLOCK_SIZE); + if (ret != 0) { + return ret; + } break; #endif @@ -487,13 +501,19 @@ int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length) switch (hmac->macType) { #ifndef NO_MD5 case MD5: - wc_Md5Update(&hmac->hash.md5, msg, length); + ret = wc_Md5Update(&hmac->hash.md5, msg, length); + if (ret != 0) { + return ret; + } break; #endif #ifndef NO_SHA case SHA: - wc_ShaUpdate(&hmac->hash.sha, msg, length); + ret = wc_ShaUpdate(&hmac->hash.sha, msg, length); + if (ret != 0) { + return ret; + } break; #endif @@ -565,13 +585,27 @@ int wc_HmacFinal(Hmac* hmac, byte* hash) #ifndef NO_MD5 case MD5: { - wc_Md5Final(&hmac->hash.md5, (byte*) hmac->innerHash); + ret = wc_Md5Final(&hmac->hash.md5, (byte*) hmac->innerHash); + if (ret != 0) { + return ret; + } - wc_Md5Update(&hmac->hash.md5, (byte*) hmac->opad, MD5_BLOCK_SIZE); - wc_Md5Update(&hmac->hash.md5, + ret = wc_Md5Update(&hmac->hash.md5, (byte*) hmac->opad, + MD5_BLOCK_SIZE); + if (ret != 0) { + return ret; + } + + ret = wc_Md5Update(&hmac->hash.md5, (byte*) hmac->innerHash, MD5_DIGEST_SIZE); + if (ret != 0) { + return ret; + } - wc_Md5Final(&hmac->hash.md5, hash); + ret = wc_Md5Final(&hmac->hash.md5, hash); + if (ret != 0) { + return ret; + } } break; #endif @@ -579,13 +613,24 @@ int wc_HmacFinal(Hmac* hmac, byte* hash) #ifndef NO_SHA case SHA: { - wc_ShaFinal(&hmac->hash.sha, (byte*) hmac->innerHash); - - wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->opad, SHA_BLOCK_SIZE); - wc_ShaUpdate(&hmac->hash.sha, + ret = wc_ShaFinal(&hmac->hash.sha, (byte*) hmac->innerHash); + if (ret != 0) { + return ret; + } + ret = wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->opad, + SHA_BLOCK_SIZE); + if (ret != 0) { + return ret; + } + ret = wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->innerHash, SHA_DIGEST_SIZE); - - wc_ShaFinal(&hmac->hash.sha, hash); + if (ret != 0) { + return ret; + } + ret = wc_ShaFinal(&hmac->hash.sha, hash); + if (ret != 0) { + return ret; + } } break; #endif diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c index fdde46ff7..525882fc8 100644 --- a/wolfcrypt/src/md5.c +++ b/wolfcrypt/src/md5.c @@ -180,8 +180,12 @@ #endif /* WOLFSSL_HAVE_MIN */ -void wc_InitMd5(Md5* md5) +int wc_InitMd5(Md5* md5) { + if (md5 == NULL) { + return BAD_FUNC_ARG; + } + md5->digest[0] = 0x67452301L; md5->digest[1] = 0xefcdab89L; md5->digest[2] = 0x98badcfeL; @@ -190,6 +194,8 @@ void wc_InitMd5(Md5* md5) md5->buffLen = 0; md5->loLen = 0; md5->hiLen = 0; + + return 0; } #ifdef FREESCALE_MMCAU_SHA @@ -308,10 +314,15 @@ static INLINE void AddLength(Md5* md5, word32 len) } -void wc_Md5Update(Md5* md5, const byte* data, word32 len) +int wc_Md5Update(Md5* md5, const byte* data, word32 len) { + byte* local; + + if (md5 == NULL || (data == NULL && len > 0)){ + return BAD_FUNC_ARG; + } /* do block size increments */ - byte* local = (byte*)md5->buffer; + local = (byte*)md5->buffer; while (len) { word32 add = min(len, MD5_BLOCK_SIZE - md5->buffLen); @@ -330,12 +341,19 @@ void wc_Md5Update(Md5* md5, const byte* data, word32 len) md5->buffLen = 0; } } + return 0; } -void wc_Md5Final(Md5* md5, byte* hash) +int wc_Md5Final(Md5* md5, byte* hash) { - byte* local = (byte*)md5->buffer; + byte* local; + + if (md5 == NULL || hash == NULL) { + return BAD_FUNC_ARG; + } + + local = (byte*)md5->buffer; AddLength(md5, md5->buffLen); /* before adding pads */ @@ -373,7 +391,8 @@ void wc_Md5Final(Md5* md5, byte* hash) #endif XMEMCPY(hash, md5->digest, MD5_DIGEST_SIZE); - wc_InitMd5(md5); /* reset state */ + + return wc_InitMd5(md5); /* reset state */ } #endif /* End wolfCrypt software implementation */ @@ -381,6 +400,7 @@ void wc_Md5Final(Md5* md5, byte* hash) int wc_Md5Hash(const byte* data, word32 len, byte* hash) { + int ret; #ifdef WOLFSSL_SMALL_STACK Md5* md5; #else @@ -393,9 +413,27 @@ int wc_Md5Hash(const byte* data, word32 len, byte* hash) return MEMORY_E; #endif - wc_InitMd5(md5); - wc_Md5Update(md5, data, len); - wc_Md5Final(md5, hash); + ret = wc_InitMd5(md5); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Update(md5, data, len); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + ret = wc_Md5Final(md5, hash); + if (ret != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } #ifdef WOLFSSL_SMALL_STACK XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c index 1492e72ed..7fcbf5cb6 100644 --- a/wolfcrypt/src/pwdbased.c +++ b/wolfcrypt/src/pwdbased.c @@ -100,10 +100,22 @@ int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt, switch (hashType) { #ifndef NO_MD5 case MD5: - wc_InitMd5(&md5); - wc_Md5Update(&md5, passwd, pLen); - wc_Md5Update(&md5, salt, sLen); - wc_Md5Final(&md5, buffer); + ret = wc_InitMd5(&md5); + if (ret != 0) { + return ret; + } + ret = wc_Md5Update(&md5, passwd, pLen); + if (ret != 0) { + return ret; + } + ret = wc_Md5Update(&md5, salt, sLen); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&md5, buffer); + if (ret != 0) { + return ret; + } break; #endif /* NO_MD5 */ case SHA: @@ -124,8 +136,14 @@ int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt, } #ifndef NO_MD5 else { - wc_Md5Update(&md5, buffer, hLen); - wc_Md5Final(&md5, buffer); + ret = wc_Md5Update(&md5, buffer, hLen); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&md5, buffer); + if (ret != 0) { + return ret; + } } #endif } @@ -310,13 +328,28 @@ int DoPKCS12Hash(int hashType, byte* buffer, word32 totalLen, case MD5: { Md5 md5; - wc_InitMd5(&md5); - wc_Md5Update(&md5, buffer, totalLen); - wc_Md5Final(&md5, Ai); + ret = wc_InitMd5(&md5); + if (ret != 0) { + return ret; + } + ret = wc_Md5Update(&md5, buffer, totalLen); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&md5, Ai); + if (ret != 0) { + return ret; + } for (i = 1; i < iterations; i++) { - wc_Md5Update(&md5, Ai, u); - wc_Md5Final(&md5, Ai); + ret = wc_Md5Update(&md5, Ai, u); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&md5, Ai); + if (ret != 0) { + return ret; + } } } break; diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 499d72399..63c47cba1 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -45,16 +45,25 @@ #ifdef HAVE_FIPS int wc_InitSha(Sha* sha) { + if (sha == NULL) { + return -173; + } return InitSha_fips(sha); } int wc_ShaUpdate(Sha* sha, const byte* data, word32 len) { + if (sha == NULL || (data == NULL && len > 0)) { + return -173; + } return ShaUpdate_fips(sha, data, len); } int wc_ShaFinal(Sha* sha, byte* out) { + if (sha == NULL || out == NULL) { + return -173; + } return ShaFinal_fips(sha,out); } @@ -255,6 +264,9 @@ { int ret = 0; + if (sha == NULL) { + return BAD_FUNC_ARG; + } sha->digest[0] = 0x67452301L; sha->digest[1] = 0xEFCDAB89L; sha->digest[2] = 0x98BADCFEL; @@ -393,10 +405,16 @@ static INLINE void AddLength(Sha* sha, word32 len) } -int wc_ShaUpdate(Sha* sha, const byte* data, word32 len) +int wc_ShaUpdate (Sha* sha, const byte* data, word32 len) { + byte* local; + + if (sha == NULL ||(data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } + /* do block size increments */ - byte* local = (byte*)sha->buffer; + local = (byte*)sha->buffer; while (len) { word32 add = min(len, SHA_BLOCK_SIZE - sha->buffLen); @@ -421,7 +439,13 @@ int wc_ShaUpdate(Sha* sha, const byte* data, word32 len) int wc_ShaFinal(Sha* sha, byte* hash) { - byte* local = (byte*)sha->buffer; + byte* local; + + if (sha == NULL || hash == NULL) { + return BAD_FUNC_ARG; + } + + local = (byte*)sha->buffer; AddLength(sha, sha->buffLen); /* before adding pads */ diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index e0d986546..287522b9f 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -34,18 +34,27 @@ int wc_InitSha256(Sha256* sha) { + if (sha == NULL) { + return -173; + } return InitSha256_fips(sha); } int wc_Sha256Update(Sha256* sha, const byte* data, word32 len) { + if (sha == NULL || (data == NULL && len > 0)) { + return -173; + } return Sha256Update_fips(sha, data, len); } int wc_Sha256Final(Sha256* sha, byte* out) { + if (sha == NULL || out == NULL) { + return -173; + } return Sha256Final_fips(sha, out); } @@ -309,28 +318,33 @@ int wc_InitSha256(Sha256* sha256) int wc_InitSha256(Sha256* sha256) { int ret = 0; - #ifdef FREESCALE_MMCAU_SHA - ret = wolfSSL_CryptHwMutexLock(); - if(ret != 0) { - return ret; - } - MMCAU_SHA256_InitializeOutput((uint32_t*)sha256->digest); - wolfSSL_CryptHwMutexUnLock(); - #else - sha256->digest[0] = 0x6A09E667L; - sha256->digest[1] = 0xBB67AE85L; - sha256->digest[2] = 0x3C6EF372L; - sha256->digest[3] = 0xA54FF53AL; - sha256->digest[4] = 0x510E527FL; - sha256->digest[5] = 0x9B05688CL; - sha256->digest[6] = 0x1F83D9ABL; - sha256->digest[7] = 0x5BE0CD19L; - #endif + + if (sha256 == NULL) { + return BAD_FUNC_ARG; + } + +#ifdef FREESCALE_MMCAU_SHA + ret = wolfSSL_CryptHwMutexLock(); + if(ret != 0) { + return ret; + } + MMCAU_SHA256_InitializeOutput((uint32_t*)sha256->digest); + wolfSSL_CryptHwMutexUnLock(); +#else + sha256->digest[0] = 0x6A09E667L; + sha256->digest[1] = 0xBB67AE85L; + sha256->digest[2] = 0x3C6EF372L; + sha256->digest[3] = 0xA54FF53AL; + sha256->digest[4] = 0x510E527FL; + sha256->digest[5] = 0x9B05688CL; + sha256->digest[6] = 0x1F83D9ABL; + sha256->digest[7] = 0x5BE0CD19L; +#endif sha256->buffLen = 0; sha256->loLen = 0; sha256->hiLen = 0; - + #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2) set_Transform() ; /* choose best Transform function under this runtime environment */ #endif @@ -457,9 +471,14 @@ int wc_Sha256Update(Sha256* sha256, const byte* data, word32 len) #else static INLINE int Sha256Update(Sha256* sha256, const byte* data, word32 len) { + byte* local; + + if (sha256 == NULL || (data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } /* do block size increments */ - byte* local = (byte*)sha256->buffer; + local = (byte*)sha256->buffer; SAVE_XMM_YMM ; /* for Intel AVX */ @@ -573,6 +592,10 @@ int wc_Sha256Final(Sha256* sha256, byte* hash) { int ret; + if (sha256 == NULL || hash == NULL) { + return BAD_FUNC_ARG; + } + ret = Sha256Final(sha256); if (ret != 0) return ret; diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 9e8b1f7d8..0c971db33 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -32,18 +32,27 @@ #ifdef HAVE_FIPS int wc_InitSha512(Sha512* sha) { + if (sha == NULL) { + return -173; + } return InitSha512_fips(sha); } int wc_Sha512Update(Sha512* sha, const byte* data, word32 len) { + if (sha == NULL || (data == NULL && len > 0)) { + return -173; + } return Sha512Update_fips(sha, data, len); } int wc_Sha512Final(Sha512* sha, byte* out) { + if (sha == NULL || out == NULL) { + return -173; + } return Sha512Final_fips(sha, out); } @@ -52,18 +61,27 @@ int wc_Sha512Final(Sha512* sha, byte* out) int wc_InitSha384(Sha384* sha) { + if (sha == NULL) { + return -173; + } return InitSha384_fips(sha); } int wc_Sha384Update(Sha384* sha, const byte* data, word32 len) { + if (sha == NULL || (data == NULL && len > 0)) { + return -173; + } return Sha384Update_fips(sha, data, len); } int wc_Sha384Final(Sha384* sha, byte* out) { + if (sha == NULL || out == NULL) { + return -173; + } return Sha384Final_fips(sha, out); } @@ -113,7 +131,7 @@ Intel AVX1/AVX2 Macro Control Structure #define HAVE_INTEL_AVX2 #endif -int InitSha512(Sha512* sha512) { +int InitSha512(Sha512* sha512) { Save/Recover XMM, YMM ... @@ -121,27 +139,27 @@ int InitSha512(Sha512* sha512) { } #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2) - Transform_AVX1() ; # Function prototype + Transform_AVX1() ; # Function prototype Transform_AVX2() ; # #endif _Transform() { # Native Transform Function body - + } - - int Sha512Update() { + + int Sha512Update() { Save/Recover XMM, YMM ... } - - int Sha512Final() { + + int Sha512Final() { Save/Recover XMM, YMM ... } #if defined(HAVE_INTEL_AVX1) - + XMM Instructions/INLINE asm Definitions #endif @@ -153,7 +171,7 @@ int InitSha512(Sha512* sha512) { #endif #if defnied(HAVE_INTEL_AVX1) - + int Transform_AVX1() { Stitched Message Sched/Round } @@ -161,7 +179,7 @@ int InitSha512(Sha512* sha512) { #endif #if defnied(HAVE_INTEL_AVX2) - + int Transform_AVX2() { Stitched Message Sched/Round } @@ -195,9 +213,9 @@ int InitSha512(Sha512* sha512) { #define EAX 0 #define EBX 1 -#define ECX 2 +#define ECX 2 #define EDX 3 - + #define CPUID_AVX1 0x1 #define CPUID_AVX2 0x2 #define CPUID_RDRAND 0x4 @@ -215,15 +233,15 @@ static word32 cpuid_flags = 0 ; static word32 cpuid_flag(word32 leaf, word32 sub, word32 num, word32 bit) { int got_intel_cpu=0; - unsigned int reg[5]; - + unsigned int reg[5]; + reg[4] = '\0' ; - cpuid(reg, 0, 0); - if(XMEMCMP((char *)&(reg[EBX]), "Genu", 4) == 0 && - XMEMCMP((char *)&(reg[EDX]), "ineI", 4) == 0 && - XMEMCMP((char *)&(reg[ECX]), "ntel", 4) == 0) { - got_intel_cpu = 1; - } + cpuid(reg, 0, 0); + if(XMEMCMP((char *)&(reg[EBX]), "Genu", 4) == 0 && + XMEMCMP((char *)&(reg[EDX]), "ineI", 4) == 0 && + XMEMCMP((char *)&(reg[ECX]), "ntel", 4) == 0) { + got_intel_cpu = 1; + } if (got_intel_cpu) { cpuid(reg, leaf, sub); return((reg[num]>>bit)&0x1) ; @@ -237,7 +255,7 @@ static int set_cpuid_flags() { if(cpuid_flag(1, 0, ECX, 28)){ cpuid_flags |= CPUID_AVX1 ;} if(cpuid_flag(7, 0, EBX, 5)){ cpuid_flags |= CPUID_AVX2 ; } if(cpuid_flag(7, 0, EBX, 8)) { cpuid_flags |= CPUID_BMI2 ; } - if(cpuid_flag(1, 0, ECX, 30)){ cpuid_flags |= CPUID_RDRAND ; } + if(cpuid_flag(1, 0, ECX, 30)){ cpuid_flags |= CPUID_RDRAND ; } if(cpuid_flag(7, 0, EBX, 18)){ cpuid_flags |= CPUID_RDSEED ; } cpuid_check = 1 ; return 0 ; @@ -253,7 +271,7 @@ static int Transform_AVX1(Sha512 *sha512) ; #endif #if defined(HAVE_INTEL_AVX2) -static int Transform_AVX2(Sha512 *sha512) ; +static int Transform_AVX2(Sha512 *sha512) ; #if defined(HAVE_INTEL_AVX1) && defined(HAVE_INTEL_AVX2) && defined(HAVE_INTEL_RORX) static int Transform_AVX1_RORX(Sha512 *sha512) ; @@ -261,8 +279,8 @@ static int Transform_AVX1_RORX(Sha512 *sha512) ; #endif -static int _Transform(Sha512 *sha512) ; - +static int _Transform(Sha512 *sha512) ; + static int (*Transform_p)(Sha512* sha512) = _Transform ; #define Transform(sha512) (*Transform_p)(sha512) @@ -271,9 +289,9 @@ static void set_Transform(void) { if(set_cpuid_flags()) return ; #if defined(HAVE_INTEL_AVX2) - if(IS_INTEL_AVX2 && IS_INTEL_BMI2){ - Transform_p = Transform_AVX1_RORX; return ; - Transform_p = Transform_AVX2 ; + if(IS_INTEL_AVX2 && IS_INTEL_BMI2){ + Transform_p = Transform_AVX1_RORX; return ; + Transform_p = Transform_AVX2 ; /* for avoiding warning,"not used" */ } #endif @@ -338,6 +356,10 @@ static INLINE ROTR(rotrFixed64_41, 41, x) int wc_InitSha512(Sha512* sha512) { + if (sha512 == NULL) { + return BAD_FUNC_ARG; + } + sha512->digest[0] = W64LIT(0x6a09e667f3bcc908); sha512->digest[1] = W64LIT(0xbb67ae8584caa73b); sha512->digest[2] = W64LIT(0x3c6ef372fe94f82b); @@ -350,11 +372,11 @@ int wc_InitSha512(Sha512* sha512) sha512->buffLen = 0; sha512->loLen = 0; sha512->hiLen = 0; - + #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2) set_Transform() ; /* choose best Transform function under this runtime environment */ #endif - + return 0 ; } @@ -452,7 +474,7 @@ static int _Transform(Sha512* sha512) /* over twice as small, but 50% slower */ /* 80 operations, not unrolled */ for (j = 0; j < 80; j += 16) { - int m; + int m; for (m = 0; m < 16; m++) { /* braces needed here for macros {} */ R(m); } @@ -499,8 +521,13 @@ static INLINE void AddLength(Sha512* sha512, word32 len) static INLINE int Sha512Update(Sha512* sha512, const byte* data, word32 len) { + byte* local; + + if (sha512 == NULL ||(data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } /* do block size increments */ - byte* local = (byte*)sha512->buffer; + local = (byte*)sha512->buffer; SAVE_XMM_YMM ; /* for Intel AVX */ while (len) { @@ -515,7 +542,7 @@ static INLINE int Sha512Update(Sha512* sha512, const byte* data, word32 len) int ret; #if defined(LITTLE_ENDIAN_ORDER) #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) - if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) + if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) #endif ByteReverseWords64(sha512->buffer, sha512->buffer, SHA512_BLOCK_SIZE); @@ -551,7 +578,7 @@ static INLINE int Sha512Final(Sha512* sha512) if (sha512->buffLen > SHA512_PAD_SIZE) { XMEMSET(&local[sha512->buffLen], 0, SHA512_BLOCK_SIZE -sha512->buffLen); sha512->buffLen += SHA512_BLOCK_SIZE - sha512->buffLen; - #if defined(LITTLE_ENDIAN_ORDER) + #if defined(LITTLE_ENDIAN_ORDER) #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) #endif @@ -564,9 +591,9 @@ static INLINE int Sha512Final(Sha512* sha512) sha512->buffLen = 0; } XMEMSET(&local[sha512->buffLen], 0, SHA512_PAD_SIZE - sha512->buffLen); - + /* put lengths in bits */ - sha512->hiLen = (sha512->loLen >> (8*sizeof(sha512->loLen) - 3)) + + sha512->hiLen = (sha512->loLen >> (8*sizeof(sha512->loLen) - 3)) + (sha512->hiLen << 3); sha512->loLen = sha512->loLen << 3; @@ -600,7 +627,13 @@ static INLINE int Sha512Final(Sha512* sha512) int wc_Sha512Final(Sha512* sha512, byte* hash) { - int ret = Sha512Final(sha512); + int ret; + + if (sha512 == NULL || hash == NULL) { + return BAD_FUNC_ARG; + } + + ret = Sha512Final(sha512); if (ret != 0) return ret; @@ -624,8 +657,8 @@ int wc_Sha512Final(Sha512* sha512, byte* hash) #endif -#if defined(HAVE_INTEL_AVX2) -#define Ry_1(i, w) h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+K[i+j] + w ; +#if defined(HAVE_INTEL_AVX2) +#define Ry_1(i, w) h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+K[i+j] + w ; #define Ry_2(i, w) d(i)+=h(i); #define Ry_3(i, w) h(i)+=S0(a(i))+Maj(a(i),b(i),c(i)); #endif @@ -648,13 +681,13 @@ int wc_Sha512Final(Sha512* sha512, byte* hash) RECV_REG(10); RECV_REG(11); RECV_REG(12); RECV_REG(13); RECV_REG(14); RECV_REG(15);\ } -#define DUMP_REG(REG) _DUMP_REG(REG, #REG) -#define PRINTF(fmt, ...) +#define DUMP_REG(REG) _DUMP_REG(REG, #REG) +#define PRINTF(fmt, ...) #else -#define DUMP_REG(REG) -#define PRINTF(fmt, ...) +#define DUMP_REG(REG) +#define PRINTF(fmt, ...) #endif @@ -681,7 +714,7 @@ int wc_Sha512Final(Sha512* sha512, byte* hash) #define MOVE_to_REG(xymm, mem) _MOVE_to_REG(xymm, mem) #define MOVE_to_MEM(mem, i, xymm) _MOVE_to_MEM(mem, i, xymm) -#define MOVE(dest, src) _MOVE(dest, src) +#define MOVE(dest, src) _MOVE(dest, src) #define XOR(dest, src1, src2) _XOR(dest, src1, src2) #define OR(dest, src1, src2) _OR(dest, src1, src2) @@ -693,7 +726,7 @@ int wc_Sha512Final(Sha512* sha512, byte* hash) #define Init_Mask(mask) \ __asm__ volatile("vmovdqu %0, %%xmm1\n\t"::"m"(mask):"%xmm1") ; - + #define _W_from_buff1(w, buff, xmm) \ /* X0..3(xmm4..7), W[0..15] = sha512->buffer[0.15]; */\ __asm__ volatile("vmovdqu %1, %%"#xmm"\n\t"\ @@ -701,7 +734,7 @@ int wc_Sha512Final(Sha512* sha512, byte* hash) "vmovdqu %%"#xmm", %0"\ :"=m"(w): "m"(buff):"%xmm0") ; -#define W_from_buff1(w, buff, xmm) _W_from_buff1(w, buff, xmm) +#define W_from_buff1(w, buff, xmm) _W_from_buff1(w, buff, xmm) #define W_from_buff(w, buff)\ Init_Mask(mBYTE_FLIP_MASK[0]) ;\ @@ -713,7 +746,7 @@ int wc_Sha512Final(Sha512* sha512, byte* hash) W_from_buff1(w[10],buff[10],W_10);\ W_from_buff1(w[12],buff[12],W_12);\ W_from_buff1(w[14],buff[14],W_14); - + static word64 mBYTE_FLIP_MASK[] = { 0x0001020304050607, 0x08090a0b0c0d0e0f } ; #define W_I_15 xmm14 @@ -735,35 +768,35 @@ static word64 mBYTE_FLIP_MASK[] = { 0x0001020304050607, 0x08090a0b0c0d0e0f } ; #define XMM_REGs -#define s0_1(dest, src) AVX1_S(dest, src, 1); -#define s0_2(dest, src) AVX1_S(G_TEMP, src, 8); XOR(dest, G_TEMP, dest) ; +#define s0_1(dest, src) AVX1_S(dest, src, 1); +#define s0_2(dest, src) AVX1_S(G_TEMP, src, 8); XOR(dest, G_TEMP, dest) ; #define s0_3(dest, src) AVX1_R(G_TEMP, src, 7); XOR(dest, G_TEMP, dest) ; #define s1_1(dest, src) AVX1_S(dest, src, 19); -#define s1_2(dest, src) AVX1_S(G_TEMP, src, 61); XOR(dest, G_TEMP, dest) ; +#define s1_2(dest, src) AVX1_S(G_TEMP, src, 61); XOR(dest, G_TEMP, dest) ; #define s1_3(dest, src) AVX1_R(G_TEMP, src, 6); XOR(dest, G_TEMP, dest) ; #define s0_(dest, src) s0_1(dest, src) ; s0_2(dest, src) ; s0_3(dest, src) #define s1_(dest, src) s1_1(dest, src) ; s1_2(dest, src) ; s1_3(dest, src) - + #define Block_xx_1(i) \ MOVE_to_REG(W_I_15, W_X[(i-15)&15]) ;\ MOVE_to_REG(W_I_7, W_X[(i- 7)&15]) ;\ - + #define Block_xx_2(i) \ MOVE_to_REG(W_I_2, W_X[(i- 2)&15]) ;\ MOVE_to_REG(W_I, W_X[(i)]) ;\ - + #define Block_xx_3(i) \ s0_ (XMM_TEMP0, W_I_15) ;\ - + #define Block_xx_4(i) \ ADD(W_I, W_I, XMM_TEMP0) ;\ ADD(W_I, W_I, W_I_7) ;\ - + #define Block_xx_5(i) \ s1_ (XMM_TEMP0, W_I_2) ;\ - + #define Block_xx_6(i) \ ADD(W_I, W_I, XMM_TEMP0) ;\ MOVE_to_MEM(W_X,i, W_I) ;\ @@ -773,7 +806,7 @@ static word64 mBYTE_FLIP_MASK[] = { 0x0001020304050607, 0x08090a0b0c0d0e0f } ; #define Block_xx_7(i) \ MOVE_to_REG(W_I_15, W_X[(i-15)&15]) ;\ MOVE_to_REG(W_I_7, W_X[(i- 7)&15]) ;\ - + #define Block_xx_8(i) \ MOVE_to_REG(W_I_2, W_X[(i- 2)&15]) ;\ MOVE_to_REG(W_I, W_X[(i)]) ;\ @@ -884,15 +917,15 @@ static const unsigned long mBYTE_FLIP_MASK_Y[] = RECV_REG_Y(13); RECV_REG_Y(14); RECV_REG_Y(15);\ } -#define DUMP_REG_Y(REG) _DUMP_REG_Y(REG, #REG) -#define DUMP_REG2_Y(REG) _DUMP_REG_Y(REG, #REG) -#define PRINTF_Y(fmt, ...) +#define DUMP_REG_Y(REG) _DUMP_REG_Y(REG, #REG) +#define DUMP_REG2_Y(REG) _DUMP_REG_Y(REG, #REG) +#define PRINTF_Y(fmt, ...) #else -#define DUMP_REG_Y(REG) +#define DUMP_REG_Y(REG) #define DUMP_REG2_Y(REG) -#define PRINTF_Y(fmt, ...) +#define PRINTF_Y(fmt, ...) #endif @@ -921,7 +954,7 @@ static const unsigned long mBYTE_FLIP_MASK_Y[] = #define MOVE_to_REGy(ymm, mem) _MOVE_to_REGy(ymm, mem) #define MOVE_to_MEMy(mem, i, ymm) _MOVE_to_MEMy(mem, i, ymm) -#define MOVE_128y(ymm0, ymm1, ymm2, map) _MOVE_128y(ymm0, ymm1, ymm2, map) +#define MOVE_128y(ymm0, ymm1, ymm2, map) _MOVE_128y(ymm0, ymm1, ymm2, map) #define XORy(dest, src1, src2) _XORy(dest, src1, src2) #define ADDy(dest, src1, src2) _ADDy(dest, src1, src2) #define BLENDy(map, dest, src1, src2) _BLENDy(map, dest, src1, src2) @@ -935,12 +968,12 @@ static const unsigned long mBYTE_FLIP_MASK_Y[] = #define FEEDBACK1_to_W_I_2(w_i_2, w_i) MOVE_128y(YMM_TEMP0, w_i, w_i, 0x08) ;\ - BLENDy(0xf0, w_i_2, YMM_TEMP0, w_i_2) ; + BLENDy(0xf0, w_i_2, YMM_TEMP0, w_i_2) ; #define MOVE_W_to_W_I_15(w_i_15, w_0, w_4) BLENDQy(0x1, w_i_15, w_4, w_0) ;\ PERMQy(0x39, w_i_15, w_i_15) ; #define MOVE_W_to_W_I_7(w_i_7, w_8, w_12) BLENDQy(0x1, w_i_7, w_12, w_8) ;\ - PERMQy(0x39, w_i_7, w_i_7) ; + PERMQy(0x39, w_i_7, w_i_7) ; #define MOVE_W_to_W_I_2(w_i_2, w_12) BLENDQy(0xc, w_i_2, w_12, w_i_2) ;\ PERMQy(0x0e, w_i_2, w_i_2) ; @@ -1002,25 +1035,25 @@ static int Transform_AVX1(Sha512* sha512) W_from_buff(W_X, sha512->buffer) ; for (j = 0; j < 80; j += 16) { - Rx_1( 0); Block_0_1(W_X); Rx_2( 0); Block_0_2(W_X); Rx_3( 0); Block_0_3(); - Rx_1( 1); Block_0_4(); Rx_2( 1); Block_0_5(); Rx_3( 1); Block_0_6(W_X); + Rx_1( 0); Block_0_1(W_X); Rx_2( 0); Block_0_2(W_X); Rx_3( 0); Block_0_3(); + Rx_1( 1); Block_0_4(); Rx_2( 1); Block_0_5(); Rx_3( 1); Block_0_6(W_X); Rx_1( 2); Block_0_7(W_X); Rx_2( 2); Block_0_8(W_X); Rx_3( 2); Block_0_9(); - Rx_1( 3); Block_0_10();Rx_2( 3); Block_0_11();Rx_3( 3); Block_0_12(W_X); - - Rx_1( 4); Block_4_1(W_X); Rx_2( 4); Block_4_2(W_X); Rx_3( 4); Block_4_3(); - Rx_1( 5); Block_4_4(); Rx_2( 5); Block_4_5(); Rx_3( 5); Block_4_6(W_X); + Rx_1( 3); Block_0_10();Rx_2( 3); Block_0_11();Rx_3( 3); Block_0_12(W_X); + + Rx_1( 4); Block_4_1(W_X); Rx_2( 4); Block_4_2(W_X); Rx_3( 4); Block_4_3(); + Rx_1( 5); Block_4_4(); Rx_2( 5); Block_4_5(); Rx_3( 5); Block_4_6(W_X); Rx_1( 6); Block_4_7(W_X); Rx_2( 6); Block_4_8(W_X); Rx_3( 6); Block_4_9(); - Rx_1( 7); Block_4_10();Rx_2( 7); Block_4_11();Rx_3( 7); Block_4_12(W_X); - - Rx_1( 8); Block_8_1(W_X); Rx_2( 8); Block_8_2(W_X); Rx_3( 8); Block_8_3(); - Rx_1( 9); Block_8_4(); Rx_2( 9); Block_8_5(); Rx_3( 9); Block_8_6(W_X); + Rx_1( 7); Block_4_10();Rx_2( 7); Block_4_11();Rx_3( 7); Block_4_12(W_X); + + Rx_1( 8); Block_8_1(W_X); Rx_2( 8); Block_8_2(W_X); Rx_3( 8); Block_8_3(); + Rx_1( 9); Block_8_4(); Rx_2( 9); Block_8_5(); Rx_3( 9); Block_8_6(W_X); Rx_1(10); Block_8_7(W_X); Rx_2(10); Block_8_8(W_X); Rx_3(10); Block_8_9(); - Rx_1(11); Block_8_10();Rx_2(11); Block_8_11();Rx_3(11); Block_8_12(W_X); - - Rx_1(12); Block_12_1(W_X); Rx_2(12); Block_12_2(W_X); Rx_3(12); Block_12_3(); - Rx_1(13); Block_12_4(); Rx_2(13); Block_12_5(); Rx_3(13); Block_12_6(W_X); + Rx_1(11); Block_8_10();Rx_2(11); Block_8_11();Rx_3(11); Block_8_12(W_X); + + Rx_1(12); Block_12_1(W_X); Rx_2(12); Block_12_2(W_X); Rx_3(12); Block_12_3(); + Rx_1(13); Block_12_4(); Rx_2(13); Block_12_5(); Rx_3(13); Block_12_6(W_X); Rx_1(14); Block_12_7(W_X); Rx_2(14); Block_12_8(W_X); Rx_3(14); Block_12_9(); - Rx_1(15); Block_12_10();Rx_2(15); Block_12_11();Rx_3(15); Block_12_12(W_X); + Rx_1(15); Block_12_10();Rx_2(15); Block_12_11();Rx_3(15); Block_12_12(W_X); } /* Add the working vars back into digest */ @@ -1058,41 +1091,41 @@ static int Transform_AVX1_RORX(Sha512* sha512) W_from_buff(W_X, sha512->buffer) ; for (j = 0; j < 80; j += 16) { - Rx_RORX_1( 0); Block_0_1(W_X); Rx_RORX_2( 0); Block_0_2(W_X); - Rx_RORX_3( 0); Block_0_3(); - Rx_RORX_1( 1); Block_0_4(); Rx_RORX_2( 1); Block_0_5(); - Rx_RORX_3( 1); Block_0_6(W_X); - Rx_RORX_1( 2); Block_0_7(W_X); Rx_RORX_2( 2); Block_0_8(W_X); + Rx_RORX_1( 0); Block_0_1(W_X); Rx_RORX_2( 0); Block_0_2(W_X); + Rx_RORX_3( 0); Block_0_3(); + Rx_RORX_1( 1); Block_0_4(); Rx_RORX_2( 1); Block_0_5(); + Rx_RORX_3( 1); Block_0_6(W_X); + Rx_RORX_1( 2); Block_0_7(W_X); Rx_RORX_2( 2); Block_0_8(W_X); Rx_RORX_3( 2); Block_0_9(); Rx_RORX_1( 3); Block_0_10();Rx_RORX_2( 3); Block_0_11(); - Rx_RORX_3( 3); Block_0_12(W_X); - - Rx_RORX_1( 4); Block_4_1(W_X); Rx_RORX_2( 4); Block_4_2(W_X); - Rx_RORX_3( 4); Block_4_3(); - Rx_RORX_1( 5); Block_4_4(); Rx_RORX_2( 5); Block_4_5(); - Rx_RORX_3( 5); Block_4_6(W_X); - Rx_RORX_1( 6); Block_4_7(W_X); Rx_RORX_2( 6); Block_4_8(W_X); + Rx_RORX_3( 3); Block_0_12(W_X); + + Rx_RORX_1( 4); Block_4_1(W_X); Rx_RORX_2( 4); Block_4_2(W_X); + Rx_RORX_3( 4); Block_4_3(); + Rx_RORX_1( 5); Block_4_4(); Rx_RORX_2( 5); Block_4_5(); + Rx_RORX_3( 5); Block_4_6(W_X); + Rx_RORX_1( 6); Block_4_7(W_X); Rx_RORX_2( 6); Block_4_8(W_X); Rx_RORX_3( 6); Block_4_9(); Rx_RORX_1( 7); Block_4_10();Rx_RORX_2( 7); Block_4_11(); - Rx_RORX_3( 7); Block_4_12(W_X); - - Rx_RORX_1( 8); Block_8_1(W_X); Rx_RORX_2( 8); Block_8_2(W_X); - Rx_RORX_3( 8); Block_8_3(); - Rx_RORX_1( 9); Block_8_4(); Rx_RORX_2( 9); Block_8_5(); - Rx_RORX_3( 9); Block_8_6(W_X); - Rx_RORX_1(10); Block_8_7(W_X); Rx_RORX_2(10); Block_8_8(W_X); + Rx_RORX_3( 7); Block_4_12(W_X); + + Rx_RORX_1( 8); Block_8_1(W_X); Rx_RORX_2( 8); Block_8_2(W_X); + Rx_RORX_3( 8); Block_8_3(); + Rx_RORX_1( 9); Block_8_4(); Rx_RORX_2( 9); Block_8_5(); + Rx_RORX_3( 9); Block_8_6(W_X); + Rx_RORX_1(10); Block_8_7(W_X); Rx_RORX_2(10); Block_8_8(W_X); Rx_RORX_3(10); Block_8_9(); Rx_RORX_1(11); Block_8_10();Rx_RORX_2(11); Block_8_11(); - Rx_RORX_3(11); Block_8_12(W_X); - - Rx_RORX_1(12); Block_12_1(W_X); Rx_RORX_2(12); Block_12_2(W_X); - Rx_RORX_3(12); Block_12_3(); - Rx_RORX_1(13); Block_12_4(); Rx_RORX_2(13); Block_12_5(); - Rx_RORX_3(13); Block_12_6(W_X); - Rx_RORX_1(14); Block_12_7(W_X); Rx_RORX_2(14); Block_12_8(W_X); + Rx_RORX_3(11); Block_8_12(W_X); + + Rx_RORX_1(12); Block_12_1(W_X); Rx_RORX_2(12); Block_12_2(W_X); + Rx_RORX_3(12); Block_12_3(); + Rx_RORX_1(13); Block_12_4(); Rx_RORX_2(13); Block_12_5(); + Rx_RORX_3(13); Block_12_6(W_X); + Rx_RORX_1(14); Block_12_7(W_X); Rx_RORX_2(14); Block_12_8(W_X); Rx_RORX_3(14); Block_12_9(); Rx_RORX_1(15); Block_12_10();Rx_RORX_2(15); Block_12_11(); - Rx_RORX_3(15); Block_12_12(W_X); + Rx_RORX_3(15); Block_12_12(W_X); } /* Add the working vars back into digest */ @@ -1117,12 +1150,12 @@ static int Transform_AVX1_RORX(Sha512* sha512) #if defined(HAVE_INTEL_AVX2) -#define s0_1y(dest, src) AVX2_S(dest, src, 1); -#define s0_2y(dest, src) AVX2_S(G_TEMPy, src, 8); XORy(dest, G_TEMPy, dest) ; +#define s0_1y(dest, src) AVX2_S(dest, src, 1); +#define s0_2y(dest, src) AVX2_S(G_TEMPy, src, 8); XORy(dest, G_TEMPy, dest) ; #define s0_3y(dest, src) AVX2_R(G_TEMPy, src, 7); XORy(dest, G_TEMPy, dest) ; #define s1_1y(dest, src) AVX2_S(dest, src, 19); -#define s1_2y(dest, src) AVX2_S(G_TEMPy, src, 61); XORy(dest, G_TEMPy, dest) ; +#define s1_2y(dest, src) AVX2_S(G_TEMPy, src, 61); XORy(dest, G_TEMPy, dest) ; #define s1_3y(dest, src) AVX2_R(G_TEMPy, src, 6); XORy(dest, G_TEMPy, dest) ; #define s0_y(dest, src) s0_1y(dest, src) ; s0_2y(dest, src) ; s0_3y(dest, src) @@ -1235,45 +1268,45 @@ static int Transform_AVX2(Sha512* sha512) XMEMCPY(T, sha512->digest, sizeof(T)); W_from_buff_Y(sha512->buffer) ; - MOVE_to_MEMy(w,0, W_0y) ; + MOVE_to_MEMy(w,0, W_0y) ; for (j = 0; j < 80; j += 16) { - Ry_1( 0, w[0]); Block_Y_0_1(); Ry_2( 0, w[0]); Block_Y_0_2(); - Ry_3( 0, w[0]); Block_Y_0_3(); - Ry_1( 1, w[1]); Block_Y_0_4(); Ry_2( 1, w[1]); Block_Y_0_5(); - Ry_3( 1, w[1]); Block_Y_0_6(); - Ry_1( 2, w[2]); Block_Y_0_7(); Ry_2( 2, w[2]); Block_Y_0_8(); + Ry_1( 0, w[0]); Block_Y_0_1(); Ry_2( 0, w[0]); Block_Y_0_2(); + Ry_3( 0, w[0]); Block_Y_0_3(); + Ry_1( 1, w[1]); Block_Y_0_4(); Ry_2( 1, w[1]); Block_Y_0_5(); + Ry_3( 1, w[1]); Block_Y_0_6(); + Ry_1( 2, w[2]); Block_Y_0_7(); Ry_2( 2, w[2]); Block_Y_0_8(); Ry_3( 2, w[2]); Block_Y_0_9(); Ry_1( 3, w[3]); Block_Y_0_10();Ry_2( 3, w[3]); Block_Y_0_11(); Ry_3( 3, w[3]); Block_Y_0_12(w); - - Ry_1( 4, w[0]); Block_Y_4_1(); Ry_2( 4, w[0]); Block_Y_4_2(); - Ry_3( 4, w[0]); Block_Y_4_3(); - Ry_1( 5, w[1]); Block_Y_4_4(); Ry_2( 5, w[1]); Block_Y_4_5(); + + Ry_1( 4, w[0]); Block_Y_4_1(); Ry_2( 4, w[0]); Block_Y_4_2(); + Ry_3( 4, w[0]); Block_Y_4_3(); + Ry_1( 5, w[1]); Block_Y_4_4(); Ry_2( 5, w[1]); Block_Y_4_5(); Ry_3( 5, w[1]); Block_Y_4_6(); - Ry_1( 6, w[2]); Block_Y_4_7(); Ry_2( 6, w[2]); Block_Y_4_8(); + Ry_1( 6, w[2]); Block_Y_4_7(); Ry_2( 6, w[2]); Block_Y_4_8(); Ry_3( 6, w[2]); Block_Y_4_9(); - Ry_1( 7, w[3]); Block_Y_4_10(); Ry_2( 7, w[3]);Block_Y_4_11(); - Ry_3( 7, w[3]);Block_Y_4_12(w); - - Ry_1( 8, w[0]); Block_Y_8_1(); Ry_2( 8, w[0]); Block_Y_8_2(); + Ry_1( 7, w[3]); Block_Y_4_10(); Ry_2( 7, w[3]);Block_Y_4_11(); + Ry_3( 7, w[3]);Block_Y_4_12(w); + + Ry_1( 8, w[0]); Block_Y_8_1(); Ry_2( 8, w[0]); Block_Y_8_2(); Ry_3( 8, w[0]); Block_Y_8_3(); - Ry_1( 9, w[1]); Block_Y_8_4(); Ry_2( 9, w[1]); Block_Y_8_5(); + Ry_1( 9, w[1]); Block_Y_8_4(); Ry_2( 9, w[1]); Block_Y_8_5(); Ry_3( 9, w[1]); Block_Y_8_6(); - Ry_1(10, w[2]); Block_Y_8_7(); Ry_2(10, w[2]); Block_Y_8_8(); - Ry_3(10, w[2]); Block_Y_8_9(); + Ry_1(10, w[2]); Block_Y_8_7(); Ry_2(10, w[2]); Block_Y_8_8(); + Ry_3(10, w[2]); Block_Y_8_9(); Ry_1(11, w[3]); Block_Y_8_10();Ry_2(11, w[3]); Block_Y_8_11(); Ry_3(11, w[3]); Block_Y_8_12(w); - - Ry_1(12, w[0]); Block_Y_12_1(); Ry_2(12, w[0]); Block_Y_12_2(); + + Ry_1(12, w[0]); Block_Y_12_1(); Ry_2(12, w[0]); Block_Y_12_2(); Ry_3(12, w[0]); Block_Y_12_3(); - Ry_1(13, w[1]); Block_Y_12_4(); Ry_2(13, w[1]); Block_Y_12_5(); - Ry_3(13, w[1]); Block_Y_12_6(); - Ry_1(14, w[2]); Block_Y_12_7(); Ry_2(14, w[2]); Block_Y_12_8(); + Ry_1(13, w[1]); Block_Y_12_4(); Ry_2(13, w[1]); Block_Y_12_5(); + Ry_3(13, w[1]); Block_Y_12_6(); + Ry_1(14, w[2]); Block_Y_12_7(); Ry_2(14, w[2]); Block_Y_12_8(); Ry_3(14, w[2]); Block_Y_12_9(); Ry_1(15, w[3]); Block_Y_12_10();Ry_2(15, w[3]); Block_Y_12_11(); Ry_3(15, w[3]);Block_Y_12_12(w); } - + /* Add the working vars back into digest */ sha512->digest[0] += a(0); @@ -1300,6 +1333,10 @@ static int Transform_AVX2(Sha512* sha512) #ifdef WOLFSSL_SHA384 int wc_InitSha384(Sha384* sha384) { + if (sha384 == NULL) { + return BAD_FUNC_ARG; + } + sha384->digest[0] = W64LIT(0xcbbb9d5dc1059ed8); sha384->digest[1] = W64LIT(0x629a292a367cd507); sha384->digest[2] = W64LIT(0x9159015a3070dd17); @@ -1316,7 +1353,7 @@ int wc_InitSha384(Sha384* sha384) #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2) set_Transform() ; #endif - + return 0; } @@ -1328,7 +1365,13 @@ int wc_Sha384Update(Sha384* sha384, const byte* data, word32 len) int wc_Sha384Final(Sha384* sha384, byte* hash) { - int ret = Sha512Final((Sha512 *)sha384); + int ret; + + if (sha384 == NULL || hash == NULL) { + return BAD_FUNC_ARG; + } + + ret = Sha512Final((Sha512 *)sha384); if (ret != 0) return ret; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 1b26570f6..c4cbcf1ed 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -842,6 +842,7 @@ int md5_test(void) testVector a, b, c, d, e; testVector test_md5[5]; int times = sizeof(test_md5) / sizeof(testVector), i; + int ret; a.input = "abc"; a.output = "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f" @@ -881,11 +882,21 @@ int md5_test(void) test_md5[3] = d; test_md5[4] = e; - wc_InitMd5(&md5); + ret = wc_InitMd5(&md5); + if (ret != 0) { + return ret; + } for (i = 0; i < times; ++i) { - wc_Md5Update(&md5, (byte*)test_md5[i].input, (word32)test_md5[i].inLen); - wc_Md5Final(&md5, hash); + ret = wc_Md5Update(&md5, (byte*)test_md5[i].input, + (word32)test_md5[i].inLen); + if (ret != 0) { + return ret; + } + ret = wc_Md5Final(&md5, hash); + if (ret != 0){ + return ret; + } if (XMEMCMP(hash, test_md5[i].output, MD5_DIGEST_SIZE) != 0) return -5 - i; diff --git a/wolfssl/wolfcrypt/md5.h b/wolfssl/wolfcrypt/md5.h index 17783b173..b3d1c43af 100644 --- a/wolfssl/wolfcrypt/md5.h +++ b/wolfssl/wolfcrypt/md5.h @@ -73,9 +73,11 @@ typedef struct Md5 { #include "wolfssl/wolfcrypt/port/ti/ti-hash.h" #endif -WOLFSSL_API void wc_InitMd5(Md5*); -WOLFSSL_API void wc_Md5Update(Md5*, const byte*, word32); -WOLFSSL_API void wc_Md5Final(Md5*, byte*); + +WOLFSSL_API int wc_InitMd5(Md5*); +WOLFSSL_API int wc_Md5Update(Md5*, const byte*, word32); +WOLFSSL_API int wc_Md5Final(Md5*, byte*); + WOLFSSL_API int wc_Md5Hash(const byte*, word32, byte*); #ifdef __cplusplus From 2c87f8d33ca5dd3f2f3f5e441e9bb913d071a679 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Fri, 6 Jan 2017 11:06:01 -0700 Subject: [PATCH 05/33] merge with wolfSSL master. --- .gitignore | 3 +- IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp | 6 + IDE/IAR-EWARM/Projects/user_settings.h | 1 + IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp | 2 + IDE/ROWLEY-CROSSWORKS-ARM/wolfssl_ltc.hzp | 2 + IDE/WIN-SGX/include.am | 1 - IDE/WIN/wolfssl-fips.vcxproj | 4 +- README | 37 + README.md | 37 + certs/dsaparams.pem | 9 + certs/include.am | 3 +- configure.ac | 4 +- examples/client/client.c | 19 +- examples/server/server.c | 36 + rpm/spec.in | 5 +- src/bio.c | 446 ++++ src/include.am | 3 +- src/internal.c | 218 +- src/io.c | 48 +- src/keys.c | 38 +- src/sniffer.c | 10 - src/ssl.c | 2471 ++++++++++++++++++-- src/tls.c | 84 +- sslSniffer/sslSnifferTest/snifftest.c | 3 +- support/wolfssl.pc | 2 +- tests/api.c | 811 ++++++- tests/include.am | 1 + tests/srp.c | 34 +- wolfcrypt/src/aes.c | 30 + wolfcrypt/src/asn.c | 59 +- wolfcrypt/src/cmac.c | 11 - wolfcrypt/src/des3.c | 27 + wolfcrypt/src/dh.c | 22 +- wolfcrypt/src/dsa.c | 17 +- wolfcrypt/src/ecc.c | 43 +- wolfcrypt/src/error.c | 3 + wolfcrypt/src/evp.c | 535 +++++ wolfcrypt/src/hmac.c | 29 +- wolfcrypt/src/include.am | 2 + wolfcrypt/src/logging.c | 31 +- wolfcrypt/src/md4.c | 11 - wolfcrypt/src/md5.c | 10 - wolfcrypt/src/misc.c | 18 + wolfcrypt/src/pkcs7.c | 73 +- wolfcrypt/src/poly1305.c | 4 +- wolfcrypt/src/port/arm/armv8-sha256.c | 21 - wolfcrypt/src/pwdbased.c | 12 +- wolfcrypt/src/ripemd.c | 9 - wolfcrypt/src/rsa.c | 66 - wolfcrypt/src/sha.c | 25 +- wolfcrypt/src/sha256.c | 9 - wolfcrypt/src/sha512.c | 10 - wolfcrypt/src/srp.c | 6 +- wolfcrypt/src/tfm.c | 117 +- wolfcrypt/src/wc_port.c | 8 + wolfcrypt/src/wolfmath.c | 104 + wolfcrypt/test/test.c | 452 +++- wolfssl-ntru.vcproj | 4 + wolfssl.vcproj | 4 + wolfssl.vcxproj | 1 + wolfssl/internal.h | 60 +- wolfssl/openssl/aes.h | 73 + wolfssl/openssl/bn.h | 5 +- wolfssl/openssl/des.h | 4 +- wolfssl/openssl/evp.h | 174 +- wolfssl/openssl/include.am | 1 + wolfssl/openssl/md5.h | 9 +- wolfssl/openssl/pem.h | 16 +- wolfssl/openssl/ssl.h | 196 +- wolfssl/ssl.h | 316 ++- wolfssl/test.h | 3 + wolfssl/version.h | 4 +- wolfssl/wolfcrypt/aes.h | 8 +- wolfssl/wolfcrypt/asn.h | 28 +- wolfssl/wolfcrypt/asn_public.h | 6 +- wolfssl/wolfcrypt/des3.h | 6 + wolfssl/wolfcrypt/error-crypt.h | 3 +- wolfssl/wolfcrypt/include.am | 3 +- wolfssl/wolfcrypt/integer.h | 9 +- wolfssl/wolfcrypt/logging.h | 11 + wolfssl/wolfcrypt/misc.h | 7 + wolfssl/wolfcrypt/tfm.h | 35 +- wolfssl/wolfcrypt/types.h | 51 +- wolfssl/wolfcrypt/wolfmath.h | 33 + 84 files changed, 6276 insertions(+), 896 deletions(-) create mode 100644 certs/dsaparams.pem create mode 100644 src/bio.c create mode 100644 wolfcrypt/src/evp.c create mode 100644 wolfcrypt/src/wolfmath.c create mode 100644 wolfssl/openssl/aes.h create mode 100644 wolfssl/wolfcrypt/wolfmath.h diff --git a/.gitignore b/.gitignore index b22328702..cd9de3c0f 100644 --- a/.gitignore +++ b/.gitignore @@ -64,6 +64,7 @@ testsuite/testsuite tests/unit testsuite/testsuite.test tests/unit.test +tests/bio_write_test.txt testsuite/*.der testsuite/*.pem testsuite/*.raw @@ -188,4 +189,4 @@ wolfcrypt/user-crypto/lib/libusercrypto.* wrapper/CSharp/x64/ # Visual Studio Code Workspace Files -*.vscode \ No newline at end of file +*.vscode diff --git a/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp b/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp index 61982d704..219a61c9a 100644 --- a/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp +++ b/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp @@ -2040,6 +2040,12 @@ $PROJ_DIR$\..\..\..\..\wolfcrypt\src\wc_port.c + + $PROJ_DIR$\..\..\..\..\wolfcrypt\src\wolfmath.c + + + $PROJ_DIR$\..\..\..\..\wolfcrypt\src\wolfevent.c + wolfSSL diff --git a/IDE/IAR-EWARM/Projects/user_settings.h b/IDE/IAR-EWARM/Projects/user_settings.h index 5e4f36e9a..2652f6df1 100644 --- a/IDE/IAR-EWARM/Projects/user_settings.h +++ b/IDE/IAR-EWARM/Projects/user_settings.h @@ -8,6 +8,7 @@ #define NO_DEV_RANDOM #define USE_CERT_BUFFERS_2048 #define WOLFSSL_USER_CURRTIME +#define SIZEOF_LONG_LONG 8 #define CUSTOM_RAND_GENERATE custom_rand_generate /* warning "write a real random seed!!!!, just for testing now" */ diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp index ad5c68af8..3deb98b3e 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp +++ b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp @@ -102,6 +102,8 @@ + + diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl_ltc.hzp b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl_ltc.hzp index ca6a3a5c5..357ac26f3 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl_ltc.hzp +++ b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl_ltc.hzp @@ -104,6 +104,8 @@ + + diff --git a/IDE/WIN-SGX/include.am b/IDE/WIN-SGX/include.am index cce4b10f0..f7ef78fbc 100644 --- a/IDE/WIN-SGX/include.am +++ b/IDE/WIN-SGX/include.am @@ -5,6 +5,5 @@ EXTRA_DIST+= IDE/WIN-SGX/ReadMe.txt EXTRA_DIST+= IDE/WIN-SGX/wolfSSL_SGX.edl EXTRA_DIST+= IDE/WIN-SGX/wolfSSL_SGX.sln -EXTRA_DIST+= IDE/WIN-SGX/wolfSSL_SGX.suo EXTRA_DIST+= IDE/WIN-SGX/wolfSSL_SGX.vcxproj EXTRA_DIST+= IDE/WIN-SGX/wolfSSL_SGX.vcxproj.filters diff --git a/IDE/WIN/wolfssl-fips.vcxproj b/IDE/WIN/wolfssl-fips.vcxproj index 8575aeb9a..d6dc75b6f 100644 --- a/IDE/WIN/wolfssl-fips.vcxproj +++ b/IDE/WIN/wolfssl-fips.vcxproj @@ -300,7 +300,9 @@ + + @@ -324,4 +326,4 @@ - \ No newline at end of file + diff --git a/README b/README index af2771dd7..63f245259 100644 --- a/README +++ b/README @@ -35,6 +35,43 @@ before calling wolfSSL_new(); Though it's not recommended. *** end Notes *** +********* wolfSSL (Formerly CyaSSL) Release 3.10.0 (12/21/2016) + +Release 3.10.0 of wolfSSL has bug fixes and new features including: + +- Added support for SHA224 +- Added scrypt feature +- Build for Intel SGX use, added in directory IDE/WIN-SGX +- Fix for ChaCha20-Poly1305 ECDSA certificate type request +- Enhance PKCS#7 with ECC enveloped data and AES key wrap support +- Added support for RIOT OS +- Add support for parsing PKCS#12 files +- ECC performance increased with custom curves +- ARMv8 expanded to AArch32 and performance increased +- Added ANSI-X9.63-KDF support +- Port to STM32 F2/F4 CubeMX +- Port to Atmel ATECC508A board +- Removed fPIE by default when wolfSSL library is compiled +- Update to Python wrapper, dropping DES and adding wc_RSASetRNG +- Added support for NXP K82 hardware acceleration +- Added SCR client and server verify check +- Added a disable rng option with autoconf +- Added more tests vectors to test.c with AES-CTR +- Updated DTLS session export version number +- Updated DTLS for 64 bit sequence numbers +- Fix for memory management with TI and WOLFSSL_SMALL_STACK +- Hardening RSA CRT to be constant time +- Fix uninitialized warning with IAR compiler +- Fix for C# wrapper example IO hang on unexpected connection termination + + +This release of wolfSSL fixes a low level security vulnerability. The vulnerability reported was a potential cache attack on RSA operations. If using wolfSSL RSA on a server that other users can have access to monitor the cache, then it is recommended to update wolfSSL. Thanks to Andreas Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the report. More information will be available on our site: + +https://wolfssl.com/wolfSSL/security/vulnerabilities.php + +See INSTALL file for build instructions. +More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html + ********* wolfSSL (Formerly CyaSSL) Release 3.9.10 (9/23/2016) Release 3.9.10 of wolfSSL has bug fixes and new features including: diff --git a/README.md b/README.md index 17950e4e0..ae166c18e 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,43 @@ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); before calling wolfSSL_new(); Though it's not recommended. ``` +# wolfSSL (Formerly CyaSSL) Release 3.10.0 (12/21/2016) + +## Release 3.10.0 of wolfSSL has bug fixes and new features including: + +- Added support for SHA224 +- Added scrypt feature +- Build for Intel SGX use, added in directory IDE/WIN-SGX +- Fix for ChaCha20-Poly1305 ECDSA certificate type request +- Enhance PKCS#7 with ECC enveloped data and AES key wrap support +- Added support for RIOT OS +- Add support for parsing PKCS#12 files +- ECC performance increased with custom curves +- ARMv8 expanded to AArch32 and performance increased +- Added ANSI-X9.63-KDF support +- Port to STM32 F2/F4 CubeMX +- Port to Atmel ATECC508A board +- Removed fPIE by default when wolfSSL library is compiled +- Update to Python wrapper, dropping DES and adding wc_RSASetRNG +- Added support for NXP K82 hardware acceleration +- Added SCR client and server verify check +- Added a disable rng option with autoconf +- Added more tests vectors to test.c with AES-CTR +- Updated DTLS session export version number +- Updated DTLS for 64 bit sequence numbers +- Fix for memory management with TI and WOLFSSL_SMALL_STACK +- Hardening RSA CRT to be constant time +- Fix uninitialized warning with IAR compiler +- Fix for C# wrapper example IO hang on unexpected connection termination + + +This release of wolfSSL fixes a low level security vulnerability. The vulnerability reported was a potential cache attack on RSA operations. If using wolfSSL RSA on a server that other users can have access to monitor the cache, then it is recommended to update wolfSSL. Thanks to Andreas Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the report. More information will be available on our site: + +https://wolfssl.com/wolfSSL/security/vulnerabilities.php + +See INSTALL file for build instructions. +More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html + # wolfSSL (Formerly CyaSSL) Release 3.9.10 (9/23/2016) diff --git a/certs/dsaparams.pem b/certs/dsaparams.pem new file mode 100644 index 000000000..973e89682 --- /dev/null +++ b/certs/dsaparams.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBHwKBgQDN3iVogFMN5XfW0pA5P5CiPzOUbuhPK2OrMKsVuhHqil2NzLjUodXB +R51ac2piSdEGB2f2L6M5vU4NtNMiI4TskyZaSe58iUhmTejo2FD7pXGfIhjl5gtG +h2buUo9GT7UDzu3jvuW1gdJZ6cCtTdBNJve6UOjJj/4kGT0up1I8bQIVAPtH++yB +IMgc6Uq6BG8Zm5TugmfTAoGBAJuVu4XFWEoynKpEhdZo3D4U9M5to0k46tZhSJJa +QJVJOKrhOSloWEeKSwHhLo5sY29AylA/jAuZ5HJCuLHCJkjxnIPGNy5arhEJ2fOt +H2+trVDjeDLm3o6qv9EAn7MCEhmiFewUGFwOJs75rsx7tdEm/IX+FJO2nX124zWX +Ht7E +-----END DSA PARAMETERS----- diff --git a/certs/include.am b/certs/include.am index eedd53aa2..b7fad51e5 100644 --- a/certs/include.am +++ b/certs/include.am @@ -31,7 +31,8 @@ EXTRA_DIST += \ certs/server-revoked-cert.pem \ certs/server-revoked-key.pem \ certs/wolfssl-website-ca.pem \ - certs/test-servercert.p12 + certs/test-servercert.p12 \ + certs/dsaparams.pem EXTRA_DIST += \ certs/ca-key.der \ certs/ca-cert.der \ diff --git a/configure.ac b/configure.ac index 58cad5908..8afb2db4d 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.9.10],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.10.0],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) @@ -35,7 +35,7 @@ AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS. #shared library versioning -WOLFSSL_LIBRARY_VERSION=8:0:5 +WOLFSSL_LIBRARY_VERSION=9:0:6 # | | | # +------+ | +---+ # | | | diff --git a/examples/client/client.c b/examples/client/client.c index 7d5b43e2a..e0cc24125 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1288,6 +1288,15 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); #endif + #if defined(OPENSSL_EXTRA) + if (wolfSSL_CTX_get_read_ahead(ctx) != 0) { + err_sys("bad read ahead default value"); + } + if (wolfSSL_CTX_set_read_ahead(ctx, 1) != SSL_SUCCESS) { + err_sys("error setting read ahead value"); + } + #endif + ssl = wolfSSL_new(ctx); if (ssl == NULL) err_sys("unable to get SSL object"); @@ -1445,13 +1454,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef OPENSSL_EXTRA { - byte* rnd; - byte* pt; - int size; + byte* rnd; + byte* pt; + size_t size; /* get size of buffer then print */ size = wolfSSL_get_client_random(NULL, NULL, 0); - if (size < 0) { + if (size == 0) { err_sys("error getting client random buffer size"); } @@ -1461,7 +1470,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } size = wolfSSL_get_client_random(ssl, rnd, size); - if (size < 0) { + if (size == 0) { XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER); err_sys("error getting client random buffer"); } diff --git a/examples/server/server.c b/examples/server/server.c index d39db8070..13bf57918 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -882,6 +882,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) ssl = SSL_new(ctx); if (ssl == NULL) err_sys("unable to get SSL"); + #ifdef OPENSSL_EXTRA + wolfSSL_KeepArrays(ssl); + #endif #if defined(WOLFSSL_STATIC_MEMORY) && defined(DEBUG_WOLFSSL) { @@ -1022,6 +1025,39 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } showPeer(ssl); + if (SSL_state(ssl) != 0) { + err_sys("SSL in error state"); + } + +#ifdef OPENSSL_EXTRA + { + byte* rnd; + byte* pt; + size_t size; + + /* get size of buffer then print */ + size = wolfSSL_get_server_random(NULL, NULL, 0); + if (size == 0) { + err_sys("error getting server random buffer size"); + } + + rnd = (byte*)XMALLOC(size, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (rnd == NULL) { + err_sys("error creating server random buffer"); + } + + size = wolfSSL_get_server_random(ssl, rnd, size); + if (size == 0) { + XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + err_sys("error getting server random buffer"); + } + + printf("Server Random : "); + for (pt = rnd; pt < rnd + size; pt++) printf("%02X", *pt); + printf("\n"); + XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } +#endif #ifdef HAVE_ALPN if (alpnList != NULL) { diff --git a/rpm/spec.in b/rpm/spec.in index 8d19ce753..ae8fc8ad8 100644 --- a/rpm/spec.in +++ b/rpm/spec.in @@ -73,7 +73,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/libwolfssl.la %{_libdir}/libwolfssl.so %{_libdir}/libwolfssl.so.3 -%{_libdir}/libwolfssl.so.3.5.0 +%{_libdir}/libwolfssl.so.3.6.0 %files devel %defattr(-,root,root,-) @@ -231,6 +231,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/wolfssl/wolfcrypt/wolfevent.h %{_includedir}/wolfssl/error-ssl.h %{_includedir}/wolfssl/ocsp.h +%{_includedir}/wolfssl/openssl/aes.h %{_includedir}/wolfssl/openssl/asn1.h %{_includedir}/wolfssl/openssl/bio.h %{_includedir}/wolfssl/openssl/bn.h @@ -275,6 +276,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/pkgconfig/wolfssl.pc %changelog +* Fri Nov 11 2016 Jacob Barthelmeh +- Added header for wolfssl/openssl/aes.h * Fri Oct 28 2016 Jacob Barthelmeh - Added header for pkcs12 * Fri Sep 23 2016 John Safranek diff --git a/src/bio.c b/src/bio.c new file mode 100644 index 000000000..aa02a9ada --- /dev/null +++ b/src/bio.c @@ -0,0 +1,446 @@ +/* bio.c + * + * Copyright (C) 2006-2016 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bio, int cmd, long larg, void *parg) +{ + (void)bio; + (void)cmd; + (void)larg; + (void)parg; + + WOLFSSL_ENTER("BIO_ctrl"); + return 1; +} + + +/* Return the number of pending bytes in read and write buffers */ +size_t wolfSSL_BIO_ctrl_pending(WOLFSSL_BIO *bio) +{ + WOLFSSL_ENTER("BIO_ctrl_pending"); + if (bio == NULL) { + return 0; + } + + if (bio->ssl != NULL) { + return (long)wolfSSL_pending(bio->ssl); + } + + if (bio->type == BIO_MEMORY) { + return bio->memLen; + } + + /* type BIO_BIO then check paired buffer */ + if (bio->type == BIO_BIO && bio->pair != NULL) { + WOLFSSL_BIO* pair = bio->pair; + if (pair->wrIdx > 0 && pair->wrIdx <= pair->rdIdx) { + /* in wrap around state where begining of buffer is being + * overwritten */ + return pair->wrSz - pair->rdIdx + pair->wrIdx; + } + else { + /* simple case where has not wrapped around */ + return pair->wrIdx - pair->rdIdx; + } + } + + return 0; +} + + +long wolfSSL_BIO_get_mem_ptr(WOLFSSL_BIO *bio, WOLFSSL_BUF_MEM **ptr) +{ + WOLFSSL_ENTER("BIO_get_mem_ptr"); + + if (bio == NULL || ptr == NULL) { + return SSL_FAILURE; + } + + *ptr = (WOLFSSL_BUF_MEM*)(bio->mem); + return SSL_SUCCESS; +} + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_BIO_int_ctrl(WOLFSSL_BIO *bp, int cmd, long larg, int iarg) +{ + (void) bp; + (void) cmd; + (void) larg; + (void) iarg; + WOLFSSL_ENTER("BIO_int_ctrl"); + return 0; +} + + +int wolfSSL_BIO_set_write_buf_size(WOLFSSL_BIO *bio, long size) +{ + WOLFSSL_ENTER("wolfSSL_BIO_set_write_buf_size"); + + if (bio == NULL || bio->type != BIO_BIO || size < 0) { + return SSL_FAILURE; + } + + /* if already in pair then do not change size */ + if (bio->pair != NULL) { + WOLFSSL_MSG("WOLFSSL_BIO is paired, free from pair before changing"); + return SSL_FAILURE; + } + + bio->wrSz = (int)size; + if (bio->wrSz < 0) { + WOLFSSL_MSG("Unexpected negative size value"); + return SSL_FAILURE; + } + + if (bio->mem != NULL) { + XFREE(bio->mem, bio->heap, DYNAMIC_TYPE_OPENSSL); + } + + bio->mem = (byte*)XMALLOC(bio->wrSz, bio->heap, DYNAMIC_TYPE_OPENSSL); + if (bio->mem == NULL) { + WOLFSSL_MSG("Memory allocation error"); + return SSL_FAILURE; + } + bio->wrIdx = 0; + bio->rdIdx = 0; + + return SSL_SUCCESS; +} + + +/* Joins two BIO_BIO types. The write of b1 goes to the read of b2 and vise + * versa. Creating something similar to a two way pipe. + * Reading and writing between the two BIOs is not thread safe, they are + * expected to be used by the same thread. */ +int wolfSSL_BIO_make_bio_pair(WOLFSSL_BIO *b1, WOLFSSL_BIO *b2) +{ + WOLFSSL_ENTER("wolfSSL_BIO_make_bio_pair"); + + if (b1 == NULL || b2 == NULL) { + WOLFSSL_LEAVE("wolfSSL_BIO_make_bio_pair", BAD_FUNC_ARG); + return SSL_FAILURE; + } + + /* both are expected to be of type BIO and not already paired */ + if (b1->type != BIO_BIO || b2->type != BIO_BIO || + b1->pair != NULL || b2->pair != NULL) { + WOLFSSL_MSG("Expected type BIO and not already paired"); + return SSL_FAILURE; + } + + /* set default write size if not already set */ + if (b1->mem == NULL && wolfSSL_BIO_set_write_buf_size(b1, + WOLFSSL_BIO_SIZE) != SSL_SUCCESS) { + return SSL_FAILURE; + } + + if (b2->mem == NULL && wolfSSL_BIO_set_write_buf_size(b2, + WOLFSSL_BIO_SIZE) != SSL_SUCCESS) { + return SSL_FAILURE; + } + + b1->pair = b2; + b2->pair = b1; + + return SSL_SUCCESS; +} + + +int wolfSSL_BIO_ctrl_reset_read_request(WOLFSSL_BIO *b) +{ + WOLFSSL_ENTER("wolfSSL_BIO_ctrl_reset_read_request"); + + if (b == NULL) { + return SSL_FAILURE; + } + + b->readRq = 0; + + return SSL_SUCCESS; +} + + +/* Does not advance read index pointer */ +int wolfSSL_BIO_nread0(WOLFSSL_BIO *bio, char **buf) +{ + WOLFSSL_ENTER("wolfSSL_BIO_nread0"); + + if (bio == NULL || buf == NULL) { + WOLFSSL_MSG("NULL argument passed in"); + return 0; + } + + /* if paired read from pair */ + if (bio->pair != NULL) { + WOLFSSL_BIO* pair = bio->pair; + + /* case where have wrapped around write buffer */ + *buf = (char*)pair->mem + pair->rdIdx; + if (pair->wrIdx > 0 && pair->rdIdx >= pair->wrIdx) { + return pair->wrSz - pair->rdIdx; + } + else { + return pair->wrIdx - pair->rdIdx; + } + } + + return 0; +} + + +/* similar to wolfSSL_BIO_nread0 but advances the read index */ +int wolfSSL_BIO_nread(WOLFSSL_BIO *bio, char **buf, int num) +{ + int sz = WOLFSSL_BIO_UNSET; + + WOLFSSL_ENTER("wolfSSL_BIO_nread"); + + if (bio == NULL || buf == NULL) { + WOLFSSL_MSG("NULL argument passed in"); + return SSL_FAILURE; + } + + if (bio->pair != NULL) { + /* special case if asking to read 0 bytes */ + if (num == 0) { + *buf = (char*)bio->pair->mem + bio->pair->rdIdx; + return 0; + } + + /* get amount able to read and set buffer pointer */ + sz = wolfSSL_BIO_nread0(bio, buf); + if (sz == 0) { + return WOLFSSL_BIO_ERROR; + } + + if (num < sz) { + sz = num; + } + bio->pair->rdIdx += sz; + + /* check if have read to the end of the buffer and need to reset */ + if (bio->pair->rdIdx == bio->pair->wrSz) { + bio->pair->rdIdx = 0; + if (bio->pair->wrIdx == bio->pair->wrSz) { + bio->pair->wrIdx = 0; + } + } + + /* check if read up to write index, if so then reset indexs */ + if (bio->pair->rdIdx == bio->pair->wrIdx) { + bio->pair->rdIdx = 0; + bio->pair->wrIdx = 0; + } + } + + return sz; +} + + +int wolfSSL_BIO_nwrite(WOLFSSL_BIO *bio, char **buf, int num) +{ + int sz = WOLFSSL_BIO_UNSET; + + WOLFSSL_ENTER("wolfSSL_BIO_nwrite"); + + if (bio == NULL || buf == NULL) { + WOLFSSL_MSG("NULL argument passed in"); + return 0; + } + + if (bio->pair != NULL) { + if (num == 0) { + *buf = (char*)bio->mem + bio->wrIdx; + return 0; + } + + if (bio->wrIdx < bio->rdIdx) { + /* if wrapped around only write up to read index. In this case + * rdIdx is always greater then wrIdx so sz will not be negative. */ + sz = bio->rdIdx - bio->wrIdx; + } + else if (bio->rdIdx > 0 && bio->wrIdx == bio->rdIdx) { + return WOLFSSL_BIO_ERROR; /* no more room to write */ + } + else { + /* write index is past read index so write to end of buffer */ + sz = bio->wrSz - bio->wrIdx; + + if (sz <= 0) { + /* either an error has occured with write index or it is at the + * end of the write buffer. */ + if (bio->rdIdx == 0) { + /* no more room, nothing has been read */ + return WOLFSSL_BIO_ERROR; + } + + bio->wrIdx = 0; + + /* check case where read index is not at 0 */ + if (bio->rdIdx > 0) { + sz = bio->rdIdx; /* can write up to the read index */ + } + else { + sz = bio->wrSz; /* no restriction other then buffer size */ + } + } + } + + if (num < sz) { + sz = num; + } + *buf = (char*)bio->mem + bio->wrIdx; + bio->wrIdx += sz; + + /* if at the end of the buffer and space for wrap around then set + * write index back to 0 */ + if (bio->wrIdx == bio->wrSz && bio->rdIdx > 0) { + bio->wrIdx = 0; + } + } + + return sz; +} + + +/* Reset BIO to initial state */ +int wolfSSL_BIO_reset(WOLFSSL_BIO *bio) +{ + WOLFSSL_ENTER("wolfSSL_BIO_reset"); + + if (bio == NULL) { + WOLFSSL_MSG("NULL argument passed in"); + /* -1 is consistent failure even for FILE type */ + return WOLFSSL_BIO_ERROR; + } + + switch (bio->type) { + #ifndef NO_FILESYSTEM + case BIO_FILE: + XREWIND(bio->file); + return 0; + #endif + + case BIO_BIO: + bio->rdIdx = 0; + bio->wrIdx = 0; + return 0; + + default: + WOLFSSL_MSG("Unknown BIO type needs added to reset function"); + } + + return WOLFSSL_BIO_ERROR; +} + +#ifndef NO_FILESYSTEM +long wolfSSL_BIO_set_fp(WOLFSSL_BIO *bio, XFILE fp, int c) +{ + WOLFSSL_ENTER("wolfSSL_BIO_set_fp"); + + if (bio == NULL || fp == NULL) { + WOLFSSL_LEAVE("wolfSSL_BIO_set_fp", BAD_FUNC_ARG); + return SSL_FAILURE; + } + + if (bio->type != BIO_FILE) { + return SSL_FAILURE; + } + + bio->close = (byte)c; + bio->file = fp; + + return SSL_SUCCESS; +} + + +long wolfSSL_BIO_get_fp(WOLFSSL_BIO *bio, XFILE* fp) +{ + WOLFSSL_ENTER("wolfSSL_BIO_get_fp"); + + if (bio == NULL || fp == NULL) { + return SSL_FAILURE; + } + + if (bio->type != BIO_FILE) { + return SSL_FAILURE; + } + + *fp = bio->file; + + return SSL_SUCCESS; +} + +/* overwrites file */ +int wolfSSL_BIO_write_filename(WOLFSSL_BIO *bio, char *name) +{ + WOLFSSL_ENTER("wolfSSL_BIO_write_filename"); + + if (bio == NULL || name == NULL) { + return SSL_FAILURE; + } + + if (bio->type == BIO_FILE) { + if (bio->file != NULL && bio->close == BIO_CLOSE) { + XFCLOSE(bio->file); + } + + bio->file = XFOPEN(name, "w"); + if (bio->file == NULL) { + return SSL_FAILURE; + } + bio->close = BIO_CLOSE; + + return SSL_SUCCESS; + } + + return SSL_FAILURE; +} + + +int wolfSSL_BIO_seek(WOLFSSL_BIO *bio, int ofs) +{ + WOLFSSL_ENTER("wolfSSL_BIO_seek"); + + if (bio == NULL) { + return -1; + } + + /* offset ofs from begining of file */ + if (bio->type == BIO_FILE && XFSEEK(bio->file, ofs, SEEK_SET) < 0) { + return -1; + } + + return 0; +} +#endif /* NO_FILESYSTEM */ + + +long wolfSSL_BIO_set_mem_eof_return(WOLFSSL_BIO *bio, int v) +{ + WOLFSSL_ENTER("wolfSSL_BIO_set_mem_eof_return"); + + if (bio != NULL) { + bio->eof = v; + } + + return 0; +} diff --git a/src/include.am b/src/include.am index 82be0c1a0..031e9645c 100644 --- a/src/include.am +++ b/src/include.am @@ -120,7 +120,8 @@ src_libwolfssl_la_SOURCES += \ wolfcrypt/src/wc_encrypt.c \ wolfcrypt/src/wc_port.c \ wolfcrypt/src/error.c \ - wolfcrypt/src/signature.c + wolfcrypt/src/signature.c \ + wolfcrypt/src/wolfmath.c if BUILD_MEMORY src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c diff --git a/src/internal.c b/src/internal.c index a214b7fcb..7e20cf95d 100644 --- a/src/internal.c +++ b/src/internal.c @@ -65,12 +65,6 @@ #include #endif -#ifndef TRUE - #define TRUE 1 -#endif -#ifndef FALSE - #define FALSE 0 -#endif #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; } @@ -150,16 +144,6 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes); int QSH_Init(WOLFSSL* ssl); #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - int IsTLS(const WOLFSSL* ssl) { @@ -1402,6 +1386,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) WOLFSSL_MSG("Bad Cert Manager New"); return BAD_CERT_MANAGER_ERROR; } + #ifdef OPENSSL_EXTRA + /* setup WOLFSSL_X509_STORE */ + ctx->x509_store.cm = ctx->cm; + #endif #endif #if defined(HAVE_EXTENDED_MASTER) && !defined(NO_WOLFSSL_CLIENT) @@ -1435,9 +1423,9 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) /* In case contexts are held in array and don't want to free actual ctx */ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) { +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 int i; - - (void)i; +#endif #ifdef HAVE_WOLF_EVENT wolfEventQueue_Free(&ctx->event_queue); @@ -1450,14 +1438,14 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) #ifndef NO_DH XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); -#endif +#endif /* !NO_DH */ #ifdef SINGLE_THREADED if (ctx->rng) { wc_FreeRng(ctx->rng); XFREE(ctx->rng, ctx->heap, DYNAMIC_TYPE_RNG); } -#endif +#endif /* SINGLE_THREADED */ #ifndef NO_CERTS FreeDer(&ctx->privateKey); @@ -1467,16 +1455,15 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) if (ctx->ourCert) { XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); } - #endif + #endif /* KEEP_OUR_CERT */ FreeDer(&ctx->certChain); wolfSSL_CertManagerFree(ctx->cm); -#endif +#endif /* !NO_CERTS */ #ifdef HAVE_TLS_EXTENSIONS TLSX_FreeAll(ctx->extensions, ctx->heap); #ifndef NO_WOLFSSL_SERVER - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (ctx->certOcspRequest) { @@ -1485,29 +1472,28 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) } #endif -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 for (i = 0; i < MAX_CHAIN_DEPTH; i++) { if (ctx->chainOcspRequest[i]) { FreeOcspRequest(ctx->chainOcspRequest[i]); XFREE(ctx->chainOcspRequest[i], ctx->heap, DYNAMIC_TYPE_OCSP_REQUEST); } } -#endif - -#endif /* NO_WOLFSSL_SERVER */ +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ +#endif /* !NO_WOLFSSL_SERVER */ #endif /* HAVE_TLS_EXTENSIONS */ + #ifdef WOLFSSL_STATIC_MEMORY if (ctx->heap != NULL) { #ifdef WOLFSSL_HEAP_TEST /* avoid derefrencing a test value */ - if (ctx->heap != (void*)WOLFSSL_HEAP_TEST) { + if (ctx->heap != (void*)WOLFSSL_HEAP_TEST) #endif - WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)(ctx->heap); - wc_FreeMutex(&((WOLFSSL_HEAP*)(hint->memory))->memory_mutex); -#ifdef WOLFSSL_HEAP_TEST + { + WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)(ctx->heap); + wc_FreeMutex(&((WOLFSSL_HEAP*)(hint->memory))->memory_mutex); } -#endif } #endif /* WOLFSSL_STATIC_MEMORY */ } @@ -2589,6 +2575,13 @@ void FreeX509Name(WOLFSSL_X509_NAME* name, void* heap) /* Initialize wolfSSL X509 type */ void InitX509(WOLFSSL_X509* x509, int dynamicFlag, void* heap) { + if (x509 == NULL) { + WOLFSSL_MSG("Null parameter passed in!"); + return; + } + + XMEMSET(x509, 0, sizeof(WOLFSSL_X509)); + x509->heap = heap; InitX509Name(&x509->issuer, 0); InitX509Name(&x509->subject, 0); @@ -2644,6 +2637,12 @@ void FreeX509(WOLFSSL_X509* x509) #ifdef OPENSSL_EXTRA XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); + if (x509->authInfo != NULL) { + XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); + } + if (x509->extKeyUsageSrc != NULL) { + XFREE(x509->extKeyUsageSrc, x509->heap, DYNAMIC_TYPE_X509_EXT); + } #endif /* OPENSSL_EXTRA */ if (x509->altNames) FreeAltNames(x509->altNames, NULL); @@ -3315,6 +3314,10 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) #endif #endif +#ifdef OPENSSL_EXTRA + ssl->readAhead = ctx->readAhead; +#endif + return SSL_SUCCESS; } @@ -5323,6 +5326,32 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } #endif +#ifdef OPENSSL_EXTRA + /* case where specific protocols are turned off */ + if (!ssl->options.dtls && ssl->options.mask > 0) { + if (rh->pvMinor == SSLv3_MINOR && + (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { + WOLFSSL_MSG("Option set to not allow SSLv3"); + return VERSION_ERROR; + } + if (rh->pvMinor == TLSv1_MINOR && + (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { + WOLFSSL_MSG("Option set to not allow TLSv1"); + return VERSION_ERROR; + } + if (rh->pvMinor == TLSv1_1_MINOR && + (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { + WOLFSSL_MSG("Option set to not allow TLSv1.1"); + return VERSION_ERROR; + } + if (rh->pvMinor == TLSv1_2_MINOR && + (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + WOLFSSL_MSG("Option set to not allow TLSv1.2"); + return VERSION_ERROR; + } + } +#endif /* OPENSSL_EXTRA */ + /* catch version mismatch */ if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor){ if (ssl->options.side == WOLFSSL_SERVER_END && @@ -5404,7 +5433,7 @@ static int GetDtlsHandShakeHeader(WOLFSSL* ssl, const byte* input, *type = input[idx++]; c24to32(input + idx, size); - idx += BYTE3_LEN; + idx += OPAQUE24_LEN; ato16(input + idx, &ssl->keys.dtls_peer_handshake_number); idx += DTLS_HANDSHAKE_SEQ_SZ; @@ -6232,7 +6261,7 @@ static int CheckAltNames(DecodedCert* dCert, char* domain) altName = dCert->altNames; while (altName) { - WOLFSSL_MSG(" individual AltName check"); + WOLFSSL_MSG("\tindividual AltName check"); if (MatchDomainName(altName->name,(int)XSTRLEN(altName->name), domain)){ match = 1; @@ -6253,7 +6282,8 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) { int ret = 0; - if (x509 == NULL || dCert == NULL) + if (x509 == NULL || dCert == NULL || + dCert->subjectCNLen < 0) return BAD_FUNC_ARG; x509->version = dCert->version + 1; @@ -6310,14 +6340,14 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) else x509->deviceTypeSz = 0; minSz = min(dCert->hwTypeSz, EXTERNAL_SERIAL_SIZE); - if (minSz != 0) { + if (minSz > 0) { x509->hwTypeSz = minSz; XMEMCPY(x509->hwType, dCert->hwType, minSz); } else x509->hwTypeSz = 0; minSz = min(dCert->hwSerialNumSz, EXTERNAL_SERIAL_SIZE); - if (minSz != 0) { + if (minSz > 0) { x509->hwSerialNumSz = minSz; XMEMCPY(x509->hwSerialNum, dCert->hwSerialNum, minSz); } @@ -6327,14 +6357,14 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) #endif /* WOLFSSL_SEP */ { int minSz = min(dCert->beforeDateLen, MAX_DATE_SZ); - if (minSz != 0) { + if (minSz > 0) { x509->notBeforeSz = minSz; XMEMCPY(x509->notBefore, dCert->beforeDate, minSz); } else x509->notBeforeSz = 0; minSz = min(dCert->afterDateLen, MAX_DATE_SZ); - if (minSz != 0) { + if (minSz > 0) { x509->notAfterSz = minSz; XMEMCPY(x509->notAfter, dCert->afterDate, minSz); } @@ -6384,6 +6414,23 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) x509->pathLength = dCert->pathLength; x509->keyUsage = dCert->extKeyUsage; + x509->CRLdistSet = dCert->extCRLdistSet; + x509->CRLdistCrit = dCert->extCRLdistCrit; + x509->CRLInfo = dCert->extCrlInfo; + x509->CRLInfoSz = dCert->extCrlInfoSz; + x509->authInfoSet = dCert->extAuthInfoSet; + x509->authInfoCrit = dCert->extAuthInfoCrit; + if (dCert->extAuthInfo != NULL && dCert->extAuthInfoSz > 0) { + x509->authInfo = (byte*)XMALLOC(dCert->extAuthInfoSz, x509->heap, + DYNAMIC_TYPE_X509_EXT); + if (x509->authInfo != NULL) { + XMEMCPY(x509->authInfo, dCert->extAuthInfo, dCert->extAuthInfoSz); + x509->authInfoSz = dCert->extAuthInfoSz; + } + else { + ret = MEMORY_E; + } + } x509->basicConstSet = dCert->extBasicConstSet; x509->basicConstCrit = dCert->extBasicConstCrit; x509->basicConstPlSet = dCert->pathLengthSet; @@ -6417,10 +6464,33 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) } x509->keyUsageSet = dCert->extKeyUsageSet; x509->keyUsageCrit = dCert->extKeyUsageCrit; + if (dCert->extExtKeyUsageSrc != NULL && dCert->extExtKeyUsageSz > 0) { + x509->extKeyUsageSrc = (byte*)XMALLOC(dCert->extExtKeyUsageSz, + x509->heap, DYNAMIC_TYPE_X509_EXT); + if (x509->extKeyUsageSrc != NULL) { + XMEMCPY(x509->extKeyUsageSrc, dCert->extExtKeyUsageSrc, + dCert->extExtKeyUsageSz); + x509->extKeyUsageSz = dCert->extExtKeyUsageSz; + x509->extKeyUsageCrit = dCert->extExtKeyUsageCrit; + x509->extKeyUsageCount = dCert->extExtKeyUsageCount; + } + else { + ret = MEMORY_E; + } + } #ifdef WOLFSSL_SEP x509->certPolicySet = dCert->extCertPolicySet; x509->certPolicyCrit = dCert->extCertPolicyCrit; #endif /* WOLFSSL_SEP */ + #ifdef WOLFSSL_CERT_EXT + { + int i; + for (i = 0; i < dCert->extCertPoliciesNb && i < MAX_CERTPOL_NB; i++) + XMEMCPY(x509->certPolicies[i], dCert->extCertPolicies[i], + MAX_CERTPOL_SZ); + x509->certPoliciesNb = dCert->extCertPoliciesNb; + } + #endif /* WOLFSSL_CERT_EXT */ #endif /* OPENSSL_EXTRA */ #ifdef HAVE_ECC x509->pkCurveOID = dCert->pkCurveOID; @@ -6480,8 +6550,12 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, while (listSz) { word32 certSz; - if (totalCerts >= MAX_CHAIN_DEPTH) + if (totalCerts >= MAX_CHAIN_DEPTH) { + #ifdef OPENSSL_EXTRA + ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; + #endif return MAX_CHAIN_ERROR; + } if ((*inOutIdx - begin) + OPAQUE24_LEN > size) return BUFFER_ERROR; @@ -6511,7 +6585,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, listSz -= certSz + CERT_HEADER_SZ; totalCerts++; - WOLFSSL_MSG(" Put another cert into chain"); + WOLFSSL_MSG("\tPut another cert into chain"); } count = totalCerts; @@ -6702,6 +6776,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (ret == 0) { WOLFSSL_MSG("Verified Peer's cert"); + #ifdef OPENSSL_EXTRA + ssl->peerVerifyRet = X509_V_OK; + #endif fatal = 0; } else if (ret == ASN_PARSE_E) { @@ -6839,6 +6916,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif ssl->error = ret; + #ifdef OPENSSL_EXTRA + ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; + #endif return ret; } ssl->options.havePeerCert = 1; @@ -7163,7 +7243,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, do { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { - request = TLSX_CSR_GetRequest(ssl->extensions); + request = (OcspRequest*)TLSX_CSR_GetRequest( + ssl->extensions); ssl->status_request = 0; break; } @@ -7171,8 +7252,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 if (ssl->status_request_v2) { - request = TLSX_CSR2_GetRequest(ssl->extensions, - status_type, 0); + request = (OcspRequest*)TLSX_CSR2_GetRequest( + ssl->extensions, status_type, 0); ssl->status_request_v2 = 0; break; } @@ -7286,8 +7367,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, ret = BAD_CERTIFICATE_STATUS_ERROR; while (ret == 0) { - request = TLSX_CSR2_GetRequest(ssl->extensions, - status_type, index++); + request = (OcspRequest*)TLSX_CSR2_GetRequest( + ssl->extensions, status_type, index++); if (request == NULL) ret = BAD_CERTIFICATE_STATUS_ERROR; @@ -8258,7 +8339,7 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* This branch is in order next, and a complete message. */ ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); if (ret == 0) { - if (type != client_hello) + if (type != client_hello || !IsDtlsNotSctpMode(ssl)) ssl->keys.dtls_expected_peer_handshake_number++; if (ssl->dtls_rx_msg_list != NULL) { ret = DtlsMsgDrain(ssl); @@ -9317,7 +9398,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type, WOLFSSL_MSG("Got alert"); if (*type == close_notify) { - WOLFSSL_MSG(" close notify"); + WOLFSSL_MSG("\tclose notify"); ssl->options.closeNotify = 1; } WOLFSSL_ERROR(*type); @@ -9473,7 +9554,7 @@ int ProcessReply(WOLFSSL* ssl) int ret = 0, type, readSz; int atomicUser = 0; word32 startIdx = 0; -#ifdef WOLFSSL_DTLS +#if defined(WOLFSSL_DTLS) int used; #endif @@ -9798,10 +9879,13 @@ int ProcessReply(WOLFSSL* ssl) #ifdef WOLFSSL_DTLS if (ssl->options.dtls) { DtlsMsgPoolReset(ssl); - ssl->keys.nextEpoch++; - ssl->keys.nextSeq_lo = 0; + ssl->keys.prevSeq_lo = ssl->keys.nextSeq_lo; + ssl->keys.prevSeq_hi = ssl->keys.nextSeq_hi; XMEMCPY(ssl->keys.prevWindow, ssl->keys.window, DTLS_SEQ_SZ); + ssl->keys.nextEpoch++; + ssl->keys.nextSeq_lo = 0; + ssl->keys.nextSeq_hi = 0; XMEMSET(ssl->keys.window, 0, DTLS_SEQ_SZ); } #endif @@ -10730,7 +10814,9 @@ int SendCertificate(WOLFSSL* ssl) sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, handshake, 1, 0); - XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); + + if (inputSz > 0) + XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (sendSz < 0) return sendSz; @@ -13909,11 +13995,11 @@ static void PickHashSigAlgo(WOLFSSL* ssl, WOLFSSL_MSG("server using lower version"); if (!ssl->options.downgrade) { - WOLFSSL_MSG(" no downgrade allowed, fatal error"); + WOLFSSL_MSG("\tno downgrade allowed, fatal error"); return VERSION_ERROR; } if (pv.minor < ssl->options.minDowngrade) { - WOLFSSL_MSG(" version below minimum allowed, fatal error"); + WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); return VERSION_ERROR; } @@ -13928,19 +14014,19 @@ static void PickHashSigAlgo(WOLFSSL* ssl, if (pv.minor == SSLv3_MINOR) { /* turn off tls */ - WOLFSSL_MSG(" downgrading to SSLv3"); + WOLFSSL_MSG("\tdowngrading to SSLv3"); ssl->options.tls = 0; ssl->options.tls1_1 = 0; ssl->version.minor = SSLv3_MINOR; } else if (pv.minor == TLSv1_MINOR) { /* turn off tls 1.1+ */ - WOLFSSL_MSG(" downgrading to TLSv1"); + WOLFSSL_MSG("\tdowngrading to TLSv1"); ssl->options.tls1_1 = 0; ssl->version.minor = TLSv1_MINOR; } else if (pv.minor == TLSv1_1_MINOR) { - WOLFSSL_MSG(" downgrading to TLSv1.1"); + WOLFSSL_MSG("\tdowngrading to TLSv1.1"); ssl->version.minor = TLSv1_1_MINOR; } } @@ -18813,24 +18899,24 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return VERSION_ERROR; } if (pv.minor < ssl->options.minDowngrade) { - WOLFSSL_MSG(" version below minimum allowed, fatal error"); + WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); return VERSION_ERROR; } if (pv.minor == SSLv3_MINOR) { /* turn off tls */ - WOLFSSL_MSG(" downgrading to SSLv3"); + WOLFSSL_MSG("\tdowngrading to SSLv3"); ssl->options.tls = 0; ssl->options.tls1_1 = 0; ssl->version.minor = SSLv3_MINOR; } else if (pv.minor == TLSv1_MINOR) { - WOLFSSL_MSG(" downgrading to TLSv1"); + WOLFSSL_MSG("\tdowngrading to TLSv1"); /* turn off tls 1.1+ */ ssl->options.tls1_1 = 0; ssl->version.minor = TLSv1_MINOR; } else if (pv.minor == TLSv1_1_MINOR) { - WOLFSSL_MSG(" downgrading to TLSv1.1"); + WOLFSSL_MSG("\tdowngrading to TLSv1.1"); ssl->version.minor = TLSv1_1_MINOR; } #ifndef NO_RSA @@ -18997,7 +19083,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->buffers.dtlsCookieSecret.length); if (ret != 0) return ret; ret = wc_HmacUpdate(&cookieHmac, - ssl->buffers.dtlsCtx.peer.sa, + (const byte*)ssl->buffers.dtlsCtx.peer.sa, ssl->buffers.dtlsCtx.peer.sz); if (ret != 0) return ret; ret = wc_HmacUpdate(&cookieHmac, input + i, OPAQUE16_LEN); @@ -19019,25 +19105,25 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return VERSION_ERROR; } if (pv.minor < ssl->options.minDowngrade) { - WOLFSSL_MSG(" version below minimum allowed, fatal error"); + WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); return VERSION_ERROR; } if (pv.minor == SSLv3_MINOR) { /* turn off tls */ - WOLFSSL_MSG(" downgrading to SSLv3"); + WOLFSSL_MSG("\tdowngrading to SSLv3"); ssl->options.tls = 0; ssl->options.tls1_1 = 0; ssl->version.minor = SSLv3_MINOR; } else if (pv.minor == TLSv1_MINOR) { /* turn off tls 1.1+ */ - WOLFSSL_MSG(" downgrading to TLSv1"); + WOLFSSL_MSG("\tdowngrading to TLSv1"); ssl->options.tls1_1 = 0; ssl->version.minor = TLSv1_MINOR; } else if (pv.minor == TLSv1_1_MINOR) { - WOLFSSL_MSG(" downgrading to TLSv1.1"); + WOLFSSL_MSG("\tdowngrading to TLSv1.1"); ssl->version.minor = TLSv1_1_MINOR; } #ifndef NO_RSA diff --git a/src/io.c b/src/io.c index bbfd971af..88aba2730 100644 --- a/src/io.c +++ b/src/io.c @@ -297,32 +297,32 @@ int EmbedReceive(WOLFSSL *ssl, char *buf, int sz, void *ctx) if (err == SOCKET_EWOULDBLOCK || err == SOCKET_EAGAIN) { if (!wolfSSL_dtls(ssl) || wolfSSL_get_using_nonblock(ssl)) { - WOLFSSL_MSG(" Would block"); + WOLFSSL_MSG("\tWould block"); return WOLFSSL_CBIO_ERR_WANT_READ; } else { - WOLFSSL_MSG(" Socket timeout"); + WOLFSSL_MSG("\tSocket timeout"); return WOLFSSL_CBIO_ERR_TIMEOUT; } } else if (err == SOCKET_ECONNRESET) { - WOLFSSL_MSG(" Connection reset"); + WOLFSSL_MSG("\tConnection reset"); return WOLFSSL_CBIO_ERR_CONN_RST; } else if (err == SOCKET_EINTR) { - WOLFSSL_MSG(" Socket interrupted"); + WOLFSSL_MSG("\tSocket interrupted"); return WOLFSSL_CBIO_ERR_ISR; } else if (err == SOCKET_ECONNREFUSED) { - WOLFSSL_MSG(" Connection refused"); + WOLFSSL_MSG("\tConnection refused"); return WOLFSSL_CBIO_ERR_WANT_READ; } else if (err == SOCKET_ECONNABORTED) { - WOLFSSL_MSG(" Connection aborted"); + WOLFSSL_MSG("\tConnection aborted"); return WOLFSSL_CBIO_ERR_CONN_CLOSE; } else { - WOLFSSL_MSG(" General error"); + WOLFSSL_MSG("\tGeneral error"); return WOLFSSL_CBIO_ERR_GENERAL; } } @@ -353,23 +353,23 @@ int EmbedSend(WOLFSSL* ssl, char *buf, int sz, void *ctx) WOLFSSL_MSG("Embed Send error"); if (err == SOCKET_EWOULDBLOCK || err == SOCKET_EAGAIN) { - WOLFSSL_MSG(" Would Block"); + WOLFSSL_MSG("\tWould Block"); return WOLFSSL_CBIO_ERR_WANT_WRITE; } else if (err == SOCKET_ECONNRESET) { - WOLFSSL_MSG(" Connection reset"); + WOLFSSL_MSG("\tConnection reset"); return WOLFSSL_CBIO_ERR_CONN_RST; } else if (err == SOCKET_EINTR) { - WOLFSSL_MSG(" Socket interrupted"); + WOLFSSL_MSG("\tSocket interrupted"); return WOLFSSL_CBIO_ERR_ISR; } else if (err == SOCKET_EPIPE) { - WOLFSSL_MSG(" Socket EPIPE"); + WOLFSSL_MSG("\tSocket EPIPE"); return WOLFSSL_CBIO_ERR_CONN_CLOSE; } else { - WOLFSSL_MSG(" General error"); + WOLFSSL_MSG("\tGeneral error"); return WOLFSSL_CBIO_ERR_GENERAL; } } @@ -435,28 +435,28 @@ int EmbedReceiveFrom(WOLFSSL *ssl, char *buf, int sz, void *ctx) if (err == SOCKET_EWOULDBLOCK || err == SOCKET_EAGAIN) { if (wolfSSL_get_using_nonblock(ssl)) { - WOLFSSL_MSG(" Would block"); + WOLFSSL_MSG("\tWould block"); return WOLFSSL_CBIO_ERR_WANT_READ; } else { - WOLFSSL_MSG(" Socket timeout"); + WOLFSSL_MSG("\tSocket timeout"); return WOLFSSL_CBIO_ERR_TIMEOUT; } } else if (err == SOCKET_ECONNRESET) { - WOLFSSL_MSG(" Connection reset"); + WOLFSSL_MSG("\tConnection reset"); return WOLFSSL_CBIO_ERR_CONN_RST; } else if (err == SOCKET_EINTR) { - WOLFSSL_MSG(" Socket interrupted"); + WOLFSSL_MSG("\tSocket interrupted"); return WOLFSSL_CBIO_ERR_ISR; } else if (err == SOCKET_ECONNREFUSED) { - WOLFSSL_MSG(" Connection refused"); + WOLFSSL_MSG("\tConnection refused"); return WOLFSSL_CBIO_ERR_WANT_READ; } else { - WOLFSSL_MSG(" General error"); + WOLFSSL_MSG("\tGeneral error"); return WOLFSSL_CBIO_ERR_GENERAL; } } @@ -464,7 +464,7 @@ int EmbedReceiveFrom(WOLFSSL *ssl, char *buf, int sz, void *ctx) if (dtlsCtx->peer.sz > 0 && peerSz != (XSOCKLENT)dtlsCtx->peer.sz && XMEMCMP(&peer, dtlsCtx->peer.sa, peerSz) != 0) { - WOLFSSL_MSG(" Ignored packet from invalid peer"); + WOLFSSL_MSG("\tIgnored packet from invalid peer"); return WOLFSSL_CBIO_ERR_WANT_READ; } } @@ -497,23 +497,23 @@ int EmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx) WOLFSSL_MSG("Embed Send To error"); if (err == SOCKET_EWOULDBLOCK || err == SOCKET_EAGAIN) { - WOLFSSL_MSG(" Would Block"); + WOLFSSL_MSG("\tWould Block"); return WOLFSSL_CBIO_ERR_WANT_WRITE; } else if (err == SOCKET_ECONNRESET) { - WOLFSSL_MSG(" Connection reset"); + WOLFSSL_MSG("\tConnection reset"); return WOLFSSL_CBIO_ERR_CONN_RST; } else if (err == SOCKET_EINTR) { - WOLFSSL_MSG(" Socket interrupted"); + WOLFSSL_MSG("\tSocket interrupted"); return WOLFSSL_CBIO_ERR_ISR; } else if (err == SOCKET_EPIPE) { - WOLFSSL_MSG(" Socket EPIPE"); + WOLFSSL_MSG("\tSocket EPIPE"); return WOLFSSL_CBIO_ERR_CONN_CLOSE; } else { - WOLFSSL_MSG(" General error"); + WOLFSSL_MSG("\tGeneral error"); return WOLFSSL_CBIO_ERR_GENERAL; } } diff --git a/src/keys.c b/src/keys.c index 80440612e..ad97d3862 100644 --- a/src/keys.c +++ b/src/keys.c @@ -2690,6 +2690,40 @@ static int SetAuthKeys(OneTimeAuth* authentication, Keys* keys, } #endif /* HAVE_ONE_TIME_AUTH */ +#ifdef HAVE_SECURE_RENEGOTIATION +/* function name is for cache_status++ + * This function was added because of error incrementing enum type when + * compiling with a C++ compiler. + */ +static void CacheStatusPP(SecureRenegotiation* cache) +{ + switch (cache->cache_status) { + case SCR_CACHE_NULL: + cache->cache_status = SCR_CACHE_NEEDED; + break; + + case SCR_CACHE_NEEDED: + cache->cache_status = SCR_CACHE_COPY; + break; + + case SCR_CACHE_COPY: + cache->cache_status = SCR_CACHE_PARTIAL; + break; + + case SCR_CACHE_PARTIAL: + cache->cache_status = SCR_CACHE_COMPLETE; + break; + + case SCR_CACHE_COMPLETE: + WOLFSSL_MSG("SCR Cache state Complete"); + break; + + default: + WOLFSSL_MSG("Unknown cache state!!"); + } +} +#endif /* HAVE_SECURE_RENEGOTIATION */ + /* Set wc_encrypt/wc_decrypt or both sides of key setup * note: use wc_encrypt to avoid shadowing global encrypt @@ -2804,7 +2838,7 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) } #endif } - ssl->secure_renegotiation->cache_status++; + CacheStatusPP(ssl->secure_renegotiation); } #endif /* HAVE_SECURE_RENEGOTIATION */ @@ -2822,7 +2856,7 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData) if (ssl->secure_renegotiation && ssl->secure_renegotiation->cache_status == SCR_CACHE_NEEDED) { keys = &ssl->secure_renegotiation->tmp_keys; - ssl->secure_renegotiation->cache_status++; + CacheStatusPP(ssl->secure_renegotiation); } #endif /* HAVE_SECURE_RENEGOTIATION */ diff --git a/src/sniffer.c b/src/sniffer.c index 35d38a5c1..f558a41b7 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -55,16 +55,6 @@ #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - -static INLINE word32 min(word32 a, word32 b) -{ - return a > b ? b : a; -} - -#endif /* WOLFSSL_HAVE_MIN */ - #ifndef WOLFSSL_SNIFFER_TIMEOUT #define WOLFSSL_SNIFFER_TIMEOUT 900 /* Cache unclosed Sessions for 15 minutes since last used */ diff --git a/src/ssl.c b/src/ssl.c index 04b30517a..e69e7bb98 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -105,22 +105,6 @@ #endif #endif /* NO_FILESYSTEM */ -#ifndef TRUE - #define TRUE 1 -#endif -#ifndef FALSE - #define FALSE 0 -#endif - -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSSL_HAVE_MIN */ #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_HAVE_MAX) #define WOLFSSL_HAVE_MAX @@ -1793,7 +1777,7 @@ WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, byte* buf, word32 bufSz) if(ssl->session.isDynamic) XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - ssl->session.ticket = XMALLOC(bufSz, ssl->heap, + ssl->session.ticket = (byte*)XMALLOC(bufSz, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); if(!ssl->session.ticket) { ssl->session.ticket = ssl->session.staticTicket; @@ -1951,6 +1935,17 @@ int wolfSSL_shutdown(WOLFSSL* ssl) } +/* get current error state value */ +int wolfSSL_state(WOLFSSL* ssl) +{ + if (ssl == NULL) { + return BAD_FUNC_ARG; + } + + return ssl->error; +} + + int wolfSSL_get_error(WOLFSSL* ssl, int ret) { WOLFSSL_ENTER("SSL_get_error"); @@ -2151,7 +2146,6 @@ const byte* wolfSSL_GetServerWriteIV(WOLFSSL* ssl) return NULL; } - int wolfSSL_GetKeySize(WOLFSSL* ssl) { if (ssl) @@ -2483,31 +2477,147 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz, #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +static struct cipher{ + unsigned char type; + const char *name; +} cipher_tbl[] = { + #ifndef NO_AES -static const char *EVP_AES_128_CBC = "AES-128-CBC"; -static const char *EVP_AES_192_CBC = "AES-192-CBC"; -static const char *EVP_AES_256_CBC = "AES-256-CBC"; + {AES_128_CBC_TYPE, "AES-128-CBC"}, + {AES_192_CBC_TYPE, "AES-192-CBC"}, + {AES_256_CBC_TYPE, "AES-256-CBC"}, #if defined(OPENSSL_EXTRA) - static const char *EVP_AES_128_CTR = "AES-128-CTR"; - static const char *EVP_AES_192_CTR = "AES-192-CTR"; - static const char *EVP_AES_256_CTR = "AES-256-CTR"; + {AES_128_CTR_TYPE, "AES-128-CTR"}, + {AES_192_CTR_TYPE, "AES-192-CTR"}, + {AES_256_CTR_TYPE, "AES-256-CTR"}, + + {AES_128_ECB_TYPE, "AES-128-ECB"}, + {AES_192_ECB_TYPE, "AES-192-ECB"}, + {AES_256_ECB_TYPE, "AES-256-ECB"}, +#endif + +#endif + +#ifndef NO_DES3 + {DES_CBC_TYPE, "DES-CBC"}, + {DES_ECB_TYPE, "DES-ECB"}, + + {DES_EDE3_CBC_TYPE, "DES-EDE3-CBC"}, + {DES_EDE3_ECB_TYPE, "DES-EDE3-ECB"}, +#endif + +#ifdef HAVE_IDEA + {IDEA_CBC_TYPE, "IDEA-CBC"}, +#endif + { 0, NULL} +} ; + +const WOLFSSL_EVP_CIPHER *wolfSSL_EVP_get_cipherbyname(const char *name) +{ + + static const struct alias { + const char *name; + const char *alias; + } alias_tbl[] = + { + {"DES-CBC", "DES"}, + {"DES-CBC", "des"}, + {"DES-EDE3-CBC", "DES3"}, + {"DES-EDE3-CBC", "des3"}, + {"DES-EDE3-ECB", "des-ede3-ecb"}, + {"IDEA-CBC", "IDEA"}, + {"IDEA-CBC", "idea"}, + {"AES-128-CBC", "AES128"}, + {"AES-128-CBC", "aes128"}, + {"AES-192-CBC", "AES192"}, + {"AES-192-CBC", "aes192"}, + {"AES-256-CBC", "AES256"}, + {"AES-256-CBC", "aes256"}, + { NULL, NULL} + }; + + const struct cipher *ent ; + const struct alias *al ; + + WOLFSSL_ENTER("EVP_get_cipherbyname"); + + for( al = alias_tbl; al->name != NULL; al++) + if(XSTRNCMP(name, al->alias, XSTRLEN(al->alias)+1) == 0) { + name = al->name; + break; + } + + for( ent = cipher_tbl; ent->name != NULL; ent++) + if(XSTRNCMP(name, ent->name, XSTRLEN(ent->name)+1) == 0) { + return (WOLFSSL_EVP_CIPHER *)ent->name; + } + + return NULL; +} + + +#ifndef NO_AES +static char *EVP_AES_128_CBC; +static char *EVP_AES_192_CBC; +static char *EVP_AES_256_CBC; +#if defined(OPENSSL_EXTRA) + static char *EVP_AES_128_CTR; + static char *EVP_AES_192_CTR; + static char *EVP_AES_256_CTR; + + static char *EVP_AES_128_ECB; + static char *EVP_AES_192_ECB; + static char *EVP_AES_256_ECB; #endif static const int EVP_AES_SIZE = 11; #endif #ifndef NO_DES3 -static const char *EVP_DES_CBC = "DES-CBC"; +static char *EVP_DES_CBC; +static char *EVP_DES_ECB; static const int EVP_DES_SIZE = 7; -static const char *EVP_DES_EDE3_CBC = "DES-EDE3-CBC"; +static char *EVP_DES_EDE3_CBC; +static char *EVP_DES_EDE3_ECB; static const int EVP_DES_EDE3_SIZE = 12; #endif #ifdef HAVE_IDEA -static const char *EVP_IDEA_CBC = "IDEA-CBC"; +static char *EVP_IDEA_CBC; static const int EVP_IDEA_SIZE = 8; #endif +void wolfSSL_EVP_init(void) +{ +#ifndef NO_AES + EVP_AES_128_CBC = (char *)EVP_get_cipherbyname("AES-128-CBC"); + EVP_AES_192_CBC = (char *)EVP_get_cipherbyname("AES-192-CBC"); + EVP_AES_256_CBC = (char *)EVP_get_cipherbyname("AES-256-CBC"); + +#if defined(OPENSSL_EXTRA) + EVP_AES_128_CTR = (char *)EVP_get_cipherbyname("AES-128-CTR"); + EVP_AES_192_CTR = (char *)EVP_get_cipherbyname("AES-192-CTR"); + EVP_AES_256_CTR = (char *)EVP_get_cipherbyname("AES-256-CTR"); + + EVP_AES_128_ECB = (char *)EVP_get_cipherbyname("AES-128-ECB"); + EVP_AES_192_ECB = (char *)EVP_get_cipherbyname("AES-192-ECB"); + EVP_AES_256_ECB = (char *)EVP_get_cipherbyname("AES-256-ECB"); +#endif +#endif + +#ifndef NO_DES3 + EVP_DES_CBC = (char *)EVP_get_cipherbyname("DES-CBC"); + EVP_DES_ECB = (char *)EVP_get_cipherbyname("DES-ECB"); + + EVP_DES_EDE3_CBC = (char *)EVP_get_cipherbyname("DES-EDE3-CBC"); + EVP_DES_EDE3_ECB = (char *)EVP_get_cipherbyname("DES-EDE3-ECB"); +#endif + +#ifdef HAVE_IDEA + EVP_IDEA_CBC = (char *)EVP_get_cipherbyname("IDEA-CBC"); +#endif +} + /* our KeyPemToDer password callback, password in userData */ static INLINE int OurPasswordCb(char* passwd, int sz, int rw, void* userdata) { @@ -3587,6 +3697,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, case CERT_TYPE: header=BEGIN_CERT; footer=END_CERT; break; case CRL_TYPE: header=BEGIN_X509_CRL; footer=END_X509_CRL; break; case DH_PARAM_TYPE: header=BEGIN_DH_PARAM; footer=END_DH_PARAM; break; + case DSA_PARAM_TYPE: header=BEGIN_DSA_PARAM; footer=END_DSA_PARAM; break; case CERTREQ_TYPE: header=BEGIN_CERT_REQ; footer=END_CERT_REQ; break; case DSA_TYPE: header=BEGIN_DSA_PRIV; footer=END_DSA_PRIV; break; case ECC_TYPE: header=BEGIN_EC_PRIV; footer=END_EC_PRIV; break; @@ -5671,6 +5782,529 @@ int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format) #ifdef OPENSSL_EXTRA /* put SSL type in extra for now, not very common */ +WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out, + const unsigned char **in, long inSz) +{ + WOLFSSL_EVP_PKEY* local; + + WOLFSSL_ENTER("wolfSSL_d2i_PrivateKey"); + + if (in == NULL || inSz < 0) { + WOLFSSL_MSG("Bad argument"); + return NULL; + } + + local = wolfSSL_PKEY_new(); + if (local == NULL) { + return NULL; + } + + local->type = type; + local->pkey_sz = (int)inSz; + local->pkey.ptr = (char*)XMALLOC(inSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); + if (local->pkey.ptr == NULL) { + wolfSSL_EVP_PKEY_free(local); + local = NULL; + } + else { + XMEMCPY(local->pkey.ptr, *in, inSz); + } + + if (out != NULL) { + *out = local; + } + + return local; +} + + +long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt) +{ + WOLFSSL_STUB("wolfSSL_ctrl"); + (void)ssl; + (void)cmd; + (void)opt; + (void)pt; + return SSL_FAILURE; +} + + +long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) +{ + WOLFSSL_STUB("wolfSSL_CTX_ctrl"); + (void)ctx; + (void)cmd; + (void)opt; + (void)pt; + return SSL_FAILURE; +} + +#ifndef NO_CERTS +int wolfSSL_check_private_key(const WOLFSSL* ssl) +{ + DecodedCert der; + word32 size; + byte* buff; + int ret; + + if (ssl == NULL) { + return SSL_FAILURE; + } + + size = ssl->buffers.certificate->length; + buff = ssl->buffers.certificate->buffer; + InitDecodedCert(&der, buff, size, ssl->heap); + if (ParseCertRelative(&der, CERT_TYPE, NO_VERIFY, NULL) != 0) { + FreeDecodedCert(&der); + return SSL_FAILURE; + } + + size = ssl->buffers.key->length; + buff = ssl->buffers.key->buffer; + ret = wc_CheckPrivateKey(buff, size, &der); + FreeDecodedCert(&der); + return ret; +} + + +/* Looks for the extension matching the passed in nid + * + * c : if not null then is set to status value -2 if multiple occurances + * of the extension are found, -1 if not found, 0 if found and not + * critical, and 1 if found and critical. + * nid : Extension OID to be found. + * idx : if NULL return first extension found match, otherwise start search at + * idx location and set idx to the location of extension returned. + * returns NULL or a pointer to an WOLFSSL_STACK holding extension structure + * + * NOTE code for decoding extensions is in asn.c DecodeCertExtensions -- + * use already decoded extension in this function to avoid decoding twice. + * Currently we do not make use of idx since getting pre decoded extensions. + */ +void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, + int nid, int* c, int* idx) +{ + WOLFSSL_STACK* sk = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + + WOLFSSL_ENTER("wolfSSL_X509_get_ext_d2i"); + + if (x509 == NULL) { + return NULL; + } + + if (c != NULL) { + *c = -1; /* default to not found */ + } + + sk = (STACK_OF(WOLFSSL_ASN1_OBJECT)*)XMALLOC( + sizeof(STACK_OF(WOLFSSL_ASN1_OBJECT)), NULL, DYNAMIC_TYPE_ASN1); + if (sk == NULL) { + return NULL; + } + XMEMSET(sk, 0, sizeof(STACK_OF(WOLFSSL_ASN1_OBJECT))); + + switch (nid) { + case BASIC_CA_OID: + if (x509->basicConstSet) { + obj = wolfSSL_ASN1_OBJECT_new(); + if (c != NULL) { + *c = x509->basicConstCrit; + } + obj->type = BASIC_CA_OID; + } + else { + WOLFSSL_MSG("No Basic Constraint set"); + } + break; + + case ALT_NAMES_OID: + { + DNS_entry* dns; + + if (x509->subjAltNameSet && x509->altNames != NULL) { + /* alt names are DNS_entry structs */ + if (c != NULL) { + if (x509->altNames->next != NULL) { + *c = -2; /* more then one found */ + } + else { + *c = x509->subjAltNameCrit; + } + } + + dns = x509->altNames; + while (dns != NULL) { + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = ALT_NAMES_OID; + obj->obj = (byte*)dns->name; + dns = dns->next; + /* last dns in list add at end of function */ + if (dns != NULL) { + if (wolfSSL_sk_ASN1_OBJECT_push(sk, obj) != + SSL_SUCCESS) { + WOLFSSL_MSG("Error pushing ASN1 object onto stack"); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_sk_ASN1_OBJECT_free(sk); + sk = NULL; + } + } + } + } + else { + WOLFSSL_MSG("No Alt Names set"); + } + } + break; + + case CRL_DIST_OID: + if (x509->CRLdistSet && x509->CRLInfo != NULL) { + if (c != NULL) { + *c = x509->CRLdistCrit; + } + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = CRL_DIST_OID; + obj->obj = x509->CRLInfo; + obj->objSz = x509->CRLInfoSz; + } + else { + WOLFSSL_MSG("No CRL dist set"); + } + break; + + case AUTH_INFO_OID: + if (x509->authInfoSet && x509->authInfo != NULL) { + if (c != NULL) { + *c = x509->authInfoCrit; + } + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = AUTH_INFO_OID; + obj->obj = x509->authInfo; + obj->objSz = x509->authInfoSz; + } + else { + WOLFSSL_MSG("No Auth Info set"); + } + break; + + case AUTH_KEY_OID: + if (x509->authKeyIdSet) { + if (c != NULL) { + *c = x509->authKeyIdCrit; + } + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = AUTH_KEY_OID; + obj->obj = x509->authKeyId; + obj->objSz = x509->authKeyIdSz; + } + else { + WOLFSSL_MSG("No Auth Key set"); + } + break; + + case SUBJ_KEY_OID: + if (x509->subjKeyIdSet) { + if (c != NULL) { + *c = x509->subjKeyIdCrit; + } + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = SUBJ_KEY_OID; + obj->obj = x509->subjKeyId; + obj->objSz = x509->subjKeyIdSz; + } + else { + WOLFSSL_MSG("No Subject Key set"); + } + break; + + case CERT_POLICY_OID: + #ifdef WOLFSSL_CERT_EXT + { + int i; + + if (x509->certPoliciesNb > 0) { + if (c != NULL) { + if (x509->certPoliciesNb > 1) { + *c = -2; + } + else { + *c = 0; + } + } + + for (i = 0; i < x509->certPoliciesNb - 1; i++) { + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = CERT_POLICY_OID; + obj->obj = (byte*)(x509->certPolicies[i]); + obj->objSz = MAX_CERTPOL_SZ; + if (wolfSSL_sk_ASN1_OBJECT_push(sk, obj) + != SSL_SUCCESS) { + WOLFSSL_MSG("Error pushing ASN1 object onto stack"); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_sk_ASN1_OBJECT_free(sk); + sk = NULL; + } + } + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = CERT_POLICY_OID; + obj->obj = (byte*)(x509->certPolicies[i]); + obj->objSz = MAX_CERTPOL_SZ; + } + else { + WOLFSSL_MSG("No Cert Policy set"); + } + } + #else + #ifdef WOLFSSL_SEP + if (x509->certPolicySet) { + if (c != NULL) { + *c = x509->certPolicyCrit; + } + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = CERT_POLICY_OID; + } + else { + WOLFSSL_MSG("No Cert Policy set"); + } + #else + WOLFSSL_MSG("wolfSSL not built with WOLFSSL_SEP or WOLFSSL_CERT_EXT"); + #endif /* WOLFSSL_SEP */ + #endif /* WOLFSSL_CERT_EXT */ + break; + + case KEY_USAGE_OID: + if (x509->keyUsageSet) { + if (c != NULL) { + *c = x509->keyUsageCrit; + } + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = KEY_USAGE_OID; + obj->obj = (byte*)&(x509->keyUsage); + obj->objSz = sizeof(word16); + } + else { + WOLFSSL_MSG("No Key Usage set"); + } + break; + + case INHIBIT_ANY_OID: + WOLFSSL_MSG("INHIBIT ANY extension not supported"); + break; + + case EXT_KEY_USAGE_OID: + if (x509->extKeyUsageSrc != NULL) { + if (c != NULL) { + if (x509->extKeyUsageCount > 1) { + *c = -2; + } + else { + *c = x509->extKeyUsageCrit; + } + } + obj = wolfSSL_ASN1_OBJECT_new(); + obj->type = EXT_KEY_USAGE_OID; + obj->obj = x509->extKeyUsageSrc; + obj->objSz = x509->extKeyUsageSz; + } + else { + WOLFSSL_MSG("No Extended Key Usage set"); + } + break; + + case NAME_CONS_OID: + WOLFSSL_MSG("Name Constraint OID extension not supported"); + break; + + case PRIV_KEY_USAGE_PERIOD_OID: + WOLFSSL_MSG("Private Key Usage Period extension not supported"); + break; + + case SUBJECT_INFO_ACCESS: + WOLFSSL_MSG("Subject Info Access extension not supported"); + break; + + case POLICY_MAP_OID: + WOLFSSL_MSG("Policy Map extension not supported"); + break; + + case POLICY_CONST_OID: + WOLFSSL_MSG("Policy Constraint extension not supported"); + break; + + case ISSUE_ALT_NAMES_OID: + WOLFSSL_MSG("Issue Alt Names extension not supported"); + break; + + case TLS_FEATURE_OID: + WOLFSSL_MSG("TLS Feature extension not supported"); + break; + + default: + WOLFSSL_MSG("Unsupported/Unknown extension OID"); + } + + if (obj != NULL) { + if (wolfSSL_sk_ASN1_OBJECT_push(sk, obj) != SSL_SUCCESS) { + WOLFSSL_MSG("Error pushing ASN1 object onto stack"); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_sk_ASN1_OBJECT_free(sk); + sk = NULL; + } + } + else { /* no ASN1 object found for extension, free stack */ + wolfSSL_sk_ASN1_OBJECT_free(sk); + sk = NULL; + } + + (void)idx; + + return sk; +} + + +/* this function makes the assumption that out buffer is big enough for digest*/ +static int wolfSSL_EVP_Digest(unsigned char* in, int inSz, unsigned char* out, + unsigned int* outSz, const WOLFSSL_EVP_MD* evp, + WOLFSSL_ENGINE* eng) +{ + enum wc_HashType hash = WC_HASH_TYPE_NONE; + int hashSz; + + if (XSTRLEN(evp) < 3) { + /* do not try comparing strings if size is too small */ + return SSL_FAILURE; + } + + if (XSTRNCMP("SHA", evp, 3) == 0) { + if (XSTRLEN(evp) > 3) { + if (XSTRNCMP("SHA256", evp, 6) == 0) { + hash = WC_HASH_TYPE_SHA256; + } + else if (XSTRNCMP("SHA384", evp, 6) == 0) { + hash = WC_HASH_TYPE_SHA384; + } + else if (XSTRNCMP("SHA512", evp, 6) == 0) { + hash = WC_HASH_TYPE_SHA512; + } + else { + WOLFSSL_MSG("Unknown SHA hash"); + } + } + else { + hash = WC_HASH_TYPE_SHA; + } + } + else if (XSTRNCMP("MD2", evp, 3) == 0) { + hash = WC_HASH_TYPE_MD2; + } + else if (XSTRNCMP("MD4", evp, 3) == 0) { + hash = WC_HASH_TYPE_MD4; + } + else if (XSTRNCMP("MD5", evp, 3) == 0) { + hash = WC_HASH_TYPE_MD5; + } + + hashSz = wc_HashGetDigestSize(hash); + if (hashSz < 0) { + WOLFSSL_LEAVE("wolfSSL_EVP_Digest", hashSz); + return SSL_FAILURE; + } + *outSz = hashSz; + + (void)eng; + if (wc_Hash(hash, in, inSz, out, *outSz) == 0) { + return SSL_SUCCESS; + } + else { + return SSL_FAILURE; + } +} + + +int wolfSSL_X509_digest(const WOLFSSL_X509* x509, const WOLFSSL_EVP_MD* digest, + unsigned char* buf, unsigned int* len) +{ + WOLFSSL_ENTER("wolfSSL_X509_digest"); + + if (x509 == NULL || digest == NULL) { + return SSL_FAILURE; + } + + return wolfSSL_EVP_Digest(x509->derCert->buffer, x509->derCert->length, buf, + len, digest, NULL); +} + + +int wolfSSL_use_PrivateKey(WOLFSSL* ssl, WOLFSSL_EVP_PKEY* pkey) +{ + WOLFSSL_ENTER("wolfSSL_use_PrivateKey"); + if (ssl == NULL || pkey == NULL ) { + return SSL_FAILURE; + } + + return wolfSSL_use_PrivateKey_buffer(ssl, (unsigned char*)pkey->pkey.ptr, + pkey->pkey_sz, SSL_FILETYPE_ASN1); +} + + +int wolfSSL_use_PrivateKey_ASN1(int pri, WOLFSSL* ssl, unsigned char* der, + long derSz) +{ + WOLFSSL_ENTER("wolfSSL_use_PrivateKey_ASN1"); + if (ssl == NULL || der == NULL ) { + return SSL_FAILURE; + } + + (void)pri; /* type of private key */ + return wolfSSL_use_PrivateKey_buffer(ssl, der, derSz, SSL_FILETYPE_ASN1); +} + + +#ifndef NO_RSA +int wolfSSL_use_RSAPrivateKey_ASN1(WOLFSSL* ssl, unsigned char* der, long derSz) +{ + WOLFSSL_ENTER("wolfSSL_use_RSAPrivateKey_ASN1"); + if (ssl == NULL || der == NULL ) { + return SSL_FAILURE; + } + + return wolfSSL_use_PrivateKey_buffer(ssl, der, derSz, SSL_FILETYPE_ASN1); +} +#endif + +int wolfSSL_use_certificate_ASN1(WOLFSSL* ssl, unsigned char* der, int derSz) +{ + long idx; + + WOLFSSL_ENTER("wolfSSL_use_certificate_ASN1"); + if (der != NULL && ssl != NULL) { + if (ProcessBuffer(NULL, der, derSz, SSL_FILETYPE_ASN1, CERT_TYPE, ssl, + &idx, 0) == SSL_SUCCESS) + return SSL_SUCCESS; + } + + (void)idx; + return SSL_FAILURE; +} + + +int wolfSSL_use_certificate(WOLFSSL* ssl, WOLFSSL_X509* x509) +{ + long idx; + + WOLFSSL_ENTER("wolfSSL_use_certificate"); + if (x509 != NULL && ssl != NULL && x509->derCert != NULL) { + if (ProcessBuffer(NULL, x509->derCert->buffer, x509->derCert->length, + SSL_FILETYPE_ASN1, CERT_TYPE, ssl, &idx, 0) == SSL_SUCCESS) + return SSL_SUCCESS; + } + + (void)idx; + return SSL_FAILURE; +} +#endif /* NO_CERTS */ + + int wolfSSL_use_certificate_file(WOLFSSL* ssl, const char* file, int format) { WOLFSSL_ENTER("wolfSSL_use_certificate_file"); @@ -5705,45 +6339,6 @@ int wolfSSL_use_certificate_chain_file(WOLFSSL* ssl, const char* file) } - -#if !defined(NO_WOLFSSL_CLIENT) -/* Return the amount of random bytes copied over or error case. - * ssl : ssl struct after handshake - * out : buffer to hold random bytes - * outSz : either 0 (return max buffer sz) or size of out buffer - * - * NOTE: wolfSSL_KeepArrays(ssl) must be called to retain handshake information. - */ -int wolfSSL_get_client_random(WOLFSSL* ssl, unsigned char* out, int outSz) -{ - int size; - - /* return max size of buffer */ - if (outSz == 0) { - return RAN_LEN; - } - - if (ssl == NULL || out == NULL || outSz < 0) { - return BAD_FUNC_ARG; - } - - if (ssl->options.saveArrays == 0 || ssl->arrays == NULL) { - WOLFSSL_MSG("Arrays struct not saved after handshake"); - return BAD_FUNC_ARG; - } - - if (outSz > RAN_LEN) { - size = RAN_LEN; - } - else { - size = outSz; - } - - XMEMCPY(out, ssl->arrays->clientRandom, size); - return size; -} -#endif /* !defined(NO_WOLFSSL_CLIENT) */ - #ifdef HAVE_ECC /* Set Temp CTX EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */ @@ -5790,6 +6385,47 @@ int wolfSSL_use_RSAPrivateKey_file(WOLFSSL* ssl, const char* file, int format) return wolfSSL_use_PrivateKey_file(ssl, file, format); } + +/* Copies the master secret over to out buffer. If outSz is 0 returns the size + * of master secret. + * + * ses : a session from completed TLS/SSL handshake + * out : buffer to hold copy of master secret + * outSz : size of out buffer + * returns : number of bytes copied into out buffer on success + * less then or equal to 0 is considered a failure case + */ +int wolfSSL_SESSION_get_master_key(const WOLFSSL_SESSION* ses, + unsigned char* out, int outSz) +{ + int size; + + if (outSz == 0) { + return SECRET_LEN; + } + + if (ses == NULL || out == NULL || outSz < 0) { + return 0; + } + + if (outSz > SECRET_LEN) { + size = SECRET_LEN; + } + else { + size = outSz; + } + + XMEMCPY(out, ses->masterSecret, size); + return size; +} + + +int wolfSSL_SESSION_get_master_key_length(const WOLFSSL_SESSION* ses) +{ + (void)ses; + return SECRET_LEN; +} + #endif /* OPENSSL_EXTRA */ #ifdef HAVE_NTRU @@ -6932,6 +7568,20 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */ +#ifdef OPENSSL_EXTRA + WOLFSSL_METHOD* wolfSSLv23_method(void) { + WOLFSSL_METHOD* m; + WOLFSSL_ENTER("wolfSSLv23_method"); +#ifndef NO_WOLFSSL_CLIENT + m = wolfSSLv23_client_method(); +#else + m = wolfSSLv23_server_method(); +#endif + m->side = WOLFSSL_NEITHER_END; + + return m; + } +#endif /* OPENSSL_EXTRA */ /* client only parts */ #ifndef NO_WOLFSSL_CLIENT @@ -7907,7 +8557,8 @@ static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom) /* If doing dynamic copy, need to alloc outside lock, then inside a lock * confirm the size still matches and memcpy */ if (doDynamicCopy) { - tmpBuff = XMALLOC(ticketLen, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); + tmpBuff = (byte*)XMALLOC(ticketLen, ssl->heap, + DYNAMIC_TYPE_SESSION_TICK); if (!tmpBuff) return MEMORY_ERROR; @@ -7923,7 +8574,7 @@ static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom) } if (ret == SSL_SUCCESS) { - copyInto->ticket = tmpBuff; + copyInto->ticket = (byte*)tmpBuff; copyInto->isDynamic = 1; XMEMCPY(copyInto->ticket, copyFrom->ticket, ticketLen); } @@ -8008,7 +8659,7 @@ int AddSession(WOLFSSL* ssl) ticLen = ssl->session.ticketLen; /* Alloc Memory here so if Malloc fails can exit outside of lock */ if(ticLen > SESSION_TICKET_LEN) { - tmpBuff = XMALLOC(ticLen, ssl->heap, + tmpBuff = (byte*)XMALLOC(ticLen, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); if(!tmpBuff) return MEMORY_E; @@ -9034,12 +9685,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } + /* returns previous set cache size which stays constant */ long wolfSSL_CTX_sess_set_cache_size(WOLFSSL_CTX* ctx, long sz) { /* cache size fixed at compile time in wolfSSL */ (void)ctx; (void)sz; - return 0; + WOLFSSL_MSG("session cache is set at compile time"); + #ifndef NO_SESSION_CACHE + return SESSIONS_PER_ROW * SESSION_ROWS; + #else + return 0; + #endif } @@ -9181,6 +9838,16 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } + long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx) + { + (void)ctx; + WOLFSSL_ENTER("wolfSSL_CTX_get_options"); + WOLFSSL_MSG("wolfSSL options are set through API calls and macros"); + + return 0; + } + + long wolfSSL_CTX_set_options(WOLFSSL_CTX* ctx, long opt) { /* goahead calls with 0, do nothing */ @@ -9225,6 +9892,31 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } + WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx) + { + if (ctx == NULL) { + return NULL; + } + + return &(ctx->x509_store); + } + + +#ifndef NO_CERTS + void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx, WOLFSSL_X509_STORE* str) + { + if (ctx == NULL || str == NULL) { + return; + } + + /* free cert manager if have one */ + if (ctx->cm != NULL) { + wolfSSL_CertManagerFree(ctx->cm); + } + ctx->cm = str->cm; + ctx->x509_store.cache = str->cache; + } + WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert( WOLFSSL_X509_STORE_CTX* ctx) @@ -9252,6 +9944,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ctx->error_depth; return SSL_FATAL_ERROR; } +#endif WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_buffer(void) @@ -9274,6 +9967,30 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } + WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_bio(void) + { + static WOLFSSL_BIO_METHOD bio_meth; + + WOLFSSL_ENTER("wolfSSL_BIO_f_bio"); + bio_meth.type = BIO_BIO; + + return &bio_meth; + } + + +#ifndef NO_FILESYSTEM + WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_file(void) + { + static WOLFSSL_BIO_METHOD file_meth; + + WOLFSSL_ENTER("wolfSSL_BIO_f_file"); + file_meth.type = BIO_FILE; + + return &file_meth; + } +#endif + + WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_ssl(void) { static WOLFSSL_BIO_METHOD meth; @@ -9285,6 +10002,17 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } + WOLFSSL_BIO_METHOD *wolfSSL_BIO_s_socket(void) + { + static WOLFSSL_BIO_METHOD meth; + + WOLFSSL_ENTER("BIO_s_socket"); + meth.type = BIO_SOCKET; + + return &meth; + } + + WOLFSSL_BIO* wolfSSL_BIO_new_socket(int sfd, int closeF) { WOLFSSL_BIO* bio = (WOLFSSL_BIO*) XMALLOC(sizeof(WOLFSSL_BIO), 0, @@ -9292,15 +10020,11 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_ENTER("BIO_new_socket"); if (bio) { + XMEMSET(bio, 0, sizeof(WOLFSSL_BIO)); bio->type = BIO_SOCKET; bio->close = (byte)closeF; - bio->eof = 0; - bio->ssl = 0; bio->fd = sfd; - bio->prev = 0; - bio->next = 0; bio->mem = NULL; - bio->memLen = 0; } return bio; } @@ -9318,28 +10042,41 @@ int wolfSSL_set_compression(WOLFSSL* ssl) long wolfSSL_BIO_set_ssl(WOLFSSL_BIO* b, WOLFSSL* ssl, int closeF) { - WOLFSSL_ENTER("BIO_set_ssl"); - b->ssl = ssl; - b->close = (byte)closeF; + WOLFSSL_ENTER("wolfSSL_BIO_set_ssl"); + + if (b != NULL) { + b->ssl = ssl; + b->close = (byte)closeF; /* add to ssl for bio free if SSL_free called before/instead of free_all? */ + } return 0; } + long wolfSSL_BIO_set_fd(WOLFSSL_BIO* b, int fd, int closeF) + { + WOLFSSL_ENTER("wolfSSL_BIO_set_fd"); + + if (b != NULL) { + b->fd = fd; + b->close = (byte)closeF; + } + + return SSL_SUCCESS; + } + + WOLFSSL_BIO* wolfSSL_BIO_new(WOLFSSL_BIO_METHOD* method) { WOLFSSL_BIO* bio = (WOLFSSL_BIO*) XMALLOC(sizeof(WOLFSSL_BIO), 0, DYNAMIC_TYPE_OPENSSL); WOLFSSL_ENTER("BIO_new"); if (bio) { + XMEMSET(bio, 0, sizeof(WOLFSSL_BIO)); bio->type = method->type; - bio->close = 0; - bio->eof = 0; bio->ssl = NULL; bio->mem = NULL; - bio->memLen = 0; - bio->fd = 0; bio->prev = NULL; bio->next = NULL; } @@ -9393,17 +10130,31 @@ int wolfSSL_set_compression(WOLFSSL* ssl) int wolfSSL_BIO_free(WOLFSSL_BIO* bio) { /* unchain?, doesn't matter in goahead since from free all */ - WOLFSSL_ENTER("BIO_free"); + WOLFSSL_ENTER("wolfSSL_BIO_free"); if (bio) { + /* remove from pair by setting the paired bios pair to NULL */ + if (bio->pair != NULL) { + bio->pair->pair = NULL; + } + if (bio->close) { if (bio->ssl) wolfSSL_free(bio->ssl); if (bio->fd) CloseSocket(bio->fd); } + + #ifndef NO_FILESYSTEM + if (bio->type == BIO_FILE && bio->close == BIO_CLOSE) { + if (bio->file) { + XFCLOSE(bio->file); + } + } + #endif + if (bio->mem) - XFREE(bio->mem, 0, DYNAMIC_TYPE_OPENSSL); - XFREE(bio, 0, DYNAMIC_TYPE_OPENSSL); + XFREE(bio->mem, bio->heap, DYNAMIC_TYPE_OPENSSL); + XFREE(bio, bio->heap, DYNAMIC_TYPE_OPENSSL); } return 0; } @@ -9421,15 +10172,41 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } + static int wolfSSL_BIO_BIO_read(WOLFSSL_BIO* bio, void* buf, int len) + { + int sz; + char* pt; + + sz = wolfSSL_BIO_nread(bio, &pt, len); + + if (sz > 0) { + XMEMCPY(buf, pt, sz); + } + + return sz; + } + + int wolfSSL_BIO_read(WOLFSSL_BIO* bio, void* buf, int len) { int ret; WOLFSSL* ssl = 0; WOLFSSL_BIO* front = bio; - WOLFSSL_ENTER("BIO_read"); + WOLFSSL_ENTER("wolfSSL_BIO_read"); + + if (bio && bio->type == BIO_BIO) { + return wolfSSL_BIO_BIO_read(bio, buf, len); + } + + #ifndef NO_FILESYSTEM + if (bio && bio->type == BIO_FILE) { + return (int)XFREAD(buf, 1, len, bio->file); + } + #endif + /* already got eof, again is error */ - if (front->eof) + if (bio && front->eof) return SSL_FATAL_ERROR; while(bio && ((ssl = bio->ssl) == 0) ) @@ -9449,15 +10226,47 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } + static int wolfSSL_BIO_BIO_write(WOLFSSL_BIO* bio, const void* data, + int len) + { + /* internal function where arguments have already been sanity checked */ + int sz; + char* buf; + + sz = wolfSSL_BIO_nwrite(bio, &buf, len); + + /* test space for write */ + if (sz <= 0) { + WOLFSSL_MSG("No room left to write"); + return sz; + } + + XMEMCPY(buf, data, sz); + + return sz; + } + + int wolfSSL_BIO_write(WOLFSSL_BIO* bio, const void* data, int len) { int ret; WOLFSSL* ssl = 0; WOLFSSL_BIO* front = bio; - WOLFSSL_ENTER("BIO_write"); + WOLFSSL_ENTER("wolfSSL_BIO_write"); + + if (bio && bio->type == BIO_BIO) { + return wolfSSL_BIO_BIO_write(bio, data, len); + } + + #ifndef NO_FILESYSTEM + if (bio && bio->type == BIO_FILE) { + return (int)XFWRITE(data, 1, len, bio->file); + } + #endif + /* already got eof, again is error */ - if (front->eof) + if (bio && front->eof) return SSL_FATAL_ERROR; while(bio && ((ssl = bio->ssl) == 0) ) @@ -9513,7 +10322,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) void wolfSSL_CTX_set_default_passwd_cb(WOLFSSL_CTX* ctx, pem_password_cb cb) { WOLFSSL_ENTER("SSL_CTX_set_default_passwd_cb"); - ctx->passwd_cb = cb; + if (ctx != NULL) { + ctx->passwd_cb = cb; + } } int wolfSSL_num_locks(void) @@ -9698,6 +10509,79 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #ifdef OPENSSL_EXTRA +#if !defined(NO_WOLFSSL_SERVER) +size_t wolfSSL_get_server_random(const WOLFSSL *ssl, unsigned char *out, + size_t outSz) +{ + size_t size; + + /* return max size of buffer */ + if (outSz == 0) { + return RAN_LEN; + } + + if (ssl == NULL || out == NULL) { + return 0; + } + + if (ssl->options.saveArrays == 0 || ssl->arrays == NULL) { + WOLFSSL_MSG("Arrays struct not saved after handshake"); + return 0; + } + + if (outSz > RAN_LEN) { + size = RAN_LEN; + } + else { + size = outSz; + } + + XMEMCPY(out, ssl->arrays->serverRandom, size); + return size; +} +#endif /* !defined(NO_WOLFSSL_SERVER) */ + + +#if !defined(NO_WOLFSSL_CLIENT) +/* Return the amount of random bytes copied over or error case. + * ssl : ssl struct after handshake + * out : buffer to hold random bytes + * outSz : either 0 (return max buffer sz) or size of out buffer + * + * NOTE: wolfSSL_KeepArrays(ssl) must be called to retain handshake information. + */ +size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, + size_t outSz) +{ + size_t size; + + /* return max size of buffer */ + if (outSz == 0) { + return RAN_LEN; + } + + if (ssl == NULL || out == NULL) { + return 0; + } + + if (ssl->options.saveArrays == 0 || ssl->arrays == NULL) { + WOLFSSL_MSG("Arrays struct not saved after handshake"); + return 0; + } + + if (outSz > RAN_LEN) { + size = RAN_LEN; + } + else { + size = outSz; + } + + XMEMCPY(out, ssl->arrays->clientRandom, size); + return size; +} +#endif /* !defined(NO_WOLFSSL_CLIENT) */ + + unsigned long wolfSSLeay(void) { return SSLEAY_VERSION_NUMBER; @@ -9906,12 +10790,89 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif /* WOLFSSL_SHA512 */ + static struct s_ent{ + const unsigned char macType; + const char *name; + } md_tbl[] = { + #ifndef NO_MD5 + {MD5, "MD5"}, + #endif /* NO_MD5 */ + + #ifndef NO_SHA + {SHA, "SHA"}, + #endif /* NO_SHA */ + + #ifdef WOLFSSL_SHA224 + {SHA224, "SHA224"}, + #endif /* WOLFSSL_SHA224 */ + + {SHA256, "SHA256"}, + + #ifdef WOLFSSL_SHA384 + {SHA384, "SHA384"}, + #endif /* WOLFSSL_SHA384 */ + + #ifdef WOLFSSL_SHA512 + {SHA512, "SHA512"}, + #endif /* WOLFSSL_SHA512 */ + + {0, NULL} + } ; + +const WOLFSSL_EVP_MD *wolfSSL_EVP_get_digestbyname(const char *name) +{ + static const struct alias { + const char *name; + const char *alias; + } alias_tbl[] = + { + {"MD5", "ssl3-md5"}, + {"SHA1", "ssl3-sha1"}, + { NULL, NULL} + }; + + const struct alias *al ; + const struct s_ent *ent ; + + for( al = alias_tbl; al->name != NULL; al++) + if(XSTRNCMP(name, al->alias, XSTRLEN(al->alias)+1) == 0) { + name = al->name; + break; + } + + for( ent = md_tbl; ent->name != NULL; ent++) + if(XSTRNCMP(name, ent->name, XSTRLEN(ent->name)+1) == 0) { + return (EVP_MD *)ent->name; + } + return NULL; +} + +static WOLFSSL_EVP_MD *wolfSSL_EVP_get_md(const unsigned char type) +{ + const struct s_ent *ent ; + for( ent = md_tbl; ent->macType != 0; ent++) + if(type == ent->macType) { + return (WOLFSSL_EVP_MD *)ent->name; + } + return 0; +} + +int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) +{ + const struct s_ent *ent ; + for( ent = md_tbl; ent->name != NULL; ent++) + if(XSTRNCMP((const char *)md, ent->name, XSTRLEN(ent->name)+1) == 0) { + return ent->macType; + } + return 0; +} + #ifndef NO_MD5 const WOLFSSL_EVP_MD* wolfSSL_EVP_md5(void) { - static const char* type = "MD5"; + const char* type = EVP_get_digestbyname("MD5"); WOLFSSL_ENTER("EVP_md5"); return type; } @@ -9922,7 +10883,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #ifndef NO_SHA const WOLFSSL_EVP_MD* wolfSSL_EVP_sha1(void) { - static const char* type = "SHA"; + const char* type = EVP_get_digestbyname("SHA"); WOLFSSL_ENTER("EVP_sha1"); return type; } @@ -9932,7 +10893,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) const WOLFSSL_EVP_MD* wolfSSL_EVP_sha224(void) { - static const char* type = "SHA224"; + const char* type = EVP_get_digestbyname("SHA224"); WOLFSSL_ENTER("EVP_sha224"); return type; } @@ -9942,7 +10903,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) const WOLFSSL_EVP_MD* wolfSSL_EVP_sha256(void) { - static const char* type = "SHA256"; + const char* type = EVP_get_digestbyname("SHA256"); WOLFSSL_ENTER("EVP_sha256"); return type; } @@ -9951,7 +10912,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) const WOLFSSL_EVP_MD* wolfSSL_EVP_sha384(void) { - static const char* type = "SHA384"; + const char* type = EVP_get_digestbyname("SHA384"); WOLFSSL_ENTER("EVP_sha384"); return type; } @@ -9962,13 +10923,33 @@ int wolfSSL_set_compression(WOLFSSL* ssl) const WOLFSSL_EVP_MD* wolfSSL_EVP_sha512(void) { - static const char* type = "SHA512"; + const char* type = EVP_get_digestbyname("SHA512"); WOLFSSL_ENTER("EVP_sha512"); return type; } #endif /* WOLFSSL_SHA512 */ + WOLFSSL_EVP_MD_CTX *wolfSSL_EVP_MD_CTX_new(void) + { + WOLFSSL_EVP_MD_CTX* ctx; + WOLFSSL_ENTER("EVP_MD_CTX_new"); + ctx = (WOLFSSL_EVP_MD_CTX*)XMALLOC(sizeof *ctx, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (ctx){ + wolfSSL_EVP_MD_CTX_init(ctx); + } + return ctx; + } + + WOLFSSL_API void wolfSSL_EVP_MD_CTX_free(WOLFSSL_EVP_MD_CTX *ctx) + { + if (ctx) { + WOLFSSL_ENTER("EVP_MD_CTX_free"); + wolfSSL_EVP_MD_CTX_cleanup(ctx); + XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + } void wolfSSL_EVP_MD_CTX_init(WOLFSSL_EVP_MD_CTX* ctx) { @@ -9977,6 +10958,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl) /* do nothing */ } + const WOLFSSL_EVP_MD *wolfSSL_EVP_MD_CTX_md(const WOLFSSL_EVP_MD_CTX *ctx) + { + if (!ctx) + return NULL; + return (const WOLFSSL_EVP_MD *)wolfSSL_EVP_get_md(ctx->macType); + } + #ifndef NO_AES const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cbc(void) @@ -10020,6 +11008,25 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return EVP_AES_256_CTR; } + const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_ecb(void) + { + WOLFSSL_ENTER("wolfSSL_EVP_aes_128_ecb"); + return EVP_AES_128_ECB; + } + + + const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_ecb(void) + { + WOLFSSL_ENTER("wolfSSL_EVP_aes_192_ecb"); + return EVP_AES_192_ECB; + } + + + const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_ecb(void) + { + WOLFSSL_ENTER("wolfSSL_EVP_aes_256_ecb"); + return EVP_AES_256_ECB; + } #endif /* NO_AES */ #ifndef NO_DES3 @@ -10028,13 +11035,25 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_ENTER("wolfSSL_EVP_des_cbc"); return EVP_DES_CBC; } - - +#ifdef WOLFSSL_DES_ECB + const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ecb(void) + { + WOLFSSL_ENTER("wolfSSL_EVP_des_ecb"); + return EVP_DES_ECB; + } +#endif const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ede3_cbc(void) { WOLFSSL_ENTER("wolfSSL_EVP_des_ede3_cbc"); return EVP_DES_EDE3_CBC; } +#ifdef WOLFSSL_DES_ECB + const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ede3_ecb(void) + { + WOLFSSL_ENTER("wolfSSL_EVP_des_ede3_ecb"); + return EVP_DES_EDE3_ECB; + } +#endif #endif /* NO_DES3 */ const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_rc4(void) @@ -10113,13 +11132,19 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_MSG("no type set"); return 0; /* failure */ } + ctx->bufUsed = 0; + ctx->lastUsed = 0; + ctx->flags = 0; #ifndef NO_AES + /* printf("cipherType=%d\n", ctx->cipherType); */ if (ctx->cipherType == AES_128_CBC_TYPE || (type && XSTRNCMP(type, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)) { WOLFSSL_MSG(EVP_AES_128_CBC); ctx->cipherType = AES_128_CBC_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 16; + ctx->block_size = AES_BLOCK_SIZE; if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; if (key) { @@ -10138,7 +11163,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (type && XSTRNCMP(type, EVP_AES_192_CBC, EVP_AES_SIZE) == 0)) { WOLFSSL_MSG(EVP_AES_192_CBC); ctx->cipherType = AES_192_CBC_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 24; + ctx->block_size = AES_BLOCK_SIZE; if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; if (key) { @@ -10157,7 +11184,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (type && XSTRNCMP(type, EVP_AES_256_CBC, EVP_AES_SIZE) == 0)) { WOLFSSL_MSG(EVP_AES_256_CBC); ctx->cipherType = AES_256_CBC_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 32; + ctx->block_size = AES_BLOCK_SIZE; if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; if (key) { @@ -10177,12 +11206,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (type && XSTRNCMP(type, EVP_AES_128_CTR, EVP_AES_SIZE) == 0)) { WOLFSSL_MSG(EVP_AES_128_CTR); ctx->cipherType = AES_128_CTR_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_CTR_MODE; ctx->keyLen = 16; + ctx->block_size = AES_BLOCK_SIZE; if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; if (key) { - ret = wc_AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv, - AES_ENCRYPTION); + ret = wc_AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv, + AES_ENCRYPTION); if (ret != 0) return ret; } @@ -10196,12 +11227,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (type && XSTRNCMP(type, EVP_AES_192_CTR, EVP_AES_SIZE) == 0)) { WOLFSSL_MSG(EVP_AES_192_CTR); ctx->cipherType = AES_192_CTR_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_CTR_MODE; ctx->keyLen = 24; + ctx->block_size = AES_BLOCK_SIZE; if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; if (key) { ret = wc_AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv, - AES_ENCRYPTION); + AES_ENCRYPTION); if (ret != 0) return ret; } @@ -10215,12 +11248,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (type && XSTRNCMP(type, EVP_AES_256_CTR, EVP_AES_SIZE) == 0)) { WOLFSSL_MSG(EVP_AES_256_CTR); ctx->cipherType = AES_256_CTR_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_CTR_MODE; ctx->keyLen = 32; + ctx->block_size = AES_BLOCK_SIZE; if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; if (key) { ret = wc_AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv, - AES_ENCRYPTION); + AES_ENCRYPTION); if (ret != 0) return ret; } @@ -10231,6 +11266,55 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } } #endif /* WOLFSSL_AES_CTR */ + else if (ctx->cipherType == AES_128_ECB_TYPE || + (type && XSTRNCMP(type, EVP_AES_128_ECB, EVP_AES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_AES_128_ECB); + ctx->cipherType = AES_128_ECB_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; + ctx->keyLen = 16; + ctx->block_size = AES_BLOCK_SIZE; + if (enc == 0 || enc == 1) + ctx->enc = enc ? 1 : 0; + if (key) { + ret = wc_AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, NULL, + ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION); + } + if (ret != 0) + return ret; + } + else if (ctx->cipherType == AES_192_ECB_TYPE || + (type && XSTRNCMP(type, EVP_AES_192_ECB, EVP_AES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_AES_192_ECB); + ctx->cipherType = AES_192_ECB_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; + ctx->keyLen = 24; + ctx->block_size = AES_BLOCK_SIZE; + if (enc == 0 || enc == 1) + ctx->enc = enc ? 1 : 0; + if (key) { + if(ctx->enc) + ret = wc_AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, NULL, + ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION); + } + if (ret != 0) + return ret; + } + else if (ctx->cipherType == AES_256_ECB_TYPE || + (type && XSTRNCMP(type, EVP_AES_256_ECB, EVP_AES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_AES_256_ECB); + ctx->cipherType = AES_256_ECB_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; + ctx->keyLen = 32; + ctx->block_size = AES_BLOCK_SIZE; + if (enc == 0 || enc == 1) + ctx->enc = enc ? 1 : 0; + if (key) { + ret = wc_AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, NULL, + ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION); + } + if (ret != 0) + return ret; + } #endif /* NO_AES */ #ifndef NO_DES3 @@ -10238,7 +11322,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (type && XSTRNCMP(type, EVP_DES_CBC, EVP_DES_SIZE) == 0)) { WOLFSSL_MSG(EVP_DES_CBC); ctx->cipherType = DES_CBC_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 8; + ctx->block_size = DES_BLOCK_SIZE; if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; if (key) { @@ -10251,12 +11337,32 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (iv && key == NULL) wc_Des_SetIV(&ctx->cipher.des, iv); } +#ifdef WOLFSSL_DES_ECB + else if (ctx->cipherType == DES_ECB_TYPE || + (type && XSTRNCMP(type, EVP_DES_ECB, EVP_DES_SIZE) == 0)) { + WOLFSSL_MSG(EVP_DES_ECB); + ctx->cipherType = DES_ECB_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; + ctx->keyLen = 8; + ctx->block_size = DES_BLOCK_SIZE; + if (enc == 0 || enc == 1) + ctx->enc = enc ? 1 : 0; + if (key) { + ret = wc_Des_SetKey(&ctx->cipher.des, key, NULL, + ctx->enc ? DES_ENCRYPTION : DES_DECRYPTION); + if (ret != 0) + return ret; + } + } +#endif else if (ctx->cipherType == DES_EDE3_CBC_TYPE || (type && XSTRNCMP(type, EVP_DES_EDE3_CBC, EVP_DES_EDE3_SIZE) == 0)) { WOLFSSL_MSG(EVP_DES_EDE3_CBC); ctx->cipherType = DES_EDE3_CBC_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 24; + ctx->block_size = DES_BLOCK_SIZE; if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; if (key) { @@ -10272,12 +11378,30 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ret; } } + else if (ctx->cipherType == DES_EDE3_ECB_TYPE || + (type && + XSTRNCMP(type, EVP_DES_EDE3_ECB, EVP_DES_EDE3_SIZE) == 0)) { + WOLFSSL_MSG(EVP_DES_EDE3_ECB); + ctx->cipherType = DES_EDE3_ECB_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; + ctx->keyLen = 24; + ctx->block_size = DES_BLOCK_SIZE; + if (enc == 0 || enc == 1) + ctx->enc = enc ? 