From 2f747063671fa95ef365360c822b53e1e41e772a Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 10 Feb 2016 11:02:09 -0700 Subject: [PATCH] allow use of RSA signed ECC key certs --- certs/renewcerts.sh | 21 ++++++++ certs/rsa-ecc-key.pem | 5 ++ certs/rsa-signed-ecc-ca.pem | 28 +++++++++++ certs/rsa-signed-ecc-cert.pem | 20 ++++++++ src/internal.c | 93 ++++++++++++++++++----------------- src/ssl.c | 38 ++++++++++---- wolfssl/internal.h | 4 +- 7 files changed, 154 insertions(+), 55 deletions(-) create mode 100644 certs/rsa-ecc-key.pem create mode 100644 certs/rsa-signed-ecc-ca.pem create mode 100644 certs/rsa-signed-ecc-cert.pem diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index da7fbe49a..081e63c70 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -94,6 +94,16 @@ function run_renewcerts(){ openssl x509 -in \1024/ca-cert.pem -text > \1024/tmp.pem mv \1024/tmp.pem \1024/ca-cert.pem + ############################################################ + ########## update the self-signed rsa-signed-ecc-ca.pem #### + ############################################################ + echo "Updating rsa-signed-ecc-ca.pem" + echo "" + #pipe the following arguments to openssl req... + echo -e "US\nMontana\nBozeman\nwolfSSL\nConsulting_rsa-ecc\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -nodes -out ca-rsa-ecc-cert.csr + + openssl x509 -req -in ca-rsa-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out rsa-signed-ecc-ca.pem + rm ca-rsa-ecc-cert.csr ########################################################### ########## update and sign server-cert.pem ################ ########################################################### @@ -202,6 +212,17 @@ function run_renewcerts(){ openssl x509 -in server-ecc-comp.pem -text > tmp.pem mv tmp.pem server-ecc-comp.pem + ############################################################ + ###### update rsa-signed-ecc-cert.pem ########## + ############################################################ + echo "Updating rsa-signed-ecc-cert.pem" + echo "" + #pipe the following arguments to openssl req... + echo -e "US\nMontana\nBozeman\nwolfSSL\nConsulting_rsa-ecc\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key rsa-ecc-key.pem -out server-rsa-signed-ecc.csr + + + openssl req -x509 -in server-rsa-signed-ecc.csr -days 1000 -key ca-key.pem -out rsa-signed-ecc-cert.pem + rm server-rsa-signed-ecc.csr ############################################################ ########## make .der files from .pem files ################# ############################################################ diff --git a/certs/rsa-ecc-key.pem b/certs/rsa-ecc-key.pem new file mode 100644 index 000000000..38052fc0d --- /dev/null +++ b/certs/rsa-ecc-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIdLUY+7ywLvHw3hXcRh3Yjk2isYn3xRzNzh8PL8c++doAoGCCqGSM49 +AwEHoUQDQgAE5N/MA+vrmu1j6+9L9x53MwRlxQVYreEo6GbI08kMZg7Xcdo9wJ06 +6EBsqo5FdrTtYLMgKLCtvXAVcwTOj8wA9A== +-----END EC PRIVATE KEY----- diff --git a/certs/rsa-signed-ecc-ca.pem b/certs/rsa-signed-ecc-ca.pem new file mode 100644 index 000000000..439c6f74e --- /dev/null +++ b/certs/rsa-signed-ecc-ca.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEwTCCA6mgAwIBAgIJANSPE5wECQHCMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4G +A1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgwFgYD +VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz +bC5jb20wHhcNMTYwMjEwMTc0NjMxWhcNMTgxMTA2MTc0NjMxWjCBmzELMAkGA1UE +BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNV +BAoMB3dvbGZTU0wxGzAZBgNVBAsMEkNvbnN1bHRpbmdfcnNhLWVjYzEYMBYGA1UE +AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804 +H0ryTXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy +6sqQu2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqN +OCkcrMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnl +wtfaQG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1 +Vi+jJtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNL +ve02eQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejV +MIHQBgNVHSMEgcgwgcWAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGhpIGeMIGbMQsw +CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQ +MA4GA1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgw +FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s +ZnNzbC5jb22CCQDUjxOcBAkBwjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQCInkcGU17ednsQj9aUge/19pr8hTvIyOgSjo6jeyNFYR3dwtSCyiNp+3xy +0751Qr3bsZFypZ6KYdq262592jS1FCA8PPT0lj2b+rs7ltt0+SWwNa5gd53i6bqL +F2eGuJxB8+eaYCNtvHb+vVt4wE+xc4arEXohNOK98Ue8a1z4t5GJgld2qIO596fC +5AF51wT2W+nmkPD8Uc57qbT0dGcYMrbV1CEzRznKlEM7/lwQzosanq2WAej/LuoK +E7fFK/HsKmGNo5h9xmp8Mffrhv/FtNY8goOzGgGVLIBEJhhAXdxMD7StDJ/wO4Yn +YVhUYNYXHRfLqlfrOKTlpom0tSTm +-----END CERTIFICATE----- diff --git a/certs/rsa-signed-ecc-cert.pem b/certs/rsa-signed-ecc-cert.pem new file mode 100644 index 000000000..95740b6c4 --- /dev/null +++ b/certs/rsa-signed-ecc-cert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIJAIsWzJR4pzZ8MA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4G +A1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgwFgYD +VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz +bC5jb20wHhcNMTYwMjEwMTc0NjMxWhcNMTgxMTA2MTc0NjMxWjCBmzELMAkGA1UE +BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNV +BAoMB3dvbGZTU0wxGzAZBgNVBAsMEkNvbnN1bHRpbmdfcnNhLWVjYzEYMBYGA1UE +AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5N/MA+vrmu1j6+9L9x53MwRl +xQVYreEo6GbI08kMZg7Xcdo9wJ066EBsqo5FdrTtYLMgKLCtvXAVcwTOj8wA9KNQ +ME4wHQYDVR0OBBYEFJG5qzs7kKdpUhrSzNazXAYADDbDMB8GA1UdIwQYMBaAFJG5 +qzs7kKdpUhrSzNazXAYADDbDMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD +ggEBAE6wOs43QszCln/y1KlG6AQz2KhnW+qWLhc7tfjHxAzH3OjgSPZ2nbVfE0w9 +PKakWrbOYfDpMAPH4HHwbQpwJ6glHYb/ARqcRDobj8Myx4OKG7UsIRjwnyQl0BhR +sx1V1ATnNeJ/LEKm3PdO3OvfnyHUwSeH2iA8bXfpIE1jUirsbA/pAA88vJ04u4fC +uCFWQqpoCZSxqDqT4kBqKjbcfPR/2jP5XxbTbfboSdyZ6Zx2P7/AuoWgW/Nxej2P +up0rgYptHMbN+UPvjg6z2WPadC1gmJ81HEag5Mx9kl1HyDavUN/pgX+9eGYuKR5J +wJ9nFJSlBHlndOp+CSUHtI0cw1M= +-----END CERTIFICATE----- diff --git a/src/internal.c b/src/internal.c index 809011de4..babe2118f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -524,6 +524,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method) #ifdef HAVE_ECC if (method->side == WOLFSSL_CLIENT_END) { ctx->haveECDSAsig = 1; /* always on cliet side */ + ctx->haveECC = 1; /* server turns on with ECC key cert */ ctx->haveStaticECC = 1; /* server can turn on by loading key */ } #endif @@ -801,7 +802,8 @@ static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, word16 havePSK, word16 haveDH, word16 haveNTRU, - word16 haveECDSAsig, word16 haveStaticECC, int side) + word16 haveECDSAsig, word16 haveECC, + word16 haveStaticECC, int side) { word16 idx = 0; int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; @@ -889,14 +891,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; } @@ -945,14 +947,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECDSAsig && haveStaticECC) { + if (tls1_2 && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECDSAsig && haveStaticECC) { + if (tls1_2 && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; } @@ -1001,7 +1003,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = CHACHA_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256; } @@ -1029,7 +1031,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; } @@ -1043,7 +1045,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - if (tls1_2 && haveECDSAsig && haveStaticECC) { + if (tls1_2 && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256; } @@ -1057,7 +1059,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384; } @@ -1071,63 +1073,63 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - if (tls1_2 && haveECDSAsig && haveStaticECC) { + if (tls1_2 && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECDSAsig) { + if (tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECDSAsig && haveStaticECC) { + if (tls && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECDSAsig) { + if (tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECDSAsig && haveStaticECC) { + if (tls && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - if (!dtls && tls && haveECDSAsig) { + if (!dtls && tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - if (!dtls && tls && haveECDSAsig && haveStaticECC) { + if (!dtls && tls && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECDSAsig) { + if (tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECDSAsig && haveStaticECC) { + if (tls && haveECC && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA; } @@ -1190,14 +1192,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8; } @@ -1274,7 +1276,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 - if (tls1_2 && haveECDSAsig) { + if (tls1_2 && haveECC) { suites->suites[idx++] = CHACHA_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256; @@ -1296,7 +1298,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA - if (tls && haveECDSAsig) { + if (tls && haveECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA; } @@ -1817,6 +1819,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->options.haveNTRU = ctx->haveNTRU; ssl->options.haveECDSAsig = ctx->haveECDSAsig; + ssl->options.haveECC = ctx->haveECC; ssl->options.haveStaticECC = ctx->haveStaticECC; #ifndef NO_PSK @@ -1880,12 +1883,13 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) if (ssl->options.side == WOLFSSL_SERVER_END) InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); else InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE, ssl->options.haveNTRU, ssl->options.haveECDSAsig, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.side); #ifndef NO_CERTS /* make sure server has cert and key unless using PSK or