wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 20:24:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

allow use of RSA signed ECC key certs

Browse Source
This commit is contained in:
Jacob Barthelmeh
2016-02-10 11:02:09 -07:00
parent ff7a9d9f78
commit 2f74706367
7 changed files with 154 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
certs/renewcerts.sh
View File

@@ -94,6 +94,16 @@ function run_renewcerts(){
openssl x509 -in \1024/ca-cert.pem -text > \1024/tmp.pem openssl x509 -in \1024/ca-cert.pem -text > \1024/tmp.pem
mv \1024/tmp.pem \1024/ca-cert.pem mv \1024/tmp.pem \1024/ca-cert.pem
############################################################
########## update the self-signed rsa-signed-ecc-ca.pem ####
############################################################
echo "Updating rsa-signed-ecc-ca.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL\nConsulting_rsa-ecc\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-key.pem -nodes -out ca-rsa-ecc-cert.csr
openssl x509 -req -in ca-rsa-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out rsa-signed-ecc-ca.pem
rm ca-rsa-ecc-cert.csr
########################################################### ###########################################################
########## update and sign server-cert.pem ################ ########## update and sign server-cert.pem ################
########################################################### ###########################################################
@@ -202,6 +212,17 @@ function run_renewcerts(){
openssl x509 -in server-ecc-comp.pem -text > tmp.pem openssl x509 -in server-ecc-comp.pem -text > tmp.pem
mv tmp.pem server-ecc-comp.pem mv tmp.pem server-ecc-comp.pem
############################################################
###### update rsa-signed-ecc-cert.pem ##########
############################################################
echo "Updating rsa-signed-ecc-cert.pem"
echo ""
#pipe the following arguments to openssl req...
echo -e "US\nMontana\nBozeman\nwolfSSL\nConsulting_rsa-ecc\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key rsa-ecc-key.pem -out server-rsa-signed-ecc.csr
openssl req -x509 -in server-rsa-signed-ecc.csr -days 1000 -key ca-key.pem -out rsa-signed-ecc-cert.pem
rm server-rsa-signed-ecc.csr
############################################################ ############################################################
########## make .der files from .pem files ################# ########## make .der files from .pem files #################
############################################################ ############################################################

5
certs/rsa-ecc-key.pem Normal file
View File

@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIIdLUY+7ywLvHw3hXcRh3Yjk2isYn3xRzNzh8PL8c++doAoGCCqGSM49
AwEHoUQDQgAE5N/MA+vrmu1j6+9L9x53MwRlxQVYreEo6GbI08kMZg7Xcdo9wJ06
6EBsqo5FdrTtYLMgKLCtvXAVcwTOj8wA9A==
-----END EC PRIVATE KEY-----

28
certs/rsa-signed-ecc-ca.pem Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN CERTIFICATE-----
MIIEwTCCA6mgAwIBAgIJANSPE5wECQHCMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD
VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4G
A1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgwFgYD
VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
bC5jb20wHhcNMTYwMjEwMTc0NjMxWhcNMTgxMTA2MTc0NjMxWjCBmzELMAkGA1UE
BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNV
BAoMB3dvbGZTU0wxGzAZBgNVBAsMEkNvbnN1bHRpbmdfcnNhLWVjYzEYMBYGA1UE
AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwzKLRSyHoRCW804
H0ryTXUQ8bY1n9/KfQOY06zeA2buKvHYsH1uB1QLEJghTYDLEiDnzE/eRX3Jcncy
6sqQu2lSEAMvqPOVxfGLYlYb72dvpBBBla0Km+OlwLDScHZQMFuo6AgsfO2nonqN
OCkcrMft8nyVsJWCfUlcOM13Je+9gHVTlDw9ymNbnxW10x0TLxnRPNt2Osy4fcnl
wtfaQG/YIdxzG0ItU5z+Gvx9q3o2P5jehHwFZ85qFDiHqfGMtWjLaH9xICv1oGP1
Vi+jJtK3b7FaF9c4mQj+k1hv/sMTSQgWC6dNZwBSMWcjTpjtUUUduQTZC+zYKLNL
ve02eQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFCeOZxF0wyYdP+0zY7Ok2B0w5ejV
MIHQBgNVHSMEgcgwgcWAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGhpIGeMIGbMQsw
CQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQ
MA4GA1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgw
FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
ZnNzbC5jb22CCQDUjxOcBAkBwjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
A4IBAQCInkcGU17ednsQj9aUge/19pr8hTvIyOgSjo6jeyNFYR3dwtSCyiNp+3xy
0751Qr3bsZFypZ6KYdq262592jS1FCA8PPT0lj2b+rs7ltt0+SWwNa5gd53i6bqL
F2eGuJxB8+eaYCNtvHb+vVt4wE+xc4arEXohNOK98Ue8a1z4t5GJgld2qIO596fC
5AF51wT2W+nmkPD8Uc57qbT0dGcYMrbV1CEzRznKlEM7/lwQzosanq2WAej/LuoK
E7fFK/HsKmGNo5h9xmp8Mffrhv/FtNY8goOzGgGVLIBEJhhAXdxMD7StDJ/wO4Yn
YVhUYNYXHRfLqlfrOKTlpom0tSTm
-----END CERTIFICATE-----