1 : 0; + if (key) { + ret = wc_Des3_SetKey(&ctx->cipher.des3, key, NULL, + ctx->enc ? DES_ENCRYPTION : DES_DECRYPTION); + if (ret != 0) + return ret; + } + } #endif /* NO_DES3 */ #ifndef NO_RC4 if (ctx->cipherType == ARC4_TYPE || (type && XSTRNCMP(type, "ARC4", 4) == 0)) { WOLFSSL_MSG("ARC4"); ctx->cipherType = ARC4_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_STREAM_CIPHER; if (ctx->keyLen == 0) /* user may have already set */ ctx->keyLen = 16; /* default to 128 */ if (key) @@ -10290,6 +11414,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (type && XSTRNCMP(type, EVP_IDEA_CBC, EVP_IDEA_SIZE) == 0)) { WOLFSSL_MSG(EVP_IDEA_CBC); ctx->cipherType = IDEA_CBC_TYPE; + ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = IDEA_KEY_SIZE; if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; @@ -10376,6 +11501,17 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ret = wc_AesCbcDecrypt(&ctx->cipher.aes, dst, src, len); break; #endif /* HAVE_AES_CBC */ +#ifdef HAVE_AES_ECB + case AES_128_ECB_TYPE : + case AES_192_ECB_TYPE : + case AES_256_ECB_TYPE : + WOLFSSL_MSG("AES ECB"); + if (ctx->enc) + ret = wc_AesEcbEncrypt(&ctx->cipher.aes, dst, src, len); + else + ret = wc_AesEcbDecrypt(&ctx->cipher.aes, dst, src, len); + break; +#endif #ifdef WOLFSSL_AES_COUNTER case AES_128_CTR_TYPE : case AES_192_CTR_TYPE : @@ -10393,13 +11529,28 @@ int wolfSSL_set_compression(WOLFSSL* ssl) else wc_Des_CbcDecrypt(&ctx->cipher.des, dst, src, len); break; - +#ifdef WOLFSSL_DES_ECB + case DES_ECB_TYPE : + if (ctx->enc) + ret = wc_Des_EcbEncrypt(&ctx->cipher.des, dst, src, len); + else + ret = wc_Des_EcbDecrypt(&ctx->cipher.des, dst, src, len); + break; +#endif case DES_EDE3_CBC_TYPE : if (ctx->enc) ret = wc_Des3_CbcEncrypt(&ctx->cipher.des3, dst, src, len); else ret = wc_Des3_CbcDecrypt(&ctx->cipher.des3, dst, src, len); break; +#ifdef WOLFSSL_DES_ECB + case DES_EDE3_ECB_TYPE : + if (ctx->enc) + ret = wc_Des3_EcbEncrypt(&ctx->cipher.des3, dst, src, len); + else + ret = wc_Des3_EcbDecrypt(&ctx->cipher.des3, dst, src, len); + break; +#endif #endif #ifndef NO_RC4 @@ -10435,6 +11586,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return SSL_SUCCESS; /* success */ } +#include "wolfcrypt/src/evp.c" + /* store for external read of iv, SSL_SUCCESS on success */ int wolfSSL_StoreExternalIV(WOLFSSL_EVP_CIPHER_CTX* ctx) @@ -10574,6 +11727,11 @@ int wolfSSL_set_compression(WOLFSSL* ssl) const WOLFSSL_EVP_MD* type) { WOLFSSL_ENTER("EVP_DigestInit"); + + if (ctx == NULL || type == NULL) { + return BAD_FUNC_ARG; + } + if (XSTRNCMP(type, "SHA256", 6) == 0) { ctx->macType = SHA256; wolfSSL_SHA256_Init((SHA256_CTX*)&ctx->hash); @@ -10975,9 +12133,12 @@ int wolfSSL_set_compression(WOLFSSL* ssl) long wolfSSL_CTX_sess_get_cache_size(WOLFSSL_CTX* ctx) { - /* TODO: maybe? */ (void)ctx; - return (~0); + #ifndef NO_SESSION_CACHE + return SESSIONS_PER_ROW * SESSION_ROWS; + #else + return 0; + #endif } unsigned long wolfSSL_ERR_get_error_line_data(const char** file, int* line, @@ -10991,6 +12152,27 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return 0; } + WOLFSSL_API pem_password_cb* wolfSSL_CTX_get_default_passwd_cb( + WOLFSSL_CTX *ctx) + { + if (ctx == NULL || ctx->passwd_cb == NULL) { + return NULL; + } + + return &(ctx->passwd_cb); + } + + + WOLFSSL_API void *wolfSSL_CTX_get_default_passwd_cb_userdata( + WOLFSSL_CTX *ctx) + { + if (ctx == NULL) { + return NULL; + } + + return ctx->userdata; + } + #endif /* OPENSSL_EXTRA */ @@ -11962,6 +13144,135 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) #ifdef OPENSSL_EXTRA +/* return 1 on success 0 on fail */ +int wolfSSL_sk_ASN1_OBJECT_push(STACK_OF(WOLFSSL_ASN1_OBJEXT)* sk, + WOLFSSL_ASN1_OBJECT* obj) +{ + WOLFSSL_STACK* node; + + if (sk == NULL || obj == NULL) { + return SSL_FAILURE; + } + + /* no previous values in stack */ + if (sk->data.obj == NULL) { + sk->data.obj = obj; + sk->num += 1; + return SSL_SUCCESS; + } + + /* stack already has value(s) create a new node and add more */ + node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, + DYNAMIC_TYPE_ASN1); + if (node == NULL) { + WOLFSSL_MSG("Memory error"); + return SSL_FAILURE; + } + XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); + + /* push new obj onto head of stack */ + node->data.obj = sk->data.obj; + node->next = sk->next; + sk->next = node; + sk->data.obj = obj; + sk->num += 1; + + return SSL_SUCCESS; +} + + +WOLFSSL_ASN1_OBJECT* wolfSSL_sk_ASN1_OBJCET_pop( + STACK_OF(WOLFSSL_ASN1_OBJECT)* sk) +{ + WOLFSSL_STACK* node; + WOLFSSL_ASN1_OBJECT* obj; + + if (sk == NULL) { + return NULL; + } + + node = sk->next; + obj = sk->data.obj; + + if (node != NULL) { /* update sk and remove node from stack */ + sk->data.obj = node->data.obj; + sk->next = node->next; + XFREE(node, NULL, DYNAMIC_TYPE_ASN1); + } + else { /* last obj in stack */ + sk->data.obj = NULL; + } + + if (sk->num > 0) { + sk->num -= 1; + } + + return obj; +} + + +#ifndef NO_ASN +WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_new(void) +{ + WOLFSSL_ASN1_OBJECT* obj; + + obj = (WOLFSSL_ASN1_OBJECT*)XMALLOC(sizeof(WOLFSSL_ASN1_OBJECT), NULL, + DYNAMIC_TYPE_ASN1); + if (obj == NULL) { + return NULL; + } + + XMEMSET(obj, 0, sizeof(WOLFSSL_ASN1_OBJECT)); + return obj; +} + + +void wolfSSL_ASN1_OBJECT_free(WOLFSSL_ASN1_OBJECT* obj) +{ + if (obj == NULL) { + return; + } + + if (obj->dynamic == 1) { + if (obj->obj != NULL) { + WOLFSSL_MSG("Freeing ASN1 OBJECT data"); + XFREE(obj->obj, obj->heap, DYNAMIC_TYPE_ASN1); + } + } + + XFREE(obj, NULL, DYNAMIC_TYPE_ASN1); +} + + +/* free structure for x509 stack */ +void wolfSSL_sk_ASN1_OBJECT_free(STACK_OF(WOLFSSL_ASN1_OBJECT)* sk) +{ + WOLFSSL_STACK* node; + + if (sk == NULL) { + return; + } + + /* parse through stack freeing each node */ + node = sk->next; + while (sk->num > 1) { + WOLFSSL_STACK* tmp = node; + node = node->next; + + wolfSSL_ASN1_OBJECT_free(tmp->data.obj); + XFREE(tmp, NULL, DYNAMIC_TYPE_ASN1); + sk->num -= 1; + } + + /* free head of stack */ + if (sk->num == 1) { + wolfSSL_ASN1_OBJECT_free(sk->data.obj); + } + XFREE(sk, NULL, DYNAMIC_TYPE_ASN1); +} +#endif /* NO_ASN */ + + int wolfSSL_set_session_id_context(WOLFSSL* ssl, const unsigned char* id, unsigned int len) { @@ -12120,6 +13431,10 @@ char* wolfSSL_CIPHER_description(WOLFSSL_CIPHER* cipher, char* in, int len) WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl) { + if (ssl == NULL) { + return NULL; + } + /* sessions are stored statically, no need for reference count */ return wolfSSL_get_session(ssl); } @@ -12370,6 +13685,39 @@ WOLFSSL_X509_LOOKUP* wolfSSL_X509_STORE_add_lookup(WOLFSSL_X509_STORE* store, #ifndef NO_CERTS +WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509** x509) +{ + WOLFSSL_X509* localX509 = NULL; + const unsigned char* mem = NULL; + int ret; + word32 size; + + WOLFSSL_ENTER("wolfSSL_d2i_X509_bio"); + + if (bio == NULL) { + WOLFSSL_MSG("Bad Function Argument bio is NULL"); + return NULL; + } + + ret = wolfSSL_BIO_get_mem_data(bio, &mem); + if (mem == NULL || ret <= 0) { + WOLFSSL_MSG("Failed to get data from bio struct"); + return NULL; + } + size = ret; + + localX509 = wolfSSL_X509_d2i(NULL, mem, size); + if (localX509 == NULL) { + return NULL; + } + + if (x509 != NULL) { + *x509 = localX509; + } + + return localX509; +} + #if !defined(NO_ASN) && !defined(NO_PWDBASED) WC_PKCS12* wolfSSL_d2i_PKCS12_bio(WOLFSSL_BIO* bio, WC_PKCS12** pkcs12) @@ -12464,7 +13812,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, WC_DerCertList* current = certList; *ca = (STACK_OF(WOLFSSL_X509)*)XMALLOC(sizeof(STACK_OF(WOLFSSL_X509)), - heap, DYNAMIC_TYPE_PKCS); + heap, DYNAMIC_TYPE_X509); if (*ca == NULL) { if (pk != NULL) { XFREE(pk, heap, DYNAMIC_TYPE_PKCS); @@ -12490,7 +13838,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, WOLFSSL_X509* x509; x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap, - DYNAMIC_TYPE_PKCS); + DYNAMIC_TYPE_X509); InitX509(x509, 1, heap); InitDecodedCert(&DeCert, current->buffer, current->bufferSz, heap); if (ParseCertRelative(&DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) { @@ -12554,7 +13902,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, /* Decode cert and place in X509 struct */ if (certData != NULL) { *cert = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap, - DYNAMIC_TYPE_PKCS); + DYNAMIC_TYPE_X509); if (*cert == NULL) { if (pk != NULL) { XFREE(pk, heap, DYNAMIC_TYPE_PKCS); @@ -12590,8 +13938,9 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, /* get key type */ ret = BAD_STATE_E; if (pk != NULL) { /* decode key if present */ + /* using dynamic type public key because of wolfSSL_EVP_PKEY_free */ *pkey = (WOLFSSL_EVP_PKEY*)XMALLOC(sizeof(WOLFSSL_EVP_PKEY), - heap, DYNAMIC_TYPE_PKCS); + heap, DYNAMIC_TYPE_PUBLIC_KEY); if (*pkey == NULL) { wolfSSL_X509_free(*cert); *cert = NULL; if (ca != NULL) { @@ -12630,7 +13979,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, if (ca != NULL) { wolfSSL_sk_X509_free(*ca); *ca = NULL; } - XFREE(*pkey, heap, DYNAMIC_TYPE_PKCS); *pkey = NULL; + XFREE(*pkey, heap, DYNAMIC_TYPE_PUBLIC_KEY); *pkey = NULL; XFREE(pk, heap, DYNAMIC_TYPE_PKCS); return 0; } @@ -12641,7 +13990,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, if (ca != NULL) { wolfSSL_sk_X509_free(*ca); *ca = NULL; } - XFREE(*pkey, heap, DYNAMIC_TYPE_PKCS); *pkey = NULL; + XFREE(*pkey, heap, DYNAMIC_TYPE_PUBLIC_KEY); *pkey = NULL; XFREE(pk, heap, DYNAMIC_TYPE_PKCS); WOLFSSL_MSG("Bad PKCS12 key format"); return 0; @@ -12658,7 +14007,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, if (ca != NULL) { wolfSSL_sk_X509_free(*ca); *ca = NULL; } - XFREE(*pkey, heap, DYNAMIC_TYPE_PKCS); *pkey = NULL; + XFREE(*pkey, heap, DYNAMIC_TYPE_PUBLIC_KEY); *pkey = NULL; XFREE(pk, heap, DYNAMIC_TYPE_PKCS); WOLFSSL_MSG("Bad PKCS12 key format"); return 0; @@ -12685,6 +14034,18 @@ void wolfSSL_PKCS12_PBE_add(void) WOLFSSL_ENTER("wolfSSL_PKCS12_PBE_add"); } + + +WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) +{ + if (ctx == NULL) { + return NULL; + } + + return ctx->chain; +} + + int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509) { int result = SSL_FATAL_ERROR; @@ -12742,6 +14103,23 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) } +int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, unsigned long flag) +{ + int ret = SSL_SUCCESS; + + WOLFSSL_ENTER("wolfSSL_X509_STORE_set_flags"); + + if ((flag & WOLFSSL_CRL_CHECKALL) || (flag & WOLFSSL_CRL_CHECK)) { + ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag); + } + + (void)store; + (void)flag; + + return ret; +} + + int wolfSSL_X509_STORE_set_default_paths(WOLFSSL_X509_STORE* store) { (void)store; @@ -12780,6 +14158,7 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, if (ctx != NULL) { ctx->store = store; ctx->current_cert = x509; + ctx->chain = sk; ctx->domain = NULL; ctx->ex_data = NULL; ctx->userCtx = NULL; @@ -12799,6 +14178,8 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) wolfSSL_X509_STORE_free(ctx->store); if (ctx->current_cert != NULL) wolfSSL_FreeX509(ctx->current_cert); + if (ctx->chain != NULL) + wolfSSL_sk_X509_free(ctx->chain); XFREE(ctx, NULL, DYNAMIC_TYPE_X509_CTX); } } @@ -12889,6 +14270,20 @@ void wolfSSL_X509_OBJECT_free_contents(WOLFSSL_X509_OBJECT* obj) } +WOLFSSL_EVP_PKEY* wolfSSL_PKEY_new() +{ + WOLFSSL_EVP_PKEY* pkey; + + pkey = (WOLFSSL_EVP_PKEY*)XMALLOC(sizeof(WOLFSSL_EVP_PKEY), NULL, + DYNAMIC_TYPE_PUBLIC_KEY); + if (pkey != NULL) { + XMEMSET(pkey, 0, sizeof(WOLFSSL_EVP_PKEY)); + } + + return pkey; +} + + void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY* key) { if (key != NULL) { @@ -12992,7 +14387,6 @@ long wolfSSL_ASN1_INTEGER_get(const WOLFSSL_ASN1_INTEGER* i) } - void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx) { WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_ex_data"); @@ -13066,13 +14460,223 @@ int wolfSSL_PEM_def_callback(char* name, int num, int w, void* key) } +unsigned long wolfSSL_set_options(WOLFSSL* ssl, unsigned long op) +{ + WOLFSSL_ENTER("wolfSSL_set_options"); + + if (ssl == NULL) { + return 0; + } + + /* if SSL_OP_ALL then turn all bug workarounds one */ + if ((op & SSL_OP_ALL) == SSL_OP_ALL) { + WOLFSSL_MSG("\tSSL_OP_ALL"); + + op |= SSL_OP_MICROSOFT_SESS_ID_BUG; + op |= SSL_OP_NETSCAPE_CHALLENGE_BUG; + op |= SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; + op |= SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG; + op |= SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER; + op |= SSL_OP_MSIE_SSLV2_RSA_PADDING; + op |= SSL_OP_SSLEAY_080_CLIENT_DH_BUG; + op |= SSL_OP_TLS_D5_BUG; + op |= SSL_OP_TLS_BLOCK_PADDING_BUG; + op |= SSL_OP_TLS_ROLLBACK_BUG; + op |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + } + + + /* by default cookie exchange is on with DTLS */ + if ((op & SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE) { + WOLFSSL_MSG("\tSSL_OP_COOKIE_EXCHANGE : on by default"); + } + + if ((op & SSL_OP_NO_SSLv2) == SSL_OP_NO_SSLv2) { + WOLFSSL_MSG("\tSSL_OP_NO_SSLv2 : wolfSSL does not support SSLv2"); + } + + if ((op & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { + WOLFSSL_MSG("\tSSL_OP_NO_SSLv3"); + } + + if ((op & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { + WOLFSSL_MSG("\tSSL_OP_NO_TLSv1"); + } + + if ((op & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { + WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_1"); + } + + if ((op & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_2"); + } + + if ((op & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) { + #ifdef HAVE_LIBZ + WOLFSSL_MSG("SSL_OP_NO_COMPRESSION"); + ssl->options.usingCompression = 0; + #else + WOLFSSL_MSG("SSL_OP_NO_COMPRESSION: compression not compiled in"); + #endif + } + + ssl->options.mask |= op; + + return ssl->options.mask; +} + + +unsigned long wolfSSL_get_options(const WOLFSSL* ssl) +{ + WOLFSSL_ENTER("wolfSSL_get_options"); + + return ssl->options.mask; +} + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_clear_num_renegotiations(WOLFSSL *s) +{ + (void)s; + return 0; +} + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_total_renegotiations(WOLFSSL *s) +{ + (void)s; + return 0; +} + + +#ifndef NO_DH +long wolfSSL_set_tmp_dh(WOLFSSL *ssl, WOLFSSL_DH *dh) +{ + int pSz, gSz; + byte *p, *g; + int ret = 0; + + WOLFSSL_ENTER("wolfSSL_set_tmp_dh"); + + if (!ssl || !dh) + return BAD_FUNC_ARG; + + /* Get needed size for p and g */ + pSz = wolfSSL_BN_bn2bin(dh->p, NULL); + gSz = wolfSSL_BN_bn2bin(dh->g, NULL); + + if (pSz <= 0 || gSz <= 0) + return SSL_FATAL_ERROR; + + p = (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_DH); + if (!p) + return MEMORY_E; + + g = (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_DH); + if (!g) { + XFREE(p, ssl->heap, DYNAMIC_TYPE_DH); + return MEMORY_E; + } + + pSz = wolfSSL_BN_bn2bin(dh->p, p); + gSz = wolfSSL_BN_bn2bin(dh->g, g); + + if (pSz >= 0 && gSz >= 0) /* Conversion successful */ + ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz); + + XFREE(p, ssl->heap, DYNAMIC_TYPE_DH); + XFREE(g, ssl->heap, DYNAMIC_TYPE_DH); + + return pSz > 0 && gSz > 0 ? ret : SSL_FATAL_ERROR; +} +#endif /* !NO_DH */ + + +#ifdef HAVE_PK_CALLBACKS +long wolfSSL_set_tlsext_debug_arg(WOLFSSL* ssl, void *arg) +{ + if (ssl == NULL) { + return SSL_FAILURE; + } + + ssl->loggingCtx = arg; + return SSL_SUCCESS; +} +#endif /* HAVE_PK_CALLBACKS */ + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_set_tlsext_status_type(WOLFSSL *s, int type) +{ + (void)s; + (void)type; + return 0; +} + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg) +{ + (void)s; + (void)arg; + return 0; +} + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg) +{ + (void)s; + (void)arg; + return 0; +} + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg) +{ + (void)s; + (void)arg; + return 0; +} + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg) +{ + (void)s; + (void)arg; + return 0; +} + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp) +{ + (void)s; + (void)resp; + return 0; +} + +/*** TBD ***/ +WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, int len) +{ + (void)s; + (void)resp; + (void)len; + return 0; +} + + +long wolfSSL_get_verify_result(const WOLFSSL *ssl) +{ + if (ssl == NULL) { + return SSL_FAILURE; + } + + return ssl->peerVerifyRet; +} + + long wolfSSL_CTX_sess_accept(WOLFSSL_CTX* ctx) { (void)ctx; return 0; } - long wolfSSL_CTX_sess_connect(WOLFSSL_CTX* ctx) { (void)ctx; @@ -13149,14 +14753,130 @@ long wolfSSL_CTX_sess_number(WOLFSSL_CTX* ctx) return 0; } + +#ifndef NO_CERTS +long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509) +{ + byte* chain; + long chainSz = 0; + int derSz; + const byte* der; + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_add_extra_chain_cert"); + + if (ctx == NULL || x509 == NULL) { + WOLFSSL_MSG("Bad Argument"); + return SSL_FAILURE; + } + + der = wolfSSL_X509_get_der(x509, &derSz); + if (der == NULL || derSz <= 0) { + WOLFSSL_MSG("Error getting X509 DER"); + return SSL_FAILURE; + } + + /* adding cert to existing chain */ + if (ctx->certChain != NULL && ctx->certChain->length > 0) { + chainSz += ctx->certChain->length; + } + chainSz += derSz; + + chain = (byte*)XMALLOC(chainSz, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (chain == NULL) { + WOLFSSL_MSG("Memory Error"); + return SSL_FAILURE; + } + + if (ctx->certChain != NULL && ctx->certChain->length > 0) { + XMEMCPY(chain, ctx->certChain->buffer, ctx->certChain->length); + XMEMCPY(chain + ctx->certChain->length, der, derSz); + } + else { + XMEMCPY(chain, der, derSz); + } + + ret = ProcessBuffer(ctx, chain, chainSz, SSL_FILETYPE_ASN1, CERT_TYPE, + NULL, NULL, 1); + if (ret != SSL_SUCCESS) { + WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret); + XFREE(chain, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); + return SSL_FAILURE; + } + + /* on success WOLFSSL_X509 memory is responsibility of ctx */ + wolfSSL_X509_free(x509); + XFREE(chain, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); + + return SSL_SUCCESS; +} + + +long wolfSSL_CTX_set_tlsext_status_arg(WOLFSSL_CTX* ctx, void* arg) +{ + if (ctx == NULL || ctx->cm == NULL) { + return SSL_FAILURE; + } + + ctx->cm->ocspIOCtx = arg; + return SSL_SUCCESS; +} + +#endif /* NO_CERTS */ + + +/*** TBC ***/ +WOLFSSL_API long wolfSSL_CTX_get_session_cache_mode(WOLFSSL_CTX* ctx) +{ + (void)ctx; + return 0; +} + + +int wolfSSL_CTX_get_read_ahead(WOLFSSL_CTX* ctx) +{ + if (ctx == NULL) { + return SSL_FAILURE; + } + + return ctx->readAhead; +} + + +int wolfSSL_CTX_set_read_ahead(WOLFSSL_CTX* ctx, int v) +{ + if (ctx == NULL) { + return SSL_FAILURE; + } + + ctx->readAhead = (byte)v; + + return SSL_SUCCESS; +} + + +long wolfSSL_CTX_set_tlsext_opaque_prf_input_callback_arg(WOLFSSL_CTX* ctx, + void* arg) +{ + if (ctx == NULL) { + return SSL_FAILURE; + } + + ctx->userPRFArg = arg; + return SSL_SUCCESS; +} + + #ifndef NO_DES3 -void wolfSSL_DES_set_key(WOLFSSL_const_DES_cblock* myDes, +/* 0 on success */ +int wolfSSL_DES_set_key(WOLFSSL_const_DES_cblock* myDes, WOLFSSL_DES_key_schedule* key) { #ifdef WOLFSSL_CHECK_DESKEY - wolfSSL_DES_set_key_checked(myDes, key); + return wolfSSL_DES_set_key_checked(myDes, key); #else wolfSSL_DES_set_key_unchecked(myDes, key); + return 0; #endif } @@ -13174,12 +14894,14 @@ static int DES_check(word32 mask, word32 mask2, unsigned char* key) } -/* check that the key is odd parity and is not a weak key */ -void wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes, +/* check that the key is odd parity and is not a weak key + * returns -1 if parity is wrong, -2 if weak/null key and 0 on success */ +int wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes, WOLFSSL_DES_key_schedule* key) { if (myDes == NULL || key == NULL) { WOLFSSL_MSG("Bad argument passed to wolfSSL_DES_set_key_checked"); + return -2; } else { word32 i, mask, mask2; @@ -13188,7 +14910,7 @@ void wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes, /* sanity check before call to DES_check */ if (sz != (sizeof(word32) * 2)) { WOLFSSL_MSG("Unexpected WOLFSSL_DES_key_schedule size"); - return; + return -2; } /* check odd parity */ @@ -13203,7 +14925,7 @@ void wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes, ((c >> 6) & 0x01) ^ ((c >> 7) & 0x01)) != 1) { WOLFSSL_MSG("Odd parity test fail"); - return; + return -1; } } @@ -13214,25 +14936,25 @@ void wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes, mask = 0x01010101; mask2 = 0x01010101; if (DES_check(mask, mask2, *key)) { WOLFSSL_MSG("Weak key found"); - return; + return -2; } mask = 0xFEFEFEFE; mask2 = 0xFEFEFEFE; if (DES_check(mask, mask2, *key)) { WOLFSSL_MSG("Weak key found"); - return; + return -2; } mask = 0xE0E0E0E0; mask2 = 0xF1F1F1F1; if (DES_check(mask, mask2, *key)) { WOLFSSL_MSG("Weak key found"); - return; + return -2; } mask = 0x1F1F1F1F; mask2 = 0x0E0E0E0E; if (DES_check(mask, mask2, *key)) { WOLFSSL_MSG("Weak key found"); - return; + return -2; } /* semi-weak *key check (list from same Nist paper) */ @@ -13240,39 +14962,41 @@ void wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes, if (DES_check(mask, mask2, *key) || DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { WOLFSSL_MSG("Weak key found"); - return; + return -2; } mask = 0x01E001E0; mask2 = 0x01F101F1; if (DES_check(mask, mask2, *key) || DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { WOLFSSL_MSG("Weak key found"); - return; + return -2; } mask = 0x01FE01FE; mask2 = 0x01FE01FE; if (DES_check(mask, mask2, *key) || DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { WOLFSSL_MSG("Weak key found"); - return; + return -2; } mask = 0x1FE01FE0; mask2 = 0x0EF10EF1; if (DES_check(mask, mask2, *key) || DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { WOLFSSL_MSG("Weak key found"); - return; + return -2; } mask = 0x1FFE1FFE; mask2 = 0x0EFE0EFE; if (DES_check(mask, mask2, *key) || DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { WOLFSSL_MSG("Weak key found"); - return; + return -2; } /* passed tests, now copy over key */ XMEMCPY(key, myDes, sizeof(WOLFSSL_const_DES_cblock)); + + return 0; } } @@ -13685,6 +15409,29 @@ int wolfSSL_BN_mod(WOLFSSL_BIGNUM* r, const WOLFSSL_BIGNUM* a, } +/* r = (a^p) % m */ +int wolfSSL_BN_mod_exp(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *a, + const WOLFSSL_BIGNUM *p, const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx) +{ + int ret; + + WOLFSSL_ENTER("wolfSSL_BN_mod_exp"); + + (void) ctx; + if (r == NULL || a == NULL || p == NULL || m == NULL) { + WOLFSSL_MSG("Bad Argument"); + return SSL_FAILURE; + } + + if ((ret = mp_exptmod((mp_int*)a->internal,(mp_int*)p->internal, + (mp_int*)m->internal, (mp_int*)r->internal)) == MP_OKAY) { + return SSL_SUCCESS; + } + + WOLFSSL_LEAVE("wolfSSL_BN_mod_exp", ret); + return SSL_FAILURE; +} + const WOLFSSL_BIGNUM* wolfSSL_BN_value_one(void) { static WOLFSSL_BIGNUM* bn_one = NULL; @@ -14317,7 +16064,7 @@ char *wolfSSL_BN_bn2hex(const WOLFSSL_BIGNUM *bn) { (void)bn; - WOLFSSL_MSG("wolfSSL_BN_bn2hex not implemented"); + WOLFSSL_MSG("wolfSSL_BN_bn2hex need WOLFSSL_KEY_GEN or HAVE_COMP_KEY"); return (char*)""; } @@ -14719,6 +16466,7 @@ void wolfSSL_DSA_free(WOLFSSL_DSA* dsa) dsa = NULL; } } + #endif /* NO_DSA */ #ifndef NO_RSA @@ -14801,8 +16549,10 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa) #endif /* NO_RSA */ -#if (!defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)) \ - || !defined(NO_DSA) || defined(HAVE_ECC) +/* these defines are to make sure the functions SetIndividualExternal is not + * declared and then not used. */ +#if !defined(NO_ASN) || !defined(NO_DSA) || defined(HAVE_ECC) || \ + (!defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)) static int SetIndividualExternal(WOLFSSL_BIGNUM** bn, mp_int* mpi) { WOLFSSL_MSG("Entering SetIndividualExternal"); @@ -14849,6 +16599,76 @@ static int SetIndividualInternal(WOLFSSL_BIGNUM* bn, mp_int* mpi) return SSL_SUCCESS; } + + +#ifndef NO_ASN +WOLFSSL_BIGNUM *wolfSSL_ASN1_INTEGER_to_BN(const WOLFSSL_ASN1_INTEGER *ai, + WOLFSSL_BIGNUM *bn) +{ + mp_int mpi; + word32 idx = 0; + int ret; + + WOLFSSL_ENTER("wolfSSL_ASN1_INTEGER_to_BN"); + + if (ai == NULL) { + return NULL; + } + + if ((ret = GetInt(&mpi, ai->data, &idx, sizeof(ai->data))) != 0) { + /* expecting ASN1 format for INTEGER */ + WOLFSSL_LEAVE("wolfSSL_ASN1_INTEGER_to_BN", ret); + return NULL; + } + + if (SetIndividualExternal(&bn, &mpi) != SSL_SUCCESS) { + return NULL; + } + + return bn; +} +#endif /* !NO_ASN */ + +#if !defined(NO_DSA) && !defined(NO_DH) +WOLFSSL_DH *wolfSSL_DSA_dup_DH(const WOLFSSL_DSA *dsa) +{ + WOLFSSL_DH* dh; + DhKey* key; + + dh = wolfSSL_DH_new(); + if (dh == NULL || dsa == NULL) { + return NULL; + } + key = (DhKey*)dh->internal; + + if (dsa->p != NULL && + SetIndividualInternal(((WOLFSSL_DSA*)dsa)->p, &key->p) != SSL_SUCCESS) { + WOLFSSL_MSG("rsa p key error"); + wolfSSL_DH_free(dh); + return NULL; + } + if (dsa->g != NULL && + SetIndividualInternal(((WOLFSSL_DSA*)dsa)->g, &key->g) != SSL_SUCCESS) { + WOLFSSL_MSG("rsa g key error"); + wolfSSL_DH_free(dh); + return NULL; + } + + if (SetIndividualExternal(&dh->p, &key->p) != SSL_SUCCESS) { + WOLFSSL_MSG("dsa p key error"); + wolfSSL_DH_free(dh); + return NULL; + } + if (SetIndividualExternal(&dh->g, &key->g) != SSL_SUCCESS) { + WOLFSSL_MSG("dsa g key error"); + wolfSSL_DH_free(dh); + return NULL; + } + + return dh; +} +#endif /* !defined(NO_DSA) && !defined(NO_DH) */ + #endif /* !NO_RSA && !NO_DSA */ @@ -16098,6 +17918,74 @@ static int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher, } #endif /* defined(WOLFSSL_KEY_GEN) */ +#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) + +int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key, + const WOLFSSL_EVP_CIPHER* cipher, + unsigned char* passwd, int len, + pem_password_cb* cb, void* arg) +{ + byte* keyDer; + int pemSz; + int type; + int ret; + + (void)cipher; + (void)passwd; + (void)len; + (void)cb; + (void)arg; + + WOLFSSL_ENTER("wolfSSL_PEM_write_bio_PrivateKey"); + + if (bio == NULL || key == NULL) { + return SSL_FAILURE; + } + + keyDer = (byte*)key->pkey.ptr; + + switch (key->type) { + case EVP_PKEY_RSA: + type = PRIVATEKEY_TYPE; + break; + +#ifndef NO_DSA + case EVP_PKEY_DSA: + type = DSA_PRIVATEKEY_TYPE; + break; +#endif + + case EVP_PKEY_EC: + type = ECC_PRIVATEKEY_TYPE; + break; + + default: + WOLFSSL_MSG("Unknown Key type!"); + type = PRIVATEKEY_TYPE; + } + + pemSz = wc_DerToPem(keyDer, key->pkey_sz, NULL, 0, type); + if (pemSz < 0) { + WOLFSSL_LEAVE("wolfSSL_PEM_write_bio_PrivateKey", pemSz); + return SSL_FAILURE; + } + if (bio->mem != NULL) { + XFREE(bio->mem, NULL, DYNAMIC_TYPE_OPENSSL); + } + bio->mem = (byte*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_OPENSSL); + bio->memLen = pemSz; + + ret = wc_DerToPemEx(keyDer, key->pkey_sz, bio->mem, bio->memLen, + NULL, type); + if (ret < 0) { + WOLFSSL_LEAVE("wolfSSL_PEM_write_bio_PrivateKey", ret); + return SSL_FAILURE; + } + + return SSL_SUCCESS; +} +#endif /* defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) */ + #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) /* return code compliant with OpenSSL : @@ -16249,7 +18137,7 @@ int wolfSSL_PEM_write_RSAPrivateKey(FILE *fp, WOLFSSL_RSA *rsa, int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, RSA* rsa, const EVP_CIPHER* cipher, unsigned char* passwd, int len, - pem_password_cb cb, void* arg) + pem_password_cb* cb, void* arg) { (void)bio; (void)rsa; @@ -17492,7 +19380,7 @@ int wolfSSL_PEM_write_EC_PUBKEY(FILE *fp, WOLFSSL_EC_KEY *x) int wolfSSL_PEM_write_bio_ECPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ecc, const EVP_CIPHER* cipher, unsigned char* passwd, int len, - pem_password_cb cb, void* arg) + pem_password_cb* cb, void* arg) { (void)bio; (void)ecc; @@ -17667,7 +19555,7 @@ int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *ecc, int wolfSSL_PEM_write_bio_DSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_DSA* dsa, const EVP_CIPHER* cipher, unsigned char* passwd, int len, - pem_password_cb cb, void* arg) + pem_password_cb* cb, void* arg) { (void)bio; (void)dsa; @@ -17847,7 +19735,7 @@ int wolfSSL_PEM_write_DSA_PUBKEY(FILE *fp, WOLFSSL_DSA *x) #endif /* #ifndef NO_DSA */ WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_bio_PrivateKey(WOLFSSL_BIO* bio, - WOLFSSL_EVP_PKEY** key, pem_password_cb cb, void* arg) + WOLFSSL_EVP_PKEY** key, pem_password_cb* cb, void* arg) { (void)bio; (void)key; @@ -18094,8 +19982,9 @@ WOLFSSL_X509* wolfSSL_get_chain_X509(WOLFSSL_X509_CHAIN* chain, int idx) InitDecodedCert(cert, chain->certs[idx].buffer, chain->certs[idx].length, NULL); - if ((ret = ParseCertRelative(cert, CERT_TYPE, 0, NULL)) != 0) + if ((ret = ParseCertRelative(cert, CERT_TYPE, 0, NULL)) != 0) { WOLFSSL_MSG("Failed to parse cert"); + } else { x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL, DYNAMIC_TYPE_X509); @@ -18386,6 +20275,62 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) #ifdef OPENSSL_EXTRA /*Lighttp compatibility*/ + + #ifndef NO_CERTS + WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, + pem_password_cb *cb, void *u) { + WOLFSSL_X509* x509 = NULL; + const unsigned char* pem = NULL; + int pemSz; + + WOLFSSL_ENTER("wolfSSL_PEM_read_bio_X509"); + + if (bp == NULL) { + WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_X509", BAD_FUNC_ARG); + return NULL; + } + + pemSz = wolfSSL_BIO_get_mem_data(bp, &pem); + if (pemSz <= 0 || pem == NULL) { + WOLFSSL_MSG("Issue getting WOLFSSL_BIO mem"); + WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_X509", pemSz); + return NULL; + } + + x509 = wolfSSL_X509_load_certificate_buffer(pem, pemSz, + SSL_FILETYPE_PEM); + + if (x != NULL) { + *x = x509; + } + + (void)cb; + (void)u; + + return x509; + } + + + /* + * bp : bio to read X509 from + * x : x509 to write to + * cb : password call back for reading PEM + * u : password + * _AUX is for working with a trusted X509 certificate + */ + WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509_AUX(WOLFSSL_BIO *bp, + WOLFSSL_X509 **x, pem_password_cb *cb, void *u) { + WOLFSSL_ENTER("wolfSSL_PEM_read_bio_X509"); + + /* AUX info is; trusted/rejected uses, friendly name, private key id, + * and potentially a stack of "other" info. wolfSSL does not store + * friendly name or private key id yet in WOLFSSL_X509 for human + * readibility and does not support extra trusted/rejected uses for + * root CA. */ + return wolfSSL_PEM_read_bio_X509(bp, x, cb, u); + } + #endif /* ifndef NO_CERTS */ + #if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md) @@ -18406,16 +20351,6 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return 0; } - int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) { - (void)ctx; - (void)pkey; - WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey"); - WOLFSSL_STUB("wolfSSL_CTX_use_PrivateKey"); - - return 0; - } - - int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name) { (void)b; (void)name; @@ -18425,17 +20360,10 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return 0; } - WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_file(void) { - WOLFSSL_ENTER("wolfSSL_BIO_s_file"); - WOLFSSL_STUB("wolfSSL_BIO_s_file"); - - return NULL; - } - #ifdef HAVE_ECC - const char * wolf_OBJ_nid2sn(int n) { + const char * wolfSSL_OBJ_nid2sn(int n) { int i; - WOLFSSL_ENTER("wolf_OBJ_nid2sn"); + WOLFSSL_ENTER("wolfSSL_OBJ_nid2sn"); /* find based on NID and return name */ for (i = 0; i < ecc_sets[i].size; i++) { @@ -18446,17 +20374,17 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return NULL; } - int wolf_OBJ_obj2nid(const WOLFSSL_ASN1_OBJECT *o) { + int wolfSSL_OBJ_obj2nid(const WOLFSSL_ASN1_OBJECT *o) { (void)o; - WOLFSSL_ENTER("wolf_OBJ_obj2nid"); - WOLFSSL_STUB("wolf_OBJ_obj2nid"); + WOLFSSL_ENTER("wolfSSL_OBJ_obj2nid"); + WOLFSSL_STUB("wolfSSL_OBJ_obj2nid"); return 0; } - int wolf_OBJ_sn2nid(const char *sn) { + int wolfSSL_OBJ_sn2nid(const char *sn) { int i; - WOLFSSL_ENTER("wolf_OBJ_osn2nid"); + WOLFSSL_ENTER("wolfSSL_OBJ_osn2nid"); /* find based on name and return NID */ for (i = 0; i < ecc_sets[i].size; i++) { @@ -18469,17 +20397,6 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) #endif /* HAVE_ECC */ - WOLFSSL_X509 *PEM_read_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u) { - (void)bp; - (void)x; - (void)cb; - (void)u; - WOLFSSL_ENTER("PEM_read_bio_WOLFSSL_X509"); - WOLFSSL_STUB("PEM_read_bio_WOLFSSL_X509"); - - return NULL; - } - void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx, int depth) { (void)ctx; (void)depth; @@ -18581,6 +20498,46 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) #ifdef OPENSSL_EXTRA + +/* wolfSSL uses negative values for error states. This function returns an + * unsigned type so the value returned is the absolute value of the error. + */ +unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line) +{ + WOLFSSL_ENTER("wolfSSL_ERR_peek_last_error"); + + (void)line; + (void)file; +#if defined(DEBUG_WOLFSSL) + if (line != NULL) { + *line = (int)wc_last_error_line; + } + if (file != NULL) { + *file = (char*)wc_last_error_file; + } + return wc_last_error; +#else + return (unsigned long)(0 - NOT_COMPILED_IN); +#endif +} + + +#ifndef NO_CERTS +int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) +{ + WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey"); + + if (ctx == NULL || pkey == NULL) { + return SSL_FAILURE; + } + + return wolfSSL_CTX_use_PrivateKey_buffer(ctx, + (const unsigned char*)pkey->pkey.ptr, + pkey->pkey_sz, PRIVATEKEY_TYPE); +} +#endif /* !NO_CERTS */ + + void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) { WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); @@ -18670,23 +20627,122 @@ void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) #endif return 0; } + +#ifndef NO_DSA +WOLFSSL_DSA *wolfSSL_PEM_read_bio_DSAparams(WOLFSSL_BIO *bp, WOLFSSL_DSA **x, pem_password_cb *cb, void *u) +{ + WOLFSSL_DSA* dsa; + DsaKey* key; + int length; + const unsigned char* buf; + word32 bufSz; + int ret; + word32 idx = 0; + DerBuffer* pDer; + + WOLFSSL_ENTER("wolfSSL_PEM_read_bio_DSAparams"); + + ret = wolfSSL_BIO_get_mem_data(bp, &buf); + if (ret <= 0) { + WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_DSAparams", ret); + return NULL; + } + + bufSz = (word32)ret; + + if (cb != NULL || u != NULL) { + /* + * cb is for a call back when encountering encrypted PEM files + * if cb == NULL and u != NULL then u = null terminated password string + */ + WOLFSSL_MSG("Not yet supporting call back or password for encrypted PEM"); + } + + if ((ret = PemToDer(buf, (long)bufSz, DSA_PARAM_TYPE, &pDer, NULL, NULL, + NULL)) < 0 ) { + WOLFSSL_MSG("Issue converting from PEM to DER"); + return NULL; + } + + if ((ret = GetSequence(pDer->buffer, &idx, &length, pDer->length)) < 0) { + WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_DSAparams", ret); + FreeDer(&pDer); + return NULL; + } + + dsa = wolfSSL_DSA_new(); + if (dsa == NULL) { + FreeDer(&pDer); + WOLFSSL_MSG("Error creating DSA struct"); + return NULL; + } + + key = (DsaKey*)dsa->internal; + if (key == NULL) { + FreeDer(&pDer); + wolfSSL_DSA_free(dsa); + WOLFSSL_MSG("Error finding DSA key struct"); + return NULL; + } + + if (GetInt(&key->p, pDer->buffer, &idx, pDer->length) < 0 || + GetInt(&key->q, pDer->buffer, &idx, pDer->length) < 0 || + GetInt(&key->g, pDer->buffer, &idx, pDer->length) < 0 ) { + WOLFSSL_MSG("dsa key error"); + FreeDer(&pDer); + wolfSSL_DSA_free(dsa); + return NULL; + } + + if (SetIndividualExternal(&dsa->p, &key->p) != SSL_SUCCESS) { + WOLFSSL_MSG("dsa p key error"); + FreeDer(&pDer); + wolfSSL_DSA_free(dsa); + return NULL; + } + + if (SetIndividualExternal(&dsa->q, &key->q) != SSL_SUCCESS) { + WOLFSSL_MSG("dsa q key error"); + FreeDer(&pDer); + wolfSSL_DSA_free(dsa); + return NULL; + } + + if (SetIndividualExternal(&dsa->g, &key->g) != SSL_SUCCESS) { + WOLFSSL_MSG("dsa g key error"); + FreeDer(&pDer); + wolfSSL_DSA_free(dsa); + return NULL; + } + + if (x != NULL) { + *x = dsa; + } + + FreeDer(&pDer); + return dsa; +} +#endif /* NO_DSA */ + +#include "src/bio.c" + #endif /* OPENSSL_EXTRA */ #if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) \ - || defined(WOLFSSL_MYSQL_COMPATIBLE) -char * wolf_OBJ_nid2ln(int n) { + || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA) +char * wolfSSL_OBJ_nid2ln(int n) { (void)n; - WOLFSSL_ENTER("wolf_OBJ_nid2ln"); - WOLFSSL_STUB("wolf_OBJ_nid2ln"); + WOLFSSL_ENTER("wolfSSL_OBJ_nid2ln"); + WOLFSSL_STUB("wolfSSL_OBJ_nid2ln"); return NULL; } -int wolf_OBJ_txt2nid(const char* s) { +int wolfSSL_OBJ_txt2nid(const char* s) { (void)s; - WOLFSSL_ENTER("wolf_OBJ_txt2nid"); - WOLFSSL_STUB("wolf_OBJ_txt2nid"); + WOLFSSL_ENTER("wolfSSL_OBJ_txt2nid"); + WOLFSSL_STUB("wolfSSL_OBJ_txt2nid"); return 0; } @@ -18715,17 +20771,18 @@ WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bp, WOLFSSL_DH **x, pem_p return NULL; } -int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x) { + +int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x) { (void)bp; (void)x; - WOLFSSL_ENTER("PEM_write_bio_WOLFSSL_X509"); - WOLFSSL_STUB("PEM_write_bio_WOLFSSL_X509"); + WOLFSSL_ENTER("wolfSSL_PEM_write_bio_X509"); + WOLFSSL_STUB("wolfSSL_PEM_write_bio_X509"); return 0; } -#ifndef NO_DH +#if defined(OPENSSL_EXTRA) && !defined(NO_DH) /* Intialize ctx->dh with dh's params. Return SSL_SUCCESS on ok */ long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL_DH* dh) { @@ -18766,7 +20823,7 @@ long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL_DH* dh) return pSz > 0 && gSz > 0 ? ret : SSL_FATAL_ERROR; } -#endif /* NO_DH */ +#endif /* OPENSSL_EXTRA && !NO_DH */ #endif /* HAVE_LIGHTY || HAVE_STUNNEL || WOLFSSL_MYSQL_COMPATIBLE */ @@ -18778,6 +20835,11 @@ void WOLFSSL_ERR_remove_thread_state(void* pid) return; } +/***TBD ***/ +void wolfSSL_print_all_errors_fp(XFILE *fp) +{ + (void)fp; +} int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) { @@ -19043,16 +21105,6 @@ STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL* ssl) } -long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx) -{ - (void)ctx; - WOLFSSL_ENTER("wolfSSL_CTX_get_options"); - WOLFSSL_STUB("wolfSSL_CTX_get_options"); - - return 0; -} - - WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl) { WOLFSSL_ENTER("wolfSSL_get_SSL_CTX"); @@ -19602,4 +21654,35 @@ int wolfSSL_AsyncPoll(WOLFSSL* ssl, WOLF_EVENT_FLAG flags) #endif /* WOLFSSL_ASYNC_CRYPT */ +#ifdef OPENSSL_EXTRA +int wolfSSL_CTX_set_msg_callback(WOLFSSL_CTX *ctx, SSL_Msg_Cb cb) +{ + WOLFSSL_STUB("SSL_CTX_set_msg_callback"); + (void)ctx; + (void)cb; + return SSL_FAILURE; +} +int wolfSSL_set_msg_callback(WOLFSSL *ssl, SSL_Msg_Cb cb) +{ + WOLFSSL_STUB("SSL_set_msg_callback"); + (void)ssl; + (void)cb; + return SSL_FAILURE; +} +int wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg) +{ + WOLFSSL_STUB("SSL_CTX_set_msg_callback_arg"); + (void)ctx; + (void)arg; + return SSL_FAILURE; +} +int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg) +{ + WOLFSSL_STUB("SSL_set_msg_callback_arg"); + (void)ssl; + (void)arg; + return SSL_FAILURE; +} +#endif + #endif /* WOLFCRYPT_ONLY */ diff --git a/src/tls.c b/src/tls.c index c0ca6c151..7fdb9ce03 100644 --- a/src/tls.c +++ b/src/tls.c @@ -66,17 +66,6 @@ #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - - #ifdef WOLFSSL_SHA384 #define P_HASH_MAX_SIZE SHA384_DIGEST_SIZE #else @@ -2084,13 +2073,14 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, if (!isRequest) { #ifndef NO_WOLFSSL_CLIENT TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); - CertificateStatusRequest* csr = extension ? extension->data : NULL; + CertificateStatusRequest* csr = extension ? + (CertificateStatusRequest*)extension->data : NULL; if (!csr) { /* look at context level */ extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST); - csr = extension ? extension->data : NULL; + csr = extension ? (CertificateStatusRequest*)extension->data : NULL; if (!csr) return BUFFER_ERROR; /* unexpected extension */ @@ -2106,7 +2096,7 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, /* propagate nonce */ if (csr->request.ocsp.nonceSz) { OcspRequest* request = - TLSX_CSR_GetRequest(ssl->extensions); + (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions); if (request) { XMEMCPY(request->nonce, csr->request.ocsp.nonce, @@ -2185,7 +2175,8 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert, void* heap) { TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); - CertificateStatusRequest* csr = extension ? extension->data : NULL; + CertificateStatusRequest* csr = extension ? + (CertificateStatusRequest*)extension->data : NULL; int ret = 0; if (csr) { @@ -2215,7 +2206,8 @@ int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert, void* heap) void* TLSX_CSR_GetRequest(TLSX* extensions) { TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); - CertificateStatusRequest* csr = extension ? extension->data : NULL; + CertificateStatusRequest* csr = extension ? + (CertificateStatusRequest*)extension->data : NULL; if (csr) { switch (csr->status_type) { @@ -2231,7 +2223,8 @@ void* TLSX_CSR_GetRequest(TLSX* extensions) int TLSX_CSR_ForceRequest(WOLFSSL* ssl) { TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); - CertificateStatusRequest* csr = extension ? extension->data : NULL; + CertificateStatusRequest* csr = extension ? + (CertificateStatusRequest*)extension->data : NULL; if (csr) { switch (csr->status_type) { @@ -2433,14 +2426,15 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length, if (!isRequest) { #ifndef NO_WOLFSSL_CLIENT TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); - CertificateStatusRequestItemV2* csr2 = extension ? extension->data - : NULL; + CertificateStatusRequestItemV2* csr2 = extension ? + (CertificateStatusRequestItemV2*)extension->data : NULL; if (!csr2) { /* look at context level */ extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST_V2); - csr2 = extension ? extension->data : NULL; + csr2 = extension ? + (CertificateStatusRequestItemV2*)extension->data : NULL; if (!csr2) return BUFFER_ERROR; /* unexpected extension */ @@ -2459,7 +2453,7 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length, /* propagate nonce */ if (csr2->request.ocsp[0].nonceSz) { OcspRequest* request = - TLSX_CSR2_GetRequest(ssl->extensions, + (OcspRequest*)TLSX_CSR2_GetRequest(ssl->extensions, csr2->status_type, 0); if (request) { @@ -2567,7 +2561,8 @@ int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer, void* heap) { TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); - CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; + CertificateStatusRequestItemV2* csr2 = extension ? + (CertificateStatusRequestItemV2*)extension->data : NULL; int ret = 0; for (; csr2; csr2 = csr2->next) { @@ -2602,13 +2597,15 @@ int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer, } } + (void)cert; return ret; } void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte index) { TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); - CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; + CertificateStatusRequestItemV2* csr2 = extension ? + (CertificateStatusRequestItemV2*)extension->data : NULL; for (; csr2; csr2 = csr2->next) { if (csr2->status_type == status_type) { @@ -2632,7 +2629,8 @@ void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte index) int TLSX_CSR2_ForceRequest(WOLFSSL* ssl) { TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); - CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; + CertificateStatusRequestItemV2* csr2 = extension ? + (CertificateStatusRequestItemV2*)extension->data : NULL; /* forces only the first one */ if (csr2) { @@ -3292,7 +3290,8 @@ int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap) static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl) { TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET); - SessionTicket* ticket = extension ? extension->data : NULL; + SessionTicket* ticket = extension ? + (SessionTicket*)extension->data : NULL; if (ticket) { /* TODO validate ticket timeout here! */ @@ -4086,11 +4085,12 @@ void TLSX_FreeAll(TLSX* list, void* heap) break; case TLSX_STATUS_REQUEST: - CSR_FREE_ALL(extension->data, heap); + CSR_FREE_ALL((CertificateStatusRequest*)extension->data, heap); break; case TLSX_STATUS_REQUEST_V2: - CSR2_FREE_ALL(extension->data, heap); + CSR2_FREE_ALL((CertificateStatusRequestItemV2*)extension->data, + heap); break; case TLSX_RENEGOTIATION_INFO: @@ -4163,19 +4163,24 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) break; case TLSX_STATUS_REQUEST: - length += CSR_GET_SIZE(extension->data, isRequest); + length += CSR_GET_SIZE( + (CertificateStatusRequest*)extension->data, isRequest); break; case TLSX_STATUS_REQUEST_V2: - length += CSR2_GET_SIZE(extension->data, isRequest); + length += CSR2_GET_SIZE( + (CertificateStatusRequestItemV2*)extension->data, + isRequest); break; case TLSX_RENEGOTIATION_INFO: - length += SCR_GET_SIZE(extension->data, isRequest); + length += SCR_GET_SIZE((SecureRenegotiation*)extension->data, + isRequest); break; case TLSX_SESSION_TICKET: - length += STK_GET_SIZE(extension->data, isRequest); + length += STK_GET_SIZE((SessionTicket*)extension->data, + isRequest); break; case TLSX_QUANTUM_SAFE_HYBRID: @@ -4241,23 +4246,24 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, break; case TLSX_STATUS_REQUEST: - offset += CSR_WRITE(extension->data, output + offset, - isRequest); + offset += CSR_WRITE((CertificateStatusRequest*)extension->data, + output + offset, isRequest); break; case TLSX_STATUS_REQUEST_V2: - offset += CSR2_WRITE(extension->data, output + offset, - isRequest); + offset += CSR2_WRITE( + (CertificateStatusRequestItemV2*)extension->data, + output + offset, isRequest); break; case TLSX_RENEGOTIATION_INFO: - offset += SCR_WRITE(extension->data, output + offset, - isRequest); + offset += SCR_WRITE((SecureRenegotiation*)extension->data, + output + offset, isRequest); break; case TLSX_SESSION_TICKET: - offset += STK_WRITE(extension->data, output + offset, - isRequest); + offset += STK_WRITE((SessionTicket*)extension->data, + output + offset, isRequest); break; case TLSX_QUANTUM_SAFE_HYBRID: diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index 5e7757bde..bcbd307da 100644 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -166,8 +166,9 @@ int main(int argc, char** argv) printf("Enter the interface number (1-%d): ", i); ret = scanf("%d", &inum); - if (ret != 1) + if (ret != 1) { printf("scanf port failed\n"); + } if (inum < 1 || inum > i) err_sys("Interface number out of range"); diff --git a/support/wolfssl.pc b/support/wolfssl.pc index 7970b1466..41636af6d 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.9.10 +Version: 3.10.0 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/tests/api.c b/tests/api.c index fa04d30bb..b3c8c1cf7 100644 --- a/tests/api.c +++ b/tests/api.c @@ -62,6 +62,10 @@ #ifdef OPENSSL_EXTRA #include #include + #include + #include + #include + #include #ifndef NO_DES3 #include #endif @@ -555,7 +559,6 @@ static void test_wolfSSL_SetTmpDH_buffer(void) wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); - printf("SUCCESS4\n"); #endif } @@ -659,12 +662,17 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) #endif ((func_args*)args)->return_code = TEST_FAIL; - method = wolfSSLv23_server_method(); + if (((func_args*)args)->callbacks != NULL && + ((func_args*)args)->callbacks->method != NULL) { + method = ((func_args*)args)->callbacks->method(); + } + else { + method = wolfSSLv23_server_method(); + } ctx = wolfSSL_CTX_new(method); #if defined(USE_WINDOWS_API) - /* Generate random port for testing */ - port = GetRandomPort(); + port = ((func_args*)args)->signal->port; #elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) /* Let tcp_listen assign port */ @@ -802,7 +810,13 @@ static void test_client_nofail(void* args) #endif ((func_args*)args)->return_code = TEST_FAIL; - method = wolfSSLv23_client_method(); + if (((func_args*)args)->callbacks != NULL && + ((func_args*)args)->callbacks->method != NULL) { + method = ((func_args*)args)->callbacks->method(); + } + else { + method = wolfSSLv23_client_method(); + } ctx = wolfSSL_CTX_new(method); #ifdef OPENSSL_EXTRA @@ -911,8 +925,7 @@ static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args) ((func_args*)args)->return_code = TEST_FAIL; #if defined(USE_WINDOWS_API) - /* Generate random port for testing */ - port = GetRandomPort(); + port = ((func_args*)args)->signal->port; #elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \ !defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS) /* Let tcp_listen assign port */ @@ -1168,6 +1181,8 @@ static void test_wolfSSL_read_write(void) func_args server_args; THREAD_TYPE serverThread; + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); #ifdef WOLFSSL_TIRTOS fdOpenSession(Task_self()); #endif @@ -1175,6 +1190,11 @@ static void test_wolfSSL_read_write(void) StartTCP(); InitTcpReady(&ready); +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif + server_args.signal = &ready; client_args.signal = &ready; @@ -1212,7 +1232,14 @@ static void test_wolfSSL_dtls_export(void) InitTcpReady(&ready); +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif + /* set using dtls */ + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); XMEMSET(&server_cbf, 0, sizeof(callback_functions)); XMEMSET(&client_cbf, 0, sizeof(callback_functions)); server_cbf.method = wolfDTLSv1_2_server_method; @@ -1256,6 +1283,9 @@ static void test_wolfSSL_client_server(callback_functions* client_callbacks, func_args server_args; THREAD_TYPE serverThread; + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); + StartTCP(); client_args.callbacks = client_callbacks; @@ -1267,6 +1297,12 @@ static void test_wolfSSL_client_server(callback_functions* client_callbacks, /* RUN Server side */ InitTcpReady(&ready); + +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif + server_args.signal = &ready; client_args.signal = &ready; start_thread(run_wolfssl_server, &server_args, &serverThread); @@ -1984,7 +2020,7 @@ static void test_wolfSSL_DisableExtendedMasterSecret(void) *----------------------------------------------------------------------------*/ static void test_wolfSSL_X509_NAME_get_entry(void) { -#ifndef NO_CERTS +#if !defined(NO_CERTS) && !defined(NO_RSA) #if defined(OPENSSL_EXTRA) && (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)) \ && (defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE)) printf(testingFmt, "wolfSSL_X509_NAME_get_entry()"); @@ -2032,7 +2068,7 @@ static void test_wolfSSL_PKCS12(void) { /* .p12 file is encrypted with DES3 */ #if defined(OPENSSL_EXTRA) && !defined(NO_DES3) && !defined(NO_FILESYSTEM) && \ - !defined(NO_ASN) && !defined(NO_PWDBASED) + !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA) byte buffer[5300]; char file[] = "./certs/test-servercert.p12"; FILE *f; @@ -3106,12 +3142,12 @@ static void test_wolfSSL_DES(void) /* check, check of odd parity */ XMEMSET(key, 4, sizeof(DES_key_schedule)); key[0] = 3; /*set even parity*/ XMEMSET(myDes, 5, sizeof(const_DES_cblock)); - DES_set_key_checked(&myDes, &key); + AssertIntEQ(DES_set_key_checked(&myDes, &key), -1); AssertIntNE(key[0], myDes[0]); /* should not have copied over key */ /* set odd parity for success case */ key[0] = 4; - DES_set_key_checked(&myDes, &key); + AssertIntEQ(DES_set_key_checked(&myDes, &key), 0); for (i = 0; i < sizeof(DES_key_schedule); i++) { AssertIntEQ(key[i], myDes[i]); } @@ -3119,7 +3155,7 @@ static void test_wolfSSL_DES(void) /* check weak key */ XMEMSET(key, 1, sizeof(DES_key_schedule)); XMEMSET(myDes, 5, sizeof(const_DES_cblock)); - DES_set_key_checked(&myDes, &key); + AssertIntEQ(DES_set_key_checked(&myDes, &key), -2); AssertIntNE(key[0], myDes[0]); /* should not have copied over key */ /* now do unchecked copy of a weak key over */ @@ -3133,6 +3169,745 @@ static void test_wolfSSL_DES(void) #endif /* defined(OPENSSL_EXTRA) && !defined(NO_DES3) */ } + +static void test_wolfSSL_certs(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509* x509; + WOLFSSL* ssl; + WOLFSSL_CTX* ctx; + STACK_OF(ASN1_OBJECT)* sk; + int crit; + + printf(testingFmt, "wolfSSL_certs()"); + + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM)); + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM)); + AssertNotNull(ssl = SSL_new(ctx)); + + AssertIntEQ(wolfSSL_check_private_key(ssl), SSL_SUCCESS); + + #ifdef HAVE_PK_CALLBACKS + AssertIntEQ((int)SSL_set_tlsext_debug_arg(ssl, NULL), SSL_SUCCESS); + #endif /* HAVE_PK_CALLBACKS */ + + /* create and use x509 */ + x509 = wolfSSL_X509_load_certificate_file(cliCert, SSL_FILETYPE_PEM); + AssertNotNull(x509); + AssertIntEQ(SSL_use_certificate(ssl, x509), SSL_SUCCESS); + + #ifndef HAVE_USER_RSA + /* with loading in a new cert the check on private key should now fail */ + AssertIntNE(wolfSSL_check_private_key(ssl), SSL_SUCCESS); + #endif + + + #if defined(USE_CERT_BUFFERS_2048) + AssertIntEQ(SSL_use_certificate_ASN1(ssl, + (unsigned char*)server_cert_der_2048, + sizeof_server_cert_der_2048), SSL_SUCCESS); + #endif + + #if !defined(NO_SHA) && !defined(NO_SHA256) + /************* Get Digest of Certificate ******************/ + { + byte digest[64]; /* max digest size */ + word32 digestSz; + + XMEMSET(digest, 0, sizeof(digest)); + AssertIntEQ(X509_digest(x509, wolfSSL_EVP_sha1(), digest, &digestSz), + SSL_SUCCESS); + AssertIntEQ(X509_digest(x509, wolfSSL_EVP_sha256(), digest, &digestSz), + SSL_SUCCESS); + + AssertIntEQ(X509_digest(NULL, wolfSSL_EVP_sha1(), digest, &digestSz), + SSL_FAILURE); + } + #endif /* !NO_SHA && !NO_SHA256*/ + + /* test and checkout X509 extensions */ + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_basic_constraints, + &crit, NULL); + AssertNotNull(sk); + AssertIntEQ(crit, 0); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_key_usage, + &crit, NULL); + /* AssertNotNull(sk); NID not yet supported */ + AssertIntEQ(crit, -1); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_ext_key_usage, + &crit, NULL); + /* AssertNotNull(sk); no extension set */ + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, + NID_authority_key_identifier, &crit, NULL); + AssertNotNull(sk); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, + NID_private_key_usage_period, &crit, NULL); + /* AssertNotNull(sk); NID not yet supported */ + AssertIntEQ(crit, -1); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_subject_alt_name, + &crit, NULL); + /* AssertNotNull(sk); no alt names set */ + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_issuer_alt_name, + &crit, NULL); + /* AssertNotNull(sk); NID not yet supported */ + AssertIntEQ(crit, -1); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_info_access, &crit, + NULL); + /* AssertNotNull(sk); no auth info set */ + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_sinfo_access, + &crit, NULL); + /* AssertNotNull(sk); NID not yet supported */ + AssertIntEQ(crit, -1); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_name_constraints, + &crit, NULL); + /* AssertNotNull(sk); NID not yet supported */ + AssertIntEQ(crit, -1); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, + NID_certificate_policies, &crit, NULL); + #if !defined(WOLFSSL_SEP) && !defined(WOLFSSL_CERT_EXT) + AssertNull(sk); + #else + /* AssertNotNull(sk); no cert policy set */ + #endif + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_policy_mappings, + &crit, NULL); + /* AssertNotNull(sk); NID not yet supported */ + AssertIntEQ(crit, -1); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_policy_constraints, + &crit, NULL); + /* AssertNotNull(sk); NID not yet supported */ + AssertIntEQ(crit, -1); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_inhibit_any_policy, + &crit, NULL); + /* AssertNotNull(sk); NID not yet supported */ + AssertIntEQ(crit, -1); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_tlsfeature, &crit, + NULL); + /* AssertNotNull(sk); NID not yet supported */ + AssertIntEQ(crit, -1); + wolfSSL_sk_ASN1_OBJECT_free(sk); + + /* test invalid cases */ + crit = 0; + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, -1, &crit, NULL); + AssertNull(sk); + AssertIntEQ(crit, -1); + sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(NULL, NID_tlsfeature, + NULL, NULL); + AssertNull(sk); + + AssertIntEQ(SSL_get_hit(ssl), 0); + X509_free(x509); + SSL_free(ssl); + SSL_CTX_free(ctx); + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ +} + + +static void test_wolfSSL_private_keys(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + WOLFSSL* ssl; + WOLFSSL_CTX* ctx; + EVP_PKEY* pkey = NULL; + + printf(testingFmt, "wolfSSL_private_keys()"); + + OpenSSL_add_all_digests(); + OpenSSL_add_all_algorithms(); + + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM)); + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM)); + AssertNotNull(ssl = SSL_new(ctx)); + + AssertIntEQ(wolfSSL_check_private_key(ssl), SSL_SUCCESS); + +#ifdef USE_CERT_BUFFERS_2048 + { + const unsigned char* server_key = (const unsigned char*)server_key_der_2048; + + AssertIntEQ(SSL_use_RSAPrivateKey_ASN1(ssl, + (unsigned char*)client_key_der_2048, + sizeof_client_key_der_2048), SSL_SUCCESS); +#ifndef HAVE_USER_RSA + /* Should missmatch now that a different private key loaded */ + AssertIntNE(wolfSSL_check_private_key(ssl), SSL_SUCCESS); +#endif + + AssertIntEQ(SSL_use_PrivateKey_ASN1(0, ssl, + (unsigned char*)server_key, + sizeof_server_key_der_2048), SSL_SUCCESS); + /* After loading back in DER format of original key, should match */ + AssertIntEQ(wolfSSL_check_private_key(ssl), SSL_SUCCESS); + + /* pkey not set yet, expecting to fail */ + AssertIntEQ(SSL_use_PrivateKey(ssl, pkey), SSL_FAILURE); + + /* set PKEY and test again */ + AssertNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, + &server_key, (long)sizeof_server_key_der_2048)); + AssertIntEQ(SSL_use_PrivateKey(ssl, pkey), SSL_SUCCESS); + } +#endif + + + EVP_PKEY_free(pkey); + SSL_free(ssl); /* frees x509 also since loaded into ssl */ + SSL_CTX_free(ctx); + + /* test existence of no-op macros in wolfssl/openssl/ssl.h */ + CONF_modules_free(); + ENGINE_cleanup(); + CONF_modules_unload(); + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ +} + + +static void test_wolfSSL_PEM_PrivateKey(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \ + (defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN)) && \ + defined(USE_CERT_BUFFERS_2048) + const unsigned char* server_key = (const unsigned char*)server_key_der_2048; + EVP_PKEY* pkey = NULL; + BIO* bio; + + printf(testingFmt, "wolfSSL_PEM_PrivateKey()"); + + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); + AssertNotNull(bio); + + AssertNotNull(wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, &pkey, + &server_key, (long)sizeof_server_key_der_2048)); + AssertIntEQ(PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL), + SSL_SUCCESS); + + BIO_free(bio); + EVP_PKEY_free(pkey); + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ +} + + +static void test_wolfSSL_tmp_dh(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_DSA) && !defined(NO_RSA) + byte buffer[5300]; + char file[] = "./certs/dsaparams.pem"; + FILE *f; + int bytes; + DSA* dsa; + DH* dh; + BIO* bio; + SSL* ssl; + SSL_CTX* ctx; + + printf(testingFmt, "wolfSSL_tmp_dh()"); + + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM)); + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM)); + AssertNotNull(ssl = SSL_new(ctx)); + + f = fopen(file, "rb"); + AssertNotNull(f); + bytes = (int)fread(buffer, 1, sizeof(buffer), f); + fclose(f); + + bio = BIO_new_mem_buf((void*)buffer, bytes); + AssertNotNull(bio); + + dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL); + AssertNotNull(dsa); + + dh = wolfSSL_DSA_dup_DH(dsa); + AssertNotNull(dh); + + AssertIntEQ((int)SSL_CTX_set_tmp_dh(ctx, dh), SSL_SUCCESS); + AssertIntEQ((int)SSL_set_tmp_dh(ssl, dh), SSL_SUCCESS); + + BIO_free(bio); + DSA_free(dsa); + DH_free(dh); + SSL_free(ssl); + SSL_CTX_free(ctx); + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) */ +} + +static void test_wolfSSL_ctrl(void) +{ + #if defined(OPENSSL_EXTRA) + byte buffer[5300]; + BIO* bio; + int bytes; + BUF_MEM* ptr = NULL; + + printf(testingFmt, "wolfSSL_crtl()"); + + bytes = sizeof(buffer); + bio = BIO_new_mem_buf((void*)buffer, bytes); + AssertNotNull(bio); + AssertNotNull(BIO_s_socket()); + + AssertIntEQ((int)wolfSSL_BIO_get_mem_ptr(bio, &ptr), SSL_SUCCESS); + + /* needs tested after stubs filled out @TODO + SSL_ctrl + SSL_CTX_ctrl + */ + + BIO_free(bio); + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) */ +} + + +static void test_wolfSSL_CTX_add_extra_chain_cert(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + char caFile[] = "./certs/client-ca.pem"; + char clientFile[] = "./certs/client-cert.pem"; + SSL_CTX* ctx; + X509* x509 = NULL; + + printf(testingFmt, "wolfSSL_CTX_add_extra_chain_cert()"); + + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + + x509 = wolfSSL_X509_load_certificate_file(caFile, SSL_FILETYPE_PEM); + AssertNotNull(x509); + AssertIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), SSL_SUCCESS); + + x509 = wolfSSL_X509_load_certificate_file(clientFile, SSL_FILETYPE_PEM); + AssertNotNull(x509); + AssertIntEQ((int)SSL_CTX_add_extra_chain_cert(ctx, x509), SSL_SUCCESS); + + AssertNull(SSL_CTX_get_default_passwd_cb(ctx)); + AssertNull(SSL_CTX_get_default_passwd_cb_userdata(ctx)); + + SSL_CTX_free(ctx); + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ +} + + +static void test_wolfSSL_ERR_peek_last_error_line(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && defined(DEBUG_WOLFSSL) + tcp_ready ready; + func_args client_args; + func_args server_args; + THREAD_TYPE serverThread; + callback_functions client_cb; + callback_functions server_cb; + int line = 0; + const char* file = NULL; + + printf(testingFmt, "wolfSSL_ERR_peek_last_error_line()"); + + /* create a failed connection and inspect the error */ +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); + + StartTCP(); + InitTcpReady(&ready); + + client_cb.method = wolfTLSv1_1_client_method; + server_cb.method = wolfTLSv1_2_server_method; + + server_args.signal = &ready; + server_args.callbacks = &server_cb; + client_args.signal = &ready; + client_args.callbacks = &client_cb; + + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); + test_client_nofail(&client_args); + join_thread(serverThread); + + FreeTcpReady(&ready); + + /* check that error code was stored */ + AssertIntNE((int)ERR_peek_last_error_line(NULL, NULL), 0); + ERR_peek_last_error_line(NULL, &line); + AssertIntNE(line, 0); + ERR_peek_last_error_line(&file, NULL); + AssertNotNull(file); + +#ifdef WOLFSSL_TIRTOS + fdOpenSession(Task_self()); +#endif + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(DEBUG_WOLFSSL) */ +} + + +static void test_wolfSSL_X509_STORE_set_flags(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + + X509_STORE* store; + X509* x509; + + printf(testingFmt, "wolfSSL_ERR_peek_last_error_line()"); + AssertNotNull((store = wolfSSL_X509_STORE_new())); + AssertNotNull((x509 = + wolfSSL_X509_load_certificate_file(svrCert, SSL_FILETYPE_PEM))); + AssertIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS); + +#ifdef HAVE_CRL + AssertIntEQ(X509_STORE_set_flags(store, WOLFSSL_CRL_CHECKALL), SSL_SUCCESS); +#else + AssertIntEQ(X509_STORE_set_flags(store, WOLFSSL_CRL_CHECKALL), + NOT_COMPILED_IN); +#endif + + wolfSSL_X509_free(x509); + wolfSSL_X509_STORE_free(store); + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ +} + + +static void test_wolfSSL_BN(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_ASN) + BIGNUM* a; + BIGNUM* b; + BIGNUM* c; + BIGNUM* d; + ASN1_INTEGER ai; + unsigned char value[1]; + + printf(testingFmt, "wolfSSL_BN()"); + + AssertNotNull(b = BN_new()); + AssertNotNull(c = BN_new()); + AssertNotNull(d = BN_new()); + + value[0] = 0x03; + + /* at the moment hard setting since no set function */ + ai.data[0] = 0x02; /* tag for ASN_INTEGER */ + ai.data[1] = 0x01; /* length of integer */ + ai.data[2] = value[0]; + + AssertNotNull(a = ASN1_INTEGER_to_BN(&ai, NULL)); + + value[0] = 0x02; + AssertNotNull(BN_bin2bn(value, sizeof(value), b)); + + value[0] = 0x05; + AssertNotNull(BN_bin2bn(value, sizeof(value), c)); + + /* a^b mod c = */ + AssertIntEQ(BN_mod_exp(d, NULL, b, c, NULL), SSL_FAILURE); + AssertIntEQ(BN_mod_exp(d, a, b, c, NULL), SSL_SUCCESS); + + /* check result 3^2 mod 5 */ + value[0] = 0; + AssertIntEQ(BN_bn2bin(d, value), SSL_SUCCESS); + AssertIntEQ((int)(value[0] & 0x04), 4); + + BN_free(a); + BN_free(b); + BN_free(c); + BN_clear_free(d); + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_ASN) */ +} + + +static void test_wolfSSL_set_options(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + SSL* ssl; + SSL_CTX* ctx; + + printf(testingFmt, "wolfSSL_set_options()"); + + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM)); + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM)); + AssertNotNull(ssl = SSL_new(ctx)); + + AssertTrue(SSL_set_options(ssl, SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1); + AssertTrue(SSL_get_options(ssl) == SSL_OP_NO_TLSv1); + + AssertIntGT((int)SSL_set_options(ssl, (SSL_OP_COOKIE_EXCHANGE | + SSL_OP_NO_SSLv2)), 0); + AssertTrue((SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE) & + SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE); + AssertTrue((SSL_set_options(ssl, SSL_OP_NO_TLSv1_2) & + SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2); + AssertTrue((SSL_set_options(ssl, SSL_OP_NO_COMPRESSION) & + SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION); + + SSL_free(ssl); + SSL_CTX_free(ctx); + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ +} + + +static void test_wolfSSL_PEM_read_bio(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + byte buffer[5300]; + FILE *f; + int bytes; + X509* x509; + BIO* bio = NULL; + + printf(testingFmt, "wolfSSL_PEM_read_bio()"); + + AssertNotNull(f = fopen(cliCert, "rb")); + bytes = (int)fread(buffer, 1, sizeof(buffer), f); + fclose(f); + + AssertNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); + AssertNotNull(bio = BIO_new_mem_buf((void*)buffer, bytes)); + AssertNotNull(x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)); + AssertIntEQ((int)BIO_set_fd(bio, 0, BIO_NOCLOSE), 1); + + BIO_free(bio); + X509_free(x509); + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ +} + + +static void test_wolfSSL_BIO(void) +{ + #if defined(OPENSSL_EXTRA) + byte buffer[20]; + BIO* bio1; + BIO* bio2; + BIO* bio3; + char* bufPt; + int i; + + printf(testingFmt, "wolfSSL_BIO()"); + + for (i = 0; i < 20; i++) { + buffer[i] = i; + } + + /* Creating and testing type BIO_s_bio */ + AssertNotNull(bio1 = BIO_new(BIO_s_bio())); + AssertNotNull(bio2 = BIO_new(BIO_s_bio())); + AssertNotNull(bio3 = BIO_new(BIO_s_bio())); + + /* read/write before set up */ + AssertIntEQ(BIO_read(bio1, buffer, 2), WOLFSSL_BIO_UNSET); + AssertIntEQ(BIO_write(bio1, buffer, 2), WOLFSSL_BIO_UNSET); + + AssertIntEQ(BIO_set_write_buf_size(bio1, 20), SSL_SUCCESS); + AssertIntEQ(BIO_set_write_buf_size(bio2, 8), SSL_SUCCESS); + AssertIntEQ(BIO_make_bio_pair(bio1, bio2), SSL_SUCCESS); + + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 10), 10); + XMEMCPY(bufPt, buffer, 10); + AssertIntEQ(BIO_write(bio1, buffer + 10, 10), 10); + /* write buffer full */ + AssertIntEQ(BIO_write(bio1, buffer, 10), WOLFSSL_BIO_ERROR); + AssertIntEQ(BIO_flush(bio1), SSL_SUCCESS); + AssertIntEQ((int)BIO_ctrl_pending(bio1), 0); + + /* write the other direction with pair */ + AssertIntEQ((int)BIO_nwrite(bio2, &bufPt, 10), 8); + XMEMCPY(bufPt, buffer, 8); + AssertIntEQ(BIO_write(bio2, buffer, 10), WOLFSSL_BIO_ERROR); + + /* try read */ + AssertIntEQ((int)BIO_ctrl_pending(bio1), 8); + AssertIntEQ((int)BIO_ctrl_pending(bio2), 20); + + AssertIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20); + for (i = 0; i < 20; i++) { + AssertIntEQ((int)bufPt[i], i); + } + AssertIntEQ(BIO_nread(bio2, &bufPt, 1), WOLFSSL_BIO_ERROR); + AssertIntEQ(BIO_nread(bio1, &bufPt, (int)BIO_ctrl_pending(bio1)), 8); + for (i = 0; i < 8; i++) { + AssertIntEQ((int)bufPt[i], i); + } + AssertIntEQ(BIO_nread(bio1, &bufPt, 1), WOLFSSL_BIO_ERROR); + AssertIntEQ(BIO_ctrl_reset_read_request(bio1), 1); + + /* new pair */ + AssertIntEQ(BIO_make_bio_pair(bio1, bio3), SSL_FAILURE); + BIO_free(bio2); /* free bio2 and automaticly remove from pair */ + AssertIntEQ(BIO_make_bio_pair(bio1, bio3), SSL_SUCCESS); + AssertIntEQ((int)BIO_ctrl_pending(bio3), 0); + AssertIntEQ(BIO_nread(bio3, &bufPt, 10), WOLFSSL_BIO_ERROR); + + /* test wrap around... */ + AssertIntEQ(BIO_reset(bio1), 0); + AssertIntEQ(BIO_reset(bio3), 0); + + /* fill write buffer, read only small amount then write again */ + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + XMEMCPY(bufPt, buffer, 20); + AssertIntEQ(BIO_nread(bio3, &bufPt, 4), 4); + for (i = 0; i < 4; i++) { + AssertIntEQ(bufPt[i], i); + } + + /* try writing over read index */ + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 5), 4); + XMEMSET(bufPt, 0, 4); + AssertIntEQ((int)BIO_ctrl_pending(bio3), 20); + + /* read and write 0 bytes */ + AssertIntEQ(BIO_nread(bio3, &bufPt, 0), 0); + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 0), 0); + + /* should read only to end of write buffer then need to read again */ + AssertIntEQ(BIO_nread(bio3, &bufPt, 20), 16); + for (i = 0; i < 16; i++) { + AssertIntEQ(bufPt[i], buffer[4 + i]); + } + + AssertIntEQ(BIO_nread(bio3, NULL, 0), SSL_FAILURE); + AssertIntEQ(BIO_nread0(bio3, &bufPt), 4); + for (i = 0; i < 4; i++) { + AssertIntEQ(bufPt[i], 0); + } + + /* read index should not have advanced with nread0 */ + AssertIntEQ(BIO_nread(bio3, &bufPt, 5), 4); + for (i = 0; i < 4; i++) { + AssertIntEQ(bufPt[i], 0); + } + + /* write and fill up buffer checking reset of index state */ + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + XMEMCPY(bufPt, buffer, 20); + + /* test reset on data in bio1 write buffer */ + AssertIntEQ(BIO_reset(bio1), 0); + AssertIntEQ((int)BIO_ctrl_pending(bio3), 0); + AssertIntEQ(BIO_nread(bio3, &bufPt, 3), WOLFSSL_BIO_ERROR); + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 20), 20); + XMEMCPY(bufPt, buffer, 20); + AssertIntEQ(BIO_nread(bio3, &bufPt, 6), 6); + for (i = 0; i < 6; i++) { + AssertIntEQ(bufPt[i], i); + } + + /* test case of writing twice with offset read index */ + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 3), 3); + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), 3); /* try overwriting */ + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + AssertIntEQ(BIO_nread(bio3, &bufPt, 0), 0); + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + AssertIntEQ(BIO_nread(bio3, &bufPt, 1), 1); + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), 1); + AssertIntEQ(BIO_nwrite(bio1, &bufPt, 4), WOLFSSL_BIO_ERROR); + + BIO_free(bio1); + BIO_free(bio3); + + /* BIOs with file pointers */ + #if !defined(NO_FILESYSTEM) + { + XFILE f1; + XFILE f2; + BIO* f_bio1; + BIO* f_bio2; + unsigned char cert[300]; + char testFile[] = "tests/bio_write_test.txt"; + char msg[] = "bio_write_test.txt contains the first 300 bytes of certs/server-cert.pem\ncreated by tests/unit.test\n\n"; + + AssertNotNull(f_bio1 = BIO_new(BIO_s_file())); + AssertNotNull(f_bio2 = BIO_new(BIO_s_file())); + + AssertIntEQ((int)BIO_set_mem_eof_return(f_bio1, -1), 0); + AssertIntEQ((int)BIO_set_mem_eof_return(NULL, -1), 0); + + f1 = XFOPEN(svrCert, "rwb"); + AssertIntEQ((int)BIO_set_fp(f_bio1, f1, BIO_CLOSE), SSL_SUCCESS); + AssertIntEQ(BIO_write_filename(f_bio2, testFile), + SSL_SUCCESS); + + AssertIntEQ(BIO_read(f_bio1, cert, sizeof(cert)), sizeof(cert)); + AssertIntEQ(BIO_write(f_bio2, msg, sizeof(msg)), sizeof(msg)); + AssertIntEQ(BIO_write(f_bio2, cert, sizeof(cert)), sizeof(cert)); + + AssertIntEQ((int)BIO_get_fp(f_bio2, &f2), SSL_SUCCESS); + AssertIntEQ(BIO_reset(f_bio2), 0); + AssertIntEQ(BIO_seek(f_bio2, 4), 0); + + BIO_free(f_bio1); + BIO_free(f_bio2); + } + #endif /* !defined(NO_FILESYSTEM) */ + + printf(resultFmt, passed); + #endif +} + + /*----------------------------------------------------------------------------* | Main *----------------------------------------------------------------------------*/ @@ -3178,6 +3953,18 @@ void ApiTest(void) /* compatibility tests */ test_wolfSSL_DES(); + test_wolfSSL_certs(); + test_wolfSSL_private_keys(); + test_wolfSSL_PEM_PrivateKey(); + test_wolfSSL_tmp_dh(); + test_wolfSSL_ctrl(); + test_wolfSSL_CTX_add_extra_chain_cert(); + test_wolfSSL_ERR_peek_last_error_line(); + test_wolfSSL_X509_STORE_set_flags(); + test_wolfSSL_BN(); + test_wolfSSL_set_options(); + test_wolfSSL_PEM_read_bio(); + test_wolfSSL_BIO(); AssertIntEQ(test_wolfSSL_Cleanup(), SSL_SUCCESS); diff --git a/tests/include.am b/tests/include.am index 63768e663..8368b49ce 100644 --- a/tests/include.am +++ b/tests/include.am @@ -23,5 +23,6 @@ EXTRA_DIST += tests/test.conf \ tests/test-qsh.conf \ tests/test-psk-no-id.conf \ tests/test-dtls.conf \ + tests/test-sctp.conf \ tests/test-sig.conf DISTCLEANFILES+= tests/.libs/unit.test diff --git a/tests/srp.c b/tests/srp.c index 3314a69b6..0ca2a2b70 100644 --- a/tests/srp.c +++ b/tests/srp.c @@ -117,8 +117,8 @@ static void test_SrpInit(void) /* invalid params */ AssertIntEQ(BAD_FUNC_ARG, wc_SrpInit(NULL, SRP_TYPE_SHA, SRP_CLIENT_SIDE)); - AssertIntEQ(BAD_FUNC_ARG, wc_SrpInit(&srp, 255, SRP_CLIENT_SIDE)); - AssertIntEQ(BAD_FUNC_ARG, wc_SrpInit(&srp, SRP_TYPE_SHA, 255 )); + AssertIntEQ(BAD_FUNC_ARG, wc_SrpInit(&srp, (SrpType)255, SRP_CLIENT_SIDE)); + AssertIntEQ(BAD_FUNC_ARG, wc_SrpInit(&srp, SRP_TYPE_SHA, (SrpSide)255)); /* success */ AssertIntEQ(0, wc_SrpInit(&srp, SRP_TYPE_SHA, SRP_CLIENT_SIDE)); @@ -240,8 +240,8 @@ static void test_SrpSetPassword(void) static void test_SrpGetPublic(void) { Srp srp; - byte public[64]; - word32 publicSz = 0; + byte pub[64]; + word32 pubSz = 0; AssertIntEQ(0, wc_SrpInit(&srp, SRP_TYPE_SHA, SRP_CLIENT_SIDE)); AssertIntEQ(0, wc_SrpSetUsername(&srp, username, usernameSz)); @@ -250,23 +250,23 @@ static void test_SrpGetPublic(void) salt, sizeof(salt))); /* invalid call order */ - AssertIntEQ(SRP_CALL_ORDER_E, wc_SrpGetPublic(&srp, public, &publicSz)); + AssertIntEQ(SRP_CALL_ORDER_E, wc_SrpGetPublic(&srp, pub, &pubSz)); /* fix call order */ AssertIntEQ(0, wc_SrpSetPassword(&srp, password, passwordSz)); /* invalid params */ - AssertIntEQ(BAD_FUNC_ARG, wc_SrpGetPublic(NULL, public, &publicSz)); - AssertIntEQ(BAD_FUNC_ARG, wc_SrpGetPublic(&srp, NULL, &publicSz)); - AssertIntEQ(BAD_FUNC_ARG, wc_SrpGetPublic(&srp, public, NULL)); - AssertIntEQ(BUFFER_E, wc_SrpGetPublic(&srp, public, &publicSz)); + AssertIntEQ(BAD_FUNC_ARG, wc_SrpGetPublic(NULL, pub, &pubSz)); + AssertIntEQ(BAD_FUNC_ARG, wc_SrpGetPublic(&srp, NULL, &pubSz)); + AssertIntEQ(BAD_FUNC_ARG, wc_SrpGetPublic(&srp, pub, NULL)); + AssertIntEQ(BUFFER_E, wc_SrpGetPublic(&srp, pub, &pubSz)); /* success */ - publicSz = sizeof(public); + pubSz = sizeof(pub); AssertIntEQ(0, wc_SrpSetPrivate(&srp, a, sizeof(a))); - AssertIntEQ(0, wc_SrpGetPublic(&srp, public, &publicSz)); - AssertIntEQ(publicSz, sizeof(A)); - AssertIntEQ(0, XMEMCMP(public, A, publicSz)); + AssertIntEQ(0, wc_SrpGetPublic(&srp, pub, &pubSz)); + AssertIntEQ(pubSz, sizeof(A)); + AssertIntEQ(0, XMEMCMP(pub, A, pubSz)); wc_SrpTerm(&srp); @@ -277,16 +277,16 @@ static void test_SrpGetPublic(void) salt, sizeof(salt))); /* invalid call order */ - AssertIntEQ(SRP_CALL_ORDER_E, wc_SrpGetPublic(&srp, public, &publicSz)); + AssertIntEQ(SRP_CALL_ORDER_E, wc_SrpGetPublic(&srp, pub, &pubSz)); /* fix call order */ AssertIntEQ(0, wc_SrpSetVerifier(&srp, verifier, sizeof(verifier))); /* success */ AssertIntEQ(0, wc_SrpSetPrivate(&srp, b, sizeof(b))); - AssertIntEQ(0, wc_SrpGetPublic(&srp, public, &publicSz)); - AssertIntEQ(publicSz, sizeof(B)); - AssertIntEQ(0, XMEMCMP(public, B, publicSz)); + AssertIntEQ(0, wc_SrpGetPublic(&srp, pub, &pubSz)); + AssertIntEQ(pubSz, sizeof(B)); + AssertIntEQ(0, XMEMCMP(pub, B, pubSz)); wc_SrpTerm(&srp); } diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index c1f1f74e8..cdd8d30fb 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -1959,6 +1959,9 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, checkAESNI = 1; } if (haveAESNI) { + #ifdef WOLFSSL_AES_COUNTER + aes->left = 0; + #endif /* WOLFSSL_AES_COUNTER */ aes->use_aesni = 1; if (iv) XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE); @@ -2842,6 +2845,33 @@ int wc_InitAes_h(Aes* aes, void* h) #endif /* AES-CBC block */ #endif /* HAVE_AES_CBC */ +#ifdef HAVE_AES_ECB +int wc_AesEcbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) +{ + if ((in == NULL) || (out == NULL) || (aes == NULL)) + return BAD_FUNC_ARG; + while (sz>0) { + wc_AesEncryptDirect(aes, out, in); + out += AES_BLOCK_SIZE; + in += AES_BLOCK_SIZE; + sz -= AES_BLOCK_SIZE; + } + return 0; +} +int wc_AesEcbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz) +{ + if ((in == NULL) || (out == NULL) || (aes == NULL)) + return BAD_FUNC_ARG; + while (sz>0) { + wc_AesDecryptDirect(aes, out, in); + out += AES_BLOCK_SIZE; + in += AES_BLOCK_SIZE; + sz -= AES_BLOCK_SIZE; + } + return 0; +} +#endif + /* AES-CTR */ #ifdef WOLFSSL_AES_COUNTER diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d5b99a0b0..32f355455 100755 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -96,13 +96,6 @@ ASN Options: #endif -#ifndef TRUE - #define TRUE 1 -#endif -#ifndef FALSE - #define FALSE 0 -#endif - #ifndef NO_ASN_TIME #if defined(USER_TIME) /* user time, and gmtime compatible functions, there is a gmtime @@ -410,7 +403,7 @@ time_t XTIME(time_t * timer) static INLINE word32 btoi(byte b) { - return b - 0x30; + return (word32)(b - 0x30); } @@ -1963,6 +1956,14 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz) return ASN_PARSE_E; } + if (length > MAX_IV_SIZE) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return ASN_PARSE_E; + } + XMEMCPY(cbcIv, &input[inOutIdx], length); inOutIdx += length; } @@ -2552,6 +2553,10 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) #ifdef OPENSSL_EXTRA XMEMSET(&cert->issuerName, 0, sizeof(DecodedName)); XMEMSET(&cert->subjectName, 0, sizeof(DecodedName)); + cert->extCRLdistSet = 0; + cert->extCRLdistCrit = 0; + cert->extAuthInfoSet = 0; + cert->extAuthInfoCrit = 0; cert->extBasicConstSet = 0; cert->extBasicConstCrit = 0; cert->extSubjAltNameSet = 0; @@ -5198,11 +5203,19 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case CRL_DIST_OID: + #ifdef OPENSSL_EXTRA + cert->extCRLdistSet = 1; + cert->extCRLdistCrit = critical; + #endif if (DecodeCrlDist(&input[idx], length, cert) < 0) return ASN_PARSE_E; break; case AUTH_INFO_OID: + #ifdef OPENSSL_EXTRA + cert->extAuthInfoSet = 1; + cert->extAuthInfoCrit = critical; + #endif if (DecodeAuthInfo(&input[idx], length, cert) < 0) return ASN_PARSE_E; break; @@ -5726,6 +5739,8 @@ const char* BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----"; const char* END_CERT_REQ = "-----END CERTIFICATE REQUEST-----"; const char* BEGIN_DH_PARAM = "-----BEGIN DH PARAMETERS-----"; const char* END_DH_PARAM = "-----END DH PARAMETERS-----"; +const char* BEGIN_DSA_PARAM = "-----BEGIN DSA PARAMETERS-----"; +const char* END_DSA_PARAM = "-----END DSA PARAMETERS-----"; const char* BEGIN_X509_CRL = "-----BEGIN X509 CRL-----"; const char* END_X509_CRL = "-----END X509 CRL-----"; const char* BEGIN_RSA_PRIV = "-----BEGIN RSA PRIVATE KEY-----"; @@ -5854,6 +5869,20 @@ int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz, headerLen = (int)XSTRLEN(header); footerLen = (int)XSTRLEN(footer); + /* if null output and 0 size passed in then return size needed */ + if (!output && outSz == 0) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + outLen = 0; + if ((err = Base64_Encode(der, derSz, NULL, (word32*)&outLen)) + != LENGTH_ONLY_E) { + return err; + } + return headerLen + footerLen + outLen; + } + if (!der || !output) { #ifdef WOLFSSL_SMALL_STACK XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -6244,18 +6273,6 @@ int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen) #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) - -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - - /* Initialize and Set Certificate defaults: version = 3 (0x2) serial = 0 @@ -9966,7 +9983,7 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) /* Nonces are not critical. The responder may not necessarily add * the nonce to the response. */ - if (req->nonceSz && resp->nonceSz != 0) { + if (resp->nonceSz != 0) { cmp = req->nonceSz - resp->nonceSz; if (cmp != 0) { diff --git a/wolfcrypt/src/cmac.c b/wolfcrypt/src/cmac.c index 6c7c88dc9..79b13fc43 100644 --- a/wolfcrypt/src/cmac.c +++ b/wolfcrypt/src/cmac.c @@ -40,17 +40,6 @@ #include -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - - static void ShiftAndXorRb(byte* out, byte* in) { int i, j, xorRb; diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c index 4fc510154..005b03f33 100644 --- a/wolfcrypt/src/des3.c +++ b/wolfcrypt/src/des3.c @@ -76,6 +76,10 @@ int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz) return Des_EcbEncrypt(des, out, in, sz); } +int wc_Des3_EcbEncrypt(Des3* des, byte* out, const byte* in, word32 sz) +{ + return Des3_EcbEncrypt(des, out, in, sz); +} #endif /* WOLFSSL_DES_ECB */ @@ -1617,6 +1621,10 @@ int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz) { word32 blocks = sz / DES_BLOCK_SIZE; + if (des == NULL || out == NULL || in == NULL) { + return BAD_FUNC_ARG; + } + while (blocks--) { DesProcessBlock(des, in, out); @@ -1626,6 +1634,25 @@ int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz) return 0; } +int wc_Des3_EcbEncrypt(Des3* des, byte* out, const byte* in, word32 sz) +{ + word32 blocks = sz / DES_BLOCK_SIZE; + /* printf("wc_Des3_EcbEncrypt(%016x, %016x, %d)\n", + *(unsigned long *)in, *(unsigned long *)out, sz) ; */ + + if (des == NULL || out == NULL || in == NULL) { + return BAD_FUNC_ARG; + } + + while (blocks--) { + Des3ProcessBlock(des, in, out); + + out += DES_BLOCK_SIZE; + in += DES_BLOCK_SIZE; + } + return 0; +} + #endif /* WOLFSSL_DES_ECB */ #endif /* End wolfCrypt software implementation */ diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c index b300e5e0d..15b557a76 100644 --- a/wolfcrypt/src/dh.c +++ b/wolfcrypt/src/dh.c @@ -30,6 +30,15 @@ #include #include +#include + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + #if !defined(USER_MATH_LIB) && !defined(WOLFSSL_DH_CONST) #include @@ -40,17 +49,6 @@ #endif -#if !defined(WOLFSSL_HAVE_MIN) && !defined(WOLFSSL_DH_CONST) -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - - void wc_InitDhKey(DhKey* key) { (void)key; @@ -185,7 +183,7 @@ int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv, { int ret = 0; - mp_int x; + mp_int x; mp_int y; mp_int z; diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c index d9ba8ac03..eaac64346 100644 --- a/wolfcrypt/src/dsa.c +++ b/wolfcrypt/src/dsa.c @@ -35,6 +35,13 @@ #include #include +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + enum { DSA_HALF_SIZE = 20, /* r and s size */ @@ -42,16 +49,6 @@ enum { }; -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - void wc_InitDsaKey(DsaKey* key) { diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index ecdc408a2..01ba38cc6 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -982,24 +982,6 @@ static int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id) #ifndef WOLFSSL_ATECC508A -/* helper for either lib */ -static int get_digit_count(mp_int* a) -{ - if (a == NULL) - return 0; - - return a->used; -} - -/* helper for either lib */ -static mp_digit get_digit(mp_int* a, int n) -{ - if (a == NULL) - return 0; - - return (n >= a->used || n < 0) ? 0 : a->dp[n]; -} - /** Add two ECC points P The point to add @@ -3873,9 +3855,9 @@ int wc_ecc_export_x963_ex(ecc_key* key, byte* out, word32* outLen, #ifdef HAVE_COMP_KEY else return wc_ecc_export_x963_compressed(key, out, outLen); -#endif - +#else return NOT_COMPILED_IN; +#endif } #endif /* HAVE_ECC_KEY_EXPORT */ @@ -5239,7 +5221,8 @@ static int add_entry(int idx, ecc_point *g) static int build_lut(int idx, mp_int* a, mp_int* modulus, mp_digit mp, mp_int* mu) { - unsigned x, y, err, bitlen, lut_gap; + int err; + unsigned x, y, bitlen, lut_gap; mp_int tmp; if (mp_init(&tmp) != MP_OKAY) @@ -5385,8 +5368,8 @@ static int accel_fp_mul(int idx, mp_int* k, ecc_point *R, mp_int* a, #else unsigned char kb[KB_SIZE]; #endif - int x; - unsigned y, z = 0, err, bitlen, bitpos, lut_gap, first; + int x, err; + unsigned y, z = 0, bitlen, bitpos, lut_gap, first; mp_int tk, order; if (mp_init_multi(&tk, &order, NULL, NULL, NULL, NULL) != MP_OKAY) @@ -5534,8 +5517,8 @@ static int accel_fp_mul2add(int idx1, int idx2, #else unsigned char kb[2][KB_SIZE]; #endif - int x; - unsigned y, z, err, bitlen, bitpos, lut_gap, first, zA, zB; + int x, err; + unsigned y, z, bitlen, bitpos, lut_gap, first, zA, zB; mp_int tka, tkb, order; if (mp_init_multi(&tka, &tkb, &order, NULL, NULL, NULL) != MP_OKAY) @@ -6982,16 +6965,6 @@ int wc_ecc_set_custom_curve(ecc_key* key, const ecc_set_type* dp) #ifdef HAVE_X963_KDF -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - static INLINE void IncrementX963KdfCounter(byte* inOutCtr) { int i; diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 9a030bdc6..2de4e7c0a 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -401,6 +401,9 @@ const char* wc_GetErrorString(int error) case ASN_PATHLEN_INV_E: return "ASN CA path length larger than signer error"; + case BAD_KEYWRAP_ALG_E: + return "Unsupported key wrap algorithm error"; + case BAD_KEYWRAP_IV_E: return "Decrypted AES key wrap IV does not match expected"; diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c new file mode 100644 index 000000000..fb9e56edc --- /dev/null +++ b/wolfcrypt/src/evp.c @@ -0,0 +1,535 @@ +/* evp.c + * + * Copyright (C) 2006-2016 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +static unsigned int cipherType(const WOLFSSL_EVP_CIPHER *cipher); + +WOLFSSL_API int wolfSSL_EVP_EncryptInit(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + unsigned char* key, unsigned char* iv) +{ + return wolfSSL_EVP_CipherInit(ctx, type, key, iv, 1); +} + +WOLFSSL_API int wolfSSL_EVP_EncryptInit_ex(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + WOLFSSL_ENGINE *impl, + unsigned char* key, unsigned char* iv) +{ + (void) impl; + return wolfSSL_EVP_CipherInit(ctx, type, key, iv, 1); +} + +WOLFSSL_API int wolfSSL_EVP_DecryptInit(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + unsigned char* key, unsigned char* iv) +{ + WOLFSSL_ENTER("wolfSSL_EVP_CipherInit"); + return wolfSSL_EVP_CipherInit(ctx, type, key, iv, 0); +} + +WOLFSSL_API int wolfSSL_EVP_DecryptInit_ex(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + WOLFSSL_ENGINE *impl, + unsigned char* key, unsigned char* iv) +{ + (void) impl; + WOLFSSL_ENTER("wolfSSL_EVP_DecryptInit"); + return wolfSSL_EVP_CipherInit(ctx, type, key, iv, 0); +} + +WOLFSSL_API WOLFSSL_EVP_CIPHER_CTX *wolfSSL_EVP_CIPHER_CTX_new(void) +{ + WOLFSSL_EVP_CIPHER_CTX *ctx = (WOLFSSL_EVP_CIPHER_CTX*)XMALLOC(sizeof *ctx, + NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (ctx){ + WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_new"); + wolfSSL_EVP_CIPHER_CTX_init(ctx); + } + return ctx; +} + +WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_free(WOLFSSL_EVP_CIPHER_CTX *ctx) +{ + if (ctx) { + WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_free"); + wolfSSL_EVP_CIPHER_CTX_cleanup(ctx); + XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } +} + +WOLFSSL_API unsigned long wolfSSL_EVP_CIPHER_CTX_mode(const WOLFSSL_EVP_CIPHER_CTX *ctx) +{ + if (ctx == NULL) return 0; + return ctx->flags & WOLFSSL_EVP_CIPH_MODE; +} + +WOLFSSL_API int wolfSSL_EVP_EncryptFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl) +{ + if (ctx && ctx->enc){ + WOLFSSL_ENTER("wolfSSL_EVP_EncryptFinal"); + return wolfSSL_EVP_CipherFinal(ctx, out, outl); + } + else + return 0; +} + + +WOLFSSL_API int wolfSSL_EVP_CipherInit_ex(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + WOLFSSL_ENGINE *impl, + unsigned char* key, unsigned char* iv, + int enc) +{ + (void)impl; + return wolfSSL_EVP_CipherInit(ctx, type, key, iv, enc); +} + +WOLFSSL_API int wolfSSL_EVP_EncryptFinal_ex(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl) +{ + if (ctx && ctx->enc){ + WOLFSSL_ENTER("wolfSSL_EVP_EncryptFinal_ex"); + return wolfSSL_EVP_CipherFinal(ctx, out, outl); + } + else + return 0; +} + +WOLFSSL_API int wolfSSL_EVP_DecryptFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl) +{ + if (ctx && ctx->enc) + return 0; + else{ + WOLFSSL_ENTER("wolfSSL_EVP_DecryptFinal"); + return wolfSSL_EVP_CipherFinal(ctx, out, outl); + } +} + +WOLFSSL_API int wolfSSL_EVP_DecryptFinal_ex(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl) +{ + if (ctx && ctx->enc) + return 0; + else{ + WOLFSSL_ENTER("wolfSSL_EVP_CipherFinal_ex"); + return wolfSSL_EVP_CipherFinal(ctx, out, outl); + } +} + + +WOLFSSL_API int wolfSSL_EVP_DigestInit_ex(WOLFSSL_EVP_MD_CTX* ctx, + const WOLFSSL_EVP_MD* type, + WOLFSSL_ENGINE *impl) +{ + (void) impl; + WOLFSSL_ENTER("wolfSSL_EVP_DigestInit_ex"); + return wolfSSL_EVP_DigestInit(ctx, type); +} + +#ifdef DEBUG_WOLFSSL_EVP +#define PRINT_BUF(b, sz) { int i; for(i=0; i<(sz); i++){printf("%02x(%c),", (b)[i], (b)[i]); if((i+1)%8==0)printf("\n");}} +#else +#define PRINT_BUF(b, sz) +#endif + +static int fillBuff(WOLFSSL_EVP_CIPHER_CTX *ctx, const unsigned char *in, int sz) +{ + int fill; + + if (sz > 0) { + if ((sz+ctx->bufUsed) > ctx->block_size) { + fill = ctx->block_size - ctx->bufUsed; + } else { + fill = sz; + } + XMEMCPY(&(ctx->buf[ctx->bufUsed]), in, fill); + ctx->bufUsed += fill; + return fill; + } else return 0; +} + +static int evpCipherBlock(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, + const unsigned char *in, int inl) +{ + switch (ctx->cipherType) { + #if !defined(NO_AES) && defined(HAVE_AES_CBC) + case AES_128_CBC_TYPE: + case AES_192_CBC_TYPE: + case AES_256_CBC_TYPE: + if (ctx->enc) + wc_AesCbcEncrypt(&ctx->cipher.aes, out, in, inl); + else + wc_AesCbcDecrypt(&ctx->cipher.aes, out, in, inl); + break; + #endif + #if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) + case AES_128_CTR_TYPE: + case AES_192_CTR_TYPE: + case AES_256_CTR_TYPE: + if (ctx->enc) + wc_AesCtrEncrypt(&ctx->cipher.aes, out, in, inl); + else + wc_AesCtrEncrypt(&ctx->cipher.aes, out, in, inl); + break; + #endif + #if !defined(NO_AES) && defined(HAVE_AES_ECB) + case AES_128_ECB_TYPE: + case AES_192_ECB_TYPE: + case AES_256_ECB_TYPE: + if (ctx->enc) + wc_AesEcbEncrypt(&ctx->cipher.aes, out, in, inl); + else + wc_AesEcbDecrypt(&ctx->cipher.aes, out, in, inl); + break; + #endif + #ifndef NO_DES3 + case DES_CBC_TYPE: + if (ctx->enc) + wc_Des_CbcEncrypt(&ctx->cipher.des, out, in, inl); + else + wc_Des_CbcDecrypt(&ctx->cipher.des, out, in, inl); + break; + case DES_EDE3_CBC_TYPE: + if (ctx->enc) + wc_Des3_CbcEncrypt(&ctx->cipher.des3, out, in, inl); + else + wc_Des3_CbcDecrypt(&ctx->cipher.des3, out, in, inl); + break; + #if defined(WOLFSSL_DES_ECB) + case DES_ECB_TYPE: + wc_Des_EcbEncrypt(&ctx->cipher.des, out, in, inl); + break; + case DES_EDE3_ECB_TYPE: + if (ctx->enc) + wc_Des3_EcbEncrypt(&ctx->cipher.des3, out, in, inl); + else + wc_Des3_EcbEncrypt(&ctx->cipher.des3, out, in, inl); + break; + #endif + #endif + default: + return 0; + } + (void)in; + (void)inl; + (void)out; + return 1; +} + +WOLFSSL_API int wolfSSL_EVP_CipherUpdate(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl, + const unsigned char *in, int inl) +{ + int blocks; + int fill; + + if (ctx == NULL) return BAD_FUNC_ARG; + WOLFSSL_ENTER("wolfSSL_EVP_CipherUpdate"); + *outl = 0; + if (ctx->bufUsed > 0) { /* concatinate them if there is anything */ + fill = fillBuff(ctx, in, inl); + inl -= fill; + in += fill; + } + if((ctx->enc == 0)&& (ctx->lastUsed == 1)){ + PRINT_BUF(ctx->lastBlock, ctx->block_size); + XMEMCPY(out, ctx->lastBlock, ctx->block_size); + *outl+= ctx->block_size; + out += ctx->block_size; + } + if ((ctx->bufUsed == ctx->block_size) || (ctx->flags & WOLFSSL_EVP_CIPH_NO_PADDING)){ + /* the buff is full, flash out */ + PRINT_BUF(ctx->buf, ctx->block_size); + if (evpCipherBlock(ctx, out, ctx->buf, ctx->block_size) == 0) + return 0; + PRINT_BUF(out, ctx->block_size); + if(ctx->enc == 0){ + ctx->lastUsed = 1; + XMEMCPY(ctx->lastBlock, out, ctx->block_size); + } else { + *outl+= ctx->block_size; + out += ctx->block_size; + } + ctx->bufUsed = 0; + } + + blocks = inl / ctx->block_size; + if (blocks > 0) { + /* process blocks */ + if (evpCipherBlock(ctx, out, ctx->buf, blocks) == 0) + return 0; + PRINT_BUF(ctx->buf, ctx->block_size); + PRINT_BUF(out, ctx->block_size); + inl -= ctx->block_size * blocks; + in += ctx->block_size * blocks; + if(ctx->enc == 0){ + ctx->lastUsed = 1; + XMEMCPY(ctx->lastBlock, &out[ctx->block_size * (blocks-1)], ctx->block_size); + *outl+= ctx->block_size * (blocks-1); + } else { + *outl+= ctx->block_size * blocks; + } + } + if (inl > 0) { + /* put fraction into buff */ + fillBuff(ctx, in, inl); + /* no increase of outl */ + } + + (void)out; /* silence warning in case not read */ + + return 1; +} + +static void padBlock(WOLFSSL_EVP_CIPHER_CTX *ctx) +{ + int i; + for (i = ctx->bufUsed; i < ctx->block_size; i++) + ctx->buf[i] = (byte)(ctx->block_size - ctx->bufUsed); +} + +static int checkPad(WOLFSSL_EVP_CIPHER_CTX *ctx, unsigned char *buff) +{ + int i; + int n; + n = buff[ctx->block_size-1]; + + if (n > ctx->block_size) return FALSE; + for (i = 0; i < n; i++){ + if (buff[ctx->block_size-i-1] != n) + return FALSE; + } + return ctx->block_size - n; +} + +WOLFSSL_API int wolfSSL_EVP_CipherFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl) +{ + int fl ; + if (ctx == NULL) return BAD_FUNC_ARG; + WOLFSSL_ENTER("wolfSSL_EVP_CipherFinal"); + if (ctx->flags & WOLFSSL_EVP_CIPH_NO_PADDING) { + *outl = 0; + return 1; + } + if (ctx->enc) { + if (ctx->bufUsed > 0) { + padBlock(ctx); + PRINT_BUF(ctx->buf, ctx->block_size); + if (evpCipherBlock(ctx, out, ctx->buf, ctx->block_size) == 0) + return 0; + PRINT_BUF(out, ctx->block_size); + *outl = ctx->block_size; + } + } else { + if (ctx->lastUsed){ + PRINT_BUF(ctx->lastBlock, ctx->block_size); + if ((fl = checkPad(ctx, ctx->lastBlock)) >= 0) { + XMEMCPY(out, ctx->lastBlock, fl); + *outl = fl; + } else return 0; + } + } + return 1; +} + +WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_block_size(const WOLFSSL_EVP_CIPHER_CTX *ctx) +{ + if (ctx == NULL) return BAD_FUNC_ARG; + switch (ctx->cipherType) { + +#if !defined(NO_AES) && defined(HAVE_AES_CBC) + case AES_128_CBC_TYPE: + case AES_192_CBC_TYPE: + case AES_256_CBC_TYPE: +#endif +#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) + case AES_128_CTR_TYPE: + case AES_192_CTR_TYPE: + case AES_256_CTR_TYPE: +#endif +#if !defined(NO_AES) + case AES_128_ECB_TYPE: + case AES_192_ECB_TYPE: + case AES_256_ECB_TYPE: +#endif +#ifndef NO_DES3 + case DES_CBC_TYPE: + case DES_ECB_TYPE: + case DES_EDE3_CBC_TYPE: + case DES_EDE3_ECB_TYPE: +#endif + return ctx->block_size; + default: + return 0; + } +} + +static unsigned int cipherType(const WOLFSSL_EVP_CIPHER *cipher) +{ + if (cipher == NULL) return 0; /* dummy for #ifdef */ + #ifndef NO_DES3 + else if (XSTRNCMP(cipher, EVP_DES_CBC, EVP_DES_SIZE) == 0) + return DES_CBC_TYPE; + else if (XSTRNCMP(cipher, EVP_DES_EDE3_CBC, EVP_DES_EDE3_SIZE) == 0) + return DES_EDE3_CBC_TYPE; + #if !defined(NO_DES3) + else if (XSTRNCMP(cipher, EVP_DES_ECB, EVP_DES_SIZE) == 0) + return DES_ECB_TYPE; + else if (XSTRNCMP(cipher, EVP_DES_EDE3_ECB, EVP_DES_EDE3_SIZE) == 0) + return DES_EDE3_ECB_TYPE; + #endif /* NO_DES3 && HAVE_AES_ECB */ + #endif + + #if !defined(NO_AES) && defined(HAVE_AES_CBC) + else if (XSTRNCMP(cipher, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) + return AES_128_CBC_TYPE; + else if (XSTRNCMP(cipher, EVP_AES_192_CBC, EVP_AES_SIZE) == 0) + return AES_192_CBC_TYPE; + else if (XSTRNCMP(cipher, EVP_AES_256_CBC, EVP_AES_SIZE) == 0) + return AES_256_CBC_TYPE; + #endif /* !NO_AES && HAVE_AES_CBC */ + #if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) + else if (XSTRNCMP(cipher, EVP_AES_128_CTR, EVP_AES_SIZE) == 0) + return AES_128_CTR_TYPE; + else if (XSTRNCMP(cipher, EVP_AES_192_CTR, EVP_AES_SIZE) == 0) + return AES_192_CTR_TYPE; + else if (XSTRNCMP(cipher, EVP_AES_256_CTR, EVP_AES_SIZE) == 0) + return AES_256_CTR_TYPE; + #endif /* !NO_AES && HAVE_AES_CBC */ + #if !defined(NO_AES) && defined(HAVE_AES_ECB) + else if (XSTRNCMP(cipher, EVP_AES_128_ECB, EVP_AES_SIZE) == 0) + return AES_128_ECB_TYPE; + else if (XSTRNCMP(cipher, EVP_AES_192_ECB, EVP_AES_SIZE) == 0) + return AES_192_ECB_TYPE; + else if (XSTRNCMP(cipher, EVP_AES_256_ECB, EVP_AES_SIZE) == 0) + return AES_256_ECB_TYPE; + #endif /* !NO_AES && HAVE_AES_CBC */ + else return 0; +} + +WOLFSSL_API int wolfSSL_EVP_CIPHER_block_size(const WOLFSSL_EVP_CIPHER *cipher) +{ + if (cipher == NULL) return BAD_FUNC_ARG; + switch (cipherType(cipher)) { + #if !defined(NO_AES) && defined(HAVE_AES_CBC) + case AES_128_CBC_TYPE: + case AES_192_CBC_TYPE: + case AES_256_CBC_TYPE: + return AES_BLOCK_SIZE; + #endif + #if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) + case AES_128_CTR_TYPE: + case AES_192_CTR_TYPE: + case AES_256_CTR_TYPE: + return AES_BLOCK_SIZE; + #endif + #if !defined(NO_AES) && defined(HAVE_AES_ECB) + case AES_128_ECB_TYPE: + case AES_192_ECB_TYPE: + case AES_256_ECB_TYPE: + return AES_BLOCK_SIZE; + #endif + #ifndef NO_DES3 + case DES_CBC_TYPE: return 8; + case DES_EDE3_CBC_TYPE: return 8; + case DES_ECB_TYPE: return 8; + case DES_EDE3_ECB_TYPE: return 8; + #endif + default: + return 0; + } +} + +unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher) +{ + switch (cipherType(cipher)) { + #if !defined(NO_AES) && defined(HAVE_AES_CBC) + case AES_128_CBC_TYPE: + case AES_192_CBC_TYPE: + case AES_256_CBC_TYPE: + return WOLFSSL_EVP_CIPH_CBC_MODE ; + #endif + #if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) + case AES_128_CTR_TYPE: + case AES_192_CTR_TYPE: + case AES_256_CTR_TYPE: + return WOLFSSL_EVP_CIPH_CTR_MODE ; + #endif + #if !defined(NO_AES) + case AES_128_ECB_TYPE: + case AES_192_ECB_TYPE: + case AES_256_ECB_TYPE: + return WOLFSSL_EVP_CIPH_ECB_MODE ; + #endif + #ifndef NO_DES3 + case DES_CBC_TYPE: + case DES_EDE3_CBC_TYPE: + return WOLFSSL_EVP_CIPH_CBC_MODE ; + case DES_ECB_TYPE: + case DES_EDE3_ECB_TYPE: + return WOLFSSL_EVP_CIPH_ECB_MODE ; + #endif + default: + return 0; + } +} + +WOLFSSL_API unsigned long WOLFSSL_EVP_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher) +{ + if (cipher == NULL) return 0; + return WOLFSSL_CIPHER_mode(cipher); +} + +WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags) +{ + if (ctx != NULL) { + ctx->flags = flags; + } +} + +WOLFSSL_API unsigned long wolfSSL_EVP_CIPHER_flags(const WOLFSSL_EVP_CIPHER *cipher) +{ + if (cipher == NULL) return 0; + return WOLFSSL_CIPHER_mode(cipher); +} + +WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_set_padding(WOLFSSL_EVP_CIPHER_CTX *ctx, int padding) +{ + if (ctx == NULL) return BAD_FUNC_ARG; + if (padding) { + ctx->flags &= ~WOLFSSL_EVP_CIPH_NO_PADDING; + } + else { + ctx->flags |= WOLFSSL_EVP_CIPH_NO_PADDING; + } + return 1; +} + +WOLFSSL_API int wolfSSL_EVP_add_digest(const WOLFSSL_EVP_MD *digest) +{ + (void)digest; + /* nothing to do */ + return 0; +} diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index 8f42a94a1..0d7ed7ee1 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -30,6 +30,14 @@ #include +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + + #ifdef HAVE_FIPS /* does init */ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 keySz) @@ -825,17 +833,6 @@ int wolfSSL_GetHmacMaxSize(void) #ifdef HAVE_HKDF -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - - /* HMAC-KDF with hash type, optional salt and info, return 0 on success */ int wc_HKDF(int type, const byte* inKey, word32 inKeySz, const byte* salt, word32 saltSz, @@ -860,13 +857,13 @@ int wc_HKDF(int type, const byte* inKey, word32 inKeySz, return BAD_FUNC_ARG; #ifdef WOLFSSL_SMALL_STACK - tmp = (byte*)XMALLOC(MAX_DIGEST_SIZE, myHmac.heap, DYNAMIC_TYPE_TMP_BUFFER); + tmp = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) return MEMORY_E; - prk = (byte*)XMALLOC(MAX_DIGEST_SIZE, myHmac.heap, DYNAMIC_TYPE_TMP_BUFFER); + prk = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (prk == NULL) { - XFREE(tmp, myHmac.heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } #endif @@ -918,8 +915,8 @@ int wc_HKDF(int type, const byte* inKey, word32 inKeySz, } #ifdef WOLFSSL_SMALL_STACK - XFREE(tmp, myHmac.heap, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(prk, myHmac.heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(prk, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index 714d5d434..81aa797db 100644 --- a/wolfcrypt/src/include.am +++ b/wolfcrypt/src/include.am @@ -1,7 +1,9 @@ # vim:ft=automake # All paths should be given relative to the root +EXTRA_DIST += src/bio.c EXTRA_DIST += wolfcrypt/src/misc.c +EXTRA_DIST += wolfcrypt/src/evp.c EXTRA_DIST += wolfcrypt/src/asm.c EXTRA_DIST += wolfcrypt/src/aes_asm.asm diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 9a4fac5f4..9307413b5 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -43,6 +43,11 @@ #ifdef DEBUG_WOLFSSL + #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) + volatile char wc_last_error_file[80]; + volatile unsigned long wc_last_error_line; + volatile unsigned long wc_last_error; + #endif /* Set these to default values initially. */ static wolfSSL_Logging_cb log_function = 0; @@ -198,11 +203,35 @@ void WOLFSSL_LEAVE(const char* msg, int ret) } +/* + * When using OPENSSL_EXTRA or DEBUG_WOLFSSL_VERBOSE macro then WOLFSSL_ERROR is + * mapped to new funtion WOLFSSL_ERROR_LINE which gets the line # and function + * name where WOLFSSL_ERROR is called at. + */ +#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) +void WOLFSSL_ERROR_LINE(int error, const char* func, unsigned int line, + const char* file, void* usrCtx) +#else void WOLFSSL_ERROR(int error) +#endif { if (loggingEnabled) { char buffer[80]; - sprintf(buffer, "wolfSSL error occurred, error = %d", error); + #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) + (void)usrCtx; /* a user ctx for future flexibility */ + (void)func; + if (error < 0) error = error - (2*error); /* get absolute value */ + wc_last_error = (unsigned long)error; + wc_last_error_line = (unsigned long)line; + XMEMSET((char*)wc_last_error_file, 0, sizeof(file)); + if (XSTRLEN(file) < sizeof(file)) { + XSTRNCPY((char*)wc_last_error_file, file, XSTRLEN(file)); + } + sprintf(buffer, "wolfSSL error occurred, error = %d line:%d file:%s", + error, line, file); + #else + sprintf(buffer, "wolfSSL error occurred, error = %d", error); + #endif wolfssl_log(ERROR_LOG , buffer); } } diff --git a/wolfcrypt/src/md4.c b/wolfcrypt/src/md4.c index 3b3ae9555..bac424065 100644 --- a/wolfcrypt/src/md4.c +++ b/wolfcrypt/src/md4.c @@ -37,17 +37,6 @@ #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - - void wc_InitMd4(Md4* md4) { md4->digest[0] = 0x67452301L; diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c index 525882fc8..a427de00c 100644 --- a/wolfcrypt/src/md5.c +++ b/wolfcrypt/src/md5.c @@ -170,16 +170,6 @@ #else /* Begin wolfCrypt software implementation */ -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - int wc_InitMd5(Md5* md5) { if (md5 == NULL) { diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c index cbd63c959..e1df3277c 100644 --- a/wolfcrypt/src/misc.c +++ b/wolfcrypt/src/misc.c @@ -50,6 +50,12 @@ #else + +#if defined(__ICCARM__) + #include +#endif + + #ifdef INTEL_INTRINSICS #include /* get intrinsic definitions */ @@ -210,6 +216,18 @@ STATIC INLINE int ConstantCompare(const byte* a, const byte* b, int length) return compareSum; } +#ifndef WOLFSSL_HAVE_MIN + #define WOLFSSL_HAVE_MIN + #if defined(HAVE_FIPS) && !defined(min) + #define min min + #endif + STATIC INLINE word32 min(word32 a, word32 b) + { + return a > b ? b : a; + } +#endif /* WOLFSSL_HAVE_MIN */ + + #undef STATIC diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 65351f09f..096d4c178 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -38,16 +38,6 @@ #include #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - /* direction for processing, encoding or decoding */ typedef enum { @@ -1079,6 +1069,7 @@ static int wc_PKCS7_KariKeyWrap(byte* cek, word32 cekSz, byte* kek, return BAD_FUNC_ARG; switch (keyWrapAlgo) { +#ifndef NO_AES case AES128_WRAP: case AES192_WRAP: case AES256_WRAP: @@ -1101,12 +1092,17 @@ static int wc_PKCS7_KariKeyWrap(byte* cek, word32 cekSz, byte* kek, return ret; break; +#endif /* NO_AES */ default: WOLFSSL_MSG("Unsupported key wrap algorithm"); - return BAD_FUNC_ARG; + return BAD_KEYWRAP_ALG_E; }; + (void)cekSz; + (void)kekSz; + (void)outSz; + (void)direction; return ret; } @@ -1409,7 +1405,8 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, int keyWrapOID, int keyEncOID) { int ret; - int kSz, kdfType; + int kSz; + enum wc_HashType kdfType; byte* secret; word32 secretSz; @@ -1451,6 +1448,7 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, } else { /* bad direction */ + XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return BAD_FUNC_ARG; } @@ -1515,7 +1513,7 @@ static int wc_CreateKeyAgreeRecipientInfo(PKCS7* pkcs7, const byte* cert, int* keyEncSz, byte* out, word32 outSz) { int ret = 0, idx = 0; - int keySz; + int keySz, direction = 0; /* ASN.1 layout */ int totalSz = 0; @@ -1561,6 +1559,20 @@ static int wc_CreateKeyAgreeRecipientInfo(PKCS7* pkcs7, const byte* cert, if (keyAgreeAlgo != ECDSAk) return BAD_FUNC_ARG; + /* set direction based on keyWrapAlgo */ + switch (keyWrapAlgo) { +#ifndef NO_AES + case AES128_WRAP: + case AES192_WRAP: + case AES256_WRAP: + direction = AES_ENCRYPTION; + break; +#endif + default: + WOLFSSL_MSG("Unsupported key wrap algorithm"); + return BAD_KEYWRAP_ALG_E; + } + kari = wc_PKCS7_KariNew(pkcs7, WC_PKCS7_ENCODE); if (kari == NULL) return MEMORY_E; @@ -1596,7 +1608,7 @@ static int wc_CreateKeyAgreeRecipientInfo(PKCS7* pkcs7, const byte* cert, /* encrypt CEK with KEK */ keySz = wc_PKCS7_KariKeyWrap(contentKeyPlain, blockKeySz, kari->kek, kari->kekSz, contentKeyEnc, *keyEncSz, keyWrapAlgo, - AES_ENCRYPTION); + direction); if (keySz <= 0) { wc_PKCS7_KariFree(kari); return ret; @@ -2102,13 +2114,15 @@ static int wc_PKCS7_GenerateIV(WC_RNG* rng, byte* iv, word32 ivSz) /* input RNG is optional, init local one if input rng is NULL */ if (rng == NULL) { - random = XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); + random = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); if (random == NULL) return MEMORY_E; ret = wc_InitRng(random); - if (ret != 0) + if (ret != 0) { + XFREE(random, NULL, DYNAMIC_TYPE_RNG); return ret; + } } else { random = rng; @@ -2836,6 +2850,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, { int ret, keySz; int encryptedKeySz; + int direction = 0; word32 keyAgreeOID, keyWrapOID; #ifdef WOLFSSL_SMALL_STACK @@ -2908,6 +2923,24 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, return ret; } + /* set direction based on key wrap algorithm */ + switch (keyWrapOID) { +#ifndef NO_AES + case AES128_WRAP: + case AES192_WRAP: + case AES256_WRAP: + direction = AES_DECRYPTION; + break; +#endif + default: + wc_PKCS7_KariFree(kari); + #ifdef WOLFSSL_SMALL_STACK + XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + #endif + WOLFSSL_MSG("AES key wrap algorithm unsupported"); + return BAD_KEYWRAP_ALG_E; + } + /* remove RecipientEncryptedKeys */ ret = wc_PKCS7_KariGetRecipientEncryptedKeys(kari, pkiMsg, pkiMsgSz, idx, recipFound, encryptedKey, &encryptedKeySz); @@ -2932,7 +2965,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, /* decrypt CEK with KEK */ keySz = wc_PKCS7_KariKeyWrap(encryptedKey, encryptedKeySz, kari->kek, kari->kekSz, decryptedKey, *decryptedKeySz, - keyWrapOID, AES_DECRYPTION); + keyWrapOID, direction); if (keySz <= 0) { wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK @@ -3147,13 +3180,17 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, blockKeySz = wc_PKCS7_GetOIDKeySize(encOID); if (blockKeySz < 0) { +#ifdef WOLFSSL_SMALL_STACK XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); +#endif return blockKeySz; } expBlockSz = wc_PKCS7_GetOIDBlockSize(encOID); if (expBlockSz < 0) { +#ifdef WOLFSSL_SMALL_STACK XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); +#endif return expBlockSz; } @@ -3525,9 +3562,9 @@ static int wc_PKCS7_DecodeUnprotectedAttributes(PKCS7* pkcs7, byte* pkiMsg, /* save attribute value bytes and size */ if (GetSet(pkiMsg, &idx, &length, pkiMsgSz) < 0) { - return ASN_PARSE_E; XFREE(attrib->oid, pkcs7->heap, DYNAMIC_TYPE_PKCS); XFREE(attrib, pkcs7->heap, DYNAMIC_TYPE_PKCS); + return ASN_PARSE_E; } if ((pkiMsgSz - idx) < (word32)length) { diff --git a/wolfcrypt/src/poly1305.c b/wolfcrypt/src/poly1305.c index 1b5bc2622..637106b63 100644 --- a/wolfcrypt/src/poly1305.c +++ b/wolfcrypt/src/poly1305.c @@ -68,9 +68,9 @@ } word128; #define MUL(out, x, y) out.lo = _umul128((x), (y), &out.hi) - #define ADD(out, in) { word64 t = out.lo; out.lo += in.lo; + #define ADD(out, in) { word64 t = out.lo; out.lo += in.lo; \ out.hi += (out.lo < t) + in.hi; } - #define ADDLO(out, in) { word64 t = out.lo; out.lo += in; + #define ADDLO(out, in) { word64 t = out.lo; out.lo += in; \ out.hi += (out.lo < t); } #define SHR(in, shift) (__shiftright128(in.lo, in.hi, (shift))) #define LO(in) (in.lo) diff --git a/wolfcrypt/src/port/arm/armv8-sha256.c b/wolfcrypt/src/port/arm/armv8-sha256.c index fdf2634bf..80f3a901a 100644 --- a/wolfcrypt/src/port/arm/armv8-sha256.c +++ b/wolfcrypt/src/port/arm/armv8-sha256.c @@ -38,27 +38,6 @@ #include #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - -#if !defined (ALIGN32) - #if defined (__GNUC__) - #define ALIGN32 __attribute__ ( (aligned (32))) - #elif defined(_MSC_VER) - /* disable align warning, we want alignment ! */ - #pragma warning(disable: 4324) - #define ALIGN32 __declspec (align (32)) - #else - #define ALIGN32 - #endif -#endif static const ALIGN32 word32 K[64] = { 0x428A2F98L, 0x71374491L, 0xB5C0FBCFL, 0xE9B5DBA5L, 0x3956C25BL, diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c index 7fcbf5cb6..68cb1cf45 100644 --- a/wolfcrypt/src/pwdbased.c +++ b/wolfcrypt/src/pwdbased.c @@ -59,16 +59,6 @@ #include #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - #ifndef NO_SHA /* PBKDF1 needs at least SHA available */ @@ -91,7 +81,7 @@ int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt, hLen = (int)MD5_DIGEST_SIZE; #endif - if (kLen > hLen) + if ((kLen > hLen) || (kLen < 0)) return BAD_FUNC_ARG; if (iterations < 1) diff --git a/wolfcrypt/src/ripemd.c b/wolfcrypt/src/ripemd.c index 9da179e4e..8cda86aef 100644 --- a/wolfcrypt/src/ripemd.c +++ b/wolfcrypt/src/ripemd.c @@ -38,15 +38,6 @@ #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ void wc_InitRipeMd(RipeMd* ripemd) { diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index df475d800..fba54b011 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -846,72 +846,6 @@ static int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out, return ret; } - -#ifdef WC_RSA_BLINDING - -/* helper for either lib */ -static int get_digit_count(mp_int* a) -{ - if (a == NULL) - return 0; - - return a->used; -} - - -static int get_rand_digit(WC_RNG* rng, mp_digit* d) -{ - return wc_RNG_GenerateBlock(rng, (byte*)d, sizeof(mp_digit)); -} - - -static int mp_rand(mp_int* a, int digits, WC_RNG* rng) -{ - int ret; - mp_digit d; - - if (rng == NULL) - return MISSING_RNG_E; - - if (a == NULL) - return BAD_FUNC_ARG; - - mp_zero(a); - if (digits <= 0) { - return MP_OKAY; - } - - /* first place a random non-zero digit */ - do { - ret = get_rand_digit(rng, &d); - if (ret != 0) { - return ret; - } - } while (d == 0); - - if ((ret = mp_add_d(a, d, a)) != MP_OKAY) { - return ret; - } - - while (--digits > 0) { - if ((ret = mp_lshd(a, 1)) != MP_OKAY) { - return ret; - } - if ((ret = get_rand_digit(rng, &d)) != 0) { - return ret; - } - if ((ret = mp_add_d(a, d, a)) != MP_OKAY) { - return ret; - } - } - - return ret; -} - - -#endif /* WC_RSA_BLINGING */ - - static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out, word32* outLen, int type, RsaKey* key, WC_RNG* rng) { diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 63c47cba1..079ee01c6 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -30,15 +30,6 @@ #if !defined(NO_SHA) #include -#include -#include - -#ifdef NO_INLINE - #include -#else - #define WOLFSSL_MISC_INCLUDED - #include -#endif /* fips wrapper calls, user can call direct */ @@ -69,6 +60,15 @@ #else /* else build without fips */ +#include +#include +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + /****************************************/ /* SHA Hardware Variations */ @@ -390,13 +390,6 @@ #endif /* !USE_CUSTOM_SHA_TRANSFORM */ -#ifndef WOLFSSL_HAVE_MIN - #define WOLFSSL_HAVE_MIN - static INLINE word32 min(word32 a, word32 b) { - return a > b ? b : a; - } -#endif /* WOLFSSL_HAVE_MIN */ - static INLINE void AddLength(Sha* sha, word32 len) { word32 tmp = sha->loLen; diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 287522b9f..2f9c52635 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -298,15 +298,6 @@ static void set_Transform(void) { #include "fsl_mmcau.h" #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ #ifdef FREESCALE_LTC_SHA int wc_InitSha256(Sha256* sha256) diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 0c971db33..6aeddf98a 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -99,16 +99,6 @@ int wc_Sha384Final(Sha384* sha, byte* out) #endif -#ifndef WOLFSSL_HAVE_MIN -#define WOLFSSL_HAVE_MIN - - static INLINE word32 min(word32 a, word32 b) - { - return a > b ? b : a; - } - -#endif /* WOLFSSL_HAVE_MIN */ - #if defined(USE_INTEL_SPEEDUP) #define HAVE_INTEL_AVX1 #define HAVE_INTEL_AVX2 diff --git a/wolfcrypt/src/srp.c b/wolfcrypt/src/srp.c index 246db1d70..480f81668 100644 --- a/wolfcrypt/src/srp.c +++ b/wolfcrypt/src/srp.c @@ -454,12 +454,12 @@ int wc_SrpSetVerifier(Srp* srp, const byte* verifier, word32 size) return mp_read_unsigned_bin(&srp->auth, verifier, size); } -int wc_SrpSetPrivate(Srp* srp, const byte* private, word32 size) +int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size) { mp_int p; int r; - if (!srp || !private || !size) + if (!srp || !priv || !size) return BAD_FUNC_ARG; if (mp_iszero(&srp->auth) == MP_YES) @@ -468,7 +468,7 @@ int wc_SrpSetPrivate(Srp* srp, const byte* private, word32 size) r = mp_init(&p); if (r != MP_OKAY) return MP_INIT_E; - if (!r) r = mp_read_unsigned_bin(&p, private, size); + if (!r) r = mp_read_unsigned_bin(&p, priv, size); if (!r) r = mp_mod(&p, &srp->N, &srp->priv); if (!r) r = mp_iszero(&srp->priv) == MP_YES ? SRP_BAD_KEY_E : 0; diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index e73135a60..499c6a6c0 100644 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -49,6 +49,7 @@ #include #include #include /* will define asm MACROS or C ones */ +#include /* common functions */ #if defined(FREESCALE_LTC_TFM) #include @@ -446,12 +447,11 @@ INLINE static void fp_mul_comba_mulx(fp_int *A, fp_int *B, fp_int *C) pa = FP_SIZE-1; } - if (A == C || B == C) { + /* Always take branch to use tmp variable. This avoids a cache attack for + * determining if C equals A */ + if (1) { fp_init(&tmp); dst = &tmp; - } else { - fp_zero(C); - dst = C; } TFM_INTEL_MUL_COMBA(A, B, dst) ; @@ -1005,12 +1005,12 @@ int fp_mulmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d) fp_init(&t); fp_mul(a, b, &t); -#ifdef ALT_ECC_SIZE - err = fp_mod(&t, c, &t); - fp_copy(&t, d); -#else - err = fp_mod(&t, c, d); -#endif + if (d->size < FP_SIZE) { + err = fp_mod(&t, c, &t); + fp_copy(&t, d); + } else { + err = fp_mod(&t, c, d); + } return err; } @@ -1023,12 +1023,12 @@ int fp_submod(fp_int *a, fp_int *b, fp_int *c, fp_int *d) fp_init(&t); fp_sub(a, b, &t); -#ifdef ALT_ECC_SIZE - err = fp_mod(&t, c, &t); - fp_copy(&t, d); -#else - err = fp_mod(&t, c, d); -#endif + if (d->size < FP_SIZE) { + err = fp_mod(&t, c, &t); + fp_copy(&t, d); + } else { + err = fp_mod(&t, c, d); + } return err; } @@ -1041,12 +1041,12 @@ int fp_addmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d) fp_init(&t); fp_add(a, b, &t); -#ifdef ALT_ECC_SIZE - err = fp_mod(&t, c, &t); - fp_copy(&t, d); -#else - err = fp_mod(&t, c, d); -#endif + if (d->size < FP_SIZE) { + err = fp_mod(&t, c, &t); + fp_copy(&t, d); + } else { + err = fp_mod(&t, c, d); + } return err; } @@ -2168,12 +2168,12 @@ void fp_sub_d(fp_int *a, fp_digit b, fp_int *c) fp_int tmp; fp_init(&tmp); fp_set(&tmp, b); -#ifdef ALT_ECC_SIZE - fp_sub(a, &tmp, &tmp); - fp_copy(&tmp, c); -#else - fp_sub(a, &tmp, c); - #endif + if (c->size < FP_SIZE) { + fp_sub(a, &tmp, &tmp); + fp_copy(&tmp, c); + } else { + fp_sub(a, &tmp, c); + } } @@ -2187,7 +2187,6 @@ int mp_init (mp_int * a) return MP_OKAY; } -#ifdef ALT_ECC_SIZE void fp_init(fp_int *a) { a->size = FP_SIZE; @@ -2207,7 +2206,6 @@ void fp_clear(fp_int *a) a->sign = FP_ZPOS; ForceZero(a->dp, a->size * sizeof(fp_digit)); } -#endif /* clear one (frees) */ @@ -2348,21 +2346,34 @@ int mp_div_2d(fp_int* a, int b, fp_int* c, fp_int* d) return MP_OKAY; } -#ifdef ALT_ECC_SIZE void fp_copy(fp_int *a, fp_int *b) { - if (a != b && b->size >= a->used) { - int x, oldused; - oldused = b->used; + /* if source and destination are different */ + if (a != b) { +#ifdef ALT_ECC_SIZE + /* verify a will fit in b */ + if (b->size >= a->used) { + int x, oldused; + oldused = b->used; + b->used = a->used; + b->sign = a->sign; + + XMEMCPY(b->dp, a->dp, a->used * sizeof(fp_digit)); + + /* zero any excess digits on the destination that we didn't write to */ + for (x = b->used; x < oldused; x++) { + b->dp[x] = 0; + } + } + else { + /* TODO: Handle error case */ + } +#else + /* all dp's are same size, so do straight copy */ b->used = a->used; b->sign = a->sign; - - XMEMCPY(b->dp, a->dp, a->used * sizeof(fp_digit)); - - /* zero any excess digits on the destination that we didn't write to */ - for (x = b->used; x < oldused; x++) { - b->dp[x] = 0; - } + XMEMCPY(b->dp, a->dp, FP_SIZE * sizeof(fp_digit)); +#endif } } @@ -2373,7 +2384,6 @@ void fp_init_copy(fp_int *a, fp_int* b) fp_copy(b, a); } } -#endif /* fast math wrappers */ int mp_copy(fp_int* a, fp_int* b) @@ -2433,12 +2443,14 @@ int fp_sqrmod(fp_int *a, fp_int *b, fp_int *c) fp_init(&t); fp_sqr(a, &t); -#ifdef ALT_ECC_SIZE - err = fp_mod(&t, b, &t); - fp_copy(&t, c); -#else - err = fp_mod(&t, b, c); -#endif + + if (c->size < FP_SIZE) { + err = fp_mod(&t, b, &t); + fp_copy(&t, c); + } + else { + err = fp_mod(&t, b, c); + } return err; } @@ -2851,7 +2863,7 @@ int fp_randprime(fp_int* N, int len, WC_RNG* rng, void* heap) XMEMSET(buf, 0, len); XFREE(buf, heap, DYNAMIC_TYPE_TMP_BUFFER); - + return FP_OKAY; } @@ -3173,14 +3185,9 @@ int mp_toradix (mp_int *a, char *str, int radix) void mp_dump(const char* desc, mp_int* a, byte verbose) { char buffer[FP_SIZE * sizeof(fp_digit) * 2]; - int size = FP_SIZE; - -#ifdef ALT_ECC_SIZE - size = a->size; -#endif printf("%s: ptr=%p, used=%d, sign=%d, size=%d, fpd=%d\n", - desc, a, a->used, a->sign, size, (int)sizeof(fp_digit)); + desc, a, a->used, a->sign, a->size, (int)sizeof(fp_digit)); mp_toradix(a, buffer, 16); printf(" %s\n ", buffer); diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 669298cb6..434248fd7 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -43,6 +43,10 @@ #include #endif +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) + #include +#endif + #ifdef _MSC_VER /* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */ #pragma warning(disable: 4996) @@ -89,6 +93,10 @@ int wolfCrypt_Init(void) WOLFSSL_MSG("Using ARM hardware acceleration"); #endif + #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) + wolfSSL_EVP_init(); + #endif + initRefCount = 1; } diff --git a/wolfcrypt/src/wolfmath.c b/wolfcrypt/src/wolfmath.c new file mode 100644 index 000000000..9b4ede53a --- /dev/null +++ b/wolfcrypt/src/wolfmath.c @@ -0,0 +1,104 @@ +/* wolfmath.c + * + * Copyright (C) 2006-2016 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + +/* common functions for either math library */ + +#ifdef HAVE_CONFIG_H + #include +#endif + +/* in case user set USE_FAST_MATH there */ +#include + +#ifdef USE_FAST_MATH + #include +#else + #include +#endif + +#include +#include + + +int get_digit_count(mp_int* a) +{ + if (a == NULL) + return 0; + + return a->used; +} + +mp_digit get_digit(mp_int* a, int n) +{ + if (a == NULL) + return 0; + + return (n >= a->used || n < 0) ? 0 : a->dp[n]; +} + +int get_rand_digit(WC_RNG* rng, mp_digit* d) +{ + return wc_RNG_GenerateBlock(rng, (byte*)d, sizeof(mp_digit)); +} + +int mp_rand(mp_int* a, int digits, WC_RNG* rng) +{ + int ret; + mp_digit d; + + if (rng == NULL) + return MISSING_RNG_E; + + if (a == NULL) + return BAD_FUNC_ARG; + + mp_zero(a); + if (digits <= 0) { + return MP_OKAY; + } + + /* first place a random non-zero digit */ + do { + ret = get_rand_digit(rng, &d); + if (ret != 0) { + return ret; + } + } while (d == 0); + + if ((ret = mp_add_d(a, d, a)) != MP_OKAY) { + return ret; + } + + while (--digits > 0) { + if ((ret = mp_lshd(a, 1)) != MP_OKAY) { + return ret; + } + if ((ret = get_rand_digit(rng, &d)) != 0) { + return ret; + } + if ((ret = mp_add_d(a, d, a)) != MP_OKAY) { + return ret; + } + } + + return ret; +} diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index c4cbcf1ed..213a86019 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -111,6 +111,7 @@ #include #include #include + #include #include #endif @@ -2092,7 +2093,7 @@ int hc128_test(void) (word32)test_hc128[i].outLen) != 0) { return -110; } - if (wc_Hc128_Process(&dec, plain, cipher, + if (wc_Hc128_Process(&dec, plain, cipher, (word32)test_hc128[i].outLen) != 0) { return -115; } @@ -4871,7 +4872,7 @@ int rsa_test(void) !defined(HAVE_FIPS) #ifndef NO_SHA XMEMSET(plain, 0, sizeof(plain)); - + do { #if defined(WOLFSSL_ASYNC_CRYPT) ret = wc_RsaAsyncWait(ret, &key); @@ -6686,6 +6687,9 @@ int openssl_test(void) { byte* p; p = (byte*)CRYPTO_malloc(10, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (p == NULL) { + return -70; + } XMEMSET(p, 0, 10); CRYPTO_free(p, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } @@ -6887,7 +6891,7 @@ int openssl_test(void) #ifndef NO_AES - { /* evp_cipher test */ + { /* evp_cipher test: EVP_aes_128_cbc */ EVP_CIPHER_CTX ctx; @@ -6930,13 +6934,437 @@ int openssl_test(void) return -86; + } /* end evp_cipher test: EVP_aes_128_cbc*/ + +#ifdef HAVE_AES_ECB + { /* evp_cipher test: EVP_aes_128_ecb*/ + EVP_CIPHER_CTX ctx; + const byte msg[] = + { + 0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96, + 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a + }; + + const byte verify[] = + { + 0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c, + 0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8 + }; + + const byte key[] = + { + 0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe, + 0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81, + 0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7, + 0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4 + }; + + + byte cipher[AES_BLOCK_SIZE * 4]; + byte plain [AES_BLOCK_SIZE * 4]; + + EVP_CIPHER_CTX_init(&ctx); + if (EVP_CipherInit(&ctx, EVP_aes_256_ecb(), (unsigned char*)key, NULL, 1) == 0) + return -181; + + if (EVP_Cipher(&ctx, cipher, (byte*)msg, 16) == 0) + return -182; + + if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE)) + return -183; + + EVP_CIPHER_CTX_init(&ctx); + if (EVP_CipherInit(&ctx, EVP_aes_256_ecb(), (unsigned char*)key, NULL, 0) == 0) + return -184; + + if (EVP_Cipher(&ctx, plain, cipher, 16) == 0) + return -185; + + if (XMEMCMP(plain, msg, AES_BLOCK_SIZE)) + return -186; + } /* end evp_cipher test */ +#endif #endif /* NO_AES */ +#define OPENSSL_TEST_ERROR (-10000) + + +#ifndef NO_AES +#ifdef WOLFSSL_AES_DIRECT + /* enable HAVE_AES_DECRYPT for AES_encrypt/decrypt */ +{ + + /* Test: AES_encrypt/decrypt/set Key */ + AES_KEY enc; +#ifdef HAVE_AES_DECRYPT + AES_KEY dec; +#endif + + const byte msg[] = + { + 0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96, + 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a + }; + + const byte verify[] = + { + 0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c, + 0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8 + }; + + const byte key[] = + { + 0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe, + 0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81, + 0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7, + 0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4 + }; + + byte plain[sizeof(msg)]; + byte cipher[sizeof(msg)]; + + printf("openSSL extra test\n") ; + + + AES_set_encrypt_key(key, sizeof(key)*8, &enc); + AES_set_decrypt_key(key, sizeof(key)*8, &dec); + + AES_encrypt(msg, cipher, &enc); + +#ifdef HAVE_AES_DECRYPT + AES_decrypt(cipher, plain, &dec); + if (XMEMCMP(plain, msg, AES_BLOCK_SIZE)) + return OPENSSL_TEST_ERROR-60; +#endif /* HAVE_AES_DECRYPT */ + + if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE)) + return OPENSSL_TEST_ERROR-61; +} + +#endif + +/* EVP_Cipher with EVP_aes_xxx_ctr() */ +#ifdef WOLFSSL_AES_COUNTER +{ + const byte ctrKey[] = + { + 0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6, + 0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c + }; + + const byte ctrIv[] = + { + 0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7, + 0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff + }; + + + const byte ctrPlain[] = + { + 0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96, + 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a, + 0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c, + 0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51, + 0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11, + 0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef, + 0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17, + 0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10 + }; + + const byte ctrCipher[] = + { + 0x87,0x4d,0x61,0x91,0xb6,0x20,0xe3,0x26, + 0x1b,0xef,0x68,0x64,0x99,0x0d,0xb6,0xce, + 0x98,0x06,0xf6,0x6b,0x79,0x70,0xfd,0xff, + 0x86,0x17,0x18,0x7b,0xb9,0xff,0xfd,0xff, + 0x5a,0xe4,0xdf,0x3e,0xdb,0xd5,0xd3,0x5e, + 0x5b,0x4f,0x09,0x02,0x0d,0xb0,0x3e,0xab, + 0x1e,0x03,0x1d,0xda,0x2f,0xbe,0x03,0xd1, + 0x79,0x21,0x70,0xa0,0xf3,0x00,0x9c,0xee + }; + + byte plainBuff [64]; + byte cipherBuff[64]; + + const byte oddCipher[] = + { + 0xb9,0xd7,0xcb,0x08,0xb0,0xe1,0x7b,0xa0, + 0xc2 + }; + + + /* test vector from "Recommendation for Block Cipher Modes of Operation" + * NIST Special Publication 800-38A */ + const byte ctr192Key[] = + { + 0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52, + 0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5, + 0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b + }; + + const byte ctr192Iv[] = + { + 0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7, + 0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff + }; + + + const byte ctr192Plain[] = + { + 0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96, + 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a + }; + + const byte ctr192Cipher[] = + { + 0x1a,0xbc,0x93,0x24,0x17,0x52,0x1c,0xa2, + 0x4f,0x2b,0x04,0x59,0xfe,0x7e,0x6e,0x0b + }; + + /* test vector from "Recommendation for Block Cipher Modes of Operation" + * NIST Special Publication 800-38A */ + const byte ctr256Key[] = + { + 0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe, + 0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81, + 0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7, + 0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4 + }; + + const byte ctr256Iv[] = + { + 0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7, + 0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff + }; + + + const byte ctr256Plain[] = + { + 0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96, + 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a + }; + + const byte ctr256Cipher[] = + { + 0x60,0x1e,0xc3,0x13,0x77,0x57,0x89,0xa5, + 0xb7,0xa7,0xf5,0x04,0xbb,0xf3,0xd2,0x28 + }; + + EVP_CIPHER_CTX en; + EVP_CIPHER_CTX de; + EVP_CIPHER_CTX *p_en; + EVP_CIPHER_CTX *p_de; + + EVP_CIPHER_CTX_init(&en); + if (EVP_CipherInit(&en, EVP_aes_128_ctr(), + (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0) + return -3300; + if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctrPlain, AES_BLOCK_SIZE*4) == 0) + return -3301; + EVP_CIPHER_CTX_init(&de); + if (EVP_CipherInit(&de, EVP_aes_128_ctr(), + (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0) + return -3302; + + if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff, AES_BLOCK_SIZE*4) == 0) + return -3303; + + if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4)) + return -3304; + if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4)) + return -3305; + + p_en = wolfSSL_EVP_CIPHER_CTX_new(); + if(p_en == NULL)return -3390; + p_de = wolfSSL_EVP_CIPHER_CTX_new(); + if(p_de == NULL)return -3391; + + if (EVP_CipherInit(p_en, EVP_aes_128_ctr(), + (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0) + return -3392; + if (EVP_Cipher(p_en, (byte*)cipherBuff, (byte*)ctrPlain, AES_BLOCK_SIZE*4) == 0) + return -3393; + if (EVP_CipherInit(p_de, EVP_aes_128_ctr(), + (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0) + return -3394; + + if (EVP_Cipher(p_de, (byte*)plainBuff, (byte*)cipherBuff, AES_BLOCK_SIZE*4) == 0) + return -3395; + + wolfSSL_EVP_CIPHER_CTX_free(p_en); + wolfSSL_EVP_CIPHER_CTX_free(p_de); + + if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4)) + return -3396; + if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4)) + return -3397; + + EVP_CIPHER_CTX_init(&en); + if (EVP_CipherInit(&en, EVP_aes_128_ctr(), + (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0) + return -3306; + if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctrPlain, 9) == 0) + return -3307; + + EVP_CIPHER_CTX_init(&de); + if (EVP_CipherInit(&de, EVP_aes_128_ctr(), + (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0) + return -3308; + + if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff, 9) == 0) + return -3309; + + if (XMEMCMP(plainBuff, ctrPlain, 9)) + return -3310; + if (XMEMCMP(cipherBuff, ctrCipher, 9)) + return -3311; + + if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctrPlain, 9) == 0) + return -3312; + if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff, 9) == 0) + return -3313; + + if (XMEMCMP(plainBuff, ctrPlain, 9)) + return -3314; + if (XMEMCMP(cipherBuff, oddCipher, 9)) + return -3315; + + EVP_CIPHER_CTX_init(&en); + if (EVP_CipherInit(&en, EVP_aes_192_ctr(), + (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0) + return -3316; + if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctr192Plain, AES_BLOCK_SIZE) == 0) + return -3317; + EVP_CIPHER_CTX_init(&de); + if (EVP_CipherInit(&de, EVP_aes_192_ctr(), + (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0) + return -3318; + + XMEMSET(plainBuff, 0, sizeof(plainBuff)); + if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff, AES_BLOCK_SIZE) == 0) + return -3319; + + if (XMEMCMP(plainBuff, ctr192Plain, sizeof(ctr192Plain))) + return -3320; + if (XMEMCMP(ctr192Cipher, cipherBuff, sizeof(ctr192Cipher))) + return -3321; + + EVP_CIPHER_CTX_init(&en); + if (EVP_CipherInit(&en, EVP_aes_256_ctr(), + (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0) + return -3322; + if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctr256Plain, AES_BLOCK_SIZE) == 0) + return -3323; + EVP_CIPHER_CTX_init(&de); + if (EVP_CipherInit(&de, EVP_aes_256_ctr(), + (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0) + return -3324; + + XMEMSET(plainBuff, 0, sizeof(plainBuff)); + if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff, AES_BLOCK_SIZE) == 0) + return -3325; + + if (XMEMCMP(plainBuff, ctr256Plain, sizeof(ctr256Plain))) + return -3326; + if (XMEMCMP(ctr256Cipher, cipherBuff, sizeof(ctr256Cipher))) + return -3327; +} +#endif /* HAVE_AES_COUNTER */ + +{ + /* EVP_CipherUpdate test */ + + + const byte cbcPlain[] = + { + 0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96, + 0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a, + 0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c, + 0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51, + 0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11, + 0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef, + 0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17, + 0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10 + }; + + byte key[] = "0123456789abcdef "; /* align */ + byte iv[] = "1234567890abcdef "; /* align */ + + byte cipher[AES_BLOCK_SIZE * 4]; + byte plain [AES_BLOCK_SIZE * 4]; + EVP_CIPHER_CTX en; + EVP_CIPHER_CTX de; + int outlen ; + int total = 0; + + EVP_CIPHER_CTX_init(&en); + if (EVP_CipherInit(&en, EVP_aes_128_cbc(), + (unsigned char*)key, (unsigned char*)iv, 1) == 0) + return -3401; + if (EVP_CipherUpdate(&en, (byte*)cipher, &outlen, (byte*)cbcPlain, 9) == 0) + return -3402; + if(outlen != 0) + return -3403; + total += outlen; + + if (EVP_CipherUpdate(&en, (byte*)&cipher[total], &outlen, (byte*)&cbcPlain[9] , 9) == 0) + return -3404; + if(outlen != 16) + return -3405; + total += outlen; + + if (EVP_CipherFinal(&en, (byte*)&cipher[total], &outlen) == 0) + return -3406; + if(outlen != 16) + return -3407; + total += outlen; + if(total != 32) + return 3408; + + total = 0; + EVP_CIPHER_CTX_init(&de); + if (EVP_CipherInit(&de, EVP_aes_128_cbc(), + (unsigned char*)key, (unsigned char*)iv, 0) == 0) + return -3420; + + if (EVP_CipherUpdate(&de, (byte*)plain, &outlen, (byte*)cipher, 6) == 0) + return -3421; + if(outlen != 0) + return -3422; + total += outlen; + + if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen, (byte*)&cipher[6], 12) == 0) + return -3423; + if(outlen != 0) + total += outlen; + + if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen, (byte*)&cipher[6+12], 14) == 0) + return -3423; + if(outlen != 16) + return -3424; + total += outlen; + + if (EVP_CipherFinal(&de, (byte*)&plain[total], &outlen) == 0) + return -3425; + if(outlen != 2) + return -3426; + total += outlen; + + if(total != 18) + return 3427; + + if (XMEMCMP(plain, cbcPlain, 18)) + return -3428; + + } +#endif /* ifndef NO_AES */ + return 0; } + #endif /* OPENSSL_EXTRA */ @@ -7102,6 +7530,7 @@ int pbkdf2_test(void) return -102; return 0; + } @@ -8846,7 +9275,7 @@ int ed25519_test(void) #if defined(WOLFSSL_CMAC) && !defined(NO_AES) - + typedef struct CMAC_Test_Case { int type; int partial; @@ -9200,9 +9629,11 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, 0x72,0x6c,0x64 }; +#ifndef NO_AES byte optionalUkm[] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }; +#endif /* NO_AES */ const pkcs7EnvelopedVector testVectors[] = { @@ -9279,8 +9710,10 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, /* encode envelopedData */ envelopedSz = wc_PKCS7_EncodeEnvelopedData(&pkcs7, enveloped, sizeof(enveloped)); - if (envelopedSz <= 0) + if (envelopedSz <= 0) { + printf("DEBUG: i = %d, envelopedSz = %d\n", i, envelopedSz); return -210; + } /* decode envelopedData */ decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, enveloped, envelopedSz, @@ -9305,6 +9738,10 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, wc_PKCS7_Free(&pkcs7); } + (void)eccCert; + (void)eccCertSz; + (void)eccPrivKey; + (void)eccPrivKeySz; return 0; } @@ -9463,6 +9900,7 @@ int pkcs7encrypted_test(void) 0x72,0x6c,0x64 }; +#ifndef NO_DES3 byte desKey[] = { 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef }; @@ -9471,6 +9909,9 @@ int pkcs7encrypted_test(void) 0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10, 0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 }; +#endif + +#ifndef NO_AES byte aes128Key[] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08 @@ -9518,6 +9959,7 @@ int pkcs7encrypted_test(void) { genAttrOid, sizeof(genAttrOid), genAttr, sizeof(genAttr) }, { genAttrOid2, sizeof(genAttrOid2), genAttr2, sizeof(genAttr2) } }; +#endif /* NO_AES */ const pkcs7EncryptedVector testVectors[] = { diff --git a/wolfssl-ntru.vcproj b/wolfssl-ntru.vcproj index a9f5c4577..3b7703c1b 100755 --- a/wolfssl-ntru.vcproj +++ b/wolfssl-ntru.vcproj @@ -274,6 +274,10 @@ RelativePath=".