Anon @@ -3786,7 +3790,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) enum { REQUIRES_RSA, REQUIRES_DHE, - REQUIRES_ECC_DSA, + REQUIRES_ECC, REQUIRES_ECC_STATIC, REQUIRES_PSK, REQUIRES_NTRU, @@ -3811,7 +3815,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3828,7 +3832,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3908,7 +3912,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #ifndef NO_DES3 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3919,7 +3923,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #endif #ifndef NO_RC4 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3943,7 +3947,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #endif case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3953,7 +3957,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -3963,12 +3967,12 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -4034,19 +4038,19 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; if (requirement == REQUIRES_ECC_STATIC) return 1; @@ -4069,7 +4073,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; case TLS_ECDHE_ECDSA_WITH_NULL_SHA : - if (requirement == REQUIRES_ECC_DSA) + if (requirement == REQUIRES_ECC) return 1; break; @@ -15724,9 +15728,9 @@ int DoSessionTicket(WOLFSSL* ssl, } } - if (CipherRequires(first, second, REQUIRES_ECC_DSA)) { + if (CipherRequires(first, second, REQUIRES_ECC)) { WOLFSSL_MSG("Requires ECCDSA"); - if (ssl->options.haveECDSAsig == 0) { + if (ssl->options.haveECC == 0) { WOLFSSL_MSG("Don't have ECCDSA"); return 0; } @@ -15808,6 +15812,7 @@ int DoSessionTicket(WOLFSSL* ssl, if (ssl->suites->suites[i] == peerSuites->suites[j] && ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) { + WOLFSSL_MSG("found one suite match"); if (VerifyServerSuite(ssl, i)) { int result; WOLFSSL_MSG("Verified suite validity"); @@ -15913,8 +15918,8 @@ int DoSessionTicket(WOLFSSL* ssl, InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } /* suite size */ @@ -16121,8 +16126,8 @@ int DoSessionTicket(WOLFSSL* ssl, #endif InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } /* random */ diff --git a/src/ssl.c b/src/ssl.c index 8f6f7fd20..4973ac80a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -515,7 +515,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, #endif InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.side); WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); return SSL_SUCCESS; @@ -2059,7 +2060,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version) InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, - ssl->options.haveStaticECC, ssl->options.side); + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.side); return SSL_SUCCESS; } @@ -3182,10 +3184,26 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, } #ifdef HAVE_ECC - if (ctx) + if (ctx) { ctx->pkCurveOID = cert->pkCurveOID; - if (ssl) + #ifndef WC_STRICT_SIG + if (cert->keyOID == ECDSAk) { + ctx->haveECC = 1; + } + #else + ctx->haveECC = ctx->haveECDSAsig; + #endif + } + if (ssl) { ssl->pkCurveOID = cert->pkCurveOID; + #ifndef WC_STRICT_SIG + if (cert->keyOID == ECDSAk) { + ssl->options.haveECC = 1; + } + #else + ssl->options.haveECC = ssl->options.haveECDSAsig; + #endif + } #endif FreeDecodedCert(cert); @@ -7180,8 +7198,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif InitSuites(ssl->suites, ssl->version, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } @@ -7207,8 +7225,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif InitSuites(ssl->suites, ssl->version, haveRSA, TRUE, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } @@ -7613,8 +7631,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); + ssl->options.haveECDSAsig, ssl->options.haveECC, + ssl->options.haveStaticECC, ssl->options.side); } #endif diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 4c4edb962..bb835db98 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1302,7 +1302,7 @@ typedef struct Suites { WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, word16, word16, word16, word16, - word16, word16, int); + word16, word16, word16, int); WOLFSSL_LOCAL int SetCipherList(Suites*, const char* list); @@ -1823,6 +1823,7 @@ struct WOLFSSL_CTX { byte sessionCacheFlushOff; byte sendVerify; /* for client side */ byte haveRSA; /* RSA available */ + byte haveECC; /* ECC available */ byte haveDH; /* server DH parms set by user */ byte haveNTRU; /* server private NTRU key loaded */ byte haveECDSAsig; /* server cert signed w/ ECDSA */ @@ -2230,6 +2231,7 @@ typedef struct Options { word16 sentNotify:1; /* we've sent a close notify */ word16 usingCompression:1; /* are we using compression */ word16 haveRSA:1; /* RSA available */ + word16 haveECC:1; /* ECC available */ word16 haveDH:1; /* server DH parms set by user */ word16 haveNTRU:1; /* server NTRU private key loaded */ word16 haveQSH:1; /* have QSH ability */