20
certs/rsa-signed-ecc-cert.pem Normal file
View File

@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIJAIsWzJR4pzZ8MA0GCSqGSIb3DQEBCwUAMIGbMQswCQYD
VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4G
A1UECgwHd29sZlNTTDEbMBkGA1UECwwSQ29uc3VsdGluZ19yc2EtZWNjMRgwFgYD
VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
bC5jb20wHhcNMTYwMjEwMTc0NjMxWhcNMTgxMTA2MTc0NjMxWjCBmzELMAkGA1UE
BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNV
BAoMB3dvbGZTU0wxGzAZBgNVBAsMEkNvbnN1bHRpbmdfcnNhLWVjYzEYMBYGA1UE
AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5N/MA+vrmu1j6+9L9x53MwRl
xQVYreEo6GbI08kMZg7Xcdo9wJ066EBsqo5FdrTtYLMgKLCtvXAVcwTOj8wA9KNQ
ME4wHQYDVR0OBBYEFJG5qzs7kKdpUhrSzNazXAYADDbDMB8GA1UdIwQYMBaAFJG5
qzs7kKdpUhrSzNazXAYADDbDMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
ggEBAE6wOs43QszCln/y1KlG6AQz2KhnW+qWLhc7tfjHxAzH3OjgSPZ2nbVfE0w9
PKakWrbOYfDpMAPH4HHwbQpwJ6glHYb/ARqcRDobj8Myx4OKG7UsIRjwnyQl0BhR
sx1V1ATnNeJ/LEKm3PdO3OvfnyHUwSeH2iA8bXfpIE1jUirsbA/pAA88vJ04u4fC
uCFWQqpoCZSxqDqT4kBqKjbcfPR/2jP5XxbTbfboSdyZ6Zx2P7/AuoWgW/Nxej2P
up0rgYptHMbN+UPvjg6z2WPadC1gmJ81HEag5Mx9kl1HyDavUN/pgX+9eGYuKR5J
wJ9nFJSlBHlndOp+CSUHtI0cw1M=
-----END CERTIFICATE-----

93
src/internal.c
View File

@@ -524,6 +524,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method)
#ifdef HAVE_ECC #ifdef HAVE_ECC
if (method->side == WOLFSSL_CLIENT_END) { if (method->side == WOLFSSL_CLIENT_END) {
ctx->haveECDSAsig = 1; /* always on cliet side */ ctx->haveECDSAsig = 1; /* always on cliet side */
ctx->haveECC = 1; /* server turns on with ECC key cert */
ctx->haveStaticECC = 1; /* server can turn on by loading key */ ctx->haveStaticECC = 1; /* server can turn on by loading key */
} }
#endif #endif
@@ -801,7 +802,8 @@ static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig,
void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
word16 havePSK, word16 haveDH, word16 haveNTRU, word16 havePSK, word16 haveDH, word16 haveNTRU,
word16 haveECDSAsig, word16 haveStaticECC, int side) word16 haveECDSAsig, word16 haveECC,
word16 haveStaticECC, int side)
{ {
word16 idx = 0; word16 idx = 0;
int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
@@ -889,14 +891,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
if (tls1_2 && haveECDSAsig) { if (tls1_2 && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
} }
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
if (tls1_2 && haveECDSAsig) { if (tls1_2 && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
} }
@@ -945,14 +947,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
if (tls1_2 && haveECDSAsig && haveStaticECC) { if (tls1_2 && haveECC && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384;
} }
#endif #endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
if (tls1_2 && haveECDSAsig && haveStaticECC) { if (tls1_2 && haveECC && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256;
} }
@@ -1001,7 +1003,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
if (tls1_2 && haveECDSAsig) { if (tls1_2 && haveECC) {
suites->suites[idx++] = CHACHA_BYTE; suites->suites[idx++] = CHACHA_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