\wolfcrypt\src\wc_port.c" > + + diff --git a/wolfssl.vcproj b/wolfssl.vcproj index 106ba29fe..6843f4072 100755 --- a/wolfssl.vcproj +++ b/wolfssl.vcproj @@ -271,6 +271,10 @@ RelativePath=".\wolfcrypt\src\wc_port.c" > + + diff --git a/wolfssl.vcxproj b/wolfssl.vcxproj index 985f3383b..7824a9b18 100644 --- a/wolfssl.vcxproj +++ b/wolfssl.vcxproj @@ -318,6 +318,7 @@ + diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 3859c1534..19195f675 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -164,12 +164,6 @@ #pragma warning(disable: 4996) #endif -#ifdef NO_AES - #if !defined (ALIGN16) - #define ALIGN16 - #endif -#endif - #ifdef NO_SHA #define SHA_DIGEST_SIZE 20 #endif @@ -924,7 +918,6 @@ enum Misc { LENGTH_SZ = 2, /* length field for HMAC, data only */ VERSION_SZ = 2, /* length of proctocol version */ SEQ_SZ = 8, /* 64 bit sequence number */ - BYTE3_LEN = 3, /* up to 24 bit byte lengths */ ALERT_SIZE = 2, /* level + description */ VERIFY_HEADER = 2, /* always use 2 bytes */ EXT_ID_SZ = 2, /* always use 2 bytes */ @@ -1249,7 +1242,9 @@ enum BIO_TYPE { BIO_BUFFER = 1, BIO_SOCKET = 2, BIO_SSL = 3, - BIO_MEMORY = 4 + BIO_MEMORY = 4, + BIO_BIO = 5, + BIO_FILE = 6 }; @@ -1261,15 +1256,24 @@ struct WOLFSSL_BIO_METHOD { /* wolfSSL BIO type */ struct WOLFSSL_BIO { - byte type; /* method type */ - byte close; /* close flag */ - byte eof; /* eof flag */ WOLFSSL* ssl; /* possible associated ssl */ - byte* mem; /* memory buffer */ - int memLen; /* memory buffer length */ - int fd; /* possible file descriptor */ +#ifndef NO_FILESYSTEM + XFILE file; +#endif WOLFSSL_BIO* prev; /* previous in chain */ WOLFSSL_BIO* next; /* next in chain */ + WOLFSSL_BIO* pair; /* BIO paired with */ + void* heap; /* user heap hint */ + byte* mem; /* memory buffer */ + int wrSz; /* write buffer size (mem) */ + int wrIdx; /* current index for write buffer */ + int rdIdx; /* current read index */ + int readRq; /* read request */ + int memLen; /* memory buffer length */ + int fd; /* possible file descriptor */ + int eof; /* eof flag */ + byte type; /* method type */ + byte close; /* close flag */ }; @@ -2001,6 +2005,9 @@ struct WOLFSSL_CTX { #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) pem_password_cb passwd_cb; void* userdata; + WOLFSSL_X509_STORE x509_store; /* points to ctx->cm */ + byte readAhead; + void* userPRFArg; /* passed to prf callback */ #endif /* OPENSSL_EXTRA */ #ifdef HAVE_STUNNEL void* ex_data[MAX_EX_DATA]; @@ -2378,6 +2385,9 @@ typedef struct Options { wc_psk_server_callback server_psk_cb; word16 havePSK:1; /* psk key set by user */ #endif /* NO_PSK */ +#ifdef OPENSSL_EXTRA + unsigned long mask; /* store SSL_OP_ flags */ +#endif /* on/off or small bit flags, optimize layout */ word16 sendVerify:2; /* false = 0, true = 1, sendBlank = 2 */ @@ -2502,6 +2512,7 @@ struct WOLFSSL_STACK { union { WOLFSSL_X509* x509; WOLFSSL_BIO* bio; + WOLFSSL_ASN1_OBJECT* obj; } data; WOLFSSL_STACK* next; }; @@ -2565,9 +2576,21 @@ struct WOLFSSL_X509 { void* heap; /* heap hint */ byte dynamicMemory; /* dynamic memory flag */ byte isCa; +#ifdef WOLFSSL_CERT_EXT + char certPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ]; + int certPoliciesNb; +#endif /* WOLFSSL_CERT_EXT */ #ifdef OPENSSL_EXTRA word32 pathLength; word16 keyUsage; + byte CRLdistSet; + byte CRLdistCrit; + byte* CRLInfo; + int CRLInfoSz; + byte authInfoSet; + byte authInfoCrit; + byte* authInfo; + int authInfoSz; byte basicConstSet; byte basicConstCrit; byte basicConstPlSet; @@ -2583,6 +2606,10 @@ struct WOLFSSL_X509 { word32 subjKeyIdSz; byte keyUsageSet; byte keyUsageCrit; + byte extKeyUsageCrit; + byte* extKeyUsageSrc; + word32 extKeyUsageSz; + word32 extKeyUsageCount; #endif /* OPENSSL_EXTRA */ }; @@ -2732,6 +2759,11 @@ struct WOLFSSL { #ifdef OPENSSL_EXTRA WOLFSSL_BIO* biord; /* socket bio read to free/close */ WOLFSSL_BIO* biowr; /* socket bio write to free/close */ + unsigned long peerVerifyRet; + byte readAhead; +#ifdef HAVE_PK_CALLBACKS + void* loggingCtx; /* logging callback argument */ +#endif #endif #ifndef NO_RSA RsaKey* peerRsaKey; diff --git a/wolfssl/openssl/aes.h b/wolfssl/openssl/aes.h new file mode 100644 index 000000000..418914808 --- /dev/null +++ b/wolfssl/openssl/aes.h @@ -0,0 +1,73 @@ +/* aes.h + * + * Copyright (C) 2006-2016 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + + +/* aes.h defines mini des openssl compatibility layer + * + */ + + +#ifndef WOLFSSL_AES_H_ +#define WOLFSSL_AES_H_ + +#include + +#ifndef NO_AES +#ifdef WOLFSSL_AES_DIRECT + +#ifdef __cplusplus + extern "C" { +#endif + + +typedef Aes AES_KEY; + +WOLFSSL_API void wolfSSL_AES_set_encrypt_key + (const unsigned char *, const int bits, AES_KEY *); +WOLFSSL_API void wolfSSL_AES_set_decrypt_key + (const unsigned char *, const int bits, AES_KEY *); +WOLFSSL_API void wolfSSL_AES_encrypt + (const unsigned char* input, unsigned char* output, AES_KEY *); +WOLFSSL_API void wolfSSL_AES_decrypt + (const unsigned char* input, unsigned char* output, AES_KEY *); + +#define AES_set_encrypt_key wolfSSL_AES_set_encrypt_key +#define AES_set_decrypt_key wolfSSL_AES_set_decrypt_key +#define AES_encrypt wolfSSL_AES_encrypt +#define AES_decrypt wolfSSL_AES_decrypt + +#define wolfSSL_AES_set_encrypt_key(key, bits, aes) \ + wc_AesSetKey(aes, key, ((bits)/8), NULL, AES_ENCRYPTION) +#define wolfSSL_AES_set_decrypt_key(key, bits, aes) \ + wc_AesSetKey(aes, key, ((bits)/8), NULL, AES_DECRYPTION) + +#define wolfSSL_AES_encrypt(in, out, aes) wc_AesEncryptDirect(aes, out, in) +#define wolfSSL_AES_decrypt(in, out, aes) wc_AesDecryptDirect(aes, out, in) + +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* HAVE_AES_DIRECT */ +#endif /* NO_AES */ + +#endif /* WOLFSSL_DES_H_ */ diff --git a/wolfssl/openssl/bn.h b/wolfssl/openssl/bn.h index c56a3cfca..ba5648a88 100644 --- a/wolfssl/openssl/bn.h +++ b/wolfssl/openssl/bn.h @@ -35,7 +35,8 @@ WOLFSSL_API int wolfSSL_BN_sub(WOLFSSL_BIGNUM*, const WOLFSSL_BIGNUM*, const WOLFSSL_BIGNUM*); WOLFSSL_API int wolfSSL_BN_mod(WOLFSSL_BIGNUM*, const WOLFSSL_BIGNUM*, const WOLFSSL_BIGNUM*, const WOLFSSL_BN_CTX*); - +WOLFSSL_API int wolfSSL_BN_mod_exp(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *a, + const WOLFSSL_BIGNUM *p, const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx); WOLFSSL_API const WOLFSSL_BIGNUM* wolfSSL_BN_value_one(void); @@ -109,6 +110,7 @@ typedef WOLFSSL_BN_GENCB BN_GENCB; #define BN_bin2bn wolfSSL_BN_bin2bn #define BN_mod wolfSSL_BN_mod +#define BN_mod_exp wolfSSL_BN_mod_exp #define BN_sub wolfSSL_BN_sub #define BN_value_one wolfSSL_BN_value_one @@ -148,4 +150,3 @@ typedef WOLFSSL_BN_GENCB BN_GENCB; #endif /* WOLFSSL__H_ */ - diff --git a/wolfssl/openssl/des.h b/wolfssl/openssl/des.h index 042551196..d154b72be 100644 --- a/wolfssl/openssl/des.h +++ b/wolfssl/openssl/des.h @@ -53,9 +53,9 @@ enum { }; -WOLFSSL_API void wolfSSL_DES_set_key(WOLFSSL_const_DES_cblock* myDes, +WOLFSSL_API int wolfSSL_DES_set_key(WOLFSSL_const_DES_cblock* myDes, WOLFSSL_DES_key_schedule* key); -WOLFSSL_API void wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes, +WOLFSSL_API int wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes, WOLFSSL_DES_key_schedule* key); WOLFSSL_API void wolfSSL_DES_set_key_unchecked(WOLFSSL_const_DES_cblock*, WOLFSSL_DES_key_schedule*); diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index e13e60ed1..086e82c4c 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -21,7 +21,7 @@ -/* evp.h defines mini evp openssl compatibility layer +/* evp.h defines mini evp openssl compatibility layer * */ @@ -47,13 +47,14 @@ #include #include #include - +#ifdef HAVE_IDEA + #include +#endif #ifdef __cplusplus extern "C" { #endif -typedef char WOLFSSL_EVP_MD; typedef char WOLFSSL_EVP_CIPHER; #ifndef NO_MD5 @@ -66,12 +67,17 @@ WOLFSSL_API const WOLFSSL_EVP_MD* wolfSSL_EVP_sha384(void); WOLFSSL_API const WOLFSSL_EVP_MD* wolfSSL_EVP_sha512(void); WOLFSSL_API const WOLFSSL_EVP_MD* wolfSSL_EVP_ripemd160(void); +WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_ecb(void); +WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_ecb(void); +WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_ecb(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cbc(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_cbc(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_cbc(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_ctr(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_ctr(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_ctr(void); +WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ecb(void); +WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ede3_ecb(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_cbc(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ede3_cbc(void); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_rc4(void); @@ -101,8 +107,8 @@ typedef union { typedef struct WOLFSSL_EVP_MD_CTX { - unsigned char macType; WOLFSSL_Hasher hash; + unsigned char macType; } WOLFSSL_EVP_MD_CTX; @@ -128,39 +134,65 @@ enum { AES_128_CTR_TYPE = 4, AES_192_CTR_TYPE = 5, AES_256_CTR_TYPE = 6, - DES_CBC_TYPE = 7, - DES_EDE3_CBC_TYPE = 8, - ARC4_TYPE = 9, - NULL_CIPHER_TYPE = 10, - EVP_PKEY_RSA = 11, - EVP_PKEY_DSA = 12, - EVP_PKEY_EC = 13, - IDEA_CBC_TYPE = 14, + AES_128_ECB_TYPE = 7, + AES_192_ECB_TYPE = 8, + AES_256_ECB_TYPE = 9, + DES_CBC_TYPE = 10, + DES_ECB_TYPE = 11, + DES_EDE3_CBC_TYPE = 12, + DES_EDE3_ECB_TYPE = 13, + ARC4_TYPE = 14, + NULL_CIPHER_TYPE = 15, + EVP_PKEY_RSA = 16, + EVP_PKEY_DSA = 17, + EVP_PKEY_EC = 18, + IDEA_CBC_TYPE = 19, NID_sha1 = 64, NID_md2 = 3, NID_md5 = 4 }; - +#define WOLFSSL_EVP_BUF_SIZE 16 typedef struct WOLFSSL_EVP_CIPHER_CTX { int keyLen; /* user may set for variable */ + int block_size; + unsigned long flags; unsigned char enc; /* if encrypt side, then true */ unsigned char cipherType; #ifndef NO_AES - unsigned char iv[AES_BLOCK_SIZE]; /* working iv pointer into cipher */ + /* working iv pointer into cipher */ + ALIGN16 unsigned char iv[AES_BLOCK_SIZE]; #elif !defined(NO_DES3) - unsigned char iv[DES_BLOCK_SIZE]; /* working iv pointer into cipher */ + /* working iv pointer into cipher */ + ALIGN16 unsigned char iv[DES_BLOCK_SIZE]; #endif WOLFSSL_Cipher cipher; + ALIGN16 byte buf[WOLFSSL_EVP_BUF_SIZE]; + int bufUsed; + ALIGN16 byte lastBlock[WOLFSSL_EVP_BUF_SIZE]; + int lastUsed; } WOLFSSL_EVP_CIPHER_CTX; +typedef int WOLFSSL_ENGINE ; +typedef WOLFSSL_ENGINE ENGINE; +WOLFSSL_API void wolfSSL_EVP_init(void); WOLFSSL_API int wolfSSL_EVP_MD_size(const WOLFSSL_EVP_MD* md); +WOLFSSL_API int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md); + +WOLFSSL_API WOLFSSL_EVP_MD_CTX *wolfSSL_EVP_MD_CTX_new (void); +WOLFSSL_API void wolfSSL_EVP_MD_CTX_free(WOLFSSL_EVP_MD_CTX* ctx); WOLFSSL_API void wolfSSL_EVP_MD_CTX_init(WOLFSSL_EVP_MD_CTX* ctx); WOLFSSL_API int wolfSSL_EVP_MD_CTX_cleanup(WOLFSSL_EVP_MD_CTX* ctx); +WOLFSSL_API const WOLFSSL_EVP_MD *wolfSSL_EVP_MD_CTX_md(const WOLFSSL_EVP_MD_CTX *ctx); +WOLFSSL_API const WOLFSSL_EVP_CIPHER *wolfSSL_EVP_get_cipherbyname(const char *name); +WOLFSSL_API const WOLFSSL_EVP_MD *wolfSSL_EVP_get_digestbyname(const char *name); WOLFSSL_API int wolfSSL_EVP_DigestInit(WOLFSSL_EVP_MD_CTX* ctx, const WOLFSSL_EVP_MD* type); +WOLFSSL_API int wolfSSL_EVP_DigestInit_ex(WOLFSSL_EVP_MD_CTX* ctx, + const WOLFSSL_EVP_MD* type, + WOLFSSL_ENGINE *impl); WOLFSSL_API int wolfSSL_EVP_DigestUpdate(WOLFSSL_EVP_MD_CTX* ctx, const void* data, unsigned long sz); WOLFSSL_API int wolfSSL_EVP_DigestFinal(WOLFSSL_EVP_MD_CTX* ctx, unsigned char* md, @@ -184,6 +216,43 @@ WOLFSSL_API int wolfSSL_EVP_CipherInit(WOLFSSL_EVP_CIPHER_CTX* ctx, const WOLFSSL_EVP_CIPHER* type, unsigned char* key, unsigned char* iv, int enc); +WOLFSSL_API int wolfSSL_EVP_CipherInit_ex(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + WOLFSSL_ENGINE *impl, + unsigned char* key, unsigned char* iv, + int enc); +WOLFSSL_API int wolfSSL_EVP_EncryptInit(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + unsigned char* key, unsigned char* iv); +WOLFSSL_API int wolfSSL_EVP_EncryptInit_ex(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + WOLFSSL_ENGINE *impl, + unsigned char* key, unsigned char* iv); +WOLFSSL_API int wolfSSL_EVP_DecryptInit(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + unsigned char* key, unsigned char* iv); +WOLFSSL_API int wolfSSL_EVP_DecryptInit_ex(WOLFSSL_EVP_CIPHER_CTX* ctx, + const WOLFSSL_EVP_CIPHER* type, + WOLFSSL_ENGINE *impl, + unsigned char* key, unsigned char* iv); +WOLFSSL_API int wolfSSL_EVP_CipherUpdate(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl, + const unsigned char *in, int inl); +WOLFSSL_API int wolfSSL_EVP_CipherFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl); +WOLFSSL_API int wolfSSL_EVP_CipherFinal_ex(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl, int enc); +WOLFSSL_API int wolfSSL_EVP_EncryptFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl); +WOLFSSL_API int wolfSSL_EVP_EncryptFinal_ex(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl); +WOLFSSL_API int wolfSSL_EVP_DecryptFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl); +WOLFSSL_API int wolfSSL_EVP_DecryptFinal_ex(WOLFSSL_EVP_CIPHER_CTX *ctx, + unsigned char *out, int *outl); + +WOLFSSL_API WOLFSSL_EVP_CIPHER_CTX *wolfSSL_EVP_CIPHER_CTX_new(void); +WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_free(WOLFSSL_EVP_CIPHER_CTX *ctx); WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_key_length(WOLFSSL_EVP_CIPHER_CTX* ctx); WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_set_key_length(WOLFSSL_EVP_CIPHER_CTX* ctx, int keylen); @@ -209,6 +278,35 @@ WOLFSSL_API void wolfSSL_aes_ctr_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, int doset, WOLFSSL_API int wolfSSL_StoreExternalIV(WOLFSSL_EVP_CIPHER_CTX* ctx); WOLFSSL_API int wolfSSL_SetInternalIV(WOLFSSL_EVP_CIPHER_CTX* ctx); +WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_block_size(const WOLFSSL_EVP_CIPHER_CTX *ctx); +WOLFSSL_API int wolfSSL_EVP_CIPHER_block_size(const WOLFSSL_EVP_CIPHER *cipher); +WOLFSSL_API unsigned long WOLFSSL_EVP_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher); +WOLFSSL_API unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher); +WOLFSSL_API unsigned long wolfSSL_EVP_CIPHER_flags(const WOLFSSL_EVP_CIPHER *cipher); +WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags); +WOLFSSL_API unsigned long wolfSSL_EVP_CIPHER_CTX_mode(const WOLFSSL_EVP_CIPHER_CTX *ctx); +WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_set_padding(WOLFSSL_EVP_CIPHER_CTX *c, int pad); +WOLFSSL_API int wolfSSL_EVP_add_digest(const WOLFSSL_EVP_MD *digest); + +#define EVP_CIPH_STREAM_CIPHER WOLFSSL_EVP_CIPH_STREAM_CIPHER +#define EVP_CIPH_ECB_MODE WOLFSSL_EVP_CIPH_ECB_MODE +#define EVP_CIPH_CBC_MODE WOLFSSL_EVP_CIPH_CBC_MODE +#define EVP_CIPH_CFB_MODE WOLFSSL_EVP_CIPH_CFB_MODE +#define EVP_CIPH_OFB_MODE WOLFSSL_EVP_CIPH_OFB_MODE +#define EVP_CIPH_CTR_MODE WOLFSSL_EVP_CIPH_CTR_MODE +#define EVP_CIPH_GCM_MODE WOLFSSL_EVP_CIPH_GCM_MODE +#define EVP_CIPH_CCM_MODE WOLFSSL_EVP_CIPH_CCM_MODE + +#define WOLFSSL_EVP_CIPH_MODE 0x0007 +#define WOLFSSL_EVP_CIPH_STREAM_CIPHER 0x0 +#define WOLFSSL_EVP_CIPH_ECB_MODE 0x1 +#define WOLFSSL_EVP_CIPH_CBC_MODE 0x2 +#define WOLFSSL_EVP_CIPH_CFB_MODE 0x3 +#define WOLFSSL_EVP_CIPH_OFB_MODE 0x4 +#define WOLFSSL_EVP_CIPH_CTR_MODE 0x5 +#define WOLFSSL_EVP_CIPH_GCM_MODE 0x6 +#define WOLFSSL_EVP_CIPH_CCM_MODE 0x7 +#define WOLFSSL_EVP_CIPH_NO_PADDING 0x100 /* end OpenSSH compat */ @@ -230,38 +328,84 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX; #define EVP_aes_128_cbc wolfSSL_EVP_aes_128_cbc #define EVP_aes_192_cbc wolfSSL_EVP_aes_192_cbc #define EVP_aes_256_cbc wolfSSL_EVP_aes_256_cbc +#define EVP_aes_128_ecb wolfSSL_EVP_aes_128_ecb +#define EVP_aes_192_ecb wolfSSL_EVP_aes_192_ecb +#define EVP_aes_256_ecb wolfSSL_EVP_aes_256_ecb #define EVP_aes_128_ctr wolfSSL_EVP_aes_128_ctr #define EVP_aes_192_ctr wolfSSL_EVP_aes_192_ctr #define EVP_aes_256_ctr wolfSSL_EVP_aes_256_ctr #define EVP_des_cbc wolfSSL_EVP_des_cbc +#define EVP_des_ecb wolfSSL_EVP_des_ecb #define EVP_des_ede3_cbc wolfSSL_EVP_des_ede3_cbc +#define EVP_des_ede3_ecb wolfSSL_EVP_des_ede3_ecb #define EVP_rc4 wolfSSL_EVP_rc4 #define EVP_idea_cbc wolfSSL_EVP_idea_cbc #define EVP_enc_null wolfSSL_EVP_enc_null #define EVP_MD_size wolfSSL_EVP_MD_size +#define EVP_MD_CTX_new wolfSSL_EVP_MD_CTX_new +#define EVP_MD_CTX_create wolfSSL_EVP_MD_CTX_new +#define EVP_MD_CTX_free wolfSSL_EVP_MD_CTX_free +#define EVP_MD_CTX_destroy wolfSSL_EVP_MD_CTX_free #define EVP_MD_CTX_init wolfSSL_EVP_MD_CTX_init #define EVP_MD_CTX_cleanup wolfSSL_EVP_MD_CTX_cleanup +#define EVP_MD_CTX_md wolfSSL_EVP_MD_CTX_md +#define EVP_MD_CTX_type wolfSSL_EVP_MD_type +#define EVP_MD_type wolfSSL_EVP_MD_type + #define EVP_DigestInit wolfSSL_EVP_DigestInit +#define EVP_DigestInit_ex wolfSSL_EVP_DigestInit_ex #define EVP_DigestUpdate wolfSSL_EVP_DigestUpdate #define EVP_DigestFinal wolfSSL_EVP_DigestFinal #define EVP_DigestFinal_ex wolfSSL_EVP_DigestFinal_ex #define EVP_BytesToKey wolfSSL_EVP_BytesToKey +#define EVP_get_cipherbyname wolfSSL_EVP_get_cipherbyname +#define EVP_get_digestbyname wolfSSL_EVP_get_digestbyname + #define EVP_CIPHER_CTX_init wolfSSL_EVP_CIPHER_CTX_init #define EVP_CIPHER_CTX_cleanup wolfSSL_EVP_CIPHER_CTX_cleanup #define EVP_CIPHER_CTX_iv_length wolfSSL_EVP_CIPHER_CTX_iv_length #define EVP_CIPHER_CTX_key_length wolfSSL_EVP_CIPHER_CTX_key_length #define EVP_CIPHER_CTX_set_key_length wolfSSL_EVP_CIPHER_CTX_set_key_length +#define EVP_CIPHER_CTX_mode wolfSSL_EVP_CIPHER_CTX_mode + #define EVP_CipherInit wolfSSL_EVP_CipherInit +#define EVP_CipherInit_ex wolfSSL_EVP_CipherInit_ex +#define EVP_EncryptInit wolfSSL_EVP_EncryptInit +#define EVP_EncryptInit_ex wolfSSL_EVP_EncryptInit_ex +#define EVP_DecryptInit wolfSSL_EVP_DecryptInit +#define EVP_DecryptInit_ex wolfSSL_EVP_DecryptInit_ex + #define EVP_Cipher wolfSSL_EVP_Cipher +#define EVP_CipherUpdate wolfSSL_EVP_CipherUpdate +#define EVP_EncryptUpdate wolfSSL_EVP_CipherUpdate +#define EVP_DecryptUpdate wolfSSL_EVP_CipherUpdate +#define EVP_CipherFinal wolfSSL_EVP_CipherFinal +#define EVP_CipherFinal_ex wolfSSL_EVP_CipherFinal +#define EVP_EncryptFinal wolfSSL_EVP_CipherFinal +#define EVP_EncryptFinal_ex wolfSSL_EVP_CipherFinal +#define EVP_DecryptFinal wolfSSL_EVP_CipherFinal +#define EVP_DecryptFinal_ex wolfSSL_EVP_CipherFinal + +#define EVP_CIPHER_CTX_free wolfSSL_EVP_CIPHER_CTX_free +#define EVP_CIPHER_CTX_new wolfSSL_EVP_CIPHER_CTX_new #define EVP_get_digestbynid wolfSSL_EVP_get_digestbynid +#define EVP_get_cipherbyname wolfSSL_EVP_get_cipherbyname +#define EVP_get_digestbyname wolfSSL_EVP_get_digestbyname #define EVP_PKEY_get1_RSA wolfSSL_EVP_PKEY_get1_RSA #define EVP_PKEY_get1_DSA wolfSSL_EVP_PKEY_get1_DSA #define EVP_PKEY_get1_EC_KEY wolfSSL_EVP_PKEY_get1_EC_KEY +#define EVP_CIPHER_CTX_block_size wolfSSL_EVP_CIPHER_CTX_block_size +#define EVP_CIPHER_block_size wolfSSL_EVP_CIPHER_block_size +#define EVP_CIPHER_flags wolfSSL_EVP_CIPHER_flags +#define EVP_CIPHER_CTX_set_flags wolfSSL_EVP_CIPHER_CTX_set_flags +#define EVP_CIPHER_CTX_set_padding wolfSSL_EVP_CIPHER_CTX_set_padding +#define EVP_CIPHER_CTX_flags wolfSSL_EVP_CIPHER_CTX_flags +#define EVP_add_digest wolfSSL_EVP_add_digest #ifndef EVP_MAX_MD_SIZE #define EVP_MAX_MD_SIZE 64 /* sha512 */ diff --git a/wolfssl/openssl/include.am b/wolfssl/openssl/include.am index 21d99ef00..d6d743835 100644 --- a/wolfssl/openssl/include.am +++ b/wolfssl/openssl/include.am @@ -3,6 +3,7 @@ nobase_include_HEADERS+= \ wolfssl/openssl/asn1.h \ + wolfssl/openssl/aes.h\ wolfssl/openssl/bio.h \ wolfssl/openssl/bn.h \ wolfssl/openssl/conf.h \ diff --git a/wolfssl/openssl/md5.h b/wolfssl/openssl/md5.h index bdcda5b98..2e8620825 100644 --- a/wolfssl/openssl/md5.h +++ b/wolfssl/openssl/md5.h @@ -32,11 +32,16 @@ typedef WOLFSSL_MD5_CTX MD5_CTX; #define MD5_Update wolfSSL_MD5_Update #define MD5_Final wolfSSL_MD5_Final +#ifdef OPENSSL_EXTRA_BSD + #define MD5Init wolfSSL_MD5_Init + #define MD5Update wolfSSL_MD5_Update + #define MD5Final wolfSSL_MD5_Final +#endif + #ifdef __cplusplus - } /* extern "C" */ + } /* extern "C" */ #endif #endif /* NO_MD5 */ #endif /* WOLFSSL_MD5_H_ */ - diff --git a/wolfssl/openssl/pem.h b/wolfssl/openssl/pem.h index 76a391f54..60624aa5c 100644 --- a/wolfssl/openssl/pem.h +++ b/wolfssl/openssl/pem.h @@ -13,13 +13,14 @@ extern "C" { #endif +#define PEM_write_bio_PrivateKey wolfSSL_PEM_write_bio_PrivateKey /* RSA */ WOLFSSL_API int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, const EVP_CIPHER* cipher, unsigned char* passwd, int len, - pem_password_cb cb, void* arg); + pem_password_cb* cb, void* arg); WOLFSSL_API int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, unsigned char* passwd, int len, @@ -46,7 +47,7 @@ int wolfSSL_PEM_write_bio_DSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_DSA* dsa, const EVP_CIPHER* cipher, unsigned char* passwd, int len, - pem_password_cb cb, void* arg); + pem_password_cb* cb, void* arg); WOLFSSL_API int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, const EVP_CIPHER* cipher, @@ -67,7 +68,7 @@ WOLFSSL_API int wolfSSL_PEM_write_bio_ECPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ec, const EVP_CIPHER* cipher, unsigned char* passwd, int len, - pem_password_cb cb, void* arg); + pem_password_cb* cb, void* arg); WOLFSSL_API int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* key, const EVP_CIPHER* cipher, @@ -87,9 +88,15 @@ int wolfSSL_PEM_write_EC_PUBKEY(FILE *fp, WOLFSSL_EC_KEY *key); WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY**, - pem_password_cb cb, + pem_password_cb* cb, void* arg); WOLFSSL_API +int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key, + const WOLFSSL_EVP_CIPHER* cipher, + unsigned char* passwd, int len, + pem_password_cb* cb, void* arg); + +WOLFSSL_API int wolfSSL_EVP_PKEY_type(int type); #if !defined(NO_FILESYSTEM) @@ -98,6 +105,7 @@ WOLFSSL_EVP_PKEY *wolfSSL_PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); #endif /* NO_FILESYSTEM */ +#define PEM_write_bio_PrivateKey wolfSSL_PEM_write_bio_PrivateKey /* RSA */ #define PEM_write_bio_RSAPrivateKey wolfSSL_PEM_write_bio_RSAPrivateKey #define PEM_write_RSAPrivateKey wolfSSL_PEM_write_RSAPrivateKey diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 22592f7d7..f89c3608c 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -21,7 +21,7 @@ -/* ssl.h defines wolfssl_openssl compatibility layer +/* ssl.h defines wolfssl_openssl compatibility layer * */ @@ -80,6 +80,12 @@ typedef WOLFSSL_ASN1_INTEGER ASN1_INTEGER; typedef WOLFSSL_ASN1_OBJECT ASN1_OBJECT; typedef WOLFSSL_ASN1_STRING ASN1_STRING; typedef WOLFSSL_dynlock_value CRYPTO_dynlock_value; +typedef WOLFSSL_BUF_MEM BUF_MEM; + +/* GENERAL_NAME and BASIC_CONSTRAINTS structs may need implemented as + * compatibility layer expands. For now treating them as an ASN1_OBJECT */ +typedef WOLFSSL_ASN1_OBJECT GENERAL_NAME; +typedef WOLFSSL_ASN1_OBJECT BASIC_CONSTRAINTS; #define ASN1_UTCTIME WOLFSSL_ASN1_TIME @@ -101,16 +107,23 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; strncpy(buf, "Not Implemented, SSLv2 only", len) /* @TODO */ -#define ERR_print_errors_fp(file) +#define ERR_print_errors_fp(file) wolfSSL_ERR_print_errors_fp((file)) /* at the moment only returns ok */ -#define SSL_get_verify_result(ctx) X509_V_OK +#define SSL_get_verify_result wolfSSL_get_verify_result #define SSL_get_verify_mode wolfSSL_SSL_get_mode #define SSL_get_verify_depth wolfSSL_get_verify_depth #define SSL_CTX_get_verify_mode wolfSSL_CTX_get_verify_mode #define SSL_CTX_get_verify_depth wolfSSL_CTX_get_verify_depth #define SSL_get_certificate wolfSSL_get_certificate +#define SSL_use_certificate wolfSSL_use_certificate +#define SSL_use_certificate_ASN1 wolfSSL_use_certificate_ASN1 +#define SSL_use_PrivateKey wolfSSL_use_PrivateKey +#define SSL_use_PrivateKey_ASN1 wolfSSL_use_PrivateKey_ASN1 +#define SSL_use_RSAPrivateKey_ASN1 wolfSSL_use_RSAPrivateKey_ASN1 + +#define SSLv23_method wolfSSLv23_method #define SSLv3_server_method wolfSSLv3_server_method #define SSLv3_client_method wolfSSLv3_client_method #define TLSv1_server_method wolfTLSv1_server_method @@ -134,7 +147,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_CTX_load_verify_locations wolfSSL_CTX_load_verify_locations #define SSL_CTX_use_certificate_chain_file wolfSSL_CTX_use_certificate_chain_file #define SSL_CTX_use_RSAPrivateKey_file wolfSSL_CTX_use_RSAPrivateKey_file - + #define SSL_use_certificate_file wolfSSL_use_certificate_file #define SSL_use_PrivateKey_file wolfSSL_use_PrivateKey_file #define SSL_use_certificate_chain_file wolfSSL_use_certificate_chain_file @@ -147,6 +160,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_get_fd wolfSSL_get_fd #define SSL_connect wolfSSL_connect #define SSL_clear wolfSSL_clear +#define SSL_state wolfSSL_state #define SSL_write wolfSSL_write #define SSL_read wolfSSL_read @@ -201,7 +215,12 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_get_keyblock_size wolfSSL_get_keyblock_size #define SSL_get_keys wolfSSL_get_keys +#define SSL_SESSION_get_master_key wolfSSL_SESSION_get_master_key +#define SSL_SESSION_get_master_key_length wolfSSL_SESSION_get_master_key_length +#define SSL_X509_NAME_get_text_by_NID wolfSSL_X509_NAME_get_text_by_NID +#define X509_get_ext_d2i wolfSSL_X509_get_ext_d2i +#define X509_digest wolfSSL_X509_digest #define X509_free wolfSSL_X509_free #define OPENSSL_free wolfSSL_OPENSSL_free @@ -217,7 +236,11 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define BIO_new wolfSSL_BIO_new #define BIO_free wolfSSL_BIO_free #define BIO_free_all wolfSSL_BIO_free_all +#define BIO_nread0 wolfSSL_BIO_nread0 +#define BIO_nread wolfSSL_BIO_nread #define BIO_read wolfSSL_BIO_read +#define BIO_nwrite0 wolfSSL_BIO_nwrite0 +#define BIO_nwrite wolfSSL_BIO_nwrite #define BIO_write wolfSSL_BIO_write #define BIO_push wolfSSL_BIO_push #define BIO_pop wolfSSL_BIO_pop @@ -239,9 +262,10 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define BIO_f_base64 wolfSSL_BIO_f_base64 #define BIO_set_flags wolfSSL_BIO_set_flags +#define OpenSSL_add_all_digests() #define OpenSSL_add_all_algorithms wolfSSL_add_all_algorithms #define SSLeay_add_ssl_algorithms wolfSSL_add_all_algorithms -#define SSLeay_add_all_algorithms wolfSSL_add_all_algorithms +#define SSLeay_add_all_algorithms wolfSSL_add_all_algorithms #define RAND_screen wolfSSL_RAND_screen #define RAND_file_name wolfSSL_RAND_file_name @@ -271,6 +295,9 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; # define CRYPTO_WRITE 8 #define X509_STORE_CTX_get_current_cert wolfSSL_X509_STORE_CTX_get_current_cert +#define X509_STORE_add_cert wolfSSL_X509_STORE_add_cert +#define X509_STORE_set_flags wolfSSL_X509_STORE_set_flags +#define X509_STORE_CTX_get_chain wolfSSL_X509_STORE_CTX_get_chain #define X509_STORE_CTX_get_error wolfSSL_X509_STORE_CTX_get_error #define X509_STORE_CTX_get_error_depth wolfSSL_X509_STORE_CTX_get_error_depth @@ -297,6 +324,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define X509_CRL_verify wolfSSL_X509_CRL_verify #define X509_STORE_CTX_set_error wolfSSL_X509_STORE_CTX_set_error #define X509_OBJECT_free_contents wolfSSL_X509_OBJECT_free_contents +#define EVP_PKEY_new wolfSSL_PKEY_new #define EVP_PKEY_free wolfSSL_EVP_PKEY_free #define X509_cmp_current_time wolfSSL_X509_cmp_current_time #define sk_X509_REVOKED_num wolfSSL_sk_X509_REVOKED_num @@ -312,10 +340,13 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define ASN1_INTEGER_cmp wolfSSL_ASN1_INTEGER_cmp #define ASN1_INTEGER_get wolfSSL_ASN1_INTEGER_get +#define ASN1_INTEGER_to_BN wolfSSL_ASN1_INTEGER_to_BN #define SSL_load_client_CA_file wolfSSL_load_client_CA_file #define SSL_CTX_set_client_CA_list wolfSSL_CTX_set_client_CA_list +#define SSL_CTX_set_cert_store wolfSSL_CTX_set_cert_store +#define SSL_CTX_get_cert_store wolfSSL_CTX_get_cert_store #define X509_STORE_CTX_get_ex_data wolfSSL_X509_STORE_CTX_get_ex_data #define SSL_get_ex_data_X509_STORE_CTX_idx wolfSSL_get_ex_data_X509_STORE_CTX_idx #define SSL_get_ex_data wolfSSL_get_ex_data @@ -327,6 +358,8 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_CTX_set_info_callback wolfSSL_CTX_set_info_callback #define ERR_peek_error wolfSSL_ERR_peek_error +#define ERR_peek_last_error_line wolfSSL_ERR_peek_last_error_line +#define ERR_peek_errors_fp wolfSSL_ERR_peek_errors_fp #define ERR_GET_REASON wolfSSL_ERR_GET_REASON #define SSL_alert_type_string wolfSSL_alert_type_string @@ -377,7 +410,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define RAND_status wolfSSL_RAND_status #define RAND_bytes wolfSSL_RAND_bytes #define SSLv23_server_method wolfSSLv23_server_method -#define SSL_CTX_set_options wolfSSL_CTX_set_options +#define SSL_CTX_set_options wolfSSL_CTX_set_options #define SSL_CTX_check_private_key wolfSSL_CTX_check_private_key #define ERR_free_strings wolfSSL_ERR_free_strings @@ -405,6 +438,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define sk_value wolfSSL_sk_value #define sk_X509_pop wolfSSL_sk_X509_pop #define sk_X509_free wolfSSL_sk_X509_free +#define d2i_X509_bio wolfSSL_d2i_X509_bio #define SSL_CTX_get_ex_data wolfSSL_CTX_get_ex_data #define SSL_CTX_set_ex_data wolfSSL_CTX_set_ex_data @@ -418,6 +452,21 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_SESSION_get_timeout wolfSSL_SESSION_get_timeout #define SSL_SESSION_get_time wolfSSL_SESSION_get_time #define SSL_CTX_get_ex_new_index wolfSSL_CTX_get_ex_new_index +#define PEM_read_bio_X509 wolfSSL_PEM_read_bio_X509 +#define PEM_read_bio_X509_AUX wolfSSL_PEM_read_bio_X509_AUX + +/*#if OPENSSL_API_COMPAT < 0x10100000L*/ +#define CONF_modules_free() +#define ENGINE_cleanup() +#define HMAC_CTX_cleanup wolfSSL_HMAC_cleanup +#define SSL_CTX_need_tmp_RSA(ctx) 0 +#define SSL_CTX_set_tmp_rsa(ctx,rsa) 1 +#define SSL_need_tmp_RSA(ssl) 0 +#define SSL_set_tmp_rsa(ssl,rsa) 1 +/*#endif*/ +#define CONF_modules_unload(a) + +#define SSL_get_hit wolfSSL_session_reused /* yassl had set the default to be 500 */ #define SSL_get_default_timeout(ctx) 500 @@ -427,16 +476,14 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; -#define SSL_CB_HANDSHAKE_START 0x10 #define X509_NAME_free wolfSSL_X509_NAME_free #define SSL_CTX_use_certificate wolfSSL_CTX_use_certificate #define SSL_CTX_use_PrivateKey wolfSSL_CTX_use_PrivateKey #define BIO_read_filename wolfSSL_BIO_read_filename #define BIO_s_file wolfSSL_BIO_s_file -#define OBJ_nid2sn wolf_OBJ_nid2sn -#define OBJ_obj2nid wolf_OBJ_obj2nid -#define OBJ_sn2nid wolf_OBJ_sn2nid -#define PEM_read_bio_X509 PEM_read_bio_WOLFSSL_X509 +#define OBJ_nid2sn wolfSSL_OBJ_nid2sn +#define OBJ_obj2nid wolfSSL_OBJ_obj2nid +#define OBJ_sn2nid wolfSSL_OBJ_sn2nid #define SSL_CTX_set_verify_depth wolfSSL_CTX_set_verify_depth #define SSL_get_app_data wolfSSL_get_app_data #define SSL_set_app_data wolfSSL_set_app_data @@ -458,21 +505,103 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) \ || defined(WOLFSSL_MYSQL_COMPATIBLE) -#define OBJ_nid2ln wolf_OBJ_nid2ln -#define OBJ_txt2nid wolf_OBJ_txt2nid +#define OBJ_nid2ln wolfSSL_OBJ_nid2ln +#define OBJ_txt2nid wolfSSL_OBJ_txt2nid #define PEM_read_bio_DHparams wolfSSL_PEM_read_bio_DHparams +#define PEM_read_bio_DSAparams wolfSSL_PEM_read_bio_DSAparams #define PEM_write_bio_X509 PEM_write_bio_WOLFSSL_X509 -#define SSL_CTX_set_tmp_dh wolfSSL_CTX_set_tmp_dh -#define BIO_new_file wolfSSL_BIO_new_file - #endif /* HAVE_STUNNEL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE */ +#define SSL_CTX_set_tmp_dh wolfSSL_CTX_set_tmp_dh + +#define BIO_new_file wolfSSL_BIO_new_file +#define BIO_ctrl wolfSSL_BIO_ctrl +#define BIO_ctrl_pending wolfSSL_BIO_ctrl_pending +#define BIO_get_mem_ptr wolfSSL_BIO_get_mem_ptr +#define BIO_int_ctrl wolfSSL_BIO_int_ctrl +#define BIO_reset wolfSSL_BIO_reset +#define BIO_s_file wolfSSL_BIO_s_file +#define BIO_s_bio wolfSSL_BIO_s_bio +#define BIO_s_socket wolfSSL_BIO_s_socket +#define BIO_set_fd wolfSSL_BIO_set_fd +#define BIO_ctrl_reset_read_request wolfSSL_BIO_ctrl_reset_read_request + +#define BIO_set_write_buf_size wolfSSL_BIO_set_write_buf_size +#define BIO_make_bio_pair wolfSSL_BIO_make_bio_pair + +#define BIO_set_fp wolfSSL_BIO_set_fp +#define BIO_get_fp wolfSSL_BIO_get_fp +#define BIO_seek wolfSSL_BIO_seek +#define BIO_write_filename wolfSSL_BIO_write_filename +#define BIO_set_mem_eof_return wolfSSL_BIO_set_mem_eof_return + +#define SSL_set_options wolfSSL_set_options +#define SSL_get_options wolfSSL_get_options +#define SSL_set_tmp_dh wolfSSL_set_tmp_dh +#define SSL_clear_num_renegotiations wolfSSL_clear_num_renegotiations +#define SSL_total_renegotiations wolfSSL_total_renegotiations +#define SSL_set_tlsext_debug_arg wolfSSL_set_tlsext_debug_arg +#define SSL_set_tlsext_status_type wolfSSL_set_tlsext_status_type +#define SSL_set_tlsext_status_exts wolfSSL_set_tlsext_status_exts +#define SSL_get_tlsext_status_ids wolfSSL_get_tlsext_status_ids +#define SSL_set_tlsext_status_ids wolfSSL_set_tlsext_status_ids +#define SSL_get_tlsext_status_ocsp_resp wolfSSL_get_tlsext_status_ocsp_resp +#define SSL_set_tlsext_status_ocsp_resp wolfSSL_set_tlsext_status_ocsp_resp + +#define SSL_CTX_add_extra_chain_cert wolfSSL_CTX_add_extra_chain_cert +#define SSL_CTX_get_read_ahead wolfSSL_CTX_get_read_ahead +#define SSL_CTX_set_read_ahead wolfSSL_CTX_set_read_ahead +#define SSL_CTX_set_tlsext_status_arg wolfSSL_CTX_set_tlsext_status_arg +#define SSL_CTX_set_tlsext_opaque_prf_input_callback_arg \ + wolfSSL_CTX_set_tlsext_opaque_prf_input_callback_arg +#define SSL_get_server_random wolfSSL_get_server_random + +#define SSL_get_tlsext_status_exts wolfSSL_get_tlsext_status_exts + +#define BIO_C_SET_FILE_PTR 106 +#define BIO_C_GET_FILE_PTR 107 +#define BIO_C_SET_FILENAME 108 +#define BIO_C_FILE_SEEK 128 +#define BIO_C_SET_BUF_MEM_EOF_RETURN 130 +#define BIO_C_SET_WRITE_BUF_SIZE 136 +#define BIO_C_MAKE_BIO_PAIR 138 + +#define BIO_CTRL_RESET 1 +#define BIO_CTRL_INFO 3 +#define BIO_CTRL_FLUSH 11 +#define BIO_CLOSE 0x01 +#define BIO_FP_WRITE 0x04 + +#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11 +#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12 +#define SSL_CTRL_SET_TMP_DH 3 +#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69 +#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71 + +#define SSL_CTRL_SET_TMP_DH 3 +#define SSL_CTRL_EXTRA_CHAIN_CERT 14 + +#define SSL_CTRL_SET_SESS_CACHE_SIZE 42 +#define SSL_CTRL_GET_READ_AHEAD 40 +#define SSL_CTRL_SET_READ_AHEAD 41 + +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 + +#define SSL_ctrl wolfSSL_ctrl +#define SSL_CTX_ctrl wolfSSL_CTX_ctrl + +#define X509_V_FLAG_CRL_CHECK WOLFSSL_CRL_CHECK +#define X509_V_FLAG_CRL_CHECK_ALL WOLFSSL_CRL_CHECKALL #ifdef HAVE_STUNNEL #include -/* defined as: (SSL_ST_ACCEPT|SSL_CB_LOOP), which becomes 0x2001*/ -#define SSL_CB_ACCEPT_LOOP 0x2001 #define SSL2_VERSION 0x0002 #define SSL3_VERSION 0x0300 #define TLS1_VERSION 0x0301 @@ -518,8 +647,8 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define SSL_get_servername wolfSSL_get_servername #define SSL_set_SSL_CTX wolfSSL_set_SSL_CTX #define SSL_CTX_get_verify_callback wolfSSL_CTX_get_verify_callback -#define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_servername_callback -#define SSL_CTX_set_tlsext_servername_arg wolfSSL_CTX_set_servername_arg +#define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_servername_callback +#define SSL_CTX_set_tlsext_servername_arg wolfSSL_CTX_set_servername_arg #define PSK_MAX_PSK_LEN 256 #define PSK_MAX_IDENTITY_LEN 128 @@ -528,6 +657,33 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #endif /* HAVE_STUNNEL */ +#define SSL_CTX_get_default_passwd_cb wolfSSL_CTX_get_default_passwd_cb +#define SSL_CTX_get_default_passwd_cb_userdata wolfSSL_CTX_get_default_passwd_cb_userdata + +/* certificate extension NIDs */ +#define NID_basic_constraints 133 +#define NID_key_usage 129 /* 2.5.29.15 */ +#define NID_ext_key_usage 151 /* 2.5.29.37 */ +#define NID_subject_key_identifier 128 +#define NID_authority_key_identifier 149 +#define NID_private_key_usage_period 130 /* 2.5.29.16 */ +#define NID_subject_alt_name 131 +#define NID_issuer_alt_name 132 +#define NID_info_access 69 +#define NID_sinfo_access 79 /* id-pe 11 */ +#define NID_name_constraints 144 /* 2.5.29.30 */ +#define NID_certificate_policies 146 +#define NID_policy_mappings 147 +#define NID_policy_constraints 150 +#define NID_inhibit_any_policy 168 /* 2.5.29.54 */ +#define NID_tlsfeature 92 /* id-pe 24 */ + + +#define SSL_CTX_set_msg_callback wolfSSL_CTX_set_msg_callback +#define SSL_set_msg_callback wolfSSL_set_msg_callback +#define SSL_CTX_set_msg_callback_arg wolfSSL_CTX_set_msg_callback_arg +#define SSL_set_msg_callback_arg wolfSSL_set_msg_callback_arg + #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 24fee4e10..dc74b6b19 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -59,7 +59,9 @@ #undef OCSP_RESPONSE #endif - +#ifdef OPENSSL_EXTRA + #include +#endif #ifdef __cplusplus extern "C" { @@ -113,15 +115,24 @@ typedef struct WOLFSSL_ASN1_STRING WOLFSSL_ASN1_STRING; typedef struct WOLFSSL_dynlock_value WOLFSSL_dynlock_value; typedef struct WOLFSSL_DH WOLFSSL_DH; typedef struct WOLFSSL_ASN1_BIT_STRING WOLFSSL_ASN1_BIT_STRING; +typedef unsigned char* WOLFSSL_BUF_MEM; #define WOLFSSL_ASN1_UTCTIME WOLFSSL_ASN1_TIME +struct WOLFSSL_ASN1_INTEGER { + /* size can be increased set at 20 for tag, length then to hold at least 16 + * byte type */ + unsigned char data[20]; + /* ASN_INTEGER | LENGTH | hex of number */ +}; + +typedef char WOLFSSL_EVP_MD; typedef struct WOLFSSL_EVP_PKEY { int type; /* openssh dereference */ int save_type; /* openssh dereference */ int pkey_sz; union { - char* ptr; + char* ptr; /* der format of key / or raw for NTRU */ } pkey; #ifdef HAVE_ECC int pkey_curve; @@ -174,6 +185,7 @@ typedef struct WOLFSSL_BUFFER_INFO { typedef struct WOLFSSL_X509_STORE_CTX { WOLFSSL_X509_STORE* store; /* Store full of a CA cert chain */ WOLFSSL_X509* current_cert; /* stunnel dereference */ + WOLFSSL_STACK* chain; char* domain; /* subject CN domain name */ void* ex_data; /* external data, for fortress build */ void* userCtx; /* user ctx */ @@ -239,6 +251,7 @@ WOLFSSL_API WOLFSSL_METHOD *wolfSSLv23_client_method_ex(void* heap); WOLFSSL_API WOLFSSL_METHOD *wolfDTLSv1_2_client_method_ex(void* heap); WOLFSSL_API WOLFSSL_METHOD *wolfDTLSv1_2_server_method_ex(void* heap); #endif +WOLFSSL_API WOLFSSL_METHOD *wolfSSLv23_method(void); WOLFSSL_API WOLFSSL_METHOD *wolfSSLv3_server_method(void); WOLFSSL_API WOLFSSL_METHOD *wolfSSLv3_client_method(void); WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_server_method(void); @@ -438,6 +451,13 @@ WOLFSSL_API int wolfSSL_sk_X509_push(STACK_OF(WOLFSSL_X509_NAME)* sk, WOLFSSL_X509* x509); WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_pop(STACK_OF(WOLFSSL_X509_NAME)* sk); WOLFSSL_API void wolfSSL_sk_X509_free(STACK_OF(WOLFSSL_X509_NAME)* sk); +WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_new(void); +WOLFSSL_API void wolfSSL_ASN1_OBJECT_free(WOLFSSL_ASN1_OBJECT* obj); +WOLFSSL_API int wolfSSL_sk_ASN1_OBJECT_push(STACK_OF(WOLFSSL_ASN1_OBJEXT)* sk, + WOLFSSL_ASN1_OBJECT* obj); +WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_sk_ASN1_OBJCET_pop( + STACK_OF(WOLFSSL_ASN1_OBJECT)* sk); +WOLFSSL_API void wolfSSL_sk_ASN1_OBJECT_free(STACK_OF(WOLFSSL_ASN1_OBJECT)* sk); WOLFSSL_API int wolfSSL_set_ex_data(WOLFSSL*, int, void*); WOLFSSL_API int wolfSSL_get_shutdown(const WOLFSSL*); @@ -501,11 +521,34 @@ WOLFSSL_API int wolfSSL_BIO_get_mem_data(WOLFSSL_BIO* bio,const unsigned char** WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_mem_buf(void* buf, int len); -WOLFSSL_API long wolfSSL_BIO_set_ssl(WOLFSSL_BIO*, WOLFSSL*, int flag); -WOLFSSL_API void wolfSSL_set_bio(WOLFSSL*, WOLFSSL_BIO* rd, WOLFSSL_BIO* wr); - +WOLFSSL_API long wolfSSL_BIO_set_ssl(WOLFSSL_BIO*, WOLFSSL*, int flag); +WOLFSSL_API long wolfSSL_BIO_set_fd(WOLFSSL_BIO* b, int fd, int flag); +WOLFSSL_API void wolfSSL_set_bio(WOLFSSL*, WOLFSSL_BIO* rd, WOLFSSL_BIO* wr); WOLFSSL_API int wolfSSL_add_all_algorithms(void); +#ifndef NO_FILESYSTEM +WOLFSSL_API WOLFSSL_BIO_METHOD *wolfSSL_BIO_s_file(void); +#endif + +WOLFSSL_API WOLFSSL_BIO_METHOD *wolfSSL_BIO_s_bio(void); +WOLFSSL_API WOLFSSL_BIO_METHOD *wolfSSL_BIO_s_socket(void); + +WOLFSSL_API long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bp, int cmd, long larg, void *parg); +WOLFSSL_API long wolfSSL_BIO_int_ctrl(WOLFSSL_BIO *bp, int cmd, long larg, int iarg); + +WOLFSSL_API int wolfSSL_BIO_set_write_buf_size(WOLFSSL_BIO *b, long size); +WOLFSSL_API int wolfSSL_BIO_make_bio_pair(WOLFSSL_BIO *b1, WOLFSSL_BIO *b2); +WOLFSSL_API int wolfSSL_BIO_ctrl_reset_read_request(WOLFSSL_BIO *b); +WOLFSSL_API int wolfSSL_BIO_nread0(WOLFSSL_BIO *bio, char **buf); +WOLFSSL_API int wolfSSL_BIO_nread(WOLFSSL_BIO *bio, char **buf, int num); +WOLFSSL_API int wolfSSL_BIO_nwrite(WOLFSSL_BIO *bio, char **buf, int num); +WOLFSSL_API int wolfSSL_BIO_reset(WOLFSSL_BIO *bio); + +WOLFSSL_API int wolfSSL_BIO_seek(WOLFSSL_BIO *bio, int ofs); +WOLFSSL_API int wolfSSL_BIO_write_filename(WOLFSSL_BIO *bio, char *name); +WOLFSSL_API long wolfSSL_BIO_set_mem_eof_return(WOLFSSL_BIO *bio, int v); +WOLFSSL_API long wolfSSL_BIO_get_mem_ptr(WOLFSSL_BIO *bio, WOLFSSL_BUF_MEM **m); + WOLFSSL_API void wolfSSL_RAND_screen(void); WOLFSSL_API const char* wolfSSL_RAND_file_name(char*, unsigned long); WOLFSSL_API int wolfSSL_RAND_write_file(const char*); @@ -574,6 +617,10 @@ WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void); WOLFSSL_API void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE*); WOLFSSL_API int wolfSSL_X509_STORE_add_cert( WOLFSSL_X509_STORE*, WOLFSSL_X509*); +WOLFSSL_API WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain( + WOLFSSL_X509_STORE_CTX* ctx); +WOLFSSL_API int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, + unsigned long flag); WOLFSSL_API int wolfSSL_X509_STORE_set_default_paths(WOLFSSL_X509_STORE*); WOLFSSL_API int wolfSSL_X509_STORE_get_by_subject(WOLFSSL_X509_STORE_CTX*, int, WOLFSSL_X509_NAME*, WOLFSSL_X509_OBJECT*); @@ -591,6 +638,9 @@ WOLFSSL_API int wolfSSL_X509_CRL_verify(WOLFSSL_X509_CRL*, WOLFSSL_EVP_PKE WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_error(WOLFSSL_X509_STORE_CTX*, int); WOLFSSL_API void wolfSSL_X509_OBJECT_free_contents(WOLFSSL_X509_OBJECT*); +WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, + WOLFSSL_EVP_PKEY** out, const unsigned char **in, long inSz); +WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_PKEY_new(void); WOLFSSL_API void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY*); WOLFSSL_API int wolfSSL_X509_cmp_current_time(const WOLFSSL_ASN1_TIME*); WOLFSSL_API int wolfSSL_sk_X509_REVOKED_num(WOLFSSL_X509_REVOKED*); @@ -606,7 +656,11 @@ WOLFSSL_API int wolfSSL_ASN1_INTEGER_cmp(const WOLFSSL_ASN1_INTEGER*, const WOLFSSL_ASN1_INTEGER*); WOLFSSL_API long wolfSSL_ASN1_INTEGER_get(const WOLFSSL_ASN1_INTEGER*); +#ifdef OPENSSL_EXTRA +WOLFSSL_API WOLFSSL_BIGNUM *wolfSSL_ASN1_INTEGER_to_BN(const WOLFSSL_ASN1_INTEGER *ai, + WOLFSSL_BIGNUM *bn); WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char*); +#endif WOLFSSL_API void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX*, STACK_OF(WOLFSSL_X509_NAME)*); @@ -648,11 +702,73 @@ WOLFSSL_API long wolfSSL_CTX_sess_cache_full(WOLFSSL_CTX*); WOLFSSL_API long wolfSSL_CTX_sess_misses(WOLFSSL_CTX*); WOLFSSL_API long wolfSSL_CTX_sess_timeouts(WOLFSSL_CTX*); WOLFSSL_API long wolfSSL_CTX_sess_number(WOLFSSL_CTX*); + +WOLFSSL_API long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX*, WOLFSSL_X509*); +WOLFSSL_API long wolfSSL_CTX_sess_set_cache_size(WOLFSSL_CTX*, long); WOLFSSL_API long wolfSSL_CTX_sess_get_cache_size(WOLFSSL_CTX*); +WOLFSSL_API long wolfSSL_CTX_get_session_cache_mode(WOLFSSL_CTX*); +WOLFSSL_API int wolfSSL_CTX_get_read_ahead(WOLFSSL_CTX*); +WOLFSSL_API int wolfSSL_CTX_set_read_ahead(WOLFSSL_CTX*, int v); +WOLFSSL_API long wolfSSL_CTX_set_tlsext_status_arg(WOLFSSL_CTX*, void* arg); +WOLFSSL_API long wolfSSL_CTX_set_tlsext_opaque_prf_input_callback_arg( + WOLFSSL_CTX*, void* arg); + +WOLFSSL_API unsigned long wolfSSL_set_options(WOLFSSL *s, unsigned long op); +WOLFSSL_API unsigned long wolfSSL_get_options(const WOLFSSL *s); +WOLFSSL_API long wolfSSL_clear_num_renegotiations(WOLFSSL *s); +WOLFSSL_API long wolfSSL_total_renegotiations(WOLFSSL *s); +WOLFSSL_API long wolfSSL_set_tmp_dh(WOLFSSL *s, WOLFSSL_DH *dh); +WOLFSSL_API long wolfSSL_set_tlsext_debug_arg(WOLFSSL *s, void *arg); +WOLFSSL_API long wolfSSL_set_tlsext_status_type(WOLFSSL *s, int type); +WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg); +WOLFSSL_API long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg); +WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg); +WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp); +WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, int len); + +WOLFSSL_API void wolfSSL_CONF_modules_unload(int all); +WOLFSSL_API long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg); +WOLFSSL_API long wolfSSL_get_verify_result(const WOLFSSL *ssl); + #define WOLFSSL_DEFAULT_CIPHER_LIST "" /* default all */ #define WOLFSSL_RSA_F4 0x10001L +/* seperated out from other enums because of size */ +enum { + /* bit flags (ie 0001 vs 0010) : each is 2 times previous value */ + SSL_OP_MICROSOFT_SESS_ID_BUG = 1, + SSL_OP_NETSCAPE_CHALLENGE_BUG = 2, + SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 4, + SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 8, + SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 16, + SSL_OP_MSIE_SSLV2_RSA_PADDING = 32, + SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 64, + SSL_OP_TLS_D5_BUG = 128, + SSL_OP_TLS_BLOCK_PADDING_BUG = 256, + SSL_OP_TLS_ROLLBACK_BUG = 512, + SSL_OP_ALL = 1024, + SSL_OP_EPHEMERAL_RSA = 2048, + SSL_OP_NO_SSLv3 = 4096, + SSL_OP_NO_TLSv1 = 8192, + SSL_OP_PKCS1_CHECK_1 = 16384, + SSL_OP_PKCS1_CHECK_2 = 32768, + SSL_OP_NETSCAPE_CA_DN_BUG = 65536, + SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 131072, + SSL_OP_SINGLE_DH_USE = 262144, + SSL_OP_NO_TICKET = 524288, + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 1048576, + SSL_OP_NO_QUERY_MTU = 2097152, + SSL_OP_COOKIE_EXCHANGE = 4194304, + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 8388608, + SSL_OP_SINGLE_ECDH_USE = 16777216, + SSL_OP_CIPHER_SERVER_PREFERENCE = 33554432, + SSL_OP_NO_TLSv1_1 = 67108864, + SSL_OP_NO_TLSv1_2 = 134217728, + SSL_OP_NO_COMPRESSION = 268435456, +}; + + enum { OCSP_NOCERTS = 1, OCSP_NOINTERN = 2, @@ -677,46 +793,29 @@ enum { WOLFSSL_OCSP_CHECKALL = 4, WOLFSSL_CRL_CHECKALL = 1, + WOLFSSL_CRL_CHECK = 27, ASN1_GENERALIZEDTIME = 4, - - SSL_OP_MICROSOFT_SESS_ID_BUG = 1, - SSL_OP_NETSCAPE_CHALLENGE_BUG = 2, - SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 3, - SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 4, - SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 5, - SSL_OP_MSIE_SSLV2_RSA_PADDING = 6, - SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 7, - SSL_OP_TLS_D5_BUG = 8, - SSL_OP_TLS_BLOCK_PADDING_BUG = 9, - SSL_OP_TLS_ROLLBACK_BUG = 10, - SSL_OP_ALL = 11, - SSL_OP_EPHEMERAL_RSA = 12, - SSL_OP_NO_SSLv3 = 13, - SSL_OP_NO_TLSv1 = 14, - SSL_OP_PKCS1_CHECK_1 = 15, - SSL_OP_PKCS1_CHECK_2 = 16, - SSL_OP_NETSCAPE_CA_DN_BUG = 17, - SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 18, - SSL_OP_SINGLE_DH_USE = 19, - SSL_OP_NO_TICKET = 20, - SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 21, - SSL_OP_NO_QUERY_MTU = 22, - SSL_OP_COOKIE_EXCHANGE = 23, - SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 24, - SSL_OP_SINGLE_ECDH_USE = 25, - SSL_OP_CIPHER_SERVER_PREFERENCE = 26, - SSL_MAX_SSL_SESSION_ID_LENGTH = 32, EVP_R_BAD_DECRYPT = 2, - SSL_CB_LOOP = 4, - SSL_ST_CONNECT = 5, - SSL_ST_ACCEPT = 6, - SSL_CB_ALERT = 7, - SSL_CB_READ = 8, - SSL_CB_HANDSHAKE_DONE = 9, + SSL_ST_CONNECT = 0x1000, + SSL_ST_ACCEPT = 0x2000, + + SSL_CB_LOOP = 0x01, + SSL_CB_EXIT = 0x02, + SSL_CB_READ = 0x04, + SSL_CB_WRITE = 0x08, + SSL_CB_HANDSHAKE_START = 0x10, + SSL_CB_HANDSHAKE_DONE = 0x20, + SSL_CB_ALERT = 0x4000, + SSL_CB_READ_ALERT = (SSL_CB_ALERT | SSL_CB_READ), + SSL_CB_WRITE_ALERT = (SSL_CB_ALERT | SSL_CB_WRITE), + SSL_CB_ACCEPT_LOOP = (SSL_ST_ACCEPT | SSL_CB_LOOP), + SSL_CB_ACCEPT_EXIT = (SSL_ST_ACCEPT | SSL_CB_EXIT), + SSL_CB_CONNECT_LOOP = (SSL_ST_CONNECT | SSL_CB_LOOP), + SSL_CB_CONNECT_EXIT = (SSL_ST_CONNECT | SSL_CB_EXIT), SSL_MODE_ENABLE_PARTIAL_WRITE = 2, @@ -730,6 +829,7 @@ enum { X509_LU_X509 = 9, X509_LU_CRL = 12, + X509_V_OK = 0, X509_V_ERR_CRL_SIGNATURE_FAILURE = 13, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 14, X509_V_ERR_CRL_HAS_EXPIRED = 15, @@ -741,7 +841,39 @@ enum { X509_V_ERR_CERT_HAS_EXPIRED = 21, X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 22, X509_V_ERR_CERT_REJECTED = 23, - X509_V_OK = 0, + /* additional X509_V_ERR_* enums not used in wolfSSL */ + X509_V_ERR_UNABLE_TO_GET_CRL, + X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, + X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, + X509_V_ERR_CERT_SIGNATURE_FAILURE, + X509_V_ERR_CRL_NOT_YET_VALID, + X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, + X509_V_ERR_OUT_OF_MEM, + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, + X509_V_ERR_INVALID_CA, + X509_V_ERR_PATH_LENGTH_EXCEEDED, + X509_V_ERR_INVALID_PURPOSE, + X509_V_ERR_CERT_UNTRUSTED, + X509_V_ERR_SUBJECT_ISSUER_MISMATCH, + X509_V_ERR_AKID_SKID_MISMATCH, + X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, + X509_V_ERR_KEYUSAGE_NO_CERTSIGN, + X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, + X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, + X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, + X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, + X509_V_ERR_INVALID_NON_CA, + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, + X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, + X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, + X509_V_ERR_INVALID_EXTENSION, + X509_V_ERR_INVALID_POLICY_EXTENSION, + X509_V_ERR_NO_EXPLICIT_POLICY, + X509_V_ERR_UNNESTED_RESOURCE, XN_FLAG_SPC_EQ = (1 << 23), XN_FLAG_ONELINE = 0, @@ -854,6 +986,14 @@ enum { /* ERR Constants */ ERR_TXT_STRING = 1 }; +/* bio misc */ +enum { + WOLFSSL_BIO_ERROR = -1, + WOLFSSL_BIO_UNSET = -2, + WOLFSSL_BIO_SIZE = 17000 /* default BIO write size if not set */ +}; + + WOLFSSL_API unsigned long wolfSSL_ERR_get_error_line_data(const char**, int*, const char**, int *); @@ -873,6 +1013,7 @@ WOLFSSL_API void wolfSSL_ERR_free_strings(void); WOLFSSL_API void wolfSSL_ERR_remove_state(unsigned long); WOLFSSL_API void wolfSSL_EVP_cleanup(void); WOLFSSL_API int wolfSSL_clear(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_state(WOLFSSL* ssl); WOLFSSL_API void wolfSSL_cleanup_all_ex_data(void); WOLFSSL_API long wolfSSL_CTX_set_mode(WOLFSSL_CTX* ctx, long mode); @@ -880,7 +1021,6 @@ WOLFSSL_API long wolfSSL_CTX_get_mode(WOLFSSL_CTX* ctx); WOLFSSL_API void wolfSSL_CTX_set_default_read_ahead(WOLFSSL_CTX* ctx, int m); WOLFSSL_API long wolfSSL_SSL_get_mode(WOLFSSL* ssl); -WOLFSSL_API long wolfSSL_CTX_sess_set_cache_size(WOLFSSL_CTX*, long); WOLFSSL_API int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_CTX_set_session_id_context(WOLFSSL_CTX*, @@ -1290,6 +1430,7 @@ WOLFSSL_API int wolfSSL_SetTlsHmacInner(WOLFSSL*, unsigned char enum { WOLFSSL_SERVER_END = 0, WOLFSSL_CLIENT_END = 1, + WOLFSSL_NEITHER_END = 3, WOLFSSL_BLOCK_TYPE = 2, WOLFSSL_STREAM_TYPE = 3, WOLFSSL_AEAD_TYPE = 4, @@ -1748,7 +1889,8 @@ WOLFSSL_API int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, unsigned short name); then will not send keys in the hello extension */ WOLFSSL_API int wolfSSL_UseClientQSHKeys(WOLFSSL* ssl, unsigned char flag); #endif -#endif + +#endif /* QSH */ /* TLS Extended Master Secret Extension */ WOLFSSL_API int wolfSSL_DisableExtendedMasterSecret(WOLFSSL* ssl); @@ -1821,9 +1963,55 @@ WOLFSSL_API char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time, #ifdef OPENSSL_EXTRA -WOLFSSL_API int wolfSSL_get_client_random(WOLFSSL* ssl, unsigned char* out, - int outSz); +#ifndef NO_FILESYSTEM +WOLFSSL_API long wolfSSL_BIO_set_fp(WOLFSSL_BIO *bio, XFILE fp, int c); +WOLFSSL_API long wolfSSL_BIO_get_fp(WOLFSSL_BIO *bio, XFILE* fp); +#endif +WOLFSSL_API unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line); +WOLFSSL_API long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt); +WOLFSSL_API long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt,void* pt); + +#ifndef NO_CERTS +WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl); +WOLFSSL_API void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, + int nid, int* c, int* idx); +WOLFSSL_API int wolfSSL_X509_digest(const WOLFSSL_X509* x509, + const WOLFSSL_EVP_MD* digest, unsigned char* buf, unsigned int* len); +WOLFSSL_API int wolfSSL_use_certificate(WOLFSSL* ssl, WOLFSSL_X509* x509); +WOLFSSL_API int wolfSSL_use_certificate_ASN1(WOLFSSL* ssl, unsigned char* der, + int derSz); +WOLFSSL_API int wolfSSL_use_PrivateKey(WOLFSSL* ssl, WOLFSSL_EVP_PKEY* pkey); +WOLFSSL_API int wolfSSL_use_PrivateKey_ASN1(int pri, WOLFSSL* ssl, + unsigned char* der, long derSz); +#ifndef NO_RSA +WOLFSSL_API int wolfSSL_use_RSAPrivateKey_ASN1(WOLFSSL* ssl, unsigned char* der, + long derSz); +#endif +#endif /* NO_CERTS */ + +WOLFSSL_API WOLFSSL_DH *wolfSSL_DSA_dup_DH(const WOLFSSL_DSA *r); + +WOLFSSL_API int wolfSSL_SESSION_get_master_key(const WOLFSSL_SESSION* ses, + unsigned char* out, int outSz); +WOLFSSL_API int wolfSSL_SESSION_get_master_key_length(const WOLFSSL_SESSION* ses); + +WOLFSSL_API void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx, + WOLFSSL_X509_STORE* str); +WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509** x509); +WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx); + +WOLFSSL_API size_t wolfSSL_BIO_ctrl_pending(WOLFSSL_BIO *b); +WOLFSSL_API size_t wolfSSL_get_server_random(const WOLFSSL *ssl, + unsigned char *out, size_t outlen); +WOLFSSL_API size_t wolfSSL_get_client_random(const WOLFSSL* ssl, + unsigned char* out, size_t outSz); +WOLFSSL_API pem_password_cb* wolfSSL_CTX_get_default_passwd_cb(WOLFSSL_CTX *ctx); +WOLFSSL_API void *wolfSSL_CTX_get_default_passwd_cb_userdata(WOLFSSL_CTX *ctx); +WOLFSSL_API int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey); +WOLFSSL_API WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u); +WOLFSSL_API WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509_AUX + (WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u); /*lighttp compatibility */ @@ -1839,14 +2027,11 @@ struct WOLFSSL_X509_NAME_ENTRY { #if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name); WOLFSSL_API char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x); -WOLFSSL_API int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey); WOLFSSL_API int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name); -WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_file(void); /* These are to be merged shortly */ -WOLFSSL_API const char * wolf_OBJ_nid2sn(int n); -WOLFSSL_API int wolf_OBJ_obj2nid(const WOLFSSL_ASN1_OBJECT *o); -WOLFSSL_API int wolf_OBJ_sn2nid(const char *sn); -WOLFSSL_API WOLFSSL_X509 *PEM_read_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u); +WOLFSSL_API const char * wolfSSL_OBJ_nid2sn(int n); +WOLFSSL_API int wolfSSL_OBJ_obj2nid(const WOLFSSL_ASN1_OBJECT *o); +WOLFSSL_API int wolfSSL_OBJ_sn2nid(const char *sn); WOLFSSL_API void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth); WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); WOLFSSL_API void wolfSSL_set_app_data(WOLFSSL *ssl, void *arg); @@ -1857,20 +2042,25 @@ WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsign WOLFSSL_API int wolfSSL_X509_check_private_key(WOLFSSL_X509*, WOLFSSL_EVP_PKEY*); WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list( STACK_OF(WOLFSSL_X509_NAME) *sk ); -/* end lighttpd, mysql, have_stunnel*/ +/* end lighttpd*/ #endif #endif #if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) \ - || defined(WOLFSSL_MYSQL_COMPATIBLE) + || defined(WOLFSSL_MYSQL_COMPATIBLE) \ + || defined(OPENSSL_EXTRA) -WOLFSSL_API char * wolf_OBJ_nid2ln(int n); -WOLFSSL_API int wolf_OBJ_txt2nid(const char *sn); +WOLFSSL_API char* wolfSSL_OBJ_nid2ln(int n); +WOLFSSL_API int wolfSSL_OBJ_txt2nid(const char *sn); WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_file(const char *filename, const char *mode); WOLFSSL_API long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX*, WOLFSSL_DH*); WOLFSSL_API WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bp, WOLFSSL_DH **x, pem_password_cb *cb, void *u); -WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x); +WOLFSSL_API WOLFSSL_DSA *wolfSSL_PEM_read_bio_DSAparams(WOLFSSL_BIO *bp, + WOLFSSL_DSA **x, pem_password_cb *cb, void *u); +WOLFSSL_API int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x); +WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx); + #endif /* HAVE_STUNNEL || HAVE_LIGHTY */ @@ -1928,8 +2118,6 @@ WOLFSSL_API void* wolfSSL_sk_X509_value(STACK_OF(WOLFSSL_X509)*, int); WOLFSSL_API STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL*); -WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx); - WOLFSSL_API void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION*, int); WOLFSSL_API int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION*, int, void*); @@ -1958,6 +2146,10 @@ WOLFSSL_API void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*); WOLFSSL_API void WOLFSSL_ERR_remove_thread_state(void*); +#ifndef NO_FILESYSTEM +WOLFSSL_API void wolfSSL_print_all_errors_fp(XFILE *fp); +#endif + WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX*, long); WOLFSSL_API void wolfSSL_THREADID_set_callback(void (*threadid_func)(void*)); @@ -1988,6 +2180,16 @@ WOLFSSL_API int wolfSSL_CTX_AsyncPoll(WOLFSSL_CTX* ctx, WOLF_EVENT** events, int WOLF_EVENT_FLAG flags, int* eventCount); #endif /* WOLFSSL_ASYNC_CRYPT */ +#ifdef OPENSSL_EXTRA +typedef void (*SSL_Msg_Cb)(int write_p, int version, int content_type, + const void *buf, size_t len, WOLFSSL *ssl, void *arg); + +WOLFSSL_API int wolfSSL_CTX_set_msg_callback(WOLFSSL_CTX *ctx, SSL_Msg_Cb cb); +WOLFSSL_API int wolfSSL_set_msg_callback(WOLFSSL *ssl, SSL_Msg_Cb cb); +WOLFSSL_API int wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg); +WOLFSSL_API int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg); +#endif + #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/test.h b/wolfssl/test.h index e0a3c1a0e..3e278161c 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -524,6 +524,7 @@ static INLINE void showPeer(WOLFSSL* ssl) #endif #if defined(SHOW_CERTS) && defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT) ShowX509(wolfSSL_get_certificate(ssl), "our cert info:"); + printf("Peer verify result = %lu\n", wolfSSL_get_verify_result(ssl)); #endif /* SHOW_CERTS */ printf("SSL version is %s\n", wolfSSL_get_version(ssl)); @@ -664,6 +665,8 @@ static INLINE void build_addr(SOCKADDR_IN_T* addr, const char* peer, static INLINE void tcp_socket(SOCKET_T* sockfd, int udp, int sctp) { + (void)sctp; + if (udp) *sockfd = socket(AF_INET_V, SOCK_DGRAM, IPPROTO_UDP); #ifdef WOLFSSL_SCTP diff --git a/wolfssl/version.h b/wolfssl/version.h index bd14b29ee..bd92deb26 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -28,8 +28,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.9.10" -#define LIBWOLFSSL_VERSION_HEX 0x03009010 +#define LIBWOLFSSL_VERSION_STRING "3.10.0" +#define LIBWOLFSSL_VERSION_HEX 0x03010000 #ifdef __cplusplus } diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index b7fb2c776..2b3c4e576 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -124,6 +124,13 @@ WOLFSSL_API int wc_AesCbcEncrypt(Aes* aes, byte* out, WOLFSSL_API int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz); +#ifdef HAVE_AES_ECB +WOLFSSL_API int wc_AesEcbEncrypt(Aes* aes, byte* out, + const byte* in, word32 sz); +WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out, + const byte* in, word32 sz); +#endif + /* AES-CTR */ #ifdef WOLFSSL_AES_COUNTER WOLFSSL_API void wc_AesCtrEncrypt(Aes* aes, byte* out, @@ -192,4 +199,3 @@ WOLFSSL_API int wc_AesGetKeySize(Aes* aes, word32* keySize); #endif /* NO_AES */ #endif /* WOLF_CRYPT_AES_H */ - diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index fdb8dc7dc..1eb4b6d90 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -303,14 +303,20 @@ enum Extensions_Sum { BASIC_CA_OID = 133, ALT_NAMES_OID = 131, CRL_DIST_OID = 145, - AUTH_INFO_OID = 69, + AUTH_INFO_OID = 69, /* id-pe 1 */ AUTH_KEY_OID = 149, SUBJ_KEY_OID = 128, CERT_POLICY_OID = 146, KEY_USAGE_OID = 129, /* 2.5.29.15 */ INHIBIT_ANY_OID = 168, /* 2.5.29.54 */ - EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */ - NAME_CONS_OID = 144 /* 2.5.29.30 */ + EXT_KEY_USAGE_OID = 151, /* 2.5.29.37 */ + NAME_CONS_OID = 144, /* 2.5.29.30 */ + PRIV_KEY_USAGE_PERIOD_OID = 130, /* 2.5.29.16 */ + SUBJECT_INFO_ACCESS = 79, /* id-pe 11 */ + POLICY_MAP_OID = 147, + POLICY_CONST_OID = 150, + ISSUE_ALT_NAMES_OID = 132, + TLS_FEATURE_OID = 92 /* id-pe 24 */ }; enum CertificatePolicy_Sum { @@ -475,6 +481,10 @@ struct DecodedCert { byte extExtKeyUsageSet; /* Extended Key Usage */ byte extExtKeyUsage; /* Extended Key usage bitfield */ #ifdef OPENSSL_EXTRA + byte extCRLdistSet; + byte extCRLdistCrit; + byte extAuthInfoSet; + byte extAuthInfoCrit; byte extBasicConstSet; byte extBasicConstCrit; byte extSubjAltNameSet; @@ -554,10 +564,22 @@ struct DecodedCert { #endif /* WOLFSSL_CERT_EXT */ }; + +struct WOLFSSL_ASN1_OBJECT { + void* heap; + byte* obj; + int type; /* oid */ + word32 objSz; + byte dynamic; /* if 1 then obj was dynamiclly created, 0 otherwise */ +}; + + extern const char* BEGIN_CERT; extern const char* END_CERT; extern const char* BEGIN_CERT_REQ; extern const char* END_CERT_REQ; +extern const char* BEGIN_DSA_PARAM; +extern const char* END_DSA_PARAM; extern const char* BEGIN_DH_PARAM; extern const char* END_DH_PARAM; extern const char* BEGIN_X509_CRL; diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index c9d95459d..576d2d28f 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -41,6 +41,7 @@ enum CertType { CERT_TYPE = 0, PRIVATEKEY_TYPE, DH_PARAM_TYPE, + DSA_PARAM_TYPE, CRL_TYPE, CA_TYPE, ECC_PRIVATEKEY_TYPE, @@ -157,11 +158,6 @@ typedef struct Cert { #endif void* heap; /* heap hint */ } Cert; -#endif /* WOLFSSL_CERT_GEN */ - - -#ifdef WOLFSSL_CERT_GEN - /* Initialize and Set Certificate defaults: diff --git a/wolfssl/wolfcrypt/des3.h b/wolfssl/wolfcrypt/des3.h index db12cc900..409aa81f7 100644 --- a/wolfssl/wolfcrypt/des3.h +++ b/wolfssl/wolfcrypt/des3.h @@ -94,6 +94,12 @@ WOLFSSL_API int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz); WOLFSSL_API int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz); +WOLFSSL_API int wc_Des3_EcbEncrypt(Des3* des, byte* out, + const byte* in, word32 sz); + +/* ECB decrypt same process as encrypt but with decrypt key */ +#define wc_Des_EcbDecrypt wc_Des_EcbEncrypt +#define wc_Des3_EcbDecrypt wc_Des3_EcbEncrypt WOLFSSL_API int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv,int dir); diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 62bad6f83..9ebdc5d21 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -178,7 +178,8 @@ enum { ASN_PATHLEN_SIZE_E = -237, /* ASN CA path length too large error */ ASN_PATHLEN_INV_E = -238, /* ASN CA path length inversion error */ - BAD_KEYWRAP_IV_E = -239, /* Decrypted AES key wrap IV incorrect */ + BAD_KEYWRAP_ALG_E = -239, + BAD_KEYWRAP_IV_E = -240, /* Decrypted AES key wrap IV incorrect */ MIN_CODE_E = -300 /* errors -101 - -299 */ diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index 7c9c0fb7f..ca33c8b1e 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -58,7 +58,8 @@ nobase_include_HEADERS+= \ wolfssl/wolfcrypt/mpi_superclass.h \ wolfssl/wolfcrypt/mem_track.h \ wolfssl/wolfcrypt/wolfevent.h \ - wolfssl/wolfcrypt/pkcs12.h + wolfssl/wolfcrypt/pkcs12.h \ + wolfssl/wolfcrypt/wolfmath.h noinst_HEADERS+= \ wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h \ diff --git a/wolfssl/wolfcrypt/integer.h b/wolfssl/wolfcrypt/integer.h index c965330ea..7cd447a4c 100644 --- a/wolfssl/wolfcrypt/integer.h +++ b/wolfssl/wolfcrypt/integer.h @@ -64,7 +64,7 @@ extern "C" { /* C on the other hand doesn't care */ #define OPT_CAST(x) -#endif +#endif /* __cplusplus */ /* detect 64-bit mode if possible */ @@ -179,7 +179,7 @@ typedef int mp_err; #define MP_WARRAY (1 << (sizeof(mp_word) * CHAR_BIT - 2 * DIGIT_BIT + 1)) /* the infamous mp_int structure */ -typedef struct { +typedef struct mp_int { int used, alloc, sign; mp_digit *dp; #ifdef WOLFSSL_ASYNC_CRYPT @@ -342,6 +342,11 @@ int mp_radix_size (mp_int * a, int radix, int *size); int mp_cnt_lsb(mp_int *a); int mp_mod_d(mp_int* a, mp_digit b, mp_digit* c); + +/* wolf big int and common functions */ +#include + + #ifdef __cplusplus } #endif diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index 29bf0abea..a69bde5c7 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -55,7 +55,18 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); #define WOLFSSL_STUB(m) \ WOLFSSL_MSG(WOLFSSL_LOG_CAT(wolfSSL Stub, m, not implemented)) +#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) + /* make these variables global and declare them in logging.c */ + extern volatile char wc_last_error_file[80]; + extern volatile unsigned long wc_last_error_line; + extern volatile unsigned long wc_last_error; + + void WOLFSSL_ERROR_LINE(int err, const char* func, unsigned int line, + const char* file, void* ctx); + #define WOLFSSL_ERROR(x) WOLFSSL_ERROR_LINE((x), __func__, __LINE__, __FILE__,NULL) +#else void WOLFSSL_ERROR(int); +#endif void WOLFSSL_MSG(const char* msg); void WOLFSSL_BUFFER(byte* buffer, word32 length); diff --git a/wolfssl/wolfcrypt/misc.h b/wolfssl/wolfcrypt/misc.h index 959b2d87f..c86fe2a6f 100644 --- a/wolfssl/wolfcrypt/misc.h +++ b/wolfssl/wolfcrypt/misc.h @@ -67,6 +67,13 @@ WOLFSSL_LOCAL void ByteReverseWords64(word64*, const word64*, word32); #endif /* WORD64_AVAILABLE */ +#ifndef WOLFSSL_HAVE_MIN + #if defined(HAVE_FIPS) && !defined(min) + #define min min + #endif + WOLFSSL_LOCAL word32 min(word32 a, word32 b); +#endif + #endif /* NO_INLINE */ diff --git a/wolfssl/wolfcrypt/tfm.h b/wolfssl/wolfcrypt/tfm.h index c7cf9fa06..ea7f80e9b 100644 --- a/wolfssl/wolfcrypt/tfm.h +++ b/wolfssl/wolfcrypt/tfm.h @@ -282,12 +282,10 @@ #define FP_NO 0 /* no response */ /* a FP type */ -typedef struct { - int used, - sign; -#ifdef ALT_ECC_SIZE +typedef struct fp_int { + int used; + int sign; int size; -#endif fp_digit dp[FP_SIZE]; #ifdef WOLFSSL_ASYNC_CRYPT byte *dpraw; /* Used for hardware crypto */ @@ -370,15 +368,9 @@ typedef struct { /*const char *fp_ident(void);*/ /* initialize [or zero] an fp int */ -#ifdef ALT_ECC_SIZE - void fp_init(fp_int *a); - void fp_zero(fp_int *a); - void fp_clear(fp_int *a); /* uses ForceZero to clear sensitive memory */ -#else - #define fp_init(a) (void)XMEMSET((a), 0, sizeof(fp_int)) - #define fp_zero(a) fp_init(a) - #define fp_clear(a) ForceZero((a), sizeof(fp_int)); -#endif +void fp_init(fp_int *a); +void fp_zero(fp_int *a); +void fp_clear(fp_int *a); /* uses ForceZero to clear sensitive memory */ /* zero/even/odd ? */ #define fp_iszero(a) (((a)->used == 0) ? FP_YES : FP_NO) @@ -397,13 +389,8 @@ int fp_is_bit_set(fp_int *a, fp_digit b); int fp_set_bit (fp_int * a, fp_digit b); /* copy from a to b */ -#ifndef ALT_ECC_SIZE - #define fp_copy(a, b) (void)(((a) != (b)) ? ((void)XMEMCPY((b), (a), sizeof(fp_int))) : (void)0) - #define fp_init_copy(a, b) fp_copy(b, a) -#else - void fp_copy(fp_int *a, fp_int *b); - void fp_init_copy(fp_int *a, fp_int *b); -#endif +void fp_copy(fp_int *a, fp_int *b); +void fp_init_copy(fp_int *a, fp_int *b); /* clamp digits */ #define fp_clamp(a) { while ((a)->used && (a)->dp[(a)->used-1] == 0) --((a)->used); (a)->sign = (a)->used ? (a)->sign : FP_ZPOS; } @@ -703,6 +690,12 @@ WOLFSSL_API word32 CheckRunTimeFastMath(void); /* If user uses RSA, DH, DSA, or ECC math lib directly then fast math FP_SIZE must match, return 1 if a match otherwise 0 */ #define CheckFastMathSettings() (FP_SIZE == CheckRunTimeFastMath()) + + +/* wolf big int and common functions */ +#include + + #ifdef __cplusplus } #endif diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index ac20cae99..d40916548 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -339,7 +339,8 @@ DYNAMIC_TYPE_SESSION_TICK = 57, DYNAMIC_TYPE_PKCS = 58, DYNAMIC_TYPE_MUTEX = 59, - DYNAMIC_TYPE_PKCS7 = 60 + DYNAMIC_TYPE_PKCS7 = 60, + DYNAMIC_TYPE_ASN1 = 61 }; /* max error buffer string size */ @@ -391,22 +392,46 @@ /* AESNI requires alignment and ARMASM gains some performance from it */ #if defined(WOLFSSL_AESNI) || defined(WOLFSSL_ARMASM) - #if !defined (ALIGN16) - #if defined (__GNUC__) - #define ALIGN16 __attribute__ ( (aligned (16))) - #elif defined(_MSC_VER) - /* disable align warning, we want alignment ! */ - #pragma warning(disable: 4324) - #define ALIGN16 __declspec (align (16)) - #else - #define ALIGN16 - #endif - #endif + #if !defined(ALIGN16) + #if defined(__GNUC__) + #define ALIGN16 __attribute__ ( (aligned (16))) + #elif defined(_MSC_VER) + /* disable align warning, we want alignment ! */ + #pragma warning(disable: 4324) + #define ALIGN16 __declspec (align (16)) + #else + #define ALIGN16 + #endif + #endif /* !ALIGN16 */ + + #if !defined(ALIGN32) + #if defined(__GNUC__) + #define ALIGN32 __attribute__ ( (aligned (32))) + #elif defined(_MSC_VER) + /* disable align warning, we want alignment ! */ + #pragma warning(disable: 4324) + #define ALIGN32 __declspec (align (32)) + #else + #define ALIGN32 + #endif + #endif /* !ALIGN32 */ #else #ifndef ALIGN16 #define ALIGN16 #endif - #endif /* WOLFSSL_AESNI or WOLFSSL_ARMASM */ + #ifndef ALIGN32 + #define ALIGN32 + #endif + #endif /* WOLFSSL_AESNI || WOLFSSL_ARMASM */ + + + #ifndef TRUE + #define TRUE 1 + #endif + #ifndef FALSE + #define FALSE 0 + #endif + #ifdef WOLFSSL_RIOT_OS #define EXIT_TEST(ret) exit(ret) diff --git a/wolfssl/wolfcrypt/wolfmath.h b/wolfssl/wolfcrypt/wolfmath.h new file mode 100644 index 000000000..e6a348653 --- /dev/null +++ b/wolfssl/wolfcrypt/wolfmath.h @@ -0,0 +1,33 @@ +/* wolfmath.h + * + * Copyright (C) 2006-2016 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef __WOLFMATH_H__ +#define __WOLFMATH_H__ + + +/* common math functions */ +WOLFSSL_LOCAL int get_digit_count(mp_int* a); +WOLFSSL_LOCAL mp_digit get_digit(mp_int* a, int n); +WOLFSSL_LOCAL int get_rand_digit(WC_RNG* rng, mp_digit* d); +WOLFSSL_LOCAL int mp_rand(mp_int* a, int digits, WC_RNG* rng); + + +#endif /* __WOLFMATH_H__ */ From c5bd24c1b7dbd75202e2676106eb7050b42fb4a1 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 17 Jan 2017 10:59:17 -0700 Subject: [PATCH 06/33] Added changes Chris requested. Moved error-crypt.h location and corrected FIPS return code. Made requested changes to printf where 0 == 0. --- src/internal.c | 10 ++++++---- src/ssl.c | 5 +++-- tests/api.c | 23 +++++++++++------------ wolfcrypt/src/sha.c | 9 ++++----- wolfcrypt/src/sha256.c | 8 ++++---- wolfcrypt/src/sha512.c | 14 +++++++------- 6 files changed, 35 insertions(+), 34 deletions(-) diff --git a/src/internal.c b/src/internal.c index 7e20cf95d..1f2f64e68 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5649,13 +5649,14 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #endif #ifndef NO_OLD_TLS if (!ssl->options.tls) { - if (BuildMD5(ssl, hashes, sender) != 0) { + ret = BuildMD5(ssl, hashes, sender); + if (ret != 0) { #ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SHA384 XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif #endif - return SSL_FATAL_ERROR; + return ret; } BuildSHA(ssl, hashes, sender); } @@ -10339,8 +10340,9 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) } #if ! defined( NO_OLD_TLS ) else { - if (BuildMD5_CertVerify(ssl, hashes->md5) != 0) { - return SSL_FATAL_ERROR; + ret = BuildMD5_CertVerify(ssl, hashes->md5); + if (ret != 0) { + return ret; } BuildSHA_CertVerify(ssl, hashes->sha); } diff --git a/src/ssl.c b/src/ssl.c index e69e7bb98..e27abbf90 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10377,8 +10377,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (void)type; WOLFSSL_ENTER("wolfSSL_EVP_BytesToKey"); - if (wc_InitMd5(md5)) { - return SSL_FATAL_ERROR; + ret = wc_InitMd5(md5); + if (ret != 0) { + return ret; } /* only support MD5 for now */ diff --git a/tests/api.c b/tests/api.c index b3c8c1cf7..ede0921c4 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2426,7 +2426,7 @@ static int test_wc_InitSha384 (void) /* * Testing wc_UpdateMd5() */ -static int test_wc_UpdateMd5 (void) +static int test_wc_Md5Update (void) { #ifndef NO_MD5 @@ -2471,7 +2471,7 @@ static int test_wc_UpdateMd5 (void) return ret; } if (ret != 0 && XMEMCMP(hash, a.output, MD5_DIGEST_SIZE) != 0) { - return SSL_FAILURE; + return SSL_FAILURE; } /*Pass in bad values. */ @@ -2497,14 +2497,13 @@ static int test_wc_UpdateMd5 (void) return SSL_FAILURE; } - /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, 0 == 0 ? passed : failed); + printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); - return SSL_SUCCESS; + return SSL_SUCCESS; #else return SSL_SUCCESS; #endif -} /* END test_wc_UpdateMd5 */ +} /* END test_wc_Md5Update() */ /* * Tesing wc_ShaUpdate() @@ -2579,14 +2578,14 @@ static int test_wc_ShaUpdate (void) } /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, 0 == 0 ? passed : failed); + printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); return SSL_SUCCESS; #else return SSL_SUCCESS; #endif -} /* END test_wc_ShaFinal */ +} /* END test_wc_ShaUpdate() */ /* @@ -2663,7 +2662,7 @@ static int test_wc_Sha256Update (void) } /* If not returned then the unit test passed. */ - printf(resultFmt, 0 == 0 ? passed : failed); + printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); return SSL_SUCCESS; #else @@ -2748,7 +2747,7 @@ static int test_wc_Sha384Update (void) } /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, 0 == 0 ? passed : failed); + printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); return SSL_SUCCESS; #else @@ -2833,7 +2832,7 @@ static int test_wc_Sha512Update (void) } /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, 0 == 0 ? passed : failed); + printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); return SSL_SUCCESS; #else @@ -3972,7 +3971,7 @@ void ApiTest(void) printf("\n-----------------wolfcrypt unit tests------------------\n"); AssertFalse(test_wolfCrypt_Init()); AssertTrue(test_wc_InitMd5()); - AssertTrue(test_wc_UpdateMd5()); + AssertTrue(test_wc_Md5Update()); AssertTrue(test_wc_Md5Final()); AssertTrue(test_wc_InitSha()); AssertTrue(test_wc_ShaUpdate()); diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 079ee01c6..893e02fb4 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -30,14 +30,14 @@ #if !defined(NO_SHA) #include - +#include /* fips wrapper calls, user can call direct */ #ifdef HAVE_FIPS int wc_InitSha(Sha* sha) { if (sha == NULL) { - return -173; + return BAD_FUNC_ARG; } return InitSha_fips(sha); } @@ -45,7 +45,7 @@ int wc_ShaUpdate(Sha* sha, const byte* data, word32 len) { if (sha == NULL || (data == NULL && len > 0)) { - return -173; + return BAD_FUNC_ARG; } return ShaUpdate_fips(sha, data, len); } @@ -53,7 +53,7 @@ int wc_ShaFinal(Sha* sha, byte* out) { if (sha == NULL || out == NULL) { - return -173; + return BAD_FUNC_ARG; } return ShaFinal_fips(sha,out); } @@ -61,7 +61,6 @@ #else /* else build without fips */ #include -#include #ifdef NO_INLINE #include #else diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 2f9c52635..ef47e74cc 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -28,6 +28,7 @@ #include #include +#include #if !defined(NO_SHA256) #ifdef HAVE_FIPS @@ -35,7 +36,7 @@ int wc_InitSha256(Sha256* sha) { if (sha == NULL) { - return -173; + return BAD_FUNC_ARG;; } return InitSha256_fips(sha); } @@ -44,7 +45,7 @@ int wc_InitSha256(Sha256* sha) int wc_Sha256Update(Sha256* sha, const byte* data, word32 len) { if (sha == NULL || (data == NULL && len > 0)) { - return -173; + return BAD_FUNC_ARG;; } return Sha256Update_fips(sha, data, len); } @@ -53,7 +54,7 @@ int wc_Sha256Update(Sha256* sha, const byte* data, word32 len) int wc_Sha256Final(Sha256* sha, byte* out) { if (sha == NULL || out == NULL) { - return -173; + return BAD_FUNC_ARG;; } return Sha256Final_fips(sha, out); } @@ -285,7 +286,6 @@ static void set_Transform(void) { #endif #include -#include #ifdef NO_INLINE #include diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 6aeddf98a..adb0301a8 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -28,12 +28,13 @@ #include #ifdef WOLFSSL_SHA512 +#include #ifdef HAVE_FIPS int wc_InitSha512(Sha512* sha) { if (sha == NULL) { - return -173; + return BAD_FUNC_ARG; } return InitSha512_fips(sha); } @@ -42,7 +43,7 @@ int wc_InitSha512(Sha512* sha) int wc_Sha512Update(Sha512* sha, const byte* data, word32 len) { if (sha == NULL || (data == NULL && len > 0)) { - return -173; + return BAD_FUNC_ARG; } return Sha512Update_fips(sha, data, len); } @@ -51,7 +52,7 @@ int wc_Sha512Update(Sha512* sha, const byte* data, word32 len) int wc_Sha512Final(Sha512* sha, byte* out) { if (sha == NULL || out == NULL) { - return -173; + return BAD_FUNC_ARG; } return Sha512Final_fips(sha, out); } @@ -62,7 +63,7 @@ int wc_Sha512Final(Sha512* sha, byte* out) int wc_InitSha384(Sha384* sha) { if (sha == NULL) { - return -173; + return BAD_FUNC_ARG; } return InitSha384_fips(sha); } @@ -71,7 +72,7 @@ int wc_InitSha384(Sha384* sha) int wc_Sha384Update(Sha384* sha, const byte* data, word32 len) { if (sha == NULL || (data == NULL && len > 0)) { - return -173; + return BAD_FUNC_ARG; } return Sha384Update_fips(sha, data, len); } @@ -80,7 +81,7 @@ int wc_Sha384Update(Sha384* sha, const byte* data, word32 len) int wc_Sha384Final(Sha384* sha, byte* out) { if (sha == NULL || out == NULL) { - return -173; + return BAD_FUNC_ARG; } return Sha384Final_fips(sha, out); } @@ -89,7 +90,6 @@ int wc_Sha384Final(Sha384* sha, byte* out) #endif /* WOLFSSL_SHA384 */ #else /* else build without using fips */ #include -#include #ifdef NO_INLINE #include From 3918cdef03c5557d7acf2d476e874b27b9e36908 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Thu, 19 Jan 2017 13:35:23 -0700 Subject: [PATCH 07/33] Wrapped functions. --- tests/api.c | 575 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 365 insertions(+), 210 deletions(-) diff --git a/tests/api.c b/tests/api.c index ede0921c4..b2324c9d9 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2433,73 +2433,103 @@ static int test_wc_Md5Update (void) Md5 md5; byte hash[MD5_DIGEST_SIZE]; testVector a, b, c; - int ret; + int ret, flag; + + flag = 0; ret = wc_InitMd5(&md5); if (ret != 0) { - return ret; + flag = ret;; } printf(testingFmt, "wc_Md5Update()"); /* Input */ - a.input = "a"; - a.inLen = XSTRLEN(a.input); - - ret = wc_Md5Update(&md5, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + a.input = "a"; + a.inLen = XSTRLEN(a.input); } - ret = wc_Md5Final(&md5, hash); - if (ret != 0) { - return ret; + + if (!flag){ + ret = wc_Md5Update(&md5, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + flag = ret; + } + } + + if (!flag) { + ret = wc_Md5Final(&md5, hash); + if (ret != 0) { + flag = ret; + } } /* Update input. */ - a.input = "abc"; - a.output = "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f" - "\x72"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); + if (!flag) { + a.input = "abc"; + a.output = "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f" + "\x72"; + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); + } - ret = wc_Md5Update(&md5, (byte*) a.input, (word32) a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + ret = wc_Md5Update(&md5, (byte*) a.input, (word32) a.inLen); + if (ret != 0) { + flag = ret; + } } - ret = wc_Md5Final(&md5, hash); - if (ret != 0) { - return ret; + + if (!flag) { + ret = wc_Md5Final(&md5, hash); + if (ret != 0) { + flag = ret; + } } - if (ret != 0 && XMEMCMP(hash, a.output, MD5_DIGEST_SIZE) != 0) { - return SSL_FAILURE; + + if (!flag) { + if (ret != 0 && XMEMCMP(hash, a.output, MD5_DIGEST_SIZE) != 0) { + flag = SSL_FATAL_ERROR; + } } /*Pass in bad values. */ - b.input = NULL; - b.inLen = 0; - - ret = wc_Md5Update(&md5, (byte*)b.input, (word32)b.inLen); - - if (ret != 0) { - return ret; + if (!flag) { + b.input = NULL; + b.inLen = 0; } + if (!flag) { + ret = wc_Md5Update(&md5, (byte*)b.input, (word32)b.inLen); + if (ret != 0) { + flag = ret; + } + } + + if (!flag) { c.input = NULL; c.inLen = MD5_DIGEST_SIZE; - - ret = wc_Md5Update(&md5, (byte*)c.input, (word32)c.inLen); - if (ret == 0) { - return SSL_FAILURE; } - ret = wc_Md5Update(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - return SSL_FAILURE; + if (!flag) { + ret = wc_Md5Update(&md5, (byte*)c.input, (word32)c.inLen); + if (ret == 0) { + flag = SSL_FATAL_ERROR; + } } - printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); + if (!flag) { + ret = wc_Md5Update(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR;; + } else { + flag = SSL_SUCCESS; + } + } - return SSL_SUCCESS; + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + + return flag; #else return SSL_SUCCESS; #endif @@ -2510,77 +2540,109 @@ static int test_wc_Md5Update (void) */ static int test_wc_ShaUpdate (void) { + #ifndef NO_SHA Sha sha; byte hash[SHA_DIGEST_SIZE]; testVector a, b, c; - int ret; + int ret, flag; + + flag = 0; ret = wc_InitSha(&sha); if (ret != 0) { - return ret; + flag = ret; } printf(testingFmt, "wc_ShaUpdate()"); /* Input. */ - a.input = "a"; - a.inLen = XSTRLEN(a.input); - - ret = wc_ShaUpdate(&sha, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + a.input = "a"; + a.inLen = XSTRLEN(a.input); } - ret = wc_ShaFinal(&sha, hash); - if (ret != 0) { - return ret; + + if (!flag) { + ret = wc_ShaUpdate(&sha, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + flag = ret; + } + } + + if (!flag) { + ret = wc_ShaFinal(&sha, hash); + if (ret != 0) { + flag = ret; + } } /* Update input. */ - a.input = "abc"; - a.output = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E\x25\x71\x78\x50\xC2" - "\x6C\x9C\xD0\xD8\x9D"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); + if (!flag) { + a.input = "abc"; + a.output = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E\x25\x71\x78\x50\xC2" + "\x6C\x9C\xD0\xD8\x9D"; + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); + } - ret = wc_ShaUpdate(&sha, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + ret = wc_ShaUpdate(&sha, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + flag = ret; + } } - ret = wc_ShaFinal(&sha, hash); - if (ret !=0) { - return ret; + + if (!flag) { + ret = wc_ShaFinal(&sha, hash); + if (ret !=0) { + flag = ret; + } } - if (ret != 0 && XMEMCMP(hash, a.output, SHA_DIGEST_SIZE) != 0) { - return SSL_FAILURE; + + if (!flag) { + if (ret != 0 && XMEMCMP(hash, a.output, SHA_DIGEST_SIZE) != 0) { + flag = SSL_FATAL_ERROR; + } } /* Try passing in bad values. */ - b.input = NULL; - b.inLen = 0; - - ret = wc_ShaUpdate(&sha, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - return ret; + if (!flag) { + b.input = NULL; + b.inLen = 0; } - c.input = NULL; - c.inLen = SHA_DIGEST_SIZE; - - ret = wc_ShaUpdate(&sha, (byte*)c.input, (word32)c.inLen); - if (ret == 0) { - return SSL_FAILURE; + if (!flag) { + ret = wc_ShaUpdate(&sha, (byte*)b.input, (word32)b.inLen); + if (ret != 0) { + flag = ret; + } } - ret = wc_ShaUpdate(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - return SSL_FAILURE; + if (!flag) { + c.input = NULL; + c.inLen = SHA_DIGEST_SIZE; + } + + if (!flag) { + ret = wc_ShaUpdate(&sha, (byte*)c.input, (word32)c.inLen); + if (ret == 0) { + flag = SSL_FATAL_ERROR; + } + } + + if (!flag) { + ret = wc_ShaUpdate(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } else { + flag = SSL_SUCCESS; + } } /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); - return SSL_SUCCESS; + return flag; #else return SSL_SUCCESS; #endif @@ -2597,74 +2659,105 @@ static int test_wc_Sha256Update (void) Sha256 sha256; byte hash[SHA256_DIGEST_SIZE]; testVector a, b, c; - int ret; + int ret, flag; + + flag = 0; ret = wc_InitSha256(&sha256); if (ret != 0) { - return ret; + flag = ret; } printf(testingFmt, "wc_Sha256Update()"); /* Input. */ - a.input = "a"; - a.inLen = XSTRLEN(a.input); - - ret = wc_Sha256Update(&sha256, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + a.input = "a"; + a.inLen = XSTRLEN(a.input); } - ret = wc_Sha256Final(&sha256, hash); - if (ret != 0) { - return ret; + + if (!flag) { + ret = wc_Sha256Update(&sha256, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + flag = ret; + } + } + + if (!flag) { + ret = wc_Sha256Final(&sha256, hash); + if (ret != 0) { + flag = ret; + } } /* Update input. */ - a.input = "abc"; - a.output = "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" - "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" - "\x15\xAD"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); + if (!flag) { + a.input = "abc"; + a.output = "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22" + "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" + "\x15\xAD"; + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); + } - ret = wc_Sha256Update(&sha256, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + ret = wc_Sha256Update(&sha256, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + flag = ret; + } } - ret = wc_Sha256Final(&sha256, hash); - if (ret != 0) { - return ret; + + if (!flag) { + ret = wc_Sha256Final(&sha256, hash); + if (ret != 0) { + flag = ret; + } } - if (ret != 0 && XMEMCMP(hash, a.output, SHA256_DIGEST_SIZE) != 0) { - return SSL_FAILURE; + + if (!flag) { + if (ret != 0 && XMEMCMP(hash, a.output, SHA256_DIGEST_SIZE) != 0) { + flag = SSL_FATAL_ERROR; + } } /* Try passing in bad values */ - b.input = NULL; - b.inLen = 0; - - ret = wc_Sha256Update(&sha256, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - return ret; + if (!flag) { + b.input = NULL; + b.inLen = 0; } - c.input = NULL; - c.inLen = SHA256_DIGEST_SIZE; - - ret = wc_Sha256Update(&sha256, (byte*)c.input, (word32)c.inLen); - if (ret == 0) { - return SSL_FAILURE; + if (!flag) { + ret = wc_Sha256Update(&sha256, (byte*)b.input, (word32)b.inLen); + if (ret != 0) { + flag = ret; + } } - ret = wc_Sha256Update(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - return SSL_FAILURE; + if (!flag) { + c.input = NULL; + c.inLen = SHA256_DIGEST_SIZE; + } + + if (!flag) { + ret = wc_Sha256Update(&sha256, (byte*)c.input, (word32)c.inLen); + if (ret == 0) { + flag = SSL_FATAL_ERROR; + } + } + + if (!flag) { + ret = wc_Sha256Update(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } else { + flag = SSL_SUCCESS; + } } /* If not returned then the unit test passed. */ - printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); - return SSL_SUCCESS; + return flag; #else return SSL_SUCCESS; #endif @@ -2676,80 +2769,111 @@ static int test_wc_Sha256Update (void) */ static int test_wc_Sha384Update (void) { + #ifdef WOLFSSL_SHA384 Sha384 sha384; byte hash[SHA384_DIGEST_SIZE]; testVector a, b, c; - int ret; + int ret, flag; + + flag = 0; ret = wc_InitSha384(&sha384); if (ret != 0) { - return ret; + flag = ret; } printf(testingFmt, "wc_Sha384Update()"); /* Input */ - a.input = "a"; - a.inLen = XSTRLEN(a.input); - - ret = wc_Sha384Update(&sha384, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + a.input = "a"; + a.inLen = XSTRLEN(a.input); } - ret = wc_Sha384Final(&sha384, hash); - if (ret != 0) { - return ret; + + if (!flag) { + ret = wc_Sha384Update(&sha384, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + flag = ret; + } + } + + if (!flag) { + ret = wc_Sha384Final(&sha384, hash); + if (ret != 0) { + flag = ret; + } } /* Update input. */ - a.input = "abc"; - a.output = "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50" - "\x07\x27\x2c\x32\xab\x0e\xde\xd1\x63\x1a\x8b\x60\x5a\x43\xff" - "\x5b\xed\x80\x86\x07\x2b\xa1\xe7\xcc\x23\x58\xba\xec\xa1\x34" - "\xc8\x25\xa7"; + if (!flag) { + a.input = "abc"; + a.output = "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50" + "\x07\x27\x2c\x32\xab\x0e\xde\xd1\x63\x1a\x8b\x60\x5a\x43\xff" + "\x5b\xed\x80\x86\x07\x2b\xa1\xe7\xcc\x23\x58\xba\xec\xa1\x34" + "\xc8\x25\xa7"; a.inLen = XSTRLEN(a.input); a.outLen = XSTRLEN(a.output); + } - ret = wc_Sha384Update(&sha384, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + ret = wc_Sha384Update(&sha384, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + flag = ret; + } } - ret = wc_Sha384Final(&sha384, hash); - if (ret != 0) { - return ret; + + if (!flag) { + ret = wc_Sha384Final(&sha384, hash); + if (ret != 0) { + flag = ret; + } } - if (ret != 0 && XMEMCMP(hash, a.output, SHA384_DIGEST_SIZE) != 0) { - return SSL_FAILURE; + + if (!flag) { + if (ret != 0 && XMEMCMP(hash, a.output, SHA384_DIGEST_SIZE) != 0) { + flag = SSL_FATAL_ERROR; + } } /* Pass in bad values. */ - b.input = NULL; - b.inLen = 0; - - ret = wc_Sha384Update(&sha384, (byte*)b.input, (word32)b.inLen); - - if (ret != 0) { - return ret; + if (!flag) { + b.input = NULL; + b.inLen = 0; } - c.input = NULL; - c.inLen = SHA384_DIGEST_SIZE; - - ret = wc_Sha384Update(&sha384, (byte*)c.input, (word32)c.inLen); - if (ret == 0) { - return SSL_FAILURE; + if (!flag) { + ret = wc_Sha384Update(&sha384, (byte*)b.input, (word32)b.inLen); + if (ret != 0) { + flag = ret; + } } - ret = wc_Sha384Update(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - return SSL_FAILURE; + if (!flag) { + c.input = NULL; + c.inLen = SHA384_DIGEST_SIZE; + } + + if (!flag) { + ret = wc_Sha384Update(&sha384, (byte*)c.input, (word32)c.inLen); + if (ret == 0) { + flag = SSL_FATAL_ERROR; + } + } + + if (!flag) { + ret = wc_Sha384Update(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } else { + flag = SSL_SUCCESS; + } } /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); - return SSL_SUCCESS; + return flag; #else return SSL_SUCCESS; #endif @@ -2758,83 +2882,114 @@ static int test_wc_Sha384Update (void) /* * wc_Sha512Update() test. */ - static int test_wc_Sha512Update (void) { + #ifdef WOLFSSL_SHA512 Sha512 sha512; byte hash[SHA512_DIGEST_SIZE]; testVector a, b, c; - int ret; + int ret, flag; + + flag = 0; ret = wc_InitSha512(&sha512); if (ret != 0) { - return ret; + flag = ret; } printf(testingFmt, "wc_Sha512Update()"); /* Input. */ - a.input = "a"; - a.inLen = XSTRLEN(a.input); - - ret = wc_Sha512Update(&sha512, (byte*)a.input, (word32)a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + a.input = "a"; + a.inLen = XSTRLEN(a.input); } - ret = wc_Sha512Final(&sha512, hash); - if (ret != 0) { - return ret; + + if (!flag) { + ret = wc_Sha512Update(&sha512, (byte*)a.input, (word32)a.inLen); + if (ret != 0) { + flag = ret; + } + } + + if (!flag) { + ret = wc_Sha512Final(&sha512, hash); + if (ret != 0) { + flag = ret; + } } /* Update input. */ - a.input = "abc"; - a.output = "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31" - "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3" - "\x9a\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe" - "\xeb\xbd\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5" - "\x4c\xa4\x9f"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); + if (!flag) { + a.input = "abc"; + a.output = "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31" + "\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3" + "\x9a\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe" + "\xeb\xbd\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5" + "\x4c\xa4\x9f"; + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); + } - ret = wc_Sha512Update(&sha512, (byte*) a.input, (word32) a.inLen); - if (ret != 0) { - return ret; + if (!flag) { + ret = wc_Sha512Update(&sha512, (byte*) a.input, (word32) a.inLen); + if (ret != 0) { + flag = ret; + } } - ret = wc_Sha512Final(&sha512, hash); - if (ret != 0) { - return ret; + + if (!flag) { + ret = wc_Sha512Final(&sha512, hash); + if (ret != 0) { + flag = ret; + } } - if (ret != 0 && XMEMCMP(hash, a.output, SHA512_DIGEST_SIZE) != 0) { - return SSL_FAILURE; + + if (!flag) { + if (ret != 0 && XMEMCMP(hash, a.output, SHA512_DIGEST_SIZE) != 0) { + flag = SSL_FAILURE; + } } /* Try passing in bad values */ - b.input = NULL; - b.inLen = 0; - - ret = wc_Sha512Update(&sha512, (byte*)b.input, (word32)b.inLen); - if (ret != 0) { - return ret; + if (!flag) { + b.input = NULL; + b.inLen = 0; } - c.input = NULL; - c.inLen = SHA512_DIGEST_SIZE; - - ret = wc_Sha512Update(&sha512, (byte*)c.input, (word32)c.inLen); - if (ret ==0) { - return SSL_FAILURE; + if (!flag) { + ret = wc_Sha512Update(&sha512, (byte*)b.input, (word32)b.inLen); + if (ret != 0) { + flag = ret; + } } - ret = wc_Sha512Update(NULL, (byte*)a.input, (word32)a.inLen); - if (ret != BAD_FUNC_ARG) { - return SSL_FAILURE; + if (!flag) { + c.input = NULL; + c.inLen = SHA512_DIGEST_SIZE; + } + + if (!flag) { + ret = wc_Sha512Update(&sha512, (byte*)c.input, (word32)c.inLen); + if (ret ==0) { + flag = SSL_FATAL_ERROR; + } + } + + if (!flag) { + ret = wc_Sha512Update(NULL, (byte*)a.input, (word32)a.inLen); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } else { + flag = SSL_SUCCESS; + } } /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, ret == BAD_FUNC_ARG ? passed : failed); + printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); - return SSL_SUCCESS; + return flag; #else return SSL_SUCCESS; #endif From be768f5395ad05a319113e445a1f370c08380ff2 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Thu, 26 Jan 2017 12:34:09 -0700 Subject: [PATCH 08/33] Made changes in api.c to reflect Update() changes. --- tests/api.c | 475 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 287 insertions(+), 188 deletions(-) diff --git a/tests/api.c b/tests/api.c index b2324c9d9..7787a305f 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2275,23 +2275,27 @@ static int test_wc_InitMd5 (void) printf(testingFmt, "wc_InitMd5()"); - flag = SSL_SUCCESS; + flag = 0; + /* Test good arg. */ ret = wc_InitMd5(&md5); - if (ret) { - flag = SSL_FAILURE; - } - /* Test bad arg. */ - ret = wc_InitMd5(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + if (ret != 0) { + flag = SSL_FATAL_ERROR; } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + /* Test bad arg. */ + if (!flag) { + ret = wc_InitMd5(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_InitMd5 */ @@ -2304,25 +2308,29 @@ static int test_wc_InitSha(void) Sha sha; int ret, flag; - flag = SSL_SUCCESS; + flag = 0; printf(testingFmt, "wc_InitSha()"); + /* Test good arg. */ ret = wc_InitSha(&sha); if (ret != 0) { - flag = SSL_FAILURE; - } - /* Test bad arg. */ - ret = wc_InitSha(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + flag = SSL_FATAL_ERROR; } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + /* Test bad arg. */ + if (!flag) { + ret = wc_InitSha(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_InitSha */ @@ -2336,25 +2344,29 @@ static int test_wc_InitSha256 (void) Sha256 sha256; int ret, flag; - flag = SSL_SUCCESS; + flag = 0; printf(testingFmt, "wc_InitSha256()"); + /* Test good arg. */ ret = wc_InitSha256(&sha256); if (ret != 0) { - flag = SSL_FAILURE; - } - /* Test bad arg. */ - ret = wc_InitSha256(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + flag = SSL_FATAL_ERROR; } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + /* Test bad arg. */ + if (!flag) { + ret = wc_InitSha256(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_InitSha256 */ @@ -2368,25 +2380,29 @@ static int test_wc_InitSha512 (void) Sha512 sha512; int ret, flag; - flag = SSL_SUCCESS; + flag = 0; printf(testingFmt, "wc_InitSha512()"); + /* Test good arg. */ ret = wc_InitSha512(&sha512); if (ret != 0) { - flag = SSL_FAILURE; - } - /* Test bad arg. */ - ret = wc_InitSha512(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + flag = SSL_FATAL_ERROR; } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + /* Test bad arg. */ + if (!flag) { + ret = wc_InitSha512(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_InitSha512 */ @@ -2400,25 +2416,29 @@ static int test_wc_InitSha384 (void) Sha384 sha384; int ret, flag; - flag = SSL_SUCCESS; + flag = 0; printf(testingFmt, "wc_InitSha384()"); + /* Test good arg. */ ret = wc_InitSha384(&sha384); if (ret != 0) { - flag = SSL_FAILURE; - } - /* Test bad arg. */ - ret = wc_InitSha384(NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + flag = SSL_FATAL_ERROR; } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + /* Test bad arg. */ + if (!flag) { + ret = wc_InitSha384(NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_InitSha384 */ @@ -2523,15 +2543,15 @@ static int test_wc_Md5Update (void) if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR;; } else { - flag = SSL_SUCCESS; + flag = 0; } } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_Md5Update() */ @@ -2540,7 +2560,7 @@ static int test_wc_Md5Update (void) */ static int test_wc_ShaUpdate (void) { - + #ifndef NO_SHA Sha sha; byte hash[SHA_DIGEST_SIZE]; @@ -2635,16 +2655,16 @@ static int test_wc_ShaUpdate (void) if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } else { - flag = SSL_SUCCESS; + flag = 0; } } /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_ShaUpdate() */ @@ -2750,16 +2770,16 @@ static int test_wc_Sha256Update (void) if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } else { - flag = SSL_SUCCESS; + flag = 0; } } /* If not returned then the unit test passed. */ - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + printf(resultFmt, flag == 0 ? passed : failed); return flag; -#else - return SSL_SUCCESS; +#else + return 0; #endif } /* END test_wc_Sha256Update */ @@ -2769,7 +2789,7 @@ static int test_wc_Sha256Update (void) */ static int test_wc_Sha384Update (void) { - + #ifdef WOLFSSL_SHA384 Sha384 sha384; byte hash[SHA384_DIGEST_SIZE]; @@ -2866,16 +2886,16 @@ static int test_wc_Sha384Update (void) if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } else { - flag = SSL_SUCCESS; + flag = 0; } } /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_Sha384Update */ @@ -2884,7 +2904,7 @@ static int test_wc_Sha384Update (void) */ static int test_wc_Sha512Update (void) { - + #ifdef WOLFSSL_SHA512 Sha512 sha512; byte hash[SHA512_DIGEST_SIZE]; @@ -2982,16 +3002,16 @@ static int test_wc_Sha512Update (void) if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } else { - flag = SSL_SUCCESS; + flag = 0; } } /* If not returned then the unit test passed test vectors. */ - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_Sha512Update */ @@ -3011,47 +3031,61 @@ static int test_wc_Md5Final (void) byte hash3[5*MD5_DIGEST_SIZE]; int times, i, flag, ret; + flag = 0; + /* Initialize */ ret = wc_InitMd5(&md5); if (ret != 0) { - return ret; + flag = ret; } - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; + if (!flag) { + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; + } times = sizeof(hash_test)/sizeof(byte*); - flag = SSL_SUCCESS; - /* Test good args. */ printf(testingFmt, "wc_Md5Final()"); for (i = 0; i < times; i++) { - ret = wc_Md5Final(&md5, hash_test[i]); - if (ret != 0) { - flag = SSL_FAILURE; + if (!flag) { + ret = wc_Md5Final(&md5, hash_test[i]); + if (ret != 0) { + flag = SSL_FATAL_ERROR; + } } } + /* Test bad args. */ - ret = wc_Md5Final(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_Md5Final(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_Md5Final(&md5, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + if (!flag) { + ret = wc_Md5Final(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + if (!flag) { + ret = wc_Md5Final(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + if (!flag) { + ret = wc_Md5Final(&md5, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); + return flag; #else - return SSL_SUCCESS; + return 0; #endif } @@ -3067,45 +3101,62 @@ static int test_wc_ShaFinal (void) byte hash2[2*SHA_DIGEST_SIZE]; byte hash3[5*SHA_DIGEST_SIZE]; int times, i, ret, flag; + + flag = 0; + /*Initialize*/ ret = wc_InitSha(&sha); if (ret) { - return ret; + flag = ret; + } + + if (!flag) { + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; } - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; times = sizeof(hash_test)/sizeof(byte*); - flag = SSL_SUCCESS; /* Good test args. */ printf(testingFmt, "wc_ShaFinal()"); for (i = 0; i < times; i++) { - ret = wc_ShaFinal(&sha, hash_test[i]); - if (ret != 0) { - flag = SSL_FAILURE; + if (!flag) { + ret = wc_ShaFinal(&sha, hash_test[i]); + if (ret != 0) { + flag = SSL_FATAL_ERROR; + } } } + /* Test bad args. */ - ret = wc_ShaFinal(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_ShaFinal(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_ShaFinal(&sha, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + if (!flag) { + ret = wc_ShaFinal(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + if (!flag) { + ret = wc_ShaFinal(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + if (!flag) { + ret = wc_ShaFinal(&sha, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); + return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_ShaFinal */ @@ -3121,45 +3172,62 @@ static int test_wc_Sha256Final (void) byte hash2[2*SHA256_DIGEST_SIZE]; byte hash3[5*SHA256_DIGEST_SIZE]; int times, i, ret, flag; + + flag = 0; + /* Initialize */ ret = wc_InitSha256(&sha256); - if (ret) { - return ret; + if (ret != 0) { + flag = ret; + } + + if (!flag) { + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; } - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; times = sizeof(hash_test) / sizeof(byte*); - flag = SSL_SUCCESS; + /* Good test args. */ printf(testingFmt, "wc_Sha256Final()"); for (i = 0; i < times; i++) { - ret = wc_Sha256Final(&sha256, hash_test[i]); - if (ret != 0) { - flag = SSL_FAILURE; + if (!flag) { + ret = wc_Sha256Final(&sha256, hash_test[i]); + if (ret != 0) { + flag = SSL_FATAL_ERROR; + } } } + /* Test bad args. */ - ret = wc_Sha256Final(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_Sha256Final(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_Sha256Final(&sha256, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + if (!flag ) { + ret = wc_Sha256Final(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + if (!flag) { + ret = wc_Sha256Final(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + if (!flag) { + ret = wc_Sha256Final(&sha256, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_Sha256Final */ @@ -3176,46 +3244,60 @@ static int test_wc_Sha512Final (void) byte hash2[2*SHA512_DIGEST_SIZE]; byte hash3[5*SHA512_DIGEST_SIZE]; int times, i, ret, flag; + + flag = 0; + /* Initialize */ ret = wc_InitSha512(&sha512); - if (ret) { - return ret; + if (ret != 0) { + flag = ret; + } + + if (!flag) { + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; } - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; times = sizeof(hash_test) / sizeof(byte *); - flag = SSL_SUCCESS; /* Good test args. */ printf(testingFmt, "wc_Sha512Final()"); for (i = 0; i < times; i++) { - ret = wc_Sha512Final(&sha512, hash_test[i]); - if (ret != 0) { - flag = SSL_FAILURE; + if (!flag) { + ret = wc_Sha512Final(&sha512, hash_test[i]); + if (ret != 0) { + flag = SSL_FATAL_ERROR; + } } } /* Test bad args. */ - ret = wc_Sha512Final(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_Sha512Final(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_Sha512Final(&sha512, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + if (!flag) { + ret = wc_Sha512Final(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + + if (!flag) {} + ret = wc_Sha512Final(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + if (!flag) { + ret = wc_Sha512Final(&sha512, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_Sha512Final */ @@ -3231,46 +3313,63 @@ static int test_wc_Sha384Final (void) byte hash2[2*SHA384_DIGEST_SIZE]; byte hash3[5*SHA384_DIGEST_SIZE]; int times, i, ret, flag; + + flag = 0; + /* Initialize */ ret = wc_InitSha384(&sha384); if (ret) { - return ret; + flag = ret; + } + + if (!flag) { + hash_test[0] = hash1; + hash_test[1] = hash2; + hash_test[2] = hash3; } - hash_test[0] = hash1; - hash_test[1] = hash2; - hash_test[2] = hash3; times = sizeof(hash_test) / sizeof(byte*); - flag = SSL_SUCCESS; /* Good test args. */ printf(testingFmt, "wc_Sha384Final()"); + for (i = 0; i < times; i++) { - ret = wc_Sha384Final(&sha384, hash_test[i]); - if (ret != 0) { - flag = SSL_FAILURE; + if (!flag) { + ret = wc_Sha384Final(&sha384, hash_test[i]); + if (ret != 0) { + flag = SSL_FATAL_ERROR; + } } } + /* Test bad args. */ - ret = wc_Sha384Final(NULL, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_Sha384Final(NULL, hash1); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; - } - ret = wc_Sha384Final(&sha384, NULL); - if (ret != BAD_FUNC_ARG) { - flag = SSL_FAILURE; + if (!flag) { + ret = wc_Sha384Final(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } } - printf(resultFmt, flag == SSL_SUCCESS ? passed : failed); + if (!flag) { + ret = wc_Sha384Final(NULL, hash1); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + if (!flag) { + ret = wc_Sha384Final(&sha384, NULL); + if (ret != BAD_FUNC_ARG) { + flag = SSL_FATAL_ERROR; + } + } + + printf(resultFmt, flag == 0 ? passed : failed); return flag; #else - return SSL_SUCCESS; + return 0; #endif } /* END test_wc_Sha384Final */ @@ -4125,21 +4224,21 @@ void ApiTest(void) /*wolfcrypt */ printf("\n-----------------wolfcrypt unit tests------------------\n"); AssertFalse(test_wolfCrypt_Init()); - AssertTrue(test_wc_InitMd5()); - AssertTrue(test_wc_Md5Update()); - AssertTrue(test_wc_Md5Final()); - AssertTrue(test_wc_InitSha()); - AssertTrue(test_wc_ShaUpdate()); - AssertTrue(test_wc_ShaFinal()); - AssertTrue(test_wc_InitSha256()); - AssertTrue(test_wc_Sha256Update()); - AssertTrue(test_wc_Sha256Final()); - AssertTrue(test_wc_InitSha512()); - AssertTrue(test_wc_Sha512Update()); - AssertTrue(test_wc_Sha512Final()); - AssertTrue(test_wc_InitSha384()); - AssertTrue(test_wc_Sha384Update()); - AssertTrue(test_wc_Sha384Final()); + AssertFalse(test_wc_InitMd5()); + AssertFalse(test_wc_Md5Update()); + AssertFalse(test_wc_Md5Final()); + AssertFalse(test_wc_InitSha()); + AssertFalse(test_wc_ShaUpdate()); + AssertFalse(test_wc_ShaFinal()); + AssertFalse(test_wc_InitSha256()); + AssertFalse(test_wc_Sha256Update()); + AssertFalse(test_wc_Sha256Final()); + AssertFalse(test_wc_InitSha512()); + AssertFalse(test_wc_Sha512Update()); + AssertFalse(test_wc_Sha512Final()); + AssertFalse(test_wc_InitSha384()); + AssertFalse(test_wc_Sha384Update()); + AssertFalse(test_wc_Sha384Final()); printf(" End API Tests\n"); } From 79e8bd2f2b7dff60124bd9583e142c9433bd20c8 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Thu, 26 Jan 2017 12:44:20 -0700 Subject: [PATCH 09/33] Restore the ssl->hsHashes->hashSha384 before returning on failure. --- src/internal.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/internal.c b/src/internal.c index 1f2f64e68..653f2aad4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5656,6 +5656,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif #endif + /* restore */ + ssl->hsHashes->hashSha384 = sha384[0]; return ret; } BuildSHA(ssl, hashes, sender); From 74f72b5c6b558d7637a9c4608c3ba809570a8c1f Mon Sep 17 00:00:00 2001 From: jrblixt Date: Thu, 26 Jan 2017 13:15:11 -0700 Subject: [PATCH 10/33] Jenkins fix. --- src/internal.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index 31522b453..e83e35bfc 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5661,10 +5661,10 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SHA384 XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - #endif /* restore */ ssl->hsHashes->hashSha384 = sha384[0]; + #endif + #endif return ret; } BuildSHA(ssl, hashes, sender); From e4942eaa3d2472c42b6d5fc7984fb870046ec20a Mon Sep 17 00:00:00 2001 From: jrblixt Date: Thu, 26 Jan 2017 17:03:05 -0700 Subject: [PATCH 11/33] Reorder restore statement. --- src/internal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index e83e35bfc..486421b21 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5660,9 +5660,9 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) if (ret != 0) { #ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SHA384 - XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); /* restore */ ssl->hsHashes->hashSha384 = sha384[0]; + XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif #endif return ret; From de9f05f3c5cc3398591bb1480e45058a6d239587 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 31 Jan 2017 14:33:21 -0700 Subject: [PATCH 12/33] Update sha256.c function punctuation. --- wolfcrypt/src/sha256.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 18cbf6635..4052ea39b 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -36,7 +36,7 @@ int wc_InitSha256(Sha256* sha) { if (sha == NULL) { - return BAD_FUNC_ARG;; + return BAD_FUNC_ARG; } return InitSha256_fips(sha); } @@ -45,7 +45,7 @@ int wc_InitSha256(Sha256* sha) int wc_Sha256Update(Sha256* sha, const byte* data, word32 len) { if (sha == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG;; + return BAD_FUNC_ARG; } return Sha256Update_fips(sha, data, len); } @@ -54,7 +54,7 @@ int wc_Sha256Update(Sha256* sha, const byte* data, word32 len) int wc_Sha256Final(Sha256* sha, byte* out) { if (sha == NULL || out == NULL) { - return BAD_FUNC_ARG;; + return BAD_FUNC_ARG; } return Sha256Final_fips(sha, out); } From c467bbd776254da346b90f59b208820a0342512d Mon Sep 17 00:00:00 2001 From: jrblixt Date: Fri, 24 Feb 2017 15:16:54 -0700 Subject: [PATCH 13/33] Reasses return values on all Init, Update, Final functions. --- wolfcrypt/src/sha256.c | 256 ++++++++++++++++++++--------------------- wolfcrypt/src/sha512.c | 10 +- 2 files changed, 135 insertions(+), 131 deletions(-) diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 4052ea39b..41ced5193 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -96,7 +96,7 @@ int wc_Sha256Final(Sha256* sha, byte* out) #if defined(HAVE_INTEL_AVX2) #define HAVE_INTEL_RORX #endif - + /***** Intel AVX1/AVX2 Macro Control Structure @@ -107,16 +107,16 @@ Intel AVX1/AVX2 Macro Control Structure #define HAVE_INTEL_RORX -int InitSha256(Sha256* sha256) { +int InitSha256(Sha256* sha256) { Save/Recover XMM, YMM ... } #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2) - Transform() ; Function prototype + Transform() ; Function prototype #else Transform() { } - int Sha256Final() { + int Sha256Final() { Save/Recover XMM, YMM ... } @@ -131,21 +131,21 @@ int InitSha256(Sha256* sha256) { #endif #if defined(HAVE_INTEL_AVX1) - + #define XMM Instructions/inline asm - + int Transform() { Stitched Message Sched/Round - } - + } + #elif defined(HAVE_INTEL_AVX2) - + #define YMM Instructions/inline asm - + int Transform() { More granural Stitched Message Sched/Round } - + */ @@ -173,9 +173,9 @@ int InitSha256(Sha256* sha256) { #define EAX 0 #define EBX 1 -#define ECX 2 +#define ECX 2 #define EDX 3 - + #define CPUID_AVX1 0x1 #define CPUID_AVX2 0x2 #define CPUID_RDRAND 0x4 @@ -193,15 +193,15 @@ static word32 cpuid_flags = 0 ; static word32 cpuid_flag(word32 leaf, word32 sub, word32 num, word32 bit) { int got_intel_cpu=0; - unsigned int reg[5]; - + unsigned int reg[5]; + reg[4] = '\0' ; - cpuid(reg, 0, 0); - if(XMEMCMP((char *)&(reg[EBX]), "Genu", 4) == 0 && - XMEMCMP((char *)&(reg[EDX]), "ineI", 4) == 0 && - XMEMCMP((char *)&(reg[ECX]), "ntel", 4) == 0) { - got_intel_cpu = 1; - } + cpuid(reg, 0, 0); + if(XMEMCMP((char *)&(reg[EBX]), "Genu", 4) == 0 && + XMEMCMP((char *)&(reg[EDX]), "ineI", 4) == 0 && + XMEMCMP((char *)&(reg[ECX]), "ntel", 4) == 0) { + got_intel_cpu = 1; + } if (got_intel_cpu) { cpuid(reg, leaf, sub); return((reg[num]>>bit)&0x1) ; @@ -209,12 +209,12 @@ static word32 cpuid_flag(word32 leaf, word32 sub, word32 num, word32 bit) { return 0 ; } -static int set_cpuid_flags(void) { +static int set_cpuid_flags(void) { if(cpuid_check==0) { if(cpuid_flag(1, 0, ECX, 28)){ cpuid_flags |= CPUID_AVX1 ;} if(cpuid_flag(7, 0, EBX, 5)){ cpuid_flags |= CPUID_AVX2 ; } if(cpuid_flag(7, 0, EBX, 8)) { cpuid_flags |= CPUID_BMI2 ; } - if(cpuid_flag(1, 0, ECX, 30)){ cpuid_flags |= CPUID_RDRAND ; } + if(cpuid_flag(1, 0, ECX, 30)){ cpuid_flags |= CPUID_RDRAND ; } if(cpuid_flag(7, 0, EBX, 18)){ cpuid_flags |= CPUID_RDSEED ; } cpuid_check = 1 ; return 0 ; @@ -230,8 +230,8 @@ static int Transform(Sha256* sha256); static int Transform_AVX1(Sha256 *sha256) ; #endif #if defined(HAVE_INTEL_AVX2) -static int Transform_AVX2(Sha256 *sha256) ; -static int Transform_AVX1_RORX(Sha256 *sha256) ; +static int Transform_AVX2(Sha256 *sha256) ; +static int Transform_AVX1_RORX(Sha256 *sha256) ; #endif static int (*Transform_p)(Sha256* sha256) /* = _Transform */; @@ -242,9 +242,9 @@ static void set_Transform(void) { if(set_cpuid_flags())return ; #if defined(HAVE_INTEL_AVX2) - if(IS_INTEL_AVX2 && IS_INTEL_BMI2){ - Transform_p = Transform_AVX1_RORX; return ; - Transform_p = Transform_AVX2 ; + if(IS_INTEL_AVX2 && IS_INTEL_BMI2){ + Transform_p = Transform_AVX1_RORX; return ; + Transform_p = Transform_AVX2 ; /* for avoiding warning,"not used" */ } #endif @@ -459,10 +459,6 @@ static INLINE int Sha256Update(Sha256* sha256, const byte* data, word32 len) { byte* local; - if (sha256 == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG; - } - /* do block size increments */ local = (byte*)sha256->buffer; @@ -500,6 +496,10 @@ static INLINE int Sha256Update(Sha256* sha256, const byte* data, word32 len) int wc_Sha256Update(Sha256* sha256, const byte* data, word32 len) { + if (sha256 == NULL || (data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } + return Sha256Update(sha256, data, len); } @@ -517,7 +517,7 @@ static INLINE int Sha256Final(Sha256* sha256) { byte* local = (byte*)sha256->buffer; int ret; - + SAVE_XMM_YMM ; /* for Intel AVX */ AddLength(sha256, sha256->buffLen); /* before adding pads */ @@ -633,9 +633,9 @@ int wc_Sha256Final(Sha256* sha256, byte* hash) -#define S_0 %r15d +#define S_0 %r15d #define S_1 %r10d -#define S_2 %r11d +#define S_2 %r11d #define S_3 %r12d #define S_4 %r13d #define S_5 %r14d @@ -671,7 +671,7 @@ __asm__ volatile("rorx $13, %"#a", %%edi\n\t":::"%edi",SSE_REGs);/* edi = a>>13 __asm__ volatile("rorx $22, %"#a", %%edx\n\t":::"%edx",SSE_REGs); /* edx = a>>22 */\ __asm__ volatile("xorl %%r8d, %%edi\n\t":::"%edi","%r8",SSE_REGs);/* edi = (a>>2) ^ (a>>13) */\ __asm__ volatile("xorl %%edi, %%edx\n\t":::"%edi","%edx",SSE_REGs); /* edx = Sigma0(a) */\ - + #define RND_STEP_RORX_6(a,b,c,d,e,f,g,h,i)\ __asm__ volatile("movl %"#b", %%edi\n\t":::"%edi",SSE_REGs); /* edi = b */\ __asm__ volatile("orl %"#a", %%edi\n\t":::"%edi",SSE_REGs); /* edi = a | b */\ @@ -687,7 +687,7 @@ __asm__ volatile("orl %%edi, %%r8d\n\t":::"%edi","%r8",SSE_REGs); /* r8d = Maj __asm__ volatile("addl "#h", "#d"\n\t"); /* d += h + w_k + Sigma1(e) + Ch(e,f,g) */\ __asm__ volatile("addl %"#h", %%r8d\n\t":::"%r8",SSE_REGs); \ __asm__ volatile("addl %%edx, %%r8d\n\t":::"%edx","%r8",SSE_REGs); \ -__asm__ volatile("movl %r8d, "#h"\n\t"); +__asm__ volatile("movl %r8d, "#h"\n\t"); #endif @@ -751,7 +751,7 @@ __asm__ volatile("movl %%r8d, %"#h"\n\t":::"%r8", SSE_REGs); \ RND_STEP_5(a,b,c,d,e,f,g,h,i); \ RND_STEP_6(a,b,c,d,e,f,g,h,i); \ RND_STEP_7(a,b,c,d,e,f,g,h,i); \ - RND_STEP_8(a,b,c,d,e,f,g,h,i); + RND_STEP_8(a,b,c,d,e,f,g,h,i); #define RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i); #define RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_7,S_0,S_1,S_2,S_3,S_4,S_5,S_6,_i); @@ -818,7 +818,7 @@ __asm__ volatile("movl %%r8d, %"#h"\n\t":::"%r8", SSE_REGs); \ #define RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_7_8(S_1,S_2,S_3,S_4,S_5,S_6,S_7,S_0,_i); #define FOR(cnt, init, max, inc, loop) \ - __asm__ volatile("movl $"#init", %0\n\t"#loop":"::"m"(cnt):) + __asm__ volatile("movl $"#init", %0\n\t"#loop":"::"m"(cnt):) #define END(cnt, init, max, inc, loop) \ __asm__ volatile("addl $"#inc", %0\n\tcmpl $"#max", %0\n\tjle "#loop"\n\t":"=m"(cnt)::) ; @@ -826,7 +826,7 @@ __asm__ volatile("movl %%r8d, %"#h"\n\t":::"%r8", SSE_REGs); \ #if defined(HAVE_INTEL_AVX1) /* inline Assember for Intel AVX1 instructions */ -#define VPALIGNR(op1,op2,op3,op4) __asm__ volatile("vpalignr $"#op4", %"#op3", %"#op2", %"#op1:::XMM_REGs) +#define VPALIGNR(op1,op2,op3,op4) __asm__ volatile("vpalignr $"#op4", %"#op3", %"#op2", %"#op1:::XMM_REGs) #define VPADDD(op1,op2,op3) __asm__ volatile("vpaddd %"#op3", %"#op2", %"#op1:::XMM_REGs) #define VPSRLD(op1,op2,op3) __asm__ volatile("vpsrld $"#op3", %"#op2", %"#op1:::XMM_REGs) #define VPSRLQ(op1,op2,op3) __asm__ volatile("vpsrlq $"#op3", %"#op2", %"#op1:::XMM_REGs) @@ -1037,49 +1037,49 @@ static int Transform_AVX1(Sha256* sha256) W_K_from_buff ; /* X0, X1, X2, X3 = W[0..15] ; */ DigestToReg(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ; - + SET_W_K_XFER(X0, 0) ; - MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,0) ; SET_W_K_XFER(X1, 4) ; MessageSched(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,4) ; SET_W_K_XFER(X2, 8) ; - MessageSched(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,8) ; SET_W_K_XFER(X3, 12) ; - MessageSched(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,12) ; SET_W_K_XFER(X0, 16) ; - MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,16) ; SET_W_K_XFER(X1, 20) ; - MessageSched(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,20) ; SET_W_K_XFER(X2, 24) ; - MessageSched(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,24) ; SET_W_K_XFER(X3, 28) ; - MessageSched(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,28) ; SET_W_K_XFER(X0, 32) ; - MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,32) ; SET_W_K_XFER(X1, 36) ; - MessageSched(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,36) ; SET_W_K_XFER(X2, 40) ; - MessageSched(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,40) ; SET_W_K_XFER(X3, 44) ; - MessageSched(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, + MessageSched(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,44) ; SET_W_K_XFER(X0, 48) ; SET_W_K_XFER(X1, 52) ; SET_W_K_XFER(X2, 56) ; SET_W_K_XFER(X3, 60) ; - + RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,48) ; RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ; RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ; @@ -1090,7 +1090,7 @@ static int Transform_AVX1(Sha256* sha256) RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,54) ; RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ; - RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,56) ; + RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,56) ; RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,57) ; RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,58) ; RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,59) ; @@ -1099,9 +1099,9 @@ static int Transform_AVX1(Sha256* sha256) RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,61) ; RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,62) ; RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,63) ; - - RegToDigest(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ; - + + RegToDigest(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ; + return 0; } @@ -1116,34 +1116,34 @@ static int Transform_AVX1_RORX(Sha256* sha256) DigestToReg(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ; SET_W_K_XFER(X0, 0) ; - MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,0) ; SET_W_K_XFER(X1, 4) ; - MessageSched_RORX(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,4) ; SET_W_K_XFER(X2, 8) ; - MessageSched_RORX(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,8) ; SET_W_K_XFER(X3, 12) ; - MessageSched_RORX(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,12) ; SET_W_K_XFER(X0, 16) ; - MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,16) ; SET_W_K_XFER(X1, 20) ; - MessageSched_RORX(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,20) ; SET_W_K_XFER(X2, 24) ; - MessageSched_RORX(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,24) ; SET_W_K_XFER(X3, 28) ; - MessageSched_RORX(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,28) ; SET_W_K_XFER(X0, 32) ; - MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,32) ; SET_W_K_XFER(X1, 36) ; - MessageSched_RORX(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, + MessageSched_RORX(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,36) ; SET_W_K_XFER(X2, 40) ; MessageSched_RORX(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, @@ -1156,7 +1156,7 @@ static int Transform_AVX1_RORX(Sha256* sha256) SET_W_K_XFER(X1, 52) ; SET_W_K_XFER(X2, 56) ; SET_W_K_XFER(X3, 60) ; - + RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,48) ; RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ; RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ; @@ -1167,7 +1167,7 @@ static int Transform_AVX1_RORX(Sha256* sha256) RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,54) ; RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ; - RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,56) ; + RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,56) ; RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,57) ; RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,58) ; RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,59) ; @@ -1176,9 +1176,9 @@ static int Transform_AVX1_RORX(Sha256* sha256) RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,61) ; RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,62) ; RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,63) ; - - RegToDigest(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ; - + + RegToDigest(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ; + return 0; } @@ -1225,12 +1225,12 @@ static int Transform_AVX1_RORX(Sha256* sha256) #define _EXTRACT_XMM_7(xmm, mem) __asm__ volatile("vpextrd $3, %%"#xmm", %0 ":"=r"(mem)::YMM_REGs) ; #define _SWAP_YMM_HL(ymm) __asm__ volatile("vperm2i128 $0x1, %%"#ymm", %%"#ymm", %%"#ymm" ":::YMM_REGs) ; -#define SWAP_YMM_HL(ymm) _SWAP_YMM_HL(ymm) +#define SWAP_YMM_HL(ymm) _SWAP_YMM_HL(ymm) #define MOVE_to_REG(ymm, mem) _MOVE_to_REG(ymm, mem) #define MOVE_to_MEM(mem, ymm) _MOVE_to_MEM(mem, ymm) #define BYTE_SWAP(ymm, map) _BYTE_SWAP(ymm, map) -#define MOVE_128(ymm0, ymm1, ymm2, map) _MOVE_128(ymm0, ymm1, ymm2, map) +#define MOVE_128(ymm0, ymm1, ymm2, map) _MOVE_128(ymm0, ymm1, ymm2, map) #define MOVE_BYTE(ymm0, ymm1, map) _MOVE_BYTE(ymm0, ymm1, map) #define XOR(dest, src1, src2) _XOR(dest, src1, src2) #define OR(dest, src1, src2) _OR(dest, src1, src2) @@ -1238,28 +1238,28 @@ static int Transform_AVX1_RORX(Sha256* sha256) #define ADD_MEM(dest, src1, mem) _ADD_MEM(dest, src1, mem) #define BLEND(map, dest, src1, src2) _BLEND(map, dest, src1, src2) -#define S_TMP(dest, src, bits, temp) _S_TEMP(dest, src, bits, temp); +#define S_TMP(dest, src, bits, temp) _S_TEMP(dest, src, bits, temp); #define AVX2_S(dest, src, bits) S_TMP(dest, src, bits, S_TEMP) #define AVX2_R(dest, src, bits) _AVX2_R(dest, src, bits) #define GAMMA0(dest, src) AVX2_S(dest, src, 7); AVX2_S(G_TEMP, src, 18); \ XOR(dest, G_TEMP, dest) ; AVX2_R(G_TEMP, src, 3); XOR(dest, G_TEMP, dest) ; -#define GAMMA0_1(dest, src) AVX2_S(dest, src, 7); AVX2_S(G_TEMP, src, 18); +#define GAMMA0_1(dest, src) AVX2_S(dest, src, 7); AVX2_S(G_TEMP, src, 18); #define GAMMA0_2(dest, src) XOR(dest, G_TEMP, dest) ; AVX2_R(G_TEMP, src, 3); \ XOR(dest, G_TEMP, dest) ; #define GAMMA1(dest, src) AVX2_S(dest, src, 17); AVX2_S(G_TEMP, src, 19); \ XOR(dest, G_TEMP, dest) ; AVX2_R(G_TEMP, src, 10); XOR(dest, G_TEMP, dest) ; -#define GAMMA1_1(dest, src) AVX2_S(dest, src, 17); AVX2_S(G_TEMP, src, 19); +#define GAMMA1_1(dest, src) AVX2_S(dest, src, 17); AVX2_S(G_TEMP, src, 19); #define GAMMA1_2(dest, src) XOR(dest, G_TEMP, dest) ; AVX2_R(G_TEMP, src, 10); \ XOR(dest, G_TEMP, dest) ; #define FEEDBACK1_to_W_I_2 MOVE_BYTE(YMM_TEMP0, W_I, mMAP1toW_I_2[0]) ; \ BLEND(0x0c, W_I_2, YMM_TEMP0, W_I_2) ; #define FEEDBACK2_to_W_I_2 MOVE_128(YMM_TEMP0, W_I, W_I, 0x08) ; \ - MOVE_BYTE(YMM_TEMP0, YMM_TEMP0, mMAP2toW_I_2[0]) ; BLEND(0x30, W_I_2, YMM_TEMP0, W_I_2) ; + MOVE_BYTE(YMM_TEMP0, YMM_TEMP0, mMAP2toW_I_2[0]) ; BLEND(0x30, W_I_2, YMM_TEMP0, W_I_2) ; #define FEEDBACK3_to_W_I_2 MOVE_BYTE(YMM_TEMP0, W_I, mMAP3toW_I_2[0]) ; \ - BLEND(0xc0, W_I_2, YMM_TEMP0, W_I_2) ; + BLEND(0xc0, W_I_2, YMM_TEMP0, W_I_2) ; #define FEEDBACK_to_W_I_7 MOVE_128(YMM_TEMP0, W_I, W_I, 0x08) ;\ MOVE_BYTE(YMM_TEMP0, YMM_TEMP0, mMAPtoW_I_7[0]) ; BLEND(0x80, W_I_7, YMM_TEMP0, W_I_7) ; @@ -1359,26 +1359,26 @@ static int Transform_AVX1_RORX(Sha256* sha256) #define DumS(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\ _DumpS(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 ) - + /* Byte swap Masks to ensure that rest of the words are filled with zero's. */ - static const unsigned long mBYTE_FLIP_MASK_16[] = + static const unsigned long mBYTE_FLIP_MASK_16[] = { 0x0405060700010203, 0x0c0d0e0f08090a0b, 0x0405060700010203, 0x0c0d0e0f08090a0b } ; - static const unsigned long mBYTE_FLIP_MASK_15[] = + static const unsigned long mBYTE_FLIP_MASK_15[] = { 0x0405060700010203, 0x0c0d0e0f08090a0b, 0x0405060700010203, 0x0c0d0e0f08090a0b } ; - static const unsigned long mBYTE_FLIP_MASK_7 [] = + static const unsigned long mBYTE_FLIP_MASK_7 [] = { 0x0405060700010203, 0x0c0d0e0f08090a0b, 0x0405060700010203, 0x8080808008090a0b } ; - static const unsigned long mBYTE_FLIP_MASK_2 [] = + static const unsigned long mBYTE_FLIP_MASK_2 [] = { 0x0405060700010203, 0x8080808080808080, 0x8080808080808080, 0x8080808080808080 } ; - static const unsigned long mMAPtoW_I_7[] = + static const unsigned long mMAPtoW_I_7[] = { 0x8080808080808080, 0x8080808080808080, 0x8080808080808080, 0x0302010080808080 } ; - static const unsigned long mMAP1toW_I_2[] = + static const unsigned long mMAP1toW_I_2[] = { 0x8080808080808080, 0x0706050403020100, 0x8080808080808080, 0x8080808080808080 } ; - static const unsigned long mMAP2toW_I_2[] = + static const unsigned long mMAP2toW_I_2[] = { 0x8080808080808080, 0x8080808080808080, 0x0f0e0d0c0b0a0908, 0x8080808080808080 } ; - static const unsigned long mMAP3toW_I_2[] = + static const unsigned long mMAP3toW_I_2[] = { 0x8080808080808080, 0x8080808080808080, 0x8080808080808080, 0x0706050403020100 } ; - + static int Transform_AVX2(Sha256* sha256) { @@ -1400,19 +1400,19 @@ static int Transform_AVX2(Sha256* sha256) DigestToReg(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ; ADD_MEM(W_K_TEMP, W_I_16, K[0]) ; - MOVE_to_MEM(W_K[0], W_K_TEMP) ; + MOVE_to_MEM(W_K[0], W_K_TEMP) ; RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,0) ; RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,1) ; RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,2) ; - RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,3) ; + RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,3) ; RND_4(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,4) ; RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,5) ; RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,6) ; RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,7) ; ADD_MEM(YMM_TEMP0, W_I, K[8]) ; - MOVE_to_MEM(W_K[8], YMM_TEMP0) ; + MOVE_to_MEM(W_K[8], YMM_TEMP0) ; /* W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15] + W[i-16]) */ RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,8) ; @@ -1424,21 +1424,21 @@ static int Transform_AVX2(Sha256* sha256) RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,9) ; ADD(W_I, W_I_7, W_I_TEMP); RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,9) ; - GAMMA1_1(YMM_TEMP0, W_I_2) ; + GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,9) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,10) ; ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */ RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,10) ; FEEDBACK1_to_W_I_2 ; RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,10) ; - FEEDBACK_to_W_I_7 ; + FEEDBACK_to_W_I_7 ; RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,11) ; ADD(W_I_TEMP, W_I_7, W_I_TEMP); RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,11) ; - GAMMA1_1(YMM_TEMP0, W_I_2) ; + GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,11) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,12) ; ADD(W_I, W_I_TEMP, YMM_TEMP0) ;/* now W[16..19] are completed */ RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,12) ; @@ -1446,7 +1446,7 @@ static int Transform_AVX2(Sha256* sha256) RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,12) ; GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,13) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,13) ; ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..21] are completed */ RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,13) ; @@ -1458,7 +1458,7 @@ static int Transform_AVX2(Sha256* sha256) ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */ RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,15) ; - MOVE_to_REG(YMM_TEMP0, K[16]) ; + MOVE_to_REG(YMM_TEMP0, K[16]) ; RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,15) ; ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ; RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,15) ; @@ -1475,21 +1475,21 @@ static int Transform_AVX2(Sha256* sha256) RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,17) ; ADD(W_I, W_I_7, W_I_TEMP); RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,17) ; - GAMMA1_1(YMM_TEMP0, W_I_2) ; + GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,17) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,18) ; ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */ RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,18) ; FEEDBACK1_to_W_I_2 ; RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,18) ; - FEEDBACK_to_W_I_7 ; + FEEDBACK_to_W_I_7 ; RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,19) ; ADD(W_I_TEMP, W_I_7, W_I_TEMP); RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,19) ; - GAMMA1(YMM_TEMP0, W_I_2) ; + GAMMA1(YMM_TEMP0, W_I_2) ; RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,19) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,20) ; ADD(W_I, W_I_TEMP, YMM_TEMP0) ;/* now W[16..19] are completed */ RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,20) ; @@ -1497,7 +1497,7 @@ static int Transform_AVX2(Sha256* sha256) RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,20) ; GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,21) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,21) ; ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..21] are completed */ RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,21) ; @@ -1505,12 +1505,12 @@ static int Transform_AVX2(Sha256* sha256) RND_2_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,22) ; GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_2_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,22) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_2_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,22) ; ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */ RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,23) ; - MOVE_to_REG(YMM_TEMP0, K[24]) ; + MOVE_to_REG(YMM_TEMP0, K[24]) ; RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,23) ; ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ; RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,23) ; @@ -1527,21 +1527,21 @@ static int Transform_AVX2(Sha256* sha256) RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,25) ; ADD(W_I, W_I_7, W_I_TEMP); RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,25) ; - GAMMA1_1(YMM_TEMP0, W_I_2) ; + GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,25) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,26) ; ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */ RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,26) ; FEEDBACK1_to_W_I_2 ; RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,26) ; - FEEDBACK_to_W_I_7 ; + FEEDBACK_to_W_I_7 ; RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,27) ; ADD(W_I_TEMP, W_I_7, W_I_TEMP); RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,27) ; - GAMMA1_1(YMM_TEMP0, W_I_2) ; + GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,27) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,28) ; ADD(W_I, W_I_TEMP, YMM_TEMP0) ;/* now W[16..19] are completed */ RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,28) ; @@ -1549,7 +1549,7 @@ static int Transform_AVX2(Sha256* sha256) RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,28) ; GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,29) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,29) ; ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..21] are completed */ RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,29) ; @@ -1561,14 +1561,14 @@ static int Transform_AVX2(Sha256* sha256) ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */ RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,31) ; - MOVE_to_REG(YMM_TEMP0, K[32]) ; + MOVE_to_REG(YMM_TEMP0, K[32]) ; RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,31) ; ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ; RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,31) ; ADD(YMM_TEMP0, YMM_TEMP0, W_I) ; MOVE_to_MEM(W_K[32], YMM_TEMP0) ; - + /* W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15] + W[i-16]) */ RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,32) ; GAMMA0_1(W_I_TEMP, W_I_15) ; @@ -1581,13 +1581,13 @@ static int Transform_AVX2(Sha256* sha256) RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,33) ; GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,33) ; - GAMMA1_2(YMM_TEMP0, W_I_2) ; + GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,34) ; ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */ RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,34) ; FEEDBACK1_to_W_I_2 ; RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,34) ; - FEEDBACK_to_W_I_7 ; + FEEDBACK_to_W_I_7 ; RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,35) ; ADD(W_I_TEMP, W_I_7, W_I_TEMP); RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,35) ; @@ -1614,7 +1614,7 @@ static int Transform_AVX2(Sha256* sha256) ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */ RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,39) ; - MOVE_to_REG(YMM_TEMP0, K[40]) ; + MOVE_to_REG(YMM_TEMP0, K[40]) ; RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,39) ; ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ; RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,39) ; @@ -1639,11 +1639,11 @@ static int Transform_AVX2(Sha256* sha256) RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,42) ; FEEDBACK1_to_W_I_2 ; RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,42) ; - FEEDBACK_to_W_I_7 ; + FEEDBACK_to_W_I_7 ; RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,43) ; ADD(W_I_TEMP, W_I_7, W_I_TEMP); RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,43) ; - GAMMA1_1(YMM_TEMP0, W_I_2) ; + GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,43) ; GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,44) ; @@ -1666,13 +1666,13 @@ static int Transform_AVX2(Sha256* sha256) ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */ RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,47) ; - MOVE_to_REG(YMM_TEMP0, K[48]) ; + MOVE_to_REG(YMM_TEMP0, K[48]) ; RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,47) ; ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ; RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,47) ; ADD(YMM_TEMP0, YMM_TEMP0, W_I) ; MOVE_to_MEM(W_K[48], YMM_TEMP0) ; - + /* W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15] + W[i-16]) */ RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,48) ; GAMMA0_1(W_I_TEMP, W_I_15) ; @@ -1683,7 +1683,7 @@ static int Transform_AVX2(Sha256* sha256) RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ; ADD(W_I, W_I_7, W_I_TEMP); RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ; - GAMMA1_1(YMM_TEMP0, W_I_2) ; + GAMMA1_1(YMM_TEMP0, W_I_2) ; RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ; GAMMA1_2(YMM_TEMP0, W_I_2) ; RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ; @@ -1691,7 +1691,7 @@ static int Transform_AVX2(Sha256* sha256) RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ; FEEDBACK1_to_W_I_2 ; RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ; - FEEDBACK_to_W_I_7 ; + FEEDBACK_to_W_I_7 ; RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,51) ; ADD(W_I_TEMP, W_I_7, W_I_TEMP); RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,51) ; @@ -1718,13 +1718,13 @@ static int Transform_AVX2(Sha256* sha256) ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */ RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ; - MOVE_to_REG(YMM_TEMP0, K[56]) ; + MOVE_to_REG(YMM_TEMP0, K[56]) ; RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ; ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ; RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ; ADD(YMM_TEMP0, YMM_TEMP0, W_I) ; - MOVE_to_MEM(W_K[56], YMM_TEMP0) ; - + MOVE_to_MEM(W_K[56], YMM_TEMP0) ; + RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,56) ; RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,57) ; RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,58) ; @@ -1735,7 +1735,7 @@ static int Transform_AVX2(Sha256* sha256) RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,62) ; RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,63) ; - RegToDigest(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ; + RegToDigest(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ; #ifdef WOLFSSL_SMALL_STACK XFREE(W_K, NULL, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index adb0301a8..b7c405a6b 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -513,9 +513,6 @@ static INLINE int Sha512Update(Sha512* sha512, const byte* data, word32 len) { byte* local; - if (sha512 == NULL ||(data == NULL && len > 0)) { - return BAD_FUNC_ARG; - } /* do block size increments */ local = (byte*)sha512->buffer; SAVE_XMM_YMM ; /* for Intel AVX */ @@ -550,6 +547,9 @@ static INLINE int Sha512Update(Sha512* sha512, const byte* data, word32 len) int wc_Sha512Update(Sha512* sha512, const byte* data, word32 len) { + if (sha512 == NULL ||(data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } return Sha512Update(sha512, data, len); } @@ -1349,6 +1349,10 @@ int wc_InitSha384(Sha384* sha384) int wc_Sha384Update(Sha384* sha384, const byte* data, word32 len) { + if (sha384 == NULL || (data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } + return Sha512Update((Sha512 *)sha384, data, len); } From b2fc525a1d5f6a61f1a776624aca8ca3215c66b1 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Fri, 24 Feb 2017 15:58:47 -0700 Subject: [PATCH 14/33] update MD5, SHA, SHA256, SHA384, SHA512 Update functions. --- tests/api.c | 88 +++++++++++++++-------------------------------------- 1 file changed, 24 insertions(+), 64 deletions(-) diff --git a/tests/api.c b/tests/api.c index 3d1b60369..28f62fdcb 100644 --- a/tests/api.c +++ b/tests/api.c @@ -100,7 +100,7 @@ static const char* passed = "passed"; static const char* failed = "failed"; #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - static const char* bogusFile = + static const char* bogusFile = #ifdef _WIN32 "NUL" #else @@ -564,7 +564,7 @@ static void test_wolfSSL_SetTmpDH_buffer(void) /* Test function for wolfSSL_SetMinVersion. Sets the minimum downgrade version - * allowed. + * allowed. * POST: return 1 on success. */ static int test_wolfSSL_SetMinVersion(void) @@ -2279,8 +2279,8 @@ static int test_wc_InitMd5 (void) /* Test good arg. */ ret = wc_InitMd5(&md5); - if (ret != 0) { - flag = SSL_FATAL_ERROR; + if (ret != 0) { + flag = SSL_FATAL_ERROR; } /* Test bad arg. */ @@ -2321,7 +2321,7 @@ static int test_wc_InitSha(void) /* Test bad arg. */ if (!flag) { ret = wc_InitSha(NULL); - if (ret != BAD_FUNC_ARG) { + if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } } @@ -2459,7 +2459,7 @@ static int test_wc_Md5Update (void) ret = wc_InitMd5(&md5); if (ret != 0) { - flag = ret;; + flag = ret; } printf(testingFmt, "wc_Md5Update()"); @@ -2491,9 +2491,7 @@ static int test_wc_Md5Update (void) "\x72"; a.inLen = XSTRLEN(a.input); a.outLen = XSTRLEN(a.output); - } - if (!flag) { ret = wc_Md5Update(&md5, (byte*) a.input, (word32) a.inLen); if (ret != 0) { flag = ret; @@ -2508,7 +2506,7 @@ static int test_wc_Md5Update (void) } if (!flag) { - if (ret != 0 && XMEMCMP(hash, a.output, MD5_DIGEST_SIZE) != 0) { + if (XMEMCMP(hash, a.output, MD5_DIGEST_SIZE) != 0) { flag = SSL_FATAL_ERROR; } } @@ -2517,9 +2515,7 @@ static int test_wc_Md5Update (void) if (!flag) { b.input = NULL; b.inLen = 0; - } - if (!flag) { ret = wc_Md5Update(&md5, (byte*)b.input, (word32)b.inLen); if (ret != 0) { flag = ret; @@ -2527,13 +2523,11 @@ static int test_wc_Md5Update (void) } if (!flag) { - c.input = NULL; - c.inLen = MD5_DIGEST_SIZE; - } + c.input = NULL; + c.inLen = MD5_DIGEST_SIZE; - if (!flag) { ret = wc_Md5Update(&md5, (byte*)c.input, (word32)c.inLen); - if (ret == 0) { + if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } } @@ -2541,9 +2535,7 @@ static int test_wc_Md5Update (void) if (!flag) { ret = wc_Md5Update(NULL, (byte*)a.input, (word32)a.inLen); if (ret != BAD_FUNC_ARG) { - flag = SSL_FATAL_ERROR;; - } else { - flag = 0; + flag = SSL_FATAL_ERROR; } } @@ -2603,9 +2595,7 @@ static int test_wc_ShaUpdate (void) "\x6C\x9C\xD0\xD8\x9D"; a.inLen = XSTRLEN(a.input); a.outLen = XSTRLEN(a.output); - } - if (!flag) { ret = wc_ShaUpdate(&sha, (byte*)a.input, (word32)a.inLen); if (ret != 0) { flag = ret; @@ -2620,7 +2610,7 @@ static int test_wc_ShaUpdate (void) } if (!flag) { - if (ret != 0 && XMEMCMP(hash, a.output, SHA_DIGEST_SIZE) != 0) { + if (XMEMCMP(hash, a.output, SHA_DIGEST_SIZE) != 0) { flag = SSL_FATAL_ERROR; } } @@ -2629,9 +2619,7 @@ static int test_wc_ShaUpdate (void) if (!flag) { b.input = NULL; b.inLen = 0; - } - if (!flag) { ret = wc_ShaUpdate(&sha, (byte*)b.input, (word32)b.inLen); if (ret != 0) { flag = ret; @@ -2641,11 +2629,9 @@ static int test_wc_ShaUpdate (void) if (!flag) { c.input = NULL; c.inLen = SHA_DIGEST_SIZE; - } - if (!flag) { ret = wc_ShaUpdate(&sha, (byte*)c.input, (word32)c.inLen); - if (ret == 0) { + if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } } @@ -2654,8 +2640,6 @@ static int test_wc_ShaUpdate (void) ret = wc_ShaUpdate(NULL, (byte*)a.input, (word32)a.inLen); if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; - } else { - flag = 0; } } @@ -2718,9 +2702,7 @@ static int test_wc_Sha256Update (void) "\x15\xAD"; a.inLen = XSTRLEN(a.input); a.outLen = XSTRLEN(a.output); - } - if (!flag) { ret = wc_Sha256Update(&sha256, (byte*)a.input, (word32)a.inLen); if (ret != 0) { flag = ret; @@ -2735,7 +2717,7 @@ static int test_wc_Sha256Update (void) } if (!flag) { - if (ret != 0 && XMEMCMP(hash, a.output, SHA256_DIGEST_SIZE) != 0) { + if (XMEMCMP(hash, a.output, SHA256_DIGEST_SIZE) != 0) { flag = SSL_FATAL_ERROR; } } @@ -2744,9 +2726,7 @@ static int test_wc_Sha256Update (void) if (!flag) { b.input = NULL; b.inLen = 0; - } - if (!flag) { ret = wc_Sha256Update(&sha256, (byte*)b.input, (word32)b.inLen); if (ret != 0) { flag = ret; @@ -2756,11 +2736,9 @@ static int test_wc_Sha256Update (void) if (!flag) { c.input = NULL; c.inLen = SHA256_DIGEST_SIZE; - } - if (!flag) { ret = wc_Sha256Update(&sha256, (byte*)c.input, (word32)c.inLen); - if (ret == 0) { + if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } } @@ -2769,8 +2747,6 @@ static int test_wc_Sha256Update (void) ret = wc_Sha256Update(NULL, (byte*)a.input, (word32)a.inLen); if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; - } else { - flag = 0; } } @@ -2832,11 +2808,9 @@ static int test_wc_Sha384Update (void) "\x07\x27\x2c\x32\xab\x0e\xde\xd1\x63\x1a\x8b\x60\x5a\x43\xff" "\x5b\xed\x80\x86\x07\x2b\xa1\xe7\xcc\x23\x58\xba\xec\xa1\x34" "\xc8\x25\xa7"; - a.inLen = XSTRLEN(a.input); - a.outLen = XSTRLEN(a.output); - } + a.inLen = XSTRLEN(a.input); + a.outLen = XSTRLEN(a.output); - if (!flag) { ret = wc_Sha384Update(&sha384, (byte*)a.input, (word32)a.inLen); if (ret != 0) { flag = ret; @@ -2851,7 +2825,7 @@ static int test_wc_Sha384Update (void) } if (!flag) { - if (ret != 0 && XMEMCMP(hash, a.output, SHA384_DIGEST_SIZE) != 0) { + if (XMEMCMP(hash, a.output, SHA384_DIGEST_SIZE) != 0) { flag = SSL_FATAL_ERROR; } } @@ -2860,9 +2834,7 @@ static int test_wc_Sha384Update (void) if (!flag) { b.input = NULL; b.inLen = 0; - } - if (!flag) { ret = wc_Sha384Update(&sha384, (byte*)b.input, (word32)b.inLen); if (ret != 0) { flag = ret; @@ -2872,11 +2844,9 @@ static int test_wc_Sha384Update (void) if (!flag) { c.input = NULL; c.inLen = SHA384_DIGEST_SIZE; - } - if (!flag) { ret = wc_Sha384Update(&sha384, (byte*)c.input, (word32)c.inLen); - if (ret == 0) { + if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } } @@ -2885,8 +2855,6 @@ static int test_wc_Sha384Update (void) ret = wc_Sha384Update(NULL, (byte*)a.input, (word32)a.inLen); if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; - } else { - flag = 0; } } @@ -2950,9 +2918,7 @@ static int test_wc_Sha512Update (void) "\x4c\xa4\x9f"; a.inLen = XSTRLEN(a.input); a.outLen = XSTRLEN(a.output); - } - if (!flag) { ret = wc_Sha512Update(&sha512, (byte*) a.input, (word32) a.inLen); if (ret != 0) { flag = ret; @@ -2967,7 +2933,7 @@ static int test_wc_Sha512Update (void) } if (!flag) { - if (ret != 0 && XMEMCMP(hash, a.output, SHA512_DIGEST_SIZE) != 0) { + if (XMEMCMP(hash, a.output, SHA512_DIGEST_SIZE) != 0) { flag = SSL_FAILURE; } } @@ -2976,9 +2942,7 @@ static int test_wc_Sha512Update (void) if (!flag) { b.input = NULL; b.inLen = 0; - } - if (!flag) { ret = wc_Sha512Update(&sha512, (byte*)b.input, (word32)b.inLen); if (ret != 0) { flag = ret; @@ -2988,11 +2952,9 @@ static int test_wc_Sha512Update (void) if (!flag) { c.input = NULL; c.inLen = SHA512_DIGEST_SIZE; - } - if (!flag) { ret = wc_Sha512Update(&sha512, (byte*)c.input, (word32)c.inLen); - if (ret ==0) { + if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } } @@ -3001,8 +2963,6 @@ static int test_wc_Sha512Update (void) ret = wc_Sha512Update(NULL, (byte*)a.input, (word32)a.inLen); if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; - } else { - flag = 0; } } @@ -3016,7 +2976,7 @@ static int test_wc_Sha512Update (void) } /* END test_wc_Sha512Update */ -/* +/* * Unit test on wc_Md5Final() in wolfcrypt/src/md5.c */ static int test_wc_Md5Final (void) @@ -3188,7 +3148,7 @@ static int test_wc_Sha256Final (void) } times = sizeof(hash_test) / sizeof(byte*); - + /* Good test args. */ printf(testingFmt, "wc_Sha256Final()"); @@ -3278,7 +3238,7 @@ static int test_wc_Sha512Final (void) if (ret != BAD_FUNC_ARG) { flag = SSL_FATAL_ERROR; } - + if (!flag) {} ret = wc_Sha512Final(NULL, hash1); if (ret != BAD_FUNC_ARG) { From d5d7a4ae7b9fcdfb9135e8a82965c81872ef4c0b Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 28 Feb 2017 14:44:11 -0700 Subject: [PATCH 15/33] Report failure but continue to run. --- tests/api.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/tests/api.c b/tests/api.c index 28f62fdcb..793dac59e 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2293,7 +2293,7 @@ static int test_wc_InitMd5 (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -2328,7 +2328,7 @@ static int test_wc_InitSha(void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -2364,7 +2364,7 @@ static int test_wc_InitSha256 (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -2400,7 +2400,7 @@ static int test_wc_InitSha512 (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -2436,7 +2436,7 @@ static int test_wc_InitSha384 (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -2541,7 +2541,7 @@ static int test_wc_Md5Update (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -2646,7 +2646,7 @@ static int test_wc_ShaUpdate (void) /* If not returned then the unit test passed test vectors. */ printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -2753,7 +2753,7 @@ static int test_wc_Sha256Update (void) /* If not returned then the unit test passed. */ printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -2861,7 +2861,7 @@ static int test_wc_Sha384Update (void) /* If not returned then the unit test passed test vectors. */ printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -2969,7 +2969,7 @@ static int test_wc_Sha512Update (void) /* If not returned then the unit test passed test vectors. */ printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -3043,7 +3043,7 @@ static int test_wc_Md5Final (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -3114,7 +3114,7 @@ static int test_wc_ShaFinal (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -3185,7 +3185,7 @@ static int test_wc_Sha256Final (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -3255,7 +3255,7 @@ static int test_wc_Sha512Final (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; + return 0; #else return 0; #endif @@ -3326,8 +3326,7 @@ static int test_wc_Sha384Final (void) printf(resultFmt, flag == 0 ? passed : failed); - return flag; - + return 0; #else return 0; #endif From 739436d7a8005f824a67a05cd6ec0a8a77e5655b Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 21 Mar 2017 15:23:47 -0600 Subject: [PATCH 16/33] Merge with wolfSSL master. --- .gitignore | 1 + IDE/INTIME-RTOS/README.md | 158 ++ IDE/INTIME-RTOS/include.am | 13 + IDE/INTIME-RTOS/libwolfssl.c | 20 + IDE/INTIME-RTOS/libwolfssl.vcxproj | 225 ++ IDE/INTIME-RTOS/user_settings.h | 514 ++++ IDE/INTIME-RTOS/wolfExamples.c | 619 ++++ IDE/INTIME-RTOS/wolfExamples.h | 47 + IDE/INTIME-RTOS/wolfExamples.sln | 31 + IDE/INTIME-RTOS/wolfExamples.vcxproj | 100 + IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h | 11 +- IDE/include.am | 1 + certs/include.am | 1 + certs/server-keyPkcs8.der | Bin 0 -> 1219 bytes certs/test/cert-ext-ia.cfg | 18 + certs/test/cert-ext-ia.der | Bin 0 -> 1030 bytes certs/test/cert-ext-nc.cfg | 18 + certs/test/cert-ext-nc.der | Bin 0 -> 1052 bytes certs/test/cert-ext-ns.der | Bin 0 -> 4677 bytes certs/test/gen-ext-certs.sh | 69 + certs/test/include.am | 12 + configure.ac | 109 +- cyassl/ctaocrypt/settings.h | 2 +- cyassl/openssl/include.am | 1 + cyassl/openssl/ssl23.h | 3 + examples/client/client.c | 61 +- examples/server/server.c | 48 +- fips-check.sh | 15 +- gencertbuf.pl | 1 + src/crl.c | 152 +- src/internal.c | 310 ++- src/io.c | 1102 ++++---- src/ocsp.c | 603 +++- src/ssl.c | 2939 ++++++++++++++++--- src/tls.c | 336 ++- tests/api.c | 52 + wolfcrypt/benchmark/benchmark.c | 2 +- wolfcrypt/src/aes.c | 10 + wolfcrypt/src/asn.c | 233 +- wolfcrypt/src/dh.c | 56 + wolfcrypt/src/ecc.c | 224 +- wolfcrypt/src/error.c | 8 +- wolfcrypt/src/evp.c | 2 +- wolfcrypt/src/fe_low_mem.c | 18 +- wolfcrypt/src/fe_operations.c | 4 +- wolfcrypt/src/ge_operations.c | 132 +- wolfcrypt/src/hash.c | 47 +- wolfcrypt/src/hmac.c | 12 +- wolfcrypt/src/integer.c | 51 +- wolfcrypt/src/logging.c | 89 +- wolfcrypt/src/memory.c | 37 +- wolfcrypt/src/pkcs12.c | 4 + wolfcrypt/src/poly1305.c | 4 +- wolfcrypt/src/port/arm/armv8-aes.c | 31 + wolfcrypt/src/port/ti/ti-aes.c | 3 + wolfcrypt/src/random.c | 18 + wolfcrypt/src/rsa.c | 2 +- wolfcrypt/src/tfm.c | 82 +- wolfcrypt/src/wc_port.c | 1340 +++++---- wolfcrypt/test/test.c | 3097 ++++++++++++++++++--- wolfcrypt/user-crypto/src/rsa.c | 6 +- wolfssl/certs_test.h | 126 + wolfssl/error-ssl.h | 3 +- wolfssl/include.am | 3 +- wolfssl/internal.h | 130 +- wolfssl/io.h | 402 +++ wolfssl/ocsp.h | 50 + wolfssl/openssl/crypto.h | 7 +- wolfssl/openssl/dsa.h | 8 +- wolfssl/openssl/ec.h | 13 +- wolfssl/openssl/ecdsa.h | 8 +- wolfssl/openssl/evp.h | 22 + wolfssl/openssl/hmac.h | 3 + wolfssl/openssl/include.am | 1 + wolfssl/openssl/ocsp.h | 43 + wolfssl/openssl/opensslv.h | 2 +- wolfssl/openssl/rsa.h | 8 +- wolfssl/openssl/sha.h | 1 + wolfssl/openssl/ssl.h | 162 +- wolfssl/openssl/ssl23.h | 1 + wolfssl/ssl.h | 375 ++- wolfssl/test.h | 34 +- wolfssl/wolfcrypt/asn.h | 21 +- wolfssl/wolfcrypt/asn_public.h | 6 +- wolfssl/wolfcrypt/dh.h | 1 + wolfssl/wolfcrypt/ecc.h | 32 +- wolfssl/wolfcrypt/error-crypt.h | 2 + wolfssl/wolfcrypt/fe_operations.h | 4 +- wolfssl/wolfcrypt/integer.h | 161 +- wolfssl/wolfcrypt/logging.h | 30 +- wolfssl/wolfcrypt/settings.h | 50 +- wolfssl/wolfcrypt/tfm.h | 120 +- wolfssl/wolfcrypt/types.h | 10 +- wolfssl/wolfcrypt/wc_port.h | 63 +- wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs | 29 + 95 files changed, 12106 insertions(+), 2929 deletions(-) create mode 100755 IDE/INTIME-RTOS/README.md create mode 100644 IDE/INTIME-RTOS/include.am create mode 100755 IDE/INTIME-RTOS/libwolfssl.c create mode 100755 IDE/INTIME-RTOS/libwolfssl.vcxproj create mode 100755 IDE/INTIME-RTOS/user_settings.h create mode 100755 IDE/INTIME-RTOS/wolfExamples.c create mode 100755 IDE/INTIME-RTOS/wolfExamples.h create mode 100755 IDE/INTIME-RTOS/wolfExamples.sln create mode 100755 IDE/INTIME-RTOS/wolfExamples.vcxproj create mode 100644 certs/server-keyPkcs8.der create mode 100644 certs/test/cert-ext-ia.cfg create mode 100644 certs/test/cert-ext-ia.der create mode 100644 certs/test/cert-ext-nc.cfg create mode 100644 certs/test/cert-ext-nc.der create mode 100644 certs/test/cert-ext-ns.der create mode 100644 certs/test/gen-ext-certs.sh create mode 100644 certs/test/include.am create mode 100644 cyassl/openssl/ssl23.h mode change 100644 => 100755 src/crl.c mode change 100644 => 100755 src/tls.c mode change 100644 => 100755 wolfcrypt/src/fe_operations.c mode change 100644 => 100755 wolfcrypt/src/wc_port.c mode change 100644 => 100755 wolfssl/internal.h create mode 100644 wolfssl/io.h create mode 100644 wolfssl/openssl/ssl23.h mode change 100644 => 100755 wolfssl/wolfcrypt/logging.h diff --git a/.gitignore b/.gitignore index cd9de3c0f..f1fd0c9c9 100644 --- a/.gitignore +++ b/.gitignore @@ -190,3 +190,4 @@ wrapper/CSharp/x64/ # Visual Studio Code Workspace Files *.vscode +IDE/INTIME-RTOS/Debug_* diff --git a/IDE/INTIME-RTOS/README.md b/IDE/INTIME-RTOS/README.md new file mode 100755 index 000000000..e747efdde --- /dev/null +++ b/IDE/INTIME-RTOS/README.md @@ -0,0 +1,158 @@ +# tenAsys INtime RTOS Port + +## Overview + +This port is for the tenAsys INtime RTOS available [here](http://www.tenasys.com/tenasys-products/intime-rtos-family/overview-rtos). + +To enable use the define `INTIME_RTOS`. + +## Usage + +The wolfExamples.sln is a Visual Studio 2015 project. You must have the INtime SDK installed and an INtime RTOS agent running. + +The default configuration is set inside the `IDE/INTIME-RTOS/user_settings.h` file. + +The example application provides a simple menu interface to select difference application functions to test. + +``` +wolfExamples started +wolfExamples finished initialization + + MENU + + t. WolfCrypt Test + b. WolfCrypt Benchmark + c. WolfSSL Client Example + s. WolfSSL Server Example + l. WolfSSL Localhost Client/Server Example +Please select one of the above options: +``` + +### `t`wolfCrypt Test + +Performs testing of all crypto algorithms. + +``` +Crypt Test +error test passed! +base64 test passed! +base64 test passed! +MD5 test passed! +SHA test passed! +SHA-256 test passed! +SHA-384 test passed! +SHA-512 test passed! +Hash test passed! +HMAC-MD5 test passed! +HMAC-SHA test passed! +HMAC-SHA256 test passed! +HMAC-SHA384 test passed! +HMAC-SHA512 test passed! +HMAC-KDF test passed! +X963-KDF test passed! +GMAC test passed! +Chacha test passed! +POLY1305 test passed! +ChaCha20-Poly1305 AEAD test passed! +DES test passed! +DES3 test passed! +AES test passed! +AES-GCM test passed! +AES-CCM test passed! +AES Key Wrap test passed! +RANDOM test passed! +RSA test passed! +DH test passed! +DSA test passed! +SRP test passed! +PWDBASED test passed! +openSSL extra test +OPENSSL test passed! +ECC test passed! +ECC Enc test passed! +ECC buffer test passed! +CURVE25519 test passed! +ED25519 test passed! +CMAC test passed! +PKCS7enveloped test passed! +PKCS7signed test passed! +PKCS7encrypted test passed! +mutex test passed! +memcb test passed! +Crypt Test: Return code 0 +``` + +### `b` wolfCrypt Benchmark + +Performs benchmark of crypto algorithms. + +``` +Benchmark Test +RNG 25 kB took 0.002 seconds, 11.017 MB/s +AES enc 25 kB took 0.002 seconds, 15.090 MB/s +AES dec 25 kB took 0.002 seconds, 15.119 MB/s +AES-GCM 25 kB took 0.003 seconds, 9.433 MB/s +AES-CTR 25 kB took 0.001 seconds, 22.378 MB/s +AES-CCM 25 kB took 0.002 seconds, 15.306 MB/s +CHACHA 25 kB took 0.002 seconds, 16.063 MB/s +CHA-POLY 25 kB took 0.001 seconds, 20.447 MB/s +3DES 25 kB took 0.002 seconds, 10.717 MB/s + +MD5 25 kB took 0.00 seconds, 31.576 MB/s +POLY1305 25 kB took 0.000 seconds, 201.575 MB/s +SHA 25 kB took 0.00 seconds, 43.761 MB/s +SHA-256 25 kB took 0.001 seconds, 19.299 MB/s +SHA-384 25 kB took 0.002 seconds, 14.577 MB/s +SHA-512 25 kB took 0.001 seconds, 21.718 MB/s +AES-CMAC 25 kB took 0.00 seconds, 34.925 MB/s + +RSA 2048 public 2.445 milliseconds, avg over 1 iterations +RSA 2048 private 64.711 milliseconds, avg over 1 iterations + +RSA 1024 key generation 318.755 milliseconds, avg over 5 iterations +RSA 2048 key generation 22648.396 milliseconds, avg over 5 iterations +DH 2048 key generation 23.119 milliseconds, avg over 1 iterations +DH 2048 key agreement 26.756 milliseconds, avg over 1 iterations + +ECC 256 key generation 2.984 milliseconds, avg over 5 iterations +EC-DHE key agreement 2.967 milliseconds, avg over 5 iterations +EC-DSA sign time 1.448 milliseconds, avg over 5 iterations +EC-DSA verify time 3.304 milliseconds, avg over 5 iterations +ECC encrypt 5.860 milliseconds, avg over 1 iterations +ECC decrypt 6.360 milliseconds, avg over 1 iterations + +CURVE25519 256 key generation 1.416 milliseconds, avg over 5 iterations +CURVE25519 key agreement 1.332 milliseconds, avg over 5 iterations + +ED25519 key generation 0.320 milliseconds, avg over 5 iterations +ED25519 sign time 0.595 milliseconds, avg over 5 iterations +ED25519 verify time 1.310 milliseconds, avg over 5 iterations +Benchmark Test: Return code 0 +``` + +### `c` wolfSSL Client + +To configure the host address and port modify the `TLS_HOST_REMOTE` and `TLS_PORT` macros at top of `wolfExamples.c`. This example uses TLS 1.2 to connect to a remote host. + +### `s` wolfSSL Server + +To configure the port to listen on modify `TLS_PORT` at top of `wolfExamples.c`. + +### `l` wolfSSL Localhost Server/Client + +Starts a TLS server thread listening on localhost. Starts the TLS client and performs connect, exchanges some data and disconnects. + +``` +Waiting for a connection... +Client connected successfully +Using Non-Blocking I/O: 0 +Message for server: Client: + +Recieved: I hear ya fa shizzle! + +The client has closed the connection. +``` + +## References + +For more information please contact info@wolfssl.com. diff --git a/IDE/INTIME-RTOS/include.am b/IDE/INTIME-RTOS/include.am new file mode 100644 index 000000000..5828c76ec --- /dev/null +++ b/IDE/INTIME-RTOS/include.am @@ -0,0 +1,13 @@ +# vim:ft=automake +# included from Top Level Makefile.am +# All paths should be given relative to the root + +EXTRA_DIST += \ + IDE/INTIME-RTOS/README.md \ + IDE/INTIME-RTOS/user_settings.h \ + IDE/INTIME-RTOS/libwolfssl.c \ + IDE/INTIME-RTOS/libwolfssl.vcxproj \ + IDE/INTIME-RTOS/wolfExamples.c \ + IDE/INTIME-RTOS/wolfExamples.h \ + IDE/INTIME-RTOS/wolfExamples.vcxproj \ + IDE/INTIME-RTOS/wolfExamples.sln diff --git a/IDE/INTIME-RTOS/libwolfssl.c b/IDE/INTIME-RTOS/libwolfssl.c new file mode 100755 index 000000000..94d39bb24 --- /dev/null +++ b/IDE/INTIME-RTOS/libwolfssl.c @@ -0,0 +1,20 @@ +// libwolfssl.c +// Defines the entry point for the DLL application + +#include + +BOOLEAN __stdcall RslMain( RTHANDLE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved + ) +{ + switch (ul_reason_for_call) { + case RSL_PROCESS_ATTACH: + case RSL_THREAD_ATTACH: + case RSL_THREAD_DETACH: + case RSL_PROCESS_DETACH: + break; + } + + return TRUE; +} diff --git a/IDE/INTIME-RTOS/libwolfssl.vcxproj b/IDE/INTIME-RTOS/libwolfssl.vcxproj new file mode 100755 index 000000000..155da63aa --- /dev/null +++ b/IDE/INTIME-RTOS/libwolfssl.vcxproj @@ -0,0 +1,225 @@ + + + + + Debug + INtime + + + Release + INtime + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + {1731767D-573F-45C9-A466-191DA0D180CF} + 8.1 + + + + StaticLibrary + NotSet + v140 + + + StaticLibrary + false + NotSet + v140 + + + + + + + + + + + + $(Configuration)_$(ProjectName)\ + + + $(Configuration)_$(ProjectName)\ + + + + + + 21076.20052 + /SAFESEH:NO %(AdditionalOptions) + rt.lib;pcibus.lib;netlib.lib;clib.lib;vshelper.lib + $(SolutionDir)$(Configuration)\\libwolfssl.rsl + + + Async + _USRDLL;WOLFSSL_DLL;BUILDING_WOLFSSL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions) + $(ProjectDir);$(ProjectDir)..\..\;%(AdditionalIncludeDirectories) + $(IntDir) + $(IntDir) + $(IntDir) + $(IntDir)vc$(PlatformToolsetVersion).pdb + + + + + + + 21076.20052 + /SAFESEH:NO %(AdditionalOptions) + rt.lib;pcibus.lib;netlib.lib;clib.lib;vshelper.lib + $(SolutionDir)$(Configuration)\\libwolfssl.rsl + + + Async + _USRDLL;WOLFSSL_DLL;BUILDING_WOLFSSL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions) + $(ProjectDir);$(ProjectDir)..\..\;%(AdditionalIncludeDirectories) + $(IntDir) + $(IntDir) + $(IntDir) + $(IntDir)vc$(PlatformToolsetVersion).pdb + + + + + + diff --git a/IDE/INTIME-RTOS/user_settings.h b/IDE/INTIME-RTOS/user_settings.h new file mode 100755 index 000000000..fa4867fe1 --- /dev/null +++ b/IDE/INTIME-RTOS/user_settings.h @@ -0,0 +1,514 @@ +/* Example custom user settings for wolfSSL and INtime RTOS port */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------------------------------- */ +/* Port - Platform */ +/* ------------------------------------------------------------------------- */ +#undef INTIME_RTOS +#define INTIME_RTOS + +#undef INTIME_RTOS_MUTEX_MAX +#define INTIME_RTOS_MUTEX_MAX 10 + +#undef WOLF_EXAMPLES_STACK +#define WOLF_EXAMPLES_STACK 65536 + +#undef WOLFSSL_GENERAL_ALIGNMENT +#define WOLFSSL_GENERAL_ALIGNMENT 4 + +/* platform already has min()/max() */ +#undef WOLFSSL_HAVE_MIN +#define WOLFSSL_HAVE_MIN +#undef WOLFSSL_HAVE_MAX +#define WOLFSSL_HAVE_MAX + +/* disable directory support */ +#undef NO_WOLFSSL_DIR +#define NO_WOLFSSL_DIR + +/* disable writev */ +#undef NO_WRITEV +#define NO_WRITEV + +/* we provide main entry point */ +#undef NO_MAIN_DRIVER +#define NO_MAIN_DRIVER + +/* if using in single threaded mode */ +#undef SINGLE_THREADED +//#define SINGLE_THREADED +/* Note: HAVE_THREAD_LS is not support for INtime RTOS */ + +/* reduces stack usage, by using malloc/free for stack variables over 100 bytes */ +#undef WOLFSSL_SMALL_STACK +//#define WOLFSSL_SMALL_STACK + + +/* ------------------------------------------------------------------------- */ +/* Math Configuration */ +/* ------------------------------------------------------------------------- */ +/* fast math uses stack and inline assembly to speed up math */ +#undef USE_FAST_MATH +#define USE_FAST_MATH + +#ifdef USE_FAST_MATH + /* timing resistance for side-channel attack protection */ + #undef TFM_TIMING_RESISTANT + #define TFM_TIMING_RESISTANT +#endif + + +/* ------------------------------------------------------------------------- */ +/* Crypto */ +/* ------------------------------------------------------------------------- */ +/* ECC */ +#if 1 + #undef HAVE_ECC + #define HAVE_ECC + + /* Support for custom curves */ + #define WOLFSSL_CUSTOM_CURVES + + /* Curve types */ + //#define NO_ECC_SECP + #define HAVE_ECC_SECPR2 + #define HAVE_ECC_SECPR3 + #define HAVE_ECC_BRAINPOOL + #define HAVE_ECC_KOBLITZ + + /* Curve sizes */ + #undef HAVE_ALL_CURVES + //#define HAVE_ALL_CURVES + #ifndef HAVE_ALL_CURVES + /* allows enabling custom curve sizes */ + #undef ECC_USER_CURVES + #define ECC_USER_CURVES + + //#define HAVE_ECC112 + //#define HAVE_ECC128 + //#define HAVE_ECC160 + #define HAVE_ECC192 + #define HAVE_ECC224 + //#define NO_ECC256 + #define HAVE_ECC384 + #define HAVE_ECC521 + #endif + + /* Fixed point cache (speeds repeated operations against same private key) */ + #undef FP_ECC + #define FP_ECC + #ifdef FP_ECC + /* Bits / Entries */ + #undef FP_ENTRIES + #define FP_ENTRIES 2 + #undef FP_LUT + #define FP_LUT 4 + #endif + + /* Optional ECC calculation method */ + /* Note: doubles heap usage, but slightly faster */ + #undef ECC_SHAMIR + #define ECC_SHAMIR + + /* Reduces heap usage, but slower */ + /* timing resistance for side-channel attack protection */ + #undef ECC_TIMING_RESISTANT + #define ECC_TIMING_RESISTANT + + #ifdef USE_FAST_MATH + /* use reduced size math buffers for ecc points */ + #undef ALT_ECC_SIZE + #define ALT_ECC_SIZE + + /* Enable TFM optimizations for ECC */ + #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) + #define TFM_ECC192 + #endif + #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) + #define TFM_ECC224 + #endif + #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) + #define TFM_ECC256 + #endif + #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) + #define TFM_ECC384 + #endif + #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) + #define TFM_ECC521 + #endif + #endif +#endif + +/* RSA */ +#undef NO_RSA +#if 1 + #ifdef USE_FAST_MATH + /* Maximum math bits (Max RSA key bits * 2) */ + #undef FP_MAX_BITS + #define FP_MAX_BITS 4096 + #endif + + /* half as much memory but twice as slow */ + #undef RSA_LOW_MEM + //#define RSA_LOW_MEM + + /* RSA blinding countermeasures */ + #undef WC_RSA_BLINDING + #define WC_RSA_BLINDING +#else + #define NO_RSA +#endif + +/* AES */ +#undef NO_AES +#if 1 + #undef HAVE_AESGCM + #define HAVE_AESGCM + + #ifdef HAVE_AESGCM + /* GCM Method: GCM_SMALL, GCM_WORD32 or GCM_TABLE */ + //#define GCM_SMALL + #define GCM_TABLE + #endif + + #undef WOLFSSL_AES_COUNTER + #define WOLFSSL_AES_COUNTER + + #undef HAVE_AESCCM + #define HAVE_AESCCM + + #undef WOLFSSL_AES_DIRECT + #define WOLFSSL_AES_DIRECT + + #undef HAVE_AES_KEYWRAP + #define HAVE_AES_KEYWRAP +#else + #define NO_AES +#endif + +/* ChaCha20 / Poly1305 */ +#undef HAVE_CHACHA +#undef HAVE_POLY1305 +#if 1 + #define HAVE_CHACHA + #define HAVE_POLY1305 + + /* Needed for Poly1305 */ + #undef HAVE_ONE_TIME_AUTH + #define HAVE_ONE_TIME_AUTH +#endif + +/* Ed25519 / Curve25519 */ +#undef HAVE_CURVE25519 +#undef HAVE_ED25519 +#if 1 + #define HAVE_CURVE25519 + #define HAVE_ED25519 + + /* Optionally use small math (less flash usage, but much slower) */ + #if 0 + #define CURVED25519_SMALL + #endif +#endif + + +/* ------------------------------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------------------------------- */ +/* Sha */ +#undef NO_SHA +#if 1 + /* 1k smaller, but 25% slower */ + //#define USE_SLOW_SHA +#else + #define NO_SHA +#endif + +/* Sha256 */ +#undef NO_SHA256 +#if 1 +#else + #define NO_SHA256 +#endif + +/* Sha512 */ +#undef WOLFSSL_SHA512 +#if 1 + #define WOLFSSL_SHA512 + + /* Sha384 */ + #undef WOLFSSL_SHA384 + #if 1 + #define WOLFSSL_SHA384 + #endif + + /* over twice as small, but 50% slower */ + //#define USE_SLOW_SHA2 +#endif + +/* MD5 */ +#undef NO_MD5 +#if 1 +#else + #define NO_MD5 +#endif + + +/* ------------------------------------------------------------------------- */ +/* Enable Features */ +/* ------------------------------------------------------------------------- */ +#undef KEEP_PEER_CERT +#define KEEP_PEER_CERT + +#undef HAVE_COMP_KEY +#define HAVE_COMP_KEY + +#undef HAVE_ECC_ENCRYPT +#define HAVE_ECC_ENCRYPT + +#undef HAVE_TLS_EXTENSIONS +#define HAVE_TLS_EXTENSIONS + +#undef HAVE_SUPPORTED_CURVES +#define HAVE_SUPPORTED_CURVES + +#undef HAVE_EXTENDED_MASTER +#define HAVE_EXTENDED_MASTER + +#undef WOLFSSL_DTLS +#define WOLFSSL_DTLS + +#undef OPENSSL_EXTRA +#define OPENSSL_EXTRA + +#undef WOLFSSL_BASE64_ENCODE +#define WOLFSSL_BASE64_ENCODE + +#undef HAVE_HKDF +#define HAVE_HKDF + +#undef WOLFSSL_CMAC +#define WOLFSSL_CMAC + +#undef WOLFSSL_KEY_GEN +#define WOLFSSL_KEY_GEN + +#undef WOLFSSL_CERT_GEN +#define WOLFSSL_CERT_GEN + +#undef WOLFSSL_CERT_REQ +#define WOLFSSL_CERT_REQ + +#undef WOLFSSL_CERT_EXT +#define WOLFSSL_CERT_EXT + +#undef HAVE_PK_CALLBACKS +#define HAVE_PK_CALLBACKS + +#undef HAVE_ALPN +#define HAVE_ALPN + +#undef HAVE_SNI +#define HAVE_SNI + +#undef HAVE_MAX_FRAGMENT +#define HAVE_MAX_FRAGMENT + +#undef HAVE_TRUNCATED_HMAC +#define HAVE_TRUNCATED_HMAC + +#undef SESSION_CERTS +#define SESSION_CERTS + +#undef HAVE_SESSION_TICKET +#define HAVE_SESSION_TICKET + +#undef WOLFCRYPT_HAVE_SRP +#define WOLFCRYPT_HAVE_SRP + +#undef WOLFSSL_HAVE_CERT_SERVICE +#define WOLFSSL_HAVE_CERT_SERVICE + +#undef HAVE_PKCS7 +#define HAVE_PKCS7 + +#undef HAVE_X963_KDF +#define HAVE_X963_KDF + +#undef WOLFSSL_HAVE_WOLFSCEP +#define WOLFSSL_HAVE_WOLFSCEP + +#undef WOLFSSL_ALWAYS_KEEP_SNI +#define WOLFSSL_ALWAYS_KEEP_SNI + +#undef WOLFSSL_ALWAYS_VERIFY_CB +#define WOLFSSL_ALWAYS_VERIFY_CB + +#undef WOLFSSL_SEP +#define WOLFSSL_SEP + +#undef ATOMIC_USER +#define ATOMIC_USER + +#undef HAVE_OCSP +#define HAVE_OCSP + +#undef HAVE_CERTIFICATE_STATUS_REQUEST +#define HAVE_CERTIFICATE_STATUS_REQUEST + +#undef HAVE_CERTIFICATE_STATUS_REQUEST_V2 +#define HAVE_CERTIFICATE_STATUS_REQUEST_V2 + +#undef HAVE_CRL +#define HAVE_CRL + +#undef PERSIST_CERT_CACHE +//#define PERSIST_CERT_CACHE + +#undef PERSIST_SESSION_CACHE +//#define PERSIST_SESSION_CACHE + +#undef WOLFSSL_DER_LOAD +//#define WOLFSSL_DER_LOAD + +#undef WOLFSSL_DES_ECB +//#define WOLFSSL_DES_ECB + +#undef HAVE_CAMELLIA +//#define HAVE_CAMELLIA + +#undef HAVE_NULL_CIPHER +//#define HAVE_NULL_CIPHER + +#undef WOLFSSL_RIPEMD +//#define WOLFSSL_RIPEMD + + +/* TLS Session Cache */ +#if 1 + #define SMALL_SESSION_CACHE + //#define MEDIUM_SESSION_CACHE + //#define BIG_SESSION_CACHE + //#define HUGE_SESSION_CACHE +#else + #define NO_SESSION_CACHE +#endif + + +/* ------------------------------------------------------------------------- */ +/* Disable Features */ +/* ------------------------------------------------------------------------- */ +#undef NO_WOLFSSL_SERVER +//#define NO_WOLFSSL_SERVER + +#undef NO_WOLFSSL_CLIENT +//#define NO_WOLFSSL_CLIENT + +/* disables TLS 1.0/1.1 support */ +#undef NO_OLD_TLS +//#define NO_OLD_TLS + +/* disable access to filesystem */ +#undef NO_FILESYSTEM +//#define NO_FILESYSTEM + +#undef NO_RC4 +#define NO_RC4 + +#undef NO_HC128 +#define NO_HC128 + +#undef NO_RABBIT +#define NO_RABBIT + +#undef NO_MD4 +#define NO_MD4 + +/* Pre-shared keys */ +#undef NO_PSK +//#define NO_PSK + +#undef NO_DSA +//#define NO_DSA + +#undef NO_DH +//#define NO_DH + +#undef NO_DES3 +//#define NO_DES3 + +#undef NO_PWDBASED +//#define NO_PWDBASED + +/* encoding/decoding support */ +#undef NO_CODING +//#define NO_CODING + +/* memory wrappers and memory callbacks */ +#undef NO_WOLFSSL_MEMORY +//#define NO_WOLFSSL_MEMORY + +/* In-lining of misc.c functions */ +/* If defined, must include wolfcrypt/src/misc.c in build */ +/* Slower, but about 1k smaller */ +#undef NO_INLINE +//#define NO_INLINE + + + +/* ------------------------------------------------------------------------- */ +/* Benchmark / Test */ +/* ------------------------------------------------------------------------- */ +#undef NO_CRYPT_TEST +//#define NO_CRYPT_TEST + +#undef NO_CRYPT_BENCHMARK +//#define NO_CRYPT_BENCHMARK + +/* Use reduced benchmark / test sizes */ +#undef BENCH_EMBEDDED +#define BENCH_EMBEDDED + +#undef USE_CERT_BUFFERS_2048 +#define USE_CERT_BUFFERS_2048 + +#undef USE_CERT_BUFFERS_256 +#define USE_CERT_BUFFERS_256 + + + +/* ------------------------------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------------------------------- */ +#undef DEBUG_WOLFSSL +//#define DEBUG_WOLFSSL +#ifdef DEBUG_WOLFSSL + /* Use this to measure / print heap usage */ + #if 0 + #undef USE_WOLFSSL_MEMORY + #define USE_WOLFSSL_MEMORY + + #undef WOLFSSL_TRACK_MEMORY + #define WOLFSSL_TRACK_MEMORY + #endif + + /* Math debugging (adds support for mp_dump) */ + #undef WOLFSSL_DEBUG_MATH + //#define WOLFSSL_DEBUG_MATH +#else + #undef NO_ERROR_STRINGS + //#define NO_ERROR_STRINGS +#endif + + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/IDE/INTIME-RTOS/wolfExamples.c b/IDE/INTIME-RTOS/wolfExamples.c new file mode 100755 index 000000000..d7b801ee7 --- /dev/null +++ b/IDE/INTIME-RTOS/wolfExamples.c @@ -0,0 +1,619 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "wolfExamples.h" +#include +#include +#include +#include +#include + + +/***************************************************************************** + * Globals + ****************************************************************************/ +RTHANDLE hRootProcess; +DWORD dwKtickInUsecs; +INIT_STRUCT gInit; +static int gServerExit = 0; +static int gServerReady = 0; + +static const char menu1[] = "\r\n" + "\tt. WolfCrypt Test\r\n" + "\tb. WolfCrypt Benchmark\r\n" + "\tc. WolfSSL Client Example\r\n" + "\ts. WolfSSL Server Example\r\n" + "\tl. WolfSSL Localhost Client/Server Example\r\n"; + + +/***************************************************************************** + * Configuration + ****************************************************************************/ + +#define TLS_MAXDATASIZE 4096 /* maximum acceptable amount of data */ +#define TLS_PORT 11111 /* define default port number */ +#define TLS_HOST_LOCAL "127.0.0.1" +#define TLS_HOST_REMOTE "192.168.0.112" +#define SOCK_MAX_PENDING 5 +#define THREAD_BASE_PRIO 150 + + +/***************************************************************************** + * TLS Client + ****************************************************************************/ +int wolfExample_TLSClient(const char* ip, int port) +{ + int ret = 0; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; /* create WOLFSSL object */ + int sockFd = -1; /* socket file descriptor */ + struct sockaddr_in servAddr; /* struct for server address */ + char sendBuff[TLS_MAXDATASIZE], rcvBuff[TLS_MAXDATASIZE]; + + sockFd = socket(AF_INET, SOCK_STREAM, 0); + if (sockFd < 0) { + printf("Failed to create socket. Error: %d\n", errno); + return errno; + } + + memset(&servAddr, 0, sizeof(servAddr)); /* clears memory block for use */ + servAddr.sin_family = AF_INET; /* sets addressfamily to internet*/ + servAddr.sin_port = htons(port); /* sets port to defined port */ + + /* looks for the server at the entered address (ip in the command line) */ + if (inet_pton(AF_INET, ip, &servAddr.sin_addr) < 1) { + /* checks validity of address */ + ret = errno; + printf("Invalid Address. Error: %d\n", ret); + goto exit; + } + + if (connect(sockFd, (struct sockaddr *)&servAddr, sizeof(servAddr)) < 0) { + /* if socket fails to connect to the server*/ + ret = errno; + printf("Connect error. Error: %d\n", ret); + goto exit; + } + + /* create and initialize WOLFSSL_CTX structure */ + if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL) { + printf("SSL_CTX_new error.\n"); + goto exit; + } + + /* load CA certificates into wolfSSL_CTX. which will verify the server */ + ret = wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_der_2048, + sizeof_ca_cert_der_2048, SSL_FILETYPE_ASN1); + if (ret != SSL_SUCCESS) { + printf("Error %d loading CA cert\n", ret); + goto exit; + } + if ((ssl = wolfSSL_new(ctx)) == NULL) { + printf("wolfSSL_new error.\n"); + goto exit; + } + wolfSSL_set_fd(ssl, sockFd); + + ret = wolfSSL_connect(ssl); + if (ret == SSL_SUCCESS) { + printf("Message for server:\t"); + fgets(sendBuff, TLS_MAXDATASIZE, stdin); + + if (wolfSSL_write(ssl, sendBuff, strlen(sendBuff)) != strlen(sendBuff)) { + /* the message is not able to send, or error trying */ + ret = wolfSSL_get_error(ssl, 0); + printf("Write error: Error: %d\n", ret); + goto exit; + } + + memset(rcvBuff, 0, TLS_MAXDATASIZE); + if (wolfSSL_read(ssl, rcvBuff, TLS_MAXDATASIZE) < 0) { + /* the server failed to send data, or error trying */ + ret = wolfSSL_get_error(ssl, 0); + printf("Read error. Error: %d\n", ret); + goto exit; + } + printf("Recieved: \t%s\n", rcvBuff); + } + +exit: + /* frees all data before client termination */ + if (sockFd != -1) + close(sockFd); + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + gServerExit = 1; + + return ret; +} + +/***************************************************************************** + * TLS Server + ****************************************************************************/ +int wolfExample_TLSServer(int port) +{ + int ret = 0; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + int sockFd = -1, clientFd = -1; + struct sockaddr_in serverAddr = {0}, clientAddr = {0}; + const char reply[] = "I hear ya fa shizzle!\n"; + int addrSize = sizeof(clientAddr); + char buff[256]; + + sockFd = socket(AF_INET, SOCK_STREAM, 0); + if (sockFd < 0) { + printf("Failed to create socket. Error: %d\n", errno); + return errno; + } + + /* create and initialize WOLFSSL_CTX structure */ + if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())) == NULL) { + fprintf(stderr, "wolfSSL_CTX_new error.\n"); + goto exit; + } + + /* Load server certificate into WOLFSSL_CTX */ + ret = wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, + sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1); + if (ret != SSL_SUCCESS) { + fprintf(stderr, "Error %d loading server-cert!\n", ret); + goto exit; + } + + /* Load server key into WOLFSSL_CTX */ + ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_key_der_2048, + sizeof_server_key_der_2048, SSL_FILETYPE_ASN1); + if (ret != SSL_SUCCESS) { + fprintf(stderr, "Error %d loading server-key!\n", ret); + goto exit; + } + + /* Initialize the server address struct to zero */ + memset((char *)&serverAddr, 0, sizeof(serverAddr)); + + /* Fill the server's address family */ + serverAddr.sin_family = AF_INET; + serverAddr.sin_addr.s_addr = INADDR_ANY; + serverAddr.sin_port = htons(port); + + /* Attach the server socket to our port */ + if (bind(sockFd, (struct sockaddr *)&serverAddr, sizeof(serverAddr)) < 0) { + printf("ERROR: failed to bind\n"); + goto exit; + } + + printf("Waiting for a connection...\n"); + gServerReady = 1; + + /* Continuously accept connects while not in an active connection */ + while (gServerExit == 0) { + /* listen for a new connection */ + ret = listen(sockFd, SOCK_MAX_PENDING); + if (ret == 0) { + /* Wait until a client connects */ + clientFd = accept(sockFd, (struct sockaddr*)&clientAddr, &addrSize); + + /* If fails to connect, loop back up and wait for a new connection */ + if (clientFd == -1) { + printf("failed to accept the connection..\n"); + } + /* If it connects, read in and reply to the client */ + else { + printf("Client connected successfully\n"); + + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + fprintf(stderr, "wolfSSL_new error.\n"); + break; + } + + /* direct our ssl to our clients connection */ + wolfSSL_set_fd(ssl, clientFd); + + printf("Using Non-Blocking I/O: %d\n", + wolfSSL_get_using_nonblock(ssl)); + + for ( ; ; ) { + /* Clear the buffer memory for anything possibly left over */ + memset(&buff, 0, sizeof(buff)); + + /* Read the client data into our buff array */ + ret = wolfSSL_read(ssl, buff, sizeof(buff) - 1); + if (ret > 0) { + /* Print any data the client sends to the console */ + printf("Client: %s\n", buff); + + /* Reply back to the client */ + ret = wolfSSL_write(ssl, reply, sizeof(reply) - 1); + if (ret < 0) { + printf("wolfSSL_write error = %d\n", + wolfSSL_get_error(ssl, ret)); + gServerExit = 1; + break; + } + } + /* if the client disconnects break the loop */ + else { + if (ret < 0) + printf("wolfSSL_read error = %d\n", + wolfSSL_get_error(ssl, ret)); + else if (ret == 0) + printf("The client has closed the connection.\n"); + gServerExit = 1; + break; + } + } + wolfSSL_free(ssl); /* Free the WOLFSSL object */ + ssl = NULL; + } + close(clientFd); /* close the connected socket */ + clientFd = -1; + } + } /* while */ + +exit: + if (clientFd != -1) + close(clientFd); + if (sockFd != -1) + close(sockFd); + wolfSSL_free(ssl); /* Free the WOLFSSL object */ + wolfSSL_CTX_free(ctx); /* Free WOLFSSL_CTX */ + + return ret; +} + +/***************************************************************************** + * TLS Local Test + ****************************************************************************/ +static void wolfSSLLocalServerThread(void* param) +{ + int port = (int)((int*)param); + wolfExample_TLSServer(port); +} + +int wolfExample_TLSLocal(int port) +{ + int ret; + RTHANDLE srvHandle; + + /* start server thread */ + srvHandle = CreateRtThread(THREAD_BASE_PRIO + 10, + (LPPROC)wolfSSLLocalServerThread, WOLF_EXAMPLES_STACK, (void*)port); + if (srvHandle == BAD_RTHANDLE) { + Fail("Cannot create server thread"); + return -1; + } + + /* wait for server to be ready */ + while (gServerReady != 1) { + RtSleep(0); + } + + /* run client */ + ret = wolfExample_TLSClient(TLS_HOST_LOCAL, port); + + return ret; +} + + +/***************************************************************************** + * Thread + memset(&args, 0, sizeof(args)); + ****************************************************************************/ +typedef struct func_args { + int argc; + char** argv; + int return_code; +} func_args; + +static void wolfExampleThread(void* param) +{ + func_args args; + +#ifdef DEBUG_WOLFSSL + wolfSSL_Debugging_ON(); +#endif + + /* initialize wolfSSL */ + wolfSSL_Init(); + + while (1) { + char rc; + + gServerExit = 0; + gServerReady = 0; + + printf("\r\n\t\t\t\tMENU\r\n"); + printf(menu1); + printf("Please select one of the above options: "); + + rc = getchar(); + switch (rc) { + case 't': + printf("\nCrypt Test\n"); + wolfcrypt_test(&args); + printf("Crypt Test: Return code %d\n", args.return_code); + break; + + case 'b': + printf("\nBenchmark Test\n"); + benchmark_test(&args); + printf("Benchmark Test: Return code %d\n", args.return_code); + break; + + case 'c': + wolfExample_TLSClient(TLS_HOST_REMOTE, TLS_PORT); + break; + + case 's': + wolfExample_TLSServer(TLS_PORT); + break; + + case 'l': + wolfExample_TLSLocal(TLS_PORT); + break; + + // All other cases go here + default: + if (rc != '\r' && rc != '\n') + printf("\r\nSelection %c out of range\r\n", rc); + break; + } + } + + wolfSSL_Cleanup(); +} + + +/***************************************************************************** +* FUNCTION: Catalog +* +* PARAMETERS: 1. handle of the process whose object directory must be used +* 2. the object whose handle must be cataloged +* 3. the name to be used (upto 14 characters) +* +* RETURNS: TRUE on success +* +* DESCRIPTION: If the given name already exists, +* and the existing name refers to a non-existing object, +* then the existing name is removed before cataloging. +\*****************************************************************************/ +BOOLEAN Catalog( + RTHANDLE hProcess, + RTHANDLE hObject, + LPSTR lpszName) +{ + RTHANDLE hOld; + + if (CatalogRtHandle(hProcess, hObject, lpszName)) + return TRUE; + + // something wrong: check for the case mentioned above + if (((hOld = LookupRtHandle(hProcess, lpszName, NO_WAIT)) != BAD_RTHANDLE) && + (GetRtHandleType(hOld) == INVALID_TYPE)) + { + // this is the case mentioned above: remove the old entry and try again + if (UncatalogRtHandle(hProcess, lpszName)) + return (CatalogRtHandle(hProcess, hObject, lpszName)); + } + return FALSE; +} + +/***************************************************************************** +* FUNCTION: Cleanup (local function) +* +* DESCRIPTION: +* Tell threads to delete themselves and wait a while; +* if any thread still exists, kill it. +* Remove all other objects as far as they have been created. +\*****************************************************************************/ +void Cleanup(void) +{ + // indicate that we are cleaning up + gInit.state = CLEANUP_BUSY; + gInit.bShutdown = TRUE; + +#ifdef _DEBUG + fprintf(stderr, "wolfExamples started cleaning up\n"); +#endif + + // remove our name from the root process + if (gInit.bCataloged) { + if (!UncatalogRtHandle(hRootProcess, "wolfExample")) + Fail("Cannot remove my own name"); + } + +#ifdef _DEBUG + fprintf(stderr, "wolfExamples finished cleaning up\n"); +#endif + + // lie down + exit(0); +} + +/***************************************************************************** +* FUNCTION: Fail +* +* PARAMETERS: same parameters as expected by printf +* +* DESCRIPTION: +* If in debug mode, prints the message, appending a new line and the error number. +* Then the current process is killed graciously: +* If the current thread is the main thread, this is done directly. +* if the current thread is another one, a terminate request is sent and +* the function returns to the calling thread. +\*****************************************************************************/ +void Fail(LPSTR lpszMessage, ...) +{ + EXCEPTION eh; + RTHANDLE hDelMbx; + DWORD dwTerminate; + +#ifdef _DEBUG + va_list ap; + + va_start(ap, lpszMessage); + vfprintf(stderr, lpszMessage, ap); + va_end(ap); + fprintf(stderr, "\nError nr=%x %s\n", GetLastRtError(), GetRtErrorText(GetLastRtError())); +#endif + + // make sure that exceptions are returned for inline handling + GetRtExceptionHandlerInfo(THREAD_HANDLER, &eh); + eh.ExceptionMode = 0; + SetRtExceptionHandler(&eh); + + // if we had not started initializing yet, just get out + if (BEFORE_INIT == gInit.state) + exit(0); + + if (gInit.hMain == GetRtThreadHandles(THIS_THREAD)) + { + // this is the main thread: + // if we are busy initializing, then do Cleanup + if (INIT_BUSY == gInit.state) + Cleanup(); // does not return + + // this is the main thread, but we are not initializing: just return + return; + } + + // this is not the main thread: + // ask main thread to do cleanup + // (allow some time to setup the deletion mailbox, ignore errors) + hDelMbx = LookupRtHandle(NULL_RTHANDLE, "R?EXIT_MBOX", 5000); + dwTerminate = TERMINATE; + SendRtData(hDelMbx, &dwTerminate, 4); +} + +/***************************************************************************** +* +* FUNCTION: UsecsToKticks +* +* PARAMETERS: 1. number of usecs +* +* RETURNS: number of low level ticks +* +* DESCRIPTION: returns the parameter if it is WAIT_FOREVER +* otherwise rounds up to number of low level ticks +\*****************************************************************************/ +DWORD UsecsToKticks(DWORD dwUsecs) +{ + if (dwUsecs == WAIT_FOREVER) + return WAIT_FOREVER; + + return (dwUsecs + dwKtickInUsecs - 1) / dwKtickInUsecs; +} + + +/***************************************************************************** +* FUNCTION: main +* +* DESCRIPTION: +* This is the main program module. +* It creates global objects and all threads. +* The main thread then waits for notifications and acts accordingly +\*****************************************************************************/ +int main(int argc, char* argv[]) +{ + SYSINFO sysinfo; + EVENTINFO eiEventInfo; + RTHANDLE taskHandle; + +#ifdef _DEBUG + fprintf(stderr, "wolfExamples started\n"); +#endif + + // obtain handle of root process (cannot fail) + hRootProcess = GetRtThreadHandles(ROOT_PROCESS); + + // initialize the structure for cleaning up + memset(&gInit, 0, sizeof(gInit)); + gInit.state = BEFORE_INIT; + + // get low level tick length in usecs + if (!CopyRtSystemInfo(&sysinfo)) + Fail("Cannot copy system info"); + dwKtickInUsecs = 10000 / sysinfo.KernelTickRatio; + if (dwKtickInUsecs == 0) + Fail("Invalid low level tick length"); + + // adjust process max priority (ignore error) + // TODO adjust the 2nd parameter to a value closer to zero if you want to allow more priorities + SetRtProcessMaxPriority(NULL_RTHANDLE, THREAD_BASE_PRIO); + + // obtain main thread's handle + gInit.hMain = GetRtThreadHandles(THIS_THREAD); + gInit.state = INIT_BUSY; + + // attempt to catalog the thread but ignore error + Catalog(NULL_RTHANDLE, gInit.hMain, "TMain"); + + // catalog the handle of this process in the root process + if (!Catalog(hRootProcess, GetRtThreadHandles(THIS_PROCESS), "wolfExample")) { + Fail("Cannot catalog process name"); + } + gInit.bCataloged = TRUE; + + // create thread + taskHandle = CreateRtThread(THREAD_BASE_PRIO + 20, + (LPPROC)wolfExampleThread, WOLF_EXAMPLES_STACK, 0); + if (taskHandle == BAD_RTHANDLE) { + Fail("Cannot create thread"); + } + + // indicate that initialization has finished + gInit.state = INIT_DONE; +#ifdef _DEBUG + fprintf(stderr, "wolfExamples finished initialization\n"); +#endif + + // wait for notifications + while (RtNotifyEvent(RT_SYSTEM_NOTIFICATIONS | RT_EXIT_NOTIFICATIONS, + WAIT_FOREVER, &eiEventInfo)) + { + switch(eiEventInfo.dwNotifyType) + { + case TERMINATE: + // TODO: this process should terminate + // cleanup the environment + Cleanup(); // does not return + + case NT_HOST_UP: + // TODO: react to a Windows host that has come back + break; + + case NT_BLUESCREEN: + // TODO: react to a Windows blue screen + break; + + case KERNEL_STOPPING: + // TODO: react to the INtime kernel stopping + break; + + case NT_HOST_HIBERNATE: + // TODO: react to the Windows host going in hibernation + break; + + case NT_HOST_STANDBY: + // TODO: react to the Windows host going in standby mode + break; + + case NT_HOST_SHUTDOWN_PENDING: + // TODO: react to a Windows host that is about to shutdown + break; + } + } + Fail("Notify failed"); + return 0; +} diff --git a/IDE/INTIME-RTOS/wolfExamples.h b/IDE/INTIME-RTOS/wolfExamples.h new file mode 100755 index 000000000..89ce77cda --- /dev/null +++ b/IDE/INTIME-RTOS/wolfExamples.h @@ -0,0 +1,47 @@ +#ifndef _WOLFEXAMPLES_H_ +#define _WOLFEXAMPLES_H_ + +#include + +#ifdef __cplusplus + extern "C" { +#endif + +// support functions for all threads +BOOLEAN Catalog(RTHANDLE hProcess, RTHANDLE hObject, LPSTR lpszName); +void Cleanup(void); +void Fail(LPSTR lpszMessage, ...); +DWORD UsecsToKticks(DWORD dwUsecs); + + +/* Example API's */ +int wolfExample_TLSServer(int port); +int wolfExample_TLSClient(const char* ip, int port); +int wolfExample_TLSLocal(int port); + + +// global type definitions +typedef enum { + BEFORE_INIT, + INIT_BUSY, + INIT_DONE, + CLEANUP_BUSY +} INIT_STATE; + +typedef struct { + RTHANDLE hMain; // RTHANDLE of main thread + INIT_STATE state; // main thread state + BOOLEAN bCataloged; // TRUE if we cataloged process name in root + BOOLEAN bShutdown; // TRUE if all threads have to terminate +} INIT_STRUCT; + +// global variables +extern RTHANDLE hRootProcess; // RTHANDLE of root process +extern DWORD dwKtickInUsecs; // length of one low level tick in usecs +extern INIT_STRUCT gInit; // structure describing all global objects + +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* _WOLFEXAMPLES_H_ */ diff --git a/IDE/INTIME-RTOS/wolfExamples.sln b/IDE/INTIME-RTOS/wolfExamples.sln new file mode 100755 index 000000000..ab478bf6d --- /dev/null +++ b/IDE/INTIME-RTOS/wolfExamples.sln @@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 14 +VisualStudioVersion = 14.0.23107.0 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wolfExamples", "wolfExamples.vcxproj", "{557A7EFD-2627-478A-A855-50F518DD13EE}" + ProjectSection(ProjectDependencies) = postProject + {1731767D-573F-45C9-A466-191DA0D180CF} = {1731767D-573F-45C9-A466-191DA0D180CF} + EndProjectSection +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libwolfssl", "libwolfssl.vcxproj", "{1731767D-573F-45C9-A466-191DA0D180CF}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|INtime = Debug|INtime + Release|INtime = Release|INtime + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {557A7EFD-2627-478A-A855-50F518DD13EE}.Debug|INtime.ActiveCfg = Debug|INtime + {557A7EFD-2627-478A-A855-50F518DD13EE}.Debug|INtime.Build.0 = Debug|INtime + {557A7EFD-2627-478A-A855-50F518DD13EE}.Release|INtime.ActiveCfg = Release|INtime + {557A7EFD-2627-478A-A855-50F518DD13EE}.Release|INtime.Build.0 = Release|INtime + {1731767D-573F-45C9-A466-191DA0D180CF}.Debug|INtime.ActiveCfg = Debug|INtime + {1731767D-573F-45C9-A466-191DA0D180CF}.Debug|INtime.Build.0 = Debug|INtime + {1731767D-573F-45C9-A466-191DA0D180CF}.Release|INtime.ActiveCfg = Release|INtime + {1731767D-573F-45C9-A466-191DA0D180CF}.Release|INtime.Build.0 = Release|INtime + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/IDE/INTIME-RTOS/wolfExamples.vcxproj b/IDE/INTIME-RTOS/wolfExamples.vcxproj new file mode 100755 index 000000000..81f82318e --- /dev/null +++ b/IDE/INTIME-RTOS/wolfExamples.vcxproj @@ -0,0 +1,100 @@ + + + + + Debug + INtime + + + Release + INtime + + + + + + + + + + + + + + + + {557A7EFD-2627-478A-A855-50F518DD13EE} + wolfExamples + 8.1 + + + + Application + NotSet + v140 + + + Application + false + NotSet + v140 + + + + + + + + + + + + $(Configuration)_$(ProjectName)\ + + + $(Configuration)_$(ProjectName)\ + + + + + + 21076.20053 + /SAFESEH:NO %(AdditionalOptions) + rt.lib;pcibus.lib;netlib.lib;clib.lib;vshelper.lib;libwolfssl.lib + $(SolutionDir)$(Configuration)\\wolfExamples.rta + $(ProjectDir)$(Configuration);%(AdditionalLibraryDirectories) + + + Async + WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions) + $(ProjectDir);$(ProjectDir)..\..\;%(AdditionalIncludeDirectories) + $(IntDir) + $(IntDir) + $(IntDir)vc$(PlatformToolsetVersion).pdb + $(IntDir) + + + + + + + 21076.20053 + /SAFESEH:NO %(AdditionalOptions) + rt.lib;pcibus.lib;netlib.lib;clib.lib;vshelper.lib;libwolfssl.lib + $(SolutionDir)$(Configuration)\\wolfExamples.rta + $(ProjectDir)$(Configuration);%(AdditionalLibraryDirectories) + + + Async + WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions) + $(ProjectDir);$(ProjectDir)..\..\;%(AdditionalIncludeDirectories) + $(IntDir) + $(IntDir) + $(IntDir)vc$(PlatformToolsetVersion).pdb + $(IntDir) + + + + + + diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h b/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h index ae3e57858..5641973c9 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h +++ b/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h @@ -232,14 +232,17 @@ extern "C" { #undef USE_CERT_BUFFERS_2048 #define USE_CERT_BUFFERS_2048 +#undef USE_CERT_BUFFERS_256 +#define USE_CERT_BUFFERS_256 + /* ------------------------------------------------------------------------- */ /* Debugging */ /* ------------------------------------------------------------------------- */ -#undef WOLFSSL_DEBUG -//#define WOLFSSL_DEBUG +#undef DEBUG_WOLFSSL +//#define DEBUG_WOLFSSL -#ifdef WOLFSSL_DEBUG +#ifdef DEBUG_WOLFSSL #define fprintf(file, format, ...) printf(format, ##__VA_ARGS__) /* Use this to measure / print heap usage */ @@ -255,7 +258,7 @@ extern "C" { #define NO_WOLFSSL_MEMORY #undef NO_ERROR_STRINGS - #define NO_ERROR_STRINGS + //#define NO_ERROR_STRINGS #endif diff --git a/IDE/include.am b/IDE/include.am index 96fa894d7..4a547bb16 100644 --- a/IDE/include.am +++ b/IDE/include.am @@ -8,5 +8,6 @@ include IDE/WIN-SGX/include.am include IDE/WORKBENCH/include.am include IDE/ROWLEY-CROSSWORKS-ARM/include.am include IDE/ARDUINO/include.am +include IDE/INTIME-RTOS/include.am EXTRA_DIST+= IDE/IAR-EWARM IDE/MDK-ARM IDE/MDK5-ARM IDE/MYSQL IDE/LPCXPRESSO diff --git a/certs/include.am b/certs/include.am index b7fad51e5..b32e88225 100644 --- a/certs/include.am +++ b/certs/include.am @@ -58,4 +58,5 @@ dist_doc_DATA+= certs/taoCert.txt EXTRA_DIST+= certs/ntru-key.raw +include certs/test/include.am include certs/test-pathlen/include.am diff --git a/certs/server-keyPkcs8.der b/certs/server-keyPkcs8.der new file mode 100644 index 0000000000000000000000000000000000000000..5a5873543466614225e07a472bd26f158d8872f1 GIT binary patch literal 1219 zcmXqLV%g8c$Y8+B#;Mij(e|B}k&%&=fu)IMr9l(RQYJ%9D$Lz} z$<sd-#mjmmRx;(TKP<_pw?p9Zu`>=^G8elUXSU}Z*)6{8^NYJ{i}zIPD{lRp z7Ra+VWb?z^c$q!Q#TPl5J4G%D>`XbVbz$K&uRRa1NJSrCaNuBa1;2~Afzh-EBju?J z%XbN1nqK@UR`p~S?_tY?C0jORIyrH^yuq=@SYdO7((+ZWk34*q*nITTwEH(N_^-Xr z#LURR2o8x^7fkqrl2`*6-_L)Wl6UCHEvZi}*Cz>hOgi#1>veZ&&aq01PbZ7K+EPNM zmY+U6Ywq?dvP&3F%=3G4_xP@Kv4bUhR$iOZuWcap`|W*2R^^*smV0Mpr_S1O=Sc0l zWzM2{w)HI;>vE=y=HB2YbBOlf?2%37_WozWB21b@Dx}>5cDwa-M~n1Zr!TdeUhcq8dIKa-O=gfcro{a zjPwubHJPW)Y*K3Pe39I7IALSBM|_Zfq*Z9W(E&;40Q+_4^2I;%&38EEw^r2pWaY~P zkru@TbGT|wT6q{Pzu{TR)q3dAU(w=QGdZ;~XU*p-+`oZkSx;3|zDHDu^|6h?;`g6} z+;DpGy>ijm?J+SmHzur{p?fWpFM0FgJIl^=XDwMI)YDh(p|i=`{0^H$?W=!f3$HAE zY0rCBI(~ipylK(V{0nQ=Z=OBjc6hPX+YQPt>m2>%*`0)yeNO-SBC_P__jzVD(eqc> z9Bhp*xn!yP|3b_C--V>JlA&X}rIa(b#L{4SOR0Ey=RNIN z_wz0*G5k}SQQ#*fsR?pJmt&Yl;Jo-N^SG^NEDrgU6Lw|Q%S_`|6`osHcyy2K_h-tq zsJZg&j?dfcVuFY57@i+iI}pfpZ+GdO{IEGypZngQ?>ee|=@wg-%gN$@c{AI8MDP1p z^DK3%f6j-KNB@hR>XsIN6k)r_d^O{q{SN1Xd-~qKe-}CTLGrVjxUYTQAFU5EH8%LV z{&eU$8vR8}s%y(9nKjujdBV)L`xQ;Q`n2oPqyHa2N(kGwaqhTLw)~__VbBx<=La7v zO8zEF`*5ClmZ4R+R_4C*p0L|Xm+UhwSQ2;M{|`gxOeO_1bPsExxrzI(TQi z{dGxRRsV;{$${P6DfVlfcPy2OG15l{hJoZvo~b(!`yh8J<7!wIhi{}E(z>RIjnVI z;WV#353fi?A760bU~&b&i@AZ(v<4&PsSC?@316CC{3urSWESsX%Y-FcHe@h0Cq`ZtQ8D3=)Z&uNymW=kyo}7G%o2sfyh`MNL0f|TgW5%ZY(4k9ek#@4{;;((KuleILhQK(Z#_@muUjOyO0#;Qv`t_^?xBN= zJr;fyJiebdI}Yd6l|NKGCBXQ( z^iEdj!!u9yF6=z6ZS+ey`@?Y^{WUop+T|R-O%gNSMa54l;d(ng#Kf4xurD*^c1X2o zjqjo`YuQ~EyQg@hg|I~!uqiB4my}qv*PK^V;EKPWz1Y;-=dTII#GgL8Yk_oL5>NP} z^A7J`=bez?oAJEb=e)_eyGOPNRJ~U!KRGE;*KFF$Ex%oi5AMA1YPEyTyx(avJe$4% E0I0os$^ZZW literal 0 HcmV?d00001 diff --git a/certs/test/cert-ext-nc.cfg b/certs/test/cert-ext-nc.cfg new file mode 100644 index 000000000..b27f3f4fe --- /dev/null +++ b/certs/test/cert-ext-nc.cfg @@ -0,0 +1,18 @@ +[ req ] +distinguished_name = req_distinguished_name +prompt = no +x509_extensions = v3_ca + +[ req_distinguished_name ] +C = AU +ST = Queensland +L = Brisbane +O = wolfSSL Inc +OU = Engineering +CN = www.wolfssl.com +emailAddress = support@www.wolfsssl.com + +[ v3_ca ] +nameConstraints = critical,permitted;email:.wolfssl.com +nsComment = "Testing name constraints" + diff --git a/certs/test/cert-ext-nc.der b/certs/test/cert-ext-nc.der new file mode 100644 index 0000000000000000000000000000000000000000..ff944476d5564054aec33f6ea7572170d309cfd6 GIT binary patch literal 1052 zcmXqLVv#UtVrE#t%*4pV#L2L$Fxht+|JyDDUN%mxHjlRNyo`+8tPBQ?OANUUIN6v( zS=fY`977F-4Fo|P4j!(+($v(v;+(|16hlD+evlwL4~J7xW^qztUaFypfe=WDi-)^B zKPN3X*hj%LFBvAv&BN`Qm!6rInp%{Zmu@IwAO=#)%)?(^UakjHUtFA{mzBO}9ssT>c(9X}Q3ZolN}sLq&r%yr$TJt_t}rk>OHyY@|{V^7We z-z(DV|HaG+EdAbfiv78%e*eS0)d%!zR;R2G|8pv~de;NRr$u`CdTlqR7T;PU9lSH% z{<DSDi+1cs*E-U6|H0xPBy_CLi<2*a}%>~i5DXwo9Nl#xl?QLxgcR}<2 zmrruO-n@O!;+0H(_`Z@$p(lO4+W)jen5Hgla(r;MD1(vr7Y}p9@1$;t=P{M$HjlrZo$z(84Mu(JIBz$}-i;$jr(-#VXapDk;gzB+<&q(8|=pDmld}IoZlA z$;ucc2sSb}Gd(Y{q_iki!7(R2zbLaLBiBlyI3v+8JhLPtDA>_8FS)3)pd>Rt53C$y zjc0LjX=;&`g0q6HLTIp#g1>^Tf>Ky&Q6|VN9R<(4WIZJv1^-Y5TLqY?LP$|*afyOo zYDsy1Q8rXkNh4WP!N|bC46Y2KSwUC9Ex$-1v9u&3zbLaRHASJcI8`A(FQ-yTN5R<- z*;wbC#NuKFV}*dyq@2uTg@B^W+{B_v1w`0p=I1FmLJTUYRM1s$H-&p6EHNiDC9|Xw zE&%eIUw(;#Q)*g%QL2@KUw)Z_f`x*CffX1*oa*iyf}z1Ntt7Qb!AilaG)KYEOu@+5 z%GA=z)KbC7z}QRySwnDXQdVkm$&e2^s6SxA?wwkx;F*_}kD3~xaRQP=N?Jw5iCB^p zDCj{LqDR*|wbDvK!^ptILLn)$1d;YZN4SskOT-D7+58ySs9sF8CZaj zk)@S+qLs0!m1U}xnSqr-vQ=WDRjRp_2{;#^#3e{K2%Dr@r6gOKCtD>YTNx)?nV4D` zCWG>kQIb`vfmK?nm64^Dfss|3rIo2U4mVg>B^q0qnOIqvS{a&J8JSz9nOdb8S|z4f zC0ke-8(LXdTA8L;85x0cC{{NZC4$_UXl7+%WR+xWWszo;W?_|NX=Q3^m1J&}WC$Wn zl0Z^v(DDQ1a%60gW@VmgWnd0+WNNZiYMPaau~kZvm6@59nGwiUW`xU25y+fW3oCO2 zD^o)&lN3;iXJKh&W{KSw=1Eq`<{-ssW}x6oNwzXHvNAUT1%-JMC>BhTtW3?UQjD!E z&9Ix0lm-eeb90b`lMJlVOso=(tc*;p(u_bU%`n-@(#Xop+{(}bX$GK(OH2dVXl@D$d1GUcrG_b>?Wnyk+VFAikW|meK z#vn`6QbB@ADWDW$o@!;1W|eGeWoe2%E)r9%3{tHuQ>;=L8YA%i!+lI zob&UFONtUR^Gb@X6q1WFOEQxab1>|5cC-o!3Ux&hhZ+MacSDO4(^K(jN3=l{AeFas zkPn!JVxpm*v7VWpp`NLpsh+u>p`M|Ul>&+aP_bhWuNSKqZ4hY?ZV;-cmzkTGo~oao znP#A9pl6_`r>Cul0lru_73as??bMn*k^~zFAJqfFbK%VtXNzDVbs6b5<6ty7NnY&rJ7+aZ{S~;3qIU8BIxLCP5 zTRAydxfxg)8(0}wTDcj6${AxzD>p|_9&~gAB@bgmD`R7@S)kA%v6-Y`X$-1`OcFsh zn5Kcs&g3*ufohm&Wocn$lm^ON6OG_V9^4AV4F znU!J&Y6u!xfI=kA$jZPFRM{96m7jmYFpc>W8(#pud${+<) z5*VjinWb2nrGhfF0hj>}E>Mswq*z#`nt{qaOG7IY15ojpWC^NDk`1j=Q>;?bKqasV z*ydCNP`)!Vuu4WQ!;@1$UNSVbGPba?Fa*h2nt*aaC86jWoFB!b$-Cg5r?IS~{<2>ljD zpi0Le31muQBB;POG`BLg1eMh(Nmk}*pjL#12`C7S5<%saMItB)k@TB^!p}4n zW@=@MT;>|2SXr1^nVVTzCWAuWJkcu63=~eL$sh)(&@}=jCu3t!1euyxC7FTJ2*Ury zX;x+yRv^_zpjMDcBB(WGYyoO}SQvw>N-+c#(MI4}FEQE5(9kLcx$aA}0Hrf<(}ByN ziRH3E6Z7r`%uI|-Oacjy?R%d*|C}Nur786L^>0xcB41;Uo^*5aHLJ zry@gI)t+kiOV5A(b>YNA#-2Bvle2=nFZI7D2=u+!nOS|j;M?XqLM6AWW4*&JPunkA zzHq~rMXI0H%S=j_c>0Bn<^6=6PZ*xuwc0BApJ~?@n|BYoUz>No`Eq^Dr*9u@*WWFj zXe=o!<8Zn}MN)C{O_6_Vw1STJUuE%p(wpqwVUyW>`k(t=?K=OXQ`hm$y>ij{Kzi|G z5std2_VbH(7;~MEwKr*>*7YvJw|jq45g*_cCRg&7(Dv#=U4Gcx`+ z-~$Qpg9KQZnHbp&a@jbv*%(<_*%^6Q5)I-P#x8(X@M4^qNEN)i0XrM3HXk#S6pKjz z)5}tAYkK>#51((yy5b?BQ!S}ypeja81rN?jvV1IJEF$%nQ~0!Et=fI`F*!}?y54~UeYb;a>=oZHPb7?KjBneQx-SVDphgIt+(r+ zx1?%K?b_RRFRoFnSy$l9y}v7(v~o4%dAW}~eJ-UY`S6QizQES0f1W$B8r?oOH!x0P z+q~Ax(eIbmx;hl~ZRgA8WBYAv>QT63u6p;8)Og;uvN$TMP 2>&1 + + if [ "$?" = "0" -a -f $OUT ]; then + echo "Created: $OUT" + else + cat $TMP + echo "Failed: $OUT" + fi + + rm $TMP +} + +OUT=certs/test/cert-ext-nc.der +KEYFILE=certs/test/cert-ext-nc-key.der +CONFIG=certs/test/cert-ext-nc.cfg +tee >$CONFIG <$CONFIG <> $OPTION_FILE echo "" >> $OPTION_FILE echo -#backwards compatability for those who have included options or version +#backwards compatibility for those who have included options or version touch cyassl/options.h echo "/* cyassl options.h" > cyassl/options.h echo " * generated from wolfssl/options.h" >> cyassl/options.h @@ -3352,6 +3440,7 @@ echo " * MEMORY: $ENABLED_MEMORY" echo " * I/O POOL: $ENABLED_IOPOOL" echo " * LIGHTY: $ENABLED_LIGHTY" echo " * STUNNEL: $ENABLED_STUNNEL" +echo " * NGINX: $ENABLED_NGINX" echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" echo " * DTLS: $ENABLED_DTLS" echo " * SCTP: $ENABLED_SCTP" diff --git a/cyassl/ctaocrypt/settings.h b/cyassl/ctaocrypt/settings.h index c12a962ff..4de8b13ca 100644 --- a/cyassl/ctaocrypt/settings.h +++ b/cyassl/ctaocrypt/settings.h @@ -246,7 +246,7 @@ /* Micrium will use Visual Studio for compilation but not the Win32 API */ #if defined(_WIN32) && !defined(MICRIUM) && !defined(FREERTOS) \ - && !defined(EBSNET) && !defined(CYASSL_EROAD) + && !defined(EBSNET) && !defined(CYASSL_EROAD) && !defined(INTIME_RTOS) #define USE_WINDOWS_API #endif diff --git a/cyassl/openssl/include.am b/cyassl/openssl/include.am index f5c3c56e9..c0a6d125f 100644 --- a/cyassl/openssl/include.am +++ b/cyassl/openssl/include.am @@ -32,6 +32,7 @@ nobase_include_HEADERS+= \ cyassl/openssl/rand.h \ cyassl/openssl/rsa.h \ cyassl/openssl/sha.h \ + cyassl/openssl/ssl23.h \ cyassl/openssl/ssl.h \ cyassl/openssl/stack.h \ cyassl/openssl/ui.h \ diff --git a/cyassl/openssl/ssl23.h b/cyassl/openssl/ssl23.h new file mode 100644 index 000000000..f8aa85681 --- /dev/null +++ b/cyassl/openssl/ssl23.h @@ -0,0 +1,3 @@ +/* ssl23.h for openssl */ + +#include diff --git a/examples/client/client.c b/examples/client/client.c index 71c86da12..6774ad08a 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -57,6 +57,8 @@ static int devId = INVALID_DEVID; #endif +#define DEFAULT_TIMEOUT_SEC 2 + /* Note on using port 0: the client standalone example doesn't utilize the * port 0 port sharing; that is used by (1) the server in external control * test mode and (2) the testsuite which uses this code and sets up the correct @@ -277,7 +279,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, tx_time += current_time(0) - start; /* Perform RX */ - select_ret = tcp_select(sockfd, 1); /* Timeout=1 second */ + select_ret = tcp_select(sockfd, DEFAULT_TIMEOUT_SEC); if (select_ret == TEST_RECV_READY) { start = current_time(1); rx_pos = 0; @@ -299,6 +301,10 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, /* Compare TX and RX buffers */ if(XMEMCMP(tx_buffer, rx_buffer, len) != 0) { + free(tx_buffer); + tx_buffer = NULL; + free(rx_buffer); + rx_buffer = NULL; err_sys("Compare TX and RX buffers failed"); } @@ -1178,6 +1184,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef HAVE_OCSP if (useOcsp) { + #ifdef HAVE_IO_TIMEOUT + wolfIO_SetTimeout(DEFAULT_TIMEOUT_SEC); + #endif + if (ocspUrl != NULL) { wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl); wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE @@ -1454,6 +1464,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef HAVE_CRL if (disableCRL == 0) { + #ifdef HAVE_IO_TIMEOUT + wolfIO_SetTimeout(DEFAULT_TIMEOUT_SEC); + #endif + if (wolfSSL_EnableCRL(ssl, WOLFSSL_CRL_CHECKALL) != SSL_SUCCESS) { wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); @@ -1523,7 +1537,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } } #else - timeout.tv_sec = 2; + timeout.tv_sec = DEFAULT_TIMEOUT_SEC; timeout.tv_usec = 0; NonBlockingSSL_Connect(ssl); /* will keep retrying on timeout */ #endif @@ -1787,7 +1801,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) err_sys("SSL resume failed"); } #else - timeout.tv_sec = 2; + timeout.tv_sec = DEFAULT_TIMEOUT_SEC; timeout.tv_usec = 0; NonBlockingSSL_Connect(ssl); /* will keep retrying on timeout */ #endif @@ -1844,32 +1858,33 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif } - input = wolfSSL_read(sslResume, reply, sizeof(reply)-1); + input = wolfSSL_read(sslResume, reply, sizeof(reply)-1); - if (input > 0) { - reply[input] = 0; - printf("Server resume response: %s\n", reply); + if (input > 0) { + reply[input] = 0; + printf("Server resume response: %s\n", reply); - if (sendGET) { /* get html */ - while (1) { - input = wolfSSL_read(sslResume, reply, sizeof(reply)-1); - if (input > 0) { - reply[input] = 0; - printf("%s\n", reply); + if (sendGET) { /* get html */ + while (1) { + input = wolfSSL_read(sslResume, reply, sizeof(reply)-1); + if (input > 0) { + reply[input] = 0; + printf("%s\n", reply); + } + else + break; } - else - break; } } - } else if (input < 0) { - int readErr = wolfSSL_get_error(sslResume, 0); - if (readErr != SSL_ERROR_WANT_READ) { - printf("wolfSSL_read error %d!\n", readErr); - wolfSSL_free(sslResume); - wolfSSL_CTX_free(ctx); - err_sys("wolfSSL_read failed"); + else if (input < 0) { + int readErr = wolfSSL_get_error(sslResume, 0); + if (readErr != SSL_ERROR_WANT_READ) { + printf("wolfSSL_read error %d!\n", readErr); + wolfSSL_free(sslResume); + wolfSSL_CTX_free(ctx); + err_sys("wolfSSL_read failed"); + } } - } /* try to send session break */ wolfSSL_write(sslResume, msg, msgSz); diff --git a/examples/server/server.c b/examples/server/server.c index 13bf57918..0769207df 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -74,7 +74,19 @@ int myHsDoneCb(WOLFSSL* ssl, void* user_ctx); #endif - +static const char webServerMsg[] = + "HTTP/1.1 200 OK\n" + "Content-Type: text/html\n" + "Connection: close\n" + "\n" + "\n" + "\n" + "Welcome to wolfSSL!\n" + "\n" + "\n" + "

wolfSSL has successfully performed handshake!

\n" + "\n" + "\n"; static int NonBlockingSSL_Accept(SSL* ssl) { @@ -253,6 +265,8 @@ static void Usage(void) #ifdef HAVE_WNR printf("-q Whitewood config file, default %s\n", wnrConfig); #endif + printf("-g Return basic HTML web page\n"); + printf("-C The number of connections to accept, default: 1\n"); } THREAD_RETURN CYASSL_THREAD server_test(void* args) @@ -269,6 +283,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #else const char msg[] = "I hear you fa shizzle!\n"; #endif + int useWebServerMsg = 0; char input[80]; int ch; int version = SERVER_DEFAULT_VERSION; @@ -290,7 +305,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int wc_shutdown = 0; int resume = 0; int resumeCount = 0; - int loopIndefinitely = 0; + int loops = 1; int echoData = 0; int throughput = 0; int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS; @@ -376,7 +391,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) useAnyAddr = 1; #else while ((ch = mygetopt(argc, argv, - "?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:")) != -1) { + "?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:gC:")) != -1) { switch (ch) { case '?' : Usage(); @@ -541,7 +556,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) break; case 'i' : - loopIndefinitely = 1; + loops = -1; + break; + + case 'C' : + loops = atoi(myoptarg); + if (loops <= 0) { + Usage(); + exit(MY_EX_USAGE); + } break; case 'e' : @@ -568,6 +591,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif break; + case 'g' : + useWebServerMsg = 1; + break; + default: Usage(); exit(MY_EX_USAGE); @@ -1096,8 +1123,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) err_sys("SSL_read failed"); } - if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg)) - err_sys("SSL_write failed"); + if (!useWebServerMsg) { + if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg)) + err_sys("SSL_write failed"); + } + else { + if (SSL_write(ssl, webServerMsg, sizeof(webServerMsg)) + != sizeof(webServerMsg)) + err_sys("SSL_write failed"); + } } else { ServerEchoData(ssl, clientfd, echoData, throughput); @@ -1139,7 +1173,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } resumeCount = 0; - if(!loopIndefinitely) { + if (loops > 0 && --loops == 0) { break; /* out of while loop, done with normal and resume option */ } } /* while(1) */ diff --git a/fips-check.sh b/fips-check.sh index a9c1ddb8e..d6d88375c 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -9,14 +9,17 @@ # This should check out all the approved versions. The command line # option selects the version. # -# $ ./fips-check [version] +# $ ./fips-check [version] [keep] # # - version: linux (default), ios, android, windows, freertos, linux-ecc # +# - keep: (default off) XXX-fips-test temp dir around for inspection +# function Usage() { - echo "Usage: $0 [platform]" + echo "Usage: $0 [platform] [keep]" echo "Where \"platform\" is one of linux (default), ios, android, windows, freertos, openrtos-3.9.2, linux-ecc" + echo "Where \"keep\" means keep (default off) XXX-fips-test temp dir around for inspection" } LINUX_FIPS_VERSION=v3.2.6 @@ -62,6 +65,8 @@ WC_SRC_PATH=ctaocrypt/src if [ "x$1" == "x" ]; then PLATFORM="linux"; else PLATFORM=$1; fi +if [ "x$2" == "xkeep" ]; then KEEP="yes"; else KEEP="no"; fi + case $PLATFORM in ios) FIPS_VERSION=$IOS_FIPS_VERSION @@ -172,5 +177,7 @@ fi # Clean up popd -rm -rf $TEST_DIR - +if [ "x$KEEP" == "xno" ]; +then + rm -rf $TEST_DIR +fi diff --git a/gencertbuf.pl b/gencertbuf.pl index 09c6114c2..e7dc9f7d6 100755 --- a/gencertbuf.pl +++ b/gencertbuf.pl @@ -55,6 +55,7 @@ my @fileList_2048 = ( [ "./certs/dh2048.der", "dh_key_der_2048" ], [ "./certs/dsa2048.der", "dsa_key_der_2048" ], [ "./certs/rsa2048.der", "rsa_key_der_2048" ], + [ "./certs/ca-key.der", "ca_key_der_2048" ], [ "./certs/ca-cert.der", "ca_cert_der_2048" ], [ "./certs/server-key.der", "server_key_der_2048" ], [ "./certs/server-cert.der", "server_cert_der_2048" ] diff --git a/src/crl.c b/src/crl.c old mode 100644 new mode 100755 index 8d3729ec1..d2033dd53 --- a/src/crl.c +++ b/src/crl.c @@ -34,11 +34,6 @@ #include #include -#ifndef NO_FILESYSTEM - #include - #include -#endif - #include #ifdef HAVE_CRL_MONITOR @@ -154,15 +149,12 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic) } -/* Is the cert ok with CRL, return 0 on success */ -int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) +static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntry) { CRL_Entry* crle; int foundEntry = 0; int ret = 0; - WOLFSSL_ENTER("CheckCertCRL"); - if (wc_LockMutex(&crl->crlLock) != 0) { WOLFSSL_MSG("wc_LockMutex failed"); return BAD_MUTEX_E; @@ -182,13 +174,17 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) doNextDate = 0; /* skip */ #endif - if (doNextDate && !ValidateDate(crle->nextDate, - crle->nextDateFormat, AFTER)) { - WOLFSSL_MSG("CRL next date is no longer valid"); - ret = ASN_AFTER_DATE_E; + if (doNextDate) { + #ifndef NO_ASN_TIME + if (!ValidateDate(crle->nextDate,crle->nextDateFormat, AFTER)) { + WOLFSSL_MSG("CRL next date is no longer valid"); + ret = ASN_AFTER_DATE_E; + } + #endif } - else + if (ret == 0) { foundEntry = 1; + } break; } crle = crle->next; @@ -209,9 +205,39 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) wc_UnLockMutex(&crl->crlLock); + *pFoundEntry = foundEntry; + + return ret; +} + +/* Is the cert ok with CRL, return 0 on success */ +int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) +{ + int foundEntry = 0; + int ret = 0; + + WOLFSSL_ENTER("CheckCertCRL"); + + ret = CheckCertCRLList(crl, cert, &foundEntry); + +#ifdef HAVE_CRL_IO + if (foundEntry == 0) { + /* perform embedded lookup */ + if (crl->crlIOCb) { + ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo, + cert->extCrlInfoSz); + if (ret >= 0) { + /* try again */ + ret = CheckCertCRLList(crl, cert, &foundEntry); + } + } + } +#endif + if (foundEntry == 0) { WOLFSSL_MSG("Couldn't find CRL for status check"); ret = CRL_MISSING; + if (crl->cm->cbMissingCRL) { char url[256]; @@ -224,11 +250,11 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) else { WOLFSSL_MSG("CRL url too long"); } + crl->cm->cbMissingCRL(url); } } - return ret; } @@ -790,74 +816,61 @@ static int StartMonitorCRL(WOLFSSL_CRL* crl) #endif /* HAVE_CRL_MONITOR */ -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) /* Load CRL path files of type, SSL_SUCCESS on ok */ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) { - struct dirent* entry; - DIR* dir; - int ret = SSL_SUCCESS; + int ret = SSL_SUCCESS; + char* name = NULL; #ifdef WOLFSSL_SMALL_STACK - char* name; + ReadDirCtx* readCtx = NULL; #else - char name[MAX_FILENAME_SZ]; + ReadDirCtx readCtx[1]; #endif WOLFSSL_ENTER("LoadCRL"); if (crl == NULL) return BAD_FUNC_ARG; - dir = opendir(path); - if (dir == NULL) { - WOLFSSL_MSG("opendir path crl load failed"); - return BAD_PATH_ERROR; - } - #ifdef WOLFSSL_SMALL_STACK - name = (char*)XMALLOC(MAX_FILENAME_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (name == NULL) + readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), crl->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (readCtx == NULL) return MEMORY_E; #endif - while ( (entry = readdir(dir)) != NULL) { - struct stat s; - - XMEMSET(name, 0, MAX_FILENAME_SZ); - XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2); - XSTRNCAT(name, "/", 1); - XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); - - if (stat(name, &s) != 0) { - WOLFSSL_MSG("stat on name failed"); - continue; - } - if (s.st_mode & S_IFREG) { - - if (type == SSL_FILETYPE_PEM) { - if (XSTRSTR(entry->d_name, ".pem") == NULL) { - WOLFSSL_MSG("not .pem file, skipping"); - continue; - } - } - else { - if (XSTRSTR(entry->d_name, ".der") == NULL && - XSTRSTR(entry->d_name, ".crl") == NULL) { - - WOLFSSL_MSG("not .der or .crl file, skipping"); - continue; - } - } - - if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl) - != SSL_SUCCESS) { - WOLFSSL_MSG("CRL file load failed, continuing"); + /* try to load each regular file in path */ + ret = wc_ReadDirFirst(readCtx, path, &name); + while (ret == 0 && name) { + int skip = 0; + if (type == SSL_FILETYPE_PEM) { + if (XSTRSTR(name, ".pem") == NULL) { + WOLFSSL_MSG("not .pem file, skipping"); + skip = 1; } } + else { + if (XSTRSTR(name, ".der") == NULL && + XSTRSTR(name, ".crl") == NULL) + { + WOLFSSL_MSG("not .der or .crl file, skipping"); + skip = 1; + } + } + + if (!skip && ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl) + != SSL_SUCCESS) { + WOLFSSL_MSG("CRL file load failed, continuing"); + } + + ret = wc_ReadDirNext(readCtx, path, &name); } + wc_ReadDirClose(readCtx); + ret = SSL_SUCCESS; /* load failures not reported, for backwards compat */ #ifdef WOLFSSL_SMALL_STACK - XFREE(name, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(readCtx, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif if (monitor & WOLFSSL_CRL_MONITOR) { @@ -901,12 +914,21 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) } } - closedir(dir); - return ret; } -#endif /* NO_FILESYSTEM */ +#else +int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) +{ + (void)crl; + (void)path; + (void)type; + (void)monitor; + + /* stub for scenario where file system is not supported */ + return NOT_COMPILED_IN; +} +#endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */ #endif /* HAVE_CRL */ #endif /* !WOLFCRYPT_ONLY */ diff --git a/src/internal.c b/src/internal.c index e9dc3de03..1f6f302ba 100644 --- a/src/internal.c +++ b/src/internal.c @@ -105,7 +105,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS #if !defined(NO_RSA) || defined(HAVE_ECC) static int DoCertificateVerify(WOLFSSL* ssl, byte*, word32*, word32); #endif - #ifdef HAVE_STUNNEL + #if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) static int SNI_Callback(WOLFSSL* ssl); #endif #ifdef WOLFSSL_DTLS @@ -1063,12 +1063,12 @@ static int ImportPeerInfo(WOLFSSL* ssl, byte* buf, word32 len, byte ver) /* import ip address idx, and ipSz are unsigned but cast for enum */ ato16(buf + idx, &ipSz); idx += DTLS_EXPORT_LEN; - if (ipSz > sizeof(ip) || (word16)(idx + ipSz + DTLS_EXPORT_LEN) > len) { + if (ipSz >= sizeof(ip) || (word16)(idx + ipSz + DTLS_EXPORT_LEN) > len) { return BUFFER_E; } XMEMSET(ip, 0, sizeof(ip)); XMEMCPY(ip, buf + idx, ipSz); idx += ipSz; - ip[ipSz] = '\0'; + ip[ipSz] = '\0'; /* with check that ipSz less than ip this is valid */ ato16(buf + idx, &port); idx += DTLS_EXPORT_LEN; /* sanity check for a function to call, then use it to import peer info */ @@ -1452,13 +1452,30 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) FreeDer(&ctx->privateKey); FreeDer(&ctx->certificate); #ifdef KEEP_OUR_CERT - FreeX509(ctx->ourCert); - if (ctx->ourCert) { + if (ctx->ourCert && ctx->ownOurCert) { + FreeX509(ctx->ourCert); XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); } #endif /* KEEP_OUR_CERT */ FreeDer(&ctx->certChain); wolfSSL_CertManagerFree(ctx->cm); + #ifdef OPENSSL_EXTRA + while (ctx->ca_names != NULL) { + WOLFSSL_STACK *next = ctx->ca_names->next; + wolfSSL_X509_NAME_free(ctx->ca_names->data.name); + XFREE(ctx->ca_names->data.name, NULL, DYNAMIC_TYPE_OPENSSL); + XFREE(ctx->ca_names, NULL, DYNAMIC_TYPE_OPENSSL); + ctx->ca_names = next; + } + #endif + #ifdef WOLFSSL_NGINX + while (ctx->x509Chain != NULL) { + WOLFSSL_STACK *next = ctx->x509Chain->next; + wolfSSL_X509_free(ctx->x509Chain->data.x509); + XFREE(ctx->x509Chain, NULL, DYNAMIC_TYPE_OPENSSL); + ctx->x509Chain = next; + } + #endif #endif /* !NO_CERTS */ #ifdef HAVE_TLS_EXTENSIONS @@ -1672,7 +1689,8 @@ static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, suites->hashSigAlgo[idx++] = sha256_mac; suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; #endif - #if !defined(NO_SHA) && !defined(NO_OLD_TLS) + #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) suites->hashSigAlgo[idx++] = sha_mac; suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; #endif @@ -1691,7 +1709,8 @@ static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, suites->hashSigAlgo[idx++] = sha256_mac; suites->hashSigAlgo[idx++] = rsa_sa_algo; #endif - #if !defined(NO_SHA) && !defined(NO_OLD_TLS) + #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) suites->hashSigAlgo[idx++] = sha_mac; suites->hashSigAlgo[idx++] = rsa_sa_algo; #endif @@ -3079,8 +3098,15 @@ int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer) keySz = peer->dp->size; } - /* TODO: Implement _ex version here */ - ret = wc_ecc_make_key(ssl->rng, keySz, key); + if (ssl->ecdhCurveOID > 0) { + ret = wc_ecc_make_key_ex(ssl->rng, keySz, key, + wc_ecc_get_oid(ssl->ecdhCurveOID, NULL, NULL)); + } + else { + ret = wc_ecc_make_key(ssl->rng, keySz, key); + if (ret == 0) + ssl->ecdhCurveOID = key->dp->oidSum; + } /* Handle async pending response */ #if defined(WOLFSSL_ASYNC_CRYPT) @@ -3212,17 +3238,19 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) #ifdef HAVE_ECC ssl->eccTempKeySz = ctx->eccTempKeySz; ssl->pkCurveOID = ctx->pkCurveOID; + ssl->ecdhCurveOID = ctx->ecdhCurveOID; #endif +#ifdef OPENSSL_EXTRA + ssl->options.mask = ctx->mask; +#endif ssl->timeout = ctx->timeout; ssl->verifyCallback = ctx->verifyCallback; ssl->options.side = ctx->method->side; ssl->options.downgrade = ctx->method->downgrade; ssl->options.minDowngrade = ctx->minDowngrade; - if (ssl->options.side == WOLFSSL_SERVER_END) - ssl->options.haveDH = ctx->haveDH; - + ssl->options.haveDH = ctx->haveDH; ssl->options.haveNTRU = ctx->haveNTRU; ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveECC = ctx->haveECC; @@ -3249,6 +3277,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->options.sessionCacheOff = ctx->sessionCacheOff; ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff; +#ifdef HAVE_EXT_CACHE + ssl->options.internalCacheOff = ctx->internalCacheOff; +#endif ssl->options.verifyPeer = ctx->verifyPeer; ssl->options.verifyNone = ctx->verifyNone; @@ -3261,10 +3292,8 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->options.groupMessages = ctx->groupMessages; #ifndef NO_DH - if (ssl->options.side == WOLFSSL_SERVER_END) { - ssl->buffers.serverDH_P = ctx->serverDH_P; - ssl->buffers.serverDH_G = ctx->serverDH_G; - } + ssl->buffers.serverDH_P = ctx->serverDH_P; + ssl->buffers.serverDH_G = ctx->serverDH_G; #endif #ifndef NO_CERTS @@ -3484,6 +3513,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) #ifdef HAVE_EXTENDED_MASTER ssl->options.haveEMS = ctx->haveEMS; #endif + ssl->options.useClientOrder = ctx->useClientOrder; #ifdef HAVE_TLS_EXTENSIONS #ifdef HAVE_MAX_FRAGMENT @@ -3491,6 +3521,10 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) #endif #ifdef HAVE_ALPN ssl->alpn_client_list = NULL; + #ifdef WOLFSSL_NGINX + ssl->alpnSelect = ctx->alpnSelect; + ssl->alpnSelectArg = ctx->alpnSelectArg; + #endif #endif #ifdef HAVE_SUPPORTED_CURVES ssl->options.userCurves = ctx->userCurves; @@ -3808,6 +3842,9 @@ void SSL_ResourceFree(WOLFSSL* ssl) ssl->session.ticketLen = 0; } #endif +#ifdef HAVE_EXT_CACHE + wolfSSL_SESSION_free(ssl->extSession); +#endif #ifdef WOLFSSL_STATIC_MEMORY /* check if using fixed io buffers and free them */ @@ -6303,6 +6340,78 @@ static int CheckAltNames(DecodedCert* dCert, char* domain) } +#ifdef OPENSSL_EXTRA +/* Check that alternative names, if they exists, match the domain. + * Fail if there are wild patterns and they didn't match. + * Check the common name if no alternative names matched. + * + * dCert Decoded cert to get the alternative names from. + * domain Domain name to compare against. + * checkCN Whether to check the common name. + * returns whether there was a problem in matching. + */ +static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN) +{ + int match; + DNS_entry* altName = NULL; + + WOLFSSL_MSG("Checking AltNames"); + + if (dCert) + altName = dCert->altNames; + + *checkCN = altName == NULL; + match = 0; + while (altName) { + WOLFSSL_MSG("\tindividual AltName check"); + + if (MatchDomainName(altName->name, (int)XSTRLEN(altName->name), + domain)) { + match = 1; + *checkCN = 0; + break; + } + /* No matches and wild pattern match failed. */ + else if (altName->name[0] == '*' && match == 0) + match = -1; + + altName = altName->next; + } + + return match != -1; +} + +/* Check the domain name matches the subject alternative name or the subject + * name. + * + * dcert Decoded certificate. + * domainName The domain name. + * domainNameLen The length of the domain name. + * returns DOMAIN_NAME_MISMATCH when no match found and 0 on success. + */ +int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen) +{ + int checkCN; + + /* Assume name is NUL terminated. */ + (void)domainNameLen; + + if (CheckForAltNames(dCert, domainName, &checkCN) == 0) { + WOLFSSL_MSG("DomainName match on alt names failed too"); + return DOMAIN_NAME_MISMATCH; + } + if (checkCN == 1) { + if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, + domainName) == 0) { + WOLFSSL_MSG("DomainName match on common name failed"); + return DOMAIN_NAME_MISMATCH; + } + } + + return 0; +} +#endif + #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) /* Copy parts X509 needs from Decoded cert, 0 on success */ @@ -6731,6 +6840,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else if (ret != 0) { WOLFSSL_MSG("Failed to verify CA from chain"); + #ifdef OPENSSL_EXTRA + ssl->peerVerifyRet = X509_V_ERR_INVALID_CA; + #endif } else { WOLFSSL_MSG("Verified CA from chain and already had it"); @@ -6815,6 +6927,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else { WOLFSSL_MSG("Failed to verify Peer's cert"); + #ifdef OPENSSL_EXTRA + ssl->peerVerifyRet = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; + #endif if (ssl->verifyCallback) { WOLFSSL_MSG("\tCallback override available, will continue"); fatal = 0; @@ -6877,6 +6992,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (ret != 0) { WOLFSSL_MSG("\tOCSP Lookup not ok"); fatal = 0; + #ifdef OPENSSL_EXTRA + ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; + #endif } } #endif /* HAVE_OCSP */ @@ -6888,6 +7006,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (ret != 0) { WOLFSSL_MSG("\tCRL check not ok"); fatal = 0; + #ifdef OPENSSL_EXTRA + ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; + #endif } } #endif /* HAVE_CRL */ @@ -7155,7 +7276,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #else store->current_cert = NULL; #endif -#if defined(HAVE_FORTRESS) || defined(HAVE_STUNNEL) +#if defined(HAVE_EX_DATA) || defined(HAVE_FORTRESS) store->ex_data = ssl; #endif ok = ssl->verifyCallback(0, store); @@ -7183,7 +7304,11 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, int ok; store->error = ret; +#ifdef WOLFSSL_WPAS + store->error_depth = 0; +#else store->error_depth = totalCerts; +#endif store->discardSessionCerts = 0; store->domain = domain; store->userCtx = ssl->verifyCbCtx; @@ -7311,10 +7436,15 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, InitOcspResponse(response, status, input +*inOutIdx, status_length); - if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap) != 0) - || (response->responseStatus != OCSP_SUCCESSFUL) - || (response->status->status != CERT_GOOD) - || (CompareOcspReqResp(request, response) != 0)) + if (OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, 0) != 0) + ret = BAD_CERTIFICATE_STATUS_ERROR; + else if (CompareOcspReqResp(request, response) != 0) + ret = BAD_CERTIFICATE_STATUS_ERROR; + else if (response->responseStatus != OCSP_SUCCESSFUL) + ret = BAD_CERTIFICATE_STATUS_ERROR; + else if (response->status->status == CERT_REVOKED) + ret = OCSP_CERT_REVOKED; + else if (response->status->status != CERT_GOOD) ret = BAD_CERTIFICATE_STATUS_ERROR; *inOutIdx += status_length; @@ -7388,8 +7518,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, InitOcspResponse(response, status, input +*inOutIdx, status_length); - if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap) - != 0) + if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, + 0) != 0) || (response->responseStatus != OCSP_SUCCESSFUL) || (response->status->status != CERT_GOOD)) ret = BAD_CERTIFICATE_STATUS_ERROR; @@ -11177,6 +11307,9 @@ int SendCertificateStatus(WOLFSSL* ssl) } if (ret == 0) { + #ifdef WOLFSSL_NGINX + request->ssl = ssl; + #endif ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, &response); @@ -11275,6 +11408,9 @@ int SendCertificateStatus(WOLFSSL* ssl) } if (ret == 0) { + #ifdef WOLFSSL_NGINX + request->ssl = ssl; + #endif ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, &responses[0]); @@ -11347,6 +11483,9 @@ int SendCertificateStatus(WOLFSSL* ssl) &ssl->ctx->cm->ocsp_stapling->ocspLock); } + #ifdef WOLFSSL_NGINX + request->ssl = ssl; + #endif ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, &responses[i + 1]); @@ -11372,6 +11511,9 @@ int SendCertificateStatus(WOLFSSL* ssl) else { while (ret == 0 && NULL != (request = ssl->ctx->chainOcspRequest[i])) { + #ifdef WOLFSSL_NGINX + request->ssl = ssl; + #endif ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, &responses[++i]); @@ -11386,7 +11528,7 @@ int SendCertificateStatus(WOLFSSL* ssl) if (responses[0].buffer) { if (ret == 0) ret = BuildCertificateStatus(ssl, status_type, - responses, i + 1); + responses, (byte)i + 1); for (i = 0; i < 1 + MAX_CHAIN_DEPTH; i++) if (responses[i].buffer) @@ -11898,8 +12040,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case NOT_CA_ERROR: return "Not a CA by basic constraint error"; - case BAD_PATH_ERROR: - return "Bad path for opendir error"; + case HTTP_TIMEOUT: + return "HTTP timeout for OCSP or CRL req"; case BAD_CERT_MANAGER_ERROR: return "Bad Cert Manager error"; @@ -13463,7 +13605,8 @@ int SetCipherList(Suites* suites, const char* list) return 0; } - if (next[0] == 0 || XSTRNCMP(next, "ALL", 3) == 0) + if (next[0] == 0 || XSTRNCMP(next, "ALL", 3) == 0 || + XSTRNCMP(next, "DEFAULT", 7) == 0) return 1; /* wolfSSL defualt */ do { @@ -14645,6 +14788,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, if ((curveOid = CheckCurveId(b)) < 0) { ERROR_OUT(ECC_CURVE_ERROR, exit_dske); } + ssl->ecdhCurveOID = curveOid; length = input[idx++]; if ((idx - begin) + length > size) { @@ -14936,7 +15080,9 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, #endif break; case sha_mac: - #ifndef NO_OLD_TLS + #if !defined(NO_SHA) && \ + (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) hashType = WC_HASH_TYPE_SHA; #endif break; @@ -15915,7 +16061,7 @@ int SendClientKeyExchange(WOLFSSL* ssl) case KEYSHARE_BUILD: { encSz = MAX_ENCRYPT_SZ; - encSecret = (byte*)XMALLOC(MAX_ENCRYPT_SZ, NULL, + encSecret = (byte*)XMALLOC(MAX_ENCRYPT_SZ, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (encSecret == NULL) { ERROR_OUT(MEMORY_E, exit_scke); @@ -15942,8 +16088,8 @@ int SendClientKeyExchange(WOLFSSL* ssl) case diffie_hellman_kea: { ssl->buffers.sig.length = ENCRYPT_LEN; - ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN, NULL, - DYNAMIC_TYPE_TMP_BUFFER); + ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN, + ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (ssl->buffers.sig.buffer == NULL) { ERROR_OUT(MEMORY_E, exit_scke); } @@ -16003,8 +16149,8 @@ int SendClientKeyExchange(WOLFSSL* ssl) } ssl->buffers.sig.length = ENCRYPT_LEN; - ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN, NULL, - DYNAMIC_TYPE_TMP_BUFFER); + ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN, + ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (ssl->buffers.sig.buffer == NULL) { ERROR_OUT(MEMORY_E, exit_scke); } @@ -17216,6 +17362,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, idx += RAN_LEN; output[idx++] = sessIdSz; XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz); + ssl->arrays->sessionIDSz = sessIdSz; } else { /* If resuming, use info from SSL */ @@ -17531,6 +17678,9 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } } + ssl->options.dhKeySz = + (word16)ssl->buffers.serverDH_P.length; + ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length, @@ -17943,7 +18093,9 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif break; case sha_mac: - #ifndef NO_OLD_TLS + #if !defined(NO_SHA) && \ + (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) hashType = WC_HASH_TYPE_SHA; #endif break; @@ -18037,7 +18189,9 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif break; case sha_mac: - #ifndef NO_OLD_TLS + #if !defined(NO_SHA) && \ + (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) typeH = SHAh; #endif break; @@ -18207,7 +18361,9 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif break; case sha_mac: - #ifndef NO_OLD_TLS + #if !defined(NO_SHA) && \ + (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) hashType = WC_HASH_TYPE_SHA; #endif break; @@ -18296,7 +18452,9 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif break; case sha_mac: - #ifndef NO_OLD_TLS + #if !defined(NO_SHA) && \ + (!defined(NO_OLD_TLS) || \ + defined(WOLFSSL_ALLOW_TLS_SHA1)) typeH = SHAh; #endif break; @@ -18834,8 +18992,34 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } #ifndef NO_WOLFSSL_SERVER + static int CompareSuites(WOLFSSL* ssl, Suites* peerSuites, word16 i, + word16 j) + { + if (ssl->suites->suites[i] == peerSuites->suites[j] && + ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) { + + if (VerifyServerSuite(ssl, i)) { + int result; + WOLFSSL_MSG("Verified suite validity"); + ssl->options.cipherSuite0 = ssl->suites->suites[i]; + ssl->options.cipherSuite = ssl->suites->suites[i+1]; + result = SetCipherSpecs(ssl); + if (result == 0) + PickHashSigAlgo(ssl, peerSuites->hashSigAlgo, + peerSuites->hashSigAlgoSz); + return result; + } + else { + WOLFSSL_MSG("Could not verify suite validity, continue"); + } + } + + return MATCH_SUITE_ERROR; + } + static int MatchSuite(WOLFSSL* ssl, Suites* peerSuites) { + int ret; word16 i, j; WOLFSSL_ENTER("MatchSuite"); @@ -18846,27 +19030,27 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (ssl->suites == NULL) return SUITES_ERROR; - /* start with best, if a match we are good */ - for (i = 0; i < ssl->suites->suiteSz; i += 2) - for (j = 0; j < peerSuites->suiteSz; j += 2) - if (ssl->suites->suites[i] == peerSuites->suites[j] && - ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) { - if (VerifyServerSuite(ssl, i)) { - int result; - WOLFSSL_MSG("Verified suite validity"); - ssl->options.cipherSuite0 = ssl->suites->suites[i]; - ssl->options.cipherSuite = ssl->suites->suites[i+1]; - result = SetCipherSpecs(ssl); - if (result == 0) - PickHashSigAlgo(ssl, peerSuites->hashSigAlgo, - peerSuites->hashSigAlgoSz); - return result; - } - else { - WOLFSSL_MSG("Could not verify suite validity, continue"); - } + if (!ssl->options.useClientOrder) { + /* Server order */ + for (i = 0; i < ssl->suites->suiteSz; i += 2) { + for (j = 0; j < peerSuites->suiteSz; j += 2) { + ret = CompareSuites(ssl, peerSuites, i, j); + if (ret != MATCH_SUITE_ERROR) + return ret; } + } + } + else { + /* Client order */ + for (j = 0; j < peerSuites->suiteSz; j += 2) { + for (i = 0; i < ssl->suites->suiteSz; i += 2) { + ret = CompareSuites(ssl, peerSuites, i, j); + if (ret != MATCH_SUITE_ERROR) + return ret; + } + } + } return MATCH_SUITE_ERROR; } @@ -19031,6 +19215,9 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, WOLFSSL_MSG("Session lookup for resume failed"); ssl->options.resuming = 0; } else { + #ifdef HAVE_EXT_CACHE + wolfSSL_SESSION_free(session); + #endif if (MatchSuite(ssl, &clSuites) < 0) { WOLFSSL_MSG("Unsupported cipher suite, OldClientHello"); return UNSUPPORTED_SUITE; @@ -19394,9 +19581,10 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if ((ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, 1, &clSuites))) return ret; -#ifdef HAVE_STUNNEL +#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) if((ret=SNI_Callback(ssl))) return ret; + ssl->options.side = WOLFSSL_SERVER_END; #endif /*HAVE_STUNNEL*/ i += totalExtSz; @@ -19481,8 +19669,14 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, "using EMS"); return EXT_MASTER_SECRET_NEEDED_E; } +#ifdef HAVE_EXT_CACHE + wolfSSL_SESSION_free(session); +#endif } else { +#ifdef HAVE_EXT_CACHE + wolfSSL_SESSION_free(session); +#endif if (MatchSuite(ssl, &clSuites) < 0) { WOLFSSL_MSG("Unsupported cipher suite, ClientHello"); return UNSUPPORTED_SUITE; @@ -21080,7 +21274,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } -#ifdef HAVE_STUNNEL +#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) static int SNI_Callback(WOLFSSL* ssl) { /* Stunnel supports a custom sni callback to switch an SSL's ctx diff --git a/src/io.c b/src/io.c index 88aba2730..38bc69e30 100644 --- a/src/io.c +++ b/src/io.c @@ -36,188 +36,30 @@ #include #include +#include + +#if defined(HAVE_HTTP_CLIENT) + #include /* atoi(), strtol() */ +#endif + +/* +Possible IO enable options: + * WOLFSSL_USER_IO: Disables default Embed* callbacks and default: off + allows user to define their own using + wolfSSL_SetIORecv and wolfSSL_SetIOSend + * USE_WOLFSSL_IO: Enables the wolfSSL IO functions default: off + * HAVE_HTTP_CLIENT: Enables HTTP client API's default: off + (unless HAVE_OCSP or HAVE_CRL_IO defined) + * HAVE_IO_TIMEOUT: Enables support for connect timeout default: off + */ /* if user writes own I/O callbacks they can define WOLFSSL_USER_IO to remove automatic setting of default I/O functions EmbedSend() and EmbedReceive() but they'll still need SetCallback xxx() at end of file */ -#ifndef WOLFSSL_USER_IO - -#ifdef HAVE_LIBZ - #include "zlib.h" -#endif - -#ifndef USE_WINDOWS_API - #ifdef WOLFSSL_LWIP - /* lwIP needs to be configured to use sockets API in this mode */ - /* LWIP_SOCKET 1 in lwip/opt.h or in build */ - #include "lwip/sockets.h" - #include - #ifndef LWIP_PROVIDE_ERRNO - #define LWIP_PROVIDE_ERRNO 1 - #endif - #elif defined(FREESCALE_MQX) - #include - #include - #elif defined(FREESCALE_KSDK_MQX) - #include - #elif defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) - #if !defined(WOLFSSL_MDK_ARM) - #include "cmsis_os.h" - #include "rl_net.h" - #else - #include - #endif - #include "errno.h" - #define SOCKET_T int - #elif defined(WOLFSSL_TIRTOS) - #include - #elif defined(FREERTOS_TCP) - #include "FreeRTOS_Sockets.h" - #elif defined(WOLFSSL_IAR_ARM) - /* nothing */ - #elif defined(WOLFSSL_VXWORKS) - #include - #include - #elif defined(WOLFSSL_ATMEL) - #include "socket/include/socket.h" - #else - #include - #include - #ifndef EBSNET - #include - #endif - #include - - #if defined(HAVE_RTP_SYS) - #include - #elif defined(EBSNET) - #include "rtipapi.h" /* errno */ - #include "socket.h" - #elif !defined(DEVKITPRO) && !defined(WOLFSSL_PICOTCP) - #include - #include - #include - #include - #ifdef __PPU - #include - #else - #include - #endif - #endif - #endif -#endif /* USE_WINDOWS_API */ - -#ifdef __sun - #include -#endif - -#ifdef USE_WINDOWS_API - /* no epipe yet */ - #ifndef WSAEPIPE - #define WSAEPIPE -12345 - #endif - #define SOCKET_EWOULDBLOCK WSAEWOULDBLOCK - #define SOCKET_EAGAIN WSAETIMEDOUT - #define SOCKET_ECONNRESET WSAECONNRESET - #define SOCKET_EINTR WSAEINTR - #define SOCKET_EPIPE WSAEPIPE - #define SOCKET_ECONNREFUSED WSAENOTCONN - #define SOCKET_ECONNABORTED WSAECONNABORTED - #define close(s) closesocket(s) -#elif defined(__PPU) - #define SOCKET_EWOULDBLOCK SYS_NET_EWOULDBLOCK - #define SOCKET_EAGAIN SYS_NET_EAGAIN - #define SOCKET_ECONNRESET SYS_NET_ECONNRESET - #define SOCKET_EINTR SYS_NET_EINTR - #define SOCKET_EPIPE SYS_NET_EPIPE - #define SOCKET_ECONNREFUSED SYS_NET_ECONNREFUSED - #define SOCKET_ECONNABORTED SYS_NET_ECONNABORTED -#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) - #if MQX_USE_IO_OLD - /* RTCS old I/O doesn't have an EWOULDBLOCK */ - #define SOCKET_EWOULDBLOCK EAGAIN - #define SOCKET_EAGAIN EAGAIN - #define SOCKET_ECONNRESET RTCSERR_TCP_CONN_RESET - #define SOCKET_EINTR EINTR - #define SOCKET_EPIPE EPIPE - #define SOCKET_ECONNREFUSED RTCSERR_TCP_CONN_REFUSED - #define SOCKET_ECONNABORTED RTCSERR_TCP_CONN_ABORTED - #else - #define SOCKET_EWOULDBLOCK NIO_EWOULDBLOCK - #define SOCKET_EAGAIN NIO_EAGAIN - #define SOCKET_ECONNRESET NIO_ECONNRESET - #define SOCKET_EINTR NIO_EINTR - #define SOCKET_EPIPE NIO_EPIPE - #define SOCKET_ECONNREFUSED NIO_ECONNREFUSED - #define SOCKET_ECONNABORTED NIO_ECONNABORTED - #endif -#elif defined(WOLFSSL_MDK_ARM)|| defined(WOLFSSL_KEIL_TCP_NET) - #if !defined(WOLFSSL_MDK_ARM) - #define SOCKET_EWOULDBLOCK BSD_ERROR_WOULDBLOCK - #define SOCKET_EAGAIN BSD_ERROR_LOCKED - #define SOCKET_ECONNRESET BSD_ERROR_CLOSED - #define SOCKET_EINTR BSD_ERROR - #define SOCKET_EPIPE BSD_ERROR - #define SOCKET_ECONNREFUSED BSD_ERROR - #define SOCKET_ECONNABORTED BSD_ERROR - #else - #define SOCKET_EWOULDBLOCK SCK_EWOULDBLOCK - #define SOCKET_EAGAIN SCK_ELOCKED - #define SOCKET_ECONNRESET SCK_ECLOSED - #define SOCKET_EINTR SCK_ERROR - #define SOCKET_EPIPE SCK_ERROR - #define SOCKET_ECONNREFUSED SCK_ERROR - #define SOCKET_ECONNABORTED SCK_ERROR - #endif -#elif defined(WOLFSSL_PICOTCP) - #define SOCKET_EWOULDBLOCK PICO_ERR_EAGAIN - #define SOCKET_EAGAIN PICO_ERR_EAGAIN - #define SOCKET_ECONNRESET PICO_ERR_ECONNRESET - #define SOCKET_EINTR PICO_ERR_EINTR - #define SOCKET_EPIPE PICO_ERR_EIO - #define SOCKET_ECONNREFUSED PICO_ERR_ECONNREFUSED - #define SOCKET_ECONNABORTED PICO_ERR_ESHUTDOWN -#elif defined(FREERTOS_TCP) - #define SOCKET_EWOULDBLOCK FREERTOS_EWOULDBLOCK - #define SOCKET_EAGAIN FREERTOS_EWOULDBLOCK - #define SOCKET_ECONNRESET FREERTOS_SOCKET_ERROR - #define SOCKET_EINTR FREERTOS_SOCKET_ERROR - #define SOCKET_EPIPE FREERTOS_SOCKET_ERROR - #define SOCKET_ECONNREFUSED FREERTOS_SOCKET_ERROR - #define SOCKET_ECONNABORTED FREERTOS_SOCKET_ERROR -#else - #define SOCKET_EWOULDBLOCK EWOULDBLOCK - #define SOCKET_EAGAIN EAGAIN - #define SOCKET_ECONNRESET ECONNRESET - #define SOCKET_EINTR EINTR - #define SOCKET_EPIPE EPIPE - #define SOCKET_ECONNREFUSED ECONNREFUSED - #define SOCKET_ECONNABORTED ECONNABORTED -#endif /* USE_WINDOWS_API */ - - -#ifdef DEVKITPRO - /* from network.h */ - int net_send(int, const void*, int, unsigned int); - int net_recv(int, void*, int, unsigned int); - #define SEND_FUNCTION net_send - #define RECV_FUNCTION net_recv -#elif defined(WOLFSSL_LWIP) - #define SEND_FUNCTION lwip_send - #define RECV_FUNCTION lwip_recv -#elif defined(WOLFSSL_PICOTCP) - #define SEND_FUNCTION pico_send - #define RECV_FUNCTION pico_recv -#elif defined(FREERTOS_TCP) - #define RECV_FUNCTION(a,b,c,d) FreeRTOS_recv((Socket_t)(a),(void*)(b), (size_t)(c), (BaseType_t)(d)) - #define SEND_FUNCTION(a,b,c,d) FreeRTOS_send((Socket_t)(a),(void*)(b), (size_t)(c), (BaseType_t)(d)) -#else - #define SEND_FUNCTION send - #define RECV_FUNCTION recv -#endif +#if defined(USE_WOLFSSL_IO) || defined(HAVE_HTTP_CLIENT) /* Translates return codes returned from * send() and recv() if need be. @@ -257,14 +99,18 @@ static INLINE int LastError(void) #endif } +#endif /* USE_WOLFSSL_IO || HAVE_HTTP_CLIENT */ + + +#ifdef USE_WOLFSSL_IO + /* The receive embedded callback * return : nb bytes read, or error */ int EmbedReceive(WOLFSSL *ssl, char *buf, int sz, void *ctx) { - int recvd; - int err; int sd = *(int*)ctx; + int recvd; #ifdef WOLFSSL_DTLS { @@ -287,12 +133,9 @@ int EmbedReceive(WOLFSSL *ssl, char *buf, int sz, void *ctx) } #endif - recvd = (int)RECV_FUNCTION(sd, buf, sz, ssl->rflags); - - recvd = TranslateReturnCode(recvd, sd); - + recvd = wolfIO_Recv(sd, buf, sz, ssl->rflags); if (recvd < 0) { - err = LastError(); + int err = LastError(); WOLFSSL_MSG("Embed Receive error"); if (err == SOCKET_EWOULDBLOCK || err == SOCKET_EAGAIN) { @@ -341,15 +184,10 @@ int EmbedSend(WOLFSSL* ssl, char *buf, int sz, void *ctx) { int sd = *(int*)ctx; int sent; - int len = sz; - int err; - - sent = (int)SEND_FUNCTION(sd, &buf[sz - len], len, ssl->wflags); - - sent = TranslateReturnCode(sent, sd); + sent = wolfIO_Send(sd, buf, sz, ssl->wflags); if (sent < 0) { - err = LastError(); + int err = LastError(); WOLFSSL_MSG("Embed Send error"); if (err == SOCKET_EWOULDBLOCK || err == SOCKET_EAGAIN) { @@ -382,12 +220,6 @@ int EmbedSend(WOLFSSL* ssl, char *buf, int sz, void *ctx) #include -#ifdef USE_WINDOWS_API - #define XSOCKLENT int -#else - #define XSOCKLENT socklen_t -#endif - #define SENDTO_FUNCTION sendto #define RECVFROM_FUNCTION recvfrom @@ -402,7 +234,7 @@ int EmbedReceiveFrom(WOLFSSL *ssl, char *buf, int sz, void *ctx) int err; int sd = dtlsCtx->rfd; int dtls_timeout = wolfSSL_dtls_get_current_timeout(ssl); - struct sockaddr_storage peer; + SOCKADDR_S peer; XSOCKLENT peerSz = sizeof(peer); WOLFSSL_ENTER("EmbedReceiveFrom()"); @@ -425,7 +257,7 @@ int EmbedReceiveFrom(WOLFSSL *ssl, char *buf, int sz, void *ctx) } recvd = (int)RECVFROM_FUNCTION(sd, buf, sz, ssl->rflags, - (struct sockaddr*)&peer, &peerSz); + (SOCKADDR*)&peer, &peerSz); recvd = TranslateReturnCode(recvd, sd); @@ -487,7 +319,7 @@ int EmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx) WOLFSSL_ENTER("EmbedSendTo()"); sent = (int)SENDTO_FUNCTION(sd, &buf[sz - len], len, ssl->wflags, - (const struct sockaddr*)dtlsCtx->peer.sa, + (const SOCKADDR*)dtlsCtx->peer.sa, dtlsCtx->peer.sz); sent = TranslateReturnCode(sent, sd); @@ -528,7 +360,7 @@ int EmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx) int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) { int sd = ssl->wfd; - struct sockaddr_storage peer; + SOCKADDR_S peer; XSOCKLENT peerSz = sizeof(peer); byte digest[SHA_DIGEST_SIZE]; int ret = 0; @@ -536,7 +368,7 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) (void)ctx; XMEMSET(&peer, 0, sizeof(peer)); - if (getpeername(sd, (struct sockaddr*)&peer, &peerSz) != 0) { + if (getpeername(sd, (SOCKADDR*)&peer, &peerSz) != 0) { WOLFSSL_MSG("getpeername failed in EmbedGenerateCookie"); return GEN_COOKIE_E; } @@ -553,29 +385,6 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) } #ifdef WOLFSSL_SESSION_EXPORT - #ifndef XINET_NTOP - #define XINET_NTOP(a,b,c,d) inet_ntop((a),(b),(c),(d)) - #endif - #ifndef XINET_PTON - #define XINET_PTON(a,b,c) inet_pton((a),(b),(c)) - #endif - #ifndef XHTONS - #define XHTONS(a) htons((a)) - #endif - #ifndef XNTOHS - #define XNTOHS(a) ntohs((a)) - #endif - - #ifndef WOLFSSL_IP4 - #define WOLFSSL_IP4 AF_INET - #endif - #ifndef WOLFSSL_IP6 - #define WOLFSSL_IP6 AF_INET6 - #endif - - typedef struct sockaddr_storage SOCKADDR_S; - typedef struct sockaddr_in SOCKADDR_IN; - typedef struct sockaddr_in6 SOCKADDR_IN6; /* get the peer information in human readable form (ip, port, family) * default function assumes BSD sockets @@ -613,12 +422,14 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) break; case WOLFSSL_IP6: + #ifdef WOLFSSL_IPV6 if (XINET_NTOP(*fam, &(((SOCKADDR_IN6*)&peer)->sin6_addr), ip, *ipSz) == NULL) { WOLFSSL_MSG("XINET_NTOP error"); return SOCKET_ERROR_E; } *port = XNTOHS(((SOCKADDR_IN6*)&peer)->sin6_port); + #endif /* WOLFSSL_IPV6 */ break; default: @@ -665,6 +476,7 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) break; case WOLFSSL_IP6: + #ifdef WOLFSSL_IPV6 if (XINET_PTON(addr.ss_family, ip, &(((SOCKADDR_IN6*)&addr)->sin6_addr)) <= 0) { WOLFSSL_MSG("XINET_PTON error"); @@ -678,6 +490,7 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) WOLFSSL_MSG("Import DTLS peer info error"); return ret; } + #endif /* WOLFSSL_IPV6 */ break; default: @@ -690,92 +503,184 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) #endif /* WOLFSSL_SESSION_EXPORT */ #endif /* WOLFSSL_DTLS */ -#ifdef HAVE_OCSP -#include /* atoi() */ +int wolfIO_Recv(SOCKET_T sd, char *buf, int sz, int rdFlags) +{ + int recvd; + + recvd = (int)RECV_FUNCTION(sd, buf, sz, rdFlags); + recvd = TranslateReturnCode(recvd, sd); + + return recvd; +} + +int wolfIO_Send(SOCKET_T sd, char *buf, int sz, int wrFlags) +{ + int sent; + int len = sz; + + sent = (int)SEND_FUNCTION(sd, &buf[sz - len], len, wrFlags); + sent = TranslateReturnCode(sent, sd); + + return sent; +} + +#endif /* USE_WOLFSSL_IO */ -static int Word16ToString(char* d, word16 number) +#ifdef HAVE_HTTP_CLIENT + +#ifndef HAVE_IO_TIMEOUT + #define io_timeout_sec 0 +#else + + #ifndef DEFAULT_TIMEOUT_SEC + #define DEFAULT_TIMEOUT_SEC 0 /* no timeout */ + #endif + + static int io_timeout_sec = DEFAULT_TIMEOUT_SEC; + + void wolfIO_SetTimeout(int to_sec) + { + io_timeout_sec = to_sec; + } + + int wolfIO_SetBlockingMode(SOCKET_T sockfd, int non_blocking) + { + int ret = 0; + + #ifdef USE_WINDOWS_API + unsigned long blocking = non_blocking; + ret = ioctlsocket(sockfd, FIONBIO, &blocking); + if (ret == SOCKET_ERROR) + ret = -1; + #else + ret = fcntl(sockfd, F_GETFL, 0); + if (ret >= 0) { + if (non_blocking) + ret |= O_NONBLOCK; + else + ret &= ~O_NONBLOCK; + ret = fcntl(sockfd, F_SETFL, ret); + } + #endif + if (ret < 0) { + WOLFSSL_MSG("wolfIO_SetBlockingMode failed"); + } + + return ret; + } + + #ifdef _MSC_VER + /* 4204: non-constant aggregate initializer (nfds = sockfd + 1) */ + #pragma warning(disable: 4204) + #endif + int wolfIO_Select(SOCKET_T sockfd, int to_sec) + { + fd_set fds; + SOCKET_T nfds = sockfd + 1; + struct timeval timeout = { (to_sec > 0) ? to_sec : 0, 0}; + int ret; + + FD_ZERO(&fds); + FD_SET(sockfd, &fds); + + ret = select(nfds, &fds, &fds, NULL, &timeout); + if (ret == 0) { + #ifdef DEBUG_HTTP + printf("Timeout: %d\n", ret); + #endif + return HTTP_TIMEOUT; + } + else if (ret > 0) { + if (FD_ISSET(sockfd, &fds)) + return 0; + } + return SOCKET_ERROR_E; + } +#endif /* HAVE_IO_TIMEOUT */ + +static int wolfIO_Word16ToString(char* d, word16 number) { int i = 0; + word16 order = 10000; + word16 digit; - if (d != NULL) { - word16 order = 10000; - word16 digit; + if (d == NULL) + return i; - if (number == 0) { - d[i++] = '0'; + if (number == 0) + d[i++] = '0'; + else { + while (order) { + digit = number / order; + if (i > 0 || digit != 0) + d[i++] = (char)digit + '0'; + if (digit != 0) + number %= digit * order; + + order = (order > 1) ? order / 10 : 0; } - else { - while (order) { - digit = number / order; - if (i > 0 || digit != 0) { - d[i++] = (char)digit + '0'; - } - if (digit != 0) - number %= digit * order; - if (order > 1) - order /= 10; - else - order = 0; - } - } - d[i] = 0; } + d[i] = 0; /* null terminate */ return i; } - -static int tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port) +int wolfIO_TcpConnect(SOCKET_T* sockfd, const char* ip, word16 port, int to_sec) { - struct sockaddr_storage addr; - int sockaddr_len = sizeof(struct sockaddr_in); +#ifdef HAVE_SOCKADDR + int ret = 0; + SOCKADDR_S addr; + int sockaddr_len = sizeof(SOCKADDR_IN); +#ifdef HAVE_GETADDRINFO + ADDRINFO hints; + ADDRINFO* answer = NULL; + char strPort[6]; +#else + HOSTENT* entry; + SOCKADDR_IN *sin; +#endif + XMEMSET(&addr, 0, sizeof(addr)); - #ifdef HAVE_GETADDRINFO - { - struct addrinfo hints; - struct addrinfo* answer = NULL; - char strPort[6]; +#ifdef WOLFIO_DEBUG + printf("TCP Connect: %s:%d\n", ip, port); +#endif - XMEMSET(&hints, 0, sizeof(hints)); - hints.ai_family = AF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - if (Word16ToString(strPort, port) == 0) { - WOLFSSL_MSG("invalid port number for OCSP responder"); - return -1; - } - - if (getaddrinfo(ip, strPort, &hints, &answer) < 0 || answer == NULL) { - WOLFSSL_MSG("no addr info for OCSP responder"); - return -1; - } - - sockaddr_len = answer->ai_addrlen; - XMEMCPY(&addr, answer->ai_addr, sockaddr_len); - freeaddrinfo(answer); +#ifdef HAVE_GETADDRINFO + XMEMSET(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + if (wolfIO_Word16ToString(strPort, port) == 0) { + WOLFSSL_MSG("invalid port number for responder"); + return -1; } - #else /* HAVE_GETADDRINFO */ - { - struct hostent* entry = gethostbyname(ip); - struct sockaddr_in *sin = (struct sockaddr_in *)&addr; - if (entry) { - sin->sin_family = AF_INET; - sin->sin_port = htons(port); - XMEMCPY(&sin->sin_addr.s_addr, entry->h_addr_list[0], - entry->h_length); - } - else { - WOLFSSL_MSG("no addr info for OCSP responder"); - return -1; - } + if (getaddrinfo(ip, strPort, &hints, &answer) < 0 || answer == NULL) { + WOLFSSL_MSG("no addr info for responder"); + return -1; } - #endif /* HAVE_GETADDRINFO */ + + sockaddr_len = answer->ai_addrlen; + XMEMCPY(&addr, answer->ai_addr, sockaddr_len); + freeaddrinfo(answer); +#else + entry = gethostbyname(ip); + sin = (SOCKADDR_IN *)&addr; + + if (entry) { + sin->sin_family = AF_INET; + sin->sin_port = XHTONS(port); + XMEMCPY(&sin->sin_addr.s_addr, entry->h_addr_list[0], entry->h_length); + } + else { + WOLFSSL_MSG("no addr info for responder"); + return -1; + } +#endif *sockfd = (SOCKET_T)socket(addr.ss_family, SOCK_STREAM, 0); @@ -791,248 +696,400 @@ static int tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port) } #endif - if (connect(*sockfd, (struct sockaddr *)&addr, sockaddr_len) != 0) { - WOLFSSL_MSG("OCSP responder tcp connect failed"); +#ifdef HAVE_IO_TIMEOUT + /* if timeout value provided then set socket non-blocking */ + if (to_sec > 0) { + wolfIO_SetBlockingMode(*sockfd, 1); + } +#else + (void)to_sec; +#endif + + ret = connect(*sockfd, (SOCKADDR *)&addr, sockaddr_len); +#ifdef HAVE_IO_TIMEOUT + if (ret != 0) { + if ((errno == EINPROGRESS) && (to_sec > 0)) { + /* wait for connect to complete */ + ret = wolfIO_Select(*sockfd, to_sec); + + /* restore blocking mode */ + wolfIO_SetBlockingMode(*sockfd, 0); + } + } +#endif + if (ret != 0) { + WOLFSSL_MSG("Responder tcp connect failed"); return -1; } - - return 0; + return ret; +#else + (void)sockfd; + (void)ip; + (void)port; + (void)to_sec; + return -1; +#endif /* HAVE_SOCKADDR */ } +#ifndef HTTP_SCRATCH_BUFFER_SIZE + #define HTTP_SCRATCH_BUFFER_SIZE 512 +#endif +#ifndef MAX_URL_ITEM_SIZE + #define MAX_URL_ITEM_SIZE 80 +#endif -static int build_http_request(const char* domainName, const char* path, - int ocspReqSz, byte* buf, int bufSize) -{ - word32 domainNameLen, pathLen, ocspReqSzStrLen, completeLen; - char ocspReqSzStr[6]; - - domainNameLen = (word32)XSTRLEN(domainName); - pathLen = (word32)XSTRLEN(path); - ocspReqSzStrLen = Word16ToString(ocspReqSzStr, (word16)ocspReqSz); - - completeLen = domainNameLen + pathLen + ocspReqSzStrLen + 84; - if (completeLen > (word32)bufSize) - return 0; - - XSTRNCPY((char*)buf, "POST ", 5); - buf += 5; - XSTRNCPY((char*)buf, path, pathLen); - buf += pathLen; - XSTRNCPY((char*)buf, " HTTP/1.1\r\nHost: ", 17); - buf += 17; - XSTRNCPY((char*)buf, domainName, domainNameLen); - buf += domainNameLen; - XSTRNCPY((char*)buf, "\r\nContent-Length: ", 18); - buf += 18; - XSTRNCPY((char*)buf, ocspReqSzStr, ocspReqSzStrLen); - buf += ocspReqSzStrLen; - XSTRNCPY((char*)buf, - "\r\nContent-Type: application/ocsp-request\r\n\r\n", 44); - - return completeLen; -} - - -static int decode_url(const char* url, int urlSz, - char* outName, char* outPath, word16* outPort) +int wolfIO_DecodeUrl(const char* url, int urlSz, char* outName, char* outPath, + word16* outPort) { int result = -1; - if (outName != NULL && outPath != NULL && outPort != NULL) - { - if (url == NULL || urlSz == 0) - { + if (url == NULL || urlSz == 0) { + if (outName) *outName = 0; + if (outPath) *outPath = 0; + if (outPort) *outPort = 0; + } + else { + int i, cur; + + /* need to break the url down into scheme, address, and port */ + /* "http://example.com:8080/" */ + /* "http://[::1]:443/" */ + if (XSTRNCMP(url, "http://", 7) == 0) { + cur = 7; + } else cur = 0; + + i = 0; + if (url[cur] == '[') { + cur++; + /* copy until ']' */ + while (url[cur] != 0 && url[cur] != ']' && cur < urlSz) { + if (outName) + outName[i] = url[cur]; + i++; cur++; + } + cur++; /* skip ']' */ } - else - { - int i, cur; - - /* need to break the url down into scheme, address, and port */ - /* "http://example.com:8080/" */ - /* "http://[::1]:443/" */ - if (XSTRNCMP(url, "http://", 7) == 0) { - cur = 7; - } else cur = 0; - - i = 0; - if (url[cur] == '[') { - cur++; - /* copy until ']' */ - while (url[cur] != 0 && url[cur] != ']' && cur < urlSz) { - outName[i++] = url[cur++]; - } - cur++; /* skip ']' */ - } - else { - while (url[cur] != 0 && url[cur] != ':' && - url[cur] != '/' && cur < urlSz) { - outName[i++] = url[cur++]; - } + else { + while (url[cur] != 0 && url[cur] != ':' && + url[cur] != '/' && cur < urlSz) { + if (outName) + outName[i] = url[cur]; + i++; cur++; } + } + if (outName) outName[i] = 0; - /* Need to pick out the path after the domain name */ + /* Need to pick out the path after the domain name */ - if (cur < urlSz && url[cur] == ':') { - char port[6]; - int j; - word32 bigPort = 0; - i = 0; - cur++; - while (cur < urlSz && url[cur] != 0 && url[cur] != '/' && - i < 6) { - port[i++] = url[cur++]; - } + if (cur < urlSz && url[cur] == ':') { + char port[6]; + int j; + word32 bigPort = 0; + i = 0; + cur++; + while (cur < urlSz && url[cur] != 0 && url[cur] != '/' && + i < 6) { + port[i++] = url[cur++]; + } - for (j = 0; j < i; j++) { - if (port[j] < '0' || port[j] > '9') return -1; - bigPort = (bigPort * 10) + (port[j] - '0'); - } + for (j = 0; j < i; j++) { + if (port[j] < '0' || port[j] > '9') return -1; + bigPort = (bigPort * 10) + (port[j] - '0'); + } + if (outPort) *outPort = (word16)bigPort; - } - else - *outPort = 80; - - if (cur < urlSz && url[cur] == '/') { - i = 0; - while (cur < urlSz && url[cur] != 0 && i < 80) { - outPath[i++] = url[cur++]; - } - outPath[i] = 0; - } - else { - outPath[0] = '/'; - outPath[1] = 0; - } - result = 0; } + else if (outPort) + *outPort = 80; + + + if (cur < urlSz && url[cur] == '/') { + i = 0; + while (cur < urlSz && url[cur] != 0 && i < MAX_URL_ITEM_SIZE) { + if (outPath) + outPath[i] = url[cur]; + i++; cur++; + } + if (outPath) + outPath[i] = 0; + } + else if (outPath) { + outPath[0] = '/'; + outPath[1] = 0; + } + + result = 0; } return result; } - -/* return: >0 OCSP Response Size - * -1 error */ -static int process_http_response(int sfd, byte** respBuf, - byte* httpBuf, int httpBufSz, void* heap) +static int wolfIO_HttpProcessResponseBuf(int sfd, byte **recvBuf, int* recvBufSz, + int chunkSz, char* start, int len, int dynType, void* heap) { - int result; + byte* newRecvBuf = NULL; + int newRecvSz = *recvBufSz + chunkSz; + int pos = 0; + + WOLFSSL_MSG("Processing HTTP response"); +#ifdef WOLFIO_DEBUG + printf("HTTP Chunk %d->%d\n", *recvBufSz, chunkSz); +#endif + + newRecvBuf = (byte*)XMALLOC(newRecvSz, heap, dynType); + if (newRecvBuf == NULL) { + WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf malloc failed"); + return MEMORY_E; + } + + /* if buffer already exists, then we are growing it */ + if (*recvBuf) { + XMEMCPY(&newRecvBuf[pos], *recvBuf, *recvBufSz); + XFREE(*recvBuf, heap, dynType); + pos += *recvBufSz; + *recvBuf = NULL; + } + + /* copy the remainder of the httpBuf into the respBuf */ + if (len != 0) { + XMEMCPY(&newRecvBuf[pos], start, len); + pos += len; + } + + /* receive the remainder of chunk */ + while (len < chunkSz) { + int rxSz = wolfIO_Recv(sfd, (char*)&newRecvBuf[pos], chunkSz-len, 0); + if (rxSz > 0) { + len += rxSz; + pos += rxSz; + } + else { + WOLFSSL_MSG("wolfIO_HttpProcessResponseBuf recv failed"); + XFREE(newRecvBuf, heap, dynType); + return -1; + } + } + + *recvBuf = newRecvBuf; + *recvBufSz = newRecvSz; + + return 0; +} + +int wolfIO_HttpProcessResponse(int sfd, const char* appStr, + byte** respBuf, byte* httpBuf, int httpBufSz, int dynType, void* heap) +{ + int result = 0; int len = 0; char *start, *end; - byte *recvBuf = NULL; - int recvBufSz = 0; - enum phr_state { phr_init, phr_http_start, phr_have_length, - phr_have_type, phr_wait_end, phr_http_end + int respBufSz = 0; + int isChunked = 0, chunkSz = 0; + enum phr_state { phr_init, phr_http_start, phr_have_length, phr_have_type, + phr_wait_end, phr_get_chunk_len, phr_get_chunk_data, + phr_http_end } state = phr_init; + *respBuf = NULL; start = end = NULL; do { + if (state == phr_get_chunk_data) { + /* get chunk of data */ + result = wolfIO_HttpProcessResponseBuf(sfd, respBuf, &respBufSz, + chunkSz, start, len, dynType, heap); + + state = (result != 0) ? phr_http_end : phr_get_chunk_len; + end = NULL; + len = 0; + } + + /* read data if no \r\n or first time */ if (end == NULL) { - result = (int)recv(sfd, (char*)httpBuf+len, httpBufSz-len-1, 0); + result = wolfIO_Recv(sfd, (char*)httpBuf+len, httpBufSz-len-1, 0); if (result > 0) { len += result; start = (char*)httpBuf; start[len] = 0; } else { - WOLFSSL_MSG("process_http_response recv http from peer failed"); + WOLFSSL_MSG("wolfIO_HttpProcessResponse recv http from peer failed"); return -1; } } - end = XSTRSTR(start, "\r\n"); + end = XSTRSTR(start, "\r\n"); /* locate end */ + /* handle incomplete rx */ if (end == NULL) { if (len != 0) XMEMMOVE(httpBuf, start, len); start = end = NULL; } + /* when start is "\r\n" */ else if (end == start) { - if (state == phr_wait_end) { - state = phr_http_end; - len -= 2; - start += 2; + /* if waiting for end or need chunk len */ + if (state == phr_wait_end || state == phr_get_chunk_len) { + state = (isChunked) ? phr_get_chunk_len : phr_http_end; + len -= 2; start += 2; /* skip \r\n */ } else { - WOLFSSL_MSG("process_http_response header ended early"); + WOLFSSL_MSG("wolfIO_HttpProcessResponse header ended early"); return -1; } } else { - *end = 0; + *end = 0; /* null terminate */ len -= (int)(end - start) + 2; /* adjust len to remove the first line including the /r/n */ - if (XSTRNCASECMP(start, "HTTP/1", 6) == 0) { - start += 9; - if (XSTRNCASECMP(start, "200 OK", 6) != 0 || - state != phr_init) { - WOLFSSL_MSG("process_http_response not OK"); - return -1; - } - state = phr_http_start; - } - else if (XSTRNCASECMP(start, "Content-Type:", 13) == 0) { - start += 13; - while (*start == ' ' && *start != '\0') start++; - if (XSTRNCASECMP(start, "application/ocsp-response", 25) != 0) { - WOLFSSL_MSG("process_http_response not ocsp-response"); - return -1; - } + #ifdef WOLFIO_DEBUG + printf("HTTP Resp: %s\n", start); + #endif - if (state == phr_http_start) state = phr_have_type; - else if (state == phr_have_length) state = phr_wait_end; - else { - WOLFSSL_MSG("process_http_response type invalid state"); - return -1; - } - } - else if (XSTRNCASECMP(start, "Content-Length:", 15) == 0) { - start += 15; - while (*start == ' ' && *start != '\0') start++; - recvBufSz = atoi(start); - - if (state == phr_http_start) state = phr_have_length; - else if (state == phr_have_type) state = phr_wait_end; - else { - WOLFSSL_MSG("process_http_response length invalid state"); - return -1; - } - } + switch (state) { + case phr_init: + if (XSTRNCASECMP(start, "HTTP/1", 6) == 0) { + start += 9; + if (XSTRNCASECMP(start, "200 OK", 6) != 0) { + WOLFSSL_MSG("wolfIO_HttpProcessResponse not OK"); + return -1; + } + state = phr_http_start; + } + break; + case phr_http_start: + case phr_have_length: + case phr_have_type: + if (XSTRNCASECMP(start, "Content-Type:", 13) == 0) { + start += 13; + while (*start == ' ' && *start != '\0') start++; + if (XSTRNCASECMP(start, appStr, XSTRLEN(appStr)) != 0) { + WOLFSSL_MSG("wolfIO_HttpProcessResponse appstr mismatch"); + return -1; + } + state = (state == phr_http_start) ? phr_have_type : phr_wait_end; + } + else if (XSTRNCASECMP(start, "Content-Length:", 15) == 0) { + start += 15; + while (*start == ' ' && *start != '\0') start++; + chunkSz = atoi(start); + state = (state == phr_http_start) ? phr_have_length : phr_wait_end; + } + else if (XSTRNCASECMP(start, "Transfer-Encoding:", 18) == 0) { + start += 18; + while (*start == ' ' && *start != '\0') start++; + if (XSTRNCASECMP(start, "chunked", 7) == 0) { + isChunked = 1; + state = (state == phr_http_start) ? phr_have_length : phr_wait_end; + } + } + break; + case phr_get_chunk_len: + chunkSz = (int)strtol(start, NULL, 16); /* hex format */ + state = (chunkSz == 0) ? phr_http_end : phr_get_chunk_data; + break; + case phr_get_chunk_data: + /* processing for chunk data done above, since \r\n isn't required */ + case phr_wait_end: + case phr_http_end: + /* do nothing */ + break; + } /* switch (state) */ + /* skip to end plus \r\n */ start = end + 2; } } while (state != phr_http_end); - recvBuf = (byte*)XMALLOC(recvBufSz, heap, DYNAMIC_TYPE_OCSP); - if (recvBuf == NULL) { - WOLFSSL_MSG("process_http_response couldn't create response buffer"); - return -1; + if (!isChunked) { + result = wolfIO_HttpProcessResponseBuf(sfd, respBuf, &respBufSz, chunkSz, + start, len, dynType, heap); } - /* copy the remainder of the httpBuf into the respBuf */ - if (len != 0) - XMEMCPY(recvBuf, start, len); - - /* receive the OCSP response data */ - while (len < recvBufSz) { - result = (int)recv(sfd, (char*)recvBuf+len, recvBufSz-len, 0); - if (result > 0) - len += result; - else { - WOLFSSL_MSG("process_http_response recv ocsp from peer failed"); - return -1; - } + if (result >= 0) { + result = respBufSz; + } + else { + WOLFSSL_ERROR(result); } - *respBuf = recvBuf; - return recvBufSz; + return result; +} + +int wolfIO_HttpBuildRequest(const char* reqType, const char* domainName, + const char* path, int pathLen, int reqSz, const char* contentType, + byte* buf, int bufSize) +{ + word32 reqTypeLen, domainNameLen, reqSzStrLen, contentTypeLen, maxLen; + char reqSzStr[6]; + char* req = (char*)buf; + + reqTypeLen = (word32)XSTRLEN(reqType); + domainNameLen = (word32)XSTRLEN(domainName); + reqSzStrLen = wolfIO_Word16ToString(reqSzStr, (word16)reqSz); + contentTypeLen = (word32)XSTRLEN(contentType); + + /* determine max length */ + maxLen = reqTypeLen + domainNameLen + pathLen + reqSzStrLen + contentTypeLen + 56; + if (maxLen > (word32)bufSize) + return 0; + + XSTRNCPY((char*)buf, reqType, reqTypeLen); + buf += reqTypeLen; + XSTRNCPY((char*)buf, " ", 1); + buf += 1; + XSTRNCPY((char*)buf, path, pathLen); + buf += pathLen; + XSTRNCPY((char*)buf, " HTTP/1.1", 9); + buf += 9; + if (domainNameLen > 0) { + XSTRNCPY((char*)buf, "\r\nHost: ", 8); + buf += 8; + XSTRNCPY((char*)buf, domainName, domainNameLen); + buf += domainNameLen; + } + if (reqSz > 0 && reqSzStrLen > 0) { + XSTRNCPY((char*)buf, "\r\nContent-Length: ", 18); + buf += 18; + XSTRNCPY((char*)buf, reqSzStr, reqSzStrLen); + buf += reqSzStrLen; + } + if (contentTypeLen > 0) { + XSTRNCPY((char*)buf, "\r\nContent-Type: ", 16); + buf += 16; + XSTRNCPY((char*)buf, contentType, contentTypeLen); + buf += contentTypeLen; + } + XSTRNCPY((char*)buf, "\r\n\r\n", 4); + buf += 4; + +#ifdef WOLFIO_DEBUG + printf("HTTP %s: %s", reqType, req); +#endif + + /* calculate actual length based on original and new pointer */ + return (int)((char*)buf - req); } -#define SCRATCH_BUFFER_SIZE 512 +#ifdef HAVE_OCSP + +int wolfIO_HttpBuildRequestOcsp(const char* domainName, const char* path, + int ocspReqSz, byte* buf, int bufSize) +{ + return wolfIO_HttpBuildRequest("POST", domainName, path, (int)XSTRLEN(path), + ocspReqSz, "application/ocsp-request", buf, bufSize); +} + +/* return: >0 OCSP Response Size + * -1 error */ +int wolfIO_HttpProcessResponseOcsp(int sfd, byte** respBuf, + byte* httpBuf, int httpBufSz, void* heap) +{ + return wolfIO_HttpProcessResponse(sfd, "application/ocsp-response", + respBuf, httpBuf, httpBufSz, DYNAMIC_TYPE_OCSP, heap); +} /* in default wolfSSL callback ctx is the heap pointer */ int EmbedOcspLookup(void* ctx, const char* url, int urlSz, @@ -1045,19 +1102,19 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz, char* path; char* domainName; #else - char path[80]; - char domainName[80]; + char path[MAX_URL_ITEM_SIZE]; + char domainName[MAX_URL_ITEM_SIZE]; #endif #ifdef WOLFSSL_SMALL_STACK - path = (char*)XMALLOC(80, NULL, DYNAMIC_TYPE_TMP_BUFFER); + path = (char*)XMALLOC(MAX_URL_ITEM_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (path == NULL) - return -1; + return MEMORY_E; - domainName = (char*)XMALLOC(80, NULL, DYNAMIC_TYPE_TMP_BUFFER); + domainName = (char*)XMALLOC(MAX_URL_ITEM_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (domainName == NULL) { XFREE(path, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return -1; + return MEMORY_E; } #endif @@ -1067,37 +1124,37 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz, else if (ocspRespBuf == NULL) { WOLFSSL_MSG("Cannot save OCSP response"); } - else if (decode_url(url, urlSz, domainName, path, &port) < 0) { + else if (wolfIO_DecodeUrl(url, urlSz, domainName, path, &port) < 0) { WOLFSSL_MSG("Unable to decode OCSP URL"); } else { /* Note, the library uses the EmbedOcspRespFree() callback to * free this buffer. */ - int httpBufSz = SCRATCH_BUFFER_SIZE; - byte* httpBuf = (byte*)XMALLOC(httpBufSz, ctx, - DYNAMIC_TYPE_OCSP); + int httpBufSz = HTTP_SCRATCH_BUFFER_SIZE; + byte* httpBuf = (byte*)XMALLOC(httpBufSz, ctx, DYNAMIC_TYPE_OCSP); if (httpBuf == NULL) { WOLFSSL_MSG("Unable to create OCSP response buffer"); } else { - httpBufSz = build_http_request(domainName, path, ocspReqSz, + httpBufSz = wolfIO_HttpBuildRequestOcsp(domainName, path, ocspReqSz, httpBuf, httpBufSz); - if ((tcp_connect(&sfd, domainName, port) != 0) || (sfd <= 0)) { + ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec); + if ((ret != 0) || (sfd <= 0)) { WOLFSSL_MSG("OCSP Responder connection failed"); } - else if ((int)send(sfd, (char*)httpBuf, httpBufSz, 0) != + else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0) != httpBufSz) { WOLFSSL_MSG("OCSP http request failed"); } - else if ((int)send(sfd, (char*)ocspReqBuf, ocspReqSz, 0) != + else if (wolfIO_Send(sfd, (char*)ocspReqBuf, ocspReqSz, 0) != ocspReqSz) { WOLFSSL_MSG("OCSP ocsp request failed"); } else { - ret = process_http_response(sfd, ocspRespBuf, httpBuf, - SCRATCH_BUFFER_SIZE, ctx); + ret = wolfIO_HttpProcessResponseOcsp(sfd, ocspRespBuf, httpBuf, + HTTP_SCRATCH_BUFFER_SIZE, ctx); } close(sfd); @@ -1113,7 +1170,6 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz, return ret; } - /* in default callback ctx is heap hint */ void EmbedOcspRespFree(void* ctx, byte *resp) { @@ -1122,11 +1178,97 @@ void EmbedOcspRespFree(void* ctx, byte *resp) (void)ctx; } +#endif /* HAVE_OCSP */ +#if defined(HAVE_CRL) && defined(HAVE_CRL_IO) + +int wolfIO_HttpBuildRequestCrl(const char* url, int urlSz, + const char* domainName, byte* buf, int bufSize) +{ + return wolfIO_HttpBuildRequest("GET", domainName, url, urlSz, 0, "", + buf, bufSize); +} + +int wolfIO_HttpProcessResponseCrl(WOLFSSL_CRL* crl, int sfd, byte* httpBuf, + int httpBufSz) +{ + int result; + byte *respBuf = NULL; + + result = wolfIO_HttpProcessResponse(sfd, "application/pkix-crl", + &respBuf, httpBuf, httpBufSz, DYNAMIC_TYPE_CRL, crl->heap); + if (result >= 0) { + result = BufferLoadCRL(crl, respBuf, result, SSL_FILETYPE_ASN1); + } + XFREE(respBuf, crl->heap, DYNAMIC_TYPE_CRL); + + return result; +} + +int EmbedCrlLookup(WOLFSSL_CRL* crl, const char* url, int urlSz) +{ + SOCKET_T sfd = 0; + word16 port; + int ret = -1; +#ifdef WOLFSSL_SMALL_STACK + char* domainName; +#else + char domainName[MAX_URL_ITEM_SIZE]; #endif -#endif /* WOLFSSL_USER_IO */ +#ifdef WOLFSSL_SMALL_STACK + domainName = (char*)XMALLOC(MAX_URL_ITEM_SIZE, crl->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (domainName == NULL) { + XFREE(path, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return MEMORY_E; + } +#endif + + if (wolfIO_DecodeUrl(url, urlSz, domainName, NULL, &port) < 0) { + WOLFSSL_MSG("Unable to decode CRL URL"); + } + else { + int httpBufSz = HTTP_SCRATCH_BUFFER_SIZE; + byte* httpBuf = (byte*)XMALLOC(httpBufSz, crl->heap, + DYNAMIC_TYPE_CRL); + if (httpBuf == NULL) { + WOLFSSL_MSG("Unable to create CRL response buffer"); + } + else { + httpBufSz = wolfIO_HttpBuildRequestCrl(url, urlSz, domainName, + httpBuf, httpBufSz); + + ret = wolfIO_TcpConnect(&sfd, domainName, port, io_timeout_sec); + if ((ret != 0) || (sfd <= 0)) { + WOLFSSL_MSG("CRL connection failed"); + } + else if (wolfIO_Send(sfd, (char*)httpBuf, httpBufSz, 0) + != httpBufSz) { + WOLFSSL_MSG("CRL http get failed"); + } + else { + ret = wolfIO_HttpProcessResponseCrl(crl, sfd, httpBuf, + HTTP_SCRATCH_BUFFER_SIZE); + } + + close(sfd); + XFREE(httpBuf, crl->heap, DYNAMIC_TYPE_CRL); + } + } + +#ifdef WOLFSSL_SMALL_STACK + XFREE(domainName, crl->heap, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + return ret; +} +#endif /* HAVE_CRL && HAVE_CRL_IO */ + +#endif /* HAVE_HTTP_CLIENT */ + + WOLFSSL_API void wolfSSL_SetIORecv(WOLFSSL_CTX *ctx, CallbackIORecv CBIORecv) { @@ -1328,5 +1470,5 @@ void wolfSSL_SetIO_NetX(WOLFSSL* ssl, NX_TCP_SOCKET* nxSocket, ULONG waitOption) } #endif /* HAVE_NETX */ -#endif /* WOLFCRYPT_ONLY */ +#endif /* WOLFCRYPT_ONLY */ diff --git a/src/ocsp.c b/src/ocsp.c index 7b69ab466..d481ab676 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -219,9 +219,11 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, ret = OCSP_INVALID_STATUS; } else if (*status) { +#ifndef NO_ASN_TIME if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE) && ((*status)->nextDate[0] != 0) && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER)) +#endif { ret = xstat2err((*status)->status); @@ -244,6 +246,133 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, return ret; } +/* Check that the response for validity. Store result in status. + * + * ocsp Context object for OCSP status. + * response OCSP response message data. + * responseSz Length of OCSP response message data. + * reponseBuffer Buffer object to return the response with. + * status The certificate status object. + * entry The OCSP entry for this certificate. + * returns OCSP_LOOKUP_FAIL when the response is bad and 0 otherwise. + */ +static int CheckResponse(WOLFSSL_OCSP* ocsp, byte* response, int responseSz, + buffer* responseBuffer, CertStatus* status, + OcspEntry* entry, OcspRequest* ocspRequest) +{ +#ifdef WOLFSSL_SMALL_STACK + CertStatus* newStatus; + OcspResponse* ocspResponse; +#else + CertStatus newStatus[1]; + OcspResponse ocspResponse[1]; +#endif + int ret; + int validated = 0; /* ocsp validation flag */ + +#ifdef WOLFSSL_SMALL_STACK + newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + + if (newStatus == NULL || ocspResponse == NULL) { + if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); + return MEMORY_E; + } +#endif + XMEMSET(newStatus, 0, sizeof(CertStatus)); + + InitOcspResponse(ocspResponse, newStatus, response, responseSz); + ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0); + if (ret != 0) { + WOLFSSL_MSG("OcspResponseDecode failed"); + goto end; + } + + if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) { + WOLFSSL_MSG("OcspResponse status bad"); + goto end; + } + if (ocspRequest != NULL) { + ret = CompareOcspReqResp(ocspRequest, ocspResponse); + if (ret != 0) { + goto end; + } + } + + if (responseBuffer) { + responseBuffer->buffer = (byte*)XMALLOC(responseSz, ocsp->cm->heap, + DYNAMIC_TYPE_TMP_BUFFER); + + if (responseBuffer->buffer) { + responseBuffer->length = responseSz; + XMEMCPY(responseBuffer->buffer, response, responseSz); + } + } + + ret = xstat2err(ocspResponse->status->status); + if (ret == 0) { + validated = 1; + } + + if (wc_LockMutex(&ocsp->ocspLock) != 0) { + ret = BAD_MUTEX_E; + goto end; + } + + if (status != NULL) { + if (status->rawOcspResponse) { + XFREE(status->rawOcspResponse, ocsp->cm->heap, + DYNAMIC_TYPE_OCSP_STATUS); + } + + /* Replace existing certificate entry with updated */ + XMEMCPY(status, newStatus, sizeof(CertStatus)); + } + else { + /* Save new certificate entry */ + status = (CertStatus*)XMALLOC(sizeof(CertStatus), + ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS); + if (status != NULL) { + XMEMCPY(status, newStatus, sizeof(CertStatus)); + status->next = entry->status; + entry->status = status; + entry->totalStatus++; + } + } + + if (status && responseBuffer && responseBuffer->buffer) { + status->rawOcspResponse = (byte*)XMALLOC(responseBuffer->length, + ocsp->cm->heap, + DYNAMIC_TYPE_OCSP_STATUS); + + if (status->rawOcspResponse) { + status->rawOcspResponseSz = responseBuffer->length; + XMEMCPY(status->rawOcspResponse, responseBuffer->buffer, + responseBuffer->length); + } + } + + wc_UnLockMutex(&ocsp->ocspLock); + +end: + if (ret == 0 && validated == 1) { + WOLFSSL_MSG("New OcspResponse validated"); + } else if (ret != OCSP_CERT_REVOKED) { + ret = OCSP_LOOKUP_FAIL; + } + +#ifdef WOLFSSL_SMALL_STACK + XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return ret; +} + /* 0 on success */ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, buffer* responseBuffer) @@ -257,15 +386,6 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, const char* url = NULL; int urlSz = 0; int ret = -1; - int validated = 0; /* ocsp validation flag */ - -#ifdef WOLFSSL_SMALL_STACK - CertStatus* newStatus; - OcspResponse* ocspResponse; -#else - CertStatus newStatus[1]; - OcspResponse ocspResponse[1]; -#endif WOLFSSL_ENTER("CheckOcspRequest"); @@ -282,6 +402,22 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, if (ret != OCSP_INVALID_STATUS) return ret; +#ifdef WOLFSSL_NGINX + if (ocsp->statusCb != NULL && ocspRequest->ssl != NULL) { + ret = ocsp->statusCb((WOLFSSL*)ocspRequest->ssl, ocsp->cm->ocspIOCtx); + if (ret == 0) { + ret = wolfSSL_get_ocsp_response((WOLFSSL*)ocspRequest->ssl, + &response); + ret = CheckResponse(ocsp, response, ret, responseBuffer, status, + entry, NULL); + if (response != NULL) + XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL); + return ret; + } + return OCSP_LOOKUP_FAIL; + } +#endif + if (ocsp->cm->ocspUseOverrideURL) { url = ocsp->cm->ocspOverrideURL; if (url != NULL && url[0] != '\0') @@ -304,120 +440,373 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, return MEMORY_ERROR; } -#ifdef WOLFSSL_SMALL_STACK - newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, - DYNAMIC_TYPE_TMP_BUFFER); - ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, - DYNAMIC_TYPE_TMP_BUFFER); - - if (newStatus == NULL || ocspResponse == NULL) { - if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - XFREE(request, NULL, DYNAMIC_TYPE_OCSP); - - WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); - return MEMORY_E; - } -#endif - requestSz = EncodeOcspRequest(ocspRequest, request, requestSz); if (requestSz > 0 && ocsp->cm->ocspIOCb) { responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, request, requestSz, &response); } + XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP); + if (responseSz >= 0 && response) { - XMEMSET(newStatus, 0, sizeof(CertStatus)); - - InitOcspResponse(ocspResponse, newStatus, response, responseSz); - if (OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap) != 0) { - WOLFSSL_MSG("OcspResponseDecode failed"); - } - else if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) { - WOLFSSL_MSG("OcspResponse status bad"); - } - else { - if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) { - if (responseBuffer) { - responseBuffer->buffer = (byte*)XMALLOC(responseSz, - ocsp->cm->heap, DYNAMIC_TYPE_TMP_BUFFER); - - if (responseBuffer->buffer) { - responseBuffer->length = responseSz; - XMEMCPY(responseBuffer->buffer, response, responseSz); - } - } - - /* only way to get to good state */ - ret = xstat2err(ocspResponse->status->status); - if (ret == 0) { - validated = 1; - } - - if (wc_LockMutex(&ocsp->ocspLock) != 0) - ret = BAD_MUTEX_E; - else { - if (status != NULL) { - if (status->rawOcspResponse) - XFREE(status->rawOcspResponse, ocsp->cm->heap, - DYNAMIC_TYPE_OCSP_STATUS); - - /* Replace existing certificate entry with updated */ - XMEMCPY(status, newStatus, sizeof(CertStatus)); - } - else { - /* Save new certificate entry */ - status = (CertStatus*)XMALLOC(sizeof(CertStatus), - ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS); - if (status != NULL) { - XMEMCPY(status, newStatus, sizeof(CertStatus)); - status->next = entry->status; - entry->status = status; - entry->totalStatus++; - } - } - - if (status && responseBuffer && responseBuffer->buffer) { - status->rawOcspResponse = (byte*)XMALLOC( - responseBuffer->length, - ocsp->cm->heap, - DYNAMIC_TYPE_OCSP_STATUS); - - if (status->rawOcspResponse) { - status->rawOcspResponseSz = responseBuffer->length; - XMEMCPY(status->rawOcspResponse, - responseBuffer->buffer, - responseBuffer->length); - } - } - - wc_UnLockMutex(&ocsp->ocspLock); - } - } - } + ret = CheckResponse(ocsp, response, responseSz, responseBuffer, status, + entry, ocspRequest); } -#ifdef WOLFSSL_SMALL_STACK - XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - XFREE(request, NULL, DYNAMIC_TYPE_OCSP); - if (response != NULL && ocsp->cm->ocspRespFreeCb) ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response); - if (ret == 0 && validated == 1) { - WOLFSSL_MSG("New OcspResponse validated"); - } else { - ret = OCSP_LOOKUP_FAIL; - } - WOLFSSL_LEAVE("CheckOcspRequest", ret); return ret; } +#ifdef WOLFSSL_NGINX + +int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs, + WOLFSSL_OCSP_CERTID* id, int* status, int* reason, + WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd, + WOLFSSL_ASN1_TIME** nextupd) +{ + if (bs == NULL || id == NULL) + return SSL_FAILURE; + + /* Only supporting one certificate status in asn.c. */ + if (CompareOcspReqResp(id, bs) != 0) + return SSL_FAILURE; + + if (status != NULL) + *status = bs->status->status; + if (thisupd != NULL) + *thisupd = (WOLFSSL_ASN1_TIME*)bs->status->thisDateAsn; + if (nextupd != NULL) + *nextupd = (WOLFSSL_ASN1_TIME*)bs->status->nextDateAsn; + + /* TODO: Not needed for Nginx. */ + if (reason != NULL) + *reason = 0; + if (revtime != NULL) + *revtime = NULL; + + return SSL_SUCCESS; +} + +const char *wolfSSL_OCSP_cert_status_str(long s) +{ + switch (s) { + case CERT_GOOD: + return "good"; + case CERT_REVOKED: + return "revoked"; + case CERT_UNKNOWN: + return "unknown"; + default: + return "(UNKNOWN)"; + } +} + +int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd, + WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec) +{ + (void)thisupd; + (void)nextupd; + (void)sec; + (void)maxsec; + /* Dates validated in DecodeSingleResponse. */ + return SSL_SUCCESS; +} + +void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId) +{ + FreeOcspRequest(certId); + XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); +} + +WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( + const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject, + const WOLFSSL_X509 *issuer) +{ + WOLFSSL_OCSP_CERTID* certId; + DecodedCert cert; + WOLFSSL_CERT_MANAGER* cm; + int ret; + DerBuffer* derCert = NULL; + + (void)dgst; + + cm = wolfSSL_CertManagerNew(); + if (cm == NULL) + return NULL; + + + ret = AllocDer(&derCert, issuer->derCert->length, + issuer->derCert->type, NULL); + if (ret == 0) { + /* AddCA() frees the buffer. */ + XMEMCPY(derCert->buffer, issuer->derCert->buffer, + issuer->derCert->length); + AddCA(cm, &derCert, WOLFSSL_USER_CA, 1); + } + + certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), NULL, + DYNAMIC_TYPE_OPENSSL); + if (certId != NULL) { + InitDecodedCert(&cert, subject->derCert->buffer, + subject->derCert->length, NULL); + if (ParseCertRelative(&cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) { + XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); + certId = NULL; + } + else + InitOcspRequest(certId, &cert, 0, NULL); + FreeDecodedCert(&cert); + } + + wolfSSL_CertManagerFree(cm); + + return certId; +} + +void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse) +{ + wolfSSL_OCSP_RESPONSE_free(basicResponse); +} + +/* Signature verified in DecodeBasicOcspResponse. + * But no store available to verify certificate. */ +int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, + STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags) +{ + DecodedCert cert; + int ret = SSL_SUCCESS; + + (void)certs; + + if (flags & OCSP_NOVERIFY) + return SSL_SUCCESS; + + InitDecodedCert(&cert, bs->cert, bs->certSz, NULL); + if (ParseCertRelative(&cert, CERT_TYPE, VERIFY, st->cm) < 0) + ret = SSL_FAILURE; + FreeDecodedCert(&cert); + + return ret; +} + +void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response) +{ + if (response->status != NULL) + XFREE(response->status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (response->source != NULL) + XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL); +} + +OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio, + OcspResponse** response) +{ + byte* data; + byte* p; + int len; + int dataAlloced = 0; + OcspResponse* ret; + + if (bio == NULL) + return NULL; + + if (bio->type == BIO_MEMORY) { + len = wolfSSL_BIO_get_mem_data(bio, &data); + if (len <= 0 || data == NULL) { + return NULL; + } + } + else if (bio->type == BIO_FILE) { + long i; + long l; + + i = XFTELL(bio->file); + XFSEEK(bio->file, 0, SEEK_END); + l = XFTELL(bio->file); + XFSEEK(bio->file, i, SEEK_SET); + data = (byte*)XMALLOC(l - i, 0, DYNAMIC_TYPE_TMP_BUFFER); + if (data == NULL) + return NULL; + dataAlloced = 1; + + len = wolfSSL_BIO_read(bio, (char *)data, (int)l); + } + else + return NULL; + + p = data; + ret = wolfSSL_d2i_OCSP_RESPONSE(response, (const unsigned char **)&p, len); + + if (dataAlloced) + XFREE(data, 0, DYNAMIC_TYPE_TMP_BUFFER); + + return ret; +} + +OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, + const unsigned char** data, int len) +{ + OcspResponse *resp = NULL; + word32 idx = 0; + int length = 0; + + if (data == NULL) + return NULL; + + if (response != NULL) + resp = *response; + if (resp == NULL) { + resp = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, + DYNAMIC_TYPE_OPENSSL); + if (resp == NULL) + return NULL; + XMEMSET(resp, 0, sizeof(OcspResponse)); + } + + resp->source = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (resp->source == NULL) { + XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL); + return NULL; + } + resp->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (resp->status == NULL) { + XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL); + return NULL; + } + + XMEMCPY(resp->source, *data, len); + resp->maxIdx = len; + + if (OcspResponseDecode(resp, NULL, NULL, 1) != 0) { + wolfSSL_OCSP_RESPONSE_free(resp); + return NULL; + } + + GetSequence(*data, &idx, &length, len); + (*data) += idx + length; + + return resp; +} + +int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response, + unsigned char** data) +{ + if (data == NULL) + return response->maxIdx; + + XMEMCPY(*data, response->source, response->maxIdx); + return response->maxIdx; +} + +int wolfSSL_OCSP_response_status(OcspResponse *response) +{ + return response->responseStatus; +} + +const char *wolfSSL_OCSP_response_status_str(long s) +{ + switch (s) { + case OCSP_SUCCESSFUL: + return "successful"; + case OCSP_MALFORMED_REQUEST: + return "malformedrequest"; + case OCSP_INTERNAL_ERROR: + return "internalerror"; + case OCSP_TRY_LATER: + return "trylater"; + case OCSP_SIG_REQUIRED: + return "sigrequired"; + case OCSP_UNAUTHROIZED: + return "unauthorized"; + default: + return "(UNKNOWN)"; + } +} + +WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response) +{ + WOLFSSL_OCSP_BASICRESP* bs; + + bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL, + DYNAMIC_TYPE_OPENSSL); + if (bs == NULL) + return NULL; + + XMEMCPY(bs, response, sizeof(OcspResponse)); + bs->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (bs->status == NULL || bs->source == NULL) { + wolfSSL_OCSP_RESPONSE_free(bs); + bs = NULL; + } + XMEMCPY(bs->status, response->status, sizeof(CertStatus)); + XMEMCPY(bs->source, response->source, response->maxIdx); + return bs; +} + +OcspRequest* wolfSSL_OCSP_REQUEST_new(void) +{ + OcspRequest* request; + + request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, + DYNAMIC_TYPE_OPENSSL); + if (request != NULL) + XMEMSET(request, 0, sizeof(OcspRequest)); + + return request; +} + +void wolfSSL_OCSP_REQUEST_free(OcspRequest* request) +{ + FreeOcspRequest(request); + XFREE(request, 0, DYNAMIC_TYPE_OPENSSL); +} + +int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, unsigned char** data) +{ + word32 size; + + size = EncodeOcspRequest(request, NULL, 0); + if (size <= 0 || data == NULL) + return size; + + return EncodeOcspRequest(request, *data, size); +} + +WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req, + WOLFSSL_OCSP_CERTID *cid) +{ + if (req == NULL || cid == NULL) + return NULL; + + FreeOcspRequest(req); + XMEMCPY(req, cid, sizeof(OcspRequest)); + + if (cid->serial != NULL) { + req->serial = (byte*)XMALLOC(cid->serialSz, NULL, + DYNAMIC_TYPE_OCSP_REQUEST); + req->url = (byte*)XMALLOC(cid->urlSz, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + if (req->serial == NULL || req->url == NULL) { + FreeOcspRequest(req); + return NULL; + } + + XMEMCPY(req->serial, cid->serial, cid->serialSz); + XMEMCPY(req->url, cid->url, cid->urlSz); + } + + wolfSSL_OCSP_REQUEST_free(cid); + + return req; +} + +#endif #else /* HAVE_OCSP */ diff --git a/src/ssl.c b/src/ssl.c index 2134752fe..d30a98bd0 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -93,18 +93,6 @@ #include #endif -#ifndef NO_FILESYSTEM - #if !defined(USE_WINDOWS_API) && !defined(NO_WOLFSSL_DIR) \ - && !defined(EBSNET) - #include - #include - #endif - #ifdef EBSNET - #include "vfapi.h" - #include "vfile.h" - #endif -#endif /* NO_FILESYSTEM */ - #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_HAVE_MAX) #define WOLFSSL_HAVE_MAX @@ -529,6 +517,19 @@ int wolfSSL_get_ciphers(char* buf, int len) return SSL_SUCCESS; } +const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf, int len) +{ + const char* cipher; + + if (ssl == NULL) + return NULL; + + cipher = wolfSSL_get_cipher_name_from_suite(ssl->options.cipherSuite0, + ssl->options.cipherSuite); + len = min(len, (int)(XSTRLEN(cipher) + 1)); + XMEMCPY(buf, cipher, len); + return buf; +} int wolfSSL_get_fd(const WOLFSSL* ssl) { @@ -1772,7 +1773,8 @@ WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl, return SSL_SUCCESS; } -WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, byte* buf, word32 bufSz) +WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf, + word32 bufSz) { if (ssl == NULL || (buf == NULL && bufSz > 0)) return BAD_FUNC_ARG; @@ -2062,6 +2064,66 @@ void wolfSSL_FreeArrays(WOLFSSL* ssl) } } +/* Set option to indicate that the resources are not to be freed after + * handshake. + * + * ssl The SSL/TLS object. + * returns BAD_FUNC_ARG when ssl is NULL and 0 on success. + */ +int wolfSSL_KeepHandshakeResources(WOLFSSL* ssl) +{ + if (ssl == NULL) + return BAD_FUNC_ARG; + + ssl->options.keepResources = 1; + + return 0; +} + +/* Free the handshake resources after handshake. + * + * ssl The SSL/TLS object. + * returns BAD_FUNC_ARG when ssl is NULL and 0 on success. + */ +int wolfSSL_FreeHandshakeResources(WOLFSSL* ssl) +{ + if (ssl == NULL) + return BAD_FUNC_ARG; + + FreeHandshakeResources(ssl); + + return 0; +} + +/* Use the client's order of preference when matching cipher suites. + * + * ssl The SSL/TLS context object. + * returns BAD_FUNC_ARG when ssl is NULL and 0 on success. + */ +int wolfSSL_CTX_UseClientSuites(WOLFSSL_CTX* ctx) +{ + if (ctx == NULL) + return BAD_FUNC_ARG; + + ctx->useClientOrder = 1; + + return 0; +} + +/* Use the client's order of preference when matching cipher suites. + * + * ssl The SSL/TLS object. + * returns BAD_FUNC_ARG when ssl is NULL and 0 on success. + */ +int wolfSSL_UseClientSuites(WOLFSSL* ssl) +{ + if (ssl == NULL) + return BAD_FUNC_ARG; + + ssl->options.useClientOrder = 1; + + return 0; +} const byte* wolfSSL_GetMacSecret(WOLFSSL* ssl, int verify) { @@ -2253,7 +2315,6 @@ int wolfSSL_GetHmacSize(WOLFSSL* ssl) #endif /* ATOMIC_USER */ #ifndef NO_CERTS - int AllocDer(DerBuffer** pDer, word32 length, int type, void* heap) { int ret = BAD_FUNC_ARG; @@ -2365,6 +2426,7 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm) #ifdef HAVE_OCSP if (cm->ocsp) FreeOCSP(cm->ocsp, 1); + XFREE(cm->ocspOverrideURL, cm->heap, DYNAMIC_TYPE_URL); #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (cm->ocsp_stapling) @@ -3357,10 +3419,14 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) ret = MEMORY_ERROR; else { signer->keyOID = cert->keyOID; - signer->publicKey = cert->publicKey; - signer->pubKeySize = cert->pubKeySize; - signer->nameLen = cert->subjectCNLen; - signer->name = cert->subjectCN; + if (cert->pubKeyStored) { + signer->publicKey = cert->publicKey; + signer->pubKeySize = cert->pubKeySize; + } + if (cert->subjectCNStored) { + signer->nameLen = cert->subjectCNLen; + signer->name = cert->subjectCN; + } signer->pathLength = cert->pathLength; signer->pathLengthSet = cert->pathLengthSet; #ifndef IGNORE_NAME_CONSTRAINTS @@ -4214,9 +4280,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, else if (ctx) { FreeDer(&ctx->certificate); /* Make sure previous is free'd */ #ifdef KEEP_OUR_CERT - FreeX509(ctx->ourCert); if (ctx->ourCert) { - XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); + if (ctx->ownOurCert) { + FreeX509(ctx->ourCert); + XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); + } ctx->ourCert = NULL; } #endif @@ -4475,6 +4543,25 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, ret = ProcessBuffer(ctx, buff + used, sz - used, format, type, ssl, &consumed, 0); +#ifdef WOLFSSL_WPAS +#ifdef HAVE_CRL + if (ret < 0) { + DerBuffer* der = NULL; + EncryptedInfo info; + + WOLFSSL_MSG("Trying a CRL"); + if (PemToDer(buff + used, sz - used, CRL_TYPE, &der, NULL, &info, + NULL) == 0) { + WOLFSSL_MSG(" Proccessed a CRL"); + wolfSSL_CertManagerLoadCRLBuffer(ctx->cm, der->buffer, + der->length,SSL_FILETYPE_ASN1); + FreeDer(&der); + used += info.consumed; + continue; + } + } +#endif +#endif if (ret < 0) { if(consumed > 0) { /* Made progress in file */ @@ -4625,7 +4712,12 @@ int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options) cm->crl = NULL; return SSL_FAILURE; } + + #ifdef HAVE_CRL_IO + cm->crl->crlIOCb = EmbedCrlLookup; + #endif } + cm->crlEnabled = 1; if (options & WOLFSSL_CRL_CHECKALL) cm->crlCheckAll = 1; @@ -5078,7 +5170,6 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, int ret = SSL_SUCCESS; WOLFSSL_ENTER("wolfSSL_CTX_load_verify_locations"); - (void)path; if (ctx == NULL || (file == NULL && path == NULL) ) return SSL_FAILURE; @@ -5087,95 +5178,35 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, ret = ProcessFile(ctx, file, SSL_FILETYPE_PEM, CA_TYPE, NULL, 0, NULL); if (ret == SSL_SUCCESS && path) { - /* try to load each regular file in path */ - #ifdef USE_WINDOWS_API - WIN32_FIND_DATAA FindFileData; - HANDLE hFind; +#ifndef NO_WOLFSSL_DIR + char* name = NULL; #ifdef WOLFSSL_SMALL_STACK - char* name = NULL; - #else - char name[MAX_FILENAME_SZ]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - name = (char*)XMALLOC(MAX_FILENAME_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); + ReadDirCtx* readCtx = NULL; + readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), ctx->heap, + DYNAMIC_TYPE_TMP_BUFFER); if (name == NULL) return MEMORY_E; - #endif - - XMEMSET(name, 0, MAX_FILENAME_SZ); - XSTRNCPY(name, path, MAX_FILENAME_SZ - 4); - XSTRNCAT(name, "\\*", 3); - - hFind = FindFirstFileA(name, &FindFileData); - if (hFind == INVALID_HANDLE_VALUE) { - WOLFSSL_MSG("FindFirstFile for path verify locations failed"); - #ifdef WOLFSSL_SMALL_STACK - XFREE(name, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return BAD_PATH_ERROR; - } - - do { - if (FindFileData.dwFileAttributes != FILE_ATTRIBUTE_DIRECTORY) { - XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 3); - XSTRNCAT(name, "\\", 2); - XSTRNCAT(name, FindFileData.cFileName, MAX_FILENAME_SZ/2); - - ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, - NULL, 0, NULL); - } - } while (ret == SSL_SUCCESS && FindNextFileA(hFind, &FindFileData)); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(name, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - FindClose(hFind); - #elif !defined(NO_WOLFSSL_DIR) - struct dirent* entry; - DIR* dir = opendir(path); - #ifdef WOLFSSL_SMALL_STACK - char* name = NULL; #else - char name[MAX_FILENAME_SZ]; + ReadDirCtx readCtx[1]; #endif - if (dir == NULL) { - WOLFSSL_MSG("opendir path verify locations failed"); - return BAD_PATH_ERROR; + /* try to load each regular file in path */ + ret = wc_ReadDirFirst(readCtx, path, &name); + while (ret == 0 && name) { + ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, + NULL, 0, NULL); + if (ret != SSL_SUCCESS) + break; + ret = wc_ReadDirNext(readCtx, path, &name); } + wc_ReadDirClose(readCtx); #ifdef WOLFSSL_SMALL_STACK - name = (char*)XMALLOC(MAX_FILENAME_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (name == NULL) { - closedir(dir); - return MEMORY_E; - } - #endif - - while ( ret == SSL_SUCCESS && (entry = readdir(dir)) != NULL) { - struct stat s; - - XMEMSET(name, 0, MAX_FILENAME_SZ); - XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2); - XSTRNCAT(name, "/", 1); - XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); - - if (stat(name, &s) != 0) { - WOLFSSL_MSG("stat on name failed"); - ret = BAD_PATH_ERROR; - } else if (s.st_mode & S_IFREG) - ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, - NULL, 0, NULL); - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(name, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - closedir(dir); + XFREE(readCtx, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif +#else + ret = NOT_COMPILED_IN; +#endif } return ret; @@ -5354,6 +5385,17 @@ int wolfSSL_CertManagerSetCRL_Cb(WOLFSSL_CERT_MANAGER* cm, CbMissingCRL cb) return SSL_SUCCESS; } +#ifdef HAVE_CRL_IO +int wolfSSL_CertManagerSetCRL_IOCb(WOLFSSL_CERT_MANAGER* cm, CbCrlIO cb) +{ + if (cm == NULL) + return BAD_FUNC_ARG; + + cm->crl->crlIOCb = cb; + + return SSL_SUCCESS; +} +#endif int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path, int type, int monitor) @@ -5412,6 +5454,16 @@ int wolfSSL_SetCRL_Cb(WOLFSSL* ssl, CbMissingCRL cb) return BAD_FUNC_ARG; } +#ifdef HAVE_CRL_IO +int wolfSSL_SetCRL_IOCb(WOLFSSL* ssl, CbCrlIO cb) +{ + WOLFSSL_ENTER("wolfSSL_SetCRL_Cb"); + if (ssl) + return wolfSSL_CertManagerSetCRL_IOCb(ssl->ctx->cm, cb); + else + return BAD_FUNC_ARG; +} +#endif int wolfSSL_CTX_EnableCRL(WOLFSSL_CTX* ctx, int options) { @@ -5453,6 +5505,17 @@ int wolfSSL_CTX_SetCRL_Cb(WOLFSSL_CTX* ctx, CbMissingCRL cb) return BAD_FUNC_ARG; } +#ifdef HAVE_CRL_IO +int wolfSSL_CTX_SetCRL_IOCb(WOLFSSL_CTX* ctx, CbCrlIO cb) +{ + WOLFSSL_ENTER("wolfSSL_CTX_SetCRL_IOCb"); + if (ctx) + return wolfSSL_CertManagerSetCRL_IOCb(ctx->cm, cb); + else + return BAD_FUNC_ARG; +} +#endif + #endif /* HAVE_CRL */ @@ -6647,6 +6710,9 @@ int wolfSSL_SetServerID(WOLFSSL* ssl, const byte* id, int len, int newSession) session = GetSessionClient(ssl, id, len); if (session) { if (SetSession(ssl, session) != SSL_SUCCESS) { + #ifdef HAVE_EXT_CACHE + wolfSSL_SESSION_free(session); + #endif WOLFSSL_MSG("SetSession failed"); session = NULL; } @@ -6659,6 +6725,10 @@ int wolfSSL_SetServerID(WOLFSSL* ssl, const byte* id, int len, int newSession) ssl->session.idLen = (word16)min(SERVER_ID_LEN, (word32)len); XMEMCPY(ssl->session.serverID, id, ssl->session.idLen); } + #ifdef HAVE_EXT_CACHE + else + wolfSSL_SESSION_free(session); + #endif return SSL_SUCCESS; } @@ -6986,9 +7056,14 @@ long wolfSSL_CTX_set_session_cache_mode(WOLFSSL_CTX* ctx, long mode) if (mode == SSL_SESS_CACHE_OFF) ctx->sessionCacheOff = 1; - if (mode == SSL_SESS_CACHE_NO_AUTO_CLEAR) + if ((mode & SSL_SESS_CACHE_NO_AUTO_CLEAR) != 0) ctx->sessionCacheFlushOff = 1; +#ifdef HAVE_EXT_CACHE + if ((mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0) + ctx->internalCacheOff = 1; +#endif + return SSL_SUCCESS; } @@ -7935,7 +8010,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif /* NO_HANDSHAKE_DONE_CB */ if (!ssl->options.dtls) { - FreeHandshakeResources(ssl); + if (!ssl->options.keepResources) { + FreeHandshakeResources(ssl); + } } #ifdef WOLFSSL_DTLS else { @@ -8240,7 +8317,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif /* NO_HANDSHAKE_DONE_CB */ if (!ssl->options.dtls) { - FreeHandshakeResources(ssl); + if (!ssl->options.keepResources) { + FreeHandshakeResources(ssl); + } } #ifdef WOLFSSL_DTLS else { @@ -8288,7 +8367,6 @@ int wolfSSL_SetHsDoneCb(WOLFSSL* ssl, HandShakeDoneCb cb, void* user_ctx) #endif /* NO_HANDSHAKE_DONE_CB */ - int wolfSSL_Cleanup(void) { int ret = SSL_SUCCESS; @@ -8374,6 +8452,8 @@ int wolfSSL_set_timeout(WOLFSSL* ssl, unsigned int to) if (ssl == NULL) return BAD_FUNC_ARG; + if (to == 0) + to = WOLFSSL_SESSION_TIMEOUT; ssl->timeout = to; return SSL_SUCCESS; @@ -8386,6 +8466,8 @@ int wolfSSL_CTX_set_timeout(WOLFSSL_CTX* ctx, unsigned int to) if (ctx == NULL) return BAD_FUNC_ARG; + if (to == 0) + to = WOLFSSL_SESSION_TIMEOUT; ctx->timeout = to; return SSL_SUCCESS; @@ -8405,10 +8487,26 @@ WOLFSSL_SESSION* GetSessionClient(WOLFSSL* ssl, const byte* id, int len) WOLFSSL_ENTER("GetSessionClient"); + if (ssl->ctx->sessionCacheOff) + return NULL; + if (ssl->options.side == WOLFSSL_SERVER_END) return NULL; len = min(SERVER_ID_LEN, (word32)len); + +#ifdef HAVE_EXT_CACHE + if (ssl->ctx->get_sess_cb != NULL) { + int copy = 0; + ret = ssl->ctx->get_sess_cb(ssl, (byte*)id, len, ©); + if (ret != NULL) + return ret; + } + + if (ssl->ctx->internalCacheOff) + return NULL; +#endif + row = HashSession(id, len, &error) % SESSION_ROWS; if (error != 0) { WOLFSSL_MSG("Hash session failed"); @@ -8459,6 +8557,32 @@ WOLFSSL_SESSION* GetSessionClient(WOLFSSL* ssl, const byte* id, int len) #endif /* NO_CLIENT_CACHE */ +/* Restore the master secret and session information for certificates. + * + * ssl The SSL/TLS object. + * session The cached session to restore. + * masterSecret The master secret from the cached session. + * restoreSessionCerts Restoring session certificates is required. + */ +static INLINE void RestoreSession(WOLFSSL* ssl, WOLFSSL_SESSION* session, + byte* masterSecret, byte restoreSessionCerts) +{ + (void)ssl; + (void)restoreSessionCerts; + + if (masterSecret) + XMEMCPY(masterSecret, session->masterSecret, SECRET_LEN); +#ifdef SESSION_CERTS + /* If set, we should copy the session certs into the ssl object + * from the session we are returning so we can resume */ + if (restoreSessionCerts) { + ssl->session.chain = session->chain; + ssl->session.version = session->version; + ssl->session.cipherSuite0 = session->cipherSuite0; + ssl->session.cipherSuite = session->cipherSuite; + } +#endif /* SESSION_CERTS */ +} WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret, byte restoreSessionCerts) @@ -8488,6 +8612,21 @@ WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret, else id = ssl->session.sessionID; +#ifdef HAVE_EXT_CACHE + if (ssl->ctx->get_sess_cb != NULL) { + int copy = 0; + /* Attempt to retrieve the session from the external cache. */ + ret = ssl->ctx->get_sess_cb(ssl, (byte*)id, ID_LEN, ©); + if (ret != NULL) { + RestoreSession(ssl, ret, masterSecret, restoreSessionCerts); + return ret; + } + } + + if (ssl->ctx->internalCacheOff) + return NULL; +#endif + row = HashSession(id, ID_LEN, &error) % SESSION_ROWS; if (error != 0) { WOLFSSL_MSG("Hash session failed"); @@ -8517,19 +8656,7 @@ WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret, if (LowResTimer() < (current->bornOn + current->timeout)) { WOLFSSL_MSG("Session valid"); ret = current; - if (masterSecret) - XMEMCPY(masterSecret, current->masterSecret, SECRET_LEN); -#ifdef SESSION_CERTS - /* If set, we should copy the session certs into the ssl object - * from the session we are returning so we can resume */ - if (restoreSessionCerts) { - ssl->session.chain = ret->chain; - ssl->session.version = ret->version; - ssl->session.cipherSuite0 = ret->cipherSuite0; - ssl->session.cipherSuite = ret->cipherSuite; - } -#endif /* SESSION_CERTS */ - + RestoreSession(ssl, ret, masterSecret, restoreSessionCerts); } else { WOLFSSL_MSG("Session timed out"); } @@ -8668,12 +8795,14 @@ static int get_locked_session_stats(word32* active, word32* total, int AddSession(WOLFSSL* ssl) { - word32 row, idx; + word32 row = 0; + word32 idx = 0; int error = 0; #ifdef HAVE_SESSION_TICKET byte* tmpBuff = NULL; int ticLen = 0; #endif + WOLFSSL_SESSION* session; if (ssl->options.sessionCacheOff) return 0; @@ -8686,12 +8815,6 @@ int AddSession(WOLFSSL* ssl) return 0; #endif - row = HashSession(ssl->arrays->sessionID, ID_LEN, &error) % SESSION_ROWS; - if (error != 0) { - WOLFSSL_MSG("Hash session failed"); - return error; - } - #ifdef HAVE_SESSION_TICKET ticLen = ssl->session.ticketLen; /* Alloc Memory here so if Malloc fails can exit outside of lock */ @@ -8703,27 +8826,56 @@ int AddSession(WOLFSSL* ssl) } #endif - if (wc_LockMutex(&session_mutex) != 0) { +#ifdef HAVE_EXT_CACHE + if (ssl->options.internalCacheOff) { + /* Create a new session object to be stored. */ + session = (WOLFSSL_SESSION*)XMALLOC(sizeof(WOLFSSL_SESSION), NULL, + DYNAMIC_TYPE_OPENSSL); + if (session == NULL) { #ifdef HAVE_SESSION_TICKET - XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); + XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); #endif - return BAD_MUTEX_E; + return MEMORY_E; + } + XMEMSET(session, 0, sizeof(WOLFSSL_SESSION)); + session->isAlloced = 1; + } + else +#endif + { + /* Use the session object in the cache for external cache if required. + */ + row = HashSession(ssl->arrays->sessionID, ID_LEN, &error) % + SESSION_ROWS; + if (error != 0) { + WOLFSSL_MSG("Hash session failed"); +#ifdef HAVE_SESSION_TICKET + XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); +#endif + return error; + } + + if (wc_LockMutex(&session_mutex) != 0) { +#ifdef HAVE_SESSION_TICKET + XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); +#endif + return BAD_MUTEX_E; + } + + idx = SessionCache[row].nextIdx++; +#ifdef SESSION_INDEX + ssl->sessionIndex = (row << SESSIDX_ROW_SHIFT) | idx; +#endif + session = &SessionCache[row].Sessions[idx]; } - idx = SessionCache[row].nextIdx++; -#ifdef SESSION_INDEX - ssl->sessionIndex = (row << SESSIDX_ROW_SHIFT) | idx; -#endif + XMEMCPY(session->masterSecret, ssl->arrays->masterSecret, SECRET_LEN); + session->haveEMS = ssl->options.haveEMS; + XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN); + session->sessionIDSz = ssl->arrays->sessionIDSz; - XMEMCPY(SessionCache[row].Sessions[idx].masterSecret, - ssl->arrays->masterSecret, SECRET_LEN); - SessionCache[row].Sessions[idx].haveEMS = ssl->options.haveEMS; - XMEMCPY(SessionCache[row].Sessions[idx].sessionID, ssl->arrays->sessionID, - ID_LEN); - SessionCache[row].Sessions[idx].sessionIDSz = ssl->arrays->sessionIDSz; - - SessionCache[row].Sessions[idx].timeout = ssl->timeout; - SessionCache[row].Sessions[idx].bornOn = LowResTimer(); + session->timeout = ssl->timeout; + session->bornOn = LowResTimer(); #ifdef HAVE_SESSION_TICKET /* Check if another thread modified ticket since alloc */ @@ -8733,32 +8885,28 @@ int AddSession(WOLFSSL* ssl) if (error == 0) { /* Cleanup cache row's old Dynamic buff if exists */ - if(SessionCache[row].Sessions[idx].isDynamic) { - XFREE(SessionCache[row].Sessions[idx].ticket, - ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - SessionCache[row].Sessions[idx].ticket = NULL; + if(session->isDynamic) { + XFREE(session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); + session->ticket = NULL; } /* If too large to store in static buffer, use dyn buffer */ if (ticLen > SESSION_TICKET_LEN) { - SessionCache[row].Sessions[idx].ticket = tmpBuff; - SessionCache[row].Sessions[idx].isDynamic = 1; + session->ticket = tmpBuff; + session->isDynamic = 1; } else { - SessionCache[row].Sessions[idx].ticket = - SessionCache[row].Sessions[idx].staticTicket; - SessionCache[row].Sessions[idx].isDynamic = 0; + session->ticket = session->staticTicket; + session->isDynamic = 0; } } if (error == 0) { - SessionCache[row].Sessions[idx].ticketLen = ticLen; - XMEMCPY(SessionCache[row].Sessions[idx].ticket, - ssl->session.ticket, ticLen); + session->ticketLen = ticLen; + XMEMCPY(session->ticket, ssl->session.ticket, ticLen); } else { /* cleanup, reset state */ - SessionCache[row].Sessions[idx].ticket = - SessionCache[row].Sessions[idx].staticTicket; - SessionCache[row].Sessions[idx].isDynamic = 0; - SessionCache[row].Sessions[idx].ticketLen = 0; + session->ticket = session->staticTicket; + session->isDynamic = 0; + session->ticketLen = 0; if (tmpBuff) { XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); tmpBuff = NULL; @@ -8768,19 +8916,24 @@ int AddSession(WOLFSSL* ssl) #ifdef SESSION_CERTS if (error == 0) { - SessionCache[row].Sessions[idx].chain.count = ssl->session.chain.count; - XMEMCPY(SessionCache[row].Sessions[idx].chain.certs, - ssl->session.chain.certs, sizeof(x509_buffer) * MAX_CHAIN_DEPTH); + session->chain.count = ssl->session.chain.count; + XMEMCPY(session->chain.certs, ssl->session.chain.certs, + sizeof(x509_buffer) * MAX_CHAIN_DEPTH); - SessionCache[row].Sessions[idx].version = ssl->version; - SessionCache[row].Sessions[idx].cipherSuite0 = ssl->options.cipherSuite0; - SessionCache[row].Sessions[idx].cipherSuite = ssl->options.cipherSuite; + session->version = ssl->version; + session->cipherSuite0 = ssl->options.cipherSuite0; + session->cipherSuite = ssl->options.cipherSuite; } #endif /* SESSION_CERTS */ - if (error == 0) { - SessionCache[row].totalCount++; - if (SessionCache[row].nextIdx == SESSIONS_PER_ROW) - SessionCache[row].nextIdx = 0; +#ifdef HAVE_EXT_CACHE + if (!ssl->options.internalCacheOff) +#endif + { + if (error == 0) { + SessionCache[row].totalCount++; + if (SessionCache[row].nextIdx == SESSIONS_PER_ROW) + SessionCache[row].nextIdx = 0; + } } #ifndef NO_CLIENT_CACHE if (error == 0) { @@ -8789,48 +8942,70 @@ int AddSession(WOLFSSL* ssl) WOLFSSL_MSG("Adding client cache entry"); - SessionCache[row].Sessions[idx].idLen = ssl->session.idLen; - XMEMCPY(SessionCache[row].Sessions[idx].serverID, - ssl->session.serverID, ssl->session.idLen); + session->idLen = ssl->session.idLen; + XMEMCPY(session->serverID, ssl->session.serverID, + ssl->session.idLen); - clientRow = HashSession(ssl->session.serverID, ssl->session.idLen, - &error) % SESSION_ROWS; - if (error != 0) { - WOLFSSL_MSG("Hash session failed"); - } else { - clientIdx = ClientCache[clientRow].nextIdx++; +#ifdef HAVE_EXT_CACHE + if (!ssl->options.internalCacheOff) +#endif + { + clientRow = HashSession(ssl->session.serverID, + ssl->session.idLen, &error) % SESSION_ROWS; + if (error != 0) { + WOLFSSL_MSG("Hash session failed"); + } else { + clientIdx = ClientCache[clientRow].nextIdx++; - ClientCache[clientRow].Clients[clientIdx].serverRow = + ClientCache[clientRow].Clients[clientIdx].serverRow = (word16)row; - ClientCache[clientRow].Clients[clientIdx].serverIdx = + ClientCache[clientRow].Clients[clientIdx].serverIdx = (word16)idx; - ClientCache[clientRow].totalCount++; - if (ClientCache[clientRow].nextIdx == SESSIONS_PER_ROW) - ClientCache[clientRow].nextIdx = 0; + ClientCache[clientRow].totalCount++; + if (ClientCache[clientRow].nextIdx == SESSIONS_PER_ROW) + ClientCache[clientRow].nextIdx = 0; + } } } else - SessionCache[row].Sessions[idx].idLen = 0; + session->idLen = 0; } #endif /* NO_CLIENT_CACHE */ #if defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS) - if (error == 0) { - word32 active = 0; +#ifdef HAVE_EXT_CACHE + if (!ssl->options.internalCacheOff) +#endif + { + if (error == 0) { + word32 active = 0; - error = get_locked_session_stats(&active, NULL, NULL); - if (error == SSL_SUCCESS) { - error = 0; /* back to this function ok */ + error = get_locked_session_stats(&active, NULL, NULL); + if (error == SSL_SUCCESS) { + error = 0; /* back to this function ok */ - if (active > PeakSessions) - PeakSessions = active; + if (active > PeakSessions) + PeakSessions = active; + } } } #endif /* defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS) */ - if (wc_UnLockMutex(&session_mutex) != 0) - return BAD_MUTEX_E; +#ifdef HAVE_EXT_CACHE + if (!ssl->options.internalCacheOff) +#endif + { + if (wc_UnLockMutex(&session_mutex) != 0) + return BAD_MUTEX_E; + } + +#ifdef HAVE_EXT_CACHE + if (error == 0 && ssl->ctx->new_sess_cb != NULL) + ssl->ctx->new_sess_cb(ssl, session); + if (ssl->options.internalCacheOff) + wolfSSL_SESSION_free(session); +#endif return error; } @@ -9569,6 +9744,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl) FreeDer(&der); ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap, NULL, NULL); +#ifdef WOLFSSL_WPAS + #ifndef NO_DSA + if (ret < 0) { + ret = PemToDer(buf, sz, DSA_PARAM_TYPE, &der, ctx->heap, + NULL, NULL); + } + #endif +#endif } if (ret == 0) { @@ -9767,15 +9950,71 @@ int wolfSSL_set_compression(WOLFSSL* ssl) void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX* ctx, STACK_OF(WOLFSSL_X509_NAME)* names) { - (void)ctx; - (void)names; + WOLFSSL_ENTER("wolfSSL_SSL_CTX_set_client_CA_list"); + + if (ctx != NULL) + ctx->ca_names = names; } + STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_SSL_CTX_get_client_CA_list( + const WOLFSSL_CTX *s) + { + WOLFSSL_ENTER("wolfSSL_SSL_CTX_get_client_CA_list"); + + if (s == NULL) + return NULL; + + return s->ca_names; + } STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char* fname) { - (void)fname; - return 0; + WOLFSSL_STACK *list = NULL; + WOLFSSL_STACK *node; + WOLFSSL_BIO* bio; + WOLFSSL_X509 *cert = NULL; + WOLFSSL_X509_NAME *subjectName = NULL; + + WOLFSSL_ENTER("wolfSSL_load_client_CA_file"); + + bio = wolfSSL_BIO_new_file(fname, "r"); + if (bio == NULL) + return NULL; + + /* Read each certificate in the chain out of the file. */ + while (wolfSSL_PEM_read_bio_X509(bio, &cert, NULL, NULL) != NULL) { + subjectName = wolfSSL_X509_get_subject_name(cert); + if (subjectName == NULL) + break; + + node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, + DYNAMIC_TYPE_OPENSSL); + if (node == NULL) + break; + + /* Need a persistent copy of the subject name. */ + node->data.name = (WOLFSSL_X509_NAME*)XMALLOC( + sizeof(WOLFSSL_X509_NAME), NULL, DYNAMIC_TYPE_OPENSSL); + if (node->data.name == NULL) { + XFREE(node, NULL, DYNAMIC_TYPE_OPENSSL); + break; + } + XMEMCPY(node->data.name, subjectName, sizeof(WOLFSSL_X509_NAME)); + /* Clear pointers so freeing certificate doesn't free memory. */ + XMEMSET(subjectName, 0, sizeof(WOLFSSL_X509_NAME)); + + /* Put node on the front of the list. */ + node->num = (list == NULL) ? 1 : list->num + 1; + node->next = list; + list = node; + + wolfSSL_X509_free(cert); + cert = NULL; + } + + wolfSSL_X509_free(cert); + wolfSSL_BIO_free(bio); + return list; } @@ -9824,6 +10063,31 @@ int wolfSSL_set_compression(WOLFSSL* ssl) word16 havePSK = 0; WOLFSSL_ENTER("SSL_set_accept_state"); + if (ssl->options.side == WOLFSSL_CLIENT_END) { + #ifdef HAVE_ECC + ecc_key key; + word32 idx = 0; + + if (ssl->options.haveStaticECC && ssl->buffers.key != NULL) { + wc_ecc_init(&key); + if (wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key, + ssl->buffers.key->length) != 0) { + ssl->options.haveECDSAsig = 0; + ssl->options.haveECC = 0; + ssl->options.haveStaticECC = 0; + } + wc_ecc_free(&key); + } + #endif + + #ifndef NO_DH + if (!ssl->options.haveDH && ssl->ctx->haveDH) { + ssl->buffers.serverDH_P = ssl->ctx->serverDH_P; + ssl->buffers.serverDH_G = ssl->ctx->serverDH_G; + ssl->options.haveDH = 1; + } + #endif + } ssl->options.side = WOLFSSL_SERVER_END; /* reset suites in case user switched */ @@ -9887,9 +10151,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) long wolfSSL_CTX_set_options(WOLFSSL_CTX* ctx, long opt) { - /* goahead calls with 0, do nothing */ WOLFSSL_ENTER("SSL_CTX_set_options"); - (void)ctx; + ctx->mask |= opt; return opt; } @@ -10121,12 +10384,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } - int wolfSSL_BIO_get_mem_data(WOLFSSL_BIO* bio, const byte** p) + int wolfSSL_BIO_get_mem_data(WOLFSSL_BIO* bio, void* p) { + WOLFSSL_ENTER("wolfSSL_BIO_get_mem_data"); + if (bio == NULL || p == NULL) return SSL_FATAL_ERROR; - *p = bio->mem; + *(byte **)p = bio->mem; return bio->memLen; } @@ -10241,6 +10506,11 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return (int)XFREAD(buf, 1, len, bio->file); } #endif + if (bio && bio->type == BIO_MEMORY) { + len = min(len, bio->memLen); + XMEMCPY(buf, bio->mem, len); + return len; + } /* already got eof, again is error */ if (bio && front->eof) @@ -10289,6 +10559,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) int ret; WOLFSSL* ssl = 0; WOLFSSL_BIO* front = bio; + byte* p; WOLFSSL_ENTER("wolfSSL_BIO_write"); @@ -10302,6 +10573,32 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } #endif + if (bio && bio->type == BIO_MEMORY) { + /* Make buffer big enough to hold new data. */ + if (bio->mem == NULL) { + bio->mem = (byte*)XMALLOC(len, bio->heap, DYNAMIC_TYPE_OPENSSL); + if (bio->mem == NULL) + return -1; + p = bio->mem; + } + else { + p = (byte*)XMALLOC(len + bio->memLen, bio->heap, + DYNAMIC_TYPE_OPENSSL); + if (p == NULL) + return -1; + XMEMCPY(p, bio->mem, bio->memLen); + XFREE(bio->mem, bio->heap, DYNAMIC_TYPE_OPENSSL); + bio->mem = p; + p += bio->memLen; + } + + /* Put data on the end of the buffer. */ + XMEMCPY(p, data, len); + bio->memLen += len; + + return len; + } + /* already got eof, again is error */ if (bio && front->eof) return SSL_FATAL_ERROR; @@ -10381,8 +10678,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl) unsigned long wolfSSL_ERR_get_error(void) { - /* TODO: */ - return 0; + WOLFSSL_ENTER("wolfSSL_ERR_get_error"); + +#ifdef WOLFSSL_NGINX + { + unsigned long ret = wolfSSL_ERR_peek_error_line_data(NULL, NULL, + NULL, NULL); + wc_RemoveErrorNode(-1); + return ret; + } +#else + return (unsigned long)(0 - NOT_COMPILED_IN); +#endif } #ifndef NO_MD5 @@ -11178,7 +11485,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) /* printf("cipherType=%d\n", ctx->cipherType); */ if (ctx->cipherType == AES_128_CBC_TYPE || (type && XSTRNCMP(type, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_AES_128_CBC); + WOLFSSL_MSG("EVP_AES_128_CBC"); ctx->cipherType = AES_128_CBC_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 16; @@ -11199,7 +11506,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) } else if (ctx->cipherType == AES_192_CBC_TYPE || (type && XSTRNCMP(type, EVP_AES_192_CBC, EVP_AES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_AES_192_CBC); + WOLFSSL_MSG("EVP_AES_192_CBC"); ctx->cipherType = AES_192_CBC_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 24; @@ -11220,7 +11527,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) } else if (ctx->cipherType == AES_256_CBC_TYPE || (type && XSTRNCMP(type, EVP_AES_256_CBC, EVP_AES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_AES_256_CBC); + WOLFSSL_MSG("EVP_AES_256_CBC"); ctx->cipherType = AES_256_CBC_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 32; @@ -11242,7 +11549,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) #ifdef WOLFSSL_AES_COUNTER else if (ctx->cipherType == AES_128_CTR_TYPE || (type && XSTRNCMP(type, EVP_AES_128_CTR, EVP_AES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_AES_128_CTR); + WOLFSSL_MSG("EVP_AES_128_CTR"); ctx->cipherType = AES_128_CTR_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_CTR_MODE; ctx->keyLen = 16; @@ -11263,7 +11570,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) } else if (ctx->cipherType == AES_192_CTR_TYPE || (type && XSTRNCMP(type, EVP_AES_192_CTR, EVP_AES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_AES_192_CTR); + WOLFSSL_MSG("EVP_AES_192_CTR"); ctx->cipherType = AES_192_CTR_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_CTR_MODE; ctx->keyLen = 24; @@ -11284,7 +11591,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) } else if (ctx->cipherType == AES_256_CTR_TYPE || (type && XSTRNCMP(type, EVP_AES_256_CTR, EVP_AES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_AES_256_CTR); + WOLFSSL_MSG("EVP_AES_256_CTR"); ctx->cipherType = AES_256_CTR_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_CTR_MODE; ctx->keyLen = 32; @@ -11306,7 +11613,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) #endif /* WOLFSSL_AES_CTR */ else if (ctx->cipherType == AES_128_ECB_TYPE || (type && XSTRNCMP(type, EVP_AES_128_ECB, EVP_AES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_AES_128_ECB); + WOLFSSL_MSG("EVP_AES_128_ECB"); ctx->cipherType = AES_128_ECB_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; ctx->keyLen = 16; @@ -11322,7 +11629,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) } else if (ctx->cipherType == AES_192_ECB_TYPE || (type && XSTRNCMP(type, EVP_AES_192_ECB, EVP_AES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_AES_192_ECB); + WOLFSSL_MSG("EVP_AES_192_ECB"); ctx->cipherType = AES_192_ECB_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; ctx->keyLen = 24; @@ -11339,7 +11646,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) } else if (ctx->cipherType == AES_256_ECB_TYPE || (type && XSTRNCMP(type, EVP_AES_256_ECB, EVP_AES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_AES_256_ECB); + WOLFSSL_MSG("EVP_AES_256_ECB"); ctx->cipherType = AES_256_ECB_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; ctx->keyLen = 32; @@ -11358,7 +11665,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) #ifndef NO_DES3 if (ctx->cipherType == DES_CBC_TYPE || (type && XSTRNCMP(type, EVP_DES_CBC, EVP_DES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_DES_CBC); + WOLFSSL_MSG("EVP_DES_CBC"); ctx->cipherType = DES_CBC_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 8; @@ -11378,7 +11685,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) #ifdef WOLFSSL_DES_ECB else if (ctx->cipherType == DES_ECB_TYPE || (type && XSTRNCMP(type, EVP_DES_ECB, EVP_DES_SIZE) == 0)) { - WOLFSSL_MSG(EVP_DES_ECB); + WOLFSSL_MSG("EVP_DES_ECB"); ctx->cipherType = DES_ECB_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; ctx->keyLen = 8; @@ -11396,7 +11703,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) else if (ctx->cipherType == DES_EDE3_CBC_TYPE || (type && XSTRNCMP(type, EVP_DES_EDE3_CBC, EVP_DES_EDE3_SIZE) == 0)) { - WOLFSSL_MSG(EVP_DES_EDE3_CBC); + WOLFSSL_MSG("EVP_DES_EDE3_CBC"); ctx->cipherType = DES_EDE3_CBC_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = 24; @@ -11419,7 +11726,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) else if (ctx->cipherType == DES_EDE3_ECB_TYPE || (type && XSTRNCMP(type, EVP_DES_EDE3_ECB, EVP_DES_EDE3_SIZE) == 0)) { - WOLFSSL_MSG(EVP_DES_EDE3_ECB); + WOLFSSL_MSG("EVP_DES_EDE3_ECB"); ctx->cipherType = DES_EDE3_ECB_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_ECB_MODE; ctx->keyLen = 24; @@ -11450,7 +11757,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) #ifdef HAVE_IDEA if (ctx->cipherType == IDEA_CBC_TYPE || (type && XSTRNCMP(type, EVP_IDEA_CBC, EVP_IDEA_SIZE) == 0)) { - WOLFSSL_MSG(EVP_IDEA_CBC); + WOLFSSL_MSG("EVP_IDEA_CBC"); ctx->cipherType = IDEA_CBC_TYPE; ctx->flags = WOLFSSL_EVP_CIPH_CBC_MODE; ctx->keyLen = IDEA_KEY_SIZE; @@ -11969,7 +12276,11 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) void wolfSSL_ERR_clear_error(void) { - /* TODO: */ + WOLFSSL_ENTER("wolfSSL_ERR_clear_error"); + +#if defined(WOLFSSL_NGINX) + wc_ClearErrorNodes(); +#endif } @@ -12101,8 +12412,47 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) int wolfSSL_clear(WOLFSSL* ssl) { - (void)ssl; - /* TODO: GetErrors().Remove(); */ + ssl->options.isClosed = 0; + ssl->options.connReset = 0; + ssl->options.sentNotify = 0; + + ssl->options.serverState = NULL_STATE; + ssl->options.clientState = NULL_STATE; + ssl->options.connectState = CONNECT_BEGIN; + ssl->options.acceptState = ACCEPT_BEGIN; + ssl->options.handShakeState = NULL_STATE; + ssl->options.handShakeDone = 0; + /* ssl->options.processReply = doProcessInit; */ + + ssl->keys.encryptionOn = 0; + XMEMSET(&ssl->msgsReceived, 0, sizeof(ssl->msgsReceived)); + +#ifndef NO_OLD_TLS +#ifndef NO_MD5 + wc_InitMd5(&ssl->hsHashes->hashMd5); +#endif +#ifndef NO_SHA + if (wc_InitSha(&ssl->hsHashes->hashSha) != 0) + return SSL_FAILURE; +#endif +#endif +#ifndef NO_SHA256 + if (wc_InitSha256(&ssl->hsHashes->hashSha256) != 0) + return SSL_FAILURE; +#endif +#ifdef WOLFSSL_SHA384 + if (wc_InitSha384(&ssl->hsHashes->hashSha384) != 0) + return SSL_FAILURE; +#endif +#ifdef WOLFSSL_SHA512 + if (wc_InitSha512(&ssl->hsHashes->hashSha512) != 0) + return SSL_FAILURE; +#endif + +#ifdef KEEP_PEER_CERT + FreeX509(&ssl->peerCert); +#endif + return SSL_SUCCESS; } @@ -12215,14 +12565,61 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) #if defined(KEEP_PEER_CERT) + #ifdef SESSION_CERTS + /* Decode the X509 DER encoded certificate into a WOLFSSL_X509 object. + * + * x509 WOLFSSL_X509 object to decode into. + * in X509 DER data. + * len Length of the X509 DER data. + * returns the new certificate on success, otherwise NULL. + */ + static int DecodeToX509(WOLFSSL_X509* x509, const byte* in, int len) + { + int ret; + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif + + #ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (cert == NULL) + return NULL; + #endif + + /* Create a DecodedCert object and copy fields into WOLFSSL_X509 object. + */ + InitDecodedCert(cert, (byte*)in, len, NULL); + if ((ret = ParseCertRelative(cert, CERT_TYPE, 0, NULL)) == 0) { + InitX509(x509, 0, NULL); + ret = CopyDecodedToX509(x509, cert); + FreeDecodedCert(cert); + } + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + return ret; + } + #endif + WOLFSSL_X509* wolfSSL_get_peer_certificate(WOLFSSL* ssl) { WOLFSSL_ENTER("SSL_get_peer_certificate"); if (ssl->peerCert.issuer.sz) return &ssl->peerCert; - else - return 0; +#ifdef SESSION_CERTS + else if (ssl->session.chain.count > 0) { + if (DecodeToX509(&ssl->peerCert, ssl->session.chain.certs[0].buffer, + ssl->session.chain.certs[0].length) == 0) { + return &ssl->peerCert; + } + } +#endif + return 0; } #endif /* KEEP_PEER_CERT */ @@ -12280,7 +12677,7 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name(WOLFSSL_X509* cert) { WOLFSSL_ENTER("X509_get_issuer_name"); - if(cert) + if (cert && cert->issuer.sz != 0) return &cert->issuer; return NULL; } @@ -12289,7 +12686,7 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert) { WOLFSSL_ENTER("wolfSSL_X509_get_subject_name"); - if(cert) + if (cert && cert->subject.sz != 0) return &cert->subject; return NULL; } @@ -12523,8 +12920,10 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) if (buf != NULL && text != NULL) { textSz = min(textSz, len); - XMEMCPY(buf, text, textSz); - buf[textSz] = '\0'; + if (textSz > 0) { + XMEMCPY(buf, text, textSz - 1); + buf[textSz - 1] = '\0'; + } } WOLFSSL_LEAVE("wolfSSL_X509_NAME_get_text_by_NID", textSz); @@ -12547,7 +12946,8 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) if (name->fullName.fullName && name->fullName.fullNameLen > 0) { switch (nid) { case ASN_COMMON_NAME: - ret = name->fullName.cnIdx; + if (pos != name->fullName.cnIdx) + ret = name->fullName.cnIdx; break; default: WOLFSSL_MSG("NID not yet implemented"); @@ -12904,7 +13304,6 @@ void wolfSSL_sk_X509_free(STACK_OF(WOLFSSL_X509_NAME)* sk) { } #endif /* NO_CERTS && OPENSSL_EXTRA */ - WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const byte* in, int len) { WOLFSSL_X509 *newX509 = NULL; @@ -13170,6 +13569,7 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) ssl->ctx->ourCert = wolfSSL_X509_d2i(NULL, ssl->ctx->certificate->buffer, ssl->ctx->certificate->length); + ssl->ctx->ownOurCert = 1; } return ssl->ctx->ourCert; } @@ -13346,8 +13746,21 @@ int wolfSSL_session_reused(WOLFSSL* ssl) #ifdef OPENSSL_EXTRA void wolfSSL_SESSION_free(WOLFSSL_SESSION* session) { + if (session == NULL) + return; + +#ifdef HAVE_EXT_CACHE + if (session->isAlloced) { + #ifdef HAVE_SESSION_TICKET + if (session->isDynamic) + XFREE(session->ticket, NULL, DYNAMIC_TYPE_SESSION_TICK); + #endif + XFREE(session, NULL, DYNAMIC_TYPE_OPENSSL); + } +#else /* No need to free since cache is static */ (void)session; +#endif } #endif @@ -13453,15 +13866,264 @@ const char* wolfSSL_get_cipher_name(WOLFSSL* ssl) return wolfSSL_get_cipher_name_internal(ssl); } +#ifdef HAVE_ECC +/* Return the name of the curve used for key exchange as a printable string. + * + * ssl The SSL/TLS object. + * returns NULL if ECDH was not used, otherwise the name as a string. + */ +const char* wolfSSL_get_curve_name(WOLFSSL* ssl) +{ + if (ssl == NULL) + return NULL; + if (ssl->specs.kea != ecdhe_psk_kea && + ssl->specs.kea != ecc_diffie_hellman_kea) + return NULL; + if (ssl->ecdhCurveOID == 0) + return NULL; + return wc_ecc_get_name(wc_ecc_get_oid(ssl->ecdhCurveOID, NULL, NULL)); +} +#endif #ifdef OPENSSL_EXTRA -char* wolfSSL_CIPHER_description(WOLFSSL_CIPHER* cipher, char* in, int len) +char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER* cipher, char* in, + int len) { - (void)cipher; - (void)in; - (void)len; - return 0; + char *ret = in; + const char *keaStr, *authStr, *encStr, *macStr; + size_t strLen; + + if (cipher == NULL || in == NULL) + return NULL; + + switch (cipher->ssl->specs.kea) { + case no_kea: + keaStr = "None"; + break; +#ifndef NO_RSA + case rsa_kea: + keaStr = "RSA"; + break; +#endif +#ifndef NO_DH + case diffie_hellman_kea: + keaStr = "DHE"; + break; +#endif + case fortezza_kea: + keaStr = "FZ"; + break; +#ifndef NO_PSK + case psk_kea: + keaStr = "PSK"; + break; + #ifndef NO_DH + case dhe_psk_kea: + keaStr = "DHEPSK"; + break; + #endif + #ifdef HAVE_ECC + case ecdhe_psk_kea: + keaStr = "ECDHEPSK"; + break; + #endif +#endif +#ifdef HAVE_NTRU + case ntru_kea: + keaStr = "NTRU"; + break; +#endif +#ifdef HAVE_ECC + case ecc_diffie_hellman_kea: + keaStr = "ECDHE"; + break; + case ecc_static_diffie_hellman_kea: + keaStr = "ECDH"; + break; +#endif + default: + keaStr = "unknown"; + break; + } + + switch (cipher->ssl->specs.sig_algo) { + case anonymous_sa_algo: + authStr = "None"; + break; +#ifndef NO_RSA + case rsa_sa_algo: + authStr = "RSA"; + break; +#endif +#ifndef NO_DSA + case dsa_sa_algo: + authStr = "DSA"; + break; +#endif +#ifdef HAVE_ECC + case ecc_dsa_sa_algo: + authStr = "ECDSA"; + break; +#endif + default: + authStr = "unknown"; + break; + } + + switch (cipher->ssl->specs.bulk_cipher_algorithm) { + case wolfssl_cipher_null: + encStr = "None"; + break; +#ifndef NO_RC4 + case wolfssl_rc4: + encStr = "RC4(128)"; + break; +#endif +#ifndef NO_DES3 + case wolfssl_triple_des: + encStr = "3DES(168)"; + break; +#endif +#ifdef HAVE_IDEA + case wolfssl_idea: + encStr = "IDEA(128)"; + break; +#endif +#ifndef NO_AES + case wolfssl_aes: + if (cipher->ssl->specs.key_size == 128) + encStr = "AES(128)"; + else if (cipher->ssl->specs.key_size == 256) + encStr = "AES(256)"; + else + encStr = "AES(?)"; + break; + #ifdef HAVE_AESGCM + case wolfssl_aes_gcm: + if (cipher->ssl->specs.key_size == 128) + encStr = "AESGCM(128)"; + else if (cipher->ssl->specs.key_size == 256) + encStr = "AESGCM(256)"; + else + encStr = "AESGCM(?)"; + break; + #endif + #ifdef HAVE_AESCCM + case wolfssl_aes_ccm: + if (cipher->ssl->specs.key_size == 128) + encStr = "AESCCM(128)"; + else if (cipher->ssl->specs.key_size == 256) + encStr = "AESCCM(256)"; + else + encStr = "AESCCM(?)"; + break; + #endif +#endif +#ifdef HAVE_CHACHA + case wolfssl_chacha: + encStr = "CHACHA20/POLY1305(256)"; + break; +#endif +#ifdef HAVE_CAMELLIA + case wolfssl_camellia: + if (cipher->ssl->specs.key_size == 128) + encStr = "Camellia(128)"; + else if (cipher->ssl->specs.key_size == 256) + encStr = "Camellia(256)"; + else + encStr = "Camellia(?)"; + break; +#endif +#if defined(HAVE_HC128) && !defined(NO_HC128) + case wolfssl_hc128: + encStr = "HC128(128)"; + break; +#endif +#if defined(HAVE_RABBIT) && !defined(NO_RABBIT) + case wolfssl_rabbit: + encStr = "RABBIT(128)"; + break; +#endif + default: + encStr = "unknown"; + break; + } + + switch (cipher->ssl->specs.mac_algorithm) { + case no_mac: + macStr = "None"; + break; +#ifndef NO_MD5 + case md5_mac: + macStr = "MD5"; + break; +#endif +#ifndef NO_SHA + case sha_mac: + macStr = "SHA1"; + break; +#endif +#ifdef HAVE_SHA224 + case sha224_mac: + macStr = "SHA224"; + break; +#endif +#ifndef NO_SHA256 + case sha256_mac: + macStr = "SHA256"; + break; +#endif +#ifdef HAVE_SHA384 + case sha384_mac: + macStr = "SHA384"; + break; +#endif +#ifdef HAVE_SHA512 + case sha512_mac: + macStr = "SHA512"; + break; +#endif +#ifdef HAVE_BLAKE2 + case blake2b_mac: + macStr = "BLAKE2b"; + break; +#endif + default: + macStr = "unknown"; + break; + } + + /* Build up the string by copying onto the end. */ + XSTRNCPY(in, wolfSSL_CIPHER_get_name(cipher), len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + + XSTRNCPY(in, " ", len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + XSTRNCPY(in, wolfSSL_get_version(cipher->ssl), len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + + XSTRNCPY(in, " Kx=", len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + XSTRNCPY(in, keaStr, len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + + XSTRNCPY(in, " Au=", len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + XSTRNCPY(in, authStr, len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + + XSTRNCPY(in, " Enc=", len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + XSTRNCPY(in, encStr, len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + + XSTRNCPY(in, " Mac=", len); + in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; + XSTRNCPY(in, macStr, len); + in[len-1] = '\0'; + + return ret; } @@ -13488,15 +14150,6 @@ void wolfSSL_X509_free(WOLFSSL_X509* x509) #endif /* NO_CERTS */ -/* was do nothing */ -/* -void OPENSSL_free(void* buf) -{ - (void)buf; -} -*/ - - int wolfSSL_OCSP_parse_url(char* url, char** host, char** port, char** path, int* ssl) { @@ -13560,7 +14213,8 @@ WOLFSSL_BIO* wolfSSL_BIO_pop(WOLFSSL_BIO* top) int wolfSSL_BIO_pending(WOLFSSL_BIO* bio) { - (void)bio; + if (bio && bio->type == BIO_MEMORY) + return bio->memLen; return 0; } @@ -13691,34 +14345,90 @@ int wolfSSL_X509_LOOKUP_add_dir(WOLFSSL_X509_LOOKUP* lookup, const char* dir, int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup, - const char* file, long len) + const char* file, long type) { +#ifndef NO_FILESYSTEM + int ret = SSL_FAILURE; + XFILE fp; + long sz; + byte* pem = NULL; + WOLFSSL_X509* x509; + + if (type != X509_FILETYPE_PEM) + return BAD_FUNC_ARG; + + fp = XFOPEN(file, "r"); + if (fp == NULL) + return BAD_FUNC_ARG; + + XFSEEK(fp, 0, XSEEK_END); + sz = XFTELL(fp); + XREWIND(fp); + + if (sz <= 0) + goto end; + + pem = (byte*)XMALLOC(sz, 0, DYNAMIC_TYPE_TMP_BUFFER); + if (pem == NULL) { + ret = MEMORY_ERROR; + goto end; + } + + /* Read in file which may be a CRL or certificate. */ + if (XFREAD(pem, (size_t)sz, 1, fp) != 1) + goto end; + + if (XSTRNSTR((char*)pem, BEGIN_X509_CRL, (unsigned int)sz) != NULL) { +#ifdef HAVE_CRL + ret = wolfSSL_CertManagerLoadCRLBuffer(lookup->store->cm, pem, sz, + SSL_FILETYPE_PEM); +#endif + } + else { + x509 = wolfSSL_X509_load_certificate_buffer(pem, (int)sz, + SSL_FILETYPE_PEM); + if (x509 == NULL) + goto end; + ret = wolfSSL_X509_STORE_add_cert(lookup->store, x509); + } + +end: + if (pem != NULL) + XFREE(pem, 0, DYNAMIC_TYPE_TMP_BUFFER); + XFCLOSE(fp); + return ret; +#else (void)lookup; (void)file; - (void)len; - return 0; + (void)type; + return SSL_FAILURE; +#endif } WOLFSSL_X509_LOOKUP_METHOD* wolfSSL_X509_LOOKUP_hash_dir(void) { - return 0; + /* Method implementation in functions. */ + static WOLFSSL_X509_LOOKUP_METHOD meth = { 1 }; + return &meth; } - WOLFSSL_X509_LOOKUP_METHOD* wolfSSL_X509_LOOKUP_file(void) { - return 0; + /* Method implementation in functions. */ + static WOLFSSL_X509_LOOKUP_METHOD meth = { 0 }; + return &meth; } - WOLFSSL_X509_LOOKUP* wolfSSL_X509_STORE_add_lookup(WOLFSSL_X509_STORE* store, WOLFSSL_X509_LOOKUP_METHOD* m) { - (void)store; + /* Method is a dummy value and is not needed. */ (void)m; - return 0; + /* Make sure the lookup has a back reference to the store. */ + store->lookup.store = store; + return &store->lookup; } @@ -13726,7 +14436,7 @@ WOLFSSL_X509_LOOKUP* wolfSSL_X509_STORE_add_lookup(WOLFSSL_X509_STORE* store, WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509** x509) { WOLFSSL_X509* localX509 = NULL; - const unsigned char* mem = NULL; + unsigned char* mem = NULL; int ret; word32 size; @@ -13761,7 +14471,7 @@ WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509** x509) WC_PKCS12* wolfSSL_d2i_PKCS12_bio(WOLFSSL_BIO* bio, WC_PKCS12** pkcs12) { WC_PKCS12* localPkcs12 = NULL; - const unsigned char* mem = NULL; + unsigned char* mem = NULL; int ret; word32 size; @@ -14125,6 +14835,8 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void) XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); store = NULL; } + else + store->isDynamic = 1; } return store; @@ -14133,7 +14845,7 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void) void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) { - if (store != NULL) { + if (store != NULL && store->isDynamic) { if (store->cm != NULL) wolfSSL_CertManagerFree(store->cm); XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); @@ -14198,7 +14910,9 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, ctx->current_cert = x509; ctx->chain = sk; ctx->domain = NULL; +#ifdef HAVE_EX_DATA ctx->ex_data = NULL; +#endif ctx->userCtx = NULL; ctx->error = 0; ctx->error_depth = 0; @@ -14366,20 +15080,49 @@ WOLFSSL_X509_REVOKED* wolfSSL_sk_X509_REVOKED_value( WOLFSSL_ASN1_INTEGER* wolfSSL_X509_get_serialNumber(WOLFSSL_X509* x509) { - (void)x509; - return 0; + WOLFSSL_ASN1_INTEGER* a; + int i = 0; + + WOLFSSL_ENTER("wolfSSL_X509_get_serialNumber"); + + a = (WOLFSSL_ASN1_INTEGER*)XMALLOC(sizeof(WOLFSSL_ASN1_INTEGER), NULL, + DYNAMIC_TYPE_OPENSSL); + if (a == NULL) + return NULL; + + /* Make sure there is space for the data, ASN.1 type and length. */ + if (x509->serialSz > (int)(sizeof(WOLFSSL_ASN1_INTEGER) - 2)) { + XFREE(a, NULL, DYNAMIC_TYPE_OPENSSL); + return NULL; + } + + a->data[i++] = ASN_INTEGER; + a->data[i++] = (unsigned char)x509->serialSz; + XMEMCPY(&a->data[i], x509->serial, x509->serialSz); + + return a; } +#if defined(WOLFSSL_NGINX) int wolfSSL_ASN1_TIME_print(WOLFSSL_BIO* bio, const WOLFSSL_ASN1_TIME* asnTime) { - (void)bio; - (void)asnTime; + char buf[MAX_TIME_STRING_SZ]; + + WOLFSSL_ENTER("wolfSSL_ASN1_TIME_print"); + + if (bio == NULL || asnTime == NULL) + return BAD_FUNC_ARG; + + wolfSSL_ASN1_TIME_to_string((WOLFSSL_ASN1_TIME*)asnTime, buf, sizeof(buf)); + wolfSSL_BIO_write(bio, buf, (int)XSTRLEN(buf)); + return 0; } +#endif -#if defined(WOLFSSL_MYSQL_COMPATIBLE) +#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time, char* buf, int len) { int format; @@ -14428,7 +15171,7 @@ long wolfSSL_ASN1_INTEGER_get(const WOLFSSL_ASN1_INTEGER* i) void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx) { WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_ex_data"); -#if defined(FORTRESS) || defined(HAVE_STUNNEL) +#if defined(HAVE_EX_DATA) || defined(FORTRESS) if (ctx != NULL && idx == 0) return ctx->ex_data; #else @@ -14456,12 +15199,23 @@ void wolfSSL_CTX_set_info_callback(WOLFSSL_CTX* ctx, unsigned long wolfSSL_ERR_peek_error(void) { + WOLFSSL_ENTER("wolfSSL_ERR_peek_error"); + +#ifdef OPENSSL_EXTRA + return wolfSSL_ERR_peek_error_line_data(NULL, NULL, NULL, NULL); +#else return 0; +#endif } int wolfSSL_ERR_GET_REASON(unsigned long err) { +#ifdef WOLFSSL_NGINX + /* Nginx looks for this error to know to stop parsing certificates. */ + if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE)) + return PEM_R_NO_START_LINE; +#endif (void)err; return 0; } @@ -14523,33 +15277,40 @@ unsigned long wolfSSL_set_options(WOLFSSL* ssl, unsigned long op) op |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; } + ssl->options.mask |= op; /* by default cookie exchange is on with DTLS */ - if ((op & SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE) { + if ((ssl->options.mask & SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE) { WOLFSSL_MSG("\tSSL_OP_COOKIE_EXCHANGE : on by default"); } - if ((op & SSL_OP_NO_SSLv2) == SSL_OP_NO_SSLv2) { + if ((ssl->options.mask & SSL_OP_NO_SSLv2) == SSL_OP_NO_SSLv2) { WOLFSSL_MSG("\tSSL_OP_NO_SSLv2 : wolfSSL does not support SSLv2"); } - if ((op & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { + if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_2"); + if (ssl->version.minor == TLSv1_2_MINOR) + ssl->version.minor = TLSv1_1_MINOR; + } + + if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { + WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_1"); + if (ssl->version.minor == TLSv1_1_MINOR) + ssl->version.minor = TLSv1_MINOR; + } + + if ((ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { + WOLFSSL_MSG("\tSSL_OP_NO_TLSv1"); + if (ssl->version.minor == TLSv1_MINOR) + ssl->version.minor = SSLv3_MINOR; + } + + if ((ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { WOLFSSL_MSG("\tSSL_OP_NO_SSLv3"); } - if ((op & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { - WOLFSSL_MSG("\tSSL_OP_NO_TLSv1"); - } - - if ((op & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { - WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_1"); - } - - if ((op & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { - WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_2"); - } - - if ((op & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) { + if ((ssl->options.mask & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) { #ifdef HAVE_LIBZ WOLFSSL_MSG("SSL_OP_NO_COMPRESSION"); ssl->options.usingCompression = 0; @@ -14558,8 +15319,6 @@ unsigned long wolfSSL_set_options(WOLFSSL* ssl, unsigned long op) #endif } - ssl->options.mask |= op; - return ssl->options.mask; } @@ -14681,21 +15440,25 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg) return 0; } -/*** TBD ***/ WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp) { - (void)s; - (void)resp; - return 0; + if (s == NULL || resp == NULL) + return 0; + + *resp = s->ocspResp; + return s->ocspRespSz; } -/*** TBD ***/ -WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, int len) +WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, + unsigned char *resp, int len) { - (void)s; - (void)resp; - (void)len; - return 0; + if (s == NULL) + return SSL_FAILURE; + + s->ocspResp = resp; + s->ocspRespSz = len; + + return SSL_SUCCESS; } @@ -14795,11 +15558,13 @@ long wolfSSL_CTX_sess_number(WOLFSSL_CTX* ctx) #ifndef NO_CERTS long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509) { - byte* chain; + byte* chain = NULL; long chainSz = 0; - int derSz; + int derSz; const byte* der; - int ret; + int ret; + int idx = 0; + DerBuffer *derBuffer = NULL; WOLFSSL_ENTER("wolfSSL_CTX_add_extra_chain_cert"); @@ -14814,37 +15579,61 @@ long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509) return SSL_FAILURE; } - /* adding cert to existing chain */ - if (ctx->certChain != NULL && ctx->certChain->length > 0) { - chainSz += ctx->certChain->length; - } - chainSz += derSz; - - chain = (byte*)XMALLOC(chainSz, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (chain == NULL) { - WOLFSSL_MSG("Memory Error"); - return SSL_FAILURE; - } - - if (ctx->certChain != NULL && ctx->certChain->length > 0) { - XMEMCPY(chain, ctx->certChain->buffer, ctx->certChain->length); - XMEMCPY(chain + ctx->certChain->length, der, derSz); + if (ctx->certificate == NULL) { + /* Process buffer makes first certificate the leaf. */ + ret = ProcessBuffer(ctx, der, derSz, SSL_FILETYPE_ASN1, CERT_TYPE, + NULL, NULL, 1); + if (ret != SSL_SUCCESS) { + WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret); + return SSL_FAILURE; + } } else { - XMEMCPY(chain, der, derSz); - } + /* TODO: Do this elsewhere. */ + ret = AllocDer(&derBuffer, derSz, CERT_TYPE, ctx->heap); + if (ret != 0) { + WOLFSSL_MSG("Memory Error"); + return SSL_FAILURE; + } + XMEMCPY(derBuffer->buffer, der, derSz); + ret = AddCA(ctx->cm, &derBuffer, WOLFSSL_USER_CA, !ctx->verifyNone); + if (ret != SSL_SUCCESS) { + WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret); + return SSL_FAILURE; + } - ret = ProcessBuffer(ctx, chain, chainSz, SSL_FILETYPE_ASN1, CERT_TYPE, - NULL, NULL, 1); - if (ret != SSL_SUCCESS) { - WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret); - XFREE(chain, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); - return SSL_FAILURE; + /* adding cert to existing chain */ + if (ctx->certChain != NULL && ctx->certChain->length > 0) { + chainSz += ctx->certChain->length; + } + chainSz += OPAQUE24_LEN + derSz; + + chain = (byte*)XMALLOC(chainSz, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (chain == NULL) { + WOLFSSL_MSG("Memory Error"); + return SSL_FAILURE; + } + + if (ctx->certChain != NULL && ctx->certChain->length > 0) { + XMEMCPY(chain, ctx->certChain->buffer, ctx->certChain->length); + idx = ctx->certChain->length; + } + c32to24(derSz, chain + idx); + idx += OPAQUE24_LEN, + XMEMCPY(chain + idx, der, derSz); + idx += derSz; + + FreeDer(&ctx->certChain); + ret = AllocDer(&ctx->certChain, idx, CERT_TYPE, ctx->heap); + if (ret == 0) { + XMEMCPY(ctx->certChain->buffer, chain, idx); + } } /* on success WOLFSSL_X509 memory is responsibility of ctx */ wolfSSL_X509_free(x509); - XFREE(chain, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (chain != NULL) + XFREE(chain, ctx->heap, CERT_TYPE); return SSL_SUCCESS; } @@ -15082,6 +15871,47 @@ int wolfSSL_ASN1_UTCTIME_print(WOLFSSL_BIO* bio, const WOLFSSL_ASN1_UTCTIME* a) return 0; } +/* Return the month as a string. + * + * n The number of the month as a two characters (1 based). + * returns the month as a string. + */ +static INLINE const char* MonthStr(const char* n) +{ + static const char monthStr[12][4] = { + "Jan", "Feb", "Mar", "Apr", "May", "Jun", + "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" }; + return monthStr[(n[0] - '0') * 10 + (n[1] - '0') - 1]; +} + +int wolfSSL_ASN1_GENERALIZEDTIME_print(WOLFSSL_BIO* bio, + const WOLFSSL_ASN1_GENERALIZEDTIME* asnTime) +{ + const char* p = (const char *)(asnTime->data + 2); + WOLFSSL_ENTER("wolfSSL_ASN1_GENERALIZEDTIME_print"); + + if (bio == NULL || asnTime == NULL) + return BAD_FUNC_ARG; + + /* GetTimeString not always available. */ + wolfSSL_BIO_write(bio, MonthStr(p + 4), 3); + wolfSSL_BIO_write(bio, " ", 1); + /* Day */ + wolfSSL_BIO_write(bio, p + 6, 2); + wolfSSL_BIO_write(bio, " ", 1); + /* Hour */ + wolfSSL_BIO_write(bio, p + 8, 2); + wolfSSL_BIO_write(bio, ":", 1); + /* Min */ + wolfSSL_BIO_write(bio, p + 10, 2); + wolfSSL_BIO_write(bio, ":", 1); + /* Secs */ + wolfSSL_BIO_write(bio, p + 12, 2); + wolfSSL_BIO_write(bio, " ", 1); + wolfSSL_BIO_write(bio, p, 4); + + return 0; +} int wolfSSL_sk_num(WOLFSSL_X509_REVOKED* rev) { @@ -15102,43 +15932,295 @@ void* wolfSSL_sk_value(WOLFSSL_X509_REVOKED* rev, int i) void wolfSSL_CTX_sess_set_get_cb(WOLFSSL_CTX* ctx, WOLFSSL_SESSION*(*f)(WOLFSSL*, unsigned char*, int, int*)) { +#ifdef HAVE_EXT_CACHE + ctx->get_sess_cb = f; +#else (void)ctx; (void)f; +#endif } void wolfSSL_CTX_sess_set_new_cb(WOLFSSL_CTX* ctx, int (*f)(WOLFSSL*, WOLFSSL_SESSION*)) { +#ifdef HAVE_EXT_CACHE + ctx->new_sess_cb = f; +#else (void)ctx; (void)f; +#endif } void wolfSSL_CTX_sess_set_remove_cb(WOLFSSL_CTX* ctx, void (*f)(WOLFSSL_CTX*, WOLFSSL_SESSION*)) { +#ifdef HAVE_EXT_CACHE + ctx->rem_sess_cb = f; +#else (void)ctx; (void)f; +#endif } +#ifdef HAVE_EXT_CACHE +/* convert 32 bit integer to opaque */ +static INLINE void c32toa(word32 u32, byte* c) +{ + c[0] = (u32 >> 24) & 0xff; + c[1] = (u32 >> 16) & 0xff; + c[2] = (u32 >> 8) & 0xff; + c[3] = u32 & 0xff; +} + +static INLINE void c16toa(word16 u16, byte* c) +{ + c[0] = (u16 >> 8) & 0xff; + c[1] = u16 & 0xff; +} +#endif int wolfSSL_i2d_SSL_SESSION(WOLFSSL_SESSION* sess, unsigned char** p) { + int size = 0; +#ifdef HAVE_EXT_CACHE + int idx = 0; +#ifdef SESSION_CERTS + int i; +#endif + unsigned char *data; + + /* bornOn | timeout | sessionID len | sessionID | masterSecret | haveEMS */ + size += OPAQUE32_LEN + OPAQUE32_LEN + OPAQUE8_LEN + sess->sessionIDSz + + SECRET_LEN + OPAQUE8_LEN; +#ifdef SESSION_CERTS + /* Peer chain */ + size += OPAQUE8_LEN; + for (i = 0; i < sess->chain.count; i++) + size += OPAQUE16_LEN + sess->chain.certs[i].length; + /* Protocol version + cipher suite */ + size += OPAQUE16_LEN + OPAQUE16_LEN; +#endif +#ifndef NO_CLIENT_CACHE + /* ServerID len | ServerID */ + size += OPAQUE16_LEN + sess->idLen; +#endif +#ifdef HAVE_SESSION_TICKET + /* ticket len | ticket */ + size += OPAQUE16_LEN + sess->ticketLen; +#endif + + if (p != NULL) { + if (*p == NULL) + *p = (unsigned char*)XMALLOC(size, NULL, DYNAMIC_TYPE_OPENSSL); + if (*p == NULL) + return 0; + data = *p; + + c32toa(sess->bornOn, data + idx); idx += OPAQUE32_LEN; + c32toa(sess->timeout, data + idx); idx += OPAQUE32_LEN; + data[idx++] = sess->sessionIDSz; + XMEMCPY(data + idx, sess->sessionID, sess->sessionIDSz); + idx += sess->sessionIDSz; + XMEMCPY(data + idx, sess->masterSecret, SECRET_LEN); idx += SECRET_LEN; + data[idx++] = sess->haveEMS; +#ifdef SESSION_CERTS + data[idx++] = sess->chain.count; + for (i = 0; i < sess->chain.count; i++) { + c16toa(sess->chain.certs[i].length, data + idx); + idx += OPAQUE16_LEN; + XMEMCPY(data + idx, sess->chain.certs[i].buffer, + sess->chain.certs[i].length); + idx += sess->chain.certs[i].length; + } + data[idx++] = sess->version.major; + data[idx++] = sess->version.minor; + data[idx++] = sess->cipherSuite0; + data[idx++] = sess->cipherSuite; +#endif +#ifndef NO_CLIENT_CACHE + c16toa(sess->idLen, data + idx); idx += OPAQUE16_LEN; + XMEMCPY(data + idx, sess->serverID, sess->idLen); + idx += sess->idLen; +#endif +#ifdef HAVE_SESSION_TICKET + c16toa(sess->ticketLen, data + idx); idx += OPAQUE16_LEN; + XMEMCPY(data + idx, sess->ticket, sess->ticketLen); + idx += sess->ticketLen; +#endif + } +#endif + (void)sess; (void)p; - return sizeof(WOLFSSL_SESSION); +#ifdef HAVE_EXT_CACHE + (void)idx; +#endif + + return size; } +#ifdef HAVE_EXT_CACHE +/* convert opaque to 16 bit integer */ +static INLINE void ato16(const byte* c, word16* u16) +{ + *u16 = (word16) ((c[0] << 8) | (c[1])); +} +/* convert opaque to 32 bit integer */ +static INLINE void ato32(const byte* c, word32* u32) +{ + *u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3]; +} +#endif + +/* TODO: no function to free new session. */ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess, const unsigned char** p, long i) { + WOLFSSL_SESSION* s = NULL; + int ret = 0; +#if defined(HAVE_EXT_CACHE) + int idx; + byte* data; +#ifdef SESSION_CERTS + int j; + word16 length; +#endif +#endif + (void)p; (void)i; - if (sess) - return *sess; - return NULL; + (void)ret; + + if (sess != NULL) + s = *sess; + +#ifdef HAVE_EXT_CACHE + if (p == NULL || *p == NULL) + return NULL; + + if (s == NULL) { + s = (WOLFSSL_SESSION*)XMALLOC(sizeof(WOLFSSL_SESSION), NULL, + DYNAMIC_TYPE_OPENSSL); + if (s == NULL) + return NULL; + s->isAlloced = 1; + s->isDynamic = 0; + } + + idx = 0; + data = (byte*)*p; + + /* bornOn | timeout | sessionID len */ + if (i < OPAQUE32_LEN + OPAQUE32_LEN + OPAQUE8_LEN) { + ret = BUFFER_ERROR; + goto end; + } + ato32(data + idx, &s->bornOn); idx += OPAQUE32_LEN; + ato32(data + idx, &s->timeout); idx += OPAQUE32_LEN; + s->sessionIDSz = data[idx++]; + + /* sessionID | secret | haveEMS */ + if (i - idx < s->sessionIDSz + SECRET_LEN + OPAQUE8_LEN) { + ret = BUFFER_ERROR; + goto end; + } + XMEMCPY(s->sessionID, data + idx, s->sessionIDSz); + idx += s->sessionIDSz; + XMEMCPY(s->masterSecret, data + idx, SECRET_LEN); idx += SECRET_LEN; + s->haveEMS = data[idx++]; + +#ifdef SESSION_CERTS + /* Certificate chain */ + if (i - idx == 0) { + ret = BUFFER_ERROR; + goto end; + } + s->chain.count = data[idx++]; + for (j = 0; j < s->chain.count; j++) { + if (i - idx < OPAQUE16_LEN) { + ret = BUFFER_ERROR; + goto end; + } + ato16(data + idx, &length); idx += OPAQUE16_LEN; + s->chain.certs[j].length = length; + if (i - idx < length) { + ret = BUFFER_ERROR; + goto end; + } + XMEMCPY(s->chain.certs[j].buffer, data + idx, length); + idx += length; + } + + /* Protocol Version | Cipher suite */ + if (i - idx < OPAQUE16_LEN + OPAQUE16_LEN) { + ret = BUFFER_ERROR; + goto end; + } + s->version.major = data[idx++]; + s->version.minor = data[idx++]; + s->cipherSuite0 = data[idx++]; + s->cipherSuite = data[idx++]; +#endif +#ifndef NO_CLIENT_CACHE + /* ServerID len */ + if (i - idx < OPAQUE16_LEN) { + ret = BUFFER_ERROR; + goto end; + } + ato16(data + idx, &s->idLen); idx += OPAQUE16_LEN; + + /* ServerID */ + if (i - idx < s->idLen) { + ret = BUFFER_ERROR; + goto end; + } + XMEMCPY(s->serverID, data + idx, s->idLen); idx += s->idLen; +#endif +#ifdef HAVE_SESSION_TICKET + /* ticket len */ + if (i - idx < OPAQUE16_LEN) { + ret = BUFFER_ERROR; + goto end; + } + ato16(data + idx, &s->ticketLen); idx += OPAQUE16_LEN; + + /* Dispose of ol dynamic ticket and ensure space for new ticket. */ + if (s->isDynamic) + XFREE(s->ticket, NULL, DYNAMIC_TYPE_SESSION_TICK); + if (s->ticketLen <= SESSION_TICKET_LEN) + s->ticket = s->staticTicket; + else { + s->ticket = (byte*)XMALLOC(s->ticketLen, NULL, + DYNAMIC_TYPE_SESSION_TICK); + if (s->ticket == NULL) { + ret = MEMORY_ERROR; + goto end; + } + s->isDynamic = 1; + } + + /* ticket */ + if (i - idx < s->ticketLen) { + ret = BUFFER_ERROR; + goto end; + } + XMEMCPY(s->ticket, data + idx, s->ticketLen); idx += s->ticketLen; +#endif + (void)idx; + + if (sess != NULL) + *sess = s; + + *p += idx; + +end: + if (ret != 0 && (sess == NULL || *sess != s)) + wolfSSL_SESSION_free(s); +#endif + return s; } @@ -16184,6 +17266,7 @@ WOLFSSL_DH* wolfSSL_DH_new(void) if (wc_InitDhKey(key) != 0) { WOLFSSL_MSG("wolfSSL_DH_new InitDhKey failure"); XFREE(key, NULL, DYNAMIC_TYPE_DH); + XFREE(external, NULL, DYNAMIC_TYPE_DH); return NULL; } external->internal = key; @@ -17585,6 +18668,14 @@ void wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen, } } +int wolfSSL_HMAC_Init_ex(WOLFSSL_HMAC_CTX* ctx, const void* key, int len, + const EVP_MD* md, void* impl) +{ + (void)impl; + wolfSSL_HMAC_Init(ctx, key, len, md); + return 1; +} + void wolfSSL_HMAC_Update(WOLFSSL_HMAC_CTX* ctx, const unsigned char* data, int len) @@ -17872,7 +18963,47 @@ int wolfSSL_EVP_CIPHER_CTX_iv_length(const WOLFSSL_EVP_CIPHER_CTX* ctx) return 0; } +int wolfSSL_EVP_CIPHER_iv_length(const WOLFSSL_EVP_CIPHER* cipher) +{ + const char *name = (const char *)cipher; + WOLFSSL_MSG("wolfSSL_EVP_CIPHER_iv_length"); +#ifndef NO_AES + if ((XSTRNCMP(name, EVP_AES_128_CBC, XSTRLEN(EVP_AES_128_CBC)) == 0) || + (XSTRNCMP(name, EVP_AES_192_CBC, XSTRLEN(EVP_AES_192_CBC)) == 0) || + (XSTRNCMP(name, EVP_AES_256_CBC, XSTRLEN(EVP_AES_256_CBC)) == 0)) { + return AES_BLOCK_SIZE; + } +#ifdef WOLFSSL_AES_COUNTER + if ((XSTRNCMP(name, EVP_AES_128_CTR, XSTRLEN(EVP_AES_128_CTR)) == 0) || + (XSTRNCMP(name, EVP_AES_192_CTR, XSTRLEN(EVP_AES_192_CTR)) == 0) || + (XSTRNCMP(name, EVP_AES_256_CTR, XSTRLEN(EVP_AES_256_CTR)) == 0)) { + return AES_BLOCK_SIZE; + } +#endif +#endif + +#ifndef NO_DES3 + if ((XSTRNCMP(name, EVP_DES_CBC, XSTRLEN(EVP_DES_CBC)) == 0) || + (XSTRNCMP(name, EVP_DES_EDE3_CBC, XSTRLEN(EVP_DES_EDE3_CBC)) == 0)) { + return DES_BLOCK_SIZE; + } +#endif + +#ifdef HAVE_IDEA + if (XSTRNCMP(name, EVP_IDEA_CBC, XSTRLEN(EVP_IDEA_CBC)) == 0) + return IDEA_BLOCK_SIZE; +#endif + + (void)name; + + return 0; +} + +/* Free the dynamically allocated data. + * + * p Pointer to dynamically allocated memory. + */ void wolfSSL_OPENSSL_free(void* p) { WOLFSSL_MSG("wolfSSL_OPENSSL_free"); @@ -18302,7 +19433,8 @@ static int SetECKeyExternal(WOLFSSL_EC_KEY* eckey) key = (ecc_key*)eckey->internal; - /* set group (nid and idx) */ + /* set group (OID, nid and idx) */ + eckey->group->curve_oid = ecc_sets[key->idx].oidSum; eckey->group->curve_nid = ecc_sets[key->idx].id; eckey->group->curve_idx = key->idx; @@ -18476,6 +19608,7 @@ WOLFSSL_EC_KEY *wolfSSL_EC_KEY_new_by_curve_name(int nid) for (x = 0; ecc_sets[x].size != 0; x++) if (ecc_sets[x].id == key->group->curve_nid) { key->group->curve_idx = x; + key->group->curve_oid = ecc_sets[x].oidSum; break; } @@ -18809,6 +19942,7 @@ WOLFSSL_EC_GROUP *wolfSSL_EC_GROUP_new_by_curve_name(int nid) for (x = 0; ecc_sets[x].size != 0; x++) if (ecc_sets[x].id == g->curve_nid) { g->curve_idx = x; + g->curve_oid = ecc_sets[x].oidSum; break; } @@ -20344,10 +21478,13 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) #ifndef NO_CERTS WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, - pem_password_cb *cb, void *u) { + pem_password_cb *cb, void *u) + { +#ifndef NO_FILESYSTEM WOLFSSL_X509* x509 = NULL; - const unsigned char* pem = NULL; + unsigned char* pem = NULL; int pemSz; + int pemAlloced = 0; WOLFSSL_ENTER("wolfSSL_PEM_read_bio_X509"); @@ -20356,12 +21493,45 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return NULL; } - pemSz = wolfSSL_BIO_get_mem_data(bp, &pem); - if (pemSz <= 0 || pem == NULL) { - WOLFSSL_MSG("Issue getting WOLFSSL_BIO mem"); - WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_X509", pemSz); - return NULL; + if (bp->type == BIO_MEMORY) { + pemSz = wolfSSL_BIO_get_mem_data(bp, &pem); + if (pemSz <= 0 || pem == NULL) { + WOLFSSL_MSG("Issue getting WOLFSSL_BIO mem"); + WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_X509", pemSz); + return NULL; + } } + else if (bp->type == BIO_FILE) { + long i; + long l; + + /* Read in next certificate from file but no more. */ + i = XFTELL(bp->file); + XFSEEK(bp->file, 0, SEEK_END); + l = XFTELL(bp->file); + XFSEEK(bp->file, i, SEEK_SET); + pem = (unsigned char*)XMALLOC(l - i, 0, DYNAMIC_TYPE_TMP_BUFFER); + if (pem == NULL) + return NULL; + pemAlloced = 1; + + i = 0; + /* TODO: Inefficient + * reading in one byte at a time until see END_CERT + */ + while ((l = wolfSSL_BIO_read(bp, (char *)&pem[i], 1)) == 1) { + i++; + if (i > 26 && XMEMCMP((char *)&pem[i-26], END_CERT, 25) == 0) + break; + } + #ifdef WOLFSSL_NGINX + if (l == 0) + WOLFSSL_ERROR(SSL_NO_PEM_HEADER); + #endif + pemSz = (int)i; + } + else + return NULL; x509 = wolfSSL_X509_load_certificate_buffer(pem, pemSz, SSL_FILETYPE_PEM); @@ -20370,10 +21540,20 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) *x = x509; } + if (pemAlloced) + XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); + (void)cb; (void)u; return x509; +#else + (void)bp; + (void)x; + (void)cb; + (void)u; + return NULL; +#endif } @@ -20397,7 +21577,16 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) } #endif /* ifndef NO_CERTS */ -#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) +#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(OPENSSL_EXTRA) + #ifndef NO_CERTS + void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name){ + FreeX509Name(name, NULL); + WOLFSSL_ENTER("wolfSSL_X509_NAME_free"); + } + #endif /* NO_CERTS */ +#endif + +#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md) { @@ -20408,13 +21597,41 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return NULL; } - char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x) { - (void)ctx; - (void)x; - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate"); - WOLFSSL_STUB("wolfSSL_CTX_use_certificate"); + char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x) + { + int ret; - return 0; + WOLFSSL_ENTER("wolfSSL_CTX_use_certificate"); + + FreeDer(&ctx->certificate); /* Make sure previous is free'd */ + ret = AllocDer(&ctx->certificate, x->derCert->length, CERT_TYPE, + ctx->heap); + if (ret != 0) + return 0; + + XMEMCPY(ctx->certificate->buffer, x->derCert->buffer, + x->derCert->length); +#ifdef KEEP_OUR_CERT + if (ctx->ourCert != NULL && ctx->ownOurCert) { + FreeX509(ctx->ourCert); + XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); + } + ctx->ourCert = x; + ctx->ownOurCert = 0; +#endif + + /* Update the available options with public keys. */ + switch (x->pubKeyOID) { + case RSAk: + ctx->haveRSA = 1; + break; + case ECDSAk: + ctx->haveECC = 1; + ctx->pkCurveOID = x->pkCurveOID; + break; + } + + return SSL_SUCCESS; } int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name) { @@ -20452,6 +21669,11 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) int i; WOLFSSL_ENTER("wolfSSL_OBJ_osn2nid"); + /* Nginx uses this OpenSSL string. */ + if (XSTRNCMP(sn, "prime256v1", 10) == 0) + sn = "SECP256R1"; + if (XSTRNCMP(sn, "secp384r1", 10) == 0) + sn = "SECP384R1"; /* find based on name and return NID */ for (i = 0; i < ecc_sets[i].size; i++) { if (XSTRNCMP(sn, ecc_sets[i].name, ECC_MAXNAME) == 0) { @@ -20471,6 +21693,14 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) } + void wolfSSL_set_verify_depth(WOLFSSL *ssl, int depth) { + (void)ssl; + (void)depth; + WOLFSSL_ENTER("wolfSSL_set_verify_depth"); + WOLFSSL_STUB("wolfSSL_set_verify_depth"); + + } + void* wolfSSL_get_app_data( const WOLFSSL *ssl) { /* checkout exdata stuff... */ @@ -20527,14 +21757,6 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return NULL; } -#ifndef NO_CERTS - void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name){ - FreeX509Name(name, NULL); - WOLFSSL_ENTER("wolfSSL_X509_NAME_free"); - WOLFSSL_STUB("wolfSSL_X509_NAME_free"); - } -#endif /* NO_CERTS */ - void wolfSSL_sk_X509_NAME_pop_free(STACK_OF(WOLFSSL_X509_NAME)* sk, void f (WOLFSSL_X509_NAME*)){ (void) sk; (void) f; @@ -20574,7 +21796,7 @@ unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line) (void)line; (void)file; -#if defined(DEBUG_WOLFSSL) +#if defined(WOLFSSL_NGINX) || defined(DEBUG_WOLFSSL) { int ret; @@ -20582,6 +21804,10 @@ unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line) WOLFSSL_MSG("Issue peeking at error node in queue"); return 0; } + #ifdef WOLFSSL_NGINX + if (ret == -SSL_NO_PEM_HEADER) + return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; + #endif return (unsigned long)ret; } #else @@ -20609,7 +21835,7 @@ int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) { WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); - #ifdef HAVE_STUNNEL + #ifdef HAVE_EX_DATA if(ctx != NULL && idx < MAX_EX_DATA && idx >= 0) { return ctx->ex_data[idx]; } @@ -20620,24 +21846,26 @@ void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) return NULL; } - int wolfSSL_CTX_get_ex_new_index(long idx, void* arg, void* a, void* b, void* c) { + static int ctx_idx = 0; + WOLFSSL_ENTER("wolfSSL_CTX_get_ex_new_index"); (void)idx; (void)arg; (void)a; (void)b; (void)c; - return 0; + + return ctx_idx++; } int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data) { WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data"); - #ifdef HAVE_STUNNEL + #ifdef HAVE_EX_DATA if (ctx != NULL && idx < MAX_EX_DATA) { ctx->ex_data[idx] = data; @@ -20655,7 +21883,7 @@ int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data) int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) { WOLFSSL_ENTER("wolfSSL_set_ex_data"); -#if defined(FORTRESS) || defined(HAVE_STUNNEL) +#if defined(HAVE_EX_DATA) || defined(FORTRESS) if (ssl != NULL && idx < MAX_EX_DATA) { ssl->ex_data[idx] = data; @@ -20673,20 +21901,23 @@ int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) int wolfSSL_get_ex_new_index(long idx, void* data, void* cb1, void* cb2, void* cb3) { + static int ssl_idx = 0; + WOLFSSL_ENTER("wolfSSL_get_ex_new_index"); (void)idx; (void)data; (void)cb1; (void)cb2; (void)cb3; - return 0; + + return ssl_idx++; } void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) { WOLFSSL_ENTER("wolfSSL_get_ex_data"); -#if defined(FORTRESS) || defined(HAVE_STUNNEL) +#if defined(HAVE_EX_DATA) || defined(FORTRESS) if (ssl != NULL && idx < MAX_EX_DATA && idx >= 0) return ssl->ex_data[idx]; #else @@ -20703,7 +21934,7 @@ WOLFSSL_DSA *wolfSSL_PEM_read_bio_DSAparams(WOLFSSL_BIO *bp, WOLFSSL_DSA **x, WOLFSSL_DSA* dsa; DsaKey* key; int length; - const unsigned char* buf; + unsigned char* buf; word32 bufSz; int ret; word32 idx = 0; @@ -20817,38 +22048,202 @@ int wolfSSL_OBJ_txt2nid(const char* s) { } -WOLFSSL_BIO *wolfSSL_BIO_new_file(const char *filename, const char *mode) { +WOLFSSL_BIO *wolfSSL_BIO_new_file(const char *filename, const char *mode) +{ +#ifndef NO_FILESYSTEM + WOLFSSL_BIO* bio; + XFILE fp; + + WOLFSSL_ENTER("wolfSSL_BIO_new_file"); + + fp = XFOPEN(filename, mode); + if (fp == NULL) + return NULL; + + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); + if (bio == NULL) + return bio; + + if (wolfSSL_BIO_set_fp(bio, fp, BIO_CLOSE) != SSL_SUCCESS) { + wolfSSL_BIO_free(bio); + bio = NULL; + } + + return bio; +#else (void)filename; (void)mode; - WOLFSSL_ENTER("wolfSSL_BIO_new_file"); - WOLFSSL_STUB("wolfSSL_BIO_new_file"); - return NULL; +#endif } -WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bp, WOLFSSL_DH **x, +#ifndef NO_DH +WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bio, WOLFSSL_DH **x, pem_password_cb *cb, void *u) { - (void) bp; - (void) x; - (void) cb; - (void) u; +#ifndef NO_FILESYSTEM + WOLFSSL_DH* localDh = NULL; + unsigned char* mem = NULL; + word32 size; + long sz; + int ret; + DerBuffer *der = NULL; + byte* p = NULL; + byte* g = NULL; + word32 pSz = MAX_DH_SIZE; + word32 gSz = MAX_DH_SIZE; + int memAlloced = 0; WOLFSSL_ENTER("wolfSSL_PEM_read_bio_DHparams"); - WOLFSSL_STUB("wolfSSL_PEM_read_bio_DHparams"); + (void)cb; + (void)u; - return NULL; -} + if (bio == NULL) { + WOLFSSL_MSG("Bad Function Argument bio is NULL"); + return NULL; + } + if (bio->type == BIO_MEMORY) { + /* Use the buffer directly. */ + ret = wolfSSL_BIO_get_mem_data(bio, &mem); + if (mem == NULL || ret <= 0) { + WOLFSSL_MSG("Failed to get data from bio struct"); + goto end; + } + size = ret; + } + else if (bio->type == BIO_FILE) { + /* Read whole file into a new buffer. */ + XFSEEK(bio->file, 0, SEEK_END); + sz = XFTELL(bio->file); + XFSEEK(bio->file, 0, SEEK_SET); + if (sz <= 0L) + goto end; + mem = (unsigned char*)XMALLOC(sz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (mem == NULL) + goto end; + memAlloced = 1; -int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x) { - (void)bp; + if (wolfSSL_BIO_read(bio, (char *)mem, (int)sz) <= 0) + goto end; + size = (word32)sz; + } + else { + WOLFSSL_MSG("BIO type not supported for reading DH parameters"); + goto end; + } + + ret = PemToDer(mem, size, DH_PARAM_TYPE, &der, NULL, NULL, NULL); + if (ret != 0) + goto end; + + /* Use the object passed in, otherwise allocate a new object */ + if (x != NULL) + localDh = *x; + if (localDh == NULL) { + localDh = (WOLFSSL_DH*)XMALLOC(sizeof(WOLFSSL_DH), NULL, + DYNAMIC_TYPE_OPENSSL); + if (localDh == NULL) + goto end; + XMEMSET(localDh, 0, sizeof(WOLFSSL_DH)); + } + + /* Load data in manually */ + p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + g = (byte*)XMALLOC(gSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (p == NULL || g == NULL) + goto end; + + /* Extract the p and g as data from the DER encoded DH parameters. */ + ret = wc_DhParamsLoad(der->buffer, der->length, p, &pSz, g, &gSz); + if (ret != 0) { + if (x != NULL && localDh != *x) + XFREE(localDh, NULL, DYNAMIC_TYPE_OPENSSL); + localDh = NULL; + goto end; + } + + if (x != NULL) + *x = localDh; + + /* Put p and g in as big numbers. */ + if (localDh->p != NULL) { + wolfSSL_BN_free(localDh->p); + localDh->p = NULL; + } + if (localDh->g != NULL) { + wolfSSL_BN_free(localDh->g); + localDh->g = NULL; + } + localDh->p = wolfSSL_BN_bin2bn(p, pSz, NULL); + localDh->g = wolfSSL_BN_bin2bn(g, gSz, NULL); + if (localDh->p == NULL || localDh->g == NULL) { + if (x != NULL && localDh != *x) + wolfSSL_DH_free(localDh); + localDh = NULL; + } + +end: + if (memAlloced) XFREE(mem, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (der != NULL) FreeDer(&der); + XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(g, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return localDh; +#else + (void)bio; (void)x; - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_X509"); - WOLFSSL_STUB("wolfSSL_PEM_write_bio_X509"); + (void)cb; + (void)u; + return NULL; +#endif +} +#endif - return 0; + +int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bio, WOLFSSL_X509 *cert) +{ + byte* certDer; + int derSz; + int pemSz; + int ret; + + WOLFSSL_ENTER("wolfSSL_PEM_write_bio_X509"); + + if (bio == NULL || cert == NULL) { + return SSL_FAILURE; + } + + if (bio->type != BIO_MEMORY) { + WOLFSSL_MSG("BIO type not supported for writing X509 as PEM"); + return SSL_FAILURE; + } + + certDer = cert->derCert->buffer; + derSz = cert->derCert->length; + + /* Get PEM encoded length and allocate memory for it. */ + pemSz = wc_DerToPem(certDer, derSz, NULL, 0, CERT_TYPE); + if (pemSz < 0) { + WOLFSSL_LEAVE("wolfSSL_PEM_write_bio_X509", pemSz); + return SSL_FAILURE; + } + if (bio->mem != NULL) { + XFREE(bio->mem, NULL, DYNAMIC_TYPE_OPENSSL); + } + bio->mem = (byte*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_OPENSSL); + if (bio->mem == NULL) { + return SSL_FAILURE; + } + bio->memLen = pemSz; + + ret = wc_DerToPemEx(certDer, derSz, bio->mem, bio->memLen, NULL, CERT_TYPE); + if (ret < 0) { + WOLFSSL_LEAVE("wolfSSL_PEM_write_bio_X509", ret); + return SSL_FAILURE; + } + + return SSL_SUCCESS; } @@ -20898,7 +22293,7 @@ long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL_DH* dh) /* stunnel compatibility functions*/ -#if defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL) +#if defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)) void WOLFSSL_ERR_remove_thread_state(void* pid) { (void) pid; @@ -20914,10 +22309,12 @@ void wolfSSL_print_all_errors_fp(XFILE *fp) int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) { WOLFSSL_ENTER("wolfSSL_SESSION_set_ex_data"); +#ifdef HAVE_EX_DATA if(session != NULL && idx < MAX_EX_DATA) { session->ex_data[idx] = data; return SSL_SUCCESS; } +#endif return SSL_FAILURE; } @@ -20943,8 +22340,10 @@ int wolfSSL_SESSION_get_ex_new_index(long idx, void* data, void* cb1, void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx) { WOLFSSL_ENTER("wolfSSL_SESSION_get_ex_data"); +#ifdef HAVE_EX_DATA if (session != NULL && idx < MAX_EX_DATA && idx >= 0) return session->ex_data[idx]; +#endif return NULL; } @@ -21000,11 +22399,23 @@ void wolfSSL_ERR_load_crypto_strings(void) unsigned long wolfSSL_ERR_peek_last_error(void) { - unsigned long l = 0UL; WOLFSSL_ENTER("wolfSSL_ERR_peek_last_error"); - WOLFSSL_STUB("wolfSSL_ERR_peek_last_error"); - return l; +#ifdef WOLFSSL_NGINX + { + int ret; + + if ((ret = wc_PeekErrorNode(-1, NULL, NULL, NULL)) < 0) { + WOLFSSL_MSG("Issue peeking at error node in queue"); + return 0; + } + if (ret == -SSL_NO_PEM_HEADER) + return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; + return (unsigned long)ret; + } +#else + return (unsigned long)(0 - NOT_COMPILED_IN); +#endif } @@ -21052,35 +22463,45 @@ int wolfSSL_CIPHER_get_bits(const WOLFSSL_CIPHER *c, int *alg_bits) int wolfSSL_sk_X509_NAME_num(const STACK_OF(WOLFSSL_X509_NAME) *s) { - (void) s; WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_num"); - WOLFSSL_STUB("wolfSSL_sk_X509_NAME_num"); - return SSL_FAILURE; + if (s == NULL) + return -1; + return (int)s->num; } int wolfSSL_sk_X509_num(const STACK_OF(WOLFSSL_X509) *s) { - (void) s; WOLFSSL_ENTER("wolfSSL_sk_X509_num"); - WOLFSSL_STUB("wolfSSL_sk_X509_num"); - return SSL_FAILURE; + if (s == NULL) + return -1; + return (int)s->num; } -int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* nm, +int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, int indent, unsigned long flags) { - (void)bio; - (void)nm; - (void)indent; + int i; (void)flags; WOLFSSL_ENTER("wolfSSL_X509_NAME_print_ex"); - WOLFSSL_STUB("wolfSSL_X509_NAME_print_ex"); - return SSL_FAILURE; + for (i = 0; i < indent; i++) { + if (wolfSSL_BIO_write(bio, " ", 1) != 1) + return SSL_FAILURE; + } + + if (flags == XN_FLAG_RFC2253) { + if (wolfSSL_BIO_write(bio, name->name + 1, name->sz - 2) + != name->sz - 2) + return SSL_FAILURE; + } + else if (wolfSSL_BIO_write(bio, name->name, name->sz) != name->sz) + return SSL_FAILURE; + + return SSL_SUCCESS; } @@ -21117,23 +22538,27 @@ int wolfSSL_get_state(const WOLFSSL* ssl) void* wolfSSL_sk_X509_NAME_value(const STACK_OF(WOLFSSL_X509_NAME)* sk, int i) { - (void)sk; - (void)i; WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_value"); - WOLFSSL_STUB("wolfSSL_sk_X509_NAME_value"); - return NULL; + for (; sk != NULL && i > 0; i--) + sk = sk->next; + + if (i != 0 || sk == NULL) + return NULL; + return sk->data.name; } void* wolfSSL_sk_X509_value(STACK_OF(WOLFSSL_X509)* sk, int i) { - (void)sk; - (void)i; WOLFSSL_ENTER("wolfSSL_sk_X509_value"); - WOLFSSL_STUB("wolfSSL_sk_X509_value"); - return NULL; + for (; sk != NULL && i > 0; i--) + sk = sk->next; + + if (i != 0 || sk == NULL) + return NULL; + return sk->data.x509; } @@ -21251,6 +22676,16 @@ void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX* ctx, CallbackSniRecv cb) ctx->sniRecvCb = cb; } +int wolfSSL_CTX_set_tlsext_servername_callback(WOLFSSL_CTX* ctx, + CallbackSniRecv cb) +{ + WOLFSSL_ENTER("wolfSSL_CTX_set_tlsext_servername_callback"); + if (ctx) { + ctx->sniRecvCb = cb; + return 1; + } + return 0; +} void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX* ctx, void* arg) { @@ -21287,7 +22722,7 @@ void wolfSSL_THREADID_set_numeric(void* id, unsigned long val) } -WOLFSSL_X509* wolfSSL_X509_STORE_get1_certs(WOLFSSL_X509_STORE_CTX* ctx, +STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs(WOLFSSL_X509_STORE_CTX* ctx, WOLFSSL_X509_NAME* name) { WOLFSSL_ENTER("wolfSSL_X509_STORE_get1_certs"); @@ -21308,7 +22743,7 @@ void wolfSSL_sk_X509_pop_free(STACK_OF(WOLFSSL_X509)* sk, void f (WOLFSSL_X509*) #if (defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL)) \ - || defined(WOLFSSL_MYSQL_COMPATIBLE) + || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx) { int mode = 0; @@ -21723,6 +23158,725 @@ int wolfSSL_AsyncPoll(WOLFSSL* ssl, WOLF_EVENT_FLAG flags) } #endif /* WOLFSSL_ASYNC_CRYPT */ +#ifdef OPENSSL_EXTRA +unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line, + const char **data, int *flags) +{ + WOLFSSL_ENTER("wolfSSL_ERR_peek_error_line_data"); + + (void)line; + (void)file; + + /* No data or flags stored - error display only in Nginx. */ + if (data != NULL) { + *data = ""; + } + if (flags != NULL) { + *flags = 0; + } + +#if defined(WOLFSSL_NGINX) + { + int ret = 0; + + while (1) { + if ((ret = wc_PeekErrorNode(-1, file, NULL, line)) < 0) { + WOLFSSL_MSG("Issue peeking at error node in queue"); + return 0; + } + ret = -ret; + + if (ret == SSL_NO_PEM_HEADER) + return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; + if (ret != WANT_READ && ret != WANT_WRITE && + ret != ZERO_RETURN && ret != SSL_ERROR_ZERO_RETURN && + ret != SOCKET_PEER_CLOSED_E && ret != SOCKET_ERROR_E) + break; + + wc_RemoveErrorNode(-1); + } + + return (unsigned long)ret; + } +#else + return (unsigned long)(0 - NOT_COMPILED_IN); +#endif +} +#endif + +#ifdef WOLFSSL_NGINX +void wolfSSL_OPENSSL_config(char *config_name) +{ + WOLFSSL_STUB("wolfSSL_OPENSSL_config"); + (void)config_name; +} + +int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c) +{ + static int x509_idx = 0; + + WOLFSSL_ENTER("wolfSSL_X509_get_ex_new_index"); + (void)idx; + (void)arg; + (void)a; + (void)b; + (void)c; + + return x509_idx++; +} + +void *wolfSSL_X509_get_ex_data(X509 *x509, int idx) +{ + WOLFSSL_ENTER("wolfSSL_X509_get_ex_data"); + #ifdef HAVE_EX_DATA + if (x509 != NULL && idx < MAX_EX_DATA && idx >= 0) { + return x509->ex_data[idx]; + } + #else + (void)x509; + (void)idx; + #endif + return NULL; +} +int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data) +{ + WOLFSSL_ENTER("wolfSSL_X509_set_ex_data"); + #ifdef HAVE_EX_DATA + if (x509 != NULL && idx < MAX_EX_DATA) + { + x509->ex_data[idx] = data; + return SSL_SUCCESS; + } + #else + (void)x509; + (void)idx; + (void)data; + #endif + return SSL_FAILURE; +} +int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *name, + const WOLFSSL_EVP_MD *type, unsigned char *md, unsigned int *len) +{ + WOLFSSL_ENTER("wolfSSL_X509_NAME_digest"); + + if (name == NULL || type == NULL) + return SSL_FAILURE; + + return wolfSSL_EVP_Digest((unsigned char*)name->fullName.fullName, + name->fullName.fullNameLen, md, len, type, NULL); +} + +long wolfSSL_SSL_CTX_get_timeout(const WOLFSSL_CTX *ctx) +{ + WOLFSSL_ENTER("wolfSSL_SSL_CTX_get_timeout"); + + if (ctx == NULL) + return 0; + + return ctx->timeout; +} + +#ifdef HAVE_ECC +int wolfSSL_SSL_CTX_set_tmp_ecdh(WOLFSSL_CTX *ctx, WOLFSSL_EC_KEY *ecdh) +{ + WOLFSSL_ENTER("wolfSSL_SSL_CTX_set_tmp_ecdh"); + + if (ctx == NULL || ecdh == NULL) + return BAD_FUNC_ARG; + + ctx->ecdhCurveOID = ecdh->group->curve_oid; + + return SSL_SUCCESS; +} +#endif + +/* Assumes that the session passed in is from the cache. */ +int wolfSSL_SSL_CTX_remove_session(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *s) +{ + WOLFSSL_ENTER("wolfSSL_SSL_CTX_remove_session"); + + if (ctx == NULL || s == NULL) + return BAD_FUNC_ARG; + +#ifdef HAVE_EXT_CACHE + if (!ctx->internalCacheOff) +#endif + { + /* Don't remove session just timeout session. */ + s->timeout = 0; + } + +#ifdef HAVE_EXT_CACHE + if (ctx->rem_sess_cb != NULL) + ctx->rem_sess_cb(ctx, s); +#endif + + return 0; +} + +BIO *wolfSSL_SSL_get_rbio(const WOLFSSL *s) +{ + WOLFSSL_ENTER("wolfSSL_SSL_get_rbio"); + (void)s; + /* Nginx sets the buffer size if the read BIO is different to write BIO. + * The setting buffer size doesn't do anything so return NULL for both. + */ + return NULL; +} +BIO *wolfSSL_SSL_get_wbio(const WOLFSSL *s) +{ + WOLFSSL_ENTER("wolfSSL_SSL_get_wbio"); + (void)s; + /* Nginx sets the buffer size if the read BIO is different to write BIO. + * The setting buffer size doesn't do anything so return NULL for both. + */ + return NULL; +} + +int wolfSSL_SSL_do_handshake(WOLFSSL *s) +{ + WOLFSSL_ENTER("wolfSSL_SSL_do_handshake"); + + if (s == NULL) + return SSL_FAILURE; + + if (s->options.side == WOLFSSL_CLIENT_END) + return wolfSSL_connect(s); + return wolfSSL_accept(s); +} + +int wolfSSL_SSL_in_init(WOLFSSL *s) +{ + WOLFSSL_ENTER("wolfSSL_SSL_in_init"); + + if (s == NULL) + return SSL_FAILURE; + + if (s->options.side == WOLFSSL_CLIENT_END) + return s->options.connectState < SECOND_REPLY_DONE; + return s->options.acceptState < ACCEPT_THIRD_REPLY_DONE; +} + +WOLFSSL_SESSION *wolfSSL_SSL_get0_session(const WOLFSSL *ssl) +{ + WOLFSSL_SESSION *session; + + WOLFSSL_ENTER("wolfSSL_SSL_get0_session"); + + if (ssl == NULL) { + return NULL; + } + + session = wolfSSL_get_session((WOLFSSL*)ssl); + +#ifdef HAVE_EXT_CACHE + ((WOLFSSL*)ssl)->extSession = session; +#endif + + return session; +} + +int wolfSSL_X509_check_host(X509 *x, const char *chk, size_t chklen, + unsigned int flags, char **peername) +{ + int ret; + DecodedCert dCert; + + WOLFSSL_ENTER("wolfSSL_X509_check_host"); + + /* flags and peername not needed for Nginx. */ + (void)flags; + (void)peername; + + InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL); + ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL); + if (ret != 0) + return SSL_FAILURE; + + ret = CheckHostName(&dCert, (char *)chk, chklen); + FreeDecodedCert(&dCert); + if (ret != 0) + return SSL_FAILURE; + return SSL_SUCCESS; +} + +int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a) +{ + static char num[16] = { '0', '1', '2', '3', '4', '5', '6', '7', + '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; + int i; + word32 j; + word32 len = 0; + + WOLFSSL_ENTER("wolfSSL_i2a_ASN1_INTEGER"); + + if (bp == NULL || a == NULL) + return SSL_FAILURE; + + /* Skip ASN.1 INTEGER (type) byte. */ + i = 1; + /* When indefinte length, can't determine length with data available. */ + if (a->data[i] == 0x80) + return 0; + /* One length byte if less than 0x80. */ + if (a->data[i] < 0x80) + len = a->data[i++]; + /* Multiple length byte if greater than 0x80. */ + else if (a->data[i] > 0x80) { + switch (a->data[i++] - 0x80) { + case 4: + len |= a->data[i++] << 24; + case 3: + len |= a->data[i++] << 16; + case 2: + len |= a->data[i++] << 8; + case 1: + len |= a->data[i++]; + break; + default: + /* Not supporting greater than 4 bytes of length. */ + return 0; + } + } + + /* Zero length integer is the value zero. */ + if (len == 0) { + wolfSSL_BIO_write(bp, "00", 2); + return 2; + } + + /* Don't do negative - just write out every byte. */ + for (j = 0; j < len; i++,j++) { + wolfSSL_BIO_write(bp, &num[a->data[i] >> 4], 1); + wolfSSL_BIO_write(bp, &num[a->data[i] & 0xf], 1); + } + + /* Two nibbles written for each byte. */ + return len * 2; +} + + +#ifdef HAVE_SESSION_TICKET +/* Expected return values from implementations of OpenSSL ticket key callback. + */ +#define TICKET_KEY_CB_RET_FAILURE -1 +#define TICKET_KEY_CB_RET_NOT_FOUND 0 +#define TICKET_KEY_CB_RET_OK 1 +#define TICKET_KEY_CB_RET_RENEW 2 + +/* The ticket key callback as used in OpenSSL is stored here. */ +static int (*ticketKeyCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv, + WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc) = NULL; + +/* Implementation of session ticket encryption/decryption using OpenSSL + * callback to initialize the cipher and HMAC. + * + * ssl The SSL/TLS object. + * keyName The key name - used to identify the key to be used. + * iv The IV to use. + * mac The MAC of the encrypted data. + * enc Encrypt ticket. + * encTicket The ticket data. + * encTicketLen The length of the ticket data. + * encLen The encrypted/decrypted ticket length - output length. + * ctx Ignored. Application specific data. + * returns WOLFSSL_TICKET_RET_OK to indicate success, + * WOLFSSL_TICKET_RET_CREATE if a new ticket is required and + * WOLFSSL_TICKET_RET_FATAL on error. + */ +static int wolfSSL_TicketKeyCb(WOLFSSL* ssl, + unsigned char keyName[WOLFSSL_TICKET_NAME_SZ], + unsigned char iv[WOLFSSL_TICKET_IV_SZ], + unsigned char mac[WOLFSSL_TICKET_MAC_SZ], + int enc, unsigned char* encTicket, + int encTicketLen, int* encLen, void* ctx) +{ + byte digest[MAX_DIGEST_SIZE]; + WOLFSSL_EVP_CIPHER_CTX evpCtx; + WOLFSSL_HMAC_CTX hmacCtx; + unsigned int mdSz = 0; + int len = 0; + int ret = WOLFSSL_TICKET_RET_FATAL; + int res; + + (void)ctx; + + if (ticketKeyCb == NULL) + return WOLFSSL_TICKET_RET_FATAL; + + wolfSSL_EVP_CIPHER_CTX_init(&evpCtx); + /* Initialize the cipher and HMAC. */ + res = ticketKeyCb(ssl, keyName, iv, &evpCtx, &hmacCtx, enc); + if (res != TICKET_KEY_CB_RET_OK && res != TICKET_KEY_CB_RET_RENEW) + return WOLFSSL_TICKET_RET_FATAL; + + if (enc) + { + /* Encrypt in place. */ + if (!wolfSSL_EVP_CipherUpdate(&evpCtx, encTicket, &len, + encTicket, encTicketLen)) + goto end; + encTicketLen = len; + if (!wolfSSL_EVP_EncryptFinal(&evpCtx, &encTicket[encTicketLen], &len)) + goto end; + /* Total length of encrypted data. */ + encTicketLen += len; + *encLen = encTicketLen; + + /* HMAC the encrypted data into the parameter 'mac'. */ + wolfSSL_HMAC_Update(&hmacCtx, encTicket, encTicketLen); + wolfSSL_HMAC_Final(&hmacCtx, mac, &mdSz); + } + else + { + /* HMAC the encrypted data and compare it to the passed in data. */ + wolfSSL_HMAC_Update(&hmacCtx, encTicket, encTicketLen); + wolfSSL_HMAC_Final(&hmacCtx, digest, &mdSz); + if (XMEMCMP(mac, digest, mdSz) != 0) + goto end; + + /* Decrypt the ticket data in place. */ + if (!wolfSSL_EVP_CipherUpdate(&evpCtx, encTicket, &len, + encTicket, encTicketLen)) + goto end; + encTicketLen = len; + if (!wolfSSL_EVP_DecryptFinal(&evpCtx, &encTicket[encTicketLen], &len)) + goto end; + /* Total length of decrypted data. */ + *encLen = encTicketLen + len; + } + + ret = (res == TICKET_KEY_CB_RET_RENEW) ? WOLFSSL_TICKET_RET_CREATE : + WOLFSSL_TICKET_RET_OK; +end: + return ret; +} + +/* Set the callback to use when encrypting/decrypting tickets. + * + * ctx The SSL/TLS context object. + * cb The OpenSSL session ticket callback. + * returns SSL_SUCCESS to indicate success. + */ +int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *ctx, int (*cb)( + WOLFSSL *ssl, unsigned char *name, unsigned char *iv, + WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc)) +{ + /* Store callback in a global. */ + ticketKeyCb = cb; + /* Set the ticket encryption callback to be a wrapper around OpenSSL + * callback. + */ + ctx->ticketEncCb = wolfSSL_TicketKeyCb; + + return SSL_SUCCESS; +} +#endif /* HAVE_SESSION_TICKET */ + +#ifdef HAVE_OCSP +/* Not an OpenSSL API. */ +int wolfSSL_get_ocsp_response(WOLFSSL* ssl, byte** response) +{ + *response = ssl->ocspResp; + return ssl->ocspRespSz; +} + +/* Not an OpenSSL API. */ +char* wolfSSL_get_ocsp_url(WOLFSSL* ssl) +{ + return ssl->url; +} + +/* Not an OpenSSL API. */ +int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url) +{ + if (ssl == NULL) + return SSL_FAILURE; + + ssl->url = url; + return SSL_SUCCESS; +} + +static INLINE void ato24(const byte* c, word32* u24) +{ + *u24 = (c[0] << 16) | (c[1] << 8) | c[2]; +} + +int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, STACK_OF(X509)** chain) +{ + word32 idx; + word32 length; + WOLFSSL_STACK* node; + WOLFSSL_STACK* last = NULL; + + if (ctx == NULL || chain == NULL) { + chain = NULL; + return SSL_FAILURE; + } + if (ctx->x509Chain != NULL) { + *chain = ctx->x509Chain; + return SSL_SUCCESS; + } + + /* If there are no chains then success! */ + *chain = NULL; + if (ctx->certChain == NULL || ctx->certChain->length == 0) { + return SSL_SUCCESS; + } + + /* Create a new stack of WOLFSSL_X509 object from chain buffer. */ + for (idx = 0; idx < ctx->certChain->length; ) { + node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, + DYNAMIC_TYPE_OPENSSL); + if (node == NULL) + return SSL_FAILURE; + node->next = NULL; + + /* 3 byte length | X509 DER data */ + ato24(ctx->certChain->buffer + idx, &length); + idx += 3; + + /* Create a new X509 from DER encoded data. */ + node->data.x509 = wolfSSL_X509_d2i(NULL, ctx->certChain->buffer + idx, + length); + if (node->data.x509 == NULL) { + XFREE(node, NULL, DYNAMIC_TYPE_OPENSSL); + /* Return as much of the chain as we created. */ + ctx->x509Chain = *chain; + return SSL_FAILURE; + } + idx += length; + + /* Add object to the end of the stack. */ + if (last == NULL) { + node->num = 1; + *chain = node; + } + else { + (*chain)->num++; + last->next = node; + } + + last = node; + } + + ctx->x509Chain = *chain; + + return SSL_SUCCESS; +} + +int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, + int(*cb)(WOLFSSL*, void*)) +{ + if (ctx == NULL || ctx->cm == NULL) + return SSL_FAILURE; + + /* Ensure stapling is on for callback to be used. */ + wolfSSL_CTX_EnableOCSPStapling(ctx); + + if (ctx->cm->ocsp_stapling == NULL) + return SSL_FAILURE; + + ctx->cm->ocsp_stapling->statusCb = cb; + return SSL_SUCCESS; +} + +int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, + WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x) +{ + WOLFSSL_STACK* node; + Signer* ca = NULL; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; +#else + DecodedCert cert[1]; +#endif + + if (issuer == NULL || ctx == NULL || x == NULL) + return SSL_FATAL_ERROR; + + if (ctx->chain != NULL) { + for (node = ctx->chain; node != NULL; node = node->next) { + if (wolfSSL_X509_check_issued(node->data.x509, x) == X509_V_OK) { + *issuer = x; + return SSL_SUCCESS; + } + } + } + + +#ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (cert == NULL) + return NULL; +#endif + + /* Use existing CA retrieval APIs that use DecodedCert. */ + InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, NULL); + if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0) { + #ifndef NO_SKID + if (cert->extAuthKeyIdSet) + ca = GetCA(ctx->store->cm, cert->extAuthKeyId); + if (ca == NULL) + ca = GetCAByName(ctx->store->cm, cert->issuerHash); + #else /* NO_SKID */ + ca = GetCA(ctx->store->cm, cert->issuerHash); + #endif /* NO SKID */ + } + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + if (ca == NULL) + return SSL_FAILURE; + + *issuer = (WOLFSSL_X509 *)XMALLOC(sizeof(WOLFSSL_X509), 0, + DYNAMIC_TYPE_OPENSSL); + if (*issuer == NULL) + return SSL_FAILURE; + + /* Create an empty certificate as CA doesn't have a certificate. */ + XMEMSET(*issuer, 0, sizeof(WOLFSSL_X509)); + /* TODO: store the full certificate and dup when required. */ + + /* Result is ignored when passed to wolfSSL_OCSP_cert_to_id(). */ + + return SSL_SUCCESS; +} + +void wolfSSL_X509_email_free(STACK_OF(WOLFSSL_STRING) *sk) +{ + WOLFSSL_STACK *curr; + + while (sk != NULL) { + curr = sk; + sk = sk->next; + + XFREE(curr, NULL, DYNAMIC_TYPE_OPENSSL); + } +} + +STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x) +{ + WOLFSSL_STACK *list = NULL; + + if (x->authInfoSz == 0) + return NULL; + + list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, + DYNAMIC_TYPE_OPENSSL); + if (list == NULL) + return NULL; + + list->data.string = (char*)x->authInfo; + list->next = NULL; + + return list; +} + +int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject) +{ + WOLFSSL_X509_NAME *issuerName = wolfSSL_X509_get_issuer_name(subject); + WOLFSSL_X509_NAME *subjectName = wolfSSL_X509_get_subject_name(issuer); + + if (issuerName == NULL || subjectName == NULL) + return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + + /* Literal matching of encoded names and key ids. */ + if (issuerName->sz != subjectName->sz || + XMEMCMP(issuerName->name, subjectName->name, subjectName->sz) != 0) { + return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + } + + if (subject->authKeyId != NULL && issuer->subjKeyId != NULL) { + if (subject->authKeyIdSz != issuer->subjKeyIdSz || + XMEMCMP(subject->authKeyId, issuer->subjKeyId, + issuer->subjKeyIdSz) != 0) { + return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + } + } + + return X509_V_OK; +} + +WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x) +{ + return wolfSSL_X509_d2i(NULL, x->derCert->buffer, x->derCert->length); +} + +char* wolfSSL_sk_WOLFSSL_STRING_value(STACK_OF(WOLFSSL_STRING)* strings, + int idx) +{ + for (; idx > 0 && strings != NULL; idx--) + strings = strings->next; + if (strings == NULL) + return NULL; + return strings->data.string; +} +#endif /* HAVE_OCSP */ + +#ifdef HAVE_ALPN +void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl, const unsigned char **data, + unsigned int *len) +{ + word16 nameLen; + + if (ssl != NULL && data != NULL && len != NULL) { + TLSX_ALPN_GetRequest(ssl->extensions, (void **)data, &nameLen); + *len = nameLen; + } +} + +int wolfSSL_select_next_proto(unsigned char **out, unsigned char *outLen, + const unsigned char *in, unsigned int inLen, + const unsigned char *clientNames, + unsigned int clientLen) +{ + unsigned int i, j; + byte lenIn, lenClient; + + if (out == NULL || outLen == NULL || in == NULL || clientNames == NULL) + return OPENSSL_NPN_UNSUPPORTED; + + for (i = 0; i < inLen; i += lenIn) { + lenIn = in[i++]; + for (j = 0; j < clientLen; j += lenClient) { + lenClient = clientNames[j++]; + + if (lenIn != lenClient) + continue; + + if (XMEMCMP(in + i, clientNames + j, lenIn) == 0) { + *out = (unsigned char *)(in + i); + *outLen = lenIn; + return OPENSSL_NPN_NEGOTIATED; + } + } + } + + *out = (unsigned char *)clientNames + 1; + *outLen = clientNames[0]; + return OPENSSL_NPN_NO_OVERLAP; +} + +void wolfSSL_CTX_set_alpn_select_cb(WOLFSSL_CTX *ctx, + int (*cb) (WOLFSSL *ssl, + const unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, + void *arg), void *arg) +{ + if (ctx != NULL) { + ctx->alpnSelect = cb; + ctx->alpnSelectArg = arg; + } +} +#endif /* HAVE_ALPN */ + +#endif /* WOLFSSL_NGINX */ #ifdef OPENSSL_EXTRA int wolfSSL_CTX_set_msg_callback(WOLFSSL_CTX *ctx, SSL_Msg_Cb cb) @@ -21755,4 +23909,5 @@ int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg) } #endif + #endif /* WOLFCRYPT_ONLY */ diff --git a/src/tls.c b/src/tls.c old mode 100644 new mode 100755 index 3aa5a781b..8c8437ae8 --- a/src/tls.c +++ b/src/tls.c @@ -1095,23 +1095,42 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length, TLSX *extension; ALPN *alpn = NULL, *list; + if (OPAQUE16_LEN > length) + return BUFFER_ERROR; + + ato16(input, &size); + offset += OPAQUE16_LEN; + extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) extension = TLSX_Find(ssl->ctx->extensions, TLSX_APPLICATION_LAYER_PROTOCOL); +#ifdef WOLFSSL_NGINX + if (ssl->alpnSelect != NULL) { + const byte* out; + unsigned char outLen; + + if (ssl->alpnSelect(ssl, &out, &outLen, input + offset, size, + ssl->alpnSelectArg) == 0) { + WOLFSSL_MSG("ALPN protocol match"); + if (TLSX_UseALPN(&ssl->extensions, (char*)out, outLen, 0, ssl->heap) + == SSL_SUCCESS) { + if (extension == NULL) { + extension = TLSX_Find(ssl->extensions, + TLSX_APPLICATION_LAYER_PROTOCOL); + } + } + } + } +#endif + if (extension == NULL || extension->data == NULL) { WOLFSSL_MSG("No ALPN extensions not used or bad"); return isRequest ? 0 /* not using ALPN */ : BUFFER_ERROR; /* unexpected ALPN response */ } - if (OPAQUE16_LEN > length) - return BUFFER_ERROR; - - ato16(input, &size); - offset += OPAQUE16_LEN; - /* validating alpn list length */ if (length != OPAQUE16_LEN + size) return BUFFER_ERROR; @@ -1371,7 +1390,7 @@ static word16 TLSX_SNI_GetSize(SNI* list) switch (sni->type) { case WOLFSSL_SNI_HOST_NAME: - length += XSTRLEN((char*)sni->data.host_name); + length += (word16)XSTRLEN((char*)sni->data.host_name); break; } } @@ -1393,7 +1412,7 @@ static word16 TLSX_SNI_Write(SNI* list, byte* output) switch (sni->type) { case WOLFSSL_SNI_HOST_NAME: - length = XSTRLEN((char*)sni->data.host_name); + length = (word16)XSTRLEN((char*)sni->data.host_name); c16toa(length, output + offset); /* sni length */ offset += OPAQUE16_LEN; @@ -1656,7 +1675,7 @@ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data) switch (sni->type) { case WOLFSSL_SNI_HOST_NAME: *data = sni->data.host_name; - return XSTRLEN((char*)*data); + return (word16)XSTRLEN((char*)*data); } } @@ -2044,7 +2063,7 @@ static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, /* request extensions */ if (csr->request.ocsp.nonceSz) - length = EncodeOcspRequestExtensions( + length = (word16)EncodeOcspRequestExtensions( &csr->request.ocsp, output + offset + OPAQUE16_LEN, OCSP_NONCE_EXT_SZ); @@ -2232,9 +2251,13 @@ int TLSX_CSR_ForceRequest(WOLFSSL* ssl) if (csr) { switch (csr->status_type) { case WOLFSSL_CSR_OCSP: - if (ssl->ctx->cm->ocspEnabled) + if (ssl->ctx->cm->ocspEnabled) { + #ifdef WOLFSSL_NGINX + csr->request.ocsp.ssl = ssl; + #endif return CheckOcspRequest(ssl->ctx->cm->ocsp, &csr->request.ocsp, NULL); + } else return OCSP_LOOKUP_FAIL; } @@ -2397,7 +2420,7 @@ static word16 TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2, length = 0; if (csr2->request.ocsp[0].nonceSz) - length = EncodeOcspRequestExtensions( + length = (word16)EncodeOcspRequestExtensions( &csr2->request.ocsp[0], output + offset + OPAQUE16_LEN, OCSP_NONCE_EXT_SZ); @@ -2640,9 +2663,13 @@ int TLSX_CSR2_ForceRequest(WOLFSSL* ssl) /* followed by */ case WOLFSSL_CSR2_OCSP_MULTI: - if (ssl->ctx->cm->ocspEnabled) + if (ssl->ctx->cm->ocspEnabled) { + #ifdef WOLFSSL_NGINX + csr2->request.ocsp[0].ssl = ssl; + #endif return CheckOcspRequest(ssl->ctx->cm->ocsp, &csr2->request.ocsp[0], NULL); + } else return OCSP_LOOKUP_FAIL; } @@ -2861,12 +2888,17 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { : NULL; EllipticCurve* curve = NULL; word32 oid = 0; + word32 defOid = 0; + word32 defSz = 80; /* Maximum known curve size is 66. */ + word32 nextOid = 0; + word32 nextSz = 80; /* Maximum known curve size is 66. */ + word32 currOid = ssl->ecdhCurveOID; + int ephmSuite = 0; word16 octets = 0; /* according to 'ecc_set_type ecc_sets[];' */ int sig = 0; /* validate signature */ int key = 0; /* validate key */ (void)oid; - (void)octets; if (!extension) return 1; /* no suite restriction */ @@ -2879,155 +2911,253 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { switch (curve->name) { #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP160R1: oid = ECC_SECP160R1_OID; octets = 20; break; + case WOLFSSL_ECC_SECP160R1: + oid = ECC_SECP160R1_OID; + octets = 20; + /* Default for 160-bits. */ + if (ssl->eccTempKeySz <= octets && defSz > octets) { + defOid = oid; + defSz = octets; + } + break; #endif /* !NO_ECC_SECP */ #ifdef HAVE_ECC_SECPR2 - case WOLFSSL_ECC_SECP160R2: oid = ECC_SECP160R2_OID; octets = 20; break; + case WOLFSSL_ECC_SECP160R2: + oid = ECC_SECP160R2_OID; + octets = 20; + break; #endif /* HAVE_ECC_SECPR2 */ #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP160K1: oid = ECC_SECP160K1_OID; octets = 20; break; + case WOLFSSL_ECC_SECP160K1: + oid = ECC_SECP160K1_OID; + octets = 20; + break; #endif /* HAVE_ECC_KOBLITZ */ #endif #if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES) #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP192R1: oid = ECC_SECP192R1_OID; octets = 24; break; + case WOLFSSL_ECC_SECP192R1: + oid = ECC_SECP192R1_OID; + octets = 24; + /* Default for 192-bits. */ + if (ssl->eccTempKeySz <= octets && defSz > octets) { + defOid = oid; + defSz = octets; + } + break; #endif /* !NO_ECC_SECP */ #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP192K1: oid = ECC_SECP192K1_OID; octets = 24; break; + case WOLFSSL_ECC_SECP192K1: + oid = ECC_SECP192K1_OID; + octets = 24; + break; #endif /* HAVE_ECC_KOBLITZ */ #endif #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP224R1: oid = ECC_SECP224R1_OID; octets = 28; break; + case WOLFSSL_ECC_SECP224R1: + oid = ECC_SECP224R1_OID; + octets = 28; + /* Default for 224-bits. */ + if (ssl->eccTempKeySz <= octets && defSz > octets) { + defOid = oid; + defSz = octets; + } + break; #endif /* !NO_ECC_SECP */ #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP224K1: oid = ECC_SECP224K1_OID; octets = 28; break; + case WOLFSSL_ECC_SECP224K1: + oid = ECC_SECP224K1_OID; + octets = 28; + break; #endif /* HAVE_ECC_KOBLITZ */ #endif #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP256R1: oid = ECC_SECP256R1_OID; octets = 32; break; + case WOLFSSL_ECC_SECP256R1: + oid = ECC_SECP256R1_OID; + octets = 32; + /* Default for 256-bits. */ + if (ssl->eccTempKeySz <= octets && defSz > octets) { + defOid = oid; + defSz = octets; + } + break; #endif /* !NO_ECC_SECP */ #ifdef HAVE_ECC_KOBLITZ - case WOLFSSL_ECC_SECP256K1: oid = ECC_SECP256K1_OID; octets = 32; break; + case WOLFSSL_ECC_SECP256K1: + oid = ECC_SECP256K1_OID; + octets = 32; + break; #endif /* HAVE_ECC_KOBLITZ */ #ifdef HAVE_ECC_BRAINPOOL - case WOLFSSL_ECC_BRAINPOOLP256R1: oid = ECC_BRAINPOOLP256R1_OID; octets = 32; break; + case WOLFSSL_ECC_BRAINPOOLP256R1: + oid = ECC_BRAINPOOLP256R1_OID; + octets = 32; + break; #endif /* HAVE_ECC_BRAINPOOL */ #endif #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP384R1: oid = ECC_SECP384R1_OID; octets = 48; break; + case WOLFSSL_ECC_SECP384R1: + oid = ECC_SECP384R1_OID; + octets = 48; + /* Default for 384-bits. */ + if (ssl->eccTempKeySz <= octets && defSz > octets) { + defOid = oid; + defSz = octets; + } + break; #endif /* !NO_ECC_SECP */ #ifdef HAVE_ECC_BRAINPOOL - case WOLFSSL_ECC_BRAINPOOLP384R1: oid = ECC_BRAINPOOLP384R1_OID; octets = 48; break; + case WOLFSSL_ECC_BRAINPOOLP384R1: + oid = ECC_BRAINPOOLP384R1_OID; + octets = 48; + break; #endif /* HAVE_ECC_BRAINPOOL */ #endif #if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES) #ifdef HAVE_ECC_BRAINPOOL - case WOLFSSL_ECC_BRAINPOOLP512R1: oid = ECC_BRAINPOOLP512R1_OID; octets = 64; break; + case WOLFSSL_ECC_BRAINPOOLP512R1: + oid = ECC_BRAINPOOLP512R1_OID; + octets = 64; + break; #endif /* HAVE_ECC_BRAINPOOL */ #endif #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) #ifndef NO_ECC_SECP - case WOLFSSL_ECC_SECP521R1: oid = ECC_SECP521R1_OID; octets = 66; break; + case WOLFSSL_ECC_SECP521R1: + oid = ECC_SECP521R1_OID; + octets = 66; + break; #endif /* !NO_ECC_SECP */ #endif default: continue; /* unsupported curve */ } + if (currOid == 0 && ssl->eccTempKeySz == octets) + currOid = oid; + if ((nextOid == 0 || nextSz > octets) && ssl->eccTempKeySz <= octets) { + nextOid = oid; + nextSz = octets; + } + if (first == ECC_BYTE) { - switch (second) { - /* ECDHE_ECDSA */ - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: - sig |= ssl->pkCurveOID == oid; - key |= ssl->eccTempKeySz == octets; - break; + switch (second) { + /* ECDHE_ECDSA */ + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: + case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: + case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: + sig |= ssl->pkCurveOID == oid; + key |= ssl->ecdhCurveOID == oid; + ephmSuite = 1; + break; #ifdef WOLFSSL_STATIC_DH - /* ECDH_ECDSA */ - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: - case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: - case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - sig |= ssl->pkCurveOID == oid; - key |= ssl->pkCurveOID == oid; - break; + /* ECDH_ECDSA */ + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: + case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: + case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: + sig |= ssl->pkCurveOID == oid; + key |= ssl->pkCurveOID == oid; + break; #endif /* WOLFSSL_STATIC_DH */ #ifndef NO_RSA - /* ECDHE_RSA */ - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - sig = 1; - key |= ssl->eccTempKeySz == octets; - break; + /* ECDHE_RSA */ + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: + case TLS_ECDHE_RSA_WITH_RC4_128_SHA: + case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: + sig = 1; + key |= ssl->ecdhCurveOID == oid; + ephmSuite = 1; + break; #ifdef WOLFSSL_STATIC_DH - /* ECDH_RSA */ - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: - case TLS_ECDH_RSA_WITH_RC4_128_SHA: - case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - sig = 1; - key |= ssl->pkCurveOID == oid; - break; + /* ECDH_RSA */ + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: + case TLS_ECDH_RSA_WITH_RC4_128_SHA: + case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: + case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: + sig = 1; + key |= ssl->pkCurveOID == oid; + break; #endif /* WOLFSSL_STATIC_DH */ #endif - default: - sig = 1; - key = 1; - break; - } + default: + sig = 1; + key = 1; + break; + } } /* ChaCha20-Poly1305 ECC cipher suites */ if (first == CHACHA_BYTE) { - switch (second) { - /* ECDHE_ECDSA */ - case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : - case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - sig |= ssl->pkCurveOID == oid; - key |= ssl->eccTempKeySz == octets; - break; + switch (second) { + /* ECDHE_ECDSA */ + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : + case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : + sig |= ssl->pkCurveOID == oid; + key |= ssl->ecdhCurveOID == oid; + ephmSuite = 1; + break; #ifndef NO_RSA - /* ECDHE_RSA */ - case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - sig = 1; - key |= ssl->eccTempKeySz == octets; - break; + /* ECDHE_RSA */ + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : + case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : + sig = 1; + key |= ssl->ecdhCurveOID == oid; + ephmSuite = 1; + break; #endif - default: - sig = 1; - key = 1; - break; - } + default: + sig = 1; + key = 1; + break; + } } } + /* Choose the default if it is at the required strength. */ + if (ssl->ecdhCurveOID == 0 && defSz == ssl->eccTempKeySz) { + key = 1; + ssl->ecdhCurveOID = defOid; + } + /* Choose any curve at the required strength. */ + if (ssl->ecdhCurveOID == 0) { + key = 1; + ssl->ecdhCurveOID = currOid; + } + /* Choose the default if it is at the next highest strength. */ + if (ssl->ecdhCurveOID == 0 && defSz == nextSz) + ssl->ecdhCurveOID = defOid; + /* Choose any curve at the next highest strength. */ + if (ssl->ecdhCurveOID == 0) + ssl->ecdhCurveOID = nextOid; + /* No curve and ephemeral ECC suite requires a matching curve. */ + if (ssl->ecdhCurveOID == 0 && ephmSuite) + key = 0; + return sig && key; } @@ -4568,6 +4698,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) if (!ssl->options.userCurves && !ssl->ctx->userCurves) { + #ifndef HAVE_FIPS #if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES) #ifndef NO_ECC_SECP ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP160R1, ssl->heap); @@ -4592,6 +4723,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) if (ret != SSL_SUCCESS) return ret; #endif #endif + #endif #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES) #ifndef NO_ECC_SECP ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP224R1, ssl->heap); diff --git a/tests/api.c b/tests/api.c index 793dac59e..cd4f016d7 100644 --- a/tests/api.c +++ b/tests/api.c @@ -36,6 +36,9 @@ #ifdef HAVE_ECC #include /* wc_ecc_fp_free */ #endif +#ifndef NO_ASN + #include +#endif #include #include @@ -4126,6 +4129,52 @@ static void test_wolfSSL_BIO(void) } +/*----------------------------------------------------------------------------* + | wolfCrypt ASN + *----------------------------------------------------------------------------*/ + +static void test_wc_GetPkcs8TraditionalOffset(void) +{ +#if !defined(NO_ASN) && !defined(NO_FILESYSTEM) + int length, derSz; + word32 inOutIdx; + const char* path = "./certs/server-keyPkcs8.der"; + FILE* file; + byte der[2048]; + + printf(testingFmt, "wc_GetPkcs8TraditionalOffset"); + + file = fopen(path, "rb"); + AssertNotNull(file); + derSz = (int)fread(der, 1, sizeof(der), file); + fclose(file); + + /* valid case */ + inOutIdx = 0; + length = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, derSz); + AssertIntGT(length, 0); + + /* inOutIdx > sz */ + inOutIdx = 4000; + length = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, derSz); + AssertIntEQ(length, BAD_FUNC_ARG); + + /* null input */ + inOutIdx = 0; + length = wc_GetPkcs8TraditionalOffset(NULL, &inOutIdx, 0); + AssertIntEQ(length, BAD_FUNC_ARG); + + /* invalid input, fill buffer with 1's */ + XMEMSET(der, 1, sizeof(der)); + inOutIdx = 0; + length = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, derSz); + AssertIntEQ(length, ASN_PARSE_E); + + printf(resultFmt, passed); +#endif /* NO_ASN */ +} + + /*----------------------------------------------------------------------------* | Main *----------------------------------------------------------------------------*/ @@ -4186,6 +4235,9 @@ void ApiTest(void) AssertIntEQ(test_wolfSSL_Cleanup(), SSL_SUCCESS); + /* wolfCrypt ASN tests */ + test_wc_GetPkcs8TraditionalOffset(); + /*wolfcrypt */ printf("\n-----------------wolfcrypt unit tests------------------\n"); AssertFalse(test_wolfCrypt_Init()); diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index c2696bc46..2bbdfdc44 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -2545,7 +2545,7 @@ void bench_ed25519KeySign(void) #endif /* HAVE_ED25519 */ -#ifdef _WIN32 +#if defined(_WIN32) && !defined(INTIME_RTOS) #define WIN32_LEAN_AND_MEAN #include diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 09c78bd4e..7b8c4b40a 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -4238,6 +4238,11 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, uint32_t keySize; status_t status; + if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { + WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); + return BAD_FUNC_ARG; + } + key = (byte*)aes->key; status = wc_AesGetKeySize(aes, &keySize); @@ -4265,6 +4270,11 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, if (authTagSz > AES_BLOCK_SIZE) return BAD_FUNC_ARG; + if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { + WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); + return BAD_FUNC_ARG; + } + #ifdef WOLFSSL_AESNI if (haveAESNI) { AES_GCM_encrypt(in, out, authIn, iv, authTag, diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 509364825..c23cf87b9 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1520,34 +1520,58 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, #endif /* HAVE_USER_RSA */ #endif /* NO_RSA */ +/* Remove PKCS8 header, place inOutIdx at beginning of traditional, + * return traditional length on success, negative on error */ +int ToTraditionalInline(const byte* input, word32* inOutIdx, word32 sz) +{ + word32 idx, oid; + int version, length; + + if (input == NULL || inOutIdx == NULL) + return BAD_FUNC_ARG; + + idx = *inOutIdx; + + if (GetSequence(input, &idx, &length, sz) < 0) + return ASN_PARSE_E; + + if (GetMyVersion(input, &idx, &version, sz) < 0) + return ASN_PARSE_E; + + if (GetAlgoId(input, &idx, &oid, oidKeyType, sz) < 0) + return ASN_PARSE_E; + + if (input[idx] == ASN_OBJECT_ID) { + /* pkcs8 ecc uses slightly different format */ + idx++; /* past id */ + if (GetLength(input, &idx, &length, sz) < 0) + return ASN_PARSE_E; + idx += length; /* over sub id, key input will verify */ + } + + if (input[idx++] != ASN_OCTET_STRING) + return ASN_PARSE_E; + + if (GetLength(input, &idx, &length, sz) < 0) + return ASN_PARSE_E; + + *inOutIdx = idx; + + return length; +} + /* Remove PKCS8 header, move beginning of traditional to beginning of input */ int ToTraditional(byte* input, word32 sz) { - word32 inOutIdx = 0, oid; - int version, length; + word32 inOutIdx = 0; + int length; - if (GetSequence(input, &inOutIdx, &length, sz) < 0) - return ASN_PARSE_E; + if (input == NULL) + return BAD_FUNC_ARG; - if (GetMyVersion(input, &inOutIdx, &version, sz) < 0) - return ASN_PARSE_E; - - if (GetAlgoId(input, &inOutIdx, &oid, oidKeyType, sz) < 0) - return ASN_PARSE_E; - - if (input[inOutIdx] == ASN_OBJECT_ID) { - /* pkcs8 ecc uses slightly different format */ - inOutIdx++; /* past id */ - if (GetLength(input, &inOutIdx, &length, sz) < 0) - return ASN_PARSE_E; - inOutIdx += length; /* over sub id, key input will verify */ - } - - if (input[inOutIdx++] != ASN_OCTET_STRING) - return ASN_PARSE_E; - - if (GetLength(input, &inOutIdx, &length, sz) < 0) - return ASN_PARSE_E; + length = ToTraditionalInline(input, &inOutIdx, sz); + if (length < 0) + return length; XMEMMOVE(input, input + inOutIdx, length); @@ -1555,6 +1579,23 @@ int ToTraditional(byte* input, word32 sz) } +/* find beginning of traditional key inside PKCS#8 unencrypted buffer + * return traditional length on success, with inOutIdx at beginning of + * traditional + * return negative on failure/error */ +int wc_GetPkcs8TraditionalOffset(byte* input, word32* inOutIdx, word32 sz) +{ + int length; + + if (input == NULL || inOutIdx == NULL || (*inOutIdx > sz)) + return BAD_FUNC_ARG; + + length = ToTraditionalInline(input, inOutIdx, sz); + + return length; +} + + /* check that the private key is a pair for the public key in certificate * return 1 (true) on match * return 0 or negative value on failure/error @@ -2220,8 +2261,10 @@ int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, } #endif /* OPENSSL_EXTRA */ - if (GetInt(&key->n, input, inOutIdx, inSz) < 0 || - GetInt(&key->e, input, inOutIdx, inSz) < 0) { + if (GetInt(&key->n, input, inOutIdx, inSz) < 0) + return ASN_RSA_KEY_E; + if (GetInt(&key->e, input, inOutIdx, inSz) < 0) { + mp_clear(&key->n); return ASN_RSA_KEY_E; } @@ -3418,7 +3461,7 @@ static INLINE int DateLessThan(const struct tm* a, const struct tm* b) } -#if defined(WOLFSSL_MYSQL_COMPATIBLE) +#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) int GetTimeString(byte* date, int format, char* buf, int len) { struct tm t; @@ -5300,6 +5343,18 @@ static int DecodeCertExtensions(DecodedCert* cert) #ifdef OPENSSL_EXTRA cert->extSubjKeyIdCrit = critical; #endif + #ifndef WOLFSSL_ALLOW_CRIT_SKID + /* This check is added due to RFC 5280 section 4.2.1.2 + * stating that conforming CA's must mark this extension + * as non-critical. When parsing extensions check that + * certificate was made in compliance with this. */ + if (critical) { + WOLFSSL_MSG("Critical Subject Key ID is not allowed"); + WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted"); + return ASN_CRIT_EXT_E; + } + #endif + if (DecodeSubjKeyId(&input[idx], length, cert) < 0) return ASN_PARSE_E; break; @@ -5808,7 +5863,7 @@ const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----"; const char* BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----"; const char* END_PUB_KEY = "-----END PUBLIC KEY-----"; -#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) +#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA) /* Used for compatibility API */ int wc_DerToPem(const byte* der, word32 derSz, @@ -9190,11 +9245,12 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key, return ret; } + int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key, word32 inSz) { int length; - int ret = 0; + byte b; if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0) return BAD_FUNC_ARG; @@ -9202,56 +9258,46 @@ int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx, if (GetSequence(input, inOutIdx, &length, inSz) < 0) return ASN_PARSE_E; -#if defined(OPENSSL_EXTRA) || defined(ECC_DECODE_EXTRA) - { - byte b = input[*inOutIdx]; - if (b != ASN_INTEGER) { - /* not from decoded cert, will have algo id, skip past */ - if (GetSequence(input, inOutIdx, &length, inSz) < 0) - return ASN_PARSE_E; + if (GetSequence(input, inOutIdx, &length, inSz) < 0) + return ASN_PARSE_E; - b = input[(*inOutIdx)++]; - if (b != ASN_OBJECT_ID) - return ASN_OBJECT_ID_E; + b = input[(*inOutIdx)++]; + if (b != ASN_OBJECT_ID) + return ASN_OBJECT_ID_E; - if (GetLength(input, inOutIdx, &length, inSz) < 0) - return ASN_PARSE_E; + if (GetLength(input, inOutIdx, &length, inSz) < 0) + return ASN_PARSE_E; - *inOutIdx += length; /* skip past */ + *inOutIdx += length; /* skip past */ - /* ecc params information */ - b = input[(*inOutIdx)++]; - if (b != ASN_OBJECT_ID) - return ASN_OBJECT_ID_E; + /* ecc params information */ + b = input[(*inOutIdx)++]; + if (b != ASN_OBJECT_ID) + return ASN_OBJECT_ID_E; - if (GetLength(input, inOutIdx, &length, inSz) <= 0) - return ASN_PARSE_E; + if (GetLength(input, inOutIdx, &length, inSz) <= 0) + return ASN_PARSE_E; - *inOutIdx += length; /* skip past */ + *inOutIdx += length; /* skip past */ - /* key header */ - b = input[*inOutIdx]; - *inOutIdx += 1; + /* key header */ + b = input[*inOutIdx]; + *inOutIdx += 1; - if (b != ASN_BIT_STRING) - ret = ASN_BITSTR_E; - else if (GetLength(input, inOutIdx, &length, inSz) <= 0) - ret = ASN_PARSE_E; - else { - b = input[*inOutIdx]; - *inOutIdx += 1; + if (b != ASN_BIT_STRING) + return ASN_BITSTR_E; + if (GetLength(input, inOutIdx, &length, inSz) <= 0) + return ASN_PARSE_E; - if (b != 0x00) - ret = ASN_EXPECT_0_E; - } - } - } /* openssl var block */ -#endif /* OPENSSL_EXTRA */ + b = input[(*inOutIdx)++]; + if (b != 0x00) + return ASN_EXPECT_0_E; + /* This is the raw point data compressed or uncompressed. */ if (wc_ecc_import_x963(input+*inOutIdx, inSz - *inOutIdx, key) != 0) return ASN_ECC_KEY_E; - return ret; + return 0; } @@ -9498,11 +9544,17 @@ static int DecodeSingleResponse(byte* source, return ASN_PARSE_E; } +#ifdef WOLFSSL_NGINX + cs->thisDateAsn = source + idx; +#endif if (GetBasicDate(source, &idx, cs->thisDate, &cs->thisDateFormat, size) < 0) return ASN_PARSE_E; + +#ifndef NO_ASN_TIME if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE)) return ASN_BEFORE_DATE_E; +#endif /* The following items are optional. Only check for them if there is more * unprocessed data in the singleResponse wrapper. */ @@ -9513,11 +9565,17 @@ static int DecodeSingleResponse(byte* source, idx++; if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; +#ifdef WOLFSSL_NGINX + cs->nextDateAsn = source + idx; +#endif if (GetBasicDate(source, &idx, cs->nextDate, &cs->nextDateFormat, size) < 0) return ASN_PARSE_E; + +#ifndef NO_ASN_TIME if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER)) return ASN_AFTER_DATE_E; +#endif } if (((int)(idx - prevIndex) < wrapperSz) && (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))) @@ -9702,7 +9760,7 @@ static int DecodeCerts(byte* source, static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, - OcspResponse* resp, word32 size, void* cm, void* heap) + OcspResponse* resp, word32 size, void* cm, void* heap, int noVerify) { int length; word32 idx = *ioIndex; @@ -9759,7 +9817,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, return ASN_PARSE_E; InitDecodedCert(&cert, resp->cert, resp->certSz, heap); - ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm); + /* Don't verify if we don't have access to Cert Manager. */ + ret = ParseCertRelative(&cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY, + cm); if (ret < 0) { WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); FreeDecodedCert(&cert); @@ -9816,8 +9876,9 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status, } -int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap) +int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify) { + int ret; int length = 0; word32 idx = 0; byte* source = resp->source; @@ -9860,8 +9921,9 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap) if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - if (DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap) < 0) - return ASN_PARSE_E; + ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify); + if (ret < 0) + return ret; return 0; } @@ -9871,8 +9933,8 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) { static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02 }; - byte seqArray[6][MAX_SEQ_SZ]; - word32 seqSz[6], totalSz = (word32)sizeof(NonceObjId); + byte seqArray[5][MAX_SEQ_SZ]; + word32 seqSz[5], totalSz = (word32)sizeof(NonceObjId); WOLFSSL_ENTER("SetOcspReqExtensions"); @@ -9886,16 +9948,12 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) totalSz += seqSz[2] = 1 + SetLength(sizeof(NonceObjId), &seqArray[2][1]); totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]); totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]); - totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]); if (totalSz > size) return 0; totalSz = 0; - XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); - totalSz += seqSz[5]; - XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); totalSz += seqSz[4]; @@ -9946,8 +10004,14 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) snSz = SetSerialNumber(req->serial, req->serialSz, snArray); extSz = 0; - if (req->nonceSz) - extSz = EncodeOcspRequestExtensions(req, extArray, OCSP_NONCE_EXT_SZ); + if (req->nonceSz) { + /* TLS Extensions use this function too - put extensions after + * ASN.1: Context Specific [2]. + */ + extSz = EncodeOcspRequestExtensions(req, extArray + 2, + OCSP_NONCE_EXT_SZ); + extSz += SetExplicit(2, extSz, extArray); + } totalSz = algoSz + issuerSz + issuerKeySz + snSz; for (i = 4; i >= 0; i--) { @@ -9956,6 +10020,8 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) if (i == 2) totalSz += extSz; } + if (output == NULL) + return totalSz; if (totalSz > size) return BUFFER_E; @@ -10349,10 +10415,13 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) #endif } - if (doNextDate && !XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, - AFTER)) { - WOLFSSL_MSG("CRL after date is no longer valid"); - return ASN_AFTER_DATE_E; + if (doNextDate) { +#ifndef NO_ASN_TIME + if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) { + WOLFSSL_MSG("CRL after date is no longer valid"); + return ASN_AFTER_DATE_E; + } +#endif } if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) { diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c index 4d4427652..4bddf485b 100644 --- a/wolfcrypt/src/dh.c +++ b/wolfcrypt/src/dh.c @@ -184,6 +184,57 @@ int wc_DhGenerateKeyPair(DhKey* key, WC_RNG* rng, byte* priv, word32* privSz, return (ret != 0) ? ret : GeneratePublic(key, priv, *privSz, pub, pubSz); } + +/* Check DH Public Key for invalid numbers + * + * key DH key group parameters. + * pub Public Key. + * pubSz Public Key size. + * + * returns 0 on success or error code + */ +int wc_DhCheckPubKey(DhKey* key, const byte* pub, word32 pubSz) +{ + int ret = 0; + + mp_int x; + mp_int y; + + if (key == NULL || pub == NULL) { + return BAD_FUNC_ARG; + } + + if (mp_init_multi(&x, &y, NULL, NULL, NULL, NULL) != MP_OKAY) { + return MP_INIT_E; + } + + if (mp_read_unsigned_bin(&x, pub, pubSz) != MP_OKAY) { + ret = MP_READ_E; + } + + /* pub should not be 0 or 1 */ + if (ret == 0 && mp_cmp_d(&x, 2) == MP_LT) { + ret = MP_CMP_E; + } + + /* pub shouldn't be greater than or equal to p - 1 */ + if (ret == 0 && mp_copy(&key->p, &y) != MP_OKAY) { + ret = MP_INIT_E; + } + if (ret == 0 && mp_sub_d(&y, 2, &y) != MP_OKAY) { + ret = MP_SUB_E; + } + if (ret == 0 && mp_cmp(&x, &y) == MP_GT) { + ret = MP_CMP_E; + } + + mp_clear(&y); + mp_clear(&x); + + return ret; +} + + int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv, word32 privSz, const byte* otherPub, word32 pubSz) { @@ -193,6 +244,11 @@ int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv, mp_int y; mp_int z; + if (wc_DhCheckPubKey(key, otherPub, pubSz) != 0) { + WOLFSSL_MSG("wc_DhAgree wc_DhCheckPubKey failed"); + return DH_CHECK_PUB_E; + } + if (mp_init_multi(&x, &y, &z, 0, 0, 0) != MP_OKAY) return MP_INIT_E; diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 019b96366..3405b39b5 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -953,11 +953,6 @@ static int wc_ecc_export_x963_compressed(ecc_key*, byte* out, word32* outLen); #ifndef WOLFSSL_ATECC508A -int ecc_map(ecc_point*, mp_int*, mp_digit); -int ecc_projective_add_point(ecc_point* P, ecc_point* Q, ecc_point* R, - mp_int* a, mp_int* modulus, mp_digit mp); -int ecc_projective_dbl_point(ecc_point* P, ecc_point* R, mp_int* a, - mp_int* modulus, mp_digit mp); static int ecc_check_pubkey_order(ecc_key* key, mp_int* a, mp_int* prime, mp_int* order); #ifdef ECC_SHAMIR static int ecc_mul2add(ecc_point* A, mp_int* kA, ecc_point* B, mp_int* kB, @@ -1102,12 +1097,8 @@ static int wc_ecc_curve_load(const ecc_set_type* dp, ecc_curve_spec** pCurve, return BAD_FUNC_ARG; #ifdef ECC_CACHE_CURVE - /* find ecc_set index based on curve_id */ - for (x = 0; ecc_sets[x].size != 0; x++) { - if (dp->id == ecc_sets[x].id) - break; /* found index */ - } - if (ecc_sets[x].size == 0) + x = wc_ecc_get_curve_idx(dp->id); + if (x == ECC_CURVE_INVALID) return ECC_BAD_ARG_E; /* make sure cache has been allocated */ @@ -1196,7 +1187,20 @@ void wc_ecc_curve_cache_free(void) #endif /* WOLFSSL_ATECC508A */ -static int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id) +/* Retrieve the curve name for the ECC curve id. + * + * curve_id The id of the curve. + * returns the name stored from the curve if available, otherwise NULL. + */ +const char* wc_ecc_get_name(int curve_id) +{ + int curve_idx = wc_ecc_get_curve_idx(curve_id); + if (curve_idx == ECC_CURVE_INVALID) + return NULL; + return ecc_sets[curve_idx].name; +} + +int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id) { if (keysize <= 0 && curve_id <= 0) { return BAD_FUNC_ARG; @@ -2452,52 +2456,38 @@ int wc_ecc_is_valid_idx(int n) return 0; } - -/* - * Returns the curve name that corresponds to an ecc_curve_id identifier - * - * id curve id, from ecc_curve_id enum in ecc.h - * return const char* representing curve name, from ecc_sets[] on success, - * otherwise NULL if id not found. - */ -const char* wc_ecc_get_curve_name_from_id(int id) +int wc_ecc_get_curve_idx(int curve_id) { - int i; - - for (i = 0; ecc_sets[i].size != 0; i++) { - if (id == ecc_sets[i].id) + int curve_idx; + for (curve_idx = 0; ecc_sets[curve_idx].size != 0; curve_idx++) { + if (curve_id == ecc_sets[curve_idx].id) break; } - - if (ecc_sets[i].size == 0) { - WOLFSSL_MSG("ecc_set curve not found"); - return NULL; + if (ecc_sets[curve_idx].size == 0) { + return ECC_CURVE_INVALID; } - - return ecc_sets[i].name; + return curve_idx; } +int wc_ecc_get_curve_id(int curve_idx) +{ + if (wc_ecc_is_valid_idx(curve_idx)) { + return ecc_sets[curve_idx].id; + } + return ECC_CURVE_INVALID; +} /* Returns the curve size that corresponds to a given ecc_curve_id identifier * * id curve id, from ecc_curve_id enum in ecc.h * return curve size, from ecc_sets[] on success, negative on error */ -int wc_ecc_get_curve_size_from_id(int id) +int wc_ecc_get_curve_size_from_id(int curve_id) { - int i; - - for (i = 0; ecc_sets[i].size != 0; i++) { - if (id == ecc_sets[i].id) - break; - } - - if (ecc_sets[i].size == 0) { - WOLFSSL_MSG("ecc_set curve not found"); + int curve_idx = wc_ecc_get_curve_idx(curve_id); + if (curve_idx == ECC_CURVE_INVALID) return ECC_BAD_ARG_E; - } - - return ecc_sets[i].size; + return ecc_sets[curve_idx].size; } @@ -2976,22 +2966,29 @@ int wc_ecc_make_key(WC_RNG* rng, int keysize, ecc_key* key) return wc_ecc_make_key_ex(rng, keysize, key, ECC_CURVE_DEF); } -static void wc_ecc_free_rs(ecc_key* key) +static INLINE void wc_ecc_free_rs(ecc_key* key, mp_int** r, mp_int** s) { - if (key->r) { + if (*r) { #ifndef USE_FAST_MATH - mp_clear(key->r); + mp_clear(*r); #endif - XFREE(key->r, key->heap, DYNAMIC_TYPE_BIGINT); + #ifdef WOLFSSL_ASYNC_CRYPT + XFREE(*r, key->heap, DYNAMIC_TYPE_BIGINT); key->r = NULL; - } - if (key->s) { - #ifndef USE_FAST_MATH - mp_clear(key->s); #endif - XFREE(key->s, key->heap, DYNAMIC_TYPE_BIGINT); - key->s = NULL; + *r = NULL; } + if (*s) { + #ifndef USE_FAST_MATH + mp_clear(*s); + #endif + #ifdef WOLFSSL_ASYNC_CRYPT + XFREE(*s, key->heap, DYNAMIC_TYPE_BIGINT); + key->s = NULL; + #endif + *s = NULL; + } + (void)key; } /* Setup dynamic pointers if using normal math for proper freeing */ @@ -3081,6 +3078,12 @@ int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen, WC_RNG* rng, ecc_key* key) { int err; + mp_int *r = NULL, *s = NULL; +#ifndef WOLFSSL_ASYNC_CRYPT + mp_int r_lcl, s_lcl; + r = &r_lcl; + s = &s_lcl; +#endif if (in == NULL || out == NULL || outlen == NULL || key == NULL || rng == NULL) { @@ -3111,24 +3114,28 @@ int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen, case ECC_STATE_NONE: case ECC_STATE_SIGN_DO: key->state = ECC_STATE_SIGN_DO; - if (key->r == NULL) - key->r = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, + + #ifdef WOLFSSL_ASYNC_CRYPT + if (r == NULL) + r = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_BIGINT); - if (key->s == NULL) - key->s = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, + if (s == NULL) + s = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_BIGINT); - if (key->r == NULL || key->s == NULL) { + if (r == NULL || s == NULL) { err = MEMORY_E; break; } - XMEMSET(key->r, 0, sizeof(mp_int)); - XMEMSET(key->s, 0, sizeof(mp_int)); + key->r = r; + key->s = s; + #endif + XMEMSET(r, 0, sizeof(mp_int)); + XMEMSET(s, 0, sizeof(mp_int)); - if ((err = mp_init_multi(key->r, key->s, NULL, NULL, NULL, NULL)) + if ((err = mp_init_multi(r, s, NULL, NULL, NULL, NULL)) != MP_OKAY) { break; } - #ifdef WOLFSSL_ATECC508A /* Check args */ if (inlen != ATECC_KEY_SIZE || *outlen < SIGN_RSP_SIZE) { @@ -3142,23 +3149,23 @@ int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen, } /* Load R and S */ - err = mp_read_unsigned_bin(key->r, &out[0], ATECC_KEY_SIZE); + err = mp_read_unsigned_bin(r, &out[0], ATECC_KEY_SIZE); if (err != MP_OKAY) { return err; } - err = mp_read_unsigned_bin(key->s, &out[ATECC_KEY_SIZE], ATECC_KEY_SIZE); + err = mp_read_unsigned_bin(s, &out[ATECC_KEY_SIZE], ATECC_KEY_SIZE); if (err != MP_OKAY) { return err; } /* Check for zeros */ - if (mp_iszero(key->r) || mp_iszero(key->s)) { + if (mp_iszero(r) || mp_iszero(s)) { return MP_ZERO_E; } #else - err = wc_ecc_sign_hash_ex(in, inlen, rng, key, key->r, key->s); + err = wc_ecc_sign_hash_ex(in, inlen, rng, key, r, s); if (err < 0) { break; } @@ -3169,8 +3176,13 @@ int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen, case ECC_STATE_SIGN_ENCODE: key->state = ECC_STATE_SIGN_ENCODE; + #ifdef WOLFSSL_ASYNC_CRYPT + r = key->r; + s = key->s; + #endif + /* encoded with DSA header */ - err = StoreECC_DSA_Sig(out, outlen, key->r, key->s); + err = StoreECC_DSA_Sig(out, outlen, r, s); break; default: @@ -3183,7 +3195,7 @@ int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen, return err; } - wc_ecc_free_rs(key); + wc_ecc_free_rs(key, &r, &s); key->state = ECC_STATE_NONE; @@ -3323,8 +3335,8 @@ void wc_ecc_free(ecc_key* key) if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) { wolfAsync_DevCtxFree(&key->asyncDev); } + wc_ecc_free_rs(key, &key->r, &key->s); #endif - wc_ecc_free_rs(key); #ifdef WOLFSSL_ATECC508A atmel_ecc_free(key->slot); @@ -3594,6 +3606,12 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash, word32 hashlen, int* stat, ecc_key* key) { int err; + mp_int *r = NULL, *s = NULL; +#ifndef WOLFSSL_ASYNC_CRYPT + mp_int r_lcl, s_lcl; + r = &r_lcl; + s = &s_lcl; +#endif if (sig == NULL || hash == NULL || stat == NULL || key == NULL) { return ECC_BAD_ARG_E; @@ -3631,20 +3649,24 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash, * If either of those don't allocate correctly, none of * the rest of this function will execute, and everything * gets cleaned up at the end. */ - if (key->r == NULL) - key->r = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, + #ifdef WOLFSSL_ASYNC_CRYPT + if (r == NULL) + r = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_BIGINT); - if (key->s == NULL) - key->s = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, + if (s == NULL) + s = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_BIGINT); - if (key->r == NULL || key->s == NULL) { + if (r == NULL || s == NULL) { err = MEMORY_E; break; } - XMEMSET(key->r, 0, sizeof(mp_int)); - XMEMSET(key->s, 0, sizeof(mp_int)); + key->r = r; + key->s = s; + #endif + XMEMSET(r, 0, sizeof(mp_int)); + XMEMSET(s, 0, sizeof(mp_int)); /* decode DSA header */ - err = DecodeECC_DSA_Sig(sig, siglen, key->r, key->s); + err = DecodeECC_DSA_Sig(sig, siglen, r, s); if (err < 0) { break; } @@ -3653,7 +3675,12 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash, case ECC_STATE_VERIFY_DO: key->state = ECC_STATE_VERIFY_DO; - err = wc_ecc_verify_hash_ex(key->r, key->s, hash, hashlen, stat, + #ifdef WOLFSSL_ASYNC_CRYPT + r = key->r; + s = key->s; + #endif + + err = wc_ecc_verify_hash_ex(r, s, hash, hashlen, stat, key); if (err < 0) { break; @@ -3675,7 +3702,7 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash, return err; } - wc_ecc_free_rs(key); + wc_ecc_free_rs(key, &r, &s); key->state = ECC_STATE_NONE; @@ -4758,10 +4785,38 @@ int wc_ecc_export_private_raw(ecc_key* key, byte* qx, word32* qxLen, #endif /* HAVE_ECC_KEY_EXPORT */ #ifdef HAVE_ECC_KEY_IMPORT -int wc_ecc_import_private_key_ex(const byte* priv, word32 privSz, const byte* pub, - word32 pubSz, ecc_key* key, int curve_id) +/* import private key, public part optional if (pub) passed as NULL */ +int wc_ecc_import_private_key_ex(const byte* priv, word32 privSz, + const byte* pub, word32 pubSz, ecc_key* key, + int curve_id) { - int ret = wc_ecc_import_x963_ex(pub, pubSz, key, curve_id); + int ret; + void* heap; + + /* public optional, NULL if only importing private */ + if (pub != NULL) { + + ret = wc_ecc_import_x963_ex(pub, pubSz, key, curve_id); + + } else { + + if (key == NULL || priv == NULL) + return BAD_FUNC_ARG; + + /* init key */ + heap = key->heap; + ret = wc_ecc_init_ex(key, NULL, INVALID_DEVID); + key->heap = heap; + + key->state = ECC_STATE_NONE; + + if (ret != 0) + return ret; + + /* set key size */ + ret = wc_ecc_set_curve(key, privSz-1, curve_id); + } + if (ret != 0) return ret; @@ -7070,7 +7125,8 @@ int do_mp_jacobi(mp_int* a, mp_int* n, int* c); int do_mp_jacobi(mp_int* a, mp_int* n, int* c) { - int k, s, r, res; + int k, s, res; + int r = 0; /* initialize to help static analysis out */ mp_digit residue; /* if a < 0 return MP_VAL */ diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index be37b7275..796d9e553 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -204,7 +204,7 @@ const char* wc_GetErrorString(int error) return "ASN NTRU key decode error, invalid input"; case ASN_CRIT_EXT_E: - return "X.509 Critical extension ignored"; + return "X.509 Critical extension ignored or invalid"; case ECC_BAD_ARG_E : return "ECC input argument wrong type, invalid input"; @@ -416,6 +416,12 @@ const char* wc_GetErrorString(int error) case ECC_CDH_KAT_FIPS_E: return "wolfcrypt FIPS ECC CDH Known Answer Test Failure"; + case DH_CHECK_PUB_E: + return "DH Check Public Key failure"; + + case BAD_PATH_ERROR: + return "Bad path for opendir error"; + default: return "unknown error number"; diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index fb9e56edc..9df026163 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -277,7 +277,7 @@ WOLFSSL_API int wolfSSL_EVP_CipherUpdate(WOLFSSL_EVP_CIPHER_CTX *ctx, blocks = inl / ctx->block_size; if (blocks > 0) { /* process blocks */ - if (evpCipherBlock(ctx, out, ctx->buf, blocks) == 0) + if (evpCipherBlock(ctx, out, in, blocks*ctx->block_size) == 0) return 0; PRINT_BUF(ctx->buf, ctx->block_size); PRINT_BUF(out, ctx->block_size); diff --git a/wolfcrypt/src/fe_low_mem.c b/wolfcrypt/src/fe_low_mem.c index 9caffa81f..aa6a44996 100644 --- a/wolfcrypt/src/fe_low_mem.c +++ b/wolfcrypt/src/fe_low_mem.c @@ -183,7 +183,7 @@ static void raw_add(byte *x, const byte *p) for (i = 0; i < F25519_SIZE; i++) { c += ((word16)x[i]) + ((word16)p[i]); - x[i] = c; + x[i] = (byte)c; c >>= 8; } } @@ -197,11 +197,11 @@ static void raw_try_sub(byte *x, const byte *p) for (i = 0; i < F25519_SIZE; i++) { c = ((word16)x[i]) - ((word16)p[i]) - c; - minusp[i] = c; + minusp[i] = (byte)c; c = (c >> 8) & 1; } - fprime_select(x, minusp, x, c); + fprime_select(x, minusp, x, (byte)c); } @@ -271,7 +271,7 @@ void fprime_mul(byte *r, const byte *a, const byte *b, for (j = 0; j < F25519_SIZE; j++) { c |= ((word16)r[j]) << 1; - r[j] = c; + r[j] = (byte)c; c >>= 8; } raw_try_sub(r, modulus); @@ -310,7 +310,7 @@ void fe_normalize(byte *x) for (i = 0; i < F25519_SIZE; i++) { c += x[i]; - x[i] = c; + x[i] = (byte)c; c >>= 8; } @@ -322,12 +322,12 @@ void fe_normalize(byte *x) for (i = 0; i + 1 < F25519_SIZE; i++) { c += x[i]; - minusp[i] = c; + minusp[i] = (byte)c; c >>= 8; } c += ((word16)x[i]) - 128; - minusp[31] = c; + minusp[31] = (byte)c; /* Load x-p if no underflow */ fe_select(x, minusp, x, (c >> 15) & 1); @@ -355,7 +355,7 @@ void fe_add(fe r, const fe a, const fe b) for (i = 0; i < F25519_SIZE; i++) { c >>= 8; c += ((word16)a[i]) + ((word16)b[i]); - r[i] = c; + r[i] = (byte)c; } /* Reduce with 2^255 = 19 mod p */ @@ -364,7 +364,7 @@ void fe_add(fe r, const fe a, const fe b) for (i = 0; i < F25519_SIZE; i++) { c += r[i]; - r[i] = c; + r[i] = (byte)c; c >>= 8; } } diff --git a/wolfcrypt/src/fe_operations.c b/wolfcrypt/src/fe_operations.c old mode 100644 new mode 100755 index 9dfeab093..a47ff3cfb --- a/wolfcrypt/src/fe_operations.c +++ b/wolfcrypt/src/fe_operations.c @@ -942,7 +942,7 @@ replace (f,g) with (f,g) if b == 0. Preconditions: b in {0,1}. */ -void fe_cswap(fe f,fe g,unsigned int b) +void fe_cswap(fe f, fe g, int b) { int32_t f0 = f[0]; int32_t f1 = f[1]; @@ -1353,7 +1353,7 @@ replace (f,g) with (f,g) if b == 0. Preconditions: b in {0,1}. */ -void fe_cmov(fe f,const fe g,unsigned int b) +void fe_cmov(fe f, const fe g, int b) { int32_t f0 = f[0]; int32_t f1 = f[1]; diff --git a/wolfcrypt/src/ge_operations.c b/wolfcrypt/src/ge_operations.c index 99eaeb2dc..109b77c82 100644 --- a/wolfcrypt/src/ge_operations.c +++ b/wolfcrypt/src/ge_operations.c @@ -274,38 +274,38 @@ void sc_reduce(byte* s) carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; - s[0] = s0 >> 0; - s[1] = s0 >> 8; - s[2] = (s0 >> 16) | (s1 << 5); - s[3] = s1 >> 3; - s[4] = s1 >> 11; - s[5] = (s1 >> 19) | (s2 << 2); - s[6] = s2 >> 6; - s[7] = (s2 >> 14) | (s3 << 7); - s[8] = s3 >> 1; - s[9] = s3 >> 9; - s[10] = (s3 >> 17) | (s4 << 4); - s[11] = s4 >> 4; - s[12] = s4 >> 12; - s[13] = (s4 >> 20) | (s5 << 1); - s[14] = s5 >> 7; - s[15] = (s5 >> 15) | (s6 << 6); - s[16] = s6 >> 2; - s[17] = s6 >> 10; - s[18] = (s6 >> 18) | (s7 << 3); - s[19] = s7 >> 5; - s[20] = s7 >> 13; - s[21] = s8 >> 0; - s[22] = s8 >> 8; - s[23] = (s8 >> 16) | (s9 << 5); - s[24] = s9 >> 3; - s[25] = s9 >> 11; - s[26] = (s9 >> 19) | (s10 << 2); - s[27] = s10 >> 6; - s[28] = (s10 >> 14) | (s11 << 7); - s[29] = s11 >> 1; - s[30] = s11 >> 9; - s[31] = s11 >> 17; + s[0] = (byte)(s0 >> 0); + s[1] = (byte)(s0 >> 8); + s[2] = (byte)((s0 >> 16) | (s1 << 5)); + s[3] = (byte)(s1 >> 3); + s[4] = (byte)(s1 >> 11); + s[5] = (byte)((s1 >> 19) | (s2 << 2)); + s[6] = (byte)(s2 >> 6); + s[7] = (byte)((s2 >> 14) | (s3 << 7)); + s[8] = (byte)(s3 >> 1); + s[9] = (byte)(s3 >> 9); + s[10] = (byte)((s3 >> 17) | (s4 << 4)); + s[11] = (byte)(s4 >> 4); + s[12] = (byte)(s4 >> 12); + s[13] = (byte)((s4 >> 20) | (s5 << 1)); + s[14] = (byte)(s5 >> 7); + s[15] = (byte)((s5 >> 15) | (s6 << 6)); + s[16] = (byte)(s6 >> 2); + s[17] = (byte)(s6 >> 10); + s[18] = (byte)((s6 >> 18) | (s7 << 3)); + s[19] = (byte)(s7 >> 5); + s[20] = (byte)(s7 >> 13); + s[21] = (byte)(s8 >> 0); + s[22] = (byte)(s8 >> 8); + s[23] = (byte)((s8 >> 16) | (s9 << 5)); + s[24] = (byte)(s9 >> 3); + s[25] = (byte)(s9 >> 11); + s[26] = (byte)((s9 >> 19) | (s10 << 2)); + s[27] = (byte)(s10 >> 6); + s[28] = (byte)((s10 >> 14) | (s11 << 7)); + s[29] = (byte)(s11 >> 1); + s[30] = (byte)(s11 >> 9); + s[31] = (byte)(s11 >> 17); /* hush warnings after setting values to 0 */ (void)s12; @@ -640,38 +640,38 @@ void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c) carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; - s[0] = s0 >> 0; - s[1] = s0 >> 8; - s[2] = (s0 >> 16) | (s1 << 5); - s[3] = s1 >> 3; - s[4] = s1 >> 11; - s[5] = (s1 >> 19) | (s2 << 2); - s[6] = s2 >> 6; - s[7] = (s2 >> 14) | (s3 << 7); - s[8] = s3 >> 1; - s[9] = s3 >> 9; - s[10] = (s3 >> 17) | (s4 << 4); - s[11] = s4 >> 4; - s[12] = s4 >> 12; - s[13] = (s4 >> 20) | (s5 << 1); - s[14] = s5 >> 7; - s[15] = (s5 >> 15) | (s6 << 6); - s[16] = s6 >> 2; - s[17] = s6 >> 10; - s[18] = (s6 >> 18) | (s7 << 3); - s[19] = s7 >> 5; - s[20] = s7 >> 13; - s[21] = s8 >> 0; - s[22] = s8 >> 8; - s[23] = (s8 >> 16) | (s9 << 5); - s[24] = s9 >> 3; - s[25] = s9 >> 11; - s[26] = (s9 >> 19) | (s10 << 2); - s[27] = s10 >> 6; - s[28] = (s10 >> 14) | (s11 << 7); - s[29] = s11 >> 1; - s[30] = s11 >> 9; - s[31] = s11 >> 17; + s[0] = (byte)(s0 >> 0); + s[1] = (byte)(s0 >> 8); + s[2] = (byte)((s0 >> 16) | (s1 << 5)); + s[3] = (byte)(s1 >> 3); + s[4] = (byte)(s1 >> 11); + s[5] = (byte)((s1 >> 19) | (s2 << 2)); + s[6] = (byte)(s2 >> 6); + s[7] = (byte)((s2 >> 14) | (s3 << 7)); + s[8] = (byte)(s3 >> 1); + s[9] = (byte)(s3 >> 9); + s[10] = (byte)((s3 >> 17) | (s4 << 4)); + s[11] = (byte)(s4 >> 4); + s[12] = (byte)(s4 >> 12); + s[13] = (byte)((s4 >> 20) | (s5 << 1)); + s[14] = (byte)(s5 >> 7); + s[15] = (byte)((s5 >> 15) | (s6 << 6)); + s[16] = (byte)(s6 >> 2); + s[17] = (byte)(s6 >> 10); + s[18] = (byte)((s6 >> 18) | (s7 << 3)); + s[19] = (byte)(s7 >> 5); + s[20] = (byte)(s7 >> 13); + s[21] = (byte)(s8 >> 0); + s[22] = (byte)(s8 >> 8); + s[23] = (byte)((s8 >> 16) | (s9 << 5)); + s[24] = (byte)(s9 >> 3); + s[25] = (byte)(s9 >> 11); + s[26] = (byte)((s9 >> 19) | (s10 << 2)); + s[27] = (byte)(s10 >> 6); + s[28] = (byte)((s10 >> 14) | (s11 << 7)); + s[29] = (byte)(s11 >> 1); + s[30] = (byte)(s11 >> 9); + s[31] = (byte)(s11 >> 17); /* hush warnings after setting values to 0 */ (void)s12; @@ -754,7 +754,7 @@ static unsigned char negative(signed char b) unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */ x >>= 63; /* 1: yes; 0: no */ - return x; + return (unsigned char)x; } @@ -2272,7 +2272,7 @@ where a = a[0]+256*a[1]+...+256^31 a[31]. and b = b[0]+256*b[1]+...+256^31 b[31]. B is the Ed25519 base point (x,4/5) with x positive. */ -int ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, +int ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b) { signed char aslide[256]; diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c index 87d4d0fe1..bb03cde14 100644 --- a/wolfcrypt/src/hash.c +++ b/wolfcrypt/src/hash.c @@ -166,7 +166,7 @@ int wc_Hash(enum wc_HashType hash_type, const byte* data, if (hash_len < dig_size) { return BUFFER_E; } - + /* Suppress possible unused arg if all hashing is disabled */ (void)data; (void)data_len; @@ -236,41 +236,32 @@ int wc_HashInit(wc_HashAlg* hash, enum wc_HashType type) case WC_HASH_TYPE_MD5: #ifndef NO_MD5 wc_InitMd5(&hash->md5); + ret = 0; #endif break; case WC_HASH_TYPE_SHA: #ifndef NO_SHA ret = wc_InitSha(&hash->sha); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA224: #ifdef WOLFSSL_SHA224 ret = wc_InitSha224(&hash->sha224); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA256: #ifndef NO_SHA256 ret = wc_InitSha256(&hash->sha256); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA384: #ifdef WOLFSSL_SHA384 ret = wc_InitSha384(&hash->sha384); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA512: #ifdef WOLFSSL_SHA512 ret = wc_InitSha512(&hash->sha512); - if (ret != 0) - return ret; #endif break; @@ -280,10 +271,10 @@ int wc_HashInit(wc_HashAlg* hash, enum wc_HashType type) case WC_HASH_TYPE_MD4: case WC_HASH_TYPE_NONE: default: - return BAD_FUNC_ARG; + ret = BAD_FUNC_ARG; }; - return 0; + return ret; } int wc_HashUpdate(wc_HashAlg* hash, enum wc_HashType type, const byte* data, @@ -298,41 +289,34 @@ int wc_HashUpdate(wc_HashAlg* hash, enum wc_HashType type, const byte* data, case WC_HASH_TYPE_MD5: #ifndef NO_MD5 wc_Md5Update(&hash->md5, data, dataSz); + ret = 0; #endif break; case WC_HASH_TYPE_SHA: #ifndef NO_SHA ret = wc_ShaUpdate(&hash->sha, data, dataSz); if (ret != 0) -#endif return ret; +#endif break; case WC_HASH_TYPE_SHA224: #ifdef WOLFSSL_SHA224 ret = wc_Sha224Update(&hash->sha224, data, dataSz); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA256: #ifndef NO_SHA256 ret = wc_Sha256Update(&hash->sha256, data, dataSz); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA384: #ifdef WOLFSSL_SHA384 ret = wc_Sha384Update(&hash->sha384, data, dataSz); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA512: #ifdef WOLFSSL_SHA512 ret = wc_Sha512Update(&hash->sha512, data, dataSz); - if (ret != 0) - return ret; #endif break; @@ -342,10 +326,10 @@ int wc_HashUpdate(wc_HashAlg* hash, enum wc_HashType type, const byte* data, case WC_HASH_TYPE_MD4: case WC_HASH_TYPE_NONE: default: - return BAD_FUNC_ARG; + ret = BAD_FUNC_ARG; }; - return 0; + return ret; } int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type, byte* out) @@ -359,41 +343,32 @@ int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type, byte* out) case WC_HASH_TYPE_MD5: #ifndef NO_MD5 wc_Md5Final(&hash->md5, out); + ret = 0; #endif break; case WC_HASH_TYPE_SHA: #ifndef NO_SHA ret = wc_ShaFinal(&hash->sha, out); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA224: #ifdef WOLFSSL_SHA224 ret = wc_Sha224Final(&hash->sha224, out); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA256: #ifndef NO_SHA256 ret = wc_Sha256Final(&hash->sha256, out); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA384: #ifdef WOLFSSL_SHA384 ret = wc_Sha384Final(&hash->sha384, out); - if (ret != 0) - return ret; #endif break; case WC_HASH_TYPE_SHA512: #ifdef WOLFSSL_SHA512 ret = wc_Sha512Final(&hash->sha512, out); - if (ret != 0) - return ret; #endif break; @@ -403,10 +378,10 @@ int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type, byte* out) case WC_HASH_TYPE_MD4: case WC_HASH_TYPE_NONE: default: - return BAD_FUNC_ARG; + ret = BAD_FUNC_ARG; }; - return 0; + return ret; } diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index eea186392..e64fd0b4f 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -875,15 +875,11 @@ int wc_HKDF(int type, const byte* inKey, word32 inKeySz, saltSz = hashSz; } - do { ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz); - if (ret != 0) - break; - ret = wc_HmacUpdate(&myHmac, inKey, inKeySz); - if (ret != 0) - break; - ret = wc_HmacFinal(&myHmac, prk); - } while (0); + if (ret == 0) + ret = wc_HmacUpdate(&myHmac, inKey, inKeySz); + if (ret == 0) + ret = wc_HmacFinal(&myHmac, prk); if (ret == 0) { while (outIdx < outSz) { diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index efa0af912..63d5c0293 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -354,7 +354,7 @@ int mp_copy (mp_int * a, mp_int * b) } /* clear high digits */ - for (; n < b->used; n++) { + for (; n < b->used && b->dp; n++) { *tmpb++ = 0; } } @@ -542,6 +542,7 @@ void mp_rshb (mp_int *c, int x) /* set the carry to the carry bits of the current word found above */ r = rr; } + mp_clamp(c); } @@ -1638,6 +1639,11 @@ int s_mp_sub (mp_int * a, mp_int * b, mp_int * c) return res; } } + + /* sanity check on destination */ + if (c->dp == NULL) + return MP_VAL; + olduse = c->used; c->used = max_a; @@ -3767,7 +3773,7 @@ int s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) pa = a->used; pb = b->used; - for (ix = 0; ix < pa; ix++) { + for (ix = 0; ix < pa && a->dp; ix++) { /* clear the carry */ u = 0; @@ -3840,7 +3846,7 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) /* number of output digits to produce */ pa = a->used + b->used; _W = 0; - for (ix = digs; ix < pa; ix++) { + for (ix = digs; ix < pa && a->dp; ix++) { int tx, ty, iy; mp_digit *tmpx, *tmpy; @@ -3897,25 +3903,33 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) } -/* set a 32-bit const */ +#ifndef MP_SET_CHUNK_BITS + #define MP_SET_CHUNK_BITS 4 +#endif int mp_set_int (mp_int * a, unsigned long b) { - int x, res; + int x, res; + + /* use direct mp_set if b is less than mp_digit max */ + if (b < MP_DIGIT_MAX) { + return mp_set (a, (mp_digit)b); + } mp_zero (a); - /* set four bits at a time */ - for (x = 0; x < 8; x++) { - /* shift the number up four bits */ - if ((res = mp_mul_2d (a, 4, a)) != MP_OKAY) { + /* set chunk bits at a time */ + for (x = 0; x < (int)(sizeof(b) * 8) / MP_SET_CHUNK_BITS; x++) { + /* shift the number up chunk bits */ + if ((res = mp_mul_2d (a, MP_SET_CHUNK_BITS, a)) != MP_OKAY) { return res; } - /* OR in the top four bits of the source */ - a->dp[0] |= (b >> 28) & 15; + /* OR in the top bits of the source */ + a->dp[0] |= (b >> ((sizeof(b) * 8) - MP_SET_CHUNK_BITS)) & + ((1 << MP_SET_CHUNK_BITS) - 1); - /* shift the source up to the next four bits */ - b <<= 4; + /* shift the source up to the next chunk bits */ + b <<= MP_SET_CHUNK_BITS; /* ensure that digits are not clamped off */ a->used += 1; @@ -4128,7 +4142,7 @@ static const int lnz[16] = { int mp_cnt_lsb(mp_int *a) { int x; - mp_digit q, qq; + mp_digit q = 0, qq; /* easy out */ if (mp_iszero(a) == MP_YES) { @@ -4137,7 +4151,8 @@ int mp_cnt_lsb(mp_int *a) /* scan lower digits until non-zero */ for (x = 0; x < a->used && a->dp[x] == 0; x++) {} - q = a->dp[x]; + if (a->dp) + q = a->dp[x]; x *= DIGIT_BIT; /* now scan this digit until a 1 is found */ @@ -4223,6 +4238,10 @@ static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d) q.used = a->used; q.sign = a->sign; } + else { + mp_init(&q); /* initialize to help static analysis */ + } + w = 0; for (ix = a->used - 1; ix >= 0; ix--) { @@ -4245,8 +4264,8 @@ static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d) if (c != NULL) { mp_clamp(&q); mp_exch(&q, c); - mp_clear(&q); } + mp_clear(&q); return res; } diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 43c5a1aad..8aecf5f0b 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -50,6 +50,7 @@ static void* wc_error_heap; struct wc_error_queue { void* heap; /* the heap hint used with nodes creation */ struct wc_error_queue* next; + struct wc_error_queue* prev; char error[WOLFSSL_MAX_ERROR_SZ]; char file[WOLFSSL_MAX_ERROR_SZ]; int value; @@ -61,10 +62,11 @@ static struct wc_error_queue* wc_last_node; #endif -#ifdef DEBUG_WOLFSSL + +#if defined(DEBUG_WOLFSSL) /* Set these to default values initially. */ -static wolfSSL_Logging_cb log_function = 0; +static wolfSSL_Logging_cb log_function = NULL; static int loggingEnabled = 0; #endif /* DEBUG_WOLFSSL */ @@ -215,21 +217,25 @@ void WOLFSSL_LEAVE(const char* msg, int ret) wolfssl_log(LEAVE_LOG , buffer); } } - +#endif /* DEBUG_WOLFSSL */ /* * When using OPENSSL_EXTRA or DEBUG_WOLFSSL_VERBOSE macro then WOLFSSL_ERROR is * mapped to new funtion WOLFSSL_ERROR_LINE which gets the line # and function * name where WOLFSSL_ERROR is called at. */ -#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) +#if (defined(DEBUG_WOLFSSL) || defined(WOLFSSL_NGINX)) + #if (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) void WOLFSSL_ERROR_LINE(int error, const char* func, unsigned int line, const char* file, void* usrCtx) -#else + #else void WOLFSSL_ERROR(int error) -#endif + #endif { - if (loggingEnabled) { + #if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_NGINX) + if (loggingEnabled) + #endif + { char buffer[80]; #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) (void)usrCtx; /* a user ctx for future flexibility */ @@ -254,11 +260,13 @@ void WOLFSSL_ERROR(int error) #else sprintf(buffer, "wolfSSL error occurred, error = %d", error); #endif + #ifdef DEBUG_WOLFSSL wolfssl_log(ERROR_LOG , buffer); + #endif } } -#endif /* DEBUG_WOLFSSL */ +#endif /* DEBUG_WOLFSSL || WOLFSSL_NGINX */ #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) /* Internal function that is called by wolfCrypt_Init() */ @@ -305,7 +313,7 @@ int wc_LoggingCleanup(void) } -#ifdef DEBUG_WOLFSSL +#if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_NGINX) /* peek at an error node * * index : if -1 then the most recent node is looked at, otherwise search @@ -424,13 +432,74 @@ int wc_AddErrorNode(int error, int line, char* buf, char* file) } else { wc_last_node->next = err; + err->prev = wc_last_node; wc_last_node = err; } } return 0; } -#endif /* DEBUG_WOLFSSL */ + +/* Removes the error node at the specified index. + * index : if -1 then the most recent node is looked at, otherwise search + * through queue for node at the given index + */ +void wc_RemoveErrorNode(int index) +{ + struct wc_error_queue* current; + + if (wc_LockMutex(&debug_mutex) != 0) { + WOLFSSL_MSG("Lock debug mutex failed"); + return; + } + + if (index == -1) + current = wc_last_node; + else { + current = (struct wc_error_queue*)wc_errors; + for (; current != NULL && index > 0; index--) + current = current->next; + } + if (current != NULL) { + if (current->prev != NULL) + current->prev->next = current->next; + if (wc_last_node == current) + wc_last_node = current->prev; + if (wc_errors == current) + wc_errors = current->next; + XFREE(current, current->heap, DYNAMIC_TYPE_LOG); + } + + wc_UnLockMutex(&debug_mutex); +} + +/* Clears out the list of error nodes. + */ +void wc_ClearErrorNodes(void) +{ + if (wc_LockMutex(&debug_mutex) != 0) { + WOLFSSL_MSG("Lock debug mutex failed"); + return; + } + + /* free all nodes from error queue */ + { + struct wc_error_queue* current; + struct wc_error_queue* next; + + current = (struct wc_error_queue*)wc_errors; + while (current != NULL) { + next = current->next; + XFREE(current, current->heap, DYNAMIC_TYPE_LOG); + current = next; + } + } + + wc_errors = NULL; + wc_last_node = NULL; + wc_UnLockMutex(&debug_mutex); +} +#endif /* DEBUG_WOLFSSL || WOLFSSL_NGINX */ int wc_SetLoggingHeap(void* h) diff --git a/wolfcrypt/src/memory.c b/wolfcrypt/src/memory.c index 3d38265cf..c5f0e47b9 100644 --- a/wolfcrypt/src/memory.c +++ b/wolfcrypt/src/memory.c @@ -539,7 +539,9 @@ void* wolfSSL_Malloc(size_t size, void* heap, int type) } /* case of using fixed IO buffers */ - if (mem->flag & WOLFMEM_IO_POOL_FIXED) { + if (mem->flag & WOLFMEM_IO_POOL_FIXED && + (type == DYNAMIC_TYPE_OUT_BUFFER || + type == DYNAMIC_TYPE_IN_BUFFER)) { if (type == DYNAMIC_TYPE_OUT_BUFFER) { pt = hint->outBuf; } @@ -547,25 +549,26 @@ void* wolfSSL_Malloc(size_t size, void* heap, int type) pt = hint->inBuf; } } - - /* check if using IO pool flag */ - if (mem->flag & WOLFMEM_IO_POOL && pt == NULL && + else { + /* check if using IO pool flag */ + if (mem->flag & WOLFMEM_IO_POOL && (type == DYNAMIC_TYPE_OUT_BUFFER || type == DYNAMIC_TYPE_IN_BUFFER)) { - if (mem->io != NULL) { - pt = mem->io; - mem->io = pt->next; + if (mem->io != NULL) { + pt = mem->io; + mem->io = pt->next; + } } - } - /* general static memory */ - if (pt == NULL) { - for (i = 0; i < WOLFMEM_MAX_BUCKETS; i++) { - if ((word32)size < mem->sizeList[i]) { - if (mem->ava[i] != NULL) { - pt = mem->ava[i]; - mem->ava[i] = pt->next; - break; + /* general static memory */ + if (pt == NULL) { + for (i = 0; i < WOLFMEM_MAX_BUCKETS; i++) { + if ((word32)size < mem->sizeList[i]) { + if (mem->ava[i] != NULL) { + pt = mem->ava[i]; + mem->ava[i] = pt->next; + break; + } } } } @@ -672,7 +675,7 @@ void wolfSSL_Free(void *ptr, void* heap, int type) /* fixed IO pools are free'd at the end of SSL lifetime using FreeFixedIO(WOLFSSL_HEAP* heap, wc_Memory** io) */ } - else if (mem->flag & WOLFMEM_IO_POOL && + else if (mem->flag & WOLFMEM_IO_POOL && pt->sz == WOLFMEM_IO_SZ && (type == DYNAMIC_TYPE_OUT_BUFFER || type == DYNAMIC_TYPE_IN_BUFFER)) { pt->next = mem->io; diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index edcc634d5..24877b60d 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -709,6 +709,10 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, } } + if (pkcs12->safe == NULL) { + WOLFSSL_MSG("No PKCS12 safes to parse"); + return BAD_FUNC_ARG; + } /* Decode content infos */ ci = pkcs12->safe->CI; diff --git a/wolfcrypt/src/poly1305.c b/wolfcrypt/src/poly1305.c index 637106b63..1a932dc4f 100644 --- a/wolfcrypt/src/poly1305.c +++ b/wolfcrypt/src/poly1305.c @@ -600,7 +600,7 @@ int wc_Poly1305_MAC(Poly1305* ctx, byte* additional, word32 addSz, if ((ret = wc_Poly1305Update(ctx, additional, addSz)) != 0) { return ret; } - paddingLen = -addSz & (WC_POLY1305_PAD_SZ - 1); + paddingLen = -((int)addSz) & (WC_POLY1305_PAD_SZ - 1); if (paddingLen) { if ((ret = wc_Poly1305Update(ctx, padding, paddingLen)) != 0) { return ret; @@ -611,7 +611,7 @@ int wc_Poly1305_MAC(Poly1305* ctx, byte* additional, word32 addSz, if ((ret = wc_Poly1305Update(ctx, input, sz)) != 0) { return ret; } - paddingLen = -sz & (WC_POLY1305_PAD_SZ - 1); + paddingLen = -((int)sz) & (WC_POLY1305_PAD_SZ - 1); if (paddingLen) { if ((ret = wc_Poly1305Update(ctx, padding, paddingLen)) != 0) { return ret; diff --git a/wolfcrypt/src/port/arm/armv8-aes.c b/wolfcrypt/src/port/arm/armv8-aes.c index e59bd2571..250411924 100644 --- a/wolfcrypt/src/port/arm/armv8-aes.c +++ b/wolfcrypt/src/port/arm/armv8-aes.c @@ -2532,6 +2532,11 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, return BAD_FUNC_ARG; } + if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { + WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); + return BAD_FUNC_ARG; + } + switch (aes->rounds) { case 10: return Aes128GcmEncrypt(aes, out, in, sz, iv, ivSz, @@ -4653,5 +4658,31 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len) #endif /* HAVE_AES_DECRYPT */ #endif /* WOLFSSL_AES_DIRECT */ +int wc_AesGetKeySize(Aes* aes, word32* keySize) +{ + int ret = 0; + + if (aes == NULL || keySize == NULL) { + return BAD_FUNC_ARG; + } + + switch (aes->rounds) { + case 10: + *keySize = 16; + break; + case 12: + *keySize = 24; + break; + case 14: + *keySize = 32; + break; + default: + *keySize = 0; + ret = BAD_FUNC_ARG; + } + + return ret; +} + #endif /* NO_AES */ diff --git a/wolfcrypt/src/port/ti/ti-aes.c b/wolfcrypt/src/port/ti/ti-aes.c index 5b982c41d..cd8d2eed9 100644 --- a/wolfcrypt/src/port/ti/ti-aes.c +++ b/wolfcrypt/src/port/ti/ti-aes.c @@ -490,6 +490,9 @@ WOLFSSL_API int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz) { + if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { + return BAD_FUNC_ARG; + } return AesAuthEncrypt(aes, out, in, sz, iv, ivSz, authTag, authTagSz, authIn, authInSz, AES_CFG_MODE_GCM_HY0CALC) ; } diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 5ea961538..02bbe14e5 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -1674,6 +1674,24 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) return ret; } +#elif defined(INTIME_RTOS) + int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) + { + int ret = 0; + + (void)os; + + if (output == NULL) { + return BUFFER_E; + } + + /* Note: Investigate better solution */ + /* no return to check */ + arc4random_buf(output, sz); + + return ret; + } + #elif defined(NO_DEV_RANDOM) #error "you need to write an os specific wc_GenerateSeed() here" diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index fd9840dcd..274bcc4be 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -1484,7 +1484,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) if ((err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL)) != MP_OKAY) return err; - err = mp_set_int(&tmp3, (mp_digit)e); + err = mp_set_int(&tmp3, e); /* make p */ if (err == MP_OKAY) { diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index f39728546..c857ec795 100644 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -1963,6 +1963,41 @@ void fp_set(fp_int *a, fp_digit b) a->used = a->dp[0] ? 1 : 0; } + +#ifndef MP_SET_CHUNK_BITS + #define MP_SET_CHUNK_BITS 4 +#endif +void fp_set_int(fp_int *a, unsigned long b) +{ + int x; + + /* use direct fp_set if b is less than fp_digit max */ + if (b < FP_DIGIT_MAX) { + fp_set (a, b); + return; + } + + fp_zero (a); + + /* set chunk bits at a time */ + for (x = 0; x < (int)(sizeof(b) * 8) / MP_SET_CHUNK_BITS; x++) { + fp_mul_2d (a, MP_SET_CHUNK_BITS, a); + + /* OR in the top bits of the source */ + a->dp[0] |= (b >> ((sizeof(b) * 8) - MP_SET_CHUNK_BITS)) & + ((1 << MP_SET_CHUNK_BITS) - 1); + + /* shift the source up to the next chunk bits */ + b <<= MP_SET_CHUNK_BITS; + + /* ensure that digits are not clamped off */ + a->used += 1; + } + + /* clamp digits */ + fp_clamp(a); +} + /* check if a bit is set */ int fp_is_bit_set (fp_int *a, fp_digit b) { @@ -2043,26 +2078,26 @@ int fp_leading_bit(fp_int *a) void fp_lshd(fp_int *a, int x) { - int y; + int y; - /* move up and truncate as required */ - y = MIN(a->used + x - 1, (int)(FP_SIZE-1)); + /* move up and truncate as required */ + y = MIN(a->used + x - 1, (int)(FP_SIZE-1)); - /* store new size */ - a->used = y + 1; + /* store new size */ + a->used = y + 1; - /* move digits */ - for (; y >= x; y--) { - a->dp[y] = a->dp[y-x]; - } + /* move digits */ + for (; y >= x; y--) { + a->dp[y] = a->dp[y-x]; + } - /* zero lower digits */ - for (; y >= 0; y--) { - a->dp[y] = 0; - } + /* zero lower digits */ + for (; y >= 0; y--) { + a->dp[y] = 0; + } - /* clamp digits */ - fp_clamp(a); + /* clamp digits */ + fp_clamp(a); } @@ -2095,6 +2130,9 @@ void fp_rshb(fp_int *c, int x) /* set the carry to the carry bits of the current word found above */ r = rr; } + + /* clamp digits */ + fp_clamp(c); } @@ -2350,6 +2388,11 @@ int mp_mul_2d(fp_int *a, int b, fp_int *c) return MP_OKAY; } +int mp_div(fp_int * a, fp_int * b, fp_int * c, fp_int * d) +{ + return fp_div(a, b, c, d); +} + int mp_div_2d(fp_int* a, int b, fp_int* c, fp_int* d) { fp_div_2d(a, b, c, d); @@ -2427,9 +2470,14 @@ void mp_rshb (mp_int* a, int x) fp_rshb(a, x); } -int mp_set_int(mp_int *a, mp_digit b) +void mp_rshd (mp_int* a, int x) { - fp_set(a, b); + fp_rshd(a, x); +} + +int mp_set_int(mp_int *a, unsigned long b) +{ + fp_set_int(a, b); return MP_OKAY; } diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c old mode 100644 new mode 100755 index cf82ca674..2ca371924 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -28,6 +28,7 @@ #include #include #include +#include /* IPP header files for library initialization */ #ifdef HAVE_FAST_RSA @@ -78,6 +79,7 @@ int wolfCrypt_Init(void) WOLFSSL_MSG(ippGetStatusString(ret)); WOLFSSL_MSG("Using default fast IPP library"); ret = 0; + (void)ret; /* suppress not read warning */ } #endif @@ -125,18 +127,152 @@ int wolfCrypt_Cleanup(void) return ret; } +#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) + +/* File Handling Helpers */ +int wc_ReadDirFirst(ReadDirCtx* ctx, const char* path, char** name) +{ + int ret = 0; + + if (name) + *name = NULL; + + if (ctx == NULL || path == NULL) { + return BAD_FUNC_ARG; + } + + XMEMSET(ctx->name, 0, MAX_FILENAME_SZ); + +#ifdef USE_WINDOWS_API + XSTRNCPY(ctx->name, path, MAX_FILENAME_SZ - 4); + XSTRNCAT(ctx->name, "\\*", 3); + + ctx->hFind = FindFirstFileA(ctx->name, &ctx->FindFileData); + if (ctx->hFind == INVALID_HANDLE_VALUE) { + WOLFSSL_MSG("FindFirstFile for path verify locations failed"); + return BAD_PATH_ERROR; + } + + do { + if (ctx->FindFileData.dwFileAttributes != FILE_ATTRIBUTE_DIRECTORY) { + XSTRNCPY(ctx->name, path, MAX_FILENAME_SZ/2 - 3); + XSTRNCAT(ctx->name, "\\", 2); + XSTRNCAT(ctx->name, ctx->FindFileData.cFileName, MAX_FILENAME_SZ/2); + if (name) + *name = ctx->name; + return 0; + } + } while (FindNextFileA(ctx->hFind, &ctx->FindFileData)); +#else + ctx->dir = opendir(path); + if (ctx->dir == NULL) { + WOLFSSL_MSG("opendir path verify locations failed"); + return BAD_PATH_ERROR; + } + + while ((ctx->entry = readdir(ctx->dir)) != NULL) { + XSTRNCPY(ctx->name, path, MAX_FILENAME_SZ/2 - 2); + XSTRNCAT(ctx->name, "/", 1); + XSTRNCAT(ctx->name, ctx->entry->d_name, MAX_FILENAME_SZ/2); + + if (stat(ctx->name, &ctx->s) != 0) { + WOLFSSL_MSG("stat on name failed"); + ret = BAD_PATH_ERROR; + break; + } else if (ctx->s.st_mode & S_IFREG) { + if (name) + *name = ctx->name; + return 0; + } + } +#endif + wc_ReadDirClose(ctx); + + return ret; +} + +int wc_ReadDirNext(ReadDirCtx* ctx, const char* path, char** name) +{ + int ret = -1; + + if (name) + *name = NULL; + + if (ctx == NULL || path == NULL) { + return BAD_FUNC_ARG; + } + + XMEMSET(ctx->name, 0, MAX_FILENAME_SZ); + +#ifdef USE_WINDOWS_API + while (FindNextFileA(ctx->hFind, &ctx->FindFileData)) { + if (ctx->FindFileData.dwFileAttributes != FILE_ATTRIBUTE_DIRECTORY) { + XSTRNCPY(ctx->name, path, MAX_FILENAME_SZ/2 - 3); + XSTRNCAT(ctx->name, "\\", 2); + XSTRNCAT(ctx->name, ctx->FindFileData.cFileName, MAX_FILENAME_SZ/2); + if (name) + *name = ctx->name; + return 0; + } + } +#else + while ((ctx->entry = readdir(ctx->dir)) != NULL) { + XSTRNCPY(ctx->name, path, MAX_FILENAME_SZ/2 - 2); + XSTRNCAT(ctx->name, "/", 1); + XSTRNCAT(ctx->name, ctx->entry->d_name, MAX_FILENAME_SZ/2); + + if (stat(ctx->name, &ctx->s) != 0) { + WOLFSSL_MSG("stat on name failed"); + ret = BAD_PATH_ERROR; + break; + } else if (ctx->s.st_mode & S_IFREG) { + if (name) + *name = ctx->name; + return 0; + } + } +#endif + + wc_ReadDirClose(ctx); + + return ret; +} + +void wc_ReadDirClose(ReadDirCtx* ctx) +{ + if (ctx == NULL) { + return; + } + +#ifdef USE_WINDOWS_API + if (ctx->hFind != INVALID_HANDLE_VALUE) { + FindClose(ctx->hFind); + ctx->hFind = INVALID_HANDLE_VALUE; + } +#else + if (ctx->dir) { + closedir(ctx->dir); + ctx->dir = NULL; + } +#endif +} + +#endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */ + wolfSSL_Mutex* wc_InitAndAllocMutex() { wolfSSL_Mutex* m = (wolfSSL_Mutex*) XMALLOC(sizeof(wolfSSL_Mutex), NULL, DYNAMIC_TYPE_MUTEX); - if(m && wc_InitMutex(m)) + if (m && wc_InitMutex(m) == 0) return m; + XFREE(m, NULL, DYNAMIC_TYPE_MUTEX); m = NULL; return m; } + #if WOLFSSL_CRYPT_HW_MUTEX /* Mutex for protection of cryptography hardware */ static wolfSSL_Mutex wcCryptHwMutex; @@ -176,654 +312,738 @@ int wolfSSL_CryptHwMutexUnLock(void) { #endif /* WOLFSSL_CRYPT_HW_MUTEX */ +/* ---------------------------------------------------------------------------*/ +/* Mutex Ports */ +/* ---------------------------------------------------------------------------*/ #ifdef SINGLE_THREADED -int wc_InitMutex(wolfSSL_Mutex* m) -{ - (void)m; - return 0; -} + int wc_InitMutex(wolfSSL_Mutex* m) + { + (void)m; + return 0; + } -int wc_FreeMutex(wolfSSL_Mutex *m) -{ - (void)m; - return 0; -} + int wc_FreeMutex(wolfSSL_Mutex *m) + { + (void)m; + return 0; + } -int wc_LockMutex(wolfSSL_Mutex *m) -{ - (void)m; - return 0; -} + int wc_LockMutex(wolfSSL_Mutex *m) + { + (void)m; + return 0; + } -int wc_UnLockMutex(wolfSSL_Mutex *m) -{ - (void)m; - return 0; -} + int wc_UnLockMutex(wolfSSL_Mutex *m) + { + (void)m; + return 0; + } -#else /* MULTI_THREAD */ +#elif defined(FREERTOS) || defined(FREERTOS_TCP) || \ + defined(FREESCALE_FREE_RTOS) - #if defined(FREERTOS) || defined(FREERTOS_TCP) || \ - defined(FREESCALE_FREE_RTOS) + int wc_InitMutex(wolfSSL_Mutex* m) + { + int iReturn; - int wc_InitMutex(wolfSSL_Mutex* m) - { - int iReturn; + *m = ( wolfSSL_Mutex ) xSemaphoreCreateMutex(); + if( *m != NULL ) + iReturn = 0; + else + iReturn = BAD_MUTEX_E; - *m = ( wolfSSL_Mutex ) xSemaphoreCreateMutex(); - if( *m != NULL ) - iReturn = 0; - else - iReturn = BAD_MUTEX_E; + return iReturn; + } - return iReturn; - } + int wc_FreeMutex(wolfSSL_Mutex* m) + { + vSemaphoreDelete( *m ); + return 0; + } + + int wc_LockMutex(wolfSSL_Mutex* m) + { + /* Assume an infinite block, or should there be zero block? */ + xSemaphoreTake( *m, portMAX_DELAY ); + return 0; + } + + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + xSemaphoreGive( *m ); + return 0; + } + +#elif defined(WOLFSSL_SAFERTOS) + + int wc_InitMutex(wolfSSL_Mutex* m) + { + vSemaphoreCreateBinary(m->mutexBuffer, m->mutex); + if (m->mutex == NULL) + return BAD_MUTEX_E; + + return 0; + } + + int wc_FreeMutex(wolfSSL_Mutex* m) + { + (void)m; + return 0; + } + + int wc_LockMutex(wolfSSL_Mutex* m) + { + /* Assume an infinite block */ + xSemaphoreTake(m->mutex, portMAX_DELAY); + return 0; + } + + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + xSemaphoreGive(m->mutex); + return 0; + } + +#elif defined(USE_WINDOWS_API) + + int wc_InitMutex(wolfSSL_Mutex* m) + { + InitializeCriticalSection(m); + return 0; + } - int wc_FreeMutex(wolfSSL_Mutex* m) - { - vSemaphoreDelete( *m ); + int wc_FreeMutex(wolfSSL_Mutex* m) + { + DeleteCriticalSection(m); + return 0; + } + + + int wc_LockMutex(wolfSSL_Mutex* m) + { + EnterCriticalSection(m); + return 0; + } + + + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + LeaveCriticalSection(m); + return 0; + } + +#elif defined(WOLFSSL_PTHREADS) + + int wc_InitMutex(wolfSSL_Mutex* m) + { + if (pthread_mutex_init(m, 0) == 0) return 0; - } + else + return BAD_MUTEX_E; + } - int wc_LockMutex(wolfSSL_Mutex* m) - { - /* Assume an infinite block, or should there be zero block? */ - xSemaphoreTake( *m, portMAX_DELAY ); + + int wc_FreeMutex(wolfSSL_Mutex* m) + { + if (pthread_mutex_destroy(m) == 0) return 0; - } + else + return BAD_MUTEX_E; + } - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - xSemaphoreGive( *m ); + + int wc_LockMutex(wolfSSL_Mutex* m) + { + if (pthread_mutex_lock(m) == 0) return 0; - } + else + return BAD_MUTEX_E; + } - #elif defined(WOLFSSL_SAFERTOS) - - int wc_InitMutex(wolfSSL_Mutex* m) - { - vSemaphoreCreateBinary(m->mutexBuffer, m->mutex); - if (m->mutex == NULL) - return BAD_MUTEX_E; + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + if (pthread_mutex_unlock(m) == 0) return 0; - } + else + return BAD_MUTEX_E; + } - int wc_FreeMutex(wolfSSL_Mutex* m) - { - (void)m; +#elif defined(THREADX) + + int wc_InitMutex(wolfSSL_Mutex* m) + { + if (tx_mutex_create(m, "wolfSSL Mutex", TX_NO_INHERIT) == 0) return 0; - } + else + return BAD_MUTEX_E; + } - int wc_LockMutex(wolfSSL_Mutex* m) - { - /* Assume an infinite block */ - xSemaphoreTake(m->mutex, portMAX_DELAY); + + int wc_FreeMutex(wolfSSL_Mutex* m) + { + if (tx_mutex_delete(m) == 0) return 0; - } + else + return BAD_MUTEX_E; + } - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - xSemaphoreGive(m->mutex); + + int wc_LockMutex(wolfSSL_Mutex* m) + { + if (tx_mutex_get(m, TX_WAIT_FOREVER) == 0) return 0; - } + else + return BAD_MUTEX_E; + } - - #elif defined(USE_WINDOWS_API) - - int wc_InitMutex(wolfSSL_Mutex* m) - { - InitializeCriticalSection(m); + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + if (tx_mutex_put(m) == 0) return 0; - } + else + return BAD_MUTEX_E; + } +#elif defined(MICRIUM) - int wc_FreeMutex(wolfSSL_Mutex* m) - { - DeleteCriticalSection(m); - return 0; - } - - - int wc_LockMutex(wolfSSL_Mutex* m) - { - EnterCriticalSection(m); - return 0; - } - - - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - LeaveCriticalSection(m); - return 0; - } - - #elif defined(WOLFSSL_PTHREADS) - - int wc_InitMutex(wolfSSL_Mutex* m) - { - if (pthread_mutex_init(m, 0) == 0) + int wc_InitMutex(wolfSSL_Mutex* m) + { + #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) + if (NetSecure_OS_MutexCreate(m) == 0) return 0; else return BAD_MUTEX_E; - } + #else + return 0; + #endif + } - - int wc_FreeMutex(wolfSSL_Mutex* m) - { - if (pthread_mutex_destroy(m) == 0) + int wc_FreeMutex(wolfSSL_Mutex* m) + { + #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) + if (NetSecure_OS_wc_FreeMutex(m) == 0) return 0; else return BAD_MUTEX_E; - } + #else + return 0; + #endif + } - - int wc_LockMutex(wolfSSL_Mutex* m) - { - if (pthread_mutex_lock(m) == 0) + int wc_LockMutex(wolfSSL_Mutex* m) + { + #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) + if (NetSecure_OS_wc_LockMutex(m) == 0) return 0; else return BAD_MUTEX_E; - } + #else + return 0; + #endif + } - - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - if (pthread_mutex_unlock(m) == 0) + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) + if (NetSecure_OS_wc_UnLockMutex(m) == 0) return 0; else return BAD_MUTEX_E; + #else + return 0; + #endif + + } + +#elif defined(EBSNET) + + int wc_InitMutex(wolfSSL_Mutex* m) + { + if (rtp_sig_mutex_alloc(m, "wolfSSL Mutex") == -1) + return BAD_MUTEX_E; + else + return 0; + } + + int wc_FreeMutex(wolfSSL_Mutex* m) + { + rtp_sig_mutex_free(*m); + return 0; + } + + int wc_LockMutex(wolfSSL_Mutex* m) + { + if (rtp_sig_mutex_claim_timed(*m, RTIP_INF) == 0) + return 0; + else + return BAD_MUTEX_E; + } + + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + rtp_sig_mutex_release(*m); + return 0; + } + +#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) + + int wc_InitMutex(wolfSSL_Mutex* m) + { + if (_mutex_init(m, NULL) == MQX_EOK) + return 0; + else + return BAD_MUTEX_E; + } + + int wc_FreeMutex(wolfSSL_Mutex* m) + { + if (_mutex_destroy(m) == MQX_EOK) + return 0; + else + return BAD_MUTEX_E; + } + + int wc_LockMutex(wolfSSL_Mutex* m) + { + if (_mutex_lock(m) == MQX_EOK) + return 0; + else + return BAD_MUTEX_E; + } + + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + if (_mutex_unlock(m) == MQX_EOK) + return 0; + else + return BAD_MUTEX_E; + } + +#elif defined(WOLFSSL_TIRTOS) + #include + + int wc_InitMutex(wolfSSL_Mutex* m) + { + Semaphore_Params params; + Error_Block eb; + + Error_init(&eb); + Semaphore_Params_init(¶ms); + params.mode = Semaphore_Mode_BINARY; + + *m = Semaphore_create(1, ¶ms, &eb); + if (Error_check(&eb)) { + Error_raise(&eb, Error_E_generic, "Failed to Create the semaphore.", + NULL); + return BAD_MUTEX_E; } + else + return 0; + } - #elif defined(THREADX) + int wc_FreeMutex(wolfSSL_Mutex* m) + { + Semaphore_delete(m); - int wc_InitMutex(wolfSSL_Mutex* m) - { - if (tx_mutex_create(m, "wolfSSL Mutex", TX_NO_INHERIT) == 0) - return 0; - else - return BAD_MUTEX_E; + return 0; + } + + int wc_LockMutex(wolfSSL_Mutex* m) + { + Semaphore_pend(*m, BIOS_WAIT_FOREVER); + + return 0; + } + + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + Semaphore_post(*m); + + return 0; + } + +#elif defined(WOLFSSL_uITRON4) + + int wc_InitMutex(wolfSSL_Mutex* m) + { + int iReturn; + m->sem.sematr = TA_TFIFO; + m->sem.isemcnt = 1; + m->sem.maxsem = 1; + m->sem.name = NULL; + + m->id = acre_sem(&m->sem); + if( m->id != E_OK ) + iReturn = 0; + else + iReturn = BAD_MUTEX_E; + + return iReturn; + } + + int wc_FreeMutex(wolfSSL_Mutex* m) + { + del_sem( m->id ); + return 0; + } + + int wc_LockMutex(wolfSSL_Mutex* m) + { + wai_sem(m->id); + return 0; + } + + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + sig_sem(m->id); + return 0; + } + + /**** uITRON malloc/free ***/ + static ID ID_wolfssl_MPOOL = 0; + static T_CMPL wolfssl_MPOOL = {TA_TFIFO, 0, NULL, "wolfSSL_MPOOL"}; + + int uITRON4_minit(size_t poolsz) { + ER ercd; + wolfssl_MPOOL.mplsz = poolsz; + ercd = acre_mpl(&wolfssl_MPOOL); + if (ercd > 0) { + ID_wolfssl_MPOOL = ercd; + return 0; + } else { + return -1; } + } - - int wc_FreeMutex(wolfSSL_Mutex* m) - { - if (tx_mutex_delete(m) == 0) - return 0; - else - return BAD_MUTEX_E; - } - - - int wc_LockMutex(wolfSSL_Mutex* m) - { - if (tx_mutex_get(m, TX_WAIT_FOREVER) == 0) - return 0; - else - return BAD_MUTEX_E; - } - - - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - if (tx_mutex_put(m) == 0) - return 0; - else - return BAD_MUTEX_E; - } - - #elif defined(MICRIUM) - - int wc_InitMutex(wolfSSL_Mutex* m) - { - #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) - if (NetSecure_OS_MutexCreate(m) == 0) - return 0; - else - return BAD_MUTEX_E; - #else - return 0; - #endif - } - - - int wc_FreeMutex(wolfSSL_Mutex* m) - { - #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) - if (NetSecure_OS_wc_FreeMutex(m) == 0) - return 0; - else - return BAD_MUTEX_E; - #else - return 0; - #endif - } - - - int wc_LockMutex(wolfSSL_Mutex* m) - { - #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) - if (NetSecure_OS_wc_LockMutex(m) == 0) - return 0; - else - return BAD_MUTEX_E; - #else - return 0; - #endif - } - - - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED) - if (NetSecure_OS_wc_UnLockMutex(m) == 0) - return 0; - else - return BAD_MUTEX_E; - #else - return 0; - #endif - - } - - #elif defined(EBSNET) - - int wc_InitMutex(wolfSSL_Mutex* m) - { - if (rtp_sig_mutex_alloc(m, "wolfSSL Mutex") == -1) - return BAD_MUTEX_E; - else - return 0; - } - - int wc_FreeMutex(wolfSSL_Mutex* m) - { - rtp_sig_mutex_free(*m); + void *uITRON4_malloc(size_t sz) { + ER ercd; + void *p; + ercd = get_mpl(ID_wolfssl_MPOOL, sz, (VP)&p); + if (ercd == E_OK) { + return p; + } else { return 0; } + } - int wc_LockMutex(wolfSSL_Mutex* m) - { - if (rtp_sig_mutex_claim_timed(*m, RTIP_INF) == 0) - return 0; - else - return BAD_MUTEX_E; - } - - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - rtp_sig_mutex_release(*m); - return 0; - } - - #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) - - int wc_InitMutex(wolfSSL_Mutex* m) - { - if (_mutex_init(m, NULL) == MQX_EOK) - return 0; - else - return BAD_MUTEX_E; - } - - int wc_FreeMutex(wolfSSL_Mutex* m) - { - if (_mutex_destroy(m) == MQX_EOK) - return 0; - else - return BAD_MUTEX_E; - } - - int wc_LockMutex(wolfSSL_Mutex* m) - { - if (_mutex_lock(m) == MQX_EOK) - return 0; - else - return BAD_MUTEX_E; - } - - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - if (_mutex_unlock(m) == MQX_EOK) - return 0; - else - return BAD_MUTEX_E; - } - - #elif defined (WOLFSSL_TIRTOS) - #include - int wc_InitMutex(wolfSSL_Mutex* m) - { - Semaphore_Params params; - Error_Block eb; - Error_init(&eb); - Semaphore_Params_init(¶ms); - params.mode = Semaphore_Mode_BINARY; - - *m = Semaphore_create(1, ¶ms, &eb); - if( Error_check( &eb ) ) - { - Error_raise( &eb, Error_E_generic, "Failed to Create the semaphore.",NULL); - return BAD_MUTEX_E; - } else return 0; - } - - int wc_FreeMutex(wolfSSL_Mutex* m) - { - Semaphore_delete(m); - - return 0; - } - - int wc_LockMutex(wolfSSL_Mutex* m) - { - Semaphore_pend(*m, BIOS_WAIT_FOREVER); - - return 0; - } - - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - Semaphore_post(*m); - - return 0; - } - - #elif defined(WOLFSSL_uITRON4) - #include "stddef.h" - #include "kernel.h" - int wc_InitMutex(wolfSSL_Mutex* m) - { - int iReturn; - m->sem.sematr = TA_TFIFO ; - m->sem.isemcnt = 1 ; - m->sem.maxsem = 1 ; - m->sem.name = NULL ; - - m->id = acre_sem(&m->sem); - if( m->id != E_OK ) - iReturn = 0; - else - iReturn = BAD_MUTEX_E; - - return iReturn; - } - - int wc_FreeMutex(wolfSSL_Mutex* m) - { - del_sem( m->id ); - return 0; - } - - int wc_LockMutex(wolfSSL_Mutex* m) - { - wai_sem(m->id); - return 0; - } - - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - sig_sem(m->id); - return 0; - } - - /**** uITRON malloc/free ***/ - static ID ID_wolfssl_MPOOL = 0 ; - static T_CMPL wolfssl_MPOOL = {TA_TFIFO, 0, NULL, "wolfSSL_MPOOL"}; - - int uITRON4_minit(size_t poolsz) { - ER ercd; - wolfssl_MPOOL.mplsz = poolsz ; - ercd = acre_mpl(&wolfssl_MPOOL); - if (ercd > 0) { - ID_wolfssl_MPOOL = ercd; - return 0; - } else { - return -1; - } - } - - void *uITRON4_malloc(size_t sz) { - ER ercd; - void *p ; - ercd = get_mpl(ID_wolfssl_MPOOL, sz, (VP)&p); - if (ercd == E_OK) { - return p; - } else { - return 0 ; - } - } - - void *uITRON4_realloc(void *p, size_t sz) { - ER ercd; - void *newp ; - if(p) { - ercd = get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp); + void *uITRON4_realloc(void *p, size_t sz) { + ER ercd; + void *newp; + if(p) { + ercd = get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp); + if (ercd == E_OK) { + XMEMCPY(newp, p, sz); + ercd = rel_mpl(ID_wolfssl_MPOOL, (VP)p); if (ercd == E_OK) { - XMEMCPY(newp, p, sz) ; - ercd = rel_mpl(ID_wolfssl_MPOOL, (VP)p); - if (ercd == E_OK) { - return newp; - } + return newp; } } - return 0 ; - } + } + return 0; + } - void uITRON4_free(void *p) { - ER ercd; - ercd = rel_mpl(ID_wolfssl_MPOOL, (VP)p); - if (ercd == E_OK) { - return ; - } else { - return ; - } + void uITRON4_free(void *p) { + ER ercd; + ercd = rel_mpl(ID_wolfssl_MPOOL, (VP)p); + if (ercd == E_OK) { + return; + } else { + return; } + } #elif defined(WOLFSSL_uTKERNEL2) - #include "tk/tkernel.h" - int wc_InitMutex(wolfSSL_Mutex* m) - { - int iReturn; - m->sem.sematr = TA_TFIFO ; - m->sem.isemcnt = 1 ; - m->sem.maxsem = 1 ; - m->id = tk_cre_sem(&m->sem); - if( m->id != NULL ) - iReturn = 0; - else - iReturn = BAD_MUTEX_E; + int wc_InitMutex(wolfSSL_Mutex* m) + { + int iReturn; + m->sem.sematr = TA_TFIFO; + m->sem.isemcnt = 1; + m->sem.maxsem = 1; - return iReturn; + m->id = tk_cre_sem(&m->sem); + if( m->id != NULL ) + iReturn = 0; + else + iReturn = BAD_MUTEX_E; + + return iReturn; + } + + int wc_FreeMutex(wolfSSL_Mutex* m) + { + tk_del_sem( m->id ); + return 0; + } + + int wc_LockMutex(wolfSSL_Mutex* m) + { + tk_wai_sem(m->id, 1, TMO_FEVR); + return 0; + } + + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + tk_sig_sem(m->id, 1); + return 0; + } + + /**** uT-Kernel malloc/free ***/ + static ID ID_wolfssl_MPOOL = 0; + static T_CMPL wolfssl_MPOOL = + {(void *)NULL, + TA_TFIFO , 0, "wolfSSL_MPOOL"}; + + int uTKernel_init_mpool(unsigned int sz) { + ER ercd; + wolfssl_MPOOL.mplsz = sz; + ercd = tk_cre_mpl(&wolfssl_MPOOL); + if (ercd > 0) { + ID_wolfssl_MPOOL = ercd; + return 0; + } else { + return -1; } + } - int wc_FreeMutex(wolfSSL_Mutex* m) - { - tk_del_sem( m->id ); + void *uTKernel_malloc(unsigned int sz) { + ER ercd; + void *p; + ercd = tk_get_mpl(ID_wolfssl_MPOOL, sz, (VP)&p, TMO_FEVR); + if (ercd == E_OK) { + return p; + } else { return 0; } + } - int wc_LockMutex(wolfSSL_Mutex* m) - { - tk_wai_sem(m->id, 1, TMO_FEVR); - return 0; - } - - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - tk_sig_sem(m->id, 1); - return 0; - } - - /**** uT-Kernel malloc/free ***/ - static ID ID_wolfssl_MPOOL = 0 ; - static T_CMPL wolfssl_MPOOL = - {(void *)NULL, - TA_TFIFO , 0, "wolfSSL_MPOOL"}; - - int uTKernel_init_mpool(unsigned int sz) { - ER ercd; - wolfssl_MPOOL.mplsz = sz ; - ercd = tk_cre_mpl(&wolfssl_MPOOL); - if (ercd > 0) { - ID_wolfssl_MPOOL = ercd; - return 0; - } else { - return -1; - } - } - - void *uTKernel_malloc(unsigned int sz) { - ER ercd; - void *p ; - ercd = tk_get_mpl(ID_wolfssl_MPOOL, sz, (VP)&p, TMO_FEVR); - if (ercd == E_OK) { - return p; - } else { - return 0 ; - } - } - - void *uTKernel_realloc(void *p, unsigned int sz) { - ER ercd; - void *newp ; - if(p) { - ercd = tk_get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp, TMO_FEVR); + void *uTKernel_realloc(void *p, unsigned int sz) { + ER ercd; + void *newp; + if(p) { + ercd = tk_get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp, TMO_FEVR); + if (ercd == E_OK) { + XMEMCPY(newp, p, sz); + ercd = tk_rel_mpl(ID_wolfssl_MPOOL, (VP)p); if (ercd == E_OK) { - XMEMCPY(newp, p, sz) ; - ercd = tk_rel_mpl(ID_wolfssl_MPOOL, (VP)p); - if (ercd == E_OK) { - return newp; - } + return newp; } } - return 0 ; - } + } + return 0; + } - void uTKernel_free(void *p) { - ER ercd; - ercd = tk_rel_mpl(ID_wolfssl_MPOOL, (VP)p); - if (ercd == E_OK) { - return ; - } else { - return ; - } - } - #elif defined (WOLFSSL_FROSTED) - int wc_InitMutex(wolfSSL_Mutex* m) - { - *m = mutex_init(); - if (*m) - return 0; - else - return -1; + void uTKernel_free(void *p) { + ER ercd; + ercd = tk_rel_mpl(ID_wolfssl_MPOOL, (VP)p); + if (ercd == E_OK) { + return; + } else { + return; } + } - int wc_FreeMutex(wolfSSL_Mutex* m) - { - mutex_destroy(*m); - return(0) ; - } +#elif defined (WOLFSSL_FROSTED) - int wc_LockMutex(wolfSSL_Mutex* m) - { - mutex_lock(*m); + int wc_InitMutex(wolfSSL_Mutex* m) + { + *m = mutex_init(); + if (*m) return 0; - } + else + return -1; + } - int wc_UnLockMutex(wolfSSL_Mutex* m) - { - mutex_unlock(*m); + int wc_FreeMutex(wolfSSL_Mutex* m) + { + mutex_destroy(*m); + return(0); + } + + int wc_LockMutex(wolfSSL_Mutex* m) + { + mutex_lock(*m); + return 0; + } + + int wc_UnLockMutex(wolfSSL_Mutex* m) + { + mutex_unlock(*m); + return 0; + } + +#elif defined(WOLFSSL_CMSIS_RTOS) + + #define CMSIS_NMUTEX 10 + osMutexDef(wolfSSL_mt0); osMutexDef(wolfSSL_mt1); osMutexDef(wolfSSL_mt2); + osMutexDef(wolfSSL_mt3); osMutexDef(wolfSSL_mt4); osMutexDef(wolfSSL_mt5); + osMutexDef(wolfSSL_mt6); osMutexDef(wolfSSL_mt7); osMutexDef(wolfSSL_mt8); + osMutexDef(wolfSSL_mt9); + + static const osMutexDef_t *CMSIS_mutex[] = { osMutex(wolfSSL_mt0), + osMutex(wolfSSL_mt1), osMutex(wolfSSL_mt2), osMutex(wolfSSL_mt3), + osMutex(wolfSSL_mt4), osMutex(wolfSSL_mt5), osMutex(wolfSSL_mt6), + osMutex(wolfSSL_mt7), osMutex(wolfSSL_mt8), osMutex(wolfSSL_mt9) }; + + static osMutexId CMSIS_mutexID[CMSIS_NMUTEX] = {0}; + + int wc_InitMutex(wolfSSL_Mutex* m) + { + int i; + for (i=0; i /* initialize and Mutex for TI Crypt Engine */ #include /* md5, sha1, sha224, sha256 */ #endif diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 324827e50..339eb531e 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -39,6 +39,9 @@ #define HEAP_HINT NULL #endif /* WOLFSSL_STATIC_MEMORY */ +#include +#include + #ifdef WOLFSSL_TEST_CERT #include #else @@ -59,9 +62,11 @@ #endif #include +#include #include #include #include +#include #include #include #include @@ -119,6 +124,16 @@ #endif +#if defined(NO_FILESYSTEM) + #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \ + !defined(USE_CERT_BUFFERS_4096) + #define USE_CERT_BUFFERS_2048 + #endif + #if !defined(USE_CERT_BUFFERS_256) + #define USE_CERT_BUFFERS_256 + #endif +#endif + #include #if defined(WOLFSSL_MDK_ARM) @@ -173,6 +188,9 @@ typedef struct testVector { size_t outLen; } testVector; +int error_test(void); +int base64_test(void); +int asn_test(void); int md2_test(void); int md5_test(void); int md4_test(void); @@ -181,6 +199,7 @@ int sha224_test(void); int sha256_test(void); int sha512_test(void); int sha384_test(void); +int hash_test(void); int hmac_md5_test(void); int hmac_sha_test(void); int hmac_sha224_test(void); @@ -245,6 +264,9 @@ int scrypt_test(void); int pkcs7signed_test(void); int pkcs7encrypted_test(void); #endif +#if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) +int cert_test(void); +#endif #if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) int certext_test(void); #endif @@ -254,6 +276,14 @@ int idea_test(void); #ifdef WOLFSSL_STATIC_MEMORY int memory_test(void); #endif +#ifdef HAVE_VALGRIND +int mp_test(void); +#endif +int logging_test(void); +int mutex_test(void); +#ifdef USE_WOLFSSL_MEMORY +int memcb_test(void); +#endif #if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND) && !defined(OPENSSL_EXTRA) int wolfSSL_Debugging_ON(void); @@ -356,6 +386,25 @@ int wolfcrypt_test(void* args) (void)devId; #endif /* WOLFSSL_ASYNC_CRYPT */ + if ( (ret = error_test()) != 0) + return err_sys("error test failed!\n", ret); + else + printf( "error test passed!\n"); + +#if !defined(NO_CODING) && defined(WOLFSSL_BASE64_ENCODE) + if ( (ret = base64_test()) != 0) + return err_sys("base64 test failed!\n", ret); + else + printf( "base64 test passed!\n"); +#endif + +#ifndef NO_ASN + if ( (ret = asn_test()) != 0) + return err_sys("base64 test failed!\n", ret); + else + printf( "base64 test passed!\n"); +#endif + #ifndef NO_MD5 if ( (ret = md5_test()) != 0) return err_sys("MD5 test failed!\n", ret); @@ -412,6 +461,11 @@ int wolfcrypt_test(void* args) printf( "SHA-512 test passed!\n"); #endif + if ( (ret = hash_test()) != 0) + return err_sys("Hash test failed!\n", ret); + else + printf( "Hash test passed!\n"); + #ifdef WOLFSSL_RIPEMD if ( (ret = ripemd_test()) != 0) return err_sys("RIPEMD test failed!\n", ret); @@ -616,6 +670,13 @@ int wolfcrypt_test(void* args) printf( "RSA test passed!\n"); #endif +#if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) + if ( (ret = cert_test()) != 0) + return err_sys("CERT test failed!\n", ret); + else + printf( "CERT test passed!\n"); +#endif + #if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) if ( (ret = certext_test()) != 0) return err_sys("CERT EXT test failed!\n", ret); @@ -728,6 +789,32 @@ int wolfcrypt_test(void* args) printf( "PKCS7encrypted test passed!\n"); #endif +#ifdef HAVE_VALGRIND + if ( (ret = mp_test()) != 0) + return err_sys("mp test failed!\n", ret); + else + printf( "mp test passed!\n"); +#endif + +#ifdef HAVE_VALGRIND + if ( (ret = logging_test()) != 0) + return err_sys("logging test failed!\n", ret); + else + printf( "logging test passed!\n"); +#endif + + if ( (ret = mutex_test()) != 0) + return err_sys("mutex test failed!\n", ret); + else + printf( "mutex test passed!\n"); + +#ifdef USE_WOLFSSL_MEMORY + if ( (ret = memcb_test()) != 0) + return err_sys("memcb test failed!\n", ret); + else + printf( "memcb test passed!\n"); +#endif + #if defined(USE_WOLFSSL_MEMORY) && defined(WOLFSSL_TRACK_MEMORY) ShowMemoryTracker(); #endif @@ -775,6 +862,190 @@ int wolfcrypt_test(void* args) #endif /* NO_MAIN_DRIVER */ +int error_test() +{ + const char* errStr; + char out[WOLFSSL_MAX_ERROR_SZ]; + const char* unknownStr = wc_GetErrorString(0); + +#ifdef NO_ERROR_STRINGS + /* Ensure a valid error code's string matches an invalid code's. + * The string is that error strings are not available. + */ + errStr = wc_GetErrorString(OPEN_RAN_E); + wc_ErrorString(OPEN_RAN_E, out); + if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) != 0) + return -10; + if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) != 0) + return -11; +#else + int i; + int j = 0; + /* Values that are not or no longer error codes. */ + int missing[] = { -122, -123, -124, -127, -128, -129, + -161, -162, -163, -164, -165, -166, -167, -168, -169, + -178, -179, -233, + 0 }; + + /* Check that all errors have a string and it's the same through the two + * APIs. Check that the values that are not errors map to the unknown + * string. + */ + for (i = OPEN_RAN_E; i >= BAD_PATH_ERROR; i--) { + errStr = wc_GetErrorString(i); + wc_ErrorString(i, out); + + if (i != missing[j]) { + if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) == 0) + return -10; + if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) == 0) + return -11; + if (XSTRNCMP(errStr, out, XSTRLEN(errStr)) != 0) + return -12; + } + else { + j++; + if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) != 0) + return -13; + if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) != 0) + return -14; + } + } + + /* Check if the next possible value has been given a string. */ + errStr = wc_GetErrorString(i); + wc_ErrorString(i, out); + if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) != 0) + return -15; + if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) != 0) + return -16; +#endif + + return 0; +} + +#if !defined(NO_CODING) && defined(WOLFSSL_BASE64_ENCODE) +int base64_test() +{ + int ret; + const byte good[] = "A+Gd\0\0\0"; + const byte goodEnd[] = "A+Gd \r\n"; + byte out[128]; + word32 outLen; + byte data[3]; + word32 dataLen; + byte longData[79] = { 0 }; + const byte symbols[] = "+/A="; + const byte badSmall[] = "AAA Gdj="; + const byte badLarge[] = "AAA~Gdj="; + const byte badEOL[] = "A+Gd "; + int i; + + /* Good Base64 encodings. */ + outLen = sizeof(out); + ret = Base64_Decode(good, sizeof(good), out, &outLen); + if (ret != 0) + return -20; + outLen = sizeof(out); + ret = Base64_Decode(goodEnd, sizeof(goodEnd), out, &outLen); + if (ret != 0) + return -21; + + /* Bad parameters. */ + outLen = 1; + ret = Base64_Decode(good, sizeof(good), out, &outLen); + if (ret != BAD_FUNC_ARG) + return -22; + + outLen = sizeof(out); + ret = Base64_Decode(badEOL, sizeof(badEOL), out, &outLen); + if (ret != ASN_INPUT_E) + return -23; + /* Bad character at each offset 0-3. */ + for (i = 0; i < 4; i++) { + outLen = sizeof(out); + ret = Base64_Decode(badSmall + i, 4, out, &outLen); + if (ret != ASN_INPUT_E) + return -24 - i; + ret = Base64_Decode(badLarge + i, 4, out, &outLen); + if (ret != ASN_INPUT_E) + return -28 - i; + } + + /* Decode and encode all symbols - non-alphanumeric. */ + dataLen = sizeof(data); + ret = Base64_Decode(symbols, sizeof(symbols), data, &dataLen); + if (ret != 0) + return -40; + outLen = sizeof(out); + ret = Base64_Encode(data, dataLen, NULL, &outLen); + if (ret != LENGTH_ONLY_E) + return -41; + outLen = sizeof(out); + ret = Base64_Encode(data, dataLen, out, &outLen); + if (ret != 0) + return -42; + outLen = 7; + ret = Base64_EncodeEsc(data, dataLen, out, &outLen); + if (ret != BUFFER_E) + return -43; + outLen = sizeof(out); + ret = Base64_EncodeEsc(data, dataLen, NULL, &outLen); + if (ret != LENGTH_ONLY_E) + return -44; + outLen = sizeof(out); + ret = Base64_EncodeEsc(data, dataLen, out, &outLen); + if (ret != 0) + return -45; + outLen = sizeof(out); + ret = Base64_Encode_NoNl(data, dataLen, out, &outLen); + if (ret != 0) + return -46; + + /* Data that results in an encoding longer than one line. */ + outLen = sizeof(out); + dataLen = sizeof(longData); + ret = Base64_Encode(longData, dataLen, out, &outLen); + if (ret != 0) + return -47; + outLen = sizeof(out); + ret = Base64_EncodeEsc(longData, dataLen, out, &outLen); + if (ret != 0) + return -48; + outLen = sizeof(out); + ret = Base64_Encode_NoNl(longData, dataLen, out, &outLen); + if (ret != 0) + return -49; + + return 0; +} +#endif + +#ifndef NO_ASN +int asn_test() +{ +#ifndef NO_ASN_TIME + { + time_t now; + + /* Parameter Validation tests. */ + if (wc_GetTime(NULL, sizeof(now)) != BAD_FUNC_ARG) + return -100; + if (wc_GetTime(&now, 0) != BUFFER_E) + return -101; + + now = 0; + if (wc_GetTime(&now, sizeof(now)) != 0) + return -102; + if (now == 0) + return -103; + } +#endif + + return 0; +} +#endif + #ifdef WOLFSSL_MD2 int md2_test() { @@ -855,6 +1126,7 @@ int md2_test() int md5_test(void) { Md5 md5; + Md5 partialMd5; byte hash[MD5_DIGEST_SIZE]; testVector a, b, c, d, e; @@ -920,6 +1192,26 @@ int md5_test(void) return -5 - i; } + /* Position restoration and getting the hash doesn't invalidate state. */ + wc_InitMd5(&md5); + wc_InitMd5(&partialMd5); + wc_Md5Update(&partialMd5, (byte*)a.input, 1); + wc_Md5RestorePos(&md5, &partialMd5); + wc_Md5GetHash(&partialMd5, hash); + wc_Md5Update(&partialMd5, (byte*)a.input + 1, (word32)a.inLen - 1); + wc_Md5Update(&md5, (byte*)a.input + 1, (word32)a.inLen - 1); + wc_Md5Final(&partialMd5, hash); + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -10; + XMEMSET(hash, 0, a.outLen); + wc_Md5Final(&md5, hash); + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -11; + if (wc_Md5Hash((byte*)a.input, (word32)a.inLen, hash) != 0) + return -12; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -13; + return 0; } #endif /* NO_MD5 */ @@ -1008,6 +1300,7 @@ int md4_test(void) int sha_test(void) { Sha sha; + Sha partialSha; byte hash[SHA_DIGEST_SIZE]; testVector a, b, c, d; @@ -1059,6 +1352,43 @@ int sha_test(void) return -10 - i; } + /* Position restoration and getting the hash doesn't invalidate state. */ + ret = wc_InitSha(&sha); + if (ret != 0) + return -20; + ret = wc_InitSha(&partialSha); + if (ret != 0) + return -21; + ret = wc_ShaUpdate(&partialSha, (byte*)a.input, 1); + if (ret != 0) + return -22; + wc_ShaRestorePos(&sha, &partialSha); + ret = wc_ShaGetHash(&partialSha, hash); + if (ret != 0) + return -23; + ret = wc_ShaUpdate(&partialSha, (byte*)a.input + 1, (word32)a.inLen - 1); + if (ret != 0) + return -24; + ret = wc_ShaUpdate(&sha, (byte*)a.input + 1, (word32)a.inLen - 1); + if (ret != 0) + return -25; + ret = wc_ShaFinal(&partialSha, hash); + if (ret != 0) + return -26; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -27; + XMEMSET(hash, 0, a.outLen); + ret = wc_ShaFinal(&sha, hash); + if (ret != 0) + return -28; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -29; + ret = wc_ShaHash((byte*)a.input, (word32)a.inLen, hash); + if (ret != 0) + return -30; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -31; + return 0; } @@ -1236,6 +1566,30 @@ int sha224_test(void) return -10 - i; } + /* Getting the hash doesn't invalidate state. */ + ret = wc_InitSha224(&sha); + if (ret != 0) + return -20; + ret = wc_Sha224Update(&sha, (byte*)a.input, 1); + if (ret != 0) + return -21; + ret = wc_Sha224GetHash(&sha, hash); + if (ret != 0) + return -22; + ret = wc_Sha224Update(&sha, (byte*)a.input + 1, (word32)(a.inLen - 1)); + if (ret != 0) + return -23; + ret = wc_Sha224Final(&sha, hash); + if (ret != 0) + return -24; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -25; + ret = wc_Sha224Hash((byte*)a.input, (word32)a.inLen, hash); + if (ret != 0) + return -26; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -27; + return 0; } #endif @@ -1245,6 +1599,7 @@ int sha224_test(void) int sha256_test(void) { Sha256 sha; + Sha256 partialSha; byte hash[SHA256_DIGEST_SIZE]; testVector a, b; @@ -1285,6 +1640,44 @@ int sha256_test(void) return -10 - i; } + /* Position restoration and getting the hash doesn't invalidate state. */ + ret = wc_InitSha256(&sha); + if (ret != 0) + return -20; + ret = wc_InitSha256(&partialSha); + if (ret != 0) + return -21; + ret = wc_Sha256Update(&partialSha, (byte*)a.input, 1); + if (ret != 0) + return -22; + wc_Sha256RestorePos(&sha, &partialSha); + ret = wc_Sha256GetHash(&partialSha, hash); + if (ret != 0) + return -23; + ret = wc_Sha256Update(&partialSha, (byte*)a.input + 1, (word32)a.inLen - 1); + if (ret != 0) + return -24; + ret = wc_Sha256Update(&sha, (byte*)a.input + 1, (word32)a.inLen - 1); + if (ret != 0) + return -25; + ret = wc_Sha256Final(&partialSha, hash); + if (ret != 0) + return -26; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -27; + XMEMSET(hash, 0, a.outLen); + ret = wc_Sha256Final(&sha, hash); + if (ret != 0) + return -28; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -29; + XMEMSET(hash, 0, a.outLen); + ret = wc_Sha256Hash((byte*)a.input, (word32)a.inLen, hash); + if (ret != 0) + return -30; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -31; + return 0; } #endif @@ -1340,6 +1733,30 @@ int sha512_test(void) return -10 - i; } + /* Getting the hash doesn't invalidate state. */ + ret = wc_InitSha512(&sha); + if (ret != 0) + return -20; + ret = wc_Sha512Update(&sha, (byte*)a.input, 1); + if (ret != 0) + return -21; + ret = wc_Sha512GetHash(&sha, hash); + if (ret != 0) + return -22; + ret = wc_Sha512Update(&sha, (byte*)a.input + 1, (word32)a.inLen - 1); + if (ret != 0) + return -23; + ret = wc_Sha512Final(&sha, hash); + if (ret != 0) + return -24; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -15; + ret = wc_Sha512Hash((byte*)a.input, (word32)a.inLen, hash); + if (ret != 0) + return -26; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -27; + return 0; } #endif @@ -1393,10 +1810,196 @@ int sha384_test(void) return -10 - i; } + /* Getting the hash doesn't invalidate state. */ + ret = wc_InitSha384(&sha); + if (ret != 0) + return -20; + ret = wc_Sha384Update(&sha, (byte*)a.input, 1); + if (ret != 0) + return -21; + ret = wc_Sha384GetHash(&sha, hash); + if (ret != 0) + return -22; + ret = wc_Sha384Update(&sha, (byte*)a.input + 1, (word32)(a.inLen - 1)); + if (ret != 0) + return -23; + ret = wc_Sha384Final(&sha, hash); + if (ret != 0) + return -24; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -25; + XMEMSET(hash, 0, a.outLen); + ret = wc_Sha384Hash((byte*)a.input, (word32)a.inLen, hash); + if (ret != 0) + return -26; + if (XMEMCMP(hash, a.output, a.outLen) != 0) + return -27; + return 0; } #endif /* WOLFSSL_SHA384 */ +int hash_test(void) +{ + wc_HashAlg hash; + int ret, exp_ret; + int i, j; + byte data[] = "0123456789abcdef0123456789abcdef012345"; + byte out[MAX_DIGEST_SIZE]; + enum wc_HashType typesGood[] = { WC_HASH_TYPE_MD5, WC_HASH_TYPE_SHA, + WC_HASH_TYPE_SHA224, WC_HASH_TYPE_SHA384, + WC_HASH_TYPE_SHA512, WC_HASH_TYPE_SHA256 }; + enum wc_HashType typesNoImpl[] = { +#ifdef NO_MD5 + WC_HASH_TYPE_MD5, +#endif +#ifdef NO_SHA + WC_HASH_TYPE_SHA, +#endif +#ifndef WOLFSSL_SHA224 + WC_HASH_TYPE_SHA224, +#endif +#ifdef NO_SHA256 + WC_HASH_TYPE_SHA256, +#endif +#ifndef WOLFSSL_SHA384 + WC_HASH_TYPE_SHA384, +#endif +#ifndef WOLFSSL_SHA512 + WC_HASH_TYPE_SHA512, +#endif + WC_HASH_TYPE_NONE + }; + enum wc_HashType typesBad[] = { WC_HASH_TYPE_NONE, WC_HASH_TYPE_MD5_SHA, + WC_HASH_TYPE_MD2, WC_HASH_TYPE_MD4 }; + + /* Parameter Validation testing. */ + ret = wc_HashInit(NULL, WC_HASH_TYPE_SHA256); + if (ret != BAD_FUNC_ARG) + return -4100; + ret = wc_HashUpdate(NULL, WC_HASH_TYPE_SHA256, NULL, sizeof(data)); + if (ret != BAD_FUNC_ARG) + return -4101; + ret = wc_HashUpdate(&hash, WC_HASH_TYPE_SHA256, NULL, sizeof(data)); + if (ret != BAD_FUNC_ARG) + return -4102; + ret = wc_HashUpdate(NULL, WC_HASH_TYPE_SHA256, data, sizeof(data)); + if (ret != BAD_FUNC_ARG) + return -4103; + ret = wc_HashFinal(NULL, WC_HASH_TYPE_SHA256, NULL); + if (ret != BAD_FUNC_ARG) + return -4104; + ret = wc_HashFinal(&hash, WC_HASH_TYPE_SHA256, NULL); + if (ret != BAD_FUNC_ARG) + return -4105; + ret = wc_HashFinal(NULL, WC_HASH_TYPE_SHA256, out); + if (ret != BAD_FUNC_ARG) + return -4106; + + /* Try invalid hash algorithms. */ + for (i = 0; i < (int)(sizeof(typesBad)/sizeof(*typesBad)); i++) { + ret = wc_HashInit(&hash, typesBad[i]); + if (ret != BAD_FUNC_ARG) + return -4110 - i; + ret = wc_HashUpdate(&hash, typesBad[i], data, sizeof(data)); + if (ret != BAD_FUNC_ARG) + return -4120 - i; + ret = wc_HashFinal(&hash, typesBad[i], out); + if (ret != BAD_FUNC_ARG) + return -4130 - i; + } + + /* Try valid hash algorithms. */ + for (i = 0, j = 0; i < (int)(sizeof(typesGood)/sizeof(*typesGood)); i++) { + exp_ret = 0; + if (typesGood[i] == typesNoImpl[j]) { + /* Recognized but no implementation compiled in. */ + exp_ret = HASH_TYPE_E; + j++; + } + ret = wc_HashInit(&hash, typesGood[i]); + if (ret != exp_ret) + return -4140 - i; + ret = wc_HashUpdate(&hash, typesGood[i], data, sizeof(data)); + if (ret != exp_ret) + return -4150 - i; + ret = wc_HashFinal(&hash, typesGood[i], out); + if (ret != exp_ret) + return -4160 - i; + ret = wc_HashGetOID(typesGood[i]); + if (ret == BAD_FUNC_ARG || + (exp_ret == 0 && ret == HASH_TYPE_E) || + (exp_ret != 0 && ret != HASH_TYPE_E)) { + return -4170 - i; + } + } + + ret = wc_HashGetOID(WC_HASH_TYPE_MD2); +#ifdef WOLFSSL_MD2 + if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG) + return -4180; +#else + if (ret != HASH_TYPE_E) + return -4180; +#endif + ret = wc_HashGetOID(WC_HASH_TYPE_MD5_SHA); +#ifndef NO_MD5 + if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG) + return -4181; +#else + if (ret != HASH_TYPE_E) + return -4181; +#endif + ret = wc_HashGetOID(WC_HASH_TYPE_MD4); + if (ret != BAD_FUNC_ARG) + return -4182; + ret = wc_HashGetOID(WC_HASH_TYPE_NONE); + if (ret != BAD_FUNC_ARG) + return -4183; + +#ifndef NO_ASN +#ifdef WOLFSSL_MD2 + ret = wc_GetCTC_HashOID(MD2); + if (ret == 0) + return -4190; +#endif +#ifndef NO_MD5 + ret = wc_GetCTC_HashOID(MD5); + if (ret == 0) + return -4191; +#endif +#ifndef NO_SHA + ret = wc_GetCTC_HashOID(SHA); + if (ret == 0) + return -4192; +#endif +#ifdef WOLFSSL_SHA224 + ret = wc_GetCTC_HashOID(SHA224); + if (ret == 0) + return -4193; +#endif +#ifndef NO_SHA256 + ret = wc_GetCTC_HashOID(SHA256); + if (ret == 0) + return -4194; +#endif +#ifdef WOLFSSL_SHA384 + ret = wc_GetCTC_HashOID(SHA384); + if (ret == 0) + return -4195; +#endif +#ifdef WOLFSSL_SHA512 + ret = wc_GetCTC_HashOID(SHA512); + if (ret == 0) + return -4196; +#endif + ret = wc_GetCTC_HashOID(-1); + if (ret != 0) + return -4197; +#endif + + return 0; +} #if !defined(NO_HMAC) && !defined(NO_MD5) int hmac_md5_test(void) @@ -1474,6 +2077,11 @@ int hmac_md5_test(void) #endif } +#ifndef HAVE_FIPS + if (wc_HmacSizeByType(MD5) != MD5_DIGEST_SIZE) + return -4018; +#endif + return 0; } #endif /* NO_HMAC && NO_MD5 */ @@ -1551,6 +2159,11 @@ int hmac_sha_test(void) #endif } +#ifndef HAVE_FIPS + if (wc_HmacSizeByType(SHA) != SHA_DIGEST_SIZE) + return -4021; +#endif + return 0; } #endif @@ -1629,6 +2242,11 @@ int hmac_sha224_test(void) #endif } +#ifndef HAVE_FIPS + if (wc_HmacSizeByType(SHA224) != SHA224_DIGEST_SIZE) + return -4024; +#endif + return 0; } #endif @@ -1710,6 +2328,15 @@ int hmac_sha256_test(void) #endif } +#ifndef HAVE_FIPS + if (wc_HmacSizeByType(SHA256) != SHA256_DIGEST_SIZE) + return -4024; + if (wc_HmacSizeByType(20) != BAD_FUNC_ARG) + return -4025; +#endif + if (wolfSSL_GetHmacMaxSize() != MAX_DIGEST_SIZE) + return -4026; + return 0; } #endif @@ -1796,6 +2423,11 @@ int hmac_blake2b_test(void) #endif } +#ifndef HAVE_FIPS + if (wc_HmacSizeByType(BLAKE2B_ID) != BLAKE2B_OUTBYTES) + return -4027; +#endif + return 0; } #endif @@ -1873,6 +2505,11 @@ int hmac_sha384_test(void) return -20 - i; } +#ifndef HAVE_FIPS + if (wc_HmacSizeByType(SHA384) != SHA384_DIGEST_SIZE) + return -4030; +#endif + return 0; } #endif @@ -1953,6 +2590,11 @@ int hmac_sha512_test(void) return -20 - i; } +#ifndef HAVE_FIPS + if (wc_HmacSizeByType(SHA512) != SHA512_DIGEST_SIZE) + return -4033; +#endif + return 0; } #endif @@ -2664,6 +3306,59 @@ int chacha20_poly1305_aead_test(void) XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag)); XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext)); + /* Parameter Validation testing */ + /* Encrypt */ + err = wc_ChaCha20Poly1305_Encrypt(NULL, iv1, aad1, sizeof(aad1), plaintext1, + sizeof(plaintext1), generatedCiphertext, generatedAuthTag); + if (err != BAD_FUNC_ARG) + return -1050; + err = wc_ChaCha20Poly1305_Encrypt(key1, NULL, aad1, sizeof(aad1), + plaintext1, sizeof(plaintext1), generatedCiphertext, + generatedAuthTag); + if (err != BAD_FUNC_ARG) + return -1051; + err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), NULL, + sizeof(plaintext1), generatedCiphertext, generatedAuthTag); + if (err != BAD_FUNC_ARG) + return -1052; + err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), plaintext1, + sizeof(plaintext1), NULL, generatedAuthTag); + if (err != BAD_FUNC_ARG) + return -1053; + err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), plaintext1, + sizeof(plaintext1), generatedCiphertext, NULL); + if (err != BAD_FUNC_ARG) + return -1054; + err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), plaintext1, + 0, generatedCiphertext, generatedAuthTag); + if (err != BAD_FUNC_ARG) + return -1055; + /* Decrypt */ + err = wc_ChaCha20Poly1305_Decrypt(NULL, iv2, aad2, sizeof(aad2), cipher2, + sizeof(cipher2), authTag2, generatedPlaintext); + if (err != BAD_FUNC_ARG) + return -1056; + err = wc_ChaCha20Poly1305_Decrypt(key2, NULL, aad2, sizeof(aad2), cipher2, + sizeof(cipher2), authTag2, generatedPlaintext); + if (err != BAD_FUNC_ARG) + return -1057; + err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), NULL, + sizeof(cipher2), authTag2, generatedPlaintext); + if (err != BAD_FUNC_ARG) + return -1058; + err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), cipher2, + sizeof(cipher2), NULL, generatedPlaintext); + if (err != BAD_FUNC_ARG) + return -1059; + err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), cipher2, + sizeof(cipher2), authTag2, NULL); + if (err != BAD_FUNC_ARG) + return -1060; + err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), cipher2, + 0, authTag2, generatedPlaintext); + if (err != BAD_FUNC_ARG) + return -1061; + /* Test #1 */ err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, @@ -2886,6 +3581,132 @@ int des3_test(void) #ifndef NO_AES +static int aes_key_size_test(void) +{ + int ret; + Aes aes; + byte key16[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66 }; + byte key24[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37 }; + byte key32[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66 }; + byte iv[] = "1234567890abcdef"; +#ifndef HAVE_FIPS + word32 keySize; +#endif + +#ifdef WC_INITAES_H + ret = wc_InitAes_h(NULL, NULL); + if (ret != BAD_FUNC_ARG) + return -1100; + ret = wc_InitAes_h(&aes, NULL); + if (ret != 0) + return -1100; +#endif + +#ifndef HAVE_FIPS + /* Parameter Validation testing. */ + ret = wc_AesGetKeySize(NULL, NULL); + if (ret != BAD_FUNC_ARG) + return -1100; + ret = wc_AesGetKeySize(&aes, NULL); + if (ret != BAD_FUNC_ARG) + return -1101; + ret = wc_AesGetKeySize(NULL, &keySize); + if (ret != BAD_FUNC_ARG) + return -1102; + /* Crashes in FIPS */ + ret = wc_AesSetKey(NULL, key16, sizeof(key16), iv, AES_ENCRYPTION); + if (ret != BAD_FUNC_ARG) + return -1103; +#endif + /* NULL IV indicates to use all zeros IV. */ + ret = wc_AesSetKey(&aes, key16, sizeof(key16), NULL, AES_ENCRYPTION); + if (ret != 0) + return -1104; + ret = wc_AesSetKey(&aes, key32, sizeof(key32) - 1, iv, AES_ENCRYPTION); + if (ret != BAD_FUNC_ARG) + return -1111; +#ifndef HAVE_FIPS + /* Force invalid rounds */ + aes.rounds = 16; + ret = wc_AesGetKeySize(&aes, &keySize); + if (ret != BAD_FUNC_ARG) + return -1112; +#endif + + ret = wc_AesSetKey(&aes, key16, sizeof(key16), iv, AES_ENCRYPTION); + if (ret != 0) + return -1105; +#ifndef HAVE_FIPS + ret = wc_AesGetKeySize(&aes, &keySize); + if (ret != 0 || keySize != sizeof(key16)) + return -1106; +#endif + + ret = wc_AesSetKey(&aes, key24, sizeof(key24), iv, AES_ENCRYPTION); + if (ret != 0) + return -1107; +#ifndef HAVE_FIPS + ret = wc_AesGetKeySize(&aes, &keySize); + if (ret != 0 || keySize != sizeof(key24)) + return -1108; +#endif + + ret = wc_AesSetKey(&aes, key32, sizeof(key32), iv, AES_ENCRYPTION); + if (ret != 0) + return -1109; +#ifndef HAVE_FIPS + ret = wc_AesGetKeySize(&aes, &keySize); + if (ret != 0 || keySize != sizeof(key32)) + return -1110; +#endif + + return 0; +} + +#if defined(HAVE_AES_CBC) +static int aes_cbc_test(void) +{ + byte cipher[AES_BLOCK_SIZE]; + byte plain[AES_BLOCK_SIZE]; + int ret; + const byte msg[] = { /* "Now is the time for all " w/o trailing 0 */ + 0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74, + 0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20, + 0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20 + }; + byte key[] = "0123456789abcdef "; /* align */ + byte iv[] = "1234567890abcdef "; /* align */ + + /* Parameter Validation testing. */ + ret = wc_AesCbcEncryptWithKey(cipher, msg, AES_BLOCK_SIZE, key, 17, NULL); + if (ret != BAD_FUNC_ARG) + return -1120; + ret = wc_AesCbcDecryptWithKey(plain, cipher, AES_BLOCK_SIZE, key, 17, NULL); + if (ret != BAD_FUNC_ARG) + return -1121; + + ret = wc_AesCbcEncryptWithKey(cipher, msg, AES_BLOCK_SIZE, key, + AES_BLOCK_SIZE, iv); + if (ret != 0) + return -1130; + ret = wc_AesCbcDecryptWithKey(plain, cipher, AES_BLOCK_SIZE, key, + AES_BLOCK_SIZE, iv); + if (ret != 0) + return -1131; + + if (XMEMCMP(plain, msg, AES_BLOCK_SIZE) != 0) + return -1132; + + return 0; +} +#endif + int aes_test(void) { #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_COUNTER) @@ -3242,6 +4063,16 @@ int aes_test(void) } #endif /* WOLFSSL_AES_DIRECT */ + ret = aes_key_size_test(); + if (ret != 0) + return ret; + +#if defined(HAVE_AES_CBC) + ret = aes_cbc_test(); + if (ret != 0) + return ret; +#endif + return ret; } @@ -3443,26 +4274,6 @@ int gmac_test(void) 0x8d, 0x83, 0xb0, 0xbb, 0x14, 0xb6, 0x91 }; - const byte k3[] = - { - 0xb8, 0xe4, 0x9a, 0x5e, 0x37, 0xf9, 0x98, 0x2b, - 0xb9, 0x6d, 0xd0, 0xc9, 0xb6, 0xab, 0x26, 0xac - }; - const byte iv3[] = - { - 0xe4, 0x4a, 0x42, 0x18, 0x8c, 0xae, 0x94, 0x92, - 0x6a, 0x9c, 0x26, 0xb0 - }; - const byte a3[] = - { - 0x9d, 0xb9, 0x61, 0x68, 0xa6, 0x76, 0x7a, 0x31, - 0xf8, 0x29, 0xe4, 0x72, 0x61, 0x68, 0x3f, 0x8a - }; - const byte t3[] = - { - 0x23, 0xe2, 0x9f, 0x66, 0xe4, 0xc6, 0x52, 0x48 - }; - byte tag[16]; XMEMSET(tag, 0, sizeof(tag)); @@ -3477,12 +4288,6 @@ int gmac_test(void) if (XMEMCMP(t2, tag, sizeof(t2)) != 0) return -127; - XMEMSET(tag, 0, sizeof(tag)); - wc_GmacSetKey(&gmac, k3, sizeof(k3)); - wc_GmacUpdate(&gmac, iv3, sizeof(iv3), a3, sizeof(a3), tag, sizeof(t3)); - if (XMEMCMP(t3, tag, sizeof(t3)) != 0) - return -128; - return 0; } #endif /* HAVE_AESGCM */ @@ -4239,7 +5044,12 @@ static int random_rng_test(void) ret = -38; goto exit; } - ret = 0; + + ret = wc_RNG_GenerateByte(&rng, block); + if (ret != 0) { + ret = -41; + goto exit; + } exit: /* Make sure and free RNG */ @@ -4469,92 +5279,157 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out) #endif /* HAVE_NTRU */ +#ifndef NO_FILESYSTEM + +/* Cert Paths */ +#ifdef FREESCALE_MQX + #define CERT_PREFIX "a:\\" + #define CERT_PATH_SEP "\\" +#elif defined(WOLFSSL_MKD_SHELL) + #define CERT_PREFIX "" + #define CERT_PATH_SEP "/" +#else + #define CERT_PREFIX "./" + #define CERT_PATH_SEP "/" +#endif +#define CERT_ROOT CERT_PREFIX "certs" CERT_PATH_SEP + +/* Generated Test Certs */ +#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \ + !defined(NO_ASN) + #ifndef NO_RSA + static const char* clientKey = CERT_ROOT "client-key.der"; + static const char* clientCert = CERT_ROOT "client-cert.der"; + #ifdef HAVE_PKCS7 + static const char* eccClientKey = CERT_ROOT "ecc-client-key.der"; + static const char* eccClientCert = CERT_ROOT "client-ecc-cert.der"; + #endif + #ifdef WOLFSSL_CERT_EXT + static const char* clientKeyPub = CERT_ROOT "client-keyPub.der"; + #endif + #ifdef WOLFSSL_CERT_GEN + static const char* caKeyFile = CERT_ROOT "ca-key.der"; + static const char* caCertFile = CERT_ROOT "ca-cert.pem"; + #endif + #endif /* !NO_RSA */ + #ifndef NO_DH + static const char* dhKey = CERT_ROOT "dh2048.der"; + #endif + #ifndef NO_DSA + static const char* dsaKey = CERT_ROOT "dsa2048.der"; + #endif +#endif /* !USE_CERT_BUFFER_* */ +#if !defined(USE_CERT_BUFFERS_256) && !defined(NO_ASN) + #ifdef HAVE_ECC + #ifdef WOLFSSL_CERT_GEN + static const char* eccCaCertFile = CERT_ROOT "server-ecc.pem"; + #endif + #ifdef WOLFSSL_CERT_EXT + static const char* eccCaKeyPubFile = CERT_ROOT "ecc-keyPub.der"; + #endif + #endif /* HAVE_ECC */ +#endif /* !USE_CERT_BUFFER_* */ + +/* Temporary Cert Files */ +#ifdef HAVE_ECC + #ifdef WOLFSSL_CERT_GEN + static const char* certEccPemFile = CERT_PREFIX "certecc.pem"; + #endif + #ifdef WOLFSSL_KEY_GEN + static const char* eccCaKeyPemFile = CERT_PREFIX "ecc-key.pem"; + static const char* eccPubKeyDerFile = CERT_PREFIX "ecc-public-key.der"; + #endif + #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) + static const char* eccCaKeyFile = CERT_PREFIX "ecc-key.der"; + #endif + #if defined(WOLFSSL_CERT_GEN) || \ + (defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT)) + static const char* certEccDerFile = CERT_PREFIX "certecc.der"; + #endif +#endif /* HAVE_ECC */ + +#ifndef NO_RSA + #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) + static const char* otherCertDerFile = CERT_PREFIX "othercert.der"; + static const char* certDerFile = CERT_PREFIX "cert.der"; + #endif + #ifdef WOLFSSL_CERT_GEN + static const char* otherCertPemFile = CERT_PREFIX "othercert.pem"; + static const char* certPemFile = CERT_PREFIX "cert.pem"; + #endif + #ifdef WOLFSSL_KEY_GEN + static const char* keyDerFile = CERT_PREFIX "key.der"; + static const char* keyPemFile = CERT_PREFIX "key.pem"; + #endif + #ifdef WOLFSSL_CERT_REQ + static const char* certReqDerFile = CERT_PREFIX "certreq.der"; + static const char* certReqPemFile = CERT_PREFIX "certreq.pem"; + #endif +#endif /* !NO_RSA */ + +#endif /* !NO_FILESYSTEM */ + #ifndef NO_RSA -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - #ifdef FREESCALE_MQX - static const char* clientKey = "a:\\certs\\client-key.der"; - static const char* clientCert = "a:\\certs\\client-cert.der"; - #ifdef HAVE_PKCS7 - static const char* eccClientKey = "a:\\certs\\ecc-client-key.der"; - static const char* eccClientCert = "a:\\certs\\client-ecc-cert.der"; - #endif - #ifdef WOLFSSL_CERT_EXT - static const char* clientKeyPub = "a:\\certs\\client-keyPub.der"; - #endif - #ifdef WOLFSSL_CERT_GEN - static const char* caKeyFile = "a:\\certs\\ca-key.der"; - #ifdef WOLFSSL_CERT_EXT - static const char* caKeyPubFile = "a:\\certs\\ca-keyPub.der"; - #endif - static const char* caCertFile = "a:\\certs\\ca-cert.pem"; - #ifdef HAVE_ECC - static const char* eccCaKeyFile = "a:\\certs\\ecc-key.der"; - #ifdef WOLFSSL_CERT_EXT - static const char* eccCaKeyPubFile = "a:\\certs\\ecc-keyPub.der"; - #endif - static const char* eccCaCertFile = "a:\\certs\\server-ecc.pem"; - #endif - #endif - #elif defined(WOLFSSL_MKD_SHELL) - static char* clientKey = "certs/client-key.der"; - static char* clientCert = "certs/client-cert.der"; - void set_clientKey(char *key) { clientKey = key ; } - void set_clientCert(char *cert) { clientCert = cert ; } - #ifdef HAVE_PKCS7 - static const char* eccClientKey = "certs/ecc-client-key.der"; - static const char* eccClientCert = "certs/client-ecc-cert.der"; - void set_eccClientKey(char* key) { eccClientKey = key ; } - void set_eccClientCert(char* cert) { eccClientCert = cert ; } - #endif - #ifdef WOLFSSL_CERT_EXT - static const char* clientKeyPub = "certs/client-keyPub.der"; - void set_clientKeyPub(char *key) { clientKeyPub = key ; } - #endif - #ifdef WOLFSSL_CERT_GEN - static char* caKeyFile = "certs/ca-key.der"; - #ifdef WOLFSSL_CERT_EXT - static const char* caKeyPubFile = "certs/ca-keyPub.der"; - void set_caKeyPubFile (char * key) { caKeyPubFile = key ; } - #endif - static char* caCertFile = "certs/ca-cert.pem"; - void set_caKeyFile (char * key) { caKeyFile = key ; } - void set_caCertFile(char * cert) { caCertFile = cert ; } - #ifdef HAVE_ECC - static const char* eccCaKeyFile = "certs/ecc-key.der"; - #ifdef WOLFSSL_CERT_EXT - static const char* eccCaKeyPubFile = "certs/ecc-keyPub.der"; - void set_eccCaKeyPubFile(char * key) { eccCaKeyPubFile = key ; } - #endif - static const char* eccCaCertFile = "certs/server-ecc.pem"; - void set_eccCaKeyFile (char * key) { eccCaKeyFile = key ; } - void set_eccCaCertFile(char * cert) { eccCaCertFile = cert ; } - #endif - #endif - #else - static const char* clientKey = "./certs/client-key.der"; - static const char* clientCert = "./certs/client-cert.der"; - #ifdef HAVE_PKCS7 - static const char* eccClientKey = "./certs/ecc-client-key.der"; - static const char* eccClientCert = "./certs/client-ecc-cert.der"; - #endif - #ifdef WOLFSSL_CERT_EXT - static const char* clientKeyPub = "./certs/client-keyPub.der"; - #endif - #ifdef WOLFSSL_CERT_GEN - static const char* caKeyFile = "./certs/ca-key.der"; - static const char* caCertFile = "./certs/ca-cert.pem"; - #ifdef HAVE_ECC - static const char* eccCaKeyFile = "./certs/ecc-key.der"; - #ifdef WOLFSSL_CERT_EXT - static const char* eccCaKeyPubFile = "./certs/ecc-keyPub.der"; - #endif - static const char* eccCaCertFile = "./certs/server-ecc.pem"; - #endif - #endif - #endif -#endif +#if !defined(NO_ASN_TIME) && defined(WOLFSSL_TEST_CERT) +int cert_test(void) +{ + DecodedCert cert; + byte* tmp; + size_t bytes; + FILE *file; + int ret; + tmp = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (tmp == NULL) + return -200; + + /* Certificate with Name Constraints extension. */ +#ifdef FREESCALE_MQX + file = fopen(".\\certs\\test\\cert-ext-nc.der", "rb"); +#else + file = fopen("./certs/test/cert-ext-nc.der", "rb"); +#endif + if (!file) { + ret = -201; + goto done; + } + bytes = fread(tmp, 1, FOURK_BUF, file); + fclose(file); + InitDecodedCert(&cert, tmp, (word32)bytes, 0); + ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL); + if (ret != 0) { + ret = -202; + goto done; + } + FreeDecodedCert(&cert); + + /* Certificate with Inhibit Any Policy extension. */ +#ifdef FREESCALE_MQX + file = fopen(".\\certs\\test\\cert-ext-ia.der", "rb"); +#else + file = fopen("./certs/test/cert-ext-ia.der", "rb"); +#endif + if (!file) { + ret = -201; + goto done; + } + bytes = fread(tmp, 1, FOURK_BUF, file); + fclose(file); + InitDecodedCert(&cert, tmp, (word32)bytes, 0); + ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL); + if (ret != 0) { + ret = -204; + goto done; + } + +done: + FreeDecodedCert(&cert); + XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + + return ret; +} +#endif #if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) int certext_test(void) @@ -4587,12 +5462,8 @@ int certext_test(void) if (tmp == NULL) return -200; - /* load othercert.pem (Cert signed by an authority) */ -#ifdef FREESCALE_MQX - file = fopen("a:\\certs\\othercert.der", "rb"); -#else - file = fopen("./othercert.der", "rb"); -#endif + /* load othercert.der (Cert signed by an authority) */ + file = fopen(otherCertDerFile, "rb"); if (!file) { XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER); return -200; @@ -4638,12 +5509,8 @@ int certext_test(void) FreeDecodedCert(&cert); #ifdef HAVE_ECC - /* load certecc.pem (Cert signed by an authority) */ -#ifdef FREESCALE_MQX - file = fopen("a:\\certs\\certecc.der", "rb"); -#else - file = fopen("./certecc.der", "rb"); -#endif + /* load certecc.der (Cert signed by an authority) */ + file = fopen(certEccDerFile, "rb"); if (!file) { XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER); return -210; @@ -4692,12 +5559,8 @@ int certext_test(void) FreeDecodedCert(&cert); #endif /* HAVE_ECC */ - /* load cert.pem (self signed certificate) */ -#ifdef FREESCALE_MQX - file = fopen("a:\\certs\\cert.der", "rb"); -#else - file = fopen("./cert.der", "rb"); -#endif + /* load cert.der (self signed certificate) */ + file = fopen(certDerFile, "rb"); if (!file) { XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER); return -220; @@ -4750,6 +5613,475 @@ int certext_test(void) } #endif /* WOLFSSL_CERT_EXT && WOLFSSL_TEST_CERT */ +static int rsa_flatten_test(RsaKey* key) +{ + int ret; + byte e[256]; + byte n[256]; + word32 eSz = sizeof(e); + word32 nSz = sizeof(n); + + /* Parameter Validation testing. */ + ret = wc_RsaFlattenPublicKey(NULL, e, &eSz, n, &nSz); +#ifdef HAVE_USER_RSA + /* Implementation using IPP Libraries returns: + * -101 = USER_CRYPTO_ERROR + */ + if (ret == 0) +#else + if (ret != BAD_FUNC_ARG) +#endif + return -480; + ret = wc_RsaFlattenPublicKey(key, NULL, &eSz, n, &nSz); +#ifdef HAVE_USER_RSA + /* Implementation using IPP Libraries returns: + * -101 = USER_CRYPTO_ERROR + */ + if (ret == 0) +#else + if (ret != BAD_FUNC_ARG) +#endif + return -481; + ret = wc_RsaFlattenPublicKey(key, e, NULL, n, &nSz); +#ifdef HAVE_USER_RSA + /* Implementation using IPP Libraries returns: + * -101 = USER_CRYPTO_ERROR + */ + if (ret == 0) +#else + if (ret != BAD_FUNC_ARG) +#endif + return -482; + ret = wc_RsaFlattenPublicKey(key, e, &eSz, NULL, &nSz); +#ifdef HAVE_USER_RSA + /* Implementation using IPP Libraries returns: + * -101 = USER_CRYPTO_ERROR + */ + if (ret == 0) +#else + if (ret != BAD_FUNC_ARG) +#endif + return -483; + ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, NULL); +#ifdef HAVE_USER_RSA + /* Implementation using IPP Libraries returns: + * -101 = USER_CRYPTO_ERROR + */ + if (ret == 0) +#else + if (ret != BAD_FUNC_ARG) +#endif + return -484; + ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, &nSz); + if (ret != 0) + return -485; + eSz = 0; + ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, &nSz); +#ifdef HAVE_USER_RSA + /* Implementation using IPP Libraries returns: + * -101 = USER_CRYPTO_ERROR + */ + if (ret == 0) +#elif defined(HAVE_FIPS) + if (ret != 0) +#else + if (ret != RSA_BUFFER_E) +#endif + return -486; + eSz = sizeof(e); + nSz = 0; + ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, &nSz); +#ifdef HAVE_USER_RSA + /* Implementation using IPP Libraries returns: + * -101 = USER_CRYPTO_ERROR + */ + if (ret == 0) +#else + if (ret != RSA_BUFFER_E) +#endif + return -487; + + return 0; +} + +static int rsa_sig_test(RsaKey* key, word32 keyLen, int modLen, WC_RNG* rng) +{ + int ret; + word32 sigSz; + byte in[] = "Everyone gets Friday off."; + word32 inLen = (word32)XSTRLEN((char*)in); + byte out[256]; + + /* Parameter Validation testing. */ + ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_NONE, key, keyLen); + if (ret != BAD_FUNC_ARG) + return -490; + ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_RSA, key, 0); + if (ret != BAD_FUNC_ARG) + return -491; + + sigSz = modLen; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, NULL, + inLen, out, &sigSz, key, keyLen, rng); + if (ret != BAD_FUNC_ARG) + return -492; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + 0, out, &sigSz, key, keyLen, rng); + if (ret != BAD_FUNC_ARG) + return -493; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, NULL, &sigSz, key, keyLen, rng); + if (ret != BAD_FUNC_ARG) + return -494; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, NULL, key, keyLen, rng); + if (ret != BAD_FUNC_ARG) + return -495; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, &sigSz, NULL, keyLen, rng); + if (ret != BAD_FUNC_ARG) + return -496; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, &sigSz, key, 0, rng); + if (ret != BAD_FUNC_ARG) + return -497; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, &sigSz, key, keyLen, NULL); +#ifdef HAVE_USER_RSA + /* Implementation using IPP Libraries returns: + * -101 = USER_CRYPTO_ERROR + */ + if (ret == 0) +#elif defined(HAVE_FIPS) + /* FIPS140 implementation doesn't do blinding. */ + if (ret != 0) +#else + if (ret != MISSING_RNG_E) +#endif + return -498; + sigSz = 0; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, &sigSz, key, keyLen, rng); + if (ret != BAD_FUNC_ARG) + return -499; + + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, NULL, + inLen, out, modLen, key, keyLen); + if (ret != BAD_FUNC_ARG) + return -500; + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + 0, out, modLen, key, keyLen); + if (ret != BAD_FUNC_ARG) + return -501; + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, NULL, modLen, key, keyLen); + if (ret != BAD_FUNC_ARG) + return -502; + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, 0, key, keyLen); + if (ret != BAD_FUNC_ARG) + return -503; + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, modLen, NULL, keyLen); + if (ret != BAD_FUNC_ARG) + return -504; + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, modLen, key, 0); + if (ret != BAD_FUNC_ARG) + return -505; + +#ifndef HAVE_ECC + ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_ECC, key, keyLen); + if (ret != SIG_TYPE_E) + return -506; +#endif + + /* Use APIs. */ + ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_RSA, key, keyLen); + if (ret != modLen) + return -507; + ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_RSA_W_ENC, key, keyLen); + if (ret != modLen) + return -508; + + sigSz = ret; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, &sigSz, key, keyLen, rng); + if (ret != 0) + return -509; + + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, modLen, key, keyLen); + if (ret != 0) + return -510; + + sigSz = sizeof(out); + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC, + in, inLen, out, &sigSz, key, keyLen, rng); + if (ret != 0) + return -511; + + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC, + in, inLen, out, modLen, key, keyLen); + if (ret != 0) + return -512; + + /* Wrong signature type. */ + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in, + inLen, out, modLen, key, keyLen); + if (ret == 0) + return -513; + + return 0; +} + +#ifndef HAVE_USER_RSA +static int rsa_decode_test(void) +{ + int ret; + word32 inSz; + word32 inOutIdx; + RsaKey keyPub; + const byte n[2] = { 0x00, 0x23 }; + const byte e[2] = { 0x00, 0x03 }; + const byte good[] = { 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 }; + const byte goodAlgId[] = { 0x30, 0x0f, 0x30, 0x0d, 0x06, 0x00, + 0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 }; + const byte goodBitStrNoZero[] = { 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x00, + 0x03, 0x08, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 }; + const byte goodAlgIdNull[] = { 0x30, 0x11, 0x30, 0x0f, 0x06, 0x00, + 0x05, 0x00, 0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, + 0x02, 0x1, 0x03 }; + const byte badAlgIdNull[] = { 0x30, 0x12, 0x30, 0x10, 0x06, 0x00, + 0x05, 0x01, 0x00, 0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, + 0x02, 0x1, 0x03 }; + const byte badNotBitString[] = { 0x30, 0x0f, 0x30, 0x0d, 0x06, 0x00, + 0x04, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 }; + const byte badBitStringLen[] = { 0x30, 0x0f, 0x30, 0x0d, 0x06, 0x00, + 0x03, 0x0a, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 }; + const byte badNoSeq[] = { 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x00, 0x03, 0x07, + 0x00, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 }; + const byte badNoObj[] = { + 0x30, 0x0f, 0x30, 0x0d, 0x05, 0x00, 0x03, 0x09, 0x00, 0x30, 0x06, + 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 }; + const byte badIntN[] = { 0x30, 0x06, 0x02, 0x05, 0x23, 0x02, 0x1, 0x03 }; + const byte badNotIntE[] = { 0x30, 0x06, 0x02, 0x01, 0x23, 0x04, 0x1, 0x03 }; + const byte badLength[] = { 0x30, 0x04, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 }; + + ret = wc_InitRsaKey(&keyPub, NULL); + if (ret != 0) + return -520; + + /* Parameter Validation testing. */ + ret = wc_RsaPublicKeyDecodeRaw(NULL, sizeof(n), e, sizeof(e), &keyPub); + if (ret != BAD_FUNC_ARG) { + ret = -521; + goto done; + } + ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), NULL, sizeof(e), &keyPub); + if (ret != BAD_FUNC_ARG) { + ret = -522; + goto done; + } + ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, sizeof(e), NULL); + if (ret != BAD_FUNC_ARG) { + ret = -523; + goto done; + } + /* TODO: probably should fail when length is -1! */ + ret = wc_RsaPublicKeyDecodeRaw(n, -1, e, sizeof(e), &keyPub); + if (ret != 0) { + ret = -525; + goto done; + } + wc_FreeRsaKey(&keyPub); + ret = wc_InitRsaKey(&keyPub, NULL); + if (ret != 0) + return -520; + ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, -1, &keyPub); + if (ret != 0) { + ret = -526; + goto done; + } + wc_FreeRsaKey(&keyPub); + ret = wc_InitRsaKey(&keyPub, NULL); + if (ret != 0) + return -520; + + /* Use API. */ + ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, sizeof(e), &keyPub); + if (ret != 0) { + ret = -527; + goto done; + } + wc_FreeRsaKey(&keyPub); + ret = wc_InitRsaKey(&keyPub, NULL); + if (ret != 0) + return -520; + + /* Parameter Validation testing. */ + inSz = sizeof(good); + ret = wc_RsaPublicKeyDecode(NULL, &inOutIdx, &keyPub, inSz); + if (ret != BAD_FUNC_ARG) { + ret = -531; + goto done; + } + ret = wc_RsaPublicKeyDecode(good, NULL, &keyPub, inSz); + if (ret != BAD_FUNC_ARG) { + ret = -532; + goto done; + } + ret = wc_RsaPublicKeyDecode(good, &inOutIdx, NULL, inSz); + if (ret != BAD_FUNC_ARG) { + ret = -533; + goto done; + } + + /* Use good data and offest to bad data. */ + inOutIdx = 2; + inSz = sizeof(good) - inOutIdx; + ret = wc_RsaPublicKeyDecode(good, &inOutIdx, &keyPub, inSz); + if (ret != ASN_PARSE_E) { + ret = -540; + goto done; + } + inOutIdx = 2; + inSz = sizeof(goodAlgId) - inOutIdx; + ret = wc_RsaPublicKeyDecode(goodAlgId, &inOutIdx, &keyPub, inSz); + if (ret != ASN_PARSE_E) { + ret = -541; + goto done; + } + /* Try different bad data. */ + inSz = sizeof(badAlgIdNull); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(badAlgIdNull, &inOutIdx, &keyPub, inSz); + if (ret != ASN_EXPECT_0_E) { + ret = -542; + goto done; + } + inSz = sizeof(badNotBitString); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(badNotBitString, &inOutIdx, &keyPub, inSz); + if (ret != ASN_BITSTR_E) { + ret = -543; + goto done; + } + inSz = sizeof(badBitStringLen); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(badBitStringLen, &inOutIdx, &keyPub, inSz); + if (ret != ASN_PARSE_E) { + ret = -544; + goto done; + } + inSz = sizeof(badNoSeq); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(badNoSeq, &inOutIdx, &keyPub, inSz); + if (ret != ASN_PARSE_E) { + ret = -545; + goto done; + } + inSz = sizeof(badNoObj); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(badNoObj, &inOutIdx, &keyPub, inSz); + if (ret != ASN_PARSE_E) { + ret = -546; + goto done; + } + inSz = sizeof(badIntN); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(badIntN, &inOutIdx, &keyPub, inSz); + if (ret != ASN_RSA_KEY_E) { + ret = -547; + goto done; + } + inSz = sizeof(badNotIntE); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(badNotIntE, &inOutIdx, &keyPub, inSz); + if (ret != ASN_RSA_KEY_E) { + ret = -548; + goto done; + } + /* TODO: Shouldn't pass as the sequence length is too small. */ + inSz = sizeof(badLength); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(badLength, &inOutIdx, &keyPub, inSz); + if (ret != 0) { + ret = -549; + goto done; + } + /* TODO: Shouldn't ignore object id's data. */ + wc_FreeRsaKey(&keyPub); + ret = wc_InitRsaKey(&keyPub, NULL); + if (ret != 0) + return -520; + + /* Valid data cases. */ + inSz = sizeof(good); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(good, &inOutIdx, &keyPub, inSz); + if (ret != 0) { + ret = -550; + goto done; + } + if (inOutIdx != inSz) { + ret = -551; + goto done; + } + wc_FreeRsaKey(&keyPub); + ret = wc_InitRsaKey(&keyPub, NULL); + if (ret != 0) + return -520; + + inSz = sizeof(goodAlgId); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(goodAlgId, &inOutIdx, &keyPub, inSz); + if (ret != 0) { + ret = -552; + goto done; + } + if (inOutIdx != inSz) { + ret = -553; + goto done; + } + wc_FreeRsaKey(&keyPub); + ret = wc_InitRsaKey(&keyPub, NULL); + if (ret != 0) + return -520; + + inSz = sizeof(goodAlgIdNull); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(goodAlgIdNull, &inOutIdx, &keyPub, inSz); + if (ret != 0) { + ret = -554; + goto done; + } + if (inOutIdx != inSz) { + ret = -555; + goto done; + } + wc_FreeRsaKey(&keyPub); + ret = wc_InitRsaKey(&keyPub, NULL); + if (ret != 0) + return -520; + + inSz = sizeof(goodBitStrNoZero); + inOutIdx = 0; + ret = wc_RsaPublicKeyDecode(goodBitStrNoZero, &inOutIdx, &keyPub, inSz); + if (ret != 0) { + ret = -556; + goto done; + } + if (inOutIdx != inSz) { + ret = -557; + goto done; + } + +done: + wc_FreeRsaKey(&keyPub); + return ret; +} +#endif int rsa_test(void) { @@ -4766,13 +6098,21 @@ int rsa_test(void) word32 inLen = (word32)XSTRLEN((char*)in); byte out[256]; byte plain[256]; -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) + byte* res; +#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) \ + && !defined(NO_FILESYSTEM) FILE *file, *file2; #endif #ifdef WOLFSSL_TEST_CERT DecodedCert cert; #endif +#ifndef HAVE_USER_RSA + ret = rsa_decode_test(); + if (ret != 0) + return ret; +#endif + tmp = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) return -40; @@ -4783,9 +6123,8 @@ int rsa_test(void) #elif defined(USE_CERT_BUFFERS_2048) XMEMCPY(tmp, client_key_der_2048, sizeof_client_key_der_2048); bytes = sizeof_client_key_der_2048; -#else +#elif !defined(NO_FILESYSTEM) file = fopen(clientKey, "rb"); - if (!file) { err_sys("can't open ./certs/client-key.der, " "Please run from wolfSSL home dir", -40); @@ -4795,6 +6134,9 @@ int rsa_test(void) bytes = fread(tmp, 1, FOURK_BUF, file); fclose(file); +#else + /* No key to use. */ + return -40; #endif /* USE_CERT_BUFFERS */ ret = wc_InitRsaKey_ex(&key, HEAP_HINT, devId); @@ -4813,6 +6155,10 @@ int rsa_test(void) return -42; } + ret = rsa_sig_test(&key, sizeof(RsaKey), wc_RsaEncryptSize(&key), &rng); + if (ret != 0) + return ret; + do { #if defined(WOLFSSL_ASYNC_CRYPT) ret = wc_RsaAsyncWait(ret, &key); @@ -4860,6 +6206,20 @@ int rsa_test(void) wc_FreeRng(&rng); return -45; } + do { +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_RsaAsyncWait(ret, key); +#endif + if (ret >= 0) { + ret = wc_RsaPrivateDecryptInline(out, idx, &res, &key); + } + } while (ret == WC_PENDING_E); + if (ret < 0) + return -473; + if (ret != (int)inLen) + return -473; + if (XMEMCMP(res, in, inLen)) + return -474; do { #if defined(WOLFSSL_ASYNC_CRYPT) @@ -4981,6 +6341,22 @@ int rsa_test(void) return -245; } + do { +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_RsaAsyncWait(ret, key); +#endif + if (ret >= 0) { + ret = wc_RsaPrivateDecryptInline_ex(out, idx, &res, &key, + WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0); + } + } while (ret == WC_PENDING_E); + if (ret < 0) + return -473; + if (ret != (int)inLen) + return -474; + if (XMEMCMP(res, in, inLen)) + return -475; + /* check fails if not using the same optional label */ XMEMSET(plain, 0, sizeof(plain)); do { @@ -5166,18 +6542,22 @@ int rsa_test(void) } while (ret == WC_PENDING_E); if (ret < 0) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -444; } if (XMEMCMP(plain, in, inLen)) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -445; } #endif /* !HAVE_FAST_RSA && !HAVE_FIPS */ #endif /* WC_NO_RSA_OAEP */ + ret = rsa_flatten_test(&key); + if (ret != 0) + return ret; + #if defined(WOLFSSL_MDK_ARM) #define sizeof(s) XSTRLEN((char *)(s)) #endif @@ -5188,16 +6568,19 @@ int rsa_test(void) #elif defined(USE_CERT_BUFFERS_2048) XMEMCPY(tmp, client_cert_der_2048, sizeof_client_cert_der_2048); bytes = sizeof_client_cert_der_2048; -#else +#elif !defined(NO_FILESYSTEM) file2 = fopen(clientCert, "rb"); if (!file2) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -49; } bytes = fread(tmp, 1, FOURK_BUF, file2); fclose(file2); +#else + /* No certificate to use. */ + return -49; #endif #ifdef sizeof @@ -5234,7 +6617,7 @@ int rsa_test(void) err_sys("can't open ./certs/client-keyPub.der, " "Please run from wolfSSL home dir", -40); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -50; } @@ -5245,7 +6628,7 @@ int rsa_test(void) ret = wc_InitRsaKey(&keypub, HEAP_HINT); if (ret != 0) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -51; } idx = 0; @@ -5254,7 +6637,7 @@ int rsa_test(void) if (ret != 0) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&keypub); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -52; } #endif /* WOLFSSL_CERT_EXT */ @@ -5267,19 +6650,21 @@ int rsa_test(void) int pemSz = 0; RsaKey derIn; RsaKey genKey; + #ifndef NO_FILESYSTEM FILE* keyFile; FILE* pemFile; + #endif ret = wc_InitRsaKey(&genKey, HEAP_HINT); if (ret != 0) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -300; } ret = wc_MakeRsaKey(&genKey, 1024, 65537, &rng); if (ret != 0) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -301; } @@ -5287,7 +6672,7 @@ int rsa_test(void) if (der == NULL) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&genKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -307; } pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -5295,7 +6680,7 @@ int rsa_test(void) XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&genKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -308; } @@ -5304,21 +6689,18 @@ int rsa_test(void) XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -302; } -#ifdef FREESCALE_MQX - keyFile = fopen("a:\\certs\\key.der", "wb"); -#else - keyFile = fopen("./key.der", "wb"); -#endif + #ifndef NO_FILESYSTEM + keyFile = fopen(keyDerFile, "wb"); if (!keyFile) { XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&genKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -303; } ret = (int)fwrite(der, 1, derSz, keyFile); @@ -5328,9 +6710,10 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&genKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -313; } + #endif pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, PRIVATEKEY_TYPE); if (pemSz < 0) { @@ -5338,21 +6721,18 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&genKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -304; } -#ifdef FREESCALE_MQX - pemFile = fopen("a:\\certs\\key.pem", "wb"); -#else - pemFile = fopen("./key.pem", "wb"); -#endif + #ifndef NO_FILESYSTEM + pemFile = fopen(keyPemFile, "wb"); if (!pemFile) { XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&genKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -305; } ret = (int)fwrite(pem, 1, pemSz, pemFile); @@ -5362,9 +6742,10 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&genKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -314; } + #endif ret = wc_InitRsaKey(&derIn, HEAP_HINT); if (ret != 0) { @@ -5372,7 +6753,7 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&genKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -3060; } idx = 0; @@ -5383,7 +6764,7 @@ int rsa_test(void) XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&derIn); wc_FreeRsaKey(&genKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -306; } @@ -5412,14 +6793,14 @@ int rsa_test(void) DYNAMIC_TYPE_TMP_BUFFER); if (derCert == NULL) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -309; } pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); if (pem == NULL) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -310; } @@ -5435,7 +6816,7 @@ int rsa_test(void) myCert.isCA = 1; myCert.sigType = CTC_SHA256wRSA; -#ifdef WOLFSSL_CERT_EXT + #ifdef WOLFSSL_CERT_EXT /* add Policies */ strncpy(myCert.certPolicies[0], "2.16.840.1.101.3.4.1.42", CTC_MAX_CERTPOL_SZ); @@ -5448,7 +6829,7 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -398; } @@ -5457,7 +6838,7 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -399; } @@ -5466,43 +6847,40 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -400; } -#endif /* WOLFSSL_CERT_EXT */ + #endif /* WOLFSSL_CERT_EXT */ certSz = wc_MakeSelfCert(&myCert, derCert, FOURK_BUF, &key, &rng); if (certSz < 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -401; } -#ifdef WOLFSSL_TEST_CERT + #ifdef WOLFSSL_TEST_CERT InitDecodedCert(&decode, derCert, certSz, HEAP_HINT); ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); if (ret != 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -402; } FreeDecodedCert(&decode); -#endif + #endif -#ifdef FREESCALE_MQX - derFile = fopen("a:\\certs\\cert.der", "wb"); -#else - derFile = fopen("./cert.der", "wb"); -#endif + #ifndef NO_FILESYSTEM + derFile = fopen(certDerFile, "wb"); if (!derFile) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -403; } ret = (int)fwrite(derCert, 1, certSz, derFile); @@ -5511,29 +6889,27 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -414; } + #endif pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); if (pemSz < 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -404; } -#ifdef FREESCALE_MQX - pemFile = fopen("a:\\certs\\cert.pem", "wb"); -#else - pemFile = fopen("./cert.pem", "wb"); -#endif + #ifndef NO_FILESYSTEM + pemFile = fopen(certPemFile, "wb"); if (!pemFile) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -405; } ret = (int)fwrite(pem, 1, pemSz, pemFile); @@ -5542,9 +6918,11 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -406; } + #endif + XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } @@ -5560,45 +6938,54 @@ int rsa_test(void) int pemSz; size_t bytes3; word32 idx3 = 0; - FILE* file3 ; -#ifdef WOLFSSL_TEST_CERT + #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) + FILE* file3; + #endif + #ifdef WOLFSSL_TEST_CERT DecodedCert decode; -#endif + #endif derCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (derCert == NULL) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -311; } pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); if (pem == NULL) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -312; } + #ifdef USE_CERT_BUFFERS_1024 + XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024); + bytes3 = sizeof_ca_key_der_1024; + #elif defined(USE_CERT_BUFFERS_2048) + XMEMCPY(tmp, ca_key_der_2048, sizeof_ca_key_der_2048); + bytes3 = sizeof_ca_key_der_2048; + #else file3 = fopen(caKeyFile, "rb"); - if (!file3) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -412; } bytes3 = fread(tmp, 1, FOURK_BUF, file3); fclose(file3); + #endif /* USE_CERT_BUFFERS */ ret = wc_InitRsaKey(&caKey, HEAP_HINT); if (ret != 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -411; } ret = wc_RsaPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes3); @@ -5607,15 +6994,15 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -413; } wc_InitCert(&myCert); -#ifdef NO_SHA + #ifdef NO_SHA myCert.sigType = CTC_SHA256wRSA; -#endif + #endif strncpy(myCert.subject.country, "US", CTC_NAME_SIZE); strncpy(myCert.subject.state, "OR", CTC_NAME_SIZE); @@ -5625,7 +7012,7 @@ int rsa_test(void) strncpy(myCert.subject.commonName, "www.yassl.com", CTC_NAME_SIZE); strncpy(myCert.subject.email, "info@yassl.com", CTC_NAME_SIZE); -#ifdef WOLFSSL_CERT_EXT + #ifdef WOLFSSL_CERT_EXT /* add Policies */ strncpy(myCert.certPolicies[0], "2.16.840.1.101.3.4.1.42", CTC_MAX_CERTPOL_SZ); @@ -5636,16 +7023,25 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -398; } /* add AKID from the CA certificate */ - if (wc_SetAuthKeyId(&myCert, caCertFile) != 0) { + #if defined(USE_CERT_BUFFERS_2048) + ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_2048, + sizeof_ca_cert_der_2048); + #elif defined(USE_CERT_BUFFERS_1024) + ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_1024, + sizeof_ca_cert_der_1024); + #else + ret = wc_SetAuthKeyId(&myCert, caCertFile); + #endif + if (ret != 0) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -399; } @@ -5654,18 +7050,26 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -400; } -#endif /* WOLFSSL_CERT_EXT */ + #endif /* WOLFSSL_CERT_EXT */ + #if defined(USE_CERT_BUFFERS_2048) + ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_2048, + sizeof_ca_cert_der_2048); + #elif defined(USE_CERT_BUFFERS_1024) + ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_1024, + sizeof_ca_cert_der_1024); + #else ret = wc_SetIssuer(&myCert, caCertFile); + #endif if (ret < 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -405; } @@ -5675,7 +7079,7 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -407; } @@ -5686,11 +7090,11 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -408; } -#ifdef WOLFSSL_TEST_CERT + #ifdef WOLFSSL_TEST_CERT InitDecodedCert(&decode, derCert, certSz, HEAP_HINT); ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); if (ret != 0) { @@ -5698,23 +7102,20 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -409; } FreeDecodedCert(&decode); -#endif + #endif -#ifdef FREESCALE_MQX - derFile = fopen("a:\\certs\\othercert.der", "wb"); -#else - derFile = fopen("./othercert.der", "wb"); -#endif +#ifndef NO_FILESYSTEM + derFile = fopen(otherCertDerFile, "wb"); if (!derFile) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -410; } ret = (int)fwrite(derCert, 1, certSz, derFile); @@ -5724,7 +7125,7 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -416; } @@ -5734,21 +7135,17 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -411; } -#ifdef FREESCALE_MQX - pemFile = fopen("a:\\certs\\othercert.pem", "wb"); -#else - pemFile = fopen("./othercert.pem", "wb"); -#endif + pemFile = fopen(otherCertPemFile, "wb"); if (!pemFile) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -412; } ret = (int)fwrite(pem, 1, pemSz, pemFile); @@ -5758,10 +7155,12 @@ int rsa_test(void) XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); fclose(pemFile); wc_FreeRsaKey(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -415; } fclose(pemFile); +#endif /* !NO_FILESYSTEM */ + XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); @@ -5779,41 +7178,48 @@ int rsa_test(void) int pemSz; size_t bytes3; word32 idx3 = 0; + #ifndef USE_CERT_BUFFERS_256 FILE* file3; -#ifdef WOLFSSL_CERT_EXT + #endif + #ifdef WOLFSSL_CERT_EXT ecc_key caKeyPub; -#endif -#ifdef WOLFSSL_TEST_CERT + #endif + #ifdef WOLFSSL_TEST_CERT DecodedCert decode; -#endif + #endif derCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (derCert == NULL) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5311; } pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); if (pem == NULL) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5312; } + #ifdef USE_CERT_BUFFERS_256 + XMEMCPY(tmp, ecc_key_der_256, sizeof_ecc_key_der_256); + bytes3 = sizeof_ecc_key_der_256; + #else file3 = fopen(eccCaKeyFile, "rb"); if (!file3) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5412; } bytes3 = fread(tmp, 1, FOURK_BUF, file3); fclose(file3); + #endif /* USE_CERT_BUFFERS_256 */ wc_ecc_init(&caKey); ret = wc_EccPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes3); @@ -5821,7 +7227,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5413; } @@ -5844,25 +7250,29 @@ int rsa_test(void) CTC_MAX_CERTPOL_SZ); myCert.certPoliciesNb = 2; - + #ifdef USE_CERT_BUFFERS_256 + XMEMCPY(tmp, ecc_key_pub_der_256, sizeof_ecc_key_pub_der_256); + bytes3 = sizeof_ecc_key_pub_der_256; + #else file3 = fopen(eccCaKeyPubFile, "rb"); if (!file3) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5500; } bytes3 = fread(tmp, 1, FOURK_BUF, file3); fclose(file3); + #endif wc_ecc_init(&caKeyPub); if (ret != 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5501; } @@ -5873,7 +7283,7 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKeyPub); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5502; } @@ -5883,7 +7293,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKeyPub); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5503; } @@ -5893,7 +7303,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKeyPub); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5504; } wc_ecc_free(&caKeyPub); @@ -5903,18 +7313,23 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5505; } #endif /* WOLFSSL_CERT_EXT */ + #if defined(USE_CERT_BUFFERS_256) + ret = wc_SetIssuerBuffer(&myCert, serv_ecc_der_256, + sizeof_serv_ecc_der_256); + #else ret = wc_SetIssuer(&myCert, eccCaCertFile); + #endif if (ret < 0) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5405; } @@ -5924,7 +7339,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5407; } @@ -5935,7 +7350,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5408; } @@ -5947,23 +7362,19 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKey); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5409; } FreeDecodedCert(&decode); #endif -#ifdef FREESCALE_MQX - derFile = fopen("a:\\certs\\certecc.der", "wb"); -#else - derFile = fopen("./certecc.der", "wb"); -#endif + derFile = fopen(certEccDerFile, "wb"); if (!derFile) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5410; } ret = (int)fwrite(derCert, 1, certSz, derFile); @@ -5973,7 +7384,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5414; } @@ -5983,21 +7394,17 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5411; } -#ifdef FREESCALE_MQX - pemFile = fopen("a:\\certs\\certecc.pem", "wb"); -#else - pemFile = fopen("./certecc.pem", "wb"); -#endif + pemFile = fopen(certEccPemFile, "wb"); if (!pemFile) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5412; } ret = (int)fwrite(pem, 1, pemSz, pemFile); @@ -6006,7 +7413,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_ecc_free(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -5415; } @@ -6024,26 +7431,28 @@ int rsa_test(void) byte* pem; FILE* derFile; FILE* pemFile; + #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) FILE* caFile; + #endif FILE* ntruPrivFile; int certSz; int pemSz; word32 idx3 = 0; -#ifdef WOLFSSL_TEST_CERT + #ifdef WOLFSSL_TEST_CERT DecodedCert decode; -#endif + #endif derCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (derCert == NULL) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -311; } pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); if (pem == NULL) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -312; } @@ -6061,7 +7470,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -448; } @@ -6072,7 +7481,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -449; } @@ -6083,7 +7492,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -450; } @@ -6093,29 +7502,36 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -451; } + #ifdef USE_CERT_BUFFERS_1024 + XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024); + bytes = sizeof_ca_key_der_1024; + #elif defined(USE_CERT_BUFFERS_2048) + XMEMCPY(tmp, ca_key_der_2048, sizeof_ca_key_der_2048); + bytes = sizeof_ca_key_der_2048; + #else caFile = fopen(caKeyFile, "rb"); - if (!caFile) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -452; } bytes = fread(tmp, 1, FOURK_BUF, caFile); fclose(caFile); + #endif /* USE_CERT_BUFFERS */ ret = wc_InitRsaKey(&caKey, HEAP_HINT); if (ret != 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -453; } ret = wc_RsaPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes); @@ -6123,7 +7539,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -454; } @@ -6138,24 +7554,32 @@ int rsa_test(void) strncpy(myCert.subject.email, "info@yassl.com", CTC_NAME_SIZE); myCert.daysValid = 1000; -#ifdef WOLFSSL_CERT_EXT - + #ifdef WOLFSSL_CERT_EXT /* add SKID from the Public Key */ if (wc_SetSubjectKeyIdFromNtruPublicKey(&myCert, public_key, public_key_len) != 0) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -496; } /* add AKID from the CA certificate */ - if (wc_SetAuthKeyId(&myCert, caCertFile) != 0) { + #if defined(USE_CERT_BUFFERS_2048) + ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_2048, + sizeof_ca_cert_der_2048); + #elif defined(USE_CERT_BUFFERS_1024) + ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_1024, + sizeof_ca_cert_der_1024); + #else + ret = wc_SetAuthKeyId(&myCert, caCertFile); + #endif + if (ret != 0) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -495; } @@ -6165,18 +7589,26 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -494; } -#endif /* WOLFSSL_CERT_EXT */ + #endif /* WOLFSSL_CERT_EXT */ + #if defined(USE_CERT_BUFFERS_2048) + ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_2048, + sizeof_ca_cert_der_2048); + #elif defined(USE_CERT_BUFFERS_1024) + ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_1024, + sizeof_ca_cert_der_1024); + #else ret = wc_SetIssuer(&myCert, caCertFile); + #endif if (ret < 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -455; } @@ -6187,7 +7619,7 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_FreeRsaKey(&caKey); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -456; } @@ -6198,29 +7630,31 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -457; } -#ifdef WOLFSSL_TEST_CERT + #ifdef WOLFSSL_TEST_CERT InitDecodedCert(&decode, derCert, certSz, HEAP_HINT); ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); if (ret != 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -458; } FreeDecodedCert(&decode); -#endif + #endif + + #ifndef NO_FILESYSTEM derFile = fopen("./ntru-cert.der", "wb"); if (!derFile) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -459; } ret = (int)fwrite(derCert, 1, certSz, derFile); @@ -6229,25 +7663,27 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -473; } + #endif pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); if (pemSz < 0) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -460; } + #ifndef NO_FILESYSTEM pemFile = fopen("./ntru-cert.pem", "wb"); if (!pemFile) { XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -461; } ret = (int)fwrite(pem, 1, pemSz, pemFile); @@ -6256,7 +7692,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -474; } @@ -6265,7 +7701,7 @@ int rsa_test(void) XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -462; } ret = (int)fwrite(private_key, 1, private_key_len, ntruPrivFile); @@ -6274,9 +7710,11 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -475; } + #endif + XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } @@ -6293,14 +7731,14 @@ int rsa_test(void) der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); if (der == NULL) { XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -463; } pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER); if (pem == NULL) { XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -464; } @@ -6318,13 +7756,13 @@ int rsa_test(void) strncpy(req.subject.email, "info@yassl.com", CTC_NAME_SIZE); req.sigType = CTC_SHA256wRSA; -#ifdef WOLFSSL_CERT_EXT + #ifdef WOLFSSL_CERT_EXT /* add SKID from the Public Key */ if (wc_SetSubjectKeyIdFromPublicKey(&req, &keypub, NULL) != 0) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -496; } @@ -6334,17 +7772,17 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -494; } -#endif /* WOLFSSL_CERT_EXT */ + #endif /* WOLFSSL_CERT_EXT */ derSz = wc_MakeCertReq(&req, der, FOURK_BUF, &key, NULL); if (derSz < 0) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -465; } @@ -6354,7 +7792,7 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -466; } @@ -6363,20 +7801,17 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -467; } -#ifdef FREESCALE_MQX - reqFile = fopen("a:\\certs\\certreq.der", "wb"); -#else - reqFile = fopen("./certreq.der", "wb"); -#endif + #ifndef NO_FILESYSTEM + reqFile = fopen(certReqDerFile, "wb"); if (!reqFile) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -468; } @@ -6386,20 +7821,16 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -471; } -#ifdef FREESCALE_MQX - reqFile = fopen("a:\\certs\\certreq.pem", "wb"); -#else - reqFile = fopen("./certreq.pem", "wb"); -#endif + reqFile = fopen(certReqPemFile, "wb"); if (!reqFile) { XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -469; } ret = (int)fwrite(pem, 1, pemSz, reqFile); @@ -6408,9 +7839,10 @@ int rsa_test(void) XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRng(&rng); + wc_FreeRng(&rng); return -470; } + #endif XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -6436,15 +7868,47 @@ int rsa_test(void) #ifndef NO_DH -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - #ifdef FREESCALE_MQX - static const char* dhKey = "a:\\certs\\dh2048.der"; - #elif defined(NO_ASN) - /* don't use file, no DER parsing */ - #else - static const char* dhKey = "./certs/dh2048.der"; - #endif -#endif +static int dh_generate_test(WC_RNG *rng) +{ + int ret; + DhKey smallKey; + byte p[2] = { 0, 5 }; + byte g[2] = { 0, 2 }; + byte priv[2]; + word32 privSz = sizeof(priv); + byte pub[2]; + word32 pubSz = sizeof(pub); + + wc_InitDhKey(&smallKey); + + /* Parameter Validation testing. */ + ret = wc_DhSetKey(NULL, p, sizeof(p), g, sizeof(g)); + if (ret != BAD_FUNC_ARG) + return -100; + ret = wc_DhSetKey(&smallKey, NULL, sizeof(p), g, sizeof(g)); + if (ret != BAD_FUNC_ARG) + return -100; + ret = wc_DhSetKey(&smallKey, p, 0, g, sizeof(g)); + if (ret != BAD_FUNC_ARG) + return -100; + ret = wc_DhSetKey(&smallKey, p, sizeof(p), NULL, sizeof(g)); + if (ret != BAD_FUNC_ARG) + return -100; + ret = wc_DhSetKey(&smallKey, p, sizeof(p), g, 0); + if (ret != BAD_FUNC_ARG) + return -100; + ret = wc_DhSetKey(&smallKey, p, sizeof(p), g, sizeof(g)); + if (ret != 0) + return -101; + + /* Use API. */ + ret = wc_DhGenerateKeyPair(&smallKey, rng, priv, &privSz, pub, &pubSz); + wc_FreeDhKey(&smallKey); + if (ret != 0) + return -102; + + return 0; +} int dh_test(void) { @@ -6470,14 +7934,16 @@ int dh_test(void) bytes = sizeof_dh_key_der_2048; #elif defined(NO_ASN) /* don't use file, no DER parsing */ -#else +#elif !defined(NO_FILESYSTEM) FILE* file = fopen(dhKey, "rb"); - if (!file) return -50; bytes = (word32) fread(tmp, 1, sizeof(tmp), file); fclose(file); +#else + /* No DH key to use. */ + return -50; #endif /* USE_CERT_BUFFERS */ (void)idx; @@ -6527,6 +7993,10 @@ int dh_test(void) if (XMEMCMP(agree, agree2, agreeSz)) return -56; + ret = dh_generate_test(&rng); + if (ret != 0) + return -57; + wc_FreeDhKey(&key); wc_FreeDhKey(&key2); wc_FreeRng(&rng); @@ -6539,14 +8009,6 @@ int dh_test(void) #ifndef NO_DSA -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - #ifdef FREESCALE_MQX - static const char* dsaKey = "a:\\certs\\dsa2048.der"; - #else - static const char* dsaKey = "./certs/dsa2048.der"; - #endif -#endif - int dsa_test(void) { int ret, answer; @@ -6559,7 +8021,6 @@ int dsa_test(void) byte hash[SHA_DIGEST_SIZE]; byte signature[40]; - #ifdef USE_CERT_BUFFERS_1024 XMEMCPY(tmp, dsa_key_der_1024, sizeof_dsa_key_der_1024); bytes = sizeof_dsa_key_der_1024; @@ -6568,7 +8029,6 @@ int dsa_test(void) bytes = sizeof_dsa_key_der_2048; #else FILE* file = fopen(dsaKey, "rb"); - if (!file) return -60; @@ -6608,8 +8068,10 @@ int dsa_test(void) int pemSz = 0; DsaKey derIn; DsaKey genKey; +#ifndef NO_FILESYSTEM FILE* keyFile; FILE* pemFile; +#endif ret = wc_InitDsaKey(&genKey); if (ret != 0) return -361; @@ -6645,11 +8107,8 @@ int dsa_test(void) return -366; } -#ifdef FREESCALE_MQX - keyFile = fopen("a:\\certs\\key.der", "wb"); -#else - keyFile = fopen("./key.der", "wb"); -#endif +#ifndef NO_FILESYSTEM + keyFile = fopen(keyDerFile, "wb"); if (!keyFile) { XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -6664,6 +8123,7 @@ int dsa_test(void) wc_FreeDsaKey(&genKey); return -368; } +#endif pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, DSA_PRIVATEKEY_TYPE); if (pemSz < 0) { @@ -6673,11 +8133,8 @@ int dsa_test(void) return -369; } -#ifdef FREESCALE_MQX - pemFile = fopen("a:\\certs\\key.pem", "wb"); -#else - pemFile = fopen("./key.pem", "wb"); -#endif +#ifndef NO_FILESYSTEM + pemFile = fopen(keyPemFile, "wb"); if (!pemFile) { XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -6692,6 +8149,7 @@ int dsa_test(void) wc_FreeDsaKey(&genKey); return -371; } +#endif ret = wc_InitDsaKey(&derIn); if (ret != 0) { @@ -7493,7 +8951,7 @@ int openssl_test(void) return -3407; total += outlen; if(total != 32) - return 3408; + return -3408; total = 0; EVP_CIPHER_CTX_init(&de); @@ -7525,7 +8983,7 @@ int openssl_test(void) total += outlen; if(total != 18) - return 3427; + return -3427; if (XMEMCMP(plain, cbcPlain, 18)) return -3428; @@ -8297,8 +9755,10 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize) int derSz, pemSz; byte der[FOURK_BUF]; byte pem[FOURK_BUF]; +#ifndef NO_FILESYSTEM FILE* keyFile; FILE* pemFile; +#endif ecc_key userA; @@ -8317,7 +9777,8 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize) ERROR_OUT(derSz, done); } - keyFile = fopen("./ecc-key.der", "wb"); +#ifndef NO_FILESYSTEM + keyFile = fopen(eccCaKeyFile, "wb"); if (!keyFile) { ERROR_OUT(-1025, done); } @@ -8326,13 +9787,15 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize) if (ret != derSz) { ERROR_OUT(-1026, done); } +#endif pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, ECC_PRIVATEKEY_TYPE); if (pemSz < 0) { ERROR_OUT(pemSz, done); } - pemFile = fopen("./ecc-key.pem", "wb"); +#ifndef NO_FILESYSTEM + pemFile = fopen(eccCaKeyPemFile, "wb"); if (!pemFile) { ERROR_OUT(-1028, done); } @@ -8341,6 +9804,7 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize) if (ret != pemSz) { ERROR_OUT(-1029, done); } +#endif /* test export of public key */ derSz = wc_EccPublicKeyToDer(&userA, der, FOURK_BUF, 1); @@ -8350,11 +9814,9 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize) if (derSz == 0) { ERROR_OUT(-5416, done); } -#ifdef FREESCALE_MQX - keyFile = fopen("a:\\certs\\ecc-public-key.der", "wb"); -#else - keyFile = fopen("./ecc-public-key.der", "wb"); -#endif + +#ifndef NO_FILESYSTEM + keyFile = fopen(eccPubKeyDerFile, "wb"); if (!keyFile) { ERROR_OUT(-5417, done); } @@ -8363,6 +9825,8 @@ static int ecc_test_key_gen(WC_RNG* rng, int keySize) if (ret != derSz) { ERROR_OUT(-5418, done); } +#endif + ret = 0; done: @@ -8462,7 +9926,7 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount, #ifdef HAVE_ECC_KEY_EXPORT x = sizeof(exportBuf); - ret = wc_ecc_export_x963(&userA, exportBuf, &x); + ret = wc_ecc_export_x963_ex(&userA, exportBuf, &x, 0); if (ret != 0) goto done; @@ -8601,11 +10065,555 @@ static int ecc_test_curve(WC_RNG* rng, int keySize) return 0; } +#if !defined(WOLFSSL_ATECC508A) && defined(HAVE_ECC_KEY_IMPORT) && \ + defined(HAVE_ECC_KEY_EXPORT) +static int ecc_point_test(void) +{ + int ret; + ecc_point* point; + ecc_point* point2; + word32 outLen; + byte out[65]; + byte der[] = { 0x04, /* = Uncompressed */ + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 }; +#ifdef HAVE_COMP_KEY + byte derComp0[] = { 0x02, /* = Compressed, y even */ + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 }; + byte derComp1[] = { 0x03, /* = Compressed, y odd */ + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 }; +#endif + byte altDer[] = { 0x04, /* = Uncompressed */ + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; + int curve_idx = wc_ecc_get_curve_idx(ECC_SECP256R1); + + /* if curve P256 is not enabled then test should not fail */ + if (curve_idx == ECC_CURVE_INVALID) + return 0; + + outLen = sizeof(out); + point = wc_ecc_new_point(); + if (point == NULL) + return -1035; + point2 = wc_ecc_new_point(); + if (point2 == NULL) { + wc_ecc_del_point(point); + return -1036; + } + + /* Parameter Validation testing. */ + wc_ecc_del_point(NULL); + ret = wc_ecc_import_point_der(NULL, sizeof(der), curve_idx, point); + if (ret != ECC_BAD_ARG_E) { + ret = -1037; + goto done; + } + ret = wc_ecc_import_point_der(der, sizeof(der), ECC_CURVE_INVALID, point); + if (ret != ECC_BAD_ARG_E) { + ret = -1038; + goto done; + } + ret = wc_ecc_import_point_der(der, sizeof(der), curve_idx, NULL); + if (ret != ECC_BAD_ARG_E) { + ret = -1039; + goto done; + } + ret = wc_ecc_export_point_der(-1, point, out, &outLen); + if (ret != ECC_BAD_ARG_E) { + ret = -1040; + goto done; + } + ret = wc_ecc_export_point_der(curve_idx, NULL, out, &outLen); + if (ret != ECC_BAD_ARG_E) { + ret = -1041; + goto done; + } + ret = wc_ecc_export_point_der(curve_idx, point, NULL, &outLen); + if (ret != LENGTH_ONLY_E || outLen != sizeof(out)) { + ret = -1042; + goto done; + } + ret = wc_ecc_export_point_der(curve_idx, point, out, NULL); + if (ret != ECC_BAD_ARG_E) { + ret = -1043; + goto done; + } + outLen = 0; + ret = wc_ecc_export_point_der(curve_idx, point, out, &outLen); + if (ret != BUFFER_E) { + ret = -1044; + goto done; + } + ret = wc_ecc_copy_point(NULL, NULL); + if (ret != ECC_BAD_ARG_E) { + ret = -1045; + goto done; + } + ret = wc_ecc_copy_point(NULL, point2); + if (ret != ECC_BAD_ARG_E) { + ret = -1046; + goto done; + } + ret = wc_ecc_copy_point(point, NULL); + if (ret != ECC_BAD_ARG_E) { + ret = -1047; + goto done; + } + ret = wc_ecc_cmp_point(NULL, NULL); + if (ret != BAD_FUNC_ARG) { + ret = -1048; + goto done; + } + ret = wc_ecc_cmp_point(NULL, point2); + if (ret != BAD_FUNC_ARG) { + ret = -1049; + goto done; + } + ret = wc_ecc_cmp_point(point, NULL); + if (ret != BAD_FUNC_ARG) { + ret = -1050; + goto done; + } + + /* Use API. */ + ret = wc_ecc_import_point_der(der, sizeof(der), curve_idx, point); + if (ret != 0) { + ret = -1051; + goto done; + } + + outLen = sizeof(out); + ret = wc_ecc_export_point_der(curve_idx, point, out, &outLen); + if (ret != 0) { + ret = -1052; + goto done; + } + if (outLen != sizeof(der)) { + ret = -1053; + goto done; + } + if (XMEMCMP(out, der, outLen) != 0) { + ret = -1054; + goto done; + } + + ret = wc_ecc_copy_point(point2, point); + if (ret != MP_OKAY) { + ret = -1055; + goto done; + } + ret = wc_ecc_cmp_point(point2, point); + if (ret != MP_EQ) { + ret = -1056; + goto done; + } + + ret = wc_ecc_import_point_der(altDer, sizeof(altDer), curve_idx, point2); + if (ret != 0) { + ret = -1057; + goto done; + } + ret = wc_ecc_cmp_point(point2, point); + if (ret != MP_GT) { + ret = -1058; + goto done; + } + +#ifdef HAVE_COMP_KEY + /* TODO: Doesn't work. */ + ret = wc_ecc_import_point_der(derComp0, sizeof(der), curve_idx, point); + if (ret != 0) { + ret = -1059; + goto done; + } + + ret = wc_ecc_import_point_der(derComp1, sizeof(der), curve_idx, point); + if (ret != 0) { + ret = -1060; + goto done; + } +#endif + +done: + wc_ecc_del_point(point2); + wc_ecc_del_point(point); + + return ret; +} +#endif /* !WOLFSSL_ATECC508A && HAVE_ECC_KEY_IMPORT && HAVE_ECC_KEY_EXPORT */ + +#ifndef NO_SIG_WRAPPER +static int ecc_sig_test(WC_RNG* rng, ecc_key* key) +{ + int ret; + word32 sigSz; + int size; + byte out[ECC_MAX_SIG_SIZE]; + byte in[] = "Everyone gets Friday off."; + word32 inLen = (word32)XSTRLEN((char*)in); + + size = wc_ecc_sig_size(key); + + ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_ECC, key, sizeof(*key)); + if (ret != size) + return -1030; + + sigSz = ret; + ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC, in, + inLen, out, &sigSz, key, sizeof(*key), rng); + if (ret != 0) + return -1031; + + ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC, in, + inLen, out, sigSz, key, sizeof(*key)); + if (ret != 0) + return -1032; + + return 0; +} +#endif + +#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) +static int ecc_exp_imp_test(ecc_key* key) +{ + int ret; + int curve_id; + ecc_key keyImp; + byte priv[32]; + word32 privLen; + byte pub[65]; + word32 pubLen; + const char qx[] = "01020304050607080102030405060708" + "01020304050607080102030405060708"; + const char qy[] = "01020304050607080102030405060708" + "01020304050607080102030405060708"; + const char d[] = "01020304050607080102030405060708"; + + wc_ecc_init(&keyImp); + + privLen = sizeof(priv); + ret = wc_ecc_export_private_only(key, priv, &privLen); + if (ret != 0) { + ret = -1070; + goto done; + } + pubLen = sizeof(pub); + ret = wc_ecc_export_point_der(key->idx, &key->pubkey, pub, &pubLen); + if (ret != 0) { + ret = -1071; + goto done; + } + + ret = wc_ecc_import_private_key(priv, privLen, pub, pubLen, &keyImp); + if (ret != 0) { + ret = -1072; + goto done; + } + + wc_ecc_free(&keyImp); + wc_ecc_init(&keyImp); + + ret = wc_ecc_import_raw_ex(&keyImp, qx, qy, d, ECC_SECP256R1); + if (ret != 0) { + ret = -1073; + goto done; + } + + wc_ecc_free(&keyImp); + wc_ecc_init(&keyImp); + + curve_id = wc_ecc_get_curve_id(key->idx); + if (curve_id < 0) + return -1074; + + /* test import private only */ + ret = wc_ecc_import_private_key_ex(priv, privLen, NULL, 0, &keyImp, + curve_id); + if (ret != 0) + return -1075; + +done: + wc_ecc_free(&keyImp); + return ret; +} +#endif /* HAVE_ECC_KEY_IMPORT && HAVE_ECC_KEY_EXPORT */ + +#ifdef HAVE_ECC_KEY_IMPORT +static int ecc_mulmod_test(ecc_key* key1) +{ + int ret; + ecc_key key2; + ecc_key key3; + + wc_ecc_init(&key2); + wc_ecc_init(&key3); + + /* TODO: Use test data. */ + /* Need base point (Gx,Gy) and parameter A - load them as the public and + * private key in key2. + */ + ret = wc_ecc_import_raw_ex(&key2, key1->dp->Gx, key1->dp->Gy, key1->dp->Af, + ECC_SECP256R1); + if (ret != 0) + goto done; + + /* Need a point (Gx,Gy) and prime - load them as the public and private key + * in key3. + */ + ret = wc_ecc_import_raw_ex(&key3, key1->dp->Gx, key1->dp->Gy, + key1->dp->prime, ECC_SECP256R1); + if (ret != 0) + goto done; + + ret = wc_ecc_mulmod(&key1->k, &key2.pubkey, &key3.pubkey, &key2.k, &key3.k, + 1); + if (ret != 0) { + ret = -1080; + goto done; + } + +done: + wc_ecc_free(&key3); + wc_ecc_free(&key2); + return ret; +} +#endif + +#ifndef WOLFSSL_ATECC508A +static int ecc_ssh_test(ecc_key* key) +{ + int ret; + byte out[128]; + word32 outLen = sizeof(out); + + /* Parameter Validation testing. */ + ret = wc_ecc_shared_secret_ssh(NULL, &key->pubkey, out, &outLen); + if (ret != BAD_FUNC_ARG) + return -1090; + ret = wc_ecc_shared_secret_ssh(key, NULL, out, &outLen); + if (ret != BAD_FUNC_ARG) + return -1091; + ret = wc_ecc_shared_secret_ssh(key, &key->pubkey, NULL, &outLen); + if (ret != BAD_FUNC_ARG) + return -1092; + ret = wc_ecc_shared_secret_ssh(key, &key->pubkey, out, NULL); + if (ret != BAD_FUNC_ARG) + return -1093; + + /* Use API. */ + ret = wc_ecc_shared_secret_ssh(key, &key->pubkey, out, &outLen); + if (ret != 0) + return -1094; + return 0; +} +#endif + +static int ecc_def_curve_test(WC_RNG *rng) +{ + int ret; + ecc_key key; + + wc_ecc_init(&key); + + ret = wc_ecc_make_key(rng, 32, &key); + if (ret != 0) { + ret = -1030; + goto done; + } + +#ifndef NO_SIG_WRAPPER + ret = ecc_sig_test(rng, &key); + if (ret < 0) + goto done; +#endif +#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) + ret = ecc_exp_imp_test(&key); + if (ret < 0) + goto done; +#endif +#ifdef HAVE_ECC_KEY_IMPORT + ret = ecc_mulmod_test(&key); + if (ret < 0) + goto done; +#endif +#ifndef WOLFSSL_ATECC508A + ret = ecc_ssh_test(&key); + if (ret < 0) + goto done; +#endif +done: + wc_ecc_free(&key); + return ret; +} + +#ifdef WOLFSSL_CERT_EXT +static int ecc_decode_test(void) +{ + int ret; + word32 inSz; + word32 inOutIdx; + ecc_key key; + const byte good[] = { 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x00, 0x06, 0x01, 0x01, + 0x03, 0x04, 0x00, 0x04, 0x01, 0x01 }; + const byte badNoObjId[] = { 0x30, 0x08, 0x30, 0x06, 0x03, 0x04, + 0x00, 0x04, 0x01, 0x01 }; + const byte badOneObjId[] = { 0x30, 0x0a, 0x30, 0x08, 0x06, 0x00, 0x03, 0x04, + 0x00, 0x04, 0x01, 0x01 }; + const byte badObjId1Len[] = { 0x30, 0x0c, 0x30, 0x0a, 0x06, 0x09, + 0x06, 0x00, 0x03, 0x04, 0x00, 0x04, 0x01, 0x01 }; + const byte badObj2d1Len[] = { 0x30, 0x0c, 0x30, 0x0a, 0x06, 0x00, + 0x06, 0x07, 0x03, 0x04, 0x00, 0x04, 0x01, 0x01 }; + const byte badNotBitStr[] = { 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x00, + 0x06, 0x01, 0x01, 0x04, 0x04, 0x00, 0x04, 0x01, 0x01 }; + const byte badBitStrLen[] = { 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x00, + 0x06, 0x01, 0x01, 0x03, 0x05, 0x00, 0x04, 0x01, 0x01 }; + const byte badNoBitStrZero[] = { 0x30, 0x0c, 0x30, 0x0a, 0x06, 0x00, + 0x06, 0x01, 0x01, 0x03, 0x03, 0x04, 0x01, 0x01 }; + const byte badPoint[] = { 0x30, 0x0b, 0x30, 0x09, 0x06, 0x00, 0x06, 0x01, + 0x01, 0x03, 0x03, 0x00, 0x04, 0x01 }; + + XMEMSET(&key, 0, sizeof(key)); + wc_ecc_init(&key); + + inSz = sizeof(good); + ret = wc_EccPublicKeyDecode(NULL, &inOutIdx, &key, inSz); + if (ret != BAD_FUNC_ARG) { + ret = -1100; + goto done; + } + ret = wc_EccPublicKeyDecode(good, NULL, &key, inSz); + if (ret != BAD_FUNC_ARG) { + ret = -1101; + goto done; + } + ret = wc_EccPublicKeyDecode(good, &inOutIdx, NULL, inSz); + if (ret != BAD_FUNC_ARG) { + ret = -1102; + goto done; + } + ret = wc_EccPublicKeyDecode(good, &inOutIdx, &key, 0); + if (ret != BAD_FUNC_ARG) { + ret = -1103; + goto done; + } + + /* Change offset to produce bad input data. */ + inOutIdx = 2; + inSz = sizeof(good) - inOutIdx; + ret = wc_EccPublicKeyDecode(good, &inOutIdx, &key, inSz); + if (ret != ASN_PARSE_E) { + ret = -1104; + goto done; + } + inOutIdx = 4; + inSz = sizeof(good) - inOutIdx; + ret = wc_EccPublicKeyDecode(good, &inOutIdx, &key, inSz); + if (ret != ASN_PARSE_E) { + ret = -1105; + goto done; + } + /* Bad data. */ + inSz = sizeof(badNoObjId); + inOutIdx = 0; + ret = wc_EccPublicKeyDecode(badNoObjId, &inOutIdx, &key, inSz); + if (ret != ASN_OBJECT_ID_E) { + ret = -1106; + goto done; + } + inSz = sizeof(badOneObjId); + inOutIdx = 0; + ret = wc_EccPublicKeyDecode(badOneObjId, &inOutIdx, &key, inSz); + if (ret != ASN_OBJECT_ID_E) { + ret = -1107; + goto done; + } + inSz = sizeof(badObjId1Len); + inOutIdx = 0; + ret = wc_EccPublicKeyDecode(badObjId1Len, &inOutIdx, &key, inSz); + if (ret != ASN_PARSE_E) { + ret = -1108; + goto done; + } + inSz = sizeof(badObj2d1Len); + inOutIdx = 0; + ret = wc_EccPublicKeyDecode(badObj2d1Len, &inOutIdx, &key, inSz); + if (ret != ASN_PARSE_E) { + ret = -1109; + goto done; + } + inSz = sizeof(badNotBitStr); + inOutIdx = 0; + ret = wc_EccPublicKeyDecode(badNotBitStr, &inOutIdx, &key, inSz); + if (ret != ASN_BITSTR_E) { + ret = -1110; + goto done; + } + inSz = sizeof(badBitStrLen); + inOutIdx = 0; + ret = wc_EccPublicKeyDecode(badBitStrLen, &inOutIdx, &key, inSz); + if (ret != ASN_PARSE_E) { + ret = -1111; + goto done; + } + inSz = sizeof(badNoBitStrZero); + inOutIdx = 0; + ret = wc_EccPublicKeyDecode(badNoBitStrZero, &inOutIdx, &key, inSz); + if (ret != ASN_EXPECT_0_E) { + ret = -1112; + goto done; + } + inSz = sizeof(badPoint); + inOutIdx = 0; + ret = wc_EccPublicKeyDecode(badPoint, &inOutIdx, &key, inSz); + if (ret != ASN_ECC_KEY_E) { + ret = -1113; + goto done; + } + + inSz = sizeof(good); + inOutIdx = 0; + ret = wc_EccPublicKeyDecode(good, &inOutIdx, &key, inSz); + if (ret != 0) { + ret = -1120; + goto done; + } + +done: + wc_ecc_free(&key); + return ret; +} +#endif /* WOLFSSL_CERT_EXT */ + int ecc_test(void) { int ret; WC_RNG rng; +#ifdef WOLFSSL_CERT_EXT + ret = ecc_decode_test(); + if (ret < 0) + return ret; +#endif + ret = wc_InitRng(&rng); if (ret != 0) return -1001; @@ -8651,6 +10659,17 @@ int ecc_test(void) if (ret < 0) { goto done; } +#if !defined(WOLFSSL_ATECC508A) && defined(HAVE_ECC_KEY_IMPORT) && \ + defined(HAVE_ECC_KEY_EXPORT) + ret = ecc_point_test(); + if (ret < 0) { + goto done; + } +#endif + ret = ecc_def_curve_test(&rng); + if (ret < 0) { + goto done; + } #endif /* !NO_ECC256 */ #if defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES) ret = ecc_test_curve(&rng, 40); @@ -8847,9 +10866,6 @@ int ecc_test_buffers() { size_t bytes; ecc_key cliKey; ecc_key servKey; -#ifdef WOLFSSL_CERT_EXT - ecc_key keypub; -#endif WC_RNG rng; word32 idx = 0; int ret; @@ -8915,6 +10931,7 @@ int ecc_test_buffers() { if (XMEMCMP(plain, in, ret)) return -48; +#ifdef WOLFSSL_CERT_EXT idx = 0; bytes = sizeof_ecc_clikeypub_der_256; @@ -8923,6 +10940,7 @@ int ecc_test_buffers() { (word32) bytes); if (ret != 0) return -52; +#endif return 0; } @@ -10023,8 +12041,10 @@ int pkcs7enveloped_test(void) size_t rsaPrivKeySz = 0; size_t eccPrivKeySz = 0; +#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) FILE* certFile; FILE* keyFile; +#endif #ifndef NO_RSA /* read client RSA cert and key in DER format */ @@ -10038,6 +12058,13 @@ int pkcs7enveloped_test(void) return -202; } +#ifdef USE_CERT_BUFFERS_1024 + XMEMCPY(rsaCert, client_cert_der_1024, sizeof_client_cert_der_1024); + rsaCertSz = sizeof_client_cert_der_1024; +#elif defined(USE_CERT_BUFFERS_2048) + XMEMCPY(rsaCert, client_cert_der_2048, sizeof_client_cert_der_2048); + rsaCertSz = sizeof_client_cert_der_2048; +#else certFile = fopen(clientCert, "rb"); if (!certFile) { XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -10049,7 +12076,15 @@ int pkcs7enveloped_test(void) rsaCertSz = fread(rsaCert, 1, FOURK_BUF, certFile); fclose(certFile); +#endif +#ifdef USE_CERT_BUFFERS_1024 + XMEMCPY(rsaPrivKey, client_key_der_1024, sizeof_client_key_der_1024); + rsaPrivKeySz = sizeof_client_key_der_1024; +#elif defined(USE_CERT_BUFFERS_2048) + XMEMCPY(rsaPrivKey, client_key_der_2048, sizeof_client_key_der_2048); + rsaPrivKeySz = sizeof_client_key_der_2048; +#else keyFile = fopen(clientKey, "rb"); if (!keyFile) { XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -10061,6 +12096,8 @@ int pkcs7enveloped_test(void) rsaPrivKeySz = fread(rsaPrivKey, 1, FOURK_BUF, keyFile); fclose(keyFile); +#endif /* USE_CERT_BUFFERS */ + #endif /* NO_RSA */ #ifdef HAVE_ECC @@ -10080,6 +12117,10 @@ int pkcs7enveloped_test(void) return -206; } +#ifdef USE_CERT_BUFFERS_256 + XMEMCPY(eccCert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); + eccCertSz = sizeof_cliecc_cert_der_256; +#else certFile = fopen(eccClientCert, "rb"); if (!certFile) { XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -10090,10 +12131,14 @@ int pkcs7enveloped_test(void) "Please run from wolfSSL home dir", -42); return -207; } - eccCertSz = fread(eccCert, 1, FOURK_BUF, certFile); fclose(certFile); +#endif /* USE_CERT_BUFFERS_256 */ +#ifdef USE_CERT_BUFFERS_256 + XMEMCPY(eccPrivKey, ecc_clikey_der_256, sizeof_ecc_clikey_der_256); + eccPrivKeySz = sizeof_ecc_clikey_der_256; +#else keyFile = fopen(eccClientKey, "rb"); if (!keyFile) { XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -10104,9 +12149,9 @@ int pkcs7enveloped_test(void) "Please run from wolfSSL home dir", -43); return -208; } - eccPrivKeySz = fread(eccPrivKey, 1, FOURK_BUF, keyFile); fclose(keyFile); +#endif /* USE_CERT_BUFFERS_256 */ #endif /* HAVE_ECC */ ret = pkcs7enveloped_run_vectors(rsaCert, (word32)rsaCertSz, @@ -10333,8 +12378,9 @@ int pkcs7encrypted_test(void) int pkcs7signed_test(void) { int ret = 0; - +#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) FILE* file; +#endif byte* certDer; byte* keyDer; byte* out; @@ -10385,6 +12431,13 @@ int pkcs7signed_test(void) } /* read in DER cert of recipient, into cert of size certSz */ +#ifdef USE_CERT_BUFFERS_1024 + XMEMCPY(certDer, client_cert_der_1024, sizeof_client_cert_der_1024); + certDerSz = sizeof_client_cert_der_1024; +#elif defined(USE_CERT_BUFFERS_2048) + XMEMCPY(certDer, client_cert_der_2048, sizeof_client_cert_der_2048); + certDerSz = sizeof_client_cert_der_2048; +#else file = fopen(clientCert, "rb"); if (!file) { XFREE(certDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -10396,7 +12449,15 @@ int pkcs7signed_test(void) } certDerSz = (word32)fread(certDer, 1, FOURK_BUF, file); fclose(file); +#endif /* USE_CERT_BUFFER_ */ +#ifdef USE_CERT_BUFFERS_1024 + XMEMCPY(keyDer, client_key_der_1024, sizeof_client_key_der_1024); + keyDerSz = sizeof_client_key_der_1024; +#elif defined(USE_CERT_BUFFERS_2048) + XMEMCPY(keyDer, client_key_der_2048, sizeof_client_key_der_2048); + keyDerSz = sizeof_client_key_der_2048; +#else file = fopen(clientKey, "rb"); if (!file) { XFREE(certDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -10408,6 +12469,7 @@ int pkcs7signed_test(void) } keyDerSz = (word32)fread(keyDer, 1, FOURK_BUF, file); fclose(file); +#endif /* USE_CERT_BUFFER_ */ ret = wc_InitRng(&rng); if (ret != 0) { @@ -10540,6 +12602,321 @@ int pkcs7signed_test(void) #endif /* HAVE_PKCS7 */ +#ifdef HAVE_VALGRIND +/* Need a static build to have access to symbols. */ + +/* Maximum number of bytes in a number to test. */ +#define MP_MAX_TEST_BYTE_LEN 16 + +#if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) +static int randNum(mp_int* n, int len, WC_RNG* rng, void* heap) +{ + byte d[MP_MAX_TEST_BYTE_LEN]; + int ret; + + (void)heap; + + do { + ret = wc_RNG_GenerateBlock(rng, d, len); + if (ret != 0) + return ret; + ret = mp_read_unsigned_bin(n, d, len); + if (ret != 0) + return ret; + } while (mp_iszero(n)); + + return 0; +} +#endif + +int mp_test() +{ + WC_RNG rng; + int ret; +#if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) + int i, j, k; +#endif + mp_int a, b, r1, r2, p; + mp_digit d; + + ret = mp_init_multi(&a, &b, &r1, &r2, NULL, NULL); + if (ret != 0) + return -10000; + + mp_init_copy(&p, &a); + + ret = wc_InitRng(&rng); + if (ret != 0) + goto done; + +#if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) + mp_set_int(&a, 0); + if (a.used != 0 || a.dp[0] != 0) + return -10001; + + for (j = 1; j <= MP_MAX_TEST_BYTE_LEN; j++) { + for (i = 0; i < 4 * j; i++) { + /* New values to use. */ + ret = randNum(&p, j, &rng, NULL); + if (ret != 0) + return -11000; + ret = randNum(&a, j, &rng, NULL); + if (ret != 0) + return -11001; + ret = randNum(&b, j, &rng, NULL); + if (ret != 0) + return -11002; + ret = wc_RNG_GenerateBlock(&rng, (byte*)&d, sizeof(d)); + if (ret != 0) + return -11003; + d &= MP_MASK; + + /* Ensure sqrmod produce same result as mulmod. */ + ret = mp_sqrmod(&a, &p, &r1); + if (ret != 0) + return -11005; + ret = mp_mulmod(&a, &a, &p, &r2); + if (ret != 0) + return -11006; + if (mp_cmp(&r1, &r2) != 0) + return -11007; + + /* Ensure add with mod produce same result as sub with mod. */ + ret = mp_addmod(&a, &b, &p, &r1); + if (ret != 0) + return -11010; + b.sign ^= 1; + ret = mp_submod(&a, &b, &p, &r2); + if (ret != 0) + return -11011; + if (mp_cmp(&r1, &r2) != 0) + return -11012; + + /* Ensure add digit produce same result as sub digit. */ + ret = mp_add_d(&a, d, &r1); + if (ret != 0) + return -11015; + ret = mp_sub_d(&r1, d, &r2); + if (ret != 0) + return -11016; + if (mp_cmp(&a, &r2) != 0) + return -11017; + + /* Invert - if p is even it will use the slow impl. + * - if p and a are even it will fail. + */ + ret = mp_invmod(&a, &p, &r1); + if (ret != 0 && ret != MP_VAL) + return -11019; + ret = 0; + + /* Shift up and down number all bits in a digit. */ + for (k = 0; k < DIGIT_BIT; k++) { + mp_mul_2d(&a, k, &r1); + mp_div_2d(&r1, k, &r2, &p); + if (mp_cmp(&a, &r2) != 0) + return -11020; + if (!mp_iszero(&p)) + return -11021; + mp_rshb(&r1, k); + if (mp_cmp(&a, &r1) != 0) + return -11022; + } + } + } + + /* Check that setting a 32-bit digit works. */ + d &= 0xffffffff; + mp_set_int(&a, d); + if (a.used != 1 || a.dp[0] != d) + return -11025; + + /* Check setting a bit and testing a bit works. */ + for (i = 0; i < MP_MAX_TEST_BYTE_LEN * 8; i++) { + mp_zero(&a); + mp_set_bit(&a, i); + if (!mp_is_bit_set(&a, i)) + return -11030; + } +#endif + +done: + mp_clear(&p); + mp_clear(&r2); + mp_clear(&r1); + mp_clear(&b); + mp_clear(&a); + wc_FreeRng(&rng); + return ret; +} +#endif + +#ifdef HAVE_VALGRIND +/* Need a static build to have access to symbols. */ + +#ifndef WOLFSSL_SSL_H +/* APIs hiding in ssl.h */ +extern int wolfSSL_Debugging_ON(void); +extern void wolfSSL_Debugging_OFF(void); +#endif + +#ifdef DEBUG_WOLFSSL +static int log_cnt = 0; +static void my_Logging_cb(const int logLevel, const char *const logMessage) +{ + (void)logLevel; + (void)logMessage; + log_cnt++; +} +#endif + +int logging_test() +{ +#ifdef DEBUG_WOLFSSL + const char* msg = "Testing, testing. 1, 2, 3, 4 ..."; + byte a[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; + byte b[256]; + size_t i; + + for (i = 0; i < sizeof(b); i++) + b[i] = i; + + if (wolfSSL_Debugging_ON() != 0) + return -12000; + if (wolfSSL_SetLoggingCb(NULL) != BAD_FUNC_ARG) + return -12002; + + WOLFSSL_MSG(msg); + WOLFSSL_BUFFER(a, sizeof(a)); + WOLFSSL_BUFFER(b, sizeof(b)); + WOLFSSL_BUFFER(NULL, 0); + + wolfSSL_Debugging_OFF(); + + WOLFSSL_MSG(msg); + WOLFSSL_BUFFER(b, sizeof(b)); + + if (wolfSSL_SetLoggingCb(my_Logging_cb) != 0) + return -12003; + + wolfSSL_Debugging_OFF(); + + WOLFSSL_MSG(msg); + WOLFSSL_BUFFER(b, sizeof(b)); + + if (log_cnt != 0) + return -12005; + if (wolfSSL_Debugging_ON() != 0) + return -12006; + + WOLFSSL_MSG(msg); + WOLFSSL_BUFFER(b, sizeof(b)); + + /* One call for each line of output. */ + if (log_cnt != 17) + return -12007; +#else + if (wolfSSL_Debugging_ON() != NOT_COMPILED_IN) + return -12000; + wolfSSL_Debugging_OFF(); + if (wolfSSL_SetLoggingCb(NULL) != NOT_COMPILED_IN) + return -12001; +#endif + return 0; +} +#endif + +int mutex_test() +{ +#ifdef WOLFSSL_PTHREADS + wolfSSL_Mutex m; +#endif + wolfSSL_Mutex *mm = wc_InitAndAllocMutex(); + if (mm == NULL) + return -12020; + wc_FreeMutex(mm); + XFREE(mm, NULL, DYNAMIC_TYPE_MUTEX); + +#ifdef WOLFSSL_PTHREADS + if (wc_InitMutex(&m) != 0) + return -12021; + if (wc_LockMutex(&m) != 0) + return -12022; + if (wc_FreeMutex(&m) != BAD_MUTEX_E) + return -12023; + if (wc_UnLockMutex(&m) != 0) + return -12024; + if (wc_FreeMutex(&m) != 0) + return -12025; + if (wc_LockMutex(&m) != BAD_MUTEX_E) + return -12026; + if (wc_UnLockMutex(&m) != BAD_MUTEX_E) + return -12027; +#endif + + return 0; +} + +#ifdef USE_WOLFSSL_MEMORY +static int malloc_cnt = 0; +static int realloc_cnt = 0; +static int free_cnt = 0; + +static void *my_Malloc_cb(size_t size) +{ + malloc_cnt++; + return malloc(size); +} +static void my_Free_cb(void *ptr) +{ + free_cnt++; + free(ptr); +} +static void *my_Realloc_cb(void *ptr, size_t size) +{ + realloc_cnt++; + return realloc(ptr, size); +} + +int memcb_test() +{ + byte* b = NULL; + + b = (byte*)XREALLOC(b, 1024, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER); + b = NULL; + + /* Parameter Validation testing. */ + if (wolfSSL_SetAllocators(NULL, (wolfSSL_Free_cb)&my_Free_cb, + (wolfSSL_Realloc_cb)&my_Realloc_cb) != BAD_FUNC_ARG) + return -12100; + if (wolfSSL_SetAllocators((wolfSSL_Malloc_cb)&my_Malloc_cb, NULL, + (wolfSSL_Realloc_cb)&my_Realloc_cb) != BAD_FUNC_ARG) + return -12101; + if (wolfSSL_SetAllocators((wolfSSL_Malloc_cb)&my_Malloc_cb, + (wolfSSL_Free_cb)&my_Free_cb, NULL) != BAD_FUNC_ARG) + return -12102; + + /* Use API. */ + if (wolfSSL_SetAllocators((wolfSSL_Malloc_cb)&my_Malloc_cb, + (wolfSSL_Free_cb)&my_Free_cb, (wolfSSL_Realloc_cb)my_Realloc_cb) + != 0) + return -12100; + + b = (byte*)XMALLOC(1024, NULL, DYNAMIC_TYPE_TMP_BUFFER); + b = (byte*)XREALLOC(b, 1024, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER); + +#ifndef WOLFSSL_STATIC_MEMORY + if (malloc_cnt != 1 || free_cnt != 1 || realloc_cnt != 1) +#else + if (malloc_cnt != 0 || free_cnt != 0 || realloc_cnt != 0) +#endif + return -12110; + return 0; +} +#endif + #undef ERROR_OUT #else diff --git a/wolfcrypt/user-crypto/src/rsa.c b/wolfcrypt/user-crypto/src/rsa.c index fdee5f5a2..3040211bd 100644 --- a/wolfcrypt/user-crypto/src/rsa.c +++ b/wolfcrypt/user-crypto/src/rsa.c @@ -1950,13 +1950,13 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n, if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) return USER_CRYPTO_ERROR; - bytSz = sizeof(byte); + bytSz = sizeof(byte) * 8; ret = ippsExtGet_BN(NULL, &sz, NULL, key->e); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; /* sz is in bits change to bytes */ - sz = (sz / bytSz) + (sz % bytSz); + sz = (sz / bytSz) + ((sz % bytSz)? 1 : 0); if (*eSz < (word32)sz) return USER_CRYPTO_ERROR; @@ -1973,7 +1973,7 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n, return USER_CRYPTO_ERROR; /* sz is in bits change to bytes */ - sz = (sz / bytSz) + (sz % bytSz); + sz = (sz / bytSz) + ((sz % bytSz)? 1: 0); if (*nSz < (word32)sz) return USER_CRYPTO_ERROR; diff --git a/wolfssl/certs_test.h b/wolfssl/certs_test.h index 2d52511d7..64d10e50d 100644 --- a/wolfssl/certs_test.h +++ b/wolfssl/certs_test.h @@ -1219,6 +1219,132 @@ static const unsigned char rsa_key_der_2048[] = }; static const int sizeof_rsa_key_der_2048 = sizeof(rsa_key_der_2048); +/* ./certs/ca-key.der, 2048-bit */ +static const unsigned char ca_key_der_2048[] = +{ + 0x30, 0x82, 0x04, 0xA4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xBF, 0x0C, 0xCA, 0x2D, 0x14, 0xB2, 0x1E, 0x84, + 0x42, 0x5B, 0xCD, 0x38, 0x1F, 0x4A, 0xF2, 0x4D, 0x75, 0x10, + 0xF1, 0xB6, 0x35, 0x9F, 0xDF, 0xCA, 0x7D, 0x03, 0x98, 0xD3, + 0xAC, 0xDE, 0x03, 0x66, 0xEE, 0x2A, 0xF1, 0xD8, 0xB0, 0x7D, + 0x6E, 0x07, 0x54, 0x0B, 0x10, 0x98, 0x21, 0x4D, 0x80, 0xCB, + 0x12, 0x20, 0xE7, 0xCC, 0x4F, 0xDE, 0x45, 0x7D, 0xC9, 0x72, + 0x77, 0x32, 0xEA, 0xCA, 0x90, 0xBB, 0x69, 0x52, 0x10, 0x03, + 0x2F, 0xA8, 0xF3, 0x95, 0xC5, 0xF1, 0x8B, 0x62, 0x56, 0x1B, + 0xEF, 0x67, 0x6F, 0xA4, 0x10, 0x41, 0x95, 0xAD, 0x0A, 0x9B, + 0xE3, 0xA5, 0xC0, 0xB0, 0xD2, 0x70, 0x76, 0x50, 0x30, 0x5B, + 0xA8, 0xE8, 0x08, 0x2C, 0x7C, 0xED, 0xA7, 0xA2, 0x7A, 0x8D, + 0x38, 0x29, 0x1C, 0xAC, 0xC7, 0xED, 0xF2, 0x7C, 0x95, 0xB0, + 0x95, 0x82, 0x7D, 0x49, 0x5C, 0x38, 0xCD, 0x77, 0x25, 0xEF, + 0xBD, 0x80, 0x75, 0x53, 0x94, 0x3C, 0x3D, 0xCA, 0x63, 0x5B, + 0x9F, 0x15, 0xB5, 0xD3, 0x1D, 0x13, 0x2F, 0x19, 0xD1, 0x3C, + 0xDB, 0x76, 0x3A, 0xCC, 0xB8, 0x7D, 0xC9, 0xE5, 0xC2, 0xD7, + 0xDA, 0x40, 0x6F, 0xD8, 0x21, 0xDC, 0x73, 0x1B, 0x42, 0x2D, + 0x53, 0x9C, 0xFE, 0x1A, 0xFC, 0x7D, 0xAB, 0x7A, 0x36, 0x3F, + 0x98, 0xDE, 0x84, 0x7C, 0x05, 0x67, 0xCE, 0x6A, 0x14, 0x38, + 0x87, 0xA9, 0xF1, 0x8C, 0xB5, 0x68, 0xCB, 0x68, 0x7F, 0x71, + 0x20, 0x2B, 0xF5, 0xA0, 0x63, 0xF5, 0x56, 0x2F, 0xA3, 0x26, + 0xD2, 0xB7, 0x6F, 0xB1, 0x5A, 0x17, 0xD7, 0x38, 0x99, 0x08, + 0xFE, 0x93, 0x58, 0x6F, 0xFE, 0xC3, 0x13, 0x49, 0x08, 0x16, + 0x0B, 0xA7, 0x4D, 0x67, 0x00, 0x52, 0x31, 0x67, 0x23, 0x4E, + 0x98, 0xED, 0x51, 0x45, 0x1D, 0xB9, 0x04, 0xD9, 0x0B, 0xEC, + 0xD8, 0x28, 0xB3, 0x4B, 0xBD, 0xED, 0x36, 0x79, 0x02, 0x03, + 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x3D, 0x6E, 0x4E, + 0x60, 0x1A, 0x84, 0x7F, 0x9D, 0x85, 0x7C, 0xE1, 0x4B, 0x07, + 0x7C, 0xE0, 0xD6, 0x99, 0x2A, 0xDE, 0x9D, 0xF9, 0x36, 0x34, + 0x0E, 0x77, 0x0E, 0x3E, 0x08, 0xEA, 0x4F, 0xE5, 0x06, 0x26, + 0xD4, 0xF6, 0x38, 0xF7, 0xDF, 0x0D, 0x0F, 0x1C, 0x2E, 0x06, + 0xA2, 0xF4, 0x2A, 0x68, 0x9C, 0x63, 0x72, 0xE3, 0x35, 0xE6, + 0x04, 0x91, 0x91, 0xB5, 0xC1, 0xB1, 0xA4, 0x54, 0xAC, 0xD7, + 0xC6, 0xFB, 0x41, 0xA0, 0xD6, 0x75, 0x6F, 0xBD, 0x0B, 0x4E, + 0xBF, 0xB1, 0x52, 0xE8, 0x5F, 0x49, 0x26, 0x98, 0x56, 0x47, + 0xC7, 0xDE, 0xE9, 0xEA, 0x3C, 0x60, 0x01, 0xBF, 0x28, 0xDC, + 0x31, 0xBF, 0x49, 0x5F, 0x93, 0x49, 0x87, 0x7A, 0x81, 0x5B, + 0x96, 0x4B, 0x4D, 0xCA, 0x5C, 0x38, 0x4F, 0xB7, 0xE1, 0xB2, + 0xD3, 0xC7, 0x21, 0xDA, 0x3C, 0x12, 0x87, 0x07, 0xE4, 0x1B, + 0xDC, 0x43, 0xEC, 0xE8, 0xEC, 0x54, 0x61, 0xE7, 0xF6, 0xED, + 0xA6, 0x0B, 0x2E, 0xF5, 0xDF, 0x82, 0x7F, 0xC6, 0x1F, 0x61, + 0x19, 0x9C, 0xA4, 0x83, 0x39, 0xDF, 0x21, 0x85, 0x89, 0x6F, + 0x77, 0xAF, 0x86, 0x15, 0x32, 0x08, 0xA2, 0x5A, 0x0B, 0x26, + 0x61, 0xFB, 0x70, 0x0C, 0xCA, 0x9C, 0x38, 0x7D, 0xBC, 0x22, + 0xEE, 0xEB, 0xA3, 0xA8, 0x16, 0x00, 0xF9, 0x8A, 0x80, 0x1E, + 0x00, 0x84, 0xA8, 0x4A, 0x41, 0xF8, 0x84, 0x03, 0x67, 0x2F, + 0x23, 0x5B, 0x2F, 0x9B, 0x6B, 0x26, 0xC3, 0x07, 0x34, 0x94, + 0xA3, 0x03, 0x3B, 0x72, 0xD5, 0x9F, 0x72, 0xE0, 0xAD, 0xCC, + 0x34, 0xAB, 0xBD, 0xC7, 0xD5, 0xF5, 0x26, 0x30, 0x85, 0x0F, + 0x30, 0x23, 0x39, 0x52, 0xFF, 0x3C, 0xCB, 0x99, 0x21, 0x4D, + 0x88, 0xA5, 0xAB, 0xEE, 0x62, 0xB9, 0xC7, 0xE0, 0xBB, 0x47, + 0x87, 0xC1, 0x69, 0xCF, 0x73, 0xF3, 0x30, 0xBE, 0xCE, 0x39, + 0x04, 0x9C, 0xE5, 0x02, 0x81, 0x81, 0x00, 0xE1, 0x76, 0x45, + 0x80, 0x59, 0xB6, 0xD3, 0x49, 0xDF, 0x0A, 0xEF, 0x12, 0xD6, + 0x0F, 0xF0, 0xB7, 0xCB, 0x2A, 0x37, 0xBF, 0xA7, 0xF8, 0xB5, + 0x4D, 0xF5, 0x31, 0x35, 0xAD, 0xE4, 0xA3, 0x94, 0xA1, 0xDB, + 0xF1, 0x96, 0xAD, 0xB5, 0x05, 0x64, 0x85, 0x83, 0xFC, 0x1B, + 0x5B, 0x29, 0xAA, 0xBE, 0xF8, 0x26, 0x3F, 0x76, 0x7E, 0xAD, + 0x1C, 0xF0, 0xCB, 0xD7, 0x26, 0xB4, 0x1B, 0x05, 0x8E, 0x56, + 0x86, 0x7E, 0x08, 0x62, 0x21, 0xC1, 0x86, 0xD6, 0x47, 0x79, + 0x3E, 0xB7, 0x5D, 0xA4, 0xC6, 0x3A, 0xD7, 0xB1, 0x74, 0x20, + 0xF6, 0x50, 0x97, 0x41, 0x04, 0x53, 0xED, 0x3F, 0x26, 0xD6, + 0x6F, 0x91, 0xFA, 0x68, 0x26, 0xEC, 0x2A, 0xDC, 0x9A, 0xF1, + 0xE7, 0xDC, 0xFB, 0x73, 0xF0, 0x79, 0x43, 0x1B, 0x21, 0xA3, + 0x59, 0x04, 0x63, 0x52, 0x07, 0xC9, 0xD7, 0xE6, 0xD1, 0x1B, + 0x5D, 0x5E, 0x96, 0xFA, 0x53, 0x02, 0x81, 0x81, 0x00, 0xD8, + 0xED, 0x4E, 0x64, 0x61, 0x6B, 0x91, 0x0C, 0x61, 0x01, 0xB5, + 0x0F, 0xBB, 0x44, 0x67, 0x53, 0x1E, 0xDC, 0x07, 0xC4, 0x24, + 0x7E, 0x9E, 0x6C, 0x84, 0x23, 0x91, 0x0C, 0xE4, 0x12, 0x04, + 0x16, 0x4D, 0x78, 0x98, 0xCC, 0x96, 0x3D, 0x20, 0x4E, 0x0F, + 0x45, 0x9A, 0xB6, 0xF8, 0xB3, 0x93, 0x0D, 0xB2, 0xA2, 0x1B, + 0x29, 0xF2, 0x26, 0x79, 0xC8, 0xC5, 0xD2, 0x78, 0x7E, 0x5E, + 0x73, 0xF2, 0xD7, 0x70, 0x61, 0xBB, 0x40, 0xCE, 0x61, 0x05, + 0xFE, 0x69, 0x1E, 0x82, 0x29, 0xE6, 0x14, 0xB8, 0xA1, 0xE7, + 0x96, 0xD0, 0x23, 0x3F, 0x05, 0x93, 0x00, 0xF2, 0xE1, 0x4D, + 0x7E, 0xED, 0xB7, 0x96, 0x6C, 0xF7, 0xF0, 0xE4, 0xD1, 0xCF, + 0x01, 0x98, 0x4F, 0xDC, 0x74, 0x54, 0xAA, 0x6D, 0x5E, 0x5A, + 0x41, 0x31, 0xFE, 0xFF, 0x9A, 0xB6, 0xA0, 0x05, 0xDD, 0xA9, + 0x10, 0x54, 0xF8, 0x6B, 0xD0, 0xAA, 0x83, 0x02, 0x81, 0x80, + 0x21, 0xD3, 0x04, 0x8A, 0x44, 0xEB, 0x50, 0xB7, 0x7C, 0x66, + 0xBF, 0x87, 0x2B, 0xE6, 0x28, 0x4E, 0xEA, 0x83, 0xE2, 0xE9, + 0x35, 0xE1, 0xF2, 0x11, 0x47, 0xFF, 0xA1, 0xF5, 0xFC, 0x9F, + 0x2D, 0xE5, 0x3A, 0x81, 0xFC, 0x01, 0x03, 0x6F, 0x53, 0xAD, + 0x54, 0x27, 0xB6, 0x52, 0xEE, 0xE5, 0x56, 0xD1, 0x13, 0xAB, + 0xE1, 0xB3, 0x0F, 0x75, 0x90, 0x0A, 0x84, 0xB4, 0xA1, 0xC0, + 0x8C, 0x0C, 0xD6, 0x9E, 0x46, 0xBA, 0x2B, 0x3E, 0xB5, 0x31, + 0xED, 0x63, 0xBB, 0xA4, 0xD5, 0x0D, 0x8F, 0x72, 0xCD, 0xD1, + 0x1E, 0x26, 0x35, 0xEB, 0xBE, 0x1B, 0x72, 0xFD, 0x9B, 0x39, + 0xB4, 0x87, 0xB7, 0x13, 0xF5, 0xEA, 0x83, 0x45, 0x93, 0x98, + 0xBA, 0x8F, 0xE4, 0x4A, 0xCC, 0xB4, 0x4C, 0xA8, 0x7F, 0x08, + 0xBA, 0x41, 0x49, 0xA8, 0x49, 0x28, 0x3D, 0x5E, 0x3D, 0xC1, + 0xCE, 0x37, 0x00, 0xCB, 0xF9, 0x2C, 0xDD, 0x51, 0x02, 0x81, + 0x81, 0x00, 0xA1, 0x57, 0x9F, 0x3E, 0xB9, 0xD6, 0xAF, 0x83, + 0x6D, 0x83, 0x3F, 0x8F, 0xFB, 0xD0, 0xDC, 0xA8, 0xCE, 0x03, + 0x09, 0x23, 0xB1, 0xA1, 0x1B, 0x63, 0xCA, 0xC4, 0x49, 0x56, + 0x35, 0x2B, 0xD1, 0x2E, 0x65, 0x60, 0x95, 0x05, 0x55, 0x99, + 0x11, 0x35, 0xFD, 0xD5, 0xDF, 0x44, 0xC7, 0xA5, 0x88, 0x72, + 0x5F, 0xB2, 0x82, 0x51, 0xA8, 0x71, 0x45, 0x93, 0x36, 0xCF, + 0x5C, 0x1F, 0x61, 0x51, 0x0C, 0x05, 0x80, 0xE8, 0xAF, 0xC5, + 0x7B, 0xBA, 0x5E, 0x22, 0xE3, 0x3C, 0x75, 0xC3, 0x84, 0x05, + 0x55, 0x6D, 0xD6, 0x3A, 0x2D, 0x84, 0x89, 0x93, 0x33, 0xCB, + 0x38, 0xDA, 0xAA, 0x31, 0x05, 0xCD, 0xCE, 0x6C, 0x2D, 0xDD, + 0x55, 0xD3, 0x57, 0x0B, 0xF0, 0xA5, 0x35, 0x6A, 0xB0, 0xAE, + 0x31, 0xBA, 0x43, 0x96, 0xCA, 0x00, 0xC7, 0x4B, 0xE3, 0x19, + 0x12, 0x43, 0xD3, 0x42, 0xFA, 0x6F, 0xEA, 0x80, 0xC0, 0xD1, + 0x02, 0x81, 0x81, 0x00, 0xB9, 0xDB, 0x89, 0x20, 0x34, 0x27, + 0x70, 0x62, 0x34, 0xEA, 0x5F, 0x25, 0x62, 0x12, 0xF3, 0x9D, + 0x81, 0xBF, 0x48, 0xEE, 0x9A, 0x0E, 0xC1, 0x8D, 0x10, 0xFF, + 0x65, 0x9A, 0x9D, 0x2D, 0x1A, 0x8A, 0x94, 0x5A, 0xC8, 0xC0, + 0xA5, 0xA5, 0x84, 0x61, 0x9E, 0xD4, 0x24, 0xB9, 0xEF, 0xA9, + 0x9D, 0xC9, 0x77, 0x0B, 0xC7, 0x70, 0x66, 0x3D, 0xBA, 0xC8, + 0x54, 0xDF, 0xD2, 0x33, 0xE1, 0xF5, 0x7F, 0xF9, 0x27, 0x61, + 0xBE, 0x57, 0x45, 0xDD, 0xB7, 0x45, 0x17, 0x24, 0xF5, 0x23, + 0xE4, 0x38, 0x0E, 0x91, 0x27, 0xEE, 0xE3, 0x20, 0xD8, 0x14, + 0xC8, 0x94, 0x47, 0x77, 0x40, 0x77, 0x45, 0x18, 0x9E, 0x0D, + 0xCE, 0x79, 0x3F, 0x57, 0x31, 0x56, 0x09, 0x49, 0x67, 0xBE, + 0x94, 0x58, 0x4F, 0xF6, 0xC4, 0xAB, 0xE2, 0x89, 0xE3, 0xE3, + 0x8A, 0xC0, 0x05, 0x55, 0x2C, 0x24, 0xC0, 0x4A, 0x97, 0x04, + 0x27, 0x9A +}; +static const int sizeof_ca_key_der_2048 = sizeof(ca_key_der_2048); + /* ./certs/ca-cert.der, 2048-bit */ static const unsigned char ca_cert_der_2048[] = { diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 77d964e88..236e4dfb7 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -90,7 +90,7 @@ enum wolfSSL_ErrorCodes { ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */ ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */ NOT_CA_ERROR = -357, /* Not a CA cert error */ - BAD_PATH_ERROR = -358, /* Bad path for opendir */ + BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */ OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */ CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */ @@ -152,6 +152,7 @@ enum wolfSSL_ErrorCodes { EXT_MASTER_SECRET_NEEDED_E = -414, /* need EMS enabled to resume */ DTLS_POOL_SZ_E = -415, /* exceeded DTLS pool size */ DECODE_E = -416, /* decode handshake message error */ + HTTP_TIMEOUT = -417, /* HTTP timeout for OCSP or CRL req */ /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */ /* begin negotiation parameter errors */ diff --git a/wolfssl/include.am b/wolfssl/include.am index 03883b086..029bc3d17 100644 --- a/wolfssl/include.am +++ b/wolfssl/include.am @@ -17,7 +17,8 @@ nobase_include_HEADERS+= \ wolfssl/test.h \ wolfssl/version.h \ wolfssl/ocsp.h \ - wolfssl/crl.h + wolfssl/crl.h \ + wolfssl/io.h noinst_HEADERS+= \ wolfssl/internal.h diff --git a/wolfssl/internal.h b/wolfssl/internal.h old mode 100644 new mode 100755 index a752edeee..23db8760f --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -140,6 +140,8 @@ #elif defined(MBED) #elif defined(WOLFSSL_TIRTOS) /* do nothing */ +#elif defined(INTIME_RTOS) + #include #else #ifndef SINGLE_THREADED #define WOLFSSL_PTHREADS @@ -187,13 +189,6 @@ #endif -#ifdef USE_WINDOWS_API - typedef unsigned int SOCKET_T; -#else - typedef int SOCKET_T; -#endif - - typedef byte word24[3]; /* Define or comment out the cipher suites you'd like to be compiled in @@ -1058,13 +1053,12 @@ enum Misc { MAX_WOLFSSL_FILE_SIZE = 1024 * 1024 * 4, /* 4 mb file size alloc limit */ -#if defined(FORTRESS) || defined (HAVE_STUNNEL) - MAX_EX_DATA = 3, /* allow for three items of ex_data */ +#if defined(HAVE_EX_DATA) || defined(FORTRESS) + MAX_EX_DATA = 5, /* allow for five items of ex_data */ #endif MAX_X509_SIZE = 2048, /* max static x509 buffer size */ CERT_MIN_SIZE = 256, /* min PEM cert size with header/footer */ - MAX_FILENAME_SZ = 256, /* max file name length */ FILE_BUFFER_SIZE = 1024, /* default static file buffer size for input, will use dynamic buffer if not big enough */ @@ -1420,11 +1414,6 @@ int SetCipherList(Suites*, const char* list); unsigned char* exportBuffer, unsigned int sz, void* userCtx); #endif -#ifdef HAVE_NETX - WOLFSSL_LOCAL int NetX_Receive(WOLFSSL *ssl, char *buf, int sz, void *ctx); - WOLFSSL_LOCAL int NetX_Send(WOLFSSL *ssl, char *buf, int sz, void *ctx); -#endif /* HAVE_NETX */ - /* wolfSSL Cipher type just points back to SSL */ struct WOLFSSL_CIPHER { @@ -1463,6 +1452,9 @@ struct WOLFSSL_OCSP { WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ OcspEntry* ocspList; /* OCSP response list */ wolfSSL_Mutex ocspLock; /* OCSP list lock */ +#ifdef WOLFSSL_NGINX + int(*statusCb)(WOLFSSL*, void*); +#endif }; #ifndef MAX_DATE_SIZE @@ -1517,6 +1509,9 @@ struct CRL_Monitor { struct WOLFSSL_CRL { WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ CRL_Entry* crlList; /* our CRL list */ +#ifdef HAVE_CRL_IO + CbCrlIO crlIOCb; +#endif wolfSSL_Mutex crlLock; /* CRL list lock */ CRL_Monitor monitors[2]; /* PEM and DER possible */ #ifdef HAVE_CRL_MONITOR @@ -1944,11 +1939,18 @@ struct WOLFSSL_CTX { DerBuffer* certificate; DerBuffer* certChain; /* chain after self, in DER, with leading size for each cert */ + #ifdef OPENSSL_EXTRA + STACK_OF(WOLFSSL_X509_NAME)* ca_names; + #endif + #ifdef WOLFSSL_NGINX + STACK_OF(WOLFSSL_X509)* x509Chain; + #endif DerBuffer* privateKey; WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ #endif #ifdef KEEP_OUR_CERT WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert */ + int ownOurCert; /* Dispose of certificate if we own */ #endif Suites* suites; /* make dynamic, user may not need/set */ void* heap; /* for user memory overrides */ @@ -1958,6 +1960,9 @@ struct WOLFSSL_CTX { byte failNoCertxPSK; /* fail if no cert with the exception of PSK*/ byte sessionCacheOff; byte sessionCacheFlushOff; +#ifdef HAVE_EXT_CACHE + byte internalCacheOff; +#endif byte sendVerify; /* for client side */ byte haveRSA; /* RSA available */ byte haveECC; /* ECC available */ @@ -1970,6 +1975,7 @@ struct WOLFSSL_CTX { byte groupMessages; /* group handshake messages before sending */ byte minDowngrade; /* minimum downgrade version */ byte haveEMS; /* have extended master secret extension */ + byte useClientOrder; /* Use client's cipher preference order */ #if defined(WOLFSSL_SCTP) && defined(WOLFSSL_DTLS) byte dtlsSctp; /* DTLS-over-SCTP mode */ word16 dtlsMtuSz; /* DTLS MTU size */ @@ -1982,6 +1988,9 @@ struct WOLFSSL_CTX { #endif #ifdef HAVE_ECC short minEccKeySz; /* minimum ECC key size */ +#endif +#ifdef OPENSSL_EXTRA + unsigned long mask; /* store SSL_OP_ flags */ #endif CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; @@ -1997,6 +2006,7 @@ struct WOLFSSL_CTX { word32 timeout; /* session timeout */ #ifdef HAVE_ECC word16 eccTempKeySz; /* in octets 20 - 66 */ + word32 ecdhCurveOID; /* curve Ecc_Sum */ word32 pkCurveOID; /* curve Ecc_Sum */ #endif #ifndef NO_PSK @@ -2015,8 +2025,14 @@ struct WOLFSSL_CTX { byte readAhead; void* userPRFArg; /* passed to prf callback */ #endif /* OPENSSL_EXTRA */ -#ifdef HAVE_STUNNEL +#ifdef HAVE_EX_DATA void* ex_data[MAX_EX_DATA]; +#endif +#if defined(HAVE_ALPN) && defined(WOLFSSL_NGINX) + CallbackALPNSelect alpnSelect; + void* alpnSelectArg; +#endif +#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) CallbackSniRecv sniRecvCb; void* sniRecvCbArg; #endif @@ -2064,6 +2080,11 @@ struct WOLFSSL_CTX { #ifdef HAVE_WOLF_EVENT WOLF_EVENT_QUEUE event_queue; #endif /* HAVE_WOLF_EVENT */ +#ifdef HAVE_EXT_CACHE + WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, unsigned char*, int, int*); + int (*new_sess_cb)(WOLFSSL*, WOLFSSL_SESSION*); + void (*rem_sess_cb)(WOLFSSL_CTX*, WOLFSSL_SESSION*); +#endif }; @@ -2261,30 +2282,33 @@ struct WOLFSSL_X509_CHAIN { /* wolfSSL session type */ struct WOLFSSL_SESSION { - word32 bornOn; /* create time in seconds */ - word32 timeout; /* timeout in seconds */ - byte sessionID[ID_LEN]; /* id for protocol */ - byte sessionIDSz; - byte masterSecret[SECRET_LEN]; /* stored secret */ - word16 haveEMS; /* ext master secret flag */ + word32 bornOn; /* create time in seconds */ + word32 timeout; /* timeout in seconds */ + byte sessionID[ID_LEN]; /* id for protocol */ + byte sessionIDSz; + byte masterSecret[SECRET_LEN]; /* stored secret */ + word16 haveEMS; /* ext master secret flag */ #ifdef SESSION_CERTS - WOLFSSL_X509_CHAIN chain; /* peer cert chain, static */ - ProtocolVersion version; /* which version was used */ - byte cipherSuite0; /* first byte, normally 0 */ - byte cipherSuite; /* 2nd byte, actual suite */ + WOLFSSL_X509_CHAIN chain; /* peer cert chain, static */ + ProtocolVersion version; /* which version was used */ + byte cipherSuite0; /* first byte, normally 0 */ + byte cipherSuite; /* 2nd byte, actual suite */ #endif #ifndef NO_CLIENT_CACHE - word16 idLen; /* serverID length */ - byte serverID[SERVER_ID_LEN]; /* for easier client lookup */ + word16 idLen; /* serverID length */ + byte serverID[SERVER_ID_LEN]; /* for easier client lookup */ #endif #ifdef HAVE_SESSION_TICKET - byte* ticket; - word16 ticketLen; - byte staticTicket[SESSION_TICKET_LEN]; - byte isDynamic; + byte* ticket; + word16 ticketLen; + byte staticTicket[SESSION_TICKET_LEN]; + byte isDynamic; #endif -#ifdef HAVE_STUNNEL - void* ex_data[MAX_EX_DATA]; +#ifdef HAVE_EXT_CACHE + byte isAlloced; +#endif +#ifdef HAVE_EX_DATA + void* ex_data[MAX_EX_DATA]; #endif }; @@ -2402,6 +2426,9 @@ typedef struct Options { word16 sendVerify:2; /* false = 0, true = 1, sendBlank = 2 */ word16 sessionCacheOff:1; word16 sessionCacheFlushOff:1; +#ifdef HAVE_EXT_CACHE + word16 internalCacheOff:1; +#endif word16 side:1; /* client or server end */ word16 verifyPeer:1; word16 verifyNone:1; @@ -2459,6 +2486,8 @@ typedef struct Options { #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SUPPORTED_CURVES) word16 userCurves:1; /* indicates user called wolfSSL_UseSupportedCurve */ #endif + word16 keepResources:1; /* Keep resources after handshake */ + word16 useClientOrder:1; /* Use client's cipher order */ /* need full byte values for this section */ byte processReply; /* nonblocking resume */ @@ -2522,9 +2551,11 @@ struct WOLFSSL_STACK { unsigned long num; /* number of nodes in stack * (saftey measure for freeing and shortcut for count) */ union { - WOLFSSL_X509* x509; - WOLFSSL_BIO* bio; + WOLFSSL_X509* x509; + WOLFSSL_X509_NAME* name; + WOLFSSL_BIO* bio; WOLFSSL_ASN1_OBJECT* obj; + char* string; } data; WOLFSSL_STACK* next; }; @@ -2593,6 +2624,9 @@ struct WOLFSSL_X509 { int certPoliciesNb; #endif /* WOLFSSL_CERT_EXT */ #ifdef OPENSSL_EXTRA +#ifdef HAVE_EX_DATA + void* ex_data[MAX_EX_DATA]; +#endif word32 pathLength; word16 keyUsage; byte CRLdistSet; @@ -2752,6 +2786,9 @@ struct WOLFSSL { Ciphers decrypt; Buffers buffers; WOLFSSL_SESSION session; +#ifdef HAVE_EXT_CACHE + WOLFSSL_SESSION* extSession; +#endif WOLFSSL_ALERT_HISTORY alert_history; int error; int rfd; /* read file descriptor */ @@ -2803,6 +2840,7 @@ struct WOLFSSL { ecc_key* peerEccDsaKey; /* peer's ECDSA key */ ecc_key* eccTempKey; /* private ECDHE key */ word32 pkCurveOID; /* curve Ecc_Sum */ + word32 ecdhCurveOID; /* curve Ecc_Sum */ word16 eccTempKeySz; /* in octets 20 - 66 */ byte peerEccKeyPresent; byte peerEccDsaKeyPresent; @@ -2847,8 +2885,8 @@ struct WOLFSSL { flag found in buffers.weOwnCert) */ #endif byte keepCert; /* keep certificate after handshake */ -#if defined(FORTRESS) || defined(HAVE_STUNNEL) - void* ex_data[MAX_EX_DATA]; /* external data, for Fortress */ +#if defined(HAVE_EX_DATA) || defined(FORTRESS) + void* ex_data[MAX_EX_DATA]; /* external data, for Fortress */ #endif int devId; /* async device id to use */ #ifdef HAVE_ONE_TIME_AUTH @@ -2874,6 +2912,10 @@ struct WOLFSSL { #endif /* user turned on */ #ifdef HAVE_ALPN char* alpn_client_list; /* keep the client's list */ + #ifdef WOLFSSL_NGINX + CallbackALPNSelect alpnSelect; + void* alpnSelectArg; + #endif #endif /* of accepted protocols */ #if !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_SESSION_TICKET) CallbackSessionTicket session_ticket_cb; @@ -2881,6 +2923,13 @@ struct WOLFSSL { byte expect_session_ticket; #endif #endif /* HAVE_TLS_EXTENSIONS */ +#ifdef OPENSSL_EXTRA + byte* ocspResp; + int ocspRespSz; +#ifdef WOLFSSL_NGINX + char* url; +#endif +#endif #ifdef HAVE_NETX NetX_Ctx nxCtx; /* NetX IO Context */ #endif @@ -2957,6 +3006,11 @@ typedef struct EncryptedInfo { WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, WOLFSSL* ssl, int userChain, WOLFSSL_CRL* crl); + + #ifdef OPENSSL_EXTRA + WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, char *domainName, + size_t domainNameLen); + #endif #endif diff --git a/wolfssl/io.h b/wolfssl/io.h new file mode 100644 index 000000000..c036a8327 --- /dev/null +++ b/wolfssl/io.h @@ -0,0 +1,402 @@ +/* io.h + * + * Copyright (C) 2006-2016 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + +#ifndef WOLFSSL_IO_H +#define WOLFSSL_IO_H + +#ifdef __cplusplus + extern "C" { +#endif + +/* OCSP and CRL_IO require HTTP client */ +#if defined(HAVE_OCSP) || defined(HAVE_CRL_IO) + #ifndef HAVE_HTTP_CLIENT + #define HAVE_HTTP_CLIENT + #endif +#endif + +#if !defined(WOLFSSL_USER_IO) + #ifndef USE_WOLFSSL_IO + #define USE_WOLFSSL_IO + #endif +#endif + + +#if defined(USE_WOLFSSL_IO) || defined(HAVE_HTTP_CLIENT) + +#ifdef HAVE_LIBZ + #include "zlib.h" +#endif + +#ifndef USE_WINDOWS_API + #ifdef WOLFSSL_LWIP + /* lwIP needs to be configured to use sockets API in this mode */ + /* LWIP_SOCKET 1 in lwip/opt.h or in build */ + #include "lwip/sockets.h" + #include + #ifndef LWIP_PROVIDE_ERRNO + #define LWIP_PROVIDE_ERRNO 1 + #endif + #elif defined(FREESCALE_MQX) + #include + #include + #elif defined(FREESCALE_KSDK_MQX) + #include + #elif defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) + #if !defined(WOLFSSL_MDK_ARM) + #include "cmsis_os.h" + #include "rl_net.h" + #else + #include + #endif + #include "errno.h" + #define SOCKET_T int + #elif defined(WOLFSSL_TIRTOS) + #include + #elif defined(FREERTOS_TCP) + #include "FreeRTOS_Sockets.h" + #elif defined(WOLFSSL_IAR_ARM) + /* nothing */ + #elif defined(WOLFSSL_VXWORKS) + #include + #include + #elif defined(WOLFSSL_ATMEL) + #include "socket/include/socket.h" + #elif defined(INTIME_RTOS) + #undef MIN + #undef MAX + #include + #include + #include + #include + #include + #include + #elif !defined(WOLFSSL_NO_SOCK) + #include + #include + #ifndef EBSNET + #include + #endif + #include + + #if defined(HAVE_RTP_SYS) + #include + #elif defined(EBSNET) + #include "rtipapi.h" /* errno */ + #include "socket.h" + #elif !defined(DEVKITPRO) && !defined(WOLFSSL_PICOTCP) + #include + #include + #include + #include + #ifdef __PPU + #include + #else + #include + #endif + #endif + #endif +#endif /* USE_WINDOWS_API */ + +#ifdef __sun + #include +#endif + +#ifdef USE_WINDOWS_API + /* no epipe yet */ + #ifndef WSAEPIPE + #define WSAEPIPE -12345 + #endif + #define SOCKET_EWOULDBLOCK WSAEWOULDBLOCK + #define SOCKET_EAGAIN WSAETIMEDOUT + #define SOCKET_ECONNRESET WSAECONNRESET + #define SOCKET_EINTR WSAEINTR + #define SOCKET_EPIPE WSAEPIPE + #define SOCKET_ECONNREFUSED WSAENOTCONN + #define SOCKET_ECONNABORTED WSAECONNABORTED + #define close(s) closesocket(s) +#elif defined(__PPU) + #define SOCKET_EWOULDBLOCK SYS_NET_EWOULDBLOCK + #define SOCKET_EAGAIN SYS_NET_EAGAIN + #define SOCKET_ECONNRESET SYS_NET_ECONNRESET + #define SOCKET_EINTR SYS_NET_EINTR + #define SOCKET_EPIPE SYS_NET_EPIPE + #define SOCKET_ECONNREFUSED SYS_NET_ECONNREFUSED + #define SOCKET_ECONNABORTED SYS_NET_ECONNABORTED +#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) + #if MQX_USE_IO_OLD + /* RTCS old I/O doesn't have an EWOULDBLOCK */ + #define SOCKET_EWOULDBLOCK EAGAIN + #define SOCKET_EAGAIN EAGAIN + #define SOCKET_ECONNRESET RTCSERR_TCP_CONN_RESET + #define SOCKET_EINTR EINTR + #define SOCKET_EPIPE EPIPE + #define SOCKET_ECONNREFUSED RTCSERR_TCP_CONN_REFUSED + #define SOCKET_ECONNABORTED RTCSERR_TCP_CONN_ABORTED + #else + #define SOCKET_EWOULDBLOCK NIO_EWOULDBLOCK + #define SOCKET_EAGAIN NIO_EAGAIN + #define SOCKET_ECONNRESET NIO_ECONNRESET + #define SOCKET_EINTR NIO_EINTR + #define SOCKET_EPIPE NIO_EPIPE + #define SOCKET_ECONNREFUSED NIO_ECONNREFUSED + #define SOCKET_ECONNABORTED NIO_ECONNABORTED + #endif +#elif defined(WOLFSSL_MDK_ARM)|| defined(WOLFSSL_KEIL_TCP_NET) + #if !defined(WOLFSSL_MDK_ARM) + #define SOCKET_EWOULDBLOCK BSD_ERROR_WOULDBLOCK + #define SOCKET_EAGAIN BSD_ERROR_LOCKED + #define SOCKET_ECONNRESET BSD_ERROR_CLOSED + #define SOCKET_EINTR BSD_ERROR + #define SOCKET_EPIPE BSD_ERROR + #define SOCKET_ECONNREFUSED BSD_ERROR + #define SOCKET_ECONNABORTED BSD_ERROR + #else + #define SOCKET_EWOULDBLOCK SCK_EWOULDBLOCK + #define SOCKET_EAGAIN SCK_ELOCKED + #define SOCKET_ECONNRESET SCK_ECLOSED + #define SOCKET_EINTR SCK_ERROR + #define SOCKET_EPIPE SCK_ERROR + #define SOCKET_ECONNREFUSED SCK_ERROR + #define SOCKET_ECONNABORTED SCK_ERROR + #endif +#elif defined(WOLFSSL_PICOTCP) + #define SOCKET_EWOULDBLOCK PICO_ERR_EAGAIN + #define SOCKET_EAGAIN PICO_ERR_EAGAIN + #define SOCKET_ECONNRESET PICO_ERR_ECONNRESET + #define SOCKET_EINTR PICO_ERR_EINTR + #define SOCKET_EPIPE PICO_ERR_EIO + #define SOCKET_ECONNREFUSED PICO_ERR_ECONNREFUSED + #define SOCKET_ECONNABORTED PICO_ERR_ESHUTDOWN +#elif defined(FREERTOS_TCP) + #define SOCKET_EWOULDBLOCK FREERTOS_EWOULDBLOCK + #define SOCKET_EAGAIN FREERTOS_EWOULDBLOCK + #define SOCKET_ECONNRESET FREERTOS_SOCKET_ERROR + #define SOCKET_EINTR FREERTOS_SOCKET_ERROR + #define SOCKET_EPIPE FREERTOS_SOCKET_ERROR + #define SOCKET_ECONNREFUSED FREERTOS_SOCKET_ERROR + #define SOCKET_ECONNABORTED FREERTOS_SOCKET_ERROR +#else + #define SOCKET_EWOULDBLOCK EWOULDBLOCK + #define SOCKET_EAGAIN EAGAIN + #define SOCKET_ECONNRESET ECONNRESET + #define SOCKET_EINTR EINTR + #define SOCKET_EPIPE EPIPE + #define SOCKET_ECONNREFUSED ECONNREFUSED + #define SOCKET_ECONNABORTED ECONNABORTED +#endif /* USE_WINDOWS_API */ + + +#ifdef DEVKITPRO + /* from network.h */ + int net_send(int, const void*, int, unsigned int); + int net_recv(int, void*, int, unsigned int); + #define SEND_FUNCTION net_send + #define RECV_FUNCTION net_recv +#elif defined(WOLFSSL_LWIP) + #define SEND_FUNCTION lwip_send + #define RECV_FUNCTION lwip_recv +#elif defined(WOLFSSL_PICOTCP) + #define SEND_FUNCTION pico_send + #define RECV_FUNCTION pico_recv +#elif defined(FREERTOS_TCP) + #define RECV_FUNCTION(a,b,c,d) FreeRTOS_recv((Socket_t)(a),(void*)(b), (size_t)(c), (BaseType_t)(d)) + #define SEND_FUNCTION(a,b,c,d) FreeRTOS_send((Socket_t)(a),(void*)(b), (size_t)(c), (BaseType_t)(d)) +#else + #define SEND_FUNCTION send + #define RECV_FUNCTION recv + #if !defined(HAVE_SOCKADDR) && !defined(WOLFSSL_NO_SOCK) + #define HAVE_SOCKADDR + #endif +#endif + +#ifdef USE_WINDOWS_API + typedef unsigned int SOCKET_T; +#else + typedef int SOCKET_T; +#endif + +#ifndef WOLFSSL_NO_SOCK + #ifndef XSOCKLENT + #ifdef USE_WINDOWS_API + #define XSOCKLENT int + #else + #define XSOCKLENT socklen_t + #endif + #endif + + /* Socket Addr Support */ + #ifdef HAVE_SOCKADDR + typedef struct sockaddr SOCKADDR; + typedef struct sockaddr_storage SOCKADDR_S; + typedef struct sockaddr_in SOCKADDR_IN; + #ifdef WOLFSSL_IPV6 + typedef struct sockaddr_in6 SOCKADDR_IN6; + #endif + typedef struct hostent HOSTENT; + #endif /* HAVE_SOCKADDR */ + + #ifdef HAVE_GETADDRINFO + typedef struct addrinfo ADDRINFO; + #endif +#endif /* WOLFSSL_NO_SOCK */ + + +/* IO API's */ +#ifdef HAVE_IO_TIMEOUT + WOLFSSL_API int wolfIO_SetBlockingMode(SOCKET_T sockfd, int non_blocking); + WOLFSSL_API void wolfIO_SetTimeout(int to_sec);; + WOLFSSL_API int wolfIO_Select(SOCKET_T sockfd, int to_sec); +#endif +WOLFSSL_API int wolfIO_TcpConnect(SOCKET_T* sockfd, const char* ip, + unsigned short port, int to_sec); +WOLFSSL_API int wolfIO_Send(SOCKET_T sd, char *buf, int sz, int wrFlags); +WOLFSSL_API int wolfIO_Recv(SOCKET_T sd, char *buf, int sz, int rdFlags); + +#endif /* USE_WOLFSSL_IO || HAVE_HTTP_CLIENT */ + + +#if defined(USE_WOLFSSL_IO) + /* default IO callbacks */ + WOLFSSL_API int EmbedReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx); + WOLFSSL_API int EmbedSend(WOLFSSL* ssl, char* buf, int sz, void* ctx); + + #ifdef WOLFSSL_DTLS + WOLFSSL_API int EmbedReceiveFrom(WOLFSSL* ssl, char* buf, int sz, void*); + WOLFSSL_API int EmbedSendTo(WOLFSSL* ssl, char* buf, int sz, void* ctx); + WOLFSSL_API int EmbedGenerateCookie(WOLFSSL* ssl, unsigned char* buf, + int sz, void*); + #ifdef WOLFSSL_SESSION_EXPORT + WOLFSSL_API int EmbedGetPeer(WOLFSSL* ssl, char* ip, int* ipSz, + unsigned short* port, int* fam); + WOLFSSL_API int EmbedSetPeer(WOLFSSL* ssl, char* ip, int ipSz, + unsigned short port, int fam); + #endif /* WOLFSSL_SESSION_EXPORT */ + #endif /* WOLFSSL_DTLS */ +#endif /* USE_WOLFSSL_IO */ + +#ifdef HAVE_OCSP + WOLFSSL_API int wolfIO_HttpBuildRequestOcsp(const char* domainName, + const char* path, int ocspReqSz, unsigned char* buf, int bufSize); + WOLFSSL_API int wolfIO_HttpProcessResponseOcsp(int sfd, + unsigned char** respBuf, unsigned char* httpBuf, int httpBufSz, + void* heap); + + WOLFSSL_API int EmbedOcspLookup(void*, const char*, int, unsigned char*, + int, unsigned char**); + WOLFSSL_API void EmbedOcspRespFree(void*, unsigned char*); +#endif + +#ifdef HAVE_CRL_IO + WOLFSSL_API int wolfIO_HttpBuildRequestCrl(const char* url, int urlSz, + const char* domainName, unsigned char* buf, int bufSize); + WOLFSSL_API int wolfIO_HttpProcessResponseCrl(WOLFSSL_CRL* crl, int sfd, + unsigned char* httpBuf, int httpBufSz); + + WOLFSSL_API int EmbedCrlLookup(WOLFSSL_CRL* crl, const char* url, + int urlSz); +#endif + + +#if defined(HAVE_HTTP_CLIENT) + WOLFSSL_API int wolfIO_DecodeUrl(const char* url, int urlSz, char* outName, + char* outPath, unsigned short* outPort); + + WOLFSSL_API int wolfIO_HttpBuildRequest(const char* reqType, + const char* domainName, const char* path, int pathLen, int reqSz, + const char* contentType, unsigned char* buf, int bufSize); + WOLFSSL_API int wolfIO_HttpProcessResponse(int sfd, const char* appStr, + unsigned char** respBuf, unsigned char* httpBuf, int httpBufSz, + int dynType, void* heap); +#endif /* HAVE_HTTP_CLIENT */ + + +/* I/O callbacks */ +typedef int (*CallbackIORecv)(WOLFSSL *ssl, char *buf, int sz, void *ctx); +typedef int (*CallbackIOSend)(WOLFSSL *ssl, char *buf, int sz, void *ctx); +WOLFSSL_API void wolfSSL_SetIORecv(WOLFSSL_CTX*, CallbackIORecv); +WOLFSSL_API void wolfSSL_SetIOSend(WOLFSSL_CTX*, CallbackIOSend); + +WOLFSSL_API void wolfSSL_SetIOReadCtx( WOLFSSL* ssl, void *ctx); +WOLFSSL_API void wolfSSL_SetIOWriteCtx(WOLFSSL* ssl, void *ctx); + +WOLFSSL_API void* wolfSSL_GetIOReadCtx( WOLFSSL* ssl); +WOLFSSL_API void* wolfSSL_GetIOWriteCtx(WOLFSSL* ssl); + +WOLFSSL_API void wolfSSL_SetIOReadFlags( WOLFSSL* ssl, int flags); +WOLFSSL_API void wolfSSL_SetIOWriteFlags(WOLFSSL* ssl, int flags); + + +#ifdef HAVE_NETX + WOLFSSL_LOCAL int NetX_Receive(WOLFSSL *ssl, char *buf, int sz, void *ctx); + WOLFSSL_LOCAL int NetX_Send(WOLFSSL *ssl, char *buf, int sz, void *ctx); + + WOLFSSL_API void wolfSSL_SetIO_NetX(WOLFSSL* ssl, NX_TCP_SOCKET* nxsocket, + ULONG waitoption); +#endif /* HAVE_NETX */ + +#ifdef WOLFSSL_DTLS + typedef int (*CallbackGenCookie)(WOLFSSL* ssl, unsigned char* buf, int sz, + void* ctx); + WOLFSSL_API void wolfSSL_CTX_SetGenCookie(WOLFSSL_CTX*, CallbackGenCookie); + WOLFSSL_API void wolfSSL_SetCookieCtx(WOLFSSL* ssl, void *ctx); + WOLFSSL_API void* wolfSSL_GetCookieCtx(WOLFSSL* ssl); + + #ifdef WOLFSSL_SESSION_EXPORT + typedef int (*CallbackGetPeer)(WOLFSSL* ssl, char* ip, int* ipSz, + unsigned short* port, int* fam); + typedef int (*CallbackSetPeer)(WOLFSSL* ssl, char* ip, int ipSz, + unsigned short port, int fam); + + WOLFSSL_API void wolfSSL_CTX_SetIOGetPeer(WOLFSSL_CTX*, CallbackGetPeer); + WOLFSSL_API void wolfSSL_CTX_SetIOSetPeer(WOLFSSL_CTX*, CallbackSetPeer); + #endif /* WOLFSSL_SESSION_EXPORT */ +#endif + + + +#ifndef XINET_NTOP + #define XINET_NTOP(a,b,c,d) inet_ntop((a),(b),(c),(d)) +#endif +#ifndef XINET_PTON + #define XINET_PTON(a,b,c) inet_pton((a),(b),(c)) +#endif +#ifndef XHTONS + #define XHTONS(a) htons((a)) +#endif +#ifndef XNTOHS + #define XNTOHS(a) ntohs((a)) +#endif + +#ifndef WOLFSSL_IP4 + #define WOLFSSL_IP4 AF_INET +#endif +#ifndef WOLFSSL_IP6 + #define WOLFSSL_IP6 AF_INET6 +#endif + + +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* WOLFSSL_IO_H */ diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h index 5331245c9..03d50fb92 100644 --- a/wolfssl/ocsp.h +++ b/wolfssl/ocsp.h @@ -37,6 +37,14 @@ typedef struct WOLFSSL_OCSP WOLFSSL_OCSP; +#ifdef WOLFSSL_NGINX +typedef struct OcspResponse WOLFSSL_OCSP_BASICRESP; + +typedef struct OcspRequest WOLFSSL_OCSP_CERTID; + +typedef struct OcspRequest WOLFSSL_OCSP_ONEREQ; +#endif + WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*); WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic); @@ -45,6 +53,48 @@ WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*, WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, WOLFSSL_BUFFER_INFO* responseBuffer); + +#ifdef WOLFSSL_NGINX + +WOLFSSL_API int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs, + WOLFSSL_OCSP_CERTID* id, int* status, int* reason, + WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd, + WOLFSSL_ASN1_TIME** nextupd); +WOLFSSL_API const char *wolfSSL_OCSP_cert_status_str(long s); +WOLFSSL_API int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd, + WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec); + +WOLFSSL_API void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId); +WOLFSSL_API WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( + const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject, + const WOLFSSL_X509 *issuer); + +WOLFSSL_API void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse); +WOLFSSL_API int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, + STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags); + +WOLFSSL_API void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response); +WOLFSSL_API OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio, + OcspResponse** response); +WOLFSSL_API OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, + const unsigned char** data, int len); +WOLFSSL_API int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response, + unsigned char** data); +WOLFSSL_API int wolfSSL_OCSP_response_status(OcspResponse *response); +WOLFSSL_API const char *wolfSSL_OCSP_response_status_str(long s); +WOLFSSL_API WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic( + OcspResponse* response); + +WOLFSSL_API OcspRequest* wolfSSL_OCSP_REQUEST_new(void); +WOLFSSL_API void wolfSSL_OCSP_REQUEST_free(OcspRequest* request); +WOLFSSL_API int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, + unsigned char** data); +WOLFSSL_API WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req, + WOLFSSL_OCSP_CERTID *cid); + +#endif + + #ifdef __cplusplus } /* extern "C" */ #endif diff --git a/wolfssl/openssl/crypto.h b/wolfssl/openssl/crypto.h index 7032c24df..04afe897a 100644 --- a/wolfssl/openssl/crypto.h +++ b/wolfssl/openssl/crypto.h @@ -3,6 +3,7 @@ #ifndef WOLFSSL_CRYPTO_H_ #define WOLFSSL_CRYPTO_H_ +#include #include @@ -23,7 +24,7 @@ WOLFSSL_API unsigned long wolfSSLeay(void); #define SSLEAY_VERSION 0x0090600fL #define SSLEAY_VERSION_NUMBER SSLEAY_VERSION -#ifdef HAVE_STUNNEL +#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) #define CRYPTO_set_mem_ex_functions wolfSSL_CRYPTO_set_mem_ex_functions #define FIPS_mode wolfSSL_FIPS_mode #define FIPS_mode_set wolfSSL_FIPS_mode_set @@ -41,7 +42,9 @@ typedef void (CRYPTO_free_func)(void*parent, void*ptr, CRYPTO_EX_DATA *ad, int i #define CRYPTO_THREAD_r_lock wc_LockMutex #define CRYPTO_THREAD_unlock wc_UnLockMutex -#endif /* HAVE_STUNNEL */ +#define OPENSSL_malloc(a) XMALLOC(a, NULL, DYNAMIC_TYPE_OPENSSL) + +#endif /* HAVE_STUNNEL || WOLFSSL_NGINX */ #endif /* header */ diff --git a/wolfssl/openssl/dsa.h b/wolfssl/openssl/dsa.h index 98048bd9c..a4c4a5f54 100644 --- a/wolfssl/openssl/dsa.h +++ b/wolfssl/openssl/dsa.h @@ -4,13 +4,19 @@ #ifndef WOLFSSL_DSA_H_ #define WOLFSSL_DSA_H_ -#include #include #ifdef __cplusplus extern "C" { #endif +#ifndef WOLFSSL_DSA_TYPE_DEFINED /* guard on redeclaration */ +typedef struct WOLFSSL_DSA WOLFSSL_DSA; +#define WOLFSSL_DSA_TYPE_DEFINED +#endif + +typedef WOLFSSL_DSA DSA; + struct WOLFSSL_DSA { WOLFSSL_BIGNUM* p; WOLFSSL_BIGNUM* q; diff --git a/wolfssl/openssl/ec.h b/wolfssl/openssl/ec.h index 27fa7a600..9802c3db3 100644 --- a/wolfssl/openssl/ec.h +++ b/wolfssl/openssl/ec.h @@ -3,7 +3,6 @@ #ifndef WOLFSSL_EC_H_ #define WOLFSSL_EC_H_ -#include #include #include @@ -44,6 +43,17 @@ enum { OPENSSL_EC_NAMED_CURVE = 0x001 }; +#ifndef WOLFSSL_EC_TYPE_DEFINED /* guard on redeclaration */ +typedef struct WOLFSSL_EC_KEY WOLFSSL_EC_KEY; +typedef struct WOLFSSL_EC_POINT WOLFSSL_EC_POINT; +typedef struct WOLFSSL_EC_GROUP WOLFSSL_EC_GROUP; +#define WOLFSSL_EC_TYPE_DEFINED +#endif + +typedef WOLFSSL_EC_KEY EC_KEY; +typedef WOLFSSL_EC_GROUP EC_GROUP; +typedef WOLFSSL_EC_POINT EC_POINT; + struct WOLFSSL_EC_POINT { WOLFSSL_BIGNUM *X; WOLFSSL_BIGNUM *Y; @@ -57,6 +67,7 @@ struct WOLFSSL_EC_POINT { struct WOLFSSL_EC_GROUP { int curve_idx; /* index of curve, used by WolfSSL as reference */ int curve_nid; /* NID of curve, used by OpenSSL/OpenSSH as reference */ + int curve_oid; /* OID of curve, used by OpenSSL/OpenSSH as reference */ }; struct WOLFSSL_EC_KEY { diff --git a/wolfssl/openssl/ecdsa.h b/wolfssl/openssl/ecdsa.h index a92841fff..a56d26d3a 100644 --- a/wolfssl/openssl/ecdsa.h +++ b/wolfssl/openssl/ecdsa.h @@ -3,7 +3,6 @@ #ifndef WOLFSSL_ECDSA_H_ #define WOLFSSL_ECDSA_H_ -#include #include @@ -11,6 +10,13 @@ extern "C" { #endif +#ifndef WOLFSSL_ECDSA_TYPE_DEFINED /* guard on redeclaration */ +typedef struct WOLFSSL_ECDSA_SIG WOLFSSL_ECDSA_SIG; +#define WOLFSSL_ECDSA_TYPE_DEFINED +#endif + +typedef WOLFSSL_ECDSA_SIG ECDSA_SIG; + struct WOLFSSL_ECDSA_SIG { WOLFSSL_BIGNUM *r; WOLFSSL_BIGNUM *s; diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 086e82c4c..bdd01b733 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -56,6 +56,7 @@ #endif typedef char WOLFSSL_EVP_CIPHER; +typedef char WOLFSSL_EVP_MD; #ifndef NO_MD5 WOLFSSL_API const WOLFSSL_EVP_MD* wolfSSL_EVP_md5(void); @@ -173,6 +174,24 @@ typedef struct WOLFSSL_EVP_CIPHER_CTX { int lastUsed; } WOLFSSL_EVP_CIPHER_CTX; + +#ifndef WOLFSSL_EVP_PKEY_TYPE_DEFINED /* guard on redeclaration */ +typedef struct WOLFSSL_EVP_PKEY WOLFSSL_EVP_PKEY; +#define WOLFSSL_EVP_PKEY_TYPE_DEFINED +#endif + +struct WOLFSSL_EVP_PKEY { + int type; /* openssh dereference */ + int save_type; /* openssh dereference */ + int pkey_sz; + union { + char* ptr; /* der format of key / or raw for NTRU */ + } pkey; + #ifdef HAVE_ECC + int pkey_curve; + #endif +}; + typedef int WOLFSSL_ENGINE ; typedef WOLFSSL_ENGINE ENGINE; @@ -210,6 +229,7 @@ WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_init(WOLFSSL_EVP_CIPHER_CTX* ctx); WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_cleanup(WOLFSSL_EVP_CIPHER_CTX* ctx); WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_iv_length(const WOLFSSL_EVP_CIPHER_CTX*); +WOLFSSL_API int wolfSSL_EVP_CIPHER_iv_length(const WOLFSSL_EVP_CIPHER*); WOLFSSL_API int wolfSSL_EVP_CipherInit(WOLFSSL_EVP_CIPHER_CTX* ctx, @@ -370,6 +390,8 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX; #define EVP_CIPHER_CTX_set_key_length wolfSSL_EVP_CIPHER_CTX_set_key_length #define EVP_CIPHER_CTX_mode wolfSSL_EVP_CIPHER_CTX_mode +#define EVP_CIPHER_iv_length wolfSSL_EVP_CIPHER_iv_length + #define EVP_CipherInit wolfSSL_EVP_CipherInit #define EVP_CipherInit_ex wolfSSL_EVP_CipherInit_ex #define EVP_EncryptInit wolfSSL_EVP_EncryptInit diff --git a/wolfssl/openssl/hmac.h b/wolfssl/openssl/hmac.h index 76d2481bf..3cf92fe1c 100644 --- a/wolfssl/openssl/hmac.h +++ b/wolfssl/openssl/hmac.h @@ -57,6 +57,8 @@ typedef struct WOLFSSL_HMAC_CTX { WOLFSSL_API void wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen, const EVP_MD* type); +WOLFSSL_API int wolfSSL_HMAC_Init_ex(WOLFSSL_HMAC_CTX* ctx, const void* key, + int len, const EVP_MD* md, void* impl); WOLFSSL_API void wolfSSL_HMAC_Update(WOLFSSL_HMAC_CTX* ctx, const unsigned char* data, int len); WOLFSSL_API void wolfSSL_HMAC_Final(WOLFSSL_HMAC_CTX* ctx, unsigned char* hash, @@ -69,6 +71,7 @@ typedef struct WOLFSSL_HMAC_CTX HMAC_CTX; #define HMAC(a,b,c,d,e,f,g) wolfSSL_HMAC((a),(b),(c),(d),(e),(f),(g)) #define HMAC_Init wolfSSL_HMAC_Init +#define HMAC_Init_ex wolfSSL_HMAC_Init_ex #define HMAC_Update wolfSSL_HMAC_Update #define HMAC_Final wolfSSL_HMAC_Final #define HMAC_cleanup wolfSSL_HMAC_cleanup diff --git a/wolfssl/openssl/include.am b/wolfssl/openssl/include.am index d6d743835..e4dcdf80a 100644 --- a/wolfssl/openssl/include.am +++ b/wolfssl/openssl/include.am @@ -33,6 +33,7 @@ nobase_include_HEADERS+= \ wolfssl/openssl/rand.h \ wolfssl/openssl/rsa.h \ wolfssl/openssl/sha.h \ + wolfssl/openssl/ssl23.h \ wolfssl/openssl/ssl.h \ wolfssl/openssl/stack.h \ wolfssl/openssl/ui.h \ diff --git a/wolfssl/openssl/ocsp.h b/wolfssl/openssl/ocsp.h index 7463eec96..98f2c9c81 100644 --- a/wolfssl/openssl/ocsp.h +++ b/wolfssl/openssl/ocsp.h @@ -1 +1,44 @@ /* ocsp.h for libcurl */ + +#ifndef WOLFSSL_OCSP_H_ +#define WOLFSSL_OCSP_H_ + +#ifdef HAVE_OCSP +#include + +#define OCSP_REQUEST OcspRequest +#define OCSP_RESPONSE OcspResponse +#define OCSP_BASICRESP WOLFSSL_OCSP_BASICRESP +#define OCSP_CERTID WOLFSSL_OCSP_CERTID +#define OCSP_ONEREQ WOLFSSL_OCSP_ONEREQ + +#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 +#define V_OCSP_CERTSTATUS_GOOD 0 + +#define OCSP_resp_find_status wolfSSL_OCSP_resp_find_status +#define OCSP_cert_status_str wolfSSL_OCSP_cert_status_str +#define OCSP_check_validity wolfSSL_OCSP_check_validity + +#define OCSP_CERTID_free wolfSSL_OCSP_CERTID_free +#define OCSP_cert_to_id wolfSSL_OCSP_cert_to_id + +#define OCSP_BASICRESP_free wolfSSL_OCSP_BASICRESP_free +#define OCSP_basic_verify wolfSSL_OCSP_basic_verify + +#define OCSP_RESPONSE_free wolfSSL_OCSP_RESPONSE_free +#define d2i_OCSP_RESPONSE_bio wolfSSL_d2i_OCSP_RESPONSE_bio +#define d2i_OCSP_RESPONSE wolfSSL_d2i_OCSP_RESPONSE +#define i2d_OCSP_RESPONSE wolfSSL_i2d_OCSP_RESPONSE +#define OCSP_response_status wolfSSL_OCSP_response_status +#define OCSP_response_status_str wolfSSL_OCSP_response_status_str +#define OCSP_response_get1_basic wolfSSL_OCSP_response_get1_basic + +#define OCSP_REQUEST_new wolfSSL_OCSP_REQUEST_new +#define OCSP_REQUEST_free wolfSSL_OCSP_REQUEST_free +#define i2d_OCSP_REQUEST wolfSSL_i2d_OCSP_REQUEST +#define OCSP_request_add0_id wolfSSL_OCSP_request_add0_id + +#endif /* HAVE_OCSP */ + +#endif /* WOLFSSL_OCSP_H_ */ + diff --git a/wolfssl/openssl/opensslv.h b/wolfssl/openssl/opensslv.h index 48955f9ec..80f9a799c 100644 --- a/wolfssl/openssl/opensslv.h +++ b/wolfssl/openssl/opensslv.h @@ -5,7 +5,7 @@ /* api version compatibility */ -#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) +#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) || defined(WOLFSSL_NGINX) /* version number can be increased for Lighty after compatibility for ECDH is added */ #define OPENSSL_VERSION_NUMBER 0x10001000L diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h index 210a24e4c..7c8d4e63e 100644 --- a/wolfssl/openssl/rsa.h +++ b/wolfssl/openssl/rsa.h @@ -4,7 +4,6 @@ #ifndef WOLFSSL_RSA_H_ #define WOLFSSL_RSA_H_ -#include #include @@ -24,6 +23,13 @@ enum { NID_sha512 = 674 }; +#ifndef WOLFSSL_RSA_TYPE_DEFINED /* guard on redeclaration */ +typedef struct WOLFSSL_RSA WOLFSSL_RSA; +#define WOLFSSL_RSA_TYPE_DEFINED +#endif + +typedef WOLFSSL_RSA RSA; + struct WOLFSSL_RSA { WOLFSSL_BIGNUM* n; WOLFSSL_BIGNUM* e; diff --git a/wolfssl/openssl/sha.h b/wolfssl/openssl/sha.h index 632862089..d9e168129 100644 --- a/wolfssl/openssl/sha.h +++ b/wolfssl/openssl/sha.h @@ -5,6 +5,7 @@ #define WOLFSSL_SHA_H_ #include +#include #ifdef WOLFSSL_PREFIX #include "prefix_sha.h" diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 6e63fed55..60b1ea647 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -32,6 +32,8 @@ /* wolfssl_openssl compatibility layer */ #include +#include + #ifdef __cplusplus extern "C" { #endif @@ -61,39 +63,34 @@ typedef WOLFSSL_X509_CHAIN X509_CHAIN; #define WOLFSSL_TYPES_DEFINED -typedef WOLFSSL_EVP_PKEY EVP_PKEY; -typedef WOLFSSL_RSA RSA; -typedef WOLFSSL_DSA DSA; -typedef WOLFSSL_EC_KEY EC_KEY; -typedef WOLFSSL_EC_GROUP EC_GROUP; -typedef WOLFSSL_EC_POINT EC_POINT; -typedef WOLFSSL_ECDSA_SIG ECDSA_SIG; -typedef WOLFSSL_BIO BIO; -typedef WOLFSSL_BIO_METHOD BIO_METHOD; -typedef WOLFSSL_CIPHER SSL_CIPHER; -typedef WOLFSSL_X509_LOOKUP X509_LOOKUP; -typedef WOLFSSL_X509_LOOKUP_METHOD X509_LOOKUP_METHOD; -typedef WOLFSSL_X509_CRL X509_CRL; -typedef WOLFSSL_X509_EXTENSION X509_EXTENSION; -typedef WOLFSSL_ASN1_TIME ASN1_TIME; -typedef WOLFSSL_ASN1_INTEGER ASN1_INTEGER; -typedef WOLFSSL_ASN1_OBJECT ASN1_OBJECT; -typedef WOLFSSL_ASN1_STRING ASN1_STRING; -typedef WOLFSSL_dynlock_value CRYPTO_dynlock_value; -typedef WOLFSSL_BUF_MEM BUF_MEM; +typedef WOLFSSL_EVP_PKEY EVP_PKEY; +typedef WOLFSSL_BIO BIO; +typedef WOLFSSL_BIO_METHOD BIO_METHOD; +typedef WOLFSSL_CIPHER SSL_CIPHER; +typedef WOLFSSL_X509_LOOKUP X509_LOOKUP; +typedef WOLFSSL_X509_LOOKUP_METHOD X509_LOOKUP_METHOD; +typedef WOLFSSL_X509_CRL X509_CRL; +typedef WOLFSSL_X509_EXTENSION X509_EXTENSION; +typedef WOLFSSL_ASN1_TIME ASN1_TIME; +typedef WOLFSSL_ASN1_INTEGER ASN1_INTEGER; +typedef WOLFSSL_ASN1_OBJECT ASN1_OBJECT; +typedef WOLFSSL_ASN1_STRING ASN1_STRING; +typedef WOLFSSL_dynlock_value CRYPTO_dynlock_value; +typedef WOLFSSL_BUF_MEM BUF_MEM; /* GENERAL_NAME and BASIC_CONSTRAINTS structs may need implemented as * compatibility layer expands. For now treating them as an ASN1_OBJECT */ typedef WOLFSSL_ASN1_OBJECT GENERAL_NAME; typedef WOLFSSL_ASN1_OBJECT BASIC_CONSTRAINTS; -#define ASN1_UTCTIME WOLFSSL_ASN1_TIME +#define ASN1_UTCTIME WOLFSSL_ASN1_TIME +#define ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME typedef WOLFSSL_MD4_CTX MD4_CTX; typedef WOLFSSL_COMP_METHOD COMP_METHOD; -typedef WOLFSSL_X509_STORE X509_STORE; typedef WOLFSSL_X509_REVOKED X509_REVOKED; typedef WOLFSSL_X509_OBJECT X509_OBJECT; +typedef WOLFSSL_X509_STORE X509_STORE; typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define CRYPTO_free XFREE @@ -104,7 +101,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_get_cipher_list(ctx,i) wolfSSL_get_cipher_list((i)) #define SSL_get_cipher_name(ctx) wolfSSL_get_cipher((ctx)) #define SSL_get_shared_ciphers(ctx,buf,len) \ - strncpy(buf, "Not Implemented, SSLv2 only", len) + wolfSSL_get_shared_ciphers((ctx),(buf),(len)) #define ERR_print_errors_fp(file) wolfSSL_ERR_dump_errors_fp((file)) @@ -335,7 +332,8 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define X509_get_serialNumber wolfSSL_X509_get_serialNumber -#define ASN1_TIME_print wolfSSL_ASN1_TIME_print +#define ASN1_TIME_print wolfSSL_ASN1_TIME_print +#define ASN1_GENERALIZEDTIME_print wolfSSL_ASN1_GENERALIZEDTIME_print #define ASN1_INTEGER_cmp wolfSSL_ASN1_INTEGER_cmp #define ASN1_INTEGER_get wolfSSL_ASN1_INTEGER_get @@ -343,6 +341,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_load_client_CA_file wolfSSL_load_client_CA_file +#define SSL_CTX_get_client_CA_list wolfSSL_SSL_CTX_get_client_CA_list #define SSL_CTX_set_client_CA_list wolfSSL_CTX_set_client_CA_list #define SSL_CTX_set_cert_store wolfSSL_CTX_set_cert_store #define SSL_CTX_get_cert_store wolfSSL_CTX_get_cert_store @@ -472,7 +471,9 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; /* Lighthttp compatibility */ -#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) +#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) \ + || defined(HAVE_STUNNEL) \ + || defined(WOLFSSL_NGINX) typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define X509_NAME_free wolfSSL_X509_NAME_free @@ -484,6 +485,7 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define OBJ_obj2nid wolfSSL_OBJ_obj2nid #define OBJ_sn2nid wolfSSL_OBJ_sn2nid #define SSL_CTX_set_verify_depth wolfSSL_CTX_set_verify_depth +#define SSL_set_verify_depth wolfSSL_set_verify_depth #define SSL_get_app_data wolfSSL_get_app_data #define SSL_set_app_data wolfSSL_set_app_data #define X509_NAME_entry_count wolfSSL_X509_NAME_entry_count @@ -501,16 +503,17 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define NID_commonName 0x03 /* matchs ASN_COMMON_NAME in asn.h */ #endif -#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) \ - || defined(WOLFSSL_MYSQL_COMPATIBLE) +#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) \ + || defined(HAVE_STUNNEL) \ + || defined(WOLFSSL_NGINX) #define OBJ_nid2ln wolfSSL_OBJ_nid2ln #define OBJ_txt2nid wolfSSL_OBJ_txt2nid #define PEM_read_bio_DHparams wolfSSL_PEM_read_bio_DHparams #define PEM_read_bio_DSAparams wolfSSL_PEM_read_bio_DSAparams -#define PEM_write_bio_X509 PEM_write_bio_WOLFSSL_X509 +#define PEM_write_bio_X509 wolfSSL_PEM_write_bio_X509 -#endif /* HAVE_STUNNEL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE */ +#endif /* HAVE_STUNNEL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE || WOLFSSL_NGINX */ #define SSL_CTX_set_tmp_dh wolfSSL_CTX_set_tmp_dh #define BIO_new_file wolfSSL_BIO_new_file @@ -590,15 +593,18 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define SSL_CTRL_GET_READ_AHEAD 40 #define SSL_CTRL_SET_READ_AHEAD 41 +#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 +#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 + #define SSL_ctrl wolfSSL_ctrl #define SSL_CTX_ctrl wolfSSL_CTX_ctrl #define X509_V_FLAG_CRL_CHECK WOLFSSL_CRL_CHECK #define X509_V_FLAG_CRL_CHECK_ALL WOLFSSL_CRL_CHECKALL -#ifdef HAVE_STUNNEL +#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) #include #define SSL2_VERSION 0x0002 @@ -646,7 +652,7 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define SSL_get_servername wolfSSL_get_servername #define SSL_set_SSL_CTX wolfSSL_set_SSL_CTX #define SSL_CTX_get_verify_callback wolfSSL_CTX_get_verify_callback -#define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_servername_callback +#define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_tlsext_servername_callback #define SSL_CTX_set_tlsext_servername_arg wolfSSL_CTX_set_servername_arg #define PSK_MAX_PSK_LEN 256 @@ -655,7 +661,7 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define SSL_CTX_clear_options wolfSSL_CTX_clear_options -#endif /* HAVE_STUNNEL */ +#endif /* HAVE_STUNNEL || WOLFSSL_NGINX */ #define SSL_CTX_get_default_passwd_cb wolfSSL_CTX_get_default_passwd_cb #define SSL_CTX_get_default_passwd_cb_userdata wolfSSL_CTX_get_default_passwd_cb_userdata @@ -683,6 +689,98 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define SSL_CTX_set_msg_callback_arg wolfSSL_CTX_set_msg_callback_arg #define SSL_set_msg_callback_arg wolfSSL_set_msg_callback_arg +/* certificate extension NIDs */ +#define NID_basic_constraints 133 +#define NID_key_usage 129 /* 2.5.29.15 */ +#define NID_ext_key_usage 151 /* 2.5.29.37 */ +#define NID_subject_key_identifier 128 +#define NID_authority_key_identifier 149 +#define NID_private_key_usage_period 130 /* 2.5.29.16 */ +#define NID_subject_alt_name 131 +#define NID_issuer_alt_name 132 +#define NID_info_access 69 +#define NID_sinfo_access 79 /* id-pe 11 */ +#define NID_name_constraints 144 /* 2.5.29.30 */ +#define NID_certificate_policies 146 +#define NID_policy_mappings 147 +#define NID_policy_constraints 150 +#define NID_inhibit_any_policy 168 /* 2.5.29.54 */ +#define NID_tlsfeature 92 /* id-pe 24 */ + +#ifdef WOLFSSL_NGINX +#include + +#define OPENSSL_STRING WOLFSSL_STRING + +#define TLSEXT_TYPE_application_layer_protocol_negotiation 16 + +#define OPENSSL_NPN_UNSUPPORTED 0 +#define OPENSSL_NPN_NEGOTIATED 1 +#define OPENSSL_NPN_NO_OVERLAP 2 + + +/* Nginx checks these to see if the error was a handshake error. */ +#define SSL_R_BAD_CHANGE_CIPHER_SPEC LENGTH_ERROR +#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG BUFFER_E +#define SSL_R_DIGEST_CHECK_FAILED VERIFY_MAC_ERROR +#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST SUITES_ERROR +#define SSL_R_EXCESSIVE_MESSAGE_SIZE BUFFER_ERROR +#define SSL_R_LENGTH_MISMATCH LENGTH_ERROR +#define SSL_R_NO_CIPHERS_SPECIFIED SUITES_ERROR +#define SSL_R_NO_COMPRESSION_SPECIFIED COMPRESSION_ERROR +#define SSL_R_NO_SHARED_CIPHER MATCH_SUITE_ERROR +#define SSL_R_RECORD_LENGTH_MISMATCH HANDSHAKE_SIZE_ERROR +#define SSL_R_UNEXPECTED_MESSAGE OUT_OF_ORDER_E +#define SSL_R_UNEXPECTED_RECORD SANITY_MSG_E +#define SSL_R_UNKNOWN_ALERT_TYPE BUFFER_ERROR +#define SSL_R_UNKNOWN_PROTOCOL VERSION_ERROR +#define SSL_R_WRONG_VERSION_NUMBER VERSION_ERROR +#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ENCRYPT_ERROR + +/* Nginx uses this to determine if reached end of certs in file. + * PEM_read_bio_X509 is called and the return error is lost. + * The error that needs to be detected is: SSL_NO_PEM_HEADER. + */ +#define ERR_GET_LIB(l) (int)((((unsigned long)l)>>24L)&0xffL) +#define PEM_R_NO_START_LINE 108 +#define ERR_LIB_PEM 9 + +#ifdef HAVE_SESSION_TICKET +#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 +#endif + +#define OPENSSL_config wolfSSL_OPENSSL_config +#define X509_get_ex_new_index wolfSSL_X509_get_ex_new_index +#define X509_get_ex_data wolfSSL_X509_get_ex_data +#define X509_set_ex_data wolfSSL_X509_set_ex_data +#define X509_NAME_digest wolfSSL_X509_NAME_digest +#define SSL_CTX_get_timeout wolfSSL_SSL_CTX_get_timeout +#define SSL_CTX_set_tmp_ecdh wolfSSL_SSL_CTX_set_tmp_ecdh +#define SSL_CTX_remove_session wolfSSL_SSL_CTX_remove_session +#define SSL_get_rbio wolfSSL_SSL_get_rbio +#define SSL_get_wbio wolfSSL_SSL_get_wbio +#define SSL_do_handshake wolfSSL_SSL_do_handshake +#define SSL_in_init wolfSSL_SSL_in_init +#define SSL_get0_session wolfSSL_SSL_get0_session +#define X509_check_host wolfSSL_X509_check_host +#define i2a_ASN1_INTEGER wolfSSL_i2a_ASN1_INTEGER +#define ERR_peek_error_line_data wolfSSL_ERR_peek_error_line_data +#define SSL_CTX_set_tlsext_ticket_key_cb wolfSSL_CTX_set_tlsext_ticket_key_cb +#define X509_email_free wolfSSL_X509_email_free +#define X509_get1_ocsp wolfSSL_X509_get1_ocsp +#define SSL_CTX_set_tlsext_status_cb wolfSSL_CTX_set_tlsext_status_cb +#define X509_check_issued wolfSSL_X509_check_issued +#define X509_dup wolfSSL_X509_dup +#define X509_STORE_CTX_new wolfSSL_X509_STORE_CTX_new +#define X509_STORE_CTX_free wolfSSL_X509_STORE_CTX_free +#define SSL_CTX_get_extra_chain_certs wolfSSL_CTX_get_extra_chain_certs +#define X509_STORE_CTX_get1_issuer wolfSSL_X509_STORE_CTX_get1_issuer +#define sk_OPENSSL_STRING_value wolfSSL_sk_WOLFSSL_STRING_value +#define SSL_get0_alpn_selected wolfSSL_get0_alpn_selected +#define SSL_select_next_proto wolfSSL_select_next_proto +#define SSL_CTX_set_alpn_select_cb wolfSSL_CTX_set_alpn_select_cb + +#endif #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/openssl/ssl23.h b/wolfssl/openssl/ssl23.h new file mode 100644 index 000000000..fc3ddfb5f --- /dev/null +++ b/wolfssl/openssl/ssl23.h @@ -0,0 +1 @@ +/* ssl23.h for openssl */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 6b94cac52..6e8bd8068 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -61,6 +61,7 @@ #ifdef OPENSSL_EXTRA #include + #include #endif #ifdef __cplusplus @@ -80,10 +81,13 @@ typedef struct WOLFSSL_X509_CHAIN WOLFSSL_X509_CHAIN; typedef struct WOLFSSL_CERT_MANAGER WOLFSSL_CERT_MANAGER; typedef struct WOLFSSL_SOCKADDR WOLFSSL_SOCKADDR; +typedef struct WOLFSSL_CRL WOLFSSL_CRL; /* redeclare guard */ #define WOLFSSL_TYPES_DEFINED +#include + #ifndef WOLFSSL_RSA_TYPE_DEFINED /* guard on redeclaration */ typedef struct WOLFSSL_RSA WOLFSSL_RSA; @@ -95,15 +99,28 @@ typedef struct WOLFSSL_RSA WOLFSSL_RSA; #define WC_RNG_TYPE_DEFINED #endif +#ifndef WOLFSSL_DSA_TYPE_DEFINED /* guard on redeclaration */ typedef struct WOLFSSL_DSA WOLFSSL_DSA; +#define WOLFSSL_DSA_TYPE_DEFINED +#endif + +#ifndef WOLFSSL_EC_TYPE_DEFINED /* guard on redeclaration */ typedef struct WOLFSSL_EC_KEY WOLFSSL_EC_KEY; typedef struct WOLFSSL_EC_POINT WOLFSSL_EC_POINT; typedef struct WOLFSSL_EC_GROUP WOLFSSL_EC_GROUP; +#define WOLFSSL_EC_TYPE_DEFINED +#endif + +#ifndef WOLFSSL_ECDSA_TYPE_DEFINED /* guard on redeclaration */ typedef struct WOLFSSL_ECDSA_SIG WOLFSSL_ECDSA_SIG; +#define WOLFSSL_ECDSA_TYPE_DEFINED +#endif + typedef struct WOLFSSL_CIPHER WOLFSSL_CIPHER; typedef struct WOLFSSL_X509_LOOKUP WOLFSSL_X509_LOOKUP; typedef struct WOLFSSL_X509_LOOKUP_METHOD WOLFSSL_X509_LOOKUP_METHOD; typedef struct WOLFSSL_X509_CRL WOLFSSL_X509_CRL; +typedef struct WOLFSSL_X509_STORE WOLFSSL_X509_STORE; typedef struct WOLFSSL_BIO WOLFSSL_BIO; typedef struct WOLFSSL_BIO_METHOD WOLFSSL_BIO_METHOD; typedef struct WOLFSSL_X509_EXTENSION WOLFSSL_X509_EXTENSION; @@ -117,7 +134,8 @@ typedef struct WOLFSSL_DH WOLFSSL_DH; typedef struct WOLFSSL_ASN1_BIT_STRING WOLFSSL_ASN1_BIT_STRING; typedef unsigned char* WOLFSSL_BUF_MEM; -#define WOLFSSL_ASN1_UTCTIME WOLFSSL_ASN1_TIME +#define WOLFSSL_ASN1_UTCTIME WOLFSSL_ASN1_TIME +#define WOLFSSL_ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME struct WOLFSSL_ASN1_INTEGER { /* size can be increased set at 20 for tag, length then to hold at least 16 @@ -126,18 +144,16 @@ struct WOLFSSL_ASN1_INTEGER { /* ASN_INTEGER | LENGTH | hex of number */ }; -typedef char WOLFSSL_EVP_MD; -typedef struct WOLFSSL_EVP_PKEY { - int type; /* openssh dereference */ - int save_type; /* openssh dereference */ - int pkey_sz; - union { - char* ptr; /* der format of key / or raw for NTRU */ - } pkey; - #ifdef HAVE_ECC - int pkey_curve; - #endif -} WOLFSSL_EVP_PKEY; +struct WOLFSSL_ASN1_TIME { + /* MAX_DATA_SIZE is 32 */ + unsigned char data[32 + 2]; + /* ASN_TIME | LENGTH | date bytes */ +}; + +#ifndef WOLFSSL_EVP_PKEY_TYPE_DEFINED /* guard on redeclaration */ +typedef struct WOLFSSL_EVP_PKEY WOLFSSL_EVP_PKEY; +#define WOLFSSL_EVP_PKEY_TYPE_DEFINED +#endif typedef struct WOLFSSL_MD4_CTX { int buffer[32]; /* big enough to hold, check size in Init */ @@ -148,11 +164,22 @@ typedef struct WOLFSSL_COMP_METHOD { int type; /* stunnel dereference */ } WOLFSSL_COMP_METHOD; +struct WOLFSSL_X509_LOOKUP_METHOD { + int type; +}; -typedef struct WOLFSSL_X509_STORE { - int cache; /* stunnel dereference */ +struct WOLFSSL_X509_LOOKUP { + WOLFSSL_X509_STORE *store; +}; + +struct WOLFSSL_X509_STORE { + int cache; /* stunnel dereference */ WOLFSSL_CERT_MANAGER* cm; -} WOLFSSL_X509_STORE; + WOLFSSL_X509_LOOKUP lookup; +#ifdef OPENSSL_EXTRA + int isDynamic; +#endif +}; typedef struct WOLFSSL_ALERT { int code; @@ -196,6 +223,7 @@ typedef struct WOLFSSL_X509_STORE_CTX { WOLFSSL_BUFFER_INFO* certs; /* peer certs */ } WOLFSSL_X509_STORE_CTX; +typedef char* WOLFSSL_STRING; /* Valid Alert types from page 16/17 */ enum AlertDescription { @@ -347,6 +375,9 @@ WOLFSSL_API int wolfSSL_set_read_fd (WOLFSSL*, int); WOLFSSL_API char* wolfSSL_get_cipher_list(int priority); WOLFSSL_API int wolfSSL_get_ciphers(char*, int); WOLFSSL_API const char* wolfSSL_get_cipher_name(WOLFSSL* ssl); +WOLFSSL_API const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf, + int len); +WOLFSSL_API const char* wolfSSL_get_curve_name(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_get_fd(const WOLFSSL*); WOLFSSL_API void wolfSSL_set_using_nonblock(WOLFSSL*, int); WOLFSSL_API int wolfSSL_get_using_nonblock(WOLFSSL*); @@ -475,7 +506,7 @@ WOLFSSL_API int wolfSSL_is_init_finished(WOLFSSL*); WOLFSSL_API const char* wolfSSL_get_version(WOLFSSL*); WOLFSSL_API int wolfSSL_get_current_cipher_suite(WOLFSSL* ssl); WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_get_current_cipher(WOLFSSL*); -WOLFSSL_API char* wolfSSL_CIPHER_description(WOLFSSL_CIPHER*, char*, int); +WOLFSSL_API char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER*, char*, int); WOLFSSL_API const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher); WOLFSSL_API const char* wolfSSL_SESSION_CIPHER_get_name(WOLFSSL_SESSION* session); WOLFSSL_API const char* wolfSSL_get_cipher(WOLFSSL*); @@ -517,7 +548,7 @@ WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_mem(void); WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_base64(void); WOLFSSL_API void wolfSSL_BIO_set_flags(WOLFSSL_BIO*, int); -WOLFSSL_API int wolfSSL_BIO_get_mem_data(WOLFSSL_BIO* bio,const unsigned char** p); +WOLFSSL_API int wolfSSL_BIO_get_mem_data(WOLFSSL_BIO* bio,void* p); WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_mem_buf(void* buf, int len); @@ -662,6 +693,8 @@ WOLFSSL_API WOLFSSL_BIGNUM *wolfSSL_ASN1_INTEGER_to_BN(const WOLFSSL_ASN1_INTEGE WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char*); #endif +WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_SSL_CTX_get_client_CA_list( + const WOLFSSL_CTX *s); WOLFSSL_API void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX*, STACK_OF(WOLFSSL_X509_NAME)*); WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX*, int); @@ -737,36 +770,35 @@ WOLFSSL_API long wolfSSL_get_verify_result(const WOLFSSL *ssl); /* seperated out from other enums because of size */ enum { - /* bit flags (ie 0001 vs 0010) : each is 2 times previous value */ - SSL_OP_MICROSOFT_SESS_ID_BUG = 1, - SSL_OP_NETSCAPE_CHALLENGE_BUG = 2, - SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 4, - SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 8, - SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 16, - SSL_OP_MSIE_SSLV2_RSA_PADDING = 32, - SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 64, - SSL_OP_TLS_D5_BUG = 128, - SSL_OP_TLS_BLOCK_PADDING_BUG = 256, - SSL_OP_TLS_ROLLBACK_BUG = 512, - SSL_OP_ALL = 1024, - SSL_OP_EPHEMERAL_RSA = 2048, - SSL_OP_NO_SSLv3 = 4096, - SSL_OP_NO_TLSv1 = 8192, - SSL_OP_PKCS1_CHECK_1 = 16384, - SSL_OP_PKCS1_CHECK_2 = 32768, - SSL_OP_NETSCAPE_CA_DN_BUG = 65536, - SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 131072, - SSL_OP_SINGLE_DH_USE = 262144, - SSL_OP_NO_TICKET = 524288, - SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 1048576, - SSL_OP_NO_QUERY_MTU = 2097152, - SSL_OP_COOKIE_EXCHANGE = 4194304, - SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 8388608, - SSL_OP_SINGLE_ECDH_USE = 16777216, - SSL_OP_CIPHER_SERVER_PREFERENCE = 33554432, - SSL_OP_NO_TLSv1_1 = 67108864, - SSL_OP_NO_TLSv1_2 = 134217728, - SSL_OP_NO_COMPRESSION = 268435456, + SSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001, + SSL_OP_NETSCAPE_CHALLENGE_BUG = 0x00000002, + SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 0x00000004, + SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000008, + SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 0x00000010, + SSL_OP_MSIE_SSLV2_RSA_PADDING = 0x00000020, + SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 0x00000040, + SSL_OP_TLS_D5_BUG = 0x00000080, + SSL_OP_TLS_BLOCK_PADDING_BUG = 0x00000100, + SSL_OP_TLS_ROLLBACK_BUG = 0x00000200, + SSL_OP_ALL = 0x00000400, + SSL_OP_EPHEMERAL_RSA = 0x00000800, + SSL_OP_NO_SSLv3 = 0x00001000, + SSL_OP_NO_TLSv1 = 0x00002000, + SSL_OP_PKCS1_CHECK_1 = 0x00004000, + SSL_OP_PKCS1_CHECK_2 = 0x00008000, + SSL_OP_NETSCAPE_CA_DN_BUG = 0x00010000, + SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 0x00020000, + SSL_OP_SINGLE_DH_USE = 0x00040000, + SSL_OP_NO_TICKET = 0x00080000, + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00100000, + SSL_OP_NO_QUERY_MTU = 0x00200000, + SSL_OP_COOKIE_EXCHANGE = 0x00400000, + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00800000, + SSL_OP_SINGLE_ECDH_USE = 0x01000000, + SSL_OP_CIPHER_SERVER_PREFERENCE = 0x02000000, + SSL_OP_NO_TLSv1_1 = 0x04000000, + SSL_OP_NO_TLSv1_2 = 0x08000000, + SSL_OP_NO_COMPRESSION = 0x10000000, }; @@ -830,18 +862,25 @@ enum { X509_LU_X509 = 9, X509_LU_CRL = 12, - X509_V_OK = 0, - X509_V_ERR_CRL_SIGNATURE_FAILURE = 13, - X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 14, - X509_V_ERR_CRL_HAS_EXPIRED = 15, - X509_V_ERR_CERT_REVOKED = 16, - X509_V_ERR_CERT_CHAIN_TOO_LONG = 17, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 18, - X509_V_ERR_CERT_NOT_YET_VALID = 19, - X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 20, - X509_V_ERR_CERT_HAS_EXPIRED = 21, - X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 22, - X509_V_ERR_CERT_REJECTED = 23, + X509_V_OK = 0, + X509_V_ERR_CRL_SIGNATURE_FAILURE = 13, + X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 14, + X509_V_ERR_CRL_HAS_EXPIRED = 15, + X509_V_ERR_CERT_REVOKED = 16, + X509_V_ERR_CERT_CHAIN_TOO_LONG = 17, + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 18, + X509_V_ERR_CERT_NOT_YET_VALID = 19, + X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 20, + X509_V_ERR_CERT_HAS_EXPIRED = 21, + X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 22, + X509_V_ERR_CERT_REJECTED = 23, + /* Required for Nginx */ + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 24, + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 25, + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 26, + X509_V_ERR_CERT_UNTRUSTED = 27, + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 28, + X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29, /* additional X509_V_ERR_* enums not used in wolfSSL */ X509_V_ERR_UNABLE_TO_GET_CRL, X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, @@ -851,15 +890,9 @@ enum { X509_V_ERR_CRL_NOT_YET_VALID, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, X509_V_ERR_OUT_OF_MEM, - X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, X509_V_ERR_INVALID_CA, X509_V_ERR_PATH_LENGTH_EXCEEDED, X509_V_ERR_INVALID_PURPOSE, - X509_V_ERR_CERT_UNTRUSTED, - X509_V_ERR_SUBJECT_ISSUER_MISMATCH, X509_V_ERR_AKID_SKID_MISMATCH, X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, X509_V_ERR_KEYUSAGE_NO_CERTSIGN, @@ -878,6 +911,7 @@ enum { XN_FLAG_SPC_EQ = (1 << 23), XN_FLAG_ONELINE = 0, + XN_FLAG_RFC2253 = 1, CRYPTO_LOCK = 1, CRYPTO_NUM_LOCKS = 10, @@ -924,12 +958,14 @@ enum { /* ssl Constants */ SSL_VERIFY_CLIENT_ONCE = 4, SSL_VERIFY_FAIL_EXCEPT_PSK = 8, - SSL_SESS_CACHE_OFF = 30, - SSL_SESS_CACHE_CLIENT = 31, - SSL_SESS_CACHE_SERVER = 32, - SSL_SESS_CACHE_BOTH = 33, - SSL_SESS_CACHE_NO_AUTO_CLEAR = 34, - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP = 35, + SSL_SESS_CACHE_OFF = 0x0000, + SSL_SESS_CACHE_CLIENT = 0x0001, + SSL_SESS_CACHE_SERVER = 0x0002, + SSL_SESS_CACHE_BOTH = 0x0003, + SSL_SESS_CACHE_NO_AUTO_CLEAR = 0x0008, + SSL_SESS_CACHE_NO_INTERNAL_LOOKUP = 0x0100, + SSL_SESS_CACHE_NO_INTERNAL_STORE = 0x0200, + SSL_SESS_CACHE_NO_INTERNAL = 0x0300, SSL_ERROR_WANT_READ = 2, SSL_ERROR_WANT_WRITE = 3, @@ -1037,6 +1073,8 @@ WOLFSSL_API int wolfSSL_want_write(WOLFSSL*); WOLFSSL_API int wolfSSL_BIO_printf(WOLFSSL_BIO*, const char*, ...); WOLFSSL_API int wolfSSL_ASN1_UTCTIME_print(WOLFSSL_BIO*, const WOLFSSL_ASN1_UTCTIME*); +WOLFSSL_API int wolfSSL_ASN1_GENERALIZEDTIME_print(WOLFSSL_BIO*, + const WOLFSSL_ASN1_GENERALIZEDTIME*); WOLFSSL_API int wolfSSL_sk_num(WOLFSSL_X509_REVOKED*); WOLFSSL_API void* wolfSSL_sk_value(WOLFSSL_X509_REVOKED*, int); @@ -1260,9 +1298,6 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, WOLFSSL_API int wolfSSL_CTX_set_group_messages(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_set_group_messages(WOLFSSL*); -/* I/O callbacks */ -typedef int (*CallbackIORecv)(WOLFSSL *ssl, char *buf, int sz, void *ctx); -typedef int (*CallbackIOSend)(WOLFSSL *ssl, char *buf, int sz, void *ctx); #ifdef HAVE_FUZZER enum fuzzer_type { @@ -1279,64 +1314,7 @@ typedef int (*CallbackFuzzer)(WOLFSSL* ssl, const unsigned char* buf, int sz, WOLFSSL_API void wolfSSL_SetFuzzerCb(WOLFSSL* ssl, CallbackFuzzer cbf, void* fCtx); #endif -WOLFSSL_API void wolfSSL_SetIORecv(WOLFSSL_CTX*, CallbackIORecv); -WOLFSSL_API void wolfSSL_SetIOSend(WOLFSSL_CTX*, CallbackIOSend); -WOLFSSL_API void wolfSSL_SetIOReadCtx( WOLFSSL* ssl, void *ctx); -WOLFSSL_API void wolfSSL_SetIOWriteCtx(WOLFSSL* ssl, void *ctx); - -WOLFSSL_API void* wolfSSL_GetIOReadCtx( WOLFSSL* ssl); -WOLFSSL_API void* wolfSSL_GetIOWriteCtx(WOLFSSL* ssl); - -WOLFSSL_API void wolfSSL_SetIOReadFlags( WOLFSSL* ssl, int flags); -WOLFSSL_API void wolfSSL_SetIOWriteFlags(WOLFSSL* ssl, int flags); - -#ifndef WOLFSSL_USER_IO - /* default IO callbacks */ - WOLFSSL_API int EmbedReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx); - WOLFSSL_API int EmbedSend(WOLFSSL* ssl, char* buf, int sz, void* ctx); - - #ifdef HAVE_OCSP - WOLFSSL_API int EmbedOcspLookup(void*, const char*, int, unsigned char*, - int, unsigned char**); - WOLFSSL_API void EmbedOcspRespFree(void*, unsigned char*); - #endif - - #ifdef WOLFSSL_DTLS - WOLFSSL_API int EmbedReceiveFrom(WOLFSSL* ssl, char* buf, int sz, void*); - WOLFSSL_API int EmbedSendTo(WOLFSSL* ssl, char* buf, int sz, void* ctx); - WOLFSSL_API int EmbedGenerateCookie(WOLFSSL* ssl, unsigned char* buf, - int sz, void*); - #ifdef WOLFSSL_SESSION_EXPORT - WOLFSSL_API int EmbedGetPeer(WOLFSSL* ssl, char* ip, int* ipSz, - unsigned short* port, int* fam); - WOLFSSL_API int EmbedSetPeer(WOLFSSL* ssl, char* ip, int ipSz, - unsigned short port, int fam); - - typedef int (*CallbackGetPeer)(WOLFSSL* ssl, char* ip, int* ipSz, - unsigned short* port, int* fam); - typedef int (*CallbackSetPeer)(WOLFSSL* ssl, char* ip, int ipSz, - unsigned short port, int fam); - - WOLFSSL_API void wolfSSL_CTX_SetIOGetPeer(WOLFSSL_CTX*, - CallbackGetPeer); - WOLFSSL_API void wolfSSL_CTX_SetIOSetPeer(WOLFSSL_CTX*, - CallbackSetPeer); - #endif /* WOLFSSL_SESSION_EXPORT */ - #endif /* WOLFSSL_DTLS */ -#endif /* WOLFSSL_USER_IO */ - - -#ifdef HAVE_NETX - WOLFSSL_API void wolfSSL_SetIO_NetX(WOLFSSL* ssl, NX_TCP_SOCKET* nxsocket, - ULONG waitoption); -#endif - -typedef int (*CallbackGenCookie)(WOLFSSL* ssl, unsigned char* buf, int sz, - void* ctx); -WOLFSSL_API void wolfSSL_CTX_SetGenCookie(WOLFSSL_CTX*, CallbackGenCookie); -WOLFSSL_API void wolfSSL_SetCookieCtx(WOLFSSL* ssl, void *ctx); -WOLFSSL_API void* wolfSSL_GetCookieCtx(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_DTLS_SetCookieSecret(WOLFSSL*, const unsigned char*, unsigned int); @@ -1394,6 +1372,10 @@ typedef int (*CbOCSPIO)(void*, const char*, int, unsigned char*, int, unsigned char**); typedef void (*CbOCSPRespFree)(void*,unsigned char*); +#ifdef HAVE_CRL_IO +typedef int (*CbCrlIO)(WOLFSSL_CRL* crl, const char* url, int urlSz); +#endif + /* User Atomic Record Layer CallBacks */ typedef int (*CallbackMacEncrypt)(WOLFSSL* ssl, unsigned char* macOut, const unsigned char* macIn, unsigned int macInSz, int macContent, @@ -1565,6 +1547,10 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); const unsigned char*, long sz, int); WOLFSSL_API int wolfSSL_CertManagerSetCRL_Cb(WOLFSSL_CERT_MANAGER*, CbMissingCRL); +#ifdef HAVE_CRL_IO + WOLFSSL_API int wolfSSL_CertManagerSetCRL_IOCb(WOLFSSL_CERT_MANAGER*, + CbCrlIO); +#endif WOLFSSL_API int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER*, unsigned char*, int sz); WOLFSSL_API int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER*, @@ -1584,6 +1570,9 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_LoadCRLBuffer(WOLFSSL*, const unsigned char*, long sz, int); WOLFSSL_API int wolfSSL_SetCRL_Cb(WOLFSSL*, CbMissingCRL); +#ifdef HAVE_CRL_IO + WOLFSSL_API int wolfSSL_SetCRL_IOCb(WOLFSSL* ssl, CbCrlIO cb); +#endif WOLFSSL_API int wolfSSL_EnableOCSP(WOLFSSL*, int options); WOLFSSL_API int wolfSSL_DisableOCSP(WOLFSSL*); WOLFSSL_API int wolfSSL_SetOCSP_OverrideURL(WOLFSSL*, const char*); @@ -1595,6 +1584,9 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_CTX_LoadCRLBuffer(WOLFSSL_CTX*, const unsigned char*, long sz, int); WOLFSSL_API int wolfSSL_CTX_SetCRL_Cb(WOLFSSL_CTX*, CbMissingCRL); +#ifdef HAVE_CRL_IO + WOLFSSL_API int wolfSSL_CTX_SetCRL_IOCb(WOLFSSL_CTX*, CbCrlIO); +#endif WOLFSSL_API int wolfSSL_CTX_EnableOCSP(WOLFSSL_CTX*, int options); WOLFSSL_API int wolfSSL_CTX_DisableOCSP(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_CTX_SetOCSP_OverrideURL(WOLFSSL_CTX*, const char*); @@ -1615,6 +1607,11 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); WOLFSSL_API void wolfSSL_KeepArrays(WOLFSSL*); WOLFSSL_API void wolfSSL_FreeArrays(WOLFSSL*); +WOLFSSL_API int wolfSSL_KeepHandshakeResources(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_FreeHandshakeResources(WOLFSSL* ssl); + +WOLFSSL_API int wolfSSL_CTX_UseClientSuites(WOLFSSL_CTX* ctx); +WOLFSSL_API int wolfSSL_UseClientSuites(WOLFSSL* ssl); /* async additions */ WOLFSSL_API int wolfSSL_UseAsync(WOLFSSL*, int devId); @@ -1690,6 +1687,12 @@ enum { WOLFSSL_MAX_ALPN_NUMBER = 257 }; +#ifdef WOLFSSL_NGINX +typedef int (*CallbackALPNSelect)(WOLFSSL* ssl, const unsigned char** out, + unsigned char* outLen, const unsigned char* in, unsigned int inLen, + void *arg); +#endif + WOLFSSL_API int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list, unsigned int protocol_name_listSz, unsigned char options); @@ -1839,7 +1842,7 @@ WOLFSSL_API int wolfSSL_Rehandshake(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_UseSessionTicket(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_CTX_UseSessionTicket(WOLFSSL_CTX* ctx); WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL*, unsigned char*, unsigned int*); -WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL*, unsigned char*, unsigned int); +WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL*, const unsigned char*, unsigned int); typedef int (*CallbackSessionTicket)(WOLFSSL*, const unsigned char*, int, void*); WOLFSSL_API int wolfSSL_set_SessionTicket_cb(WOLFSSL*, CallbackSessionTicket, void*); @@ -1960,7 +1963,7 @@ WOLFSSL_API int wolfSSL_accept_ex(WOLFSSL*, HandShakeCallBack, TimeoutCallBack, WOLFSSL_API void wolfSSL_cert_service(void); #endif -#if defined(WOLFSSL_MYSQL_COMPATIBLE) +#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) WOLFSSL_API char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time, char* buf, int len); #endif /* WOLFSSL_MYSQL_COMPATIBLE */ @@ -2028,7 +2031,10 @@ struct WOLFSSL_X509_NAME_ENTRY { int size; }; -#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) +#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) \ + || defined(HAVE_STUNNEL) \ + || defined(WOLFSSL_NGINX) \ + || defined(OPENSSL_EXTRA) WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name); WOLFSSL_API char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x); WOLFSSL_API int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name); @@ -2037,6 +2043,7 @@ WOLFSSL_API const char * wolfSSL_OBJ_nid2sn(int n); WOLFSSL_API int wolfSSL_OBJ_obj2nid(const WOLFSSL_ASN1_OBJECT *o); WOLFSSL_API int wolfSSL_OBJ_sn2nid(const char *sn); WOLFSSL_API void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth); +WOLFSSL_API void wolfSSL_set_verify_depth(WOLFSSL *ssl,int depth); WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); WOLFSSL_API void wolfSSL_set_app_data(WOLFSSL *ssl, void *arg); WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne); @@ -2070,7 +2077,7 @@ WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx); #endif /* HAVE_STUNNEL || HAVE_LIGHTY */ -#ifdef HAVE_STUNNEL +#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) #include @@ -2145,6 +2152,8 @@ WOLFSSL_API VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX*); WOLFSSL_API void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX *, CallbackSniRecv); +WOLFSSL_API int wolfSSL_CTX_set_tlsext_servername_callback(WOLFSSL_CTX *, + CallbackSniRecv); WOLFSSL_API void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*); @@ -2160,13 +2169,14 @@ WOLFSSL_API void wolfSSL_THREADID_set_callback(void (*threadid_func)(void*)); WOLFSSL_API void wolfSSL_THREADID_set_numeric(void* id, unsigned long val); -WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_get1_certs(WOLFSSL_X509_STORE_CTX*, - WOLFSSL_X509_NAME*); +WOLFSSL_API STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs( + WOLFSSL_X509_STORE_CTX*, WOLFSSL_X509_NAME*); WOLFSSL_API void wolfSSL_sk_X509_pop_free(STACK_OF(WOLFSSL_X509)* sk, void f (WOLFSSL_X509*)); -#endif /* HAVE_STUNNEL */ +#endif /* HAVE_STUNNEL || WOLFSSL_NGINX */ -#if defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) +#if defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) \ + || defined(WOLFSSL_NGINX) WOLFSSL_API int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx); @@ -2194,6 +2204,91 @@ WOLFSSL_API int wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg); WOLFSSL_API int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg); #endif +#ifdef OPENSSL_EXTRA +WOLFSSL_API unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, + int *line, const char **data, int *flags); +#endif + +#ifdef WOLFSSL_NGINX +/* Not an OpenSSL API. */ +WOLFSSL_LOCAL int wolfSSL_get_ocsp_response(WOLFSSL* ssl, byte** response); +/* Not an OpenSSL API. */ +WOLFSSL_LOCAL char* wolfSSL_get_ocsp_url(WOLFSSL* ssl); +/* Not an OpenSSL API. */ +WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url); + +WOLFSSL_API void wolfSSL_OPENSSL_config(char *config_name); +WOLFSSL_API int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, + void *b, void *c); +WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx); +WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx, + void *data); + +WOLFSSL_API int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *data, + const WOLFSSL_EVP_MD *type, unsigned char *md, unsigned int *len); + +WOLFSSL_API long wolfSSL_SSL_CTX_get_timeout(const WOLFSSL_CTX *ctx); +WOLFSSL_API int wolfSSL_SSL_CTX_set_tmp_ecdh(WOLFSSL_CTX *ctx, + WOLFSSL_EC_KEY *ecdh); +WOLFSSL_API int wolfSSL_SSL_CTX_remove_session(WOLFSSL_CTX *, + WOLFSSL_SESSION *c); + +WOLFSSL_API WOLFSSL_BIO *wolfSSL_SSL_get_rbio(const WOLFSSL *s); +WOLFSSL_API WOLFSSL_BIO *wolfSSL_SSL_get_wbio(const WOLFSSL *s); +WOLFSSL_API int wolfSSL_SSL_do_handshake(WOLFSSL *s); +WOLFSSL_API int wolfSSL_SSL_in_init(WOLFSSL *a); /* #define in OpenSSL */ +WOLFSSL_API WOLFSSL_SESSION *wolfSSL_SSL_get0_session(const WOLFSSL *s); +WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, + size_t chklen, unsigned int flags, char **peername); + +WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp, + const WOLFSSL_ASN1_INTEGER *a); + +#ifdef HAVE_SESSION_TICKET +WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, int (*)( + WOLFSSL *ssl, unsigned char *name, unsigned char *iv, + WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc)); +#endif + +#ifdef HAVE_OCSP +WOLFSSL_API int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, + STACK_OF(X509)** chain); +WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, + int(*)(WOLFSSL*, void*)); + +WOLFSSL_API int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, + WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x); + +WOLFSSL_API void wolfSSL_X509_email_free(STACK_OF(WOLFSSL_STRING) *sk); +WOLFSSL_API STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x); + +WOLFSSL_API int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, + WOLFSSL_X509 *subject); + +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x); + +WOLFSSL_API char* wolfSSL_sk_WOLFSSL_STRING_value( + STACK_OF(WOLFSSL_STRING)* strings, int idx); +#endif /* HAVE_OCSP */ + +WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bio, + WOLFSSL_X509 *cert); +#endif /* WOLFSSL_NGINX */ + +WOLFSSL_API void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl, + const unsigned char **data, unsigned int *len); +WOLFSSL_API int wolfSSL_select_next_proto(unsigned char **out, + unsigned char *outlen, + const unsigned char *in, unsigned int inlen, + const unsigned char *client, + unsigned int client_len); +WOLFSSL_API void wolfSSL_CTX_set_alpn_select_cb(WOLFSSL_CTX *ctx, + int (*cb) (WOLFSSL *ssl, + const unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, + void *arg), void *arg); #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/test.h b/wolfssl/test.h index e0b03c3b3..d47300a3d 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -514,6 +514,12 @@ static INLINE void showPeer(WOLFSSL* ssl) { WOLFSSL_CIPHER* cipher; +#ifdef HAVE_ECC + const char *name; +#endif +#ifndef NO_DH + int bits; +#endif #ifdef KEEP_PEER_CERT WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); if (peer) @@ -535,6 +541,16 @@ static INLINE void showPeer(WOLFSSL* ssl) #else printf("SSL cipher suite is %s\n", wolfSSL_CIPHER_get_name(cipher)); #endif +#ifdef HAVE_ECC + if ((name = wolfSSL_get_curve_name(ssl)) != NULL) + printf("SSL curve name is %s\n", name); +#endif +#ifndef NO_DH + if ((bits = wolfSSL_GetDhKey_Sz(ssl)) > 0) + printf("SSL DH size is %d bits\n", bits); +#endif + if (wolfSSL_session_reused(ssl)) + printf("SSL reused session\n"); #if defined(SESSION_CERTS) && defined(SHOW_CERTS) { @@ -608,7 +624,7 @@ static INLINE void build_addr(SOCKADDR_IN_T* addr, const char* peer, #else addr->sin_family = AF_INET_V; #endif - addr->sin_port = htons(port); + addr->sin_port = XHTONS(port); if (peer == INADDR_ANY) addr->sin_addr.s_addr = INADDR_ANY; else { @@ -617,7 +633,7 @@ static INLINE void build_addr(SOCKADDR_IN_T* addr, const char* peer, } #else addr->sin6_family = AF_INET_V; - addr->sin6_port = htons(port); + addr->sin6_port = XHTONS(port); if (peer == INADDR_ANY) addr->sin6_addr = in6addr_any; else { @@ -808,9 +824,9 @@ static INLINE void tcp_listen(SOCKET_T* sockfd, word16* port, int useAnyAddr, socklen_t len = sizeof(addr); if (getsockname(*sockfd, (struct sockaddr*)&addr, &len) == 0) { #ifndef TEST_IPV6 - *port = ntohs(addr.sin_port); + *port = XNTOHS(addr.sin_port); #else - *port = ntohs(addr.sin6_port); + *port = XNTOHS(addr.sin6_port); #endif } } @@ -869,9 +885,9 @@ static INLINE void udp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, socklen_t len = sizeof(addr); if (getsockname(*sockfd, (struct sockaddr*)&addr, &len) == 0) { #ifndef TEST_IPV6 - port = ntohs(addr.sin_port); + port = XNTOHS(addr.sin_port); #else - port = ntohs(addr.sin6_port); + port = XNTOHS(addr.sin6_port); #endif } } @@ -1285,10 +1301,6 @@ static INLINE void CaCb(unsigned char* der, int sz, int type) /* Wolf Root Directory Helper */ /* KEIL-RL File System does not support relative directory */ #if !defined(WOLFSSL_MDK_ARM) && !defined(WOLFSSL_KEIL_FS) && !defined(WOLFSSL_TIRTOS) - #ifndef MAX_PATH - #define MAX_PATH 256 - #endif - /* Maximum depth to search for WolfSSL root */ #define MAX_WOLF_ROOT_DEPTH 5 @@ -2016,7 +2028,7 @@ static INLINE const char* mymktemp(char *tempfn, int len, int num) (void)userCtx; int ret; - word16 sLen = htons(inLen); + word16 sLen = XHTONS(inLen); byte aad[WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + 2]; int aadSz = WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + 2; byte* tmp = aad; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 1eb4b6d90..f1419a1d2 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -188,7 +188,7 @@ enum Misc_ASN { MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */ MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ, #endif - OCSP_NONCE_EXT_SZ = 37, /* OCSP Nonce Extension size */ + OCSP_NONCE_EXT_SZ = 35, /* OCSP Nonce Extension size */ MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */ MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */ EIGHTK_BUF = 8192, /* Tmp buffer size */ @@ -196,7 +196,10 @@ enum Misc_ASN { /* use bigger NTRU size */ HEADER_ENCRYPTED_KEY_SIZE = 88,/* Extra header size for encrypted key */ TRAILING_ZERO = 1, /* Used for size of zero pad */ - MIN_VERSION_SZ = 3 /* Min bytes needed for GetMyVersion */ + MIN_VERSION_SZ = 3, /* Min bytes needed for GetMyVersion */ +#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) + MAX_TIME_STRING_SZ = 21, /* Max length of formatted time string */ +#endif }; @@ -677,11 +680,13 @@ WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*); #endif /* WOLFSSL_TRUST_PEER_CERT */ WOLFSSL_ASN_API int ToTraditional(byte* buffer, word32 length); +WOLFSSL_LOCAL int ToTraditionalInline(const byte* input, word32* inOutIdx, + word32 length); WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int); WOLFSSL_LOCAL int DecryptContent(byte* input, word32 sz,const char* psw,int pswSz); typedef struct tm wolfssl_tm; -#if defined(WOLFSSL_MYSQL_COMPATIBLE) +#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len); #endif WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format, @@ -807,6 +812,10 @@ struct CertStatus { byte nextDate[MAX_DATE_SIZE]; byte thisDateFormat; byte nextDateFormat; +#ifdef WOLFSSL_NGINX + byte* thisDateAsn; + byte* nextDateAsn; +#endif byte* rawOcspResponse; word32 rawOcspResponseSz; @@ -853,11 +862,15 @@ struct OcspRequest { byte nonce[MAX_OCSP_NONCE_SZ]; int nonceSz; void* heap; + +#ifdef WOLFSSL_NGINX + void* ssl; +#endif }; WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32); -WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap); +WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int); WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, void*); WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index 576d2d28f..78c48c684 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -240,7 +240,8 @@ WOLFSSL_API int wc_SetKeyUsage(Cert *cert, const char *value); #endif /* WOLFSSL_PEMPUBKEY_TODER_DEFINED */ #endif /* WOLFSSL_CERT_EXT || WOLFSSL_PUB_PEM_TO_DER */ -#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || !defined(NO_DSA) +#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || !defined(NO_DSA) \ + || defined(OPENSSL_EXTRA) WOLFSSL_API int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outputSz, int type); WOLFSSL_API int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, @@ -267,6 +268,9 @@ WOLFSSL_API word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz, int hashOID); WOLFSSL_API int wc_GetCTC_HashOID(int type); +WOLFSSL_API int wc_GetPkcs8TraditionalOffset(byte* input, + word32* inOutIdx, word32 sz); + /* Time */ /* Returns seconds (Epoch/UTC) * timePtr: is "time_t", which is typically "long" diff --git a/wolfssl/wolfcrypt/dh.h b/wolfssl/wolfcrypt/dh.h index 332d460f0..2410ab777 100644 --- a/wolfssl/wolfcrypt/dh.h +++ b/wolfssl/wolfcrypt/dh.h @@ -56,6 +56,7 @@ WOLFSSL_API int wc_DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g word32 gSz); WOLFSSL_API int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz, byte* g, word32* gInOutSz); +WOLFSSL_API int wc_DhCheckPubKey(DhKey* key, const byte* pub, word32 pubSz); #ifdef __cplusplus diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index 177d7003f..fb4701940 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -110,7 +110,8 @@ enum { /* Curve Types */ typedef enum ecc_curve_id { - ECC_CURVE_DEF, /* NIST or SECP */ + ECC_CURVE_INVALID = -1, + ECC_CURVE_DEF = 0, /* NIST or SECP */ /* NIST Prime Curves */ ECC_SECP192R1, @@ -274,10 +275,9 @@ typedef struct ecc_key { ecc_point pubkey; /* public key */ mp_int k; /* private key */ #endif +#ifdef WOLFSSL_ASYNC_CRYPT mp_int* r; /* sign/verify temps */ mp_int* s; - -#ifdef WOLFSSL_ASYNC_CRYPT AsyncCryptDev asyncDev; #endif } ecc_key; @@ -286,6 +286,24 @@ typedef struct ecc_key { /* ECC predefined curve sets */ extern const ecc_set_type ecc_sets[]; +WOLFSSL_API +const char* wc_ecc_get_name(int curve_id); + +#ifndef WOLFSSL_ATECC508A + +#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL + #define ECC_API WOLFSSL_API +#else + #define ECC_API WOLFSSL_LOCAL +#endif + +ECC_API int ecc_map(ecc_point*, mp_int*, mp_digit); +ECC_API int ecc_projective_add_point(ecc_point* P, ecc_point* Q, ecc_point* R, + mp_int* a, mp_int* modulus, mp_digit mp); +ECC_API int ecc_projective_dbl_point(ecc_point* P, ecc_point* R, mp_int* a, + mp_int* modulus, mp_digit mp); + +#endif WOLFSSL_API int wc_ecc_make_key(WC_RNG* rng, int keysize, ecc_key* key); @@ -339,10 +357,16 @@ int wc_ecc_set_flags(ecc_key* key, word32 flags); WOLFSSL_API void wc_ecc_fp_free(void); +WOLFSSL_API +int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id); + WOLFSSL_API int wc_ecc_is_valid_idx(int n); WOLFSSL_API -const char* wc_ecc_get_curve_name_from_id(int curve_id); +int wc_ecc_get_curve_idx(int curve_id); +WOLFSSL_API +int wc_ecc_get_curve_id(int curve_idx); +#define wc_ecc_get_curve_name_from_id wc_ecc_get_name WOLFSSL_API int wc_ecc_get_curve_size_from_id(int curve_id); diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 8a5080d57..075336911 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -183,6 +183,8 @@ enum { BAD_KEYWRAP_IV_E = -240, /* Decrypted AES key wrap IV incorrect */ WC_CLEANUP_E = -241, /* wolfcrypt cleanup failed */ ECC_CDH_KAT_FIPS_E = -242, /* ECC CDH Known Answer Test failure */ + DH_CHECK_PUB_E = -243, /* DH Check Pub Key error */ + BAD_PATH_ERROR = -244, /* Bad path for opendir */ MIN_CODE_E = -300 /* errors -101 - -299 */ diff --git a/wolfssl/wolfcrypt/fe_operations.h b/wolfssl/wolfcrypt/fe_operations.h index ae15dab1f..0696b6789 100644 --- a/wolfssl/wolfcrypt/fe_operations.h +++ b/wolfssl/wolfcrypt/fe_operations.h @@ -71,9 +71,9 @@ WOLFSSL_LOCAL void fe_tobytes(unsigned char *, const fe); WOLFSSL_LOCAL void fe_sq(fe, const fe); WOLFSSL_LOCAL void fe_sq2(fe,const fe); WOLFSSL_LOCAL void fe_frombytes(fe,const unsigned char *); -WOLFSSL_LOCAL void fe_cswap(fe,fe,unsigned int); +WOLFSSL_LOCAL void fe_cswap(fe, fe, int); WOLFSSL_LOCAL void fe_mul121666(fe,fe); -WOLFSSL_LOCAL void fe_cmov(fe,const fe,unsigned int); +WOLFSSL_LOCAL void fe_cmov(fe,const fe, int); WOLFSSL_LOCAL void fe_pow22523(fe,const fe); /* 64 type needed for SHA512 */ diff --git a/wolfssl/wolfcrypt/integer.h b/wolfssl/wolfcrypt/integer.h index 52fda71b2..543a832bc 100644 --- a/wolfssl/wolfcrypt/integer.h +++ b/wolfssl/wolfcrypt/integer.h @@ -45,6 +45,12 @@ #include +#ifdef WOLFSSL_PUBLIC_MP + #define MP_API WOLFSSL_API +#else + #define MP_API +#endif + #ifndef MIN #define MIN(x,y) ((x)<(y)?(x):(y)) #endif @@ -234,114 +240,115 @@ typedef int ltm_prime_callback(unsigned char *dst, int len, void *dat); extern const char *mp_s_rmap; /* 6 functions needed by Rsa */ -int mp_init (mp_int * a); -void mp_clear (mp_int * a); -void mp_forcezero(mp_int * a); -int mp_unsigned_bin_size(mp_int * a); -int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c); -int mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b); -int mp_to_unsigned_bin (mp_int * a, unsigned char *b); -int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y); +MP_API int mp_init (mp_int * a); +MP_API void mp_clear (mp_int * a); +MP_API void mp_forcezero(mp_int * a); +MP_API int mp_unsigned_bin_size(mp_int * a); +MP_API int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c); +MP_API int mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b); +MP_API int mp_to_unsigned_bin (mp_int * a, unsigned char *b); +MP_API int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y); /* end functions needed by Rsa */ /* functions added to support above needed, removed TOOM and KARATSUBA */ -int mp_count_bits (mp_int * a); -int mp_leading_bit (mp_int * a); -int mp_init_copy (mp_int * a, mp_int * b); -int mp_copy (mp_int * a, mp_int * b); -int mp_grow (mp_int * a, int size); -int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d); -void mp_zero (mp_int * a); -void mp_clamp (mp_int * a); -void mp_exch (mp_int * a, mp_int * b); -void mp_rshd (mp_int * a, int b); -void mp_rshb (mp_int * a, int b); -int mp_mod_2d (mp_int * a, int b, mp_int * c); -int mp_mul_2d (mp_int * a, int b, mp_int * c); -int mp_lshd (mp_int * a, int b); -int mp_abs (mp_int * a, mp_int * b); -int mp_invmod (mp_int * a, mp_int * b, mp_int * c); +MP_API int mp_count_bits (mp_int * a); +MP_API int mp_leading_bit (mp_int * a); +MP_API int mp_init_copy (mp_int * a, mp_int * b); +MP_API int mp_copy (mp_int * a, mp_int * b); +MP_API int mp_grow (mp_int * a, int size); +MP_API int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d); +MP_API void mp_zero (mp_int * a); +MP_API void mp_clamp (mp_int * a); +MP_API void mp_exch (mp_int * a, mp_int * b); +MP_API void mp_rshd (mp_int * a, int b); +MP_API void mp_rshb (mp_int * a, int b); +MP_API int mp_mod_2d (mp_int * a, int b, mp_int * c); +MP_API int mp_mul_2d (mp_int * a, int b, mp_int * c); +MP_API int mp_lshd (mp_int * a, int b); +MP_API int mp_abs (mp_int * a, mp_int * b); +MP_API int mp_invmod (mp_int * a, mp_int * b, mp_int * c); int fast_mp_invmod (mp_int * a, mp_int * b, mp_int * c); -int mp_invmod_slow (mp_int * a, mp_int * b, mp_int * c); -int mp_cmp_mag (mp_int * a, mp_int * b); -int mp_cmp (mp_int * a, mp_int * b); -int mp_cmp_d(mp_int * a, mp_digit b); -int mp_set (mp_int * a, mp_digit b); -int mp_is_bit_set (mp_int * a, mp_digit b); -int mp_mod (mp_int * a, mp_int * b, mp_int * c); -int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d); -int mp_div_2(mp_int * a, mp_int * b); -int mp_add (mp_int * a, mp_int * b, mp_int * c); +MP_API int mp_invmod_slow (mp_int * a, mp_int * b, mp_int * c); +MP_API int mp_cmp_mag (mp_int * a, mp_int * b); +MP_API int mp_cmp (mp_int * a, mp_int * b); +MP_API int mp_cmp_d(mp_int * a, mp_digit b); +MP_API int mp_set (mp_int * a, mp_digit b); +MP_API int mp_is_bit_set (mp_int * a, mp_digit b); +MP_API int mp_mod (mp_int * a, mp_int * b, mp_int * c); +MP_API int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d); +MP_API int mp_div_2(mp_int * a, mp_int * b); +MP_API int mp_add (mp_int * a, mp_int * b, mp_int * c); int s_mp_add (mp_int * a, mp_int * b, mp_int * c); int s_mp_sub (mp_int * a, mp_int * b, mp_int * c); -int mp_sub (mp_int * a, mp_int * b, mp_int * c); -int mp_reduce_is_2k_l(mp_int *a); -int mp_reduce_is_2k(mp_int *a); -int mp_dr_is_modulus(mp_int *a); -int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int); -int mp_montgomery_setup (mp_int * n, mp_digit * rho); +MP_API int mp_sub (mp_int * a, mp_int * b, mp_int * c); +MP_API int mp_reduce_is_2k_l(mp_int *a); +MP_API int mp_reduce_is_2k(mp_int *a); +MP_API int mp_dr_is_modulus(mp_int *a); +MP_API int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, + int); +MP_API int mp_montgomery_setup (mp_int * n, mp_digit * rho); int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho); -int mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho); -void mp_dr_setup(mp_int *a, mp_digit *d); -int mp_dr_reduce (mp_int * x, mp_int * n, mp_digit k); -int mp_reduce_2k(mp_int *a, mp_int *n, mp_digit d); +MP_API int mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho); +MP_API void mp_dr_setup(mp_int *a, mp_digit *d); +MP_API int mp_dr_reduce (mp_int * x, mp_int * n, mp_digit k); +MP_API int mp_reduce_2k(mp_int *a, mp_int *n, mp_digit d); int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs); int s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs); -int mp_reduce_2k_setup_l(mp_int *a, mp_int *d); -int mp_reduce_2k_l(mp_int *a, mp_int *n, mp_int *d); -int mp_reduce (mp_int * x, mp_int * m, mp_int * mu); -int mp_reduce_setup (mp_int * a, mp_int * b); +MP_API int mp_reduce_2k_setup_l(mp_int *a, mp_int *d); +MP_API int mp_reduce_2k_l(mp_int *a, mp_int *n, mp_int *d); +MP_API int mp_reduce (mp_int * x, mp_int * m, mp_int * mu); +MP_API int mp_reduce_setup (mp_int * a, mp_int * b); int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode); -int mp_montgomery_calc_normalization (mp_int * a, mp_int * b); +MP_API int mp_montgomery_calc_normalization (mp_int * a, mp_int * b); int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs); int s_mp_sqr (mp_int * a, mp_int * b); int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs); int fast_s_mp_sqr (mp_int * a, mp_int * b); -int mp_init_size (mp_int * a, int size); -int mp_div_3 (mp_int * a, mp_int *c, mp_digit * d); -int mp_mul_2(mp_int * a, mp_int * b); -int mp_mul (mp_int * a, mp_int * b, mp_int * c); -int mp_sqr (mp_int * a, mp_int * b); -int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d); -int mp_submod (mp_int* a, mp_int* b, mp_int* c, mp_int* d); -int mp_addmod (mp_int* a, mp_int* b, mp_int* c, mp_int* d); -int mp_mul_d (mp_int * a, mp_digit b, mp_int * c); -int mp_2expt (mp_int * a, int b); -int mp_set_bit (mp_int * a, int b); -int mp_reduce_2k_setup(mp_int *a, mp_digit *d); -int mp_add_d (mp_int* a, mp_digit b, mp_int* c); -int mp_set_int (mp_int * a, unsigned long b); -int mp_sub_d (mp_int * a, mp_digit b, mp_int * c); +MP_API int mp_init_size (mp_int * a, int size); +MP_API int mp_div_3 (mp_int * a, mp_int *c, mp_digit * d); +MP_API int mp_mul_2(mp_int * a, mp_int * b); +MP_API int mp_mul (mp_int * a, mp_int * b, mp_int * c); +MP_API int mp_sqr (mp_int * a, mp_int * b); +MP_API int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d); +MP_API int mp_submod (mp_int* a, mp_int* b, mp_int* c, mp_int* d); +MP_API int mp_addmod (mp_int* a, mp_int* b, mp_int* c, mp_int* d); +MP_API int mp_mul_d (mp_int * a, mp_digit b, mp_int * c); +MP_API int mp_2expt (mp_int * a, int b); +MP_API int mp_set_bit (mp_int * a, int b); +MP_API int mp_reduce_2k_setup(mp_int *a, mp_digit *d); +MP_API int mp_add_d (mp_int* a, mp_digit b, mp_int* c); +MP_API int mp_set_int (mp_int * a, unsigned long b); +MP_API int mp_sub_d (mp_int * a, mp_digit b, mp_int * c); /* end support added functions */ /* added */ -int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e, - mp_int* f); -int mp_toradix (mp_int *a, char *str, int radix); -int mp_radix_size (mp_int * a, int radix, int *size); +MP_API int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e, + mp_int* f); +MP_API int mp_toradix (mp_int *a, char *str, int radix); +MP_API int mp_radix_size (mp_int * a, int radix, int *size); #ifdef WOLFSSL_DEBUG_MATH - void mp_dump(const char* desc, mp_int* a, byte verbose); + MP_API void mp_dump(const char* desc, mp_int* a, byte verbose); #else #define mp_dump(desc, a, verbose) #endif #if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) - int mp_sqrmod(mp_int* a, mp_int* b, mp_int* c); + MP_API int mp_sqrmod(mp_int* a, mp_int* b, mp_int* c); #endif #if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) - int mp_read_radix(mp_int* a, const char* str, int radix); + MP_API int mp_read_radix(mp_int* a, const char* str, int radix); #endif #ifdef WOLFSSL_KEY_GEN - int mp_prime_is_prime (mp_int * a, int t, int *result); - int mp_gcd (mp_int * a, mp_int * b, mp_int * c); - int mp_lcm (mp_int * a, mp_int * b, mp_int * c); - int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap); + MP_API int mp_prime_is_prime (mp_int * a, int t, int *result); + MP_API int mp_gcd (mp_int * a, mp_int * b, mp_int * c); + MP_API int mp_lcm (mp_int * a, mp_int * b, mp_int * c); + MP_API int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap); #endif -int mp_cnt_lsb(mp_int *a); -int mp_mod_d(mp_int* a, mp_digit b, mp_digit* c); +MP_API int mp_cnt_lsb(mp_int *a); +MP_API int mp_mod_d(mp_int* a, mp_digit b, mp_digit* c); /* wolf big int and common functions */ diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h old mode 100644 new mode 100755 index c8f9a657a..43df62ff6 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -53,6 +53,8 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); char* file); WOLFSSL_LOCAL int wc_PeekErrorNode(int index, const char **file, const char **reason, int *line); + WOLFSSL_LOCAL void wc_RemoveErrorNode(int index); + WOLFSSL_LOCAL void wc_ClearErrorNodes(void); WOLFSSL_API int wc_SetLoggingHeap(void* h); #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) WOLFSSL_API void wc_ERR_print_errors_fp(FILE* fp); @@ -60,6 +62,14 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); #endif /* defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) */ #ifdef DEBUG_WOLFSSL + #if defined(_WIN32) + #if defined(INTIME_RTOS) + #define __func__ NULL + #else + #define __func__ __FUNCTION__ + #endif + #endif + /* a is prepended to m and b is appended, creating a log msg a + m + b */ #define WOLFSSL_LOG_CAT(a, m, b) #a " " m " " #b @@ -68,13 +78,6 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); #define WOLFSSL_STUB(m) \ WOLFSSL_MSG(WOLFSSL_LOG_CAT(wolfSSL Stub, m, not implemented)) -#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) - void WOLFSSL_ERROR_LINE(int err, const char* func, unsigned int line, - const char* file, void* ctx); - #define WOLFSSL_ERROR(x) WOLFSSL_ERROR_LINE((x), __func__, __LINE__, __FILE__,NULL) -#else - void WOLFSSL_ERROR(int); -#endif void WOLFSSL_MSG(const char* msg); void WOLFSSL_BUFFER(byte* buffer, word32 length); @@ -84,12 +87,23 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); #define WOLFSSL_LEAVE(m, r) #define WOLFSSL_STUB(m) - #define WOLFSSL_ERROR(e) #define WOLFSSL_MSG(m) #define WOLFSSL_BUFFER(b, l) #endif /* DEBUG_WOLFSSL */ +#if (defined(DEBUG_WOLFSSL) || defined(WOLFSSL_NGINX)) + #if (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) + void WOLFSSL_ERROR_LINE(int err, const char* func, unsigned int line, + const char* file, void* ctx); + #define WOLFSSL_ERROR(x) WOLFSSL_ERROR_LINE((x), __func__, __LINE__, __FILE__,NULL) + #else + void WOLFSSL_ERROR(int); + #endif +#else + #define WOLFSSL_ERROR(e) +#endif + #ifdef __cplusplus } #endif diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index e1c93cd75..4cf535103 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -440,7 +440,7 @@ /* Micrium will use Visual Studio for compilation but not the Win32 API */ #if defined(_WIN32) && !defined(MICRIUM) && !defined(FREERTOS) && \ !defined(FREERTOS_TCP) && !defined(EBSNET) && !defined(WOLFSSL_EROAD) && \ - !defined(WOLFSSL_UTASKER) + !defined(WOLFSSL_UTASKER) && !defined(INTIME_RTOS) #define USE_WINDOWS_API #endif @@ -730,12 +730,12 @@ static char *fgets(char *buff, int sz, FILE *fp) /* WOLFSSL_DH_CONST */ #define NO_FILESYSTEM #define WOLFSSL_CRYPT_HW_MUTEX 1 - + #if !defined(XMALLOC_USER) && !defined(NO_WOLFSSL_MEMORY) #define XMALLOC(s, h, type) pvPortMalloc((s)) #define XFREE(p, h, type) vPortFree((p)) #endif - + //#define USER_TICKS /* Allows use of DH with fixed points if uncommented and NO_DH is removed */ /* WOLFSSL_DH_CONST */ @@ -854,7 +854,7 @@ static char *fgets(char *buff, int sz, FILE *fp) #if defined(FSL_FEATURE_LTC_HAS_GCM) && FSL_FEATURE_LTC_HAS_GCM #define FREESCALE_LTC_AES_GCM #endif - + #if defined(FSL_FEATURE_LTC_HAS_SHA) && FSL_FEATURE_LTC_HAS_SHA #define FREESCALE_LTC_SHA #endif @@ -869,12 +869,12 @@ static char *fgets(char *buff, int sz, FILE *fp) #define LTC_MAX_INT_BYTES (256) #endif - /* This FREESCALE_LTC_TFM_RSA_4096_ENABLE macro can be defined. + /* This FREESCALE_LTC_TFM_RSA_4096_ENABLE macro can be defined. * In such a case both software and hardware algorithm * for TFM is linked in. The decision for which algorithm is used is determined at runtime * from size of inputs. If inputs and result can fit into LTC (see LTC_MAX_INT_BYTES) * then we call hardware algorithm, otherwise we call software algorithm. - * + * * Chinese reminder theorem is used to break RSA 4096 exponentiations (both public and private key) * into several computations with 2048-bit modulus and exponents. */ @@ -886,7 +886,7 @@ static char *fgets(char *buff, int sz, FILE *fp) #define ECC_TIMING_RESISTANT /* the LTC PKHA hardware limit is 512 bits (64 bytes) for ECC. - the LTC_MAX_ECC_BITS defines the size of local variables that hold ECC parameters + the LTC_MAX_ECC_BITS defines the size of local variables that hold ECC parameters and point coordinates */ #ifndef LTC_MAX_ECC_BITS #define LTC_MAX_ECC_BITS (384) @@ -1396,6 +1396,12 @@ static char *fgets(char *buff, int sz, FILE *fp) #define NO_OLD_TLS #endif + +/* Default AES minimum auth tag sz, allow user to override */ +#ifndef WOLFSSL_MIN_AUTH_TAG_SZ + #define WOLFSSL_MIN_AUTH_TAG_SZ 12 +#endif + /* If not forcing ARC4 as the DRBG or using custom RNG block gen, enable Hash_DRBG */ #undef HAVE_HASHDRBG #if !defined(WOLFSSL_FORCE_RC4_DRBG) && !defined(CUSTOM_RAND_GENERATE_BLOCK) @@ -1487,6 +1493,15 @@ static char *fgets(char *buff, int sz, FILE *fp) #endif #endif +#if !defined(NO_OLD_TLS) && (defined(NO_SHA) || defined(NO_MD5)) + #error old TLS requires MD5 and SHA +#endif + +/* for backwards compatibility */ +#if defined(TEST_IPV6) && !defined(WOLFSSL_IPV6) + #define WOLFSSL_IPV6 +#endif + /* Place any other flags or defines here */ @@ -1495,6 +1510,27 @@ static char *fgets(char *buff, int sz, FILE *fp) #undef HAVE_GMTIME_R /* don't trust macro with windows */ #endif /* WOLFSSL_MYSQL_COMPATIBLE */ +#ifdef WOLFSSL_NGINX + #define SSL_OP_NO_COMPRESSION SSL_OP_NO_COMPRESSION + #define OPENSSL_NO_ENGINE + #define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT + #ifndef OPENSSL_EXTRA + #define OPENSSL_EXTRA + #endif + #ifndef HAVE_SESSION_TICKET + #define HAVE_SESSION_TICKET + #endif + #ifndef HAVE_OCSP + #define HAVE_OCSP + #endif + #ifndef KEEP_OUR_CERT + #define KEEP_OUR_CERT + #endif + #ifndef HAVE_SNI + #define HAVE_SNI + #endif + #define SSL_CTRL_SET_TLSEXT_HOSTNAME +#endif #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/wolfcrypt/tfm.h b/wolfssl/wolfcrypt/tfm.h index 6fe7c03bb..a614169ff 100644 --- a/wolfssl/wolfcrypt/tfm.h +++ b/wolfssl/wolfcrypt/tfm.h @@ -47,6 +47,12 @@ extern "C" { #endif +#ifdef WOLFSSL_PUBLIC_MP + #define MP_API WOLFSSL_API +#else + #define MP_API +#endif + #ifndef MIN #define MIN(x,y) ((x)<(y)?(x):(y)) #endif @@ -260,6 +266,7 @@ #endif #define FP_MASK (fp_digit)(-1) +#define FP_DIGIT_MAX FP_MASK #define FP_SIZE (FP_MAX_SIZE/DIGIT_BIT) /* signs */ @@ -369,8 +376,8 @@ typedef struct fp_int { /* initialize [or zero] an fp int */ void fp_init(fp_int *a); -void fp_zero(fp_int *a); -void fp_clear(fp_int *a); /* uses ForceZero to clear sensitive memory */ +MP_API void fp_zero(fp_int *a); +MP_API void fp_clear(fp_int *a); /* uses ForceZero to clear sensitive memory */ /* zero/even/odd ? */ #define fp_iszero(a) (((a)->used == 0) ? FP_YES : FP_NO) @@ -382,6 +389,7 @@ void fp_clear(fp_int *a); /* uses ForceZero to clear sensitive memory */ /* set to a small digit */ void fp_set(fp_int *a, fp_digit b); +void fp_set_int(fp_int *a, unsigned long b); /* check if a bit is set */ int fp_is_bit_set(fp_int *a, fp_digit b); @@ -608,89 +616,93 @@ typedef fp_int mp_int; #define MP_YES FP_YES /* yes/no result */ #define MP_ZPOS FP_ZPOS #define MP_NEG FP_NEG +#define MP_MASK FP_MASK /* Prototypes */ #define mp_zero(a) fp_zero(a) #define mp_isone(a) fp_isone(a) #define mp_iseven(a) fp_iseven(a) #define mp_isneg(a) fp_isneg(a) -int mp_init (mp_int * a); -void mp_clear (mp_int * a); +MP_API int mp_init (mp_int * a); +MP_API void mp_clear (mp_int * a); #define mp_forcezero(a) fp_clear(a) -int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e, mp_int* f); +MP_API int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e, + mp_int* f); -int mp_add (mp_int * a, mp_int * b, mp_int * c); -int mp_sub (mp_int * a, mp_int * b, mp_int * c); -int mp_add_d (mp_int * a, mp_digit b, mp_int * c); +MP_API int mp_add (mp_int * a, mp_int * b, mp_int * c); +MP_API int mp_sub (mp_int * a, mp_int * b, mp_int * c); +MP_API int mp_add_d (mp_int * a, mp_digit b, mp_int * c); -int mp_mul (mp_int * a, mp_int * b, mp_int * c); -int mp_mul_d (mp_int * a, mp_digit b, mp_int * c); -int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d); -int mp_submod (mp_int* a, mp_int* b, mp_int* c, mp_int* d); -int mp_addmod (mp_int* a, mp_int* b, mp_int* c, mp_int* d); -int mp_mod(mp_int *a, mp_int *b, mp_int *c); -int mp_invmod(mp_int *a, mp_int *b, mp_int *c); -int mp_exptmod (mp_int * g, mp_int * x, mp_int * p, mp_int * y); -int mp_mul_2d(mp_int *a, int b, mp_int *c); +MP_API int mp_mul (mp_int * a, mp_int * b, mp_int * c); +MP_API int mp_mul_d (mp_int * a, mp_digit b, mp_int * c); +MP_API int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d); +MP_API int mp_submod (mp_int* a, mp_int* b, mp_int* c, mp_int* d); +MP_API int mp_addmod (mp_int* a, mp_int* b, mp_int* c, mp_int* d); +MP_API int mp_mod(mp_int *a, mp_int *b, mp_int *c); +MP_API int mp_invmod(mp_int *a, mp_int *b, mp_int *c); +MP_API int mp_exptmod (mp_int * g, mp_int * x, mp_int * p, mp_int * y); +MP_API int mp_mul_2d(mp_int *a, int b, mp_int *c); +MP_API int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d); -int mp_cmp(mp_int *a, mp_int *b); -int mp_cmp_d(mp_int *a, mp_digit b); +MP_API int mp_cmp(mp_int *a, mp_int *b); +MP_API int mp_cmp_d(mp_int *a, mp_digit b); -int mp_unsigned_bin_size(mp_int * a); -int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c); -int mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b); -int mp_to_unsigned_bin (mp_int * a, unsigned char *b); +MP_API int mp_unsigned_bin_size(mp_int * a); +MP_API int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c); +MP_API int mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b); +MP_API int mp_to_unsigned_bin (mp_int * a, unsigned char *b); -int mp_sub_d(fp_int *a, fp_digit b, fp_int *c); -int mp_copy(fp_int* a, fp_int* b); -int mp_isodd(mp_int* a); -int mp_iszero(mp_int* a); -int mp_count_bits(mp_int *a); -int mp_leading_bit(mp_int *a); -int mp_set_int(mp_int *a, mp_digit b); -int mp_is_bit_set (mp_int * a, mp_digit b); -int mp_set_bit (mp_int * a, mp_digit b); -void mp_rshb(mp_int *a, int x); -int mp_toradix (mp_int *a, char *str, int radix); -int mp_radix_size (mp_int * a, int radix, int *size); +MP_API int mp_sub_d(fp_int *a, fp_digit b, fp_int *c); +MP_API int mp_copy(fp_int* a, fp_int* b); +MP_API int mp_isodd(mp_int* a); +MP_API int mp_iszero(mp_int* a); +MP_API int mp_count_bits(mp_int *a); +MP_API int mp_leading_bit(mp_int *a); +MP_API int mp_set_int(mp_int *a, unsigned long b); +MP_API int mp_is_bit_set (mp_int * a, mp_digit b); +MP_API int mp_set_bit (mp_int * a, mp_digit b); +MP_API void mp_rshb(mp_int *a, int x); +MP_API void mp_rshd(mp_int *a, int x); +MP_API int mp_toradix (mp_int *a, char *str, int radix); +MP_API int mp_radix_size (mp_int * a, int radix, int *size); #ifdef WOLFSSL_DEBUG_MATH - void mp_dump(const char* desc, mp_int* a, byte verbose); + MP_API void mp_dump(const char* desc, mp_int* a, byte verbose); #else #define mp_dump(desc, a, verbose) #endif #ifdef HAVE_ECC - int mp_read_radix(mp_int* a, const char* str, int radix); - int mp_sqr(fp_int *a, fp_int *b); - int mp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp); - int mp_montgomery_setup(fp_int *a, fp_digit *rho); - int mp_div_2(fp_int * a, fp_int * b); - int mp_init_copy(fp_int * a, fp_int * b); + MP_API int mp_read_radix(mp_int* a, const char* str, int radix); + MP_API int mp_sqr(fp_int *a, fp_int *b); + MP_API int mp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp); + MP_API int mp_montgomery_setup(fp_int *a, fp_digit *rho); + MP_API int mp_div_2(fp_int * a, fp_int * b); + MP_API int mp_init_copy(fp_int * a, fp_int * b); #endif #if defined(HAVE_ECC) || !defined(NO_RSA) || !defined(NO_DSA) - int mp_set(fp_int *a, fp_digit b); + MP_API int mp_set(fp_int *a, fp_digit b); #endif #if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) - int mp_sqrmod(mp_int* a, mp_int* b, mp_int* c); - int mp_montgomery_calc_normalization(mp_int *a, mp_int *b); + MP_API int mp_sqrmod(mp_int* a, mp_int* b, mp_int* c); + MP_API int mp_montgomery_calc_normalization(mp_int *a, mp_int *b); #endif #ifdef WOLFSSL_KEY_GEN -int mp_gcd(fp_int *a, fp_int *b, fp_int *c); -int mp_lcm(fp_int *a, fp_int *b, fp_int *c); -int mp_prime_is_prime(mp_int* a, int t, int* result); -int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap); -int mp_exch(mp_int *a, mp_int *b); +MP_API int mp_gcd(fp_int *a, fp_int *b, fp_int *c); +MP_API int mp_lcm(fp_int *a, fp_int *b, fp_int *c); +MP_API int mp_prime_is_prime(mp_int* a, int t, int* result); +MP_API int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap); +MP_API int mp_exch(mp_int *a, mp_int *b); #endif /* WOLFSSL_KEY_GEN */ -int mp_cnt_lsb(fp_int *a); -int mp_div_2d(fp_int *a, int b, fp_int *c, fp_int *d); -int mp_mod_d(fp_int* a, fp_digit b, fp_digit* c); -int mp_lshd (mp_int * a, int b); +MP_API int mp_cnt_lsb(fp_int *a); +MP_API int mp_div_2d(fp_int *a, int b, fp_int *c, fp_int *d); +MP_API int mp_mod_d(fp_int* a, fp_digit b, fp_digit* c); +MP_API int mp_lshd (mp_int * a, int b); WOLFSSL_API word32 CheckRunTimeFastMath(void); diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 00b184668..5e405dd21 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -133,7 +133,8 @@ /* set up rotate style */ - #if (defined(_MSC_VER) || defined(__BCPLUSPLUS__)) && !defined(WOLFSSL_SGX) + #if (defined(_MSC_VER) || defined(__BCPLUSPLUS__)) && \ + !defined(WOLFSSL_SGX) && !defined(INTIME_RTOS) #define INTEL_INTRINSICS #define FAST_ROTATE #elif defined(__MWERKS__) && TARGET_CPU_PPC @@ -163,7 +164,8 @@ /* Micrium will use Visual Studio for compilation but not the Win32 API */ #if defined(_WIN32) && !defined(MICRIUM) && !defined(FREERTOS) && \ - !defined(FREERTOS_TCP) && !defined(EBSNET) && !defined(WOLFSSL_UTASKER) + !defined(FREERTOS_TCP) && !defined(EBSNET) && \ + !defined(WOLFSSL_UTASKER) && !defined(INTIME_RTOS) #define USE_WINDOWS_API #endif @@ -242,7 +244,7 @@ #define XSTRNCASECMP(s1,s2,n) _strnicmp((s1),(s2),(n)) #endif - #if defined(WOLFSSL_MYSQL_COMPATIBLE) + #if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) #ifndef USE_WINDOWS_API #define XSNPRINTF snprintf #else @@ -252,7 +254,7 @@ #if defined(WOLFSSL_CERT_EXT) || defined(HAVE_ALPN) /* use only Thread Safe version of strtok */ - #ifndef USE_WINDOWS_API + #if !defined(USE_WINDOWS_API) && !defined(INTIME_RTOS) #define XSTRTOK strtok_r #else #define XSTRTOK strtok_s diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 8d673c6c0..574700b69 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -38,14 +38,14 @@ #ifndef WIN32_LEAN_AND_MEAN #define WIN32_LEAN_AND_MEAN #endif - #ifndef WOLFSSL_SGX - #if defined(_WIN32_WCE) || defined(WIN32_LEAN_AND_MEAN) - /* On WinCE winsock2.h must be included before windows.h */ - #include - #endif - #include + #ifndef WOLFSSL_SGX + #if defined(_WIN32_WCE) || defined(WIN32_LEAN_AND_MEAN) + /* On WinCE winsock2.h must be included before windows.h */ + #include + #endif + #include + #endif /* WOLFSSL_SGX */ #endif - #endif /* WOLFSSL_SGX */ #elif defined(THREADX) #ifndef SINGLE_THREADED #include "tx_api.h" @@ -61,12 +61,13 @@ #elif defined(FREESCALE_FREE_RTOS) #include "fsl_os_abstraction.h" #elif defined(WOLFSSL_uITRON4) + #include "stddef.h" #include "kernel.h" #elif defined(WOLFSSL_uTKERNEL2) #include "tk/tkernel.h" #elif defined(WOLFSSL_MDK_ARM) #if defined(WOLFSSL_MDK5) - #include "cmsis_os.h" + #include "cmsis_os.h" #else #include #endif @@ -77,6 +78,9 @@ #include #elif defined(WOLFSSL_FROSTED) #include +#elif defined(INTIME_RTOS) + #include + #include #else #ifndef SINGLE_THREADED #define WOLFSSL_PTHREADS @@ -146,6 +150,8 @@ typedef ti_sysbios_knl_Semaphore_Handle wolfSSL_Mutex; #elif defined(WOLFSSL_FROSTED) typedef mutex_t * wolfSSL_Mutex; + #elif defined(INTIME_RTOS) + typedef RTHANDLE wolfSSL_Mutex; #else #error Need a mutex type in multithreaded mode #endif /* USE_WINDOWS_API */ @@ -192,6 +198,9 @@ WOLFSSL_API int wolfCrypt_Cleanup(void); #ifndef NO_FILESYSTEM #if defined(EBSNET) + #include "vfapi.h" + #include "vfile.h" + #define XFILE int #define XFOPEN(NAME, MODE) vf_open((const char *)NAME, VO_RDONLY, 0); #define XFSEEK vf_lseek @@ -202,6 +211,7 @@ WOLFSSL_API int wolfCrypt_Cleanup(void); #define XFCLOSE vf_close #define XSEEK_END VSEEK_END #define XBADFILE -1 + #define XFGETS(b,s,f) -2 /* Not ported yet */ #elif defined(LSR_FS) #include #define XFILE struct fs_file* @@ -214,6 +224,7 @@ WOLFSSL_API int wolfCrypt_Cleanup(void); #define XFCLOSE fs_close #define XSEEK_END 0 #define XBADFILE NULL + #define XFGETS(b,s,f) -2 /* Not ported yet */ #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) #define XFILE MQX_FILE_PTR #define XFOPEN fopen @@ -225,6 +236,7 @@ WOLFSSL_API int wolfCrypt_Cleanup(void); #define XFCLOSE fclose #define XSEEK_END IO_SEEK_END #define XBADFILE NULL + #define XFGETS fgets #elif defined(MICRIUM) #include #define XFILE FS_FILE* @@ -237,6 +249,7 @@ WOLFSSL_API int wolfCrypt_Cleanup(void); #define XFCLOSE fs_fclose #define XSEEK_END FS_SEEK_END #define XBADFILE NULL + #define XFGETS(b,s,f) -2 /* Not ported yet */ #else /* stdio, default case */ #include @@ -255,9 +268,41 @@ WOLFSSL_API int wolfCrypt_Cleanup(void); #define XFCLOSE fclose #define XSEEK_END SEEK_END #define XBADFILE NULL + #define XFGETS fgets + + #if !defined(USE_WINDOWS_API) && !defined(NO_WOLFSSL_DIR) + #include + #include + #include + #endif #endif -#endif /* NO_FILESYSTEM */ + #ifndef MAX_FILENAME_SZ + #define MAX_FILENAME_SZ 256 /* max file name length */ + #endif + #ifndef MAX_PATH + #define MAX_PATH 256 + #endif + +#if !defined(NO_WOLFSSL_DIR) + typedef struct ReadDirCtx { + #ifdef USE_WINDOWS_API + WIN32_FIND_DATAA FindFileData; + HANDLE hFind; + #else + struct dirent* entry; + DIR* dir; + struct stat s; + #endif + char name[MAX_FILENAME_SZ]; + } ReadDirCtx; + + WOLFSSL_API int wc_ReadDirFirst(ReadDirCtx* ctx, const char* path, char** name); + WOLFSSL_API int wc_ReadDirNext(ReadDirCtx* ctx, const char* path, char** name); + WOLFSSL_API void wc_ReadDirClose(ReadDirCtx* ctx); +#endif /* !NO_WOLFSSL_DIR */ + +#endif /* !NO_FILESYSTEM */ /* Windows API defines its own min() macro. */ diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs index c87288f87..5d05a6441 100644 --- a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs +++ b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs @@ -193,6 +193,8 @@ namespace wolfSSL.CSharp { [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] private extern static int wolfSSL_CTX_use_certificate_file(IntPtr ctx, string file, int type); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + private extern static int wolfSSL_CTX_load_verify_locations(IntPtr ctx, string file, string path); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] private extern static int wolfSSL_CTX_use_PrivateKey_file(IntPtr ctx, string file, int type); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] private extern static void wolfSSL_CTX_free(IntPtr ctx); @@ -1565,6 +1567,33 @@ namespace wolfSSL.CSharp { } + /// + /// Used to load in the peer trusted root file + /// + /// CTX structure for TLS/SSL connections + /// Name of the file to load including absolute path + /// path to multiple certificates (try to load all in path) + /// 1 on success + public static int CTX_load_verify_locations(IntPtr ctx, string fileCert, string path) + { + try + { + IntPtr local_ctx = unwrap(ctx); + if (local_ctx == IntPtr.Zero) + { + log(ERROR_LOG, "CTX load verify locations certificate file error"); + return FAILURE; + } + + return wolfSSL_CTX_load_verify_locations(local_ctx, fileCert, path); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl ctx load verify locations file error " + e.ToString()); + return FAILURE; + } + } + /// /// Used to load in the private key from a file /// From 88679a6a0c8dd0a5e50d46ba00cce583ed51b7cf Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 21 Mar 2017 15:33:40 -0600 Subject: [PATCH 17/33] Merge wolfSSL master. --- src/internal.c | 279 +++++++----------------------------------- src/ssl.c | 77 ++---------- wolfcrypt/test/test.c | 17 +-- 3 files changed, 62 insertions(+), 311 deletions(-) diff --git a/src/internal.c b/src/internal.c index 1f6f302ba..6e0275f73 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3576,10 +3576,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) #ifndef NO_OLD_TLS #ifndef NO_MD5 - ret = wc_InitMd5(&ssl->hsHashes->hashMd5); - if (ret != 0) { - return ret; - } + wc_InitMd5(&ssl->hsHashes->hashMd5); #endif #ifndef NO_SHA ret = wc_InitSha(&ssl->hsHashes->hashSha); @@ -4800,10 +4797,7 @@ static int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz) wc_ShaUpdate(&ssl->hsHashes->hashSha, output, sz); #endif #ifndef NO_MD5 - ret = wc_Md5Update(&ssl->hsHashes->hashMd5, output, sz); - if (ret != 0) { - return ret; - } + wc_Md5Update(&ssl->hsHashes->hashMd5, output, sz); #endif #endif /* NO_OLD_TLS */ @@ -4851,16 +4845,10 @@ static int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz) #endif #ifndef NO_OLD_TLS #ifndef NO_SHA - ret = wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); - if (ret != 0) { - return ret; - } + wc_ShaUpdate(&ssl->hsHashes->hashSha, adj, sz); #endif #ifndef NO_MD5 - ret = wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); - if (ret != 0) { - return ret; - } + wc_Md5Update(&ssl->hsHashes->hashMd5, adj, sz); #endif #endif @@ -5530,7 +5518,7 @@ static const byte PAD2[PAD_MD5] = static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) { - int ret; + byte md5_result[MD5_DIGEST_SIZE]; #ifdef WOLFSSL_SMALL_STACK @@ -5554,75 +5542,18 @@ static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) /* make md5 inner */ md5[0] = ssl->hsHashes->hashMd5 ; /* Save current position */ - ret = wc_Md5Update(&ssl->hsHashes->hashMd5, sender, SIZEOF_SENDER); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret, - SECRET_LEN); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } + wc_Md5Update(&ssl->hsHashes->hashMd5, sender, SIZEOF_SENDER); + wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret,SECRET_LEN); + wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5); wc_Md5GetHash(&ssl->hsHashes->hashMd5, md5_result); wc_Md5RestorePos(&ssl->hsHashes->hashMd5, md5) ; /* Restore current position */ /* make md5 outer */ - ret = wc_InitMd5(md5_2) ; - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Update(md5_2, ssl->arrays->masterSecret,SECRET_LEN); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Update(md5_2, PAD2, PAD_MD5); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Final(md5_2, hashes->md5); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } + wc_InitMd5(md5_2) ; + wc_Md5Update(md5_2, ssl->arrays->masterSecret,SECRET_LEN); + wc_Md5Update(md5_2, PAD2, PAD_MD5); + wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE); + wc_Md5Final(md5_2, hashes->md5); #ifdef WOLFSSL_SMALL_STACK XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -10217,9 +10148,10 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, byte result[MAX_DIGEST_SIZE]; word32 digestSz = ssl->specs.hash_size; /* actual sizes */ word32 padSz = ssl->specs.pad_size; + int ret = 0; + Md5 md5; Sha sha; - int ret; /* data */ byte seq[SEQ_SZ]; @@ -10237,109 +10169,45 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, WriteSEQ(ssl, verify, seq); if (ssl->specs.mac_algorithm == md5_mac) { - ret = wc_InitMd5(&md5); - if (ret != 0) { - return ret; - } + wc_InitMd5(&md5); /* inner */ - ret = wc_Md5Update(&md5, macSecret, digestSz); - if (ret != 0) { - return ret; - } - ret = wc_Md5Update(&md5, PAD1, padSz); - if (ret != 0) { - return ret; - } - ret = wc_Md5Update(&md5, seq, SEQ_SZ); - if (ret != 0) { - return ret; - } - ret = wc_Md5Update(&md5, conLen, sizeof(conLen)); - if (ret != 0) { - return ret; - } + wc_Md5Update(&md5, macSecret, digestSz); + wc_Md5Update(&md5, PAD1, padSz); + wc_Md5Update(&md5, seq, SEQ_SZ); + wc_Md5Update(&md5, conLen, sizeof(conLen)); /* in buffer */ - ret = wc_Md5Update(&md5, in, sz); - if (ret != 0) { - return ret; - } - ret = wc_Md5Final(&md5, result); - if (ret != 0) { - return ret; - } + wc_Md5Update(&md5, in, sz); + wc_Md5Final(&md5, result); /* outer */ - ret = wc_Md5Update(&md5, macSecret, digestSz); - if (ret != 0) { - return ret; - } - ret = wc_Md5Update(&md5, PAD2, padSz); - if (ret != 0) { - return ret; - } - ret = wc_Md5Update(&md5, result, digestSz); - if (ret != 0) { - return ret; - } - ret = wc_Md5Final(&md5, digest); - if (ret != 0) { - return ret; - } + wc_Md5Update(&md5, macSecret, digestSz); + wc_Md5Update(&md5, PAD2, padSz); + wc_Md5Update(&md5, result, digestSz); + wc_Md5Final(&md5, digest); } else { ret = wc_InitSha(&sha); if (ret != 0) return ret; /* inner */ - ret = wc_ShaUpdate(&sha, macSecret, digestSz); - if (ret != 0) { - return ret; - } - ret = wc_ShaUpdate(&sha, PAD1, padSz); - if (ret != 0) { - return ret; - } - ret = wc_ShaUpdate(&sha, seq, SEQ_SZ); - if (ret != 0) { - return ret; - } - ret = wc_ShaUpdate(&sha, conLen, sizeof(conLen)); - if (ret != 0) { - return ret; - } + wc_ShaUpdate(&sha, macSecret, digestSz); + wc_ShaUpdate(&sha, PAD1, padSz); + wc_ShaUpdate(&sha, seq, SEQ_SZ); + wc_ShaUpdate(&sha, conLen, sizeof(conLen)); /* in buffer */ - ret = wc_ShaUpdate(&sha, in, sz); - if (ret != 0) { - return ret; - } - ret = wc_ShaFinal(&sha, result); - if (ret != 0) { - return ret; - } + wc_ShaUpdate(&sha, in, sz); + wc_ShaFinal(&sha, result); /* outer */ - ret = wc_ShaUpdate(&sha, macSecret, digestSz); - if (ret != 0) { - return ret; - } - ret = wc_ShaUpdate(&sha, PAD2, padSz); - if (ret != 0) { - return ret; - } - ret = wc_ShaUpdate(&sha, result, digestSz); - if (ret != 0) { - return ret; - } - ret = wc_ShaFinal(&sha, digest); - if (ret != 0) { - return ret; - } + wc_ShaUpdate(&sha, macSecret, digestSz); + wc_ShaUpdate(&sha, PAD2, padSz); + wc_ShaUpdate(&sha, result, digestSz); + wc_ShaFinal(&sha, digest); } - return ret; + return 0; } #ifndef NO_CERTS -static int BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest) +static void BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest) { - int ret; byte md5_result[MD5_DIGEST_SIZE]; #ifdef WOLFSSL_SMALL_STACK @@ -10352,75 +10220,23 @@ static int BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest) /* make md5 inner */ md5[0] = ssl->hsHashes->hashMd5 ; /* Save current position */ - ret = wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret, - SECRET_LEN); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } + wc_Md5Update(&ssl->hsHashes->hashMd5, ssl->arrays->masterSecret,SECRET_LEN); + wc_Md5Update(&ssl->hsHashes->hashMd5, PAD1, PAD_MD5); wc_Md5GetHash(&ssl->hsHashes->hashMd5, md5_result); wc_Md5RestorePos(&ssl->hsHashes->hashMd5, md5) ; /* Restore current position */ /* make md5 outer */ - ret = wc_InitMd5(md5_2) ; - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Update(md5_2, ssl->arrays->masterSecret, SECRET_LEN); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Update(md5_2, PAD2, PAD_MD5); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } + wc_InitMd5(md5_2) ; + wc_Md5Update(md5_2, ssl->arrays->masterSecret, SECRET_LEN); + wc_Md5Update(md5_2, PAD2, PAD_MD5); + wc_Md5Update(md5_2, md5_result, MD5_DIGEST_SIZE); - ret = wc_Md5Final(md5_2, digest); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } + wc_Md5Final(md5_2, digest); #ifdef WOLFSSL_SMALL_STACK XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(md5_2, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - - return ret; } @@ -10497,10 +10313,7 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) } #if ! defined( NO_OLD_TLS ) else { - ret = BuildMD5_CertVerify(ssl, hashes->md5); - if (ret != 0) { - return ret; - } + BuildMD5_CertVerify(ssl, hashes->md5); BuildSHA_CertVerify(ssl, hashes->sha); } #endif diff --git a/src/ssl.c b/src/ssl.c index d30a98bd0..2d5fb50a5 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1669,10 +1669,7 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl) #ifndef NO_OLD_TLS #ifndef NO_MD5 - ret = wc_InitMd5(&ssl->hsHashes->hashMd5); - if (ret != 0) { - return ret; - } + wc_InitMd5(&ssl->hsHashes->hashMd5); #endif #ifndef NO_SHA ret = wc_InitSha(&ssl->hsHashes->hashSha); @@ -7768,9 +7765,6 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, int wolfSSL_connect(WOLFSSL* ssl) { int neededState; - #if !defined(NO_OLD_TLS) && defined(WOLFSSL_DTLS) - int ret; - #endif WOLFSSL_ENTER("SSL_connect()"); @@ -7862,17 +7856,14 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifdef WOLFSSL_DTLS if (IsDtlsNotSctpMode(ssl)) { /* re-init hashes, exclude first hello and verify request */ - #ifndef NO_OLD_TLS - ret = wc_InitMd5(&ssl->hsHashes->hashMd5); - if (ret) { - return ret; - } +#ifndef NO_OLD_TLS + wc_InitMd5(&ssl->hsHashes->hashMd5); if ( (ssl->error = wc_InitSha(&ssl->hsHashes->hashSha)) != 0) { WOLFSSL_ERROR(ssl->error); return SSL_FATAL_ERROR; } - #endif +#endif if (IsAtLeastTLSv1_2(ssl)) { #ifndef NO_SHA256 if ( (ssl->error = wc_InitSha256( @@ -10704,7 +10695,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl) int keyLeft; int ivLeft; int keyOutput = 0; - int ret; byte digest[MD5_DIGEST_SIZE]; #ifdef WOLFSSL_SMALL_STACK Md5* md5 = NULL; @@ -10721,10 +10711,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (void)type; WOLFSSL_ENTER("wolfSSL_EVP_BytesToKey"); - ret = wc_InitMd5(md5); - if (ret != 0) { - return ret; - } + wc_InitMd5(md5); /* only support MD5 for now */ if (XSTRNCMP(md, "MD5", 3) != 0) return 0; @@ -10769,56 +10756,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl) while (keyOutput < (keyLen + ivLen)) { int digestLeft = MD5_DIGEST_SIZE; /* D_(i - 1) */ - if (keyOutput) { /* first time D_0 is empty */ - ret = wc_Md5Update(md5, digest, MD5_DIGEST_SIZE); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - } + if (keyOutput) /* first time D_0 is empty */ + wc_Md5Update(md5, digest, MD5_DIGEST_SIZE); /* data */ - ret = wc_Md5Update(md5, data, sz); - if (ret !=0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } + wc_Md5Update(md5, data, sz); /* salt */ - if (salt) { - ret = wc_Md5Update(md5, salt, EVP_SALT_SIZE); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - } - ret = wc_Md5Final(md5, digest); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } + if (salt) + wc_Md5Update(md5, salt, EVP_SALT_SIZE); + wc_Md5Final(md5, digest); /* count */ for (j = 1; j < count; j++) { - ret = wc_Md5Update(md5, digest, MD5_DIGEST_SIZE); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - ret = wc_Md5Final(md5, digest); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } + wc_Md5Update(md5, digest, MD5_DIGEST_SIZE); + wc_Md5Final(md5, digest); } if (keyLeft) { diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 339eb531e..326d89971 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -1132,7 +1132,6 @@ int md5_test(void) testVector a, b, c, d, e; testVector test_md5[5]; int times = sizeof(test_md5) / sizeof(testVector), i; - int ret; a.input = "abc"; a.output = "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f" @@ -1172,21 +1171,11 @@ int md5_test(void) test_md5[3] = d; test_md5[4] = e; - ret = wc_InitMd5(&md5); - if (ret != 0) { - return ret; - } + wc_InitMd5(&md5); for (i = 0; i < times; ++i) { - ret = wc_Md5Update(&md5, (byte*)test_md5[i].input, - (word32)test_md5[i].inLen); - if (ret != 0) { - return ret; - } - ret = wc_Md5Final(&md5, hash); - if (ret != 0){ - return ret; - } + wc_Md5Update(&md5, (byte*)test_md5[i].input, (word32)test_md5[i].inLen); + wc_Md5Final(&md5, hash); if (XMEMCMP(hash, test_md5[i].output, MD5_DIGEST_SIZE) != 0) return -5 - i; From 706c02deed07e5dce31a4b83d0166fb41e75123e Mon Sep 17 00:00:00 2001 From: jrblixt Date: Thu, 6 Apr 2017 10:53:14 -0600 Subject: [PATCH 18/33] Changes Chris requested. --- tests/api.c | 60 ++++++++++++++--------------------------------------- 1 file changed, 15 insertions(+), 45 deletions(-) diff --git a/tests/api.c b/tests/api.c index ade2416bb..1297d659a 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2296,10 +2296,8 @@ static int test_wc_InitMd5 (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_InitMd5 */ /* @@ -2331,10 +2329,8 @@ static int test_wc_InitSha(void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_InitSha */ @@ -2367,10 +2363,8 @@ static int test_wc_InitSha256 (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_InitSha256 */ @@ -2403,10 +2397,8 @@ static int test_wc_InitSha512 (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_InitSha512 */ @@ -2439,10 +2431,8 @@ static int test_wc_InitSha384 (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_InitSha384 */ @@ -2544,10 +2534,8 @@ static int test_wc_Md5Update (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_Md5Update() */ /* @@ -2649,10 +2637,8 @@ static int test_wc_ShaUpdate (void) /* If not returned then the unit test passed test vectors. */ printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_ShaUpdate() */ @@ -2756,10 +2742,8 @@ static int test_wc_Sha256Update (void) /* If not returned then the unit test passed. */ printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_Sha256Update */ @@ -2864,10 +2848,8 @@ static int test_wc_Sha384Update (void) /* If not returned then the unit test passed test vectors. */ printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_Sha384Update */ /* @@ -2972,10 +2954,8 @@ static int test_wc_Sha512Update (void) /* If not returned then the unit test passed test vectors. */ printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_Sha512Update */ @@ -3046,10 +3026,8 @@ static int test_wc_Md5Final (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* @@ -3117,10 +3095,8 @@ static int test_wc_ShaFinal (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_ShaFinal */ /* @@ -3188,10 +3164,8 @@ static int test_wc_Sha256Final (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_Sha256Final */ @@ -3258,10 +3232,8 @@ static int test_wc_Sha512Final (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_Sha512Final */ /* @@ -3329,10 +3301,8 @@ static int test_wc_Sha384Final (void) printf(resultFmt, flag == 0 ? passed : failed); - return 0; -#else - return 0; #endif + return 0; } /* END test_wc_Sha384Final */ From d62d0aaa26da48c0c4364b5c793fd1f0e52fd351 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Thu, 6 Apr 2017 14:42:42 -0600 Subject: [PATCH 19/33] Changes made per Todd's instruction. --- src/keys.c | 93 +++------------ src/sniffer.c | 306 +++++++++++++++++++++++++------------------------- 2 files changed, 166 insertions(+), 233 deletions(-) diff --git a/src/keys.c b/src/keys.c index 949d9fcc4..1e5203944 100644 --- a/src/keys.c +++ b/src/keys.c @@ -1053,7 +1053,7 @@ int SetCipherSpecs(WOLFSSL* ssl) return UNSUPPORTED_SUITE; } /* switch */ } /* if */ - if (ssl->options.cipherSuite0 != ECC_BYTE && + if (ssl->options.cipherSuite0 != ECC_BYTE && ssl->options.cipherSuite0 != CHACHA_BYTE) { /* normal suites */ switch (ssl->options.cipherSuite) { @@ -1653,7 +1653,7 @@ int SetCipherSpecs(WOLFSSL* ssl) break; #endif - + #ifdef BUILD_TLS_RSA_WITH_HC_128_SHA case TLS_RSA_WITH_HC_128_SHA : ssl->specs.bulk_cipher_algorithm = wolfssl_hc128; @@ -1667,7 +1667,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.key_size = HC_128_KEY_SIZE; ssl->specs.block_size = 0; ssl->specs.iv_size = HC_128_IV_SIZE; - + break; #endif @@ -1684,7 +1684,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.key_size = HC_128_KEY_SIZE; ssl->specs.block_size = 0; ssl->specs.iv_size = HC_128_IV_SIZE; - + break; #endif @@ -1701,7 +1701,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.iv_size = AES_IV_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - + break; #endif @@ -1718,7 +1718,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.iv_size = AES_IV_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; - + break; #endif @@ -1827,7 +1827,7 @@ int SetCipherSpecs(WOLFSSL* ssl) break; #endif - + #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : ssl->specs.bulk_cipher_algorithm = wolfssl_camellia; @@ -1978,7 +1978,7 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->specs.key_size = IDEA_KEY_SIZE; ssl->specs.block_size = IDEA_BLOCK_SIZE; ssl->specs.iv_size = IDEA_IV_SIZE; - + break; #endif @@ -2049,7 +2049,7 @@ static int SetPrefix(byte* sha_input, int idx) break; default: WOLFSSL_MSG("Set Prefix error, bad input"); - return 0; + return 0; } return 1; } @@ -2105,7 +2105,7 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, } #endif - + #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) /* Check that the max implicit iv size is suffecient */ #if (AEAD_MAX_IMP_SZ < 12) /* CHACHA20_IMP_IV_SZ */ @@ -2215,7 +2215,7 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, dec->setup = 1; } #endif - + #ifdef BUILD_RABBIT /* check that buffer sizes are sufficient */ #if (MAX_WRITE_IV_SZ < 8) /* RABBIT_IV_SIZE */ @@ -2264,7 +2264,7 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, dec->setup = 1; } #endif - + #ifdef BUILD_DES3 /* check that buffer sizes are sufficient */ #if (MAX_WRITE_IV_SZ < 8) /* DES_IV_SIZE */ @@ -2892,7 +2892,7 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData) #ifndef NO_OLD_TLS int DeriveKeys(WOLFSSL* ssl) { - int length = 2 * ssl->specs.hash_size + + int length = 2 * ssl->specs.hash_size + 2 * ssl->specs.key_size + 2 * ssl->specs.iv_size; int rounds = (length + MD5_DIGEST_SIZE - 1 ) / MD5_DIGEST_SIZE, i; @@ -2915,7 +2915,7 @@ int DeriveKeys(WOLFSSL* ssl) #endif #ifdef WOLFSSL_SMALL_STACK - shaOutput = (byte*)XMALLOC(SHA_DIGEST_SIZE, + shaOutput = (byte*)XMALLOC(SHA_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); md5Input = (byte*)XMALLOC(SECRET_LEN + SHA_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -2940,17 +2940,6 @@ int DeriveKeys(WOLFSSL* ssl) #endif ret = wc_InitMd5(md5); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyData, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } ret = wc_InitSha(sha); @@ -2977,30 +2966,9 @@ int DeriveKeys(WOLFSSL* ssl) wc_ShaFinal(sha, shaOutput); XMEMCPY(md5Input + SECRET_LEN, shaOutput, SHA_DIGEST_SIZE); + ret = wc_Md5Update(md5, md5Input, SECRET_LEN + SHA_DIGEST_SIZE); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyData, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } ret = wc_Md5Final(md5, keyData + i * MD5_DIGEST_SIZE); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyData, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } } if (ret == 0) @@ -3092,16 +3060,6 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) #endif ret = wc_InitMd5(md5); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } ret = wc_InitSha(sha); @@ -3131,28 +3089,9 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) idx = pmsSz; /* preSz */ XMEMCPY(md5Input + idx, shaOutput, SHA_DIGEST_SIZE); idx += SHA_DIGEST_SIZE; + ret = wc_Md5Update(md5, md5Input, idx); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } ret = wc_Md5Final(md5, &ssl->arrays->masterSecret[i * MD5_DIGEST_SIZE]); - if (ret != 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } } #ifdef SHOW_SECRETS diff --git a/src/sniffer.c b/src/sniffer.c index f558a41b7..f50ecc4e6 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -193,21 +193,21 @@ static const char* const msgTable[] = "Got an Alert msg", "Another msg to Process", "Removing Session From Table", - + /* 46 */ "Bad Key File", "Wrong IP Version", "Wrong Protocol type", "Packet Short for header processing", "Got Unknown Record Type", - + /* 51 */ "Can't Open Trace File", "Session in Fatal Error State", "Partial SSL record received", "Buffer Error, malformed input", "Added to Partial Input", - + /* 56 */ "Received a Duplicate Packet", "Received an Out of Order Packet", @@ -478,7 +478,7 @@ static void FreePacketList(PacketBuffer* in) if (in) { PacketBuffer* del; PacketBuffer* packet = in; - + while (packet) { del = packet; packet = packet->next; @@ -494,7 +494,7 @@ static void FreeSnifferSession(SnifferSession* session) if (session) { SSL_free(session->sslClient); SSL_free(session->sslServer); - + FreePacketList(session->cliReassemblyList); FreePacketList(session->srvReassemblyList); @@ -518,7 +518,7 @@ void ssl_FreeSniffer(void) wc_LockMutex(&ServerListMutex); wc_LockMutex(&SessionMutex); - + srv = ServerList; while (srv) { removeServer = srv; @@ -568,9 +568,6 @@ static int HashInit(HsHashes* hash) #ifndef NO_MD5 if (ret == 0) { ret = wc_InitMd5(&hash->hashMd5); - if (ret != 0) { - return ret; - } } #endif #endif @@ -602,9 +599,6 @@ static int HashUpdate(HsHashes* hash, const byte* input, int sz) #ifndef NO_MD5 if (ret == 0) { ret = wc_Md5Update(&hash->hashMd5, input, sz); - if (ret !=0) { - return ret; - } } #endif #endif @@ -712,7 +706,7 @@ static void InitSession(SnifferSession* session) session->srvReassemblyMemory = 0; session->next = 0; session->ticketID = 0; - + InitFlags(&session->flags); InitFinCapture(&session->finCaputre); #ifdef HAVE_EXTENDED_MASTER @@ -766,9 +760,9 @@ static int SetPassword(char* passwd, int sz, int rw, void* userdata) /* Ethernet Header */ typedef struct EthernetHdr { - byte dst[ETHER_IF_ADDR_LEN]; /* destination host address */ - byte src[ETHER_IF_ADDR_LEN]; /* source host address */ - word16 type; /* IP, ARP, etc */ + byte dst[ETHER_IF_ADDR_LEN]; /* destination host address */ + byte src[ETHER_IF_ADDR_LEN]; /* source host address */ + word16 type; /* IP, ARP, etc */ } EthernetHdr; @@ -794,8 +788,8 @@ typedef struct IpHdr { typedef struct TcpHdr { word16 srcPort; /* source port */ word16 dstPort; /* destination port */ - word32 sequence; /* sequence number */ - word32 ack; /* acknoledgment number */ + word32 sequence; /* sequence number */ + word32 ack; /* acknoledgment number */ byte offset; /* data offset, reserved */ byte flags; /* option flags */ word16 window; /* window */ @@ -813,8 +807,8 @@ typedef struct TcpHdr { -/* Use platform specific GetError to write to tracfile if tracing */ -static void Trace(int idx) +/* Use platform specific GetError to write to tracfile if tracing */ +static void Trace(int idx) { if (TraceOn) { char myBuffer[MAX_ERROR_LEN]; @@ -879,9 +873,9 @@ static void TracePacket(void) static char* IpToS(word32 addr, char* str) { byte* p = (byte*)&addr; - + SNPRINTF(str, TRACE_MSG_SZ, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); - + return str; } @@ -1039,7 +1033,7 @@ static int IsServerRegistered(word32 addr) SnifferServer* sniffer; wc_LockMutex(&ServerListMutex); - + sniffer = ServerList; while (sniffer) { if (sniffer->server == addr) { @@ -1048,7 +1042,7 @@ static int IsServerRegistered(word32 addr) } sniffer = sniffer->next; } - + wc_UnLockMutex(&ServerListMutex); return ret; @@ -1061,18 +1055,18 @@ static int IsPortRegistered(word32 port) { int ret = 0; /* false */ SnifferServer* sniffer; - + wc_LockMutex(&ServerListMutex); - + sniffer = ServerList; while (sniffer) { if (sniffer->port == (int)port) { - ret = 1; + ret = 1; break; } sniffer = sniffer->next; } - + wc_UnLockMutex(&ServerListMutex); return ret; @@ -1083,9 +1077,9 @@ static int IsPortRegistered(word32 port) static SnifferServer* GetSnifferServer(IpInfo* ipInfo, TcpInfo* tcpInfo) { SnifferServer* sniffer; - + wc_LockMutex(&ServerListMutex); - + sniffer = ServerList; while (sniffer) { if (sniffer->port == tcpInfo->srcPort && sniffer->server == ipInfo->src) @@ -1094,9 +1088,9 @@ static SnifferServer* GetSnifferServer(IpInfo* ipInfo, TcpInfo* tcpInfo) break; sniffer = sniffer->next; } - + wc_UnLockMutex(&ServerListMutex); - + return sniffer; } @@ -1106,7 +1100,7 @@ static word32 SessionHash(IpInfo* ipInfo, TcpInfo* tcpInfo) { word32 hash = ipInfo->src * ipInfo->dst; hash *= tcpInfo->srcPort * tcpInfo->dstPort; - + return hash % HASH_SIZE; } @@ -1115,13 +1109,13 @@ static word32 SessionHash(IpInfo* ipInfo, TcpInfo* tcpInfo) static SnifferSession* GetSnifferSession(IpInfo* ipInfo, TcpInfo* tcpInfo) { SnifferSession* session; - time_t currTime = time(NULL); + time_t currTime = time(NULL); word32 row = SessionHash(ipInfo, tcpInfo); assert(row <= HASH_SIZE); - + wc_LockMutex(&SessionMutex); - + session = SessionTable[row]; while (session) { if (session->server == ipInfo->src && session->client == ipInfo->dst && @@ -1132,15 +1126,15 @@ static SnifferSession* GetSnifferSession(IpInfo* ipInfo, TcpInfo* tcpInfo) session->cliPort == tcpInfo->srcPort && session->srvPort == tcpInfo->dstPort) break; - + session = session->next; } if (session) session->lastUsed= currTime; /* keep session alive, remove stale will */ - /* leave alone */ + /* leave alone */ wc_UnLockMutex(&SessionMutex); - + /* determine side */ if (session) { if (ipInfo->dst == session->context->server && @@ -1148,8 +1142,8 @@ static SnifferSession* GetSnifferSession(IpInfo* ipInfo, TcpInfo* tcpInfo) session->flags.side = WOLFSSL_SERVER_END; else session->flags.side = WOLFSSL_CLIENT_END; - } - + } + return session; } @@ -1392,11 +1386,11 @@ static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, int length, char* error) Trace(IP_CHECK_STR); if (version != IPV4) { - SetError(BAD_IPVER_STR, error, NULL, 0); + SetError(BAD_IPVER_STR, error, NULL, 0); return -1; } - if (iphdr->protocol != TCP_PROTOCOL) { + if (iphdr->protocol != TCP_PROTOCOL) { SetError(BAD_PROTO_STR, error, NULL, 0); return -1; } @@ -1433,7 +1427,7 @@ static int CheckTcpHdr(TcpHdr* tcphdr, TcpInfo* info, char* error) info->syn = tcphdr->flags & TCP_SYN; info->ack = tcphdr->flags & TCP_ACK; if (info->ack) - info->ackNumber = ntohl(tcphdr->ack); + info->ackNumber = ntohl(tcphdr->ack); if (!IsPortRegistered(info->srcPort) && !IsPortRegistered(info->dstPort)) { SetError(SERVER_PORT_NOT_REG_STR, error, NULL, 0); @@ -1918,12 +1912,12 @@ static int ProcessClientHello(const byte* input, int* sslBytes, } input += bLen; *sslBytes -= bLen; - + if (*sslBytes == 0) { /* no extensions */ return 0; } - + /* skip extensions until session ticket */ /* make sure can read len */ if (SUITE_LEN > *sslBytes) { @@ -1996,7 +1990,7 @@ static int ProcessFinished(const byte* input, int size, int* sslBytes, SSL* ssl; word32 inOutIdx = 0; int ret; - + if (session->flags.side == WOLFSSL_SERVER_END) ssl = session->sslServer; else @@ -2010,7 +2004,7 @@ static int ProcessFinished(const byte* input, int size, int* sslBytes, SetError(BAD_FINISHED_MSG, error, session, FATAL_ERROR_STATE); return ret; } - + if (ret == 0 && session->flags.cached == 0) { if (session->sslServer->options.haveSessionId) { WOLFSSL_SESSION* sess = GetSession(session->sslServer, NULL, 0); @@ -2046,7 +2040,7 @@ static int DoHandShake(const byte* input, int* sslBytes, } type = input[0]; size = (input[1] << 16) | (input[2] << 8) | input[3]; - + input += HANDSHAKE_HEADER_SZ; *sslBytes -= HANDSHAKE_HEADER_SZ; startBytes = *sslBytes; @@ -2063,7 +2057,7 @@ static int DoHandShake(const byte* input, int* sslBytes, SetError(NO_SECURE_RENEGOTIATION, error, session, FATAL_ERROR_STATE); return -1; } - + #ifdef HAVE_EXTENDED_MASTER if (session->hash) { if (HashUpdate(session->hash, input, size) != 0) { @@ -2173,32 +2167,32 @@ static int Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz) wc_Arc4Process(ssl->decrypt.arc4, output, input, sz); break; #endif - + #ifdef BUILD_DES3 case wolfssl_triple_des: ret = wc_Des3_CbcDecrypt(ssl->decrypt.des3, output, input, sz); break; #endif - + #ifdef BUILD_AES case wolfssl_aes: ret = wc_AesCbcDecrypt(ssl->decrypt.aes, output, input, sz); break; #endif - + #ifdef HAVE_HC128 case wolfssl_hc128: wc_Hc128_Process(ssl->decrypt.hc128, output, input, sz); break; #endif - + #ifdef BUILD_RABBIT case wolfssl_rabbit: wc_RabbitProcess(ssl->decrypt.rabbit, output, input, sz); break; #endif - #ifdef HAVE_CAMELLIA + #ifdef HAVE_CAMELLIA case wolfssl_camellia: wc_CamelliaCbcDecrypt(ssl->decrypt.cam, output, input, sz); break; @@ -2274,7 +2268,7 @@ static const byte* DecryptMessage(SSL* ssl, const byte* input, word32 sz, if (ssl->specs.cipher_type == block) ssl->keys.padSz += *(output + sz - ivExtra - 1) + 1; - + return output; } @@ -2287,20 +2281,20 @@ static void RemoveSession(SnifferSession* session, IpInfo* ipInfo, SnifferSession* current; word32 row = rowHint; int haveLock = 0; - + if (ipInfo && tcpInfo) row = SessionHash(ipInfo, tcpInfo); else haveLock = 1; - + assert(row <= HASH_SIZE); Trace(REMOVE_SESSION_STR); - + if (!haveLock) wc_LockMutex(&SessionMutex); - + current = SessionTable[row]; - + while (current) { if (current == session) { if (previous) @@ -2314,7 +2308,7 @@ static void RemoveSession(SnifferSession* session, IpInfo* ipInfo, previous = current; current = current->next; } - + if (!haveLock) wc_UnLockMutex(&SessionMutex); } @@ -2325,11 +2319,11 @@ static void RemoveStaleSessions(void) { word32 i; SnifferSession* session; - + for (i = 0; i < HASH_SIZE; i++) { session = SessionTable[i]; while (session) { - SnifferSession* next = session->next; + SnifferSession* next = session->next; if (time(NULL) >= session->lastUsed + WOLFSSL_SNIFFER_TIMEOUT) { TraceStaleSession(); RemoveSession(session, NULL, NULL, i); @@ -2346,7 +2340,7 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo, { SnifferSession* session = 0; int row; - + Trace(NEW_SESSION_STR); /* create a new one */ session = (SnifferSession*)malloc(sizeof(SnifferSession)); @@ -2378,14 +2372,14 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo, session->cliSeqStart = tcpInfo->sequence; session->cliExpected = 1; /* relative */ session->lastUsed= time(NULL); - + session->context = GetSnifferServer(ipInfo, tcpInfo); if (session->context == NULL) { SetError(SERVER_NOT_REG_STR, error, NULL, 0); free(session); return 0; } - + session->sslServer = SSL_new(session->context->ctx); if (session->sslServer == NULL) { SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE); @@ -2403,31 +2397,31 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo, } /* put server back into server mode */ session->sslServer->options.side = WOLFSSL_SERVER_END; - + row = SessionHash(ipInfo, tcpInfo); - + /* add it to the session table */ wc_LockMutex(&SessionMutex); - + session->next = SessionTable[row]; SessionTable[row] = session; - + SessionCount++; - + if ( (SessionCount % HASH_SIZE) == 0) { TraceFindingStale(); RemoveStaleSessions(); } - + wc_UnLockMutex(&SessionMutex); - + /* determine headed side */ if (ipInfo->dst == session->context->server && tcpInfo->dstPort == session->context->port) session->flags.side = WOLFSSL_SERVER_END; else - session->flags.side = WOLFSSL_CLIENT_END; - + session->flags.side = WOLFSSL_CLIENT_END; + return session; } @@ -2456,16 +2450,16 @@ static int DoOldHello(SnifferSession* session, const byte* sslFrame, } ret = ProcessOldClientHello(session->sslServer, input, &idx, *sslBytes, - (word16)*rhSize); + (word16)*rhSize); if (ret < 0 && ret != MATCH_SUITE_ERROR) { SetError(BAD_OLD_CLIENT_STR, error, session, FATAL_ERROR_STATE); return -1; } - + Trace(OLD_CLIENT_OK_STR); XMEMCPY(session->sslClient->arrays->clientRandom, session->sslServer->arrays->clientRandom, RAN_LEN); - + *sslBytes -= *rhSize; return 0; } @@ -2488,38 +2482,38 @@ int TcpChecksum(IpInfo* ipInfo, TcpInfo* tcpInfo, int dataLen, const word16* data = (word16*)&pseudo; word32 sum = 0; word16 checksum; - + pseudo.src = ipInfo->src; pseudo.dst = ipInfo->dst; pseudo.rsv = 0; pseudo.protocol = TCP_PROTO; pseudo.length = htons(tcpInfo->length + dataLen); - + /* pseudo header sum */ while (count >= 2) { sum += *data++; count -= 2; } - + count = tcpInfo->length + dataLen; data = (word16*)packet; - + /* main sum */ while (count > 1) { sum += *data++; count -=2; } - + /* get left-over, if any */ packet = (byte*)data; if (count > 0) { sum += *packet; } - + /* fold 32bit sum into 16 bits */ while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16); - + checksum = (word16)~sum; /* checksum should now equal 0, since included already calcd checksum */ /* field, but tcp checksum offloading could negate calculation */ @@ -2545,23 +2539,23 @@ static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet, } if (CheckIpHdr((IpHdr*)packet, ipInfo, length, error) != 0) return -1; - - /* tcp header */ + + /* tcp header */ if (length < (ipInfo->length + TCP_HDR_SZ)) { SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); return -1; } if (CheckTcpHdr((TcpHdr*)(packet + ipInfo->length), tcpInfo, error) != 0) return -1; - - /* setup */ + + /* setup */ *sslFrame = packet + ipInfo->length + tcpInfo->length; if (*sslFrame > packet + length) { SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); return -1; } *sslBytes = (int)(packet + length - *sslFrame); - + return 0; } @@ -2580,7 +2574,7 @@ static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes, /* already had existing, so OK */ if (*session) return 1; - + SetError(MEMORY_STR, error, NULL, 0); return -1; } @@ -2596,10 +2590,10 @@ static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes, /* don't worry about duplicate ACKs either */ if (sslBytes == 0 && tcpInfo->ack) return 1; - + SetError(BAD_SESSION_STR, error, NULL, 0); return -1; - } + } } return 0; } @@ -2610,27 +2604,27 @@ static PacketBuffer* CreateBuffer(word32* begin, word32 end, const byte* data, int* bytesLeft) { PacketBuffer* pb; - + int added = end - *begin + 1; assert(*begin <= end); - + pb = (PacketBuffer*)malloc(sizeof(PacketBuffer)); if (pb == NULL) return NULL; - + pb->next = 0; pb->begin = *begin; pb->end = end; pb->data = (byte*)malloc(added); - + if (pb->data == NULL) { free(pb); return NULL; } XMEMCPY(pb->data, data, added); - + *bytesLeft -= added; *begin = pb->end + 1; - + return pb; } @@ -2645,7 +2639,7 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame, &session->cliReassemblyList: &session->srvReassemblyList; PacketBuffer* curr = *front; PacketBuffer* prev = curr; - + word32* reassemblyMemory = (from == WOLFSSL_SERVER_END) ? &session->cliReassemblyMemory : &session->srvReassemblyMemory; word32 startSeq = seq; @@ -2668,14 +2662,14 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame, *reassemblyMemory += sslBytes; return 1; } - + /* add to front if before current front, up to next->begin */ if (seq < curr->begin) { word32 end = seq + sslBytes - 1; - + if (end >= curr->begin) end = curr->begin - 1; - + if (MaxRecoveryMemory -1 && (int)(*reassemblyMemory + sslBytes) > MaxRecoveryMemory) { SetError(REASSEMBLY_MAX_STR, error, session, FATAL_ERROR_STATE); @@ -2690,7 +2684,7 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame, *front = add; *reassemblyMemory += sslBytes; } - + /* while we have bytes left, try to find a gap to fill */ while (bytesLeft > 0) { /* get previous packet in list */ @@ -2698,7 +2692,7 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame, prev = curr; curr = curr->next; } - + /* don't add duplicate data */ if (prev->end >= seq) { if ( (seq + bytesLeft - 1) <= prev->end) @@ -2706,18 +2700,18 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame, seq = prev->end + 1; bytesLeft = startSeq + sslBytes - seq; } - + if (!curr) /* we're at the end */ added = bytesLeft; - else + else /* we're in between two frames */ added = min((word32)bytesLeft, curr->begin - seq); - + /* data already there */ if (added == 0) continue; - + if (MaxRecoveryMemory != -1 && (int)(*reassemblyMemory + added) > MaxRecoveryMemory) { SetError(REASSEMBLY_MAX_STR, error, session, FATAL_ERROR_STATE); @@ -2758,7 +2752,7 @@ static int AddFinCapture(SnifferSession* session, word32 sequence) static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session, int* sslBytes, const byte** sslFrame, char* error) { - word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ? + word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ? session->cliSeqStart :session->srvSeqStart; word32 real = tcpInfo->sequence - seqStart; word32* expected = (session->flags.side == WOLFSSL_SERVER_END) ? @@ -2768,19 +2762,19 @@ static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session, byte skipPartial = (session->flags.side == WOLFSSL_SERVER_END) ? session->flags.srvSkipPartial : session->flags.cliSkipPartial; - + /* handle rollover of sequence */ if (tcpInfo->sequence < seqStart) real = 0xffffffffU - seqStart + tcpInfo->sequence; - + TraceRelativeSequence(*expected, real); - + if (real < *expected) { Trace(DUPLICATE_STR); if (real + *sslBytes > *expected) { int overlap = *expected - real; Trace(OVERLAP_DUPLICATE_STR); - + /* adjust to expected, remove duplicate */ *sslFrame += overlap; *sslBytes -= overlap; @@ -2790,16 +2784,16 @@ static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session, * block be sure to also update the block below. */ if (reassemblyList) { word32 newEnd = *expected + *sslBytes; - + if (newEnd > reassemblyList->begin) { Trace(OVERLAP_REASSEMBLY_BEGIN_STR); - + /* remove bytes already on reassembly list */ *sslBytes -= newEnd - reassemblyList->begin; } if (newEnd > reassemblyList->end) { Trace(OVERLAP_REASSEMBLY_END_STR); - + /* may be past reassembly list end (could have more on list) so try to add what's past the front->end */ AddToReassembly(session->flags.side, reassemblyList->end +1, @@ -2863,7 +2857,7 @@ static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session, *expected += *sslBytes; if (tcpInfo->fin) *expected += 1; - + return 0; } @@ -2983,16 +2977,16 @@ static int FixSequence(TcpInfo* tcpInfo, SnifferSession* session) static int CheckAck(TcpInfo* tcpInfo, SnifferSession* session) { if (tcpInfo->ack) { - word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ? + word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ? session->srvSeqStart :session->cliSeqStart; word32 real = tcpInfo->ackNumber - seqStart; word32 expected = (session->flags.side == WOLFSSL_SERVER_END) ? session->srvExpected : session->cliExpected; - + /* handle rollover of sequence */ if (tcpInfo->ackNumber < seqStart) real = 0xffffffffU - seqStart + tcpInfo->ackNumber; - + TraceAck(real, expected); if (real > expected) @@ -3020,13 +3014,13 @@ static int CheckSequence(IpInfo* ipInfo, TcpInfo* tcpInfo, TraceServerSyn(tcpInfo->sequence); return 1; } - + /* adjust potential ethernet trailer */ actualLen = ipInfo->total - ipInfo->length - tcpInfo->length; if (*sslBytes > actualLen) { *sslBytes = actualLen; } - + TraceSequence(tcpInfo->sequence, *sslBytes); if (CheckAck(tcpInfo, session) < 0) { if (!RecoveryEnabled) { @@ -3043,13 +3037,13 @@ static int CheckSequence(IpInfo* ipInfo, TcpInfo* tcpInfo, return FixSequence(tcpInfo, session); } } - + if (*ackFault) { Trace(CLEAR_ACK_FAULT); *ackFault = 0; } - return AdjustSequence(tcpInfo, session, sslBytes, sslFrame, error); + return AdjustSequence(tcpInfo, session, sslBytes, sslFrame, error); } @@ -3072,19 +3066,19 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo, (*session)->flags.finCount += 1; else if (tcpInfo->rst) (*session)->flags.finCount += 2; - + if ((*session)->flags.finCount >= 2) { RemoveSession(*session, ipInfo, tcpInfo, 0); *session = NULL; return 1; } } - + if ((*session)->flags.fatalError == FATAL_ERROR_STATE) { SetError(FATAL_ERROR_STR, error, NULL, 0); return -1; } - + if (skipPartial) { if (FindNextRecordInAssembly(*session, sslFrame, sslBytes, end, error) < 0) { @@ -3096,13 +3090,13 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo, Trace(NO_DATA_STR); return 1; } - + /* if current partial data, add to end of partial */ /* if skipping, the data is already at the end of partial */ if ( !skipPartial && (length = ssl->buffers.inputBuffer.length) ) { Trace(PARTIAL_ADD_STR); - + if ( (*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) { if (GrowInputBuffer(ssl, *sslBytes, length) < 0) { SetError(MEMORY_STR, error, *session, FATAL_ERROR_STATE); @@ -3166,7 +3160,7 @@ static int HaveMoreInput(SnifferSession* session, const byte** sslFrame, session->sslServer : session->sslClient; word32* reassemblyMemory = (session->flags.side == WOLFSSL_SERVER_END) ? &session->cliReassemblyMemory : &session->srvReassemblyMemory; - + while (*front && ((*front)->begin == *expected) ) { word32 room = *bufferSize - *length; word32 packetLen = (*front)->end - (*front)->begin + 1; @@ -3178,21 +3172,21 @@ static int HaveMoreInput(SnifferSession* session, const byte** sslFrame, } room = *bufferSize - *length; /* bufferSize is now bigger */ } - + if (packetLen <= room) { PacketBuffer* del = *front; byte* buf = *myBuffer; - + XMEMCPY(&buf[*length], (*front)->data, packetLen); *length += packetLen; *expected += packetLen; - + /* remove used packet */ *front = (*front)->next; *reassemblyMemory -= packetLen; FreePacketBuffer(del); - + moreInput = 1; } else @@ -3205,7 +3199,7 @@ static int HaveMoreInput(SnifferSession* session, const byte** sslFrame, } return moreInput; } - + /* Process Message(s) from sslFrame */ @@ -3244,11 +3238,11 @@ doMessage: if (notEnough || rhSize > (sslBytes - RECORD_HEADER_SZ)) { /* don't have enough input yet to process full SSL record */ Trace(PARTIAL_INPUT_STR); - + /* store partial if not there already or we advanced */ if (ssl->buffers.inputBuffer.length == 0 || sslBegin != sslFrame) { if (sslBytes > (int)ssl->buffers.inputBuffer.bufferSize) { - if (GrowInputBuffer(ssl, sslBytes, 0) < 0) { + if (GrowInputBuffer(ssl, sslBytes, 0) < 0) { SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE); return -1; } @@ -3264,7 +3258,7 @@ doMessage: sslBytes -= RECORD_HEADER_SZ; recordEnd = sslFrame + rhSize; /* may have more than one record */ inRecordEnd = recordEnd; - + /* decrypt if needed */ if ((session->flags.side == WOLFSSL_SERVER_END && session->flags.serverCipherOn) @@ -3292,7 +3286,7 @@ doMessage: } doPart: - + switch ((enum ContentType)rh.type) { case handshake: { @@ -3332,7 +3326,7 @@ doPart: Trace(GOT_APP_DATA_STR); { word32 inOutIdx = 0; - + ret = DoApplicationData(ssl, (byte*)sslFrame, &inOutIdx); if (ret == 0) { ret = ssl->buffers.clearOutputBuffer.length; @@ -3396,26 +3390,26 @@ doPart: sslBytes = (int)(end - recordEnd); goto doMessage; } - + /* clear used input */ ssl->buffers.inputBuffer.length = 0; - + /* could have more input ready now */ if (HaveMoreInput(session, &sslFrame, &sslBytes, &end, error)) goto doMessage; if (ssl->buffers.inputBuffer.dynamicFlag) ShrinkInputBuffer(ssl, NO_FORCED_FREE); - + return decoded; } /* See if we need to process any pending FIN captures */ -static void CheckFinCapture(IpInfo* ipInfo, TcpInfo* tcpInfo, +static void CheckFinCapture(IpInfo* ipInfo, TcpInfo* tcpInfo, SnifferSession* session) { - if (session->finCaputre.cliFinSeq && session->finCaputre.cliFinSeq <= + if (session->finCaputre.cliFinSeq && session->finCaputre.cliFinSeq <= session->cliExpected) { if (session->finCaputre.cliCounted == 0) { session->flags.finCount += 1; @@ -3423,8 +3417,8 @@ static void CheckFinCapture(IpInfo* ipInfo, TcpInfo* tcpInfo, TraceClientFin(session->finCaputre.cliFinSeq, session->cliExpected); } } - - if (session->finCaputre.srvFinSeq && session->finCaputre.srvFinSeq <= + + if (session->finCaputre.srvFinSeq && session->finCaputre.srvFinSeq <= session->srvExpected) { if (session->finCaputre.srvCounted == 0) { session->flags.finCount += 1; @@ -3432,13 +3426,13 @@ static void CheckFinCapture(IpInfo* ipInfo, TcpInfo* tcpInfo, TraceServerFin(session->finCaputre.srvFinSeq, session->srvExpected); } } - - if (session->flags.finCount >= 2) + + if (session->flags.finCount >= 2) RemoveSession(session, ipInfo, tcpInfo, 0); } -/* If session is in fatal error state free resources now +/* If session is in fatal error state free resources now return true if removed, 0 otherwise */ static int RemoveFatalSession(IpInfo* ipInfo, TcpInfo* tcpInfo, SnifferSession* session, char* error) @@ -3467,17 +3461,17 @@ int ssl_DecodePacket(const byte* packet, int length, byte** data, char* error) if (CheckHeaders(&ipInfo, &tcpInfo, packet, length, &sslFrame, &sslBytes, error) != 0) return -1; - + ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error); if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; else if (ret == -1) return -1; else if (ret == 1) return 0; /* done for now */ - + ret = CheckSequence(&ipInfo, &tcpInfo, session, &sslBytes, &sslFrame,error); if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; else if (ret == -1) return -1; else if (ret == 1) return 0; /* done for now */ - + ret = CheckPreRecord(&ipInfo, &tcpInfo, &sslFrame, &session, &sslBytes, &end, error); if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; @@ -3531,7 +3525,7 @@ int ssl_Trace(const char* traceFile, char* error) } TraceOn = 1; } - else + else TraceOn = 0; return 0; From 6e16410e25748b0cc090a44e75ea7badb5706d6e Mon Sep 17 00:00:00 2001 From: jrblixt Date: Thu, 6 Apr 2017 15:47:53 -0600 Subject: [PATCH 20/33] Modifications per Todd's requests. --- src/keys.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/src/keys.c b/src/keys.c index 1e5203944..2b7d068ec 100644 --- a/src/keys.c +++ b/src/keys.c @@ -2940,9 +2940,9 @@ int DeriveKeys(WOLFSSL* ssl) #endif ret = wc_InitMd5(md5); - - ret = wc_InitSha(sha); - + if (ret == 0) { + ret = wc_InitSha(sha); + } if (ret == 0) { XMEMCPY(md5Input, ssl->arrays->masterSecret, SECRET_LEN); @@ -2968,7 +2968,9 @@ int DeriveKeys(WOLFSSL* ssl) XMEMCPY(md5Input + SECRET_LEN, shaOutput, SHA_DIGEST_SIZE); ret = wc_Md5Update(md5, md5Input, SECRET_LEN + SHA_DIGEST_SIZE); - ret = wc_Md5Final(md5, keyData + i * MD5_DIGEST_SIZE); + if (ret == 0) { + ret = wc_Md5Final(md5, keyData + i * MD5_DIGEST_SIZE); + } } if (ret == 0) @@ -3060,9 +3062,9 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) #endif ret = wc_InitMd5(md5); - - ret = wc_InitSha(sha); - + if (ret == 0) { + ret = wc_InitSha(sha); + } if (ret == 0) { XMEMCPY(md5Input, ssl->arrays->preMasterSecret, pmsSz); @@ -3091,7 +3093,10 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) idx += SHA_DIGEST_SIZE; ret = wc_Md5Update(md5, md5Input, idx); - ret = wc_Md5Final(md5, &ssl->arrays->masterSecret[i * MD5_DIGEST_SIZE]); + if (ret == 0) { + ret = wc_Md5Final(md5, + &ssl->arrays->masterSecret[i * MD5_DIGEST_SIZE]); + } } #ifdef SHOW_SECRETS From 3478c9b93715bd9f2be4e0e16438cf4d933b3095 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Fri, 7 Apr 2017 14:15:53 -0600 Subject: [PATCH 21/33] Added return checks to src/keys.c. --- src/keys.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/src/keys.c b/src/keys.c index 2b7d068ec..240460524 100644 --- a/src/keys.c +++ b/src/keys.c @@ -2960,14 +2960,18 @@ int DeriveKeys(WOLFSSL* ssl) XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN); idx += RAN_LEN; XMEMCPY(shaInput + idx, ssl->arrays->clientRandom, RAN_LEN); - - wc_ShaUpdate(sha, shaInput, (KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN) - - KEY_PREFIX + j); - wc_ShaFinal(sha, shaOutput); + if (ret == 0) { /* ret could be PREFIX_ERROR. */ + ret = wc_ShaUpdate(sha, shaInput, + (KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN) - KEY_PREFIX + j); + } + if (ret == 0) { + ret = wc_ShaFinal(sha, shaOutput); + } XMEMCPY(md5Input + SECRET_LEN, shaOutput, SHA_DIGEST_SIZE); - - ret = wc_Md5Update(md5, md5Input, SECRET_LEN + SHA_DIGEST_SIZE); + if (ret == 0) { + ret = wc_Md5Update(md5, md5Input, SECRET_LEN + SHA_DIGEST_SIZE); + } if (ret == 0) { ret = wc_Md5Final(md5, keyData + i * MD5_DIGEST_SIZE); } @@ -3085,14 +3089,18 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) idx += RAN_LEN; XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN); idx += RAN_LEN; - wc_ShaUpdate(sha, shaInput, idx); - wc_ShaFinal(sha, shaOutput); - + if (ret == 0) { /* ret could be PREFIX_ERROR. */ + ret = wc_ShaUpdate(sha, shaInput, idx); + } + if (ret == 0) { + ret = wc_ShaFinal(sha, shaOutput); + } idx = pmsSz; /* preSz */ XMEMCPY(md5Input + idx, shaOutput, SHA_DIGEST_SIZE); idx += SHA_DIGEST_SIZE; - - ret = wc_Md5Update(md5, md5Input, idx); + if (ret == 0) { + ret = wc_Md5Update(md5, md5Input, idx); + } if (ret == 0) { ret = wc_Md5Final(md5, &ssl->arrays->masterSecret[i * MD5_DIGEST_SIZE]); From ac6b840dc5131da2952576ca0078fd627f177f3c Mon Sep 17 00:00:00 2001 From: jrblixt Date: Thu, 13 Apr 2017 16:51:08 -0600 Subject: [PATCH 22/33] Merge Conflict with wolfSSL master. --- wolfcrypt/src/sha256.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 4b5fbd877..40fc57e53 100755 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -38,7 +38,7 @@ int wc_InitSha256(Sha256* sha) { - if (sha == NULL) { + if (sha == NULL) { return BAD_FUNC_ARG; } return InitSha256_fips(sha); From 00ea50875149124f833689919c53d1226a01f9f2 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Fri, 14 Apr 2017 02:16:04 -0600 Subject: [PATCH 23/33] Param check fix in hash files. --- wolfcrypt/src/md5.c | 3 +++ wolfcrypt/src/sha.c | 6 ++++++ wolfcrypt/src/sha256.c | 11 +++++++++++ wolfcrypt/src/sha512.c | 11 ++++++++++- 4 files changed, 30 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c index 342aea466..fcaa73965 100755 --- a/wolfcrypt/src/md5.c +++ b/wolfcrypt/src/md5.c @@ -447,6 +447,9 @@ int wc_Md5Final(Md5* md5, byte* hash) int wc_InitMd5(Md5* md5) { + if (md5 == NULL) { + return BAD_FUNC_ARG; + } return wc_InitMd5_ex(md5, NULL, INVALID_DEVID); } diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index f98cb7272..e35c5ba7d 100755 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -42,6 +42,9 @@ } int wc_InitSha_ex(Sha* sha, void* heap, int devId) { + if (sha == NULL) { + return BAD_FUNC_ARG; + } (void)heap; (void)devId; return InitSha_fips(sha); @@ -543,6 +546,9 @@ int wc_ShaFinal(Sha* sha, byte* hash) int wc_InitSha(Sha* sha) { + if (sha == NULL) { + return BAD_FUNC_ARG; + } return wc_InitSha_ex(sha, NULL, INVALID_DEVID); } diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 40fc57e53..40eb0f421 100755 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -45,6 +45,9 @@ } int wc_InitSha256_ex(Sha256* sha, void* heap, int devId) { + if (sha == NULL) { + return BAD_FUNC_ARG; + } (void)heap; (void)devId; return InitSha256_fips(sha); @@ -562,9 +565,14 @@ static int InitSha256(Sha256* sha256) static INLINE int Sha256Final(Sha256* sha256) { + int ret; byte* local = (byte*)sha256->buffer; + if (sha256 == NULL) { + return BAD_FUNC_ARG; + } + SAVE_XMM_YMM; /* for Intel AVX */ AddLength(sha256, sha256->buffLen); /* before adding pads */ @@ -1918,6 +1926,9 @@ static int Transform_AVX2(Sha256* sha256) int wc_InitSha256(Sha256* sha256) { + if (sha256 == NULL) { + return BAD_FUNC_ARG; + } return wc_InitSha256_ex(sha256, NULL, INVALID_DEVID); } diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 9d9233605..8b560d04c 100755 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -44,6 +44,9 @@ } int wc_InitSha512_ex(Sha512* sha, void* heap, int devId) { + if (sha == NULL) { + return BAD_FUNC_ARG; + } (void)heap; (void)devId; return InitSha512_fips(sha); @@ -537,7 +540,9 @@ static INLINE void AddLength(Sha512* sha512, word32 len) static INLINE int Sha512Update(Sha512* sha512, const byte* data, word32 len) { int ret = 0; - + if (sha512 == NULL || (data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } /* do block size increments */ byte* local = (byte*)sha512->buffer; @@ -598,6 +603,10 @@ static INLINE int Sha512Final(Sha512* sha512) byte* local = (byte*)sha512->buffer; int ret; + if (sha512 == NULL) { + return BAD_FUNC_ARG; + } + SAVE_XMM_YMM ; /* for Intel AVX */ AddLength(sha512, sha512->buffLen); /* before adding pads */ From 609ca3c823d564353400223afd5d0be7661aa78a Mon Sep 17 00:00:00 2001 From: jrblixt Date: Fri, 14 Apr 2017 02:34:31 -0600 Subject: [PATCH 24/33] Jenkin's Visual Studio status check correction. --- wolfcrypt/src/sha512.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 8b560d04c..3951550d2 100755 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -540,11 +540,12 @@ static INLINE void AddLength(Sha512* sha512, word32 len) static INLINE int Sha512Update(Sha512* sha512, const byte* data, word32 len) { int ret = 0; + /* do block size increments */ + byte* local = (byte*)sha512->buffer; + if (sha512 == NULL || (data == NULL && len > 0)) { return BAD_FUNC_ARG; } - /* do block size increments */ - byte* local = (byte*)sha512->buffer; /* check that internal buffLen is valid */ if (sha512->buffLen > SHA512_BLOCK_SIZE) From 5b5c8f1e958989a6dffe378a48cef8d079f8f5d0 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Fri, 14 Apr 2017 16:12:29 -0600 Subject: [PATCH 25/33] Updated mcapi/mcapi_test.c ; wolfcrypt/src/md5.c ; wolfcrypt/src/pwdbased.c. --- mcapi/mcapi_test.c | 47 ++++++++++++++++++---------------------- wolfcrypt/src/md5.c | 4 ---- wolfcrypt/src/pwdbased.c | 30 +++++++++++++++++-------- 3 files changed, 42 insertions(+), 39 deletions(-) diff --git a/mcapi/mcapi_test.c b/mcapi/mcapi_test.c index 75f86c3f5..5f1e4549e 100644 --- a/mcapi/mcapi_test.c +++ b/mcapi/mcapi_test.c @@ -220,26 +220,21 @@ static int check_md5(void) CRYPT_MD5_Initialize(&mcMd5); ret = wc_InitMd5(&defMd5); - if (ret != 0) { - return ret; + + if (ret == 0) { + CRYPT_MD5_DataAdd(&mcMd5, ourData, OUR_DATA_SIZE); + ret = wc_Md5Update(&defMd5, ourData, OUR_DATA_SIZE); } - CRYPT_MD5_DataAdd(&mcMd5, ourData, OUR_DATA_SIZE); - ret = wc_Md5Update(&defMd5, ourData, OUR_DATA_SIZE); - if (ret != 0) { - return ret; - } - - CRYPT_MD5_Finalize(&mcMd5, mcDigest); - ret = wc_Md5Final(&defMd5, defDigest); - if (ret != 0) { - return ret; + if (ret == 0) { + CRYPT_MD5_Finalize(&mcMd5, mcDigest); + ret = wc_Md5Final(&defMd5, defDigest); } if (memcmp(mcDigest, defDigest, CRYPT_MD5_DIGEST_SIZE) != 0) { printf("md5 final memcmp fialed\n"); return -1; - } + } printf("md5 mcapi test passed\n"); return ret; @@ -271,7 +266,7 @@ static int check_sha(void) if (memcmp(mcDigest, defDigest, CRYPT_SHA_DIGEST_SIZE) != 0) { printf("sha final memcmp failed\n"); return -1; - } + } printf("sha mcapi test passed\n"); return 0; @@ -311,7 +306,7 @@ static int check_sha256(void) if (memcmp(mcDigest, defDigest, CRYPT_SHA256_DIGEST_SIZE) != 0) { printf("sha256 final memcmp fialed\n"); return -1; - } + } printf("sha256 mcapi test passed\n"); return 0; @@ -351,7 +346,7 @@ static int check_sha384(void) if (memcmp(mcDigest, defDigest, CRYPT_SHA384_DIGEST_SIZE) != 0) { printf("sha384 final memcmp fialed\n"); return -1; - } + } printf("sha384 mcapi test passed\n"); return 0; @@ -391,7 +386,7 @@ static int check_sha512(void) if (memcmp(mcDigest, defDigest, CRYPT_SHA512_DIGEST_SIZE) != 0) { printf("sha512 final memcmp fialed\n"); return -1; - } + } printf("sha512 mcapi test passed\n"); return 0; @@ -434,7 +429,7 @@ static int check_hmac(void) if (memcmp(mcDigest, defDigest, CRYPT_SHA_DIGEST_SIZE) != 0) { printf("hmac sha final memcmp fialed\n"); return -1; - } + } printf("hmac sha mcapi test passed\n"); /* SHA-256 */ @@ -462,7 +457,7 @@ static int check_hmac(void) if (memcmp(mcDigest, defDigest, CRYPT_SHA256_DIGEST_SIZE) != 0) { printf("hmac sha256 final memcmp fialed\n"); return -1; - } + } printf("hmac sha256 mcapi test passed\n"); /* SHA-384 */ @@ -490,7 +485,7 @@ static int check_hmac(void) if (memcmp(mcDigest, defDigest, CRYPT_SHA384_DIGEST_SIZE) != 0) { printf("hmac sha384 final memcmp fialed\n"); return -1; - } + } printf("hmac sha384 mcapi test passed\n"); /* SHA-512 */ @@ -518,7 +513,7 @@ static int check_hmac(void) if (memcmp(mcDigest, defDigest, CRYPT_SHA512_DIGEST_SIZE) != 0) { printf("hmac sha512 final memcmp fialed\n"); return -1; - } + } printf("hmac sha512 mcapi test passed\n"); return 0; @@ -631,7 +626,7 @@ static int check_compress(void) static int check_rng(void) { int ret; - int i; + int i; byte in[RANDOM_BYTE_SZ]; byte out[RANDOM_BYTE_SZ]; @@ -1336,7 +1331,7 @@ static int check_rsa(void) return -1; } - ret = CRYPT_RSA_PrivateDecrypt(&mcRsa, out2, sizeof(out2), out1, ret); + ret = CRYPT_RSA_PrivateDecrypt(&mcRsa, out2, sizeof(out2), out1, ret); if (ret < 0) { printf("mcapi rsa private derypt failed\n"); return -1; @@ -1358,7 +1353,7 @@ static int check_rsa(void) printf("mcapi rsa free failed\n"); return -1; } - + printf("rsa mcapi test passed\n"); return 0; @@ -1368,7 +1363,7 @@ static int check_rsa(void) /* check mcapi ecc */ static int check_ecc(void) { - CRYPT_ECC_CTX userA; + CRYPT_ECC_CTX userA; CRYPT_ECC_CTX userB; int ret; byte sharedA[100]; @@ -1473,7 +1468,7 @@ static int check_ecc(void) printf("mcapi ecc public export failed\n"); return -1; } - + ret = CRYPT_ECC_PublicImport(&userB, sharedA, usedA); if (ret != 0) { printf("mcapi ecc public import failed\n"); diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c index fcaa73965..1df247d50 100755 --- a/wolfcrypt/src/md5.c +++ b/wolfcrypt/src/md5.c @@ -305,10 +305,6 @@ static int _InitMd5(Md5* md5) { int ret = 0; - if (md5 == NULL) { - return BAD_FUNC_ARG; - } - md5->digest[0] = 0x67452301L; md5->digest[1] = 0xefcdab89L; md5->digest[2] = 0x98badcfeL; diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c index 0a34697f2..6df35b1cf 100644 --- a/wolfcrypt/src/pwdbased.c +++ b/wolfcrypt/src/pwdbased.c @@ -322,25 +322,25 @@ int DoPKCS12Hash(int hashType, byte* buffer, word32 totalLen, Md5 md5; ret = wc_InitMd5(&md5); if (ret != 0) { - return ret; + break; } ret = wc_Md5Update(&md5, buffer, totalLen); if (ret != 0) { - return ret; + break; } ret = wc_Md5Final(&md5, Ai); if (ret != 0) { - return ret; + break; } for (i = 1; i < iterations; i++) { ret = wc_Md5Update(&md5, Ai, u); if (ret != 0) { - return ret; + break; } ret = wc_Md5Final(&md5, Ai); if (ret != 0) { - return ret; + break; } } } @@ -353,12 +353,24 @@ int DoPKCS12Hash(int hashType, byte* buffer, word32 totalLen, ret = wc_InitSha(&sha); if (ret != 0) break; - wc_ShaUpdate(&sha, buffer, totalLen); - wc_ShaFinal(&sha, Ai); + ret = wc_ShaUpdate(&sha, buffer, totalLen); + if (ret != 0) { + break; + } + ret = wc_ShaFinal(&sha, Ai); + if (ret != 0) { + break; + } for (i = 1; i < iterations; i++) { - wc_ShaUpdate(&sha, Ai, u); - wc_ShaFinal(&sha, Ai); + ret = wc_ShaUpdate(&sha, Ai, u); + if (ret != 0) { + break; + } + ret = wc_ShaFinal(&sha, Ai); + if (ret != 0) { + break; + } } } break; From 3749988ee2a3327c06576dfe7912feeade7e1d86 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Fri, 14 Apr 2017 16:24:25 -0600 Subject: [PATCH 26/33] Updated wolfcrypt/src/sha.c. --- wolfcrypt/src/sha.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index e35c5ba7d..267fafb21 100755 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -42,11 +42,11 @@ } int wc_InitSha_ex(Sha* sha, void* heap, int devId) { + (void)heap; + (void)devId; if (sha == NULL) { return BAD_FUNC_ARG; } - (void)heap; - (void)devId; return InitSha_fips(sha); } @@ -277,9 +277,6 @@ { int ret = 0; - if (sha == NULL) { - return BAD_FUNC_ARG; - } sha->digest[0] = 0x67452301L; sha->digest[1] = 0xEFCDAB89L; sha->digest[2] = 0x98BADCFEL; @@ -546,9 +543,6 @@ int wc_ShaFinal(Sha* sha, byte* hash) int wc_InitSha(Sha* sha) { - if (sha == NULL) { - return BAD_FUNC_ARG; - } return wc_InitSha_ex(sha, NULL, INVALID_DEVID); } From f7c58b06437097920949f099241078bb03c635b1 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Fri, 14 Apr 2017 16:42:18 -0600 Subject: [PATCH 27/33] Updated wolfcrypt/src/sha256.c. --- wolfcrypt/src/sha256.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 40eb0f421..4f8e8b011 100755 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -45,11 +45,11 @@ } int wc_InitSha256_ex(Sha256* sha, void* heap, int devId) { + (void)heap; + (void)devId; if (sha == NULL) { return BAD_FUNC_ARG; } - (void)heap; - (void)devId; return InitSha256_fips(sha); } int wc_Sha256Update(Sha256* sha, const byte* data, word32 len) @@ -1926,9 +1926,6 @@ static int Transform_AVX2(Sha256* sha256) int wc_InitSha256(Sha256* sha256) { - if (sha256 == NULL) { - return BAD_FUNC_ARG; - } return wc_InitSha256_ex(sha256, NULL, INVALID_DEVID); } From 5486a60326e9bb555aeba7ab85f5b9c21f6253c7 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 18 Apr 2017 11:18:29 -0600 Subject: [PATCH 28/33] sha512.c updates. --- wolfcrypt/src/sha512.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 3951550d2..b680c6c11 100755 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -1433,10 +1433,11 @@ int wc_Sha384Update(Sha384* sha384, const byte* data, word32 len) int wc_Sha384Final(Sha384* sha384, byte* hash) { + int ret; + if (sha384 == NULL || hash == NULL) { return BAD_FUNC_ARG; } - int ret; #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384) if (sha384->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA384) { From 4a8259b2ad9fcbaebe9ca856a7722557223dccd1 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 18 Apr 2017 11:29:35 -0600 Subject: [PATCH 29/33] Jenkin's Fips corrections. --- wolfcrypt/src/sha512.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index b680c6c11..dae3fb5d8 100755 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -44,11 +44,11 @@ } int wc_InitSha512_ex(Sha512* sha, void* heap, int devId) { + (void)heap; + (void)devId; if (sha == NULL) { return BAD_FUNC_ARG; } - (void)heap; - (void)devId; return InitSha512_fips(sha); } int wc_Sha512Update(Sha512* sha, const byte* data, word32 len) From 1215203c3929954bdd5b68788e06170bd87b43c3 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 18 Apr 2017 12:53:54 -0600 Subject: [PATCH 30/33] Update sha384 fips. --- wolfcrypt/src/sha512.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index dae3fb5d8..a66e99677 100755 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -76,20 +76,32 @@ #if defined(WOLFSSL_SHA384) || defined(HAVE_AESGCM) int wc_InitSha384(Sha384* sha) { + if (sha == NULL) { + return BAD_FUNC_ARG; + } return InitSha384_fips(sha); } int wc_InitSha384_ex(Sha384* sha, void* heap, int devId) { (void)heap; (void)devId; + if (sha == NULL) { + return BAD_FUNC_ARG; + } return InitSha384_fips(sha); } int wc_Sha384Update(Sha384* sha, const byte* data, word32 len) { + if (sha == NULL || (data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } return Sha384Update_fips(sha, data, len); } int wc_Sha384Final(Sha384* sha, byte* out) { + if (sha == NULL || out == NULL) { + return BAD_FUNC_ARG; + } return Sha384Final_fips(sha, out); } void wc_Sha384Free(Sha384* sha) From 289f60e2c9881aad5e8c24f8caa32532f39debda Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 16 May 2017 10:04:30 -0600 Subject: [PATCH 31/33] Changes from Todd's code review. --- src/keys.c | 6 +++--- wolfcrypt/src/sha256.c | 10 +++++----- wolfcrypt/src/sha512.c | 18 +++++++++--------- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/keys.c b/src/keys.c index 8ef2285f8..92b03d651 100644 --- a/src/keys.c +++ b/src/keys.c @@ -1153,7 +1153,7 @@ int SetCipherSpecs(WOLFSSL* ssl) } } - if (ssl->options.cipherSuite0 != ECC_BYTE && + if (ssl->options.cipherSuite0 != ECC_BYTE && ssl->options.cipherSuite0 != CHACHA_BYTE && ssl->options.cipherSuite0 != TLS13_BYTE) { /* normal suites */ switch (ssl->options.cipherSuite) { @@ -3108,7 +3108,7 @@ int DeriveKeys(WOLFSSL* ssl) XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN); idx += RAN_LEN; XMEMCPY(shaInput + idx, ssl->arrays->clientRandom, RAN_LEN); - if (ret == 0) { /* ret could be PREFIX_ERROR. */ + if (ret == 0) { ret = wc_ShaUpdate(sha, shaInput, (KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN) - KEY_PREFIX + j); } @@ -3237,7 +3237,7 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) idx += RAN_LEN; XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN); idx += RAN_LEN; - if (ret == 0) { /* ret could be PREFIX_ERROR. */ + if (ret == 0) { ret = wc_ShaUpdate(sha, shaInput, idx); } if (ret == 0) { diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index e22406b64..d02290c15 100755 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -54,16 +54,16 @@ } int wc_Sha256Update(Sha256* sha, const byte* data, word32 len) { - if (sha == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG; + if (sha == NULL || (data == NULL && len > 0)) { + return BAD_FUNC_ARG; } return Sha256Update_fips(sha, data, len); } int wc_Sha256Final(Sha256* sha, byte* out) { - if (sha == NULL || out == NULL) { - return BAD_FUNC_ARG; - } + if (sha == NULL || out == NULL) { + return BAD_FUNC_ARG; + } return Sha256Final_fips(sha, out); } void wc_Sha256Free(Sha256* sha) diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 40e8eb4e3..f011e2616 100755 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -36,9 +36,9 @@ #ifdef HAVE_FIPS int wc_InitSha512(Sha512* sha) { - if (sha == NULL) { - return BAD_FUNC_ARG; - } + if (sha == NULL) { + return BAD_FUNC_ARG; + } return InitSha512_fips(sha); } @@ -53,17 +53,17 @@ } int wc_Sha512Update(Sha512* sha, const byte* data, word32 len) { - if (sha == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG; - } + if (sha == NULL || (data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } return Sha512Update_fips(sha, data, len); } int wc_Sha512Final(Sha512* sha, byte* out) { - if (sha == NULL || out == NULL) { - return BAD_FUNC_ARG; - } + if (sha == NULL || out == NULL) { + return BAD_FUNC_ARG; + } return Sha512Final_fips(sha, out); } From 6acd5dafa75274a10781ccd66401612a26d3afd8 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 16 May 2017 10:04:30 -0600 Subject: [PATCH 32/33] Changes from Todd's code review. --- src/keys.c | 6 +-- wolfcrypt/src/sha.c | 22 ++++----- wolfcrypt/src/sha256.c | 18 ++++---- wolfcrypt/src/sha512.c | 102 ++++++++++++++++++++--------------------- 4 files changed, 74 insertions(+), 74 deletions(-) diff --git a/src/keys.c b/src/keys.c index 8ef2285f8..92b03d651 100644 --- a/src/keys.c +++ b/src/keys.c @@ -1153,7 +1153,7 @@ int SetCipherSpecs(WOLFSSL* ssl) } } - if (ssl->options.cipherSuite0 != ECC_BYTE && + if (ssl->options.cipherSuite0 != ECC_BYTE && ssl->options.cipherSuite0 != CHACHA_BYTE && ssl->options.cipherSuite0 != TLS13_BYTE) { /* normal suites */ switch (ssl->options.cipherSuite) { @@ -3108,7 +3108,7 @@ int DeriveKeys(WOLFSSL* ssl) XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN); idx += RAN_LEN; XMEMCPY(shaInput + idx, ssl->arrays->clientRandom, RAN_LEN); - if (ret == 0) { /* ret could be PREFIX_ERROR. */ + if (ret == 0) { ret = wc_ShaUpdate(sha, shaInput, (KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN) - KEY_PREFIX + j); } @@ -3237,7 +3237,7 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) idx += RAN_LEN; XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN); idx += RAN_LEN; - if (ret == 0) { /* ret could be PREFIX_ERROR. */ + if (ret == 0) { ret = wc_ShaUpdate(sha, shaInput, idx); } if (ret == 0) { diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index d6239637e..1affcce6e 100755 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -33,13 +33,13 @@ /* fips wrapper calls, user can call direct */ #ifdef HAVE_FIPS - int wc_InitSha(Sha* sha) - { + int wc_InitSha(Sha* sha) + { if (sha == NULL) { return BAD_FUNC_ARG; } - return InitSha_fips(sha); - } + return InitSha_fips(sha); + } int wc_InitSha_ex(Sha* sha, void* heap, int devId) { (void)heap; @@ -50,20 +50,20 @@ return InitSha_fips(sha); } - int wc_ShaUpdate(Sha* sha, const byte* data, word32 len) - { + int wc_ShaUpdate(Sha* sha, const byte* data, word32 len) + { if (sha == NULL || (data == NULL && len > 0)) { return BAD_FUNC_ARG; } - return ShaUpdate_fips(sha, data, len); - } + return ShaUpdate_fips(sha, data, len); + } - int wc_ShaFinal(Sha* sha, byte* out) - { + int wc_ShaFinal(Sha* sha, byte* out) + { if (sha == NULL || out == NULL) { return BAD_FUNC_ARG; } - return ShaFinal_fips(sha,out); + return ShaFinal_fips(sha,out); } void wc_ShaFree(Sha* sha) { diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index e22406b64..268e30d2a 100755 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -38,9 +38,9 @@ int wc_InitSha256(Sha256* sha) { - if (sha == NULL) { - return BAD_FUNC_ARG; - } + if (sha == NULL) { + return BAD_FUNC_ARG; + } return InitSha256_fips(sha); } int wc_InitSha256_ex(Sha256* sha, void* heap, int devId) @@ -54,16 +54,16 @@ } int wc_Sha256Update(Sha256* sha, const byte* data, word32 len) { - if (sha == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG; - } + if (sha == NULL || (data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } return Sha256Update_fips(sha, data, len); } int wc_Sha256Final(Sha256* sha, byte* out) { - if (sha == NULL || out == NULL) { - return BAD_FUNC_ARG; - } + if (sha == NULL || out == NULL) { + return BAD_FUNC_ARG; + } return Sha256Final_fips(sha, out); } void wc_Sha256Free(Sha256* sha) diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 40e8eb4e3..62364152d 100755 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -36,9 +36,9 @@ #ifdef HAVE_FIPS int wc_InitSha512(Sha512* sha) { - if (sha == NULL) { - return BAD_FUNC_ARG; - } + if (sha == NULL) { + return BAD_FUNC_ARG; + } return InitSha512_fips(sha); } @@ -53,17 +53,17 @@ } int wc_Sha512Update(Sha512* sha, const byte* data, word32 len) { - if (sha == NULL || (data == NULL && len > 0)) { - return BAD_FUNC_ARG; - } + if (sha == NULL || (data == NULL && len > 0)) { + return BAD_FUNC_ARG; + } return Sha512Update_fips(sha, data, len); } int wc_Sha512Final(Sha512* sha, byte* out) { - if (sha == NULL || out == NULL) { - return BAD_FUNC_ARG; - } + if (sha == NULL || out == NULL) { + return BAD_FUNC_ARG; + } return Sha512Final_fips(sha, out); } @@ -322,8 +322,8 @@ static int InitSha512(Sha512* sha512) if(cpuid_flag(7, 0, EBX, 8)) { cpuid_flags |= CPUID_BMI2 ; } if(cpuid_flag(1, 0, ECX, 30)){ cpuid_flags |= CPUID_RDRAND ; } if(cpuid_flag(7, 0, EBX, 18)){ cpuid_flags |= CPUID_RDSEED ; } - cpuid_check = 1 ; - return 0 ; + cpuid_check = 1 ; + return 0 ; } return 1 ; } @@ -412,46 +412,46 @@ static int InitSha512(Sha512* sha512) #endif static const word64 K512[80] = { - W64LIT(0x428a2f98d728ae22), W64LIT(0x7137449123ef65cd), - W64LIT(0xb5c0fbcfec4d3b2f), W64LIT(0xe9b5dba58189dbbc), - W64LIT(0x3956c25bf348b538), W64LIT(0x59f111f1b605d019), - W64LIT(0x923f82a4af194f9b), W64LIT(0xab1c5ed5da6d8118), - W64LIT(0xd807aa98a3030242), W64LIT(0x12835b0145706fbe), - W64LIT(0x243185be4ee4b28c), W64LIT(0x550c7dc3d5ffb4e2), - W64LIT(0x72be5d74f27b896f), W64LIT(0x80deb1fe3b1696b1), - W64LIT(0x9bdc06a725c71235), W64LIT(0xc19bf174cf692694), - W64LIT(0xe49b69c19ef14ad2), W64LIT(0xefbe4786384f25e3), - W64LIT(0x0fc19dc68b8cd5b5), W64LIT(0x240ca1cc77ac9c65), - W64LIT(0x2de92c6f592b0275), W64LIT(0x4a7484aa6ea6e483), - W64LIT(0x5cb0a9dcbd41fbd4), W64LIT(0x76f988da831153b5), - W64LIT(0x983e5152ee66dfab), W64LIT(0xa831c66d2db43210), - W64LIT(0xb00327c898fb213f), W64LIT(0xbf597fc7beef0ee4), - W64LIT(0xc6e00bf33da88fc2), W64LIT(0xd5a79147930aa725), - W64LIT(0x06ca6351e003826f), W64LIT(0x142929670a0e6e70), - W64LIT(0x27b70a8546d22ffc), W64LIT(0x2e1b21385c26c926), - W64LIT(0x4d2c6dfc5ac42aed), W64LIT(0x53380d139d95b3df), - W64LIT(0x650a73548baf63de), W64LIT(0x766a0abb3c77b2a8), - W64LIT(0x81c2c92e47edaee6), W64LIT(0x92722c851482353b), - W64LIT(0xa2bfe8a14cf10364), W64LIT(0xa81a664bbc423001), - W64LIT(0xc24b8b70d0f89791), W64LIT(0xc76c51a30654be30), - W64LIT(0xd192e819d6ef5218), W64LIT(0xd69906245565a910), - W64LIT(0xf40e35855771202a), W64LIT(0x106aa07032bbd1b8), - W64LIT(0x19a4c116b8d2d0c8), W64LIT(0x1e376c085141ab53), - W64LIT(0x2748774cdf8eeb99), W64LIT(0x34b0bcb5e19b48a8), - W64LIT(0x391c0cb3c5c95a63), W64LIT(0x4ed8aa4ae3418acb), - W64LIT(0x5b9cca4f7763e373), W64LIT(0x682e6ff3d6b2b8a3), - W64LIT(0x748f82ee5defb2fc), W64LIT(0x78a5636f43172f60), - W64LIT(0x84c87814a1f0ab72), W64LIT(0x8cc702081a6439ec), - W64LIT(0x90befffa23631e28), W64LIT(0xa4506cebde82bde9), - W64LIT(0xbef9a3f7b2c67915), W64LIT(0xc67178f2e372532b), - W64LIT(0xca273eceea26619c), W64LIT(0xd186b8c721c0c207), - W64LIT(0xeada7dd6cde0eb1e), W64LIT(0xf57d4f7fee6ed178), - W64LIT(0x06f067aa72176fba), W64LIT(0x0a637dc5a2c898a6), - W64LIT(0x113f9804bef90dae), W64LIT(0x1b710b35131c471b), - W64LIT(0x28db77f523047d84), W64LIT(0x32caab7b40c72493), - W64LIT(0x3c9ebe0a15c9bebc), W64LIT(0x431d67c49c100d4c), - W64LIT(0x4cc5d4becb3e42b6), W64LIT(0x597f299cfc657e2a), - W64LIT(0x5fcb6fab3ad6faec), W64LIT(0x6c44198c4a475817) + W64LIT(0x428a2f98d728ae22), W64LIT(0x7137449123ef65cd), + W64LIT(0xb5c0fbcfec4d3b2f), W64LIT(0xe9b5dba58189dbbc), + W64LIT(0x3956c25bf348b538), W64LIT(0x59f111f1b605d019), + W64LIT(0x923f82a4af194f9b), W64LIT(0xab1c5ed5da6d8118), + W64LIT(0xd807aa98a3030242), W64LIT(0x12835b0145706fbe), + W64LIT(0x243185be4ee4b28c), W64LIT(0x550c7dc3d5ffb4e2), + W64LIT(0x72be5d74f27b896f), W64LIT(0x80deb1fe3b1696b1), + W64LIT(0x9bdc06a725c71235), W64LIT(0xc19bf174cf692694), + W64LIT(0xe49b69c19ef14ad2), W64LIT(0xefbe4786384f25e3), + W64LIT(0x0fc19dc68b8cd5b5), W64LIT(0x240ca1cc77ac9c65), + W64LIT(0x2de92c6f592b0275), W64LIT(0x4a7484aa6ea6e483), + W64LIT(0x5cb0a9dcbd41fbd4), W64LIT(0x76f988da831153b5), + W64LIT(0x983e5152ee66dfab), W64LIT(0xa831c66d2db43210), + W64LIT(0xb00327c898fb213f), W64LIT(0xbf597fc7beef0ee4), + W64LIT(0xc6e00bf33da88fc2), W64LIT(0xd5a79147930aa725), + W64LIT(0x06ca6351e003826f), W64LIT(0x142929670a0e6e70), + W64LIT(0x27b70a8546d22ffc), W64LIT(0x2e1b21385c26c926), + W64LIT(0x4d2c6dfc5ac42aed), W64LIT(0x53380d139d95b3df), + W64LIT(0x650a73548baf63de), W64LIT(0x766a0abb3c77b2a8), + W64LIT(0x81c2c92e47edaee6), W64LIT(0x92722c851482353b), + W64LIT(0xa2bfe8a14cf10364), W64LIT(0xa81a664bbc423001), + W64LIT(0xc24b8b70d0f89791), W64LIT(0xc76c51a30654be30), + W64LIT(0xd192e819d6ef5218), W64LIT(0xd69906245565a910), + W64LIT(0xf40e35855771202a), W64LIT(0x106aa07032bbd1b8), + W64LIT(0x19a4c116b8d2d0c8), W64LIT(0x1e376c085141ab53), + W64LIT(0x2748774cdf8eeb99), W64LIT(0x34b0bcb5e19b48a8), + W64LIT(0x391c0cb3c5c95a63), W64LIT(0x4ed8aa4ae3418acb), + W64LIT(0x5b9cca4f7763e373), W64LIT(0x682e6ff3d6b2b8a3), + W64LIT(0x748f82ee5defb2fc), W64LIT(0x78a5636f43172f60), + W64LIT(0x84c87814a1f0ab72), W64LIT(0x8cc702081a6439ec), + W64LIT(0x90befffa23631e28), W64LIT(0xa4506cebde82bde9), + W64LIT(0xbef9a3f7b2c67915), W64LIT(0xc67178f2e372532b), + W64LIT(0xca273eceea26619c), W64LIT(0xd186b8c721c0c207), + W64LIT(0xeada7dd6cde0eb1e), W64LIT(0xf57d4f7fee6ed178), + W64LIT(0x06f067aa72176fba), W64LIT(0x0a637dc5a2c898a6), + W64LIT(0x113f9804bef90dae), W64LIT(0x1b710b35131c471b), + W64LIT(0x28db77f523047d84), W64LIT(0x32caab7b40c72493), + W64LIT(0x3c9ebe0a15c9bebc), W64LIT(0x431d67c49c100d4c), + W64LIT(0x4cc5d4becb3e42b6), W64LIT(0x597f299cfc657e2a), + W64LIT(0x5fcb6fab3ad6faec), W64LIT(0x6c44198c4a475817) }; From cb3b10054d56f4ae32928ae7a1ae32f08fbccf66 Mon Sep 17 00:00:00 2001 From: jrblixt Date: Tue, 16 May 2017 13:13:53 -0600 Subject: [PATCH 33/33] unwanted removal added back. --- wolfcrypt/src/sha512.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 62364152d..cb1fe3aed 100755 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -322,8 +322,8 @@ static int InitSha512(Sha512* sha512) if(cpuid_flag(7, 0, EBX, 8)) { cpuid_flags |= CPUID_BMI2 ; } if(cpuid_flag(1, 0, ECX, 30)){ cpuid_flags |= CPUID_RDRAND ; } if(cpuid_flag(7, 0, EBX, 18)){ cpuid_flags |= CPUID_RDSEED ; } - cpuid_check = 1 ; - return 0 ; + cpuid_check = 1 ; + return 0 ; } return 1 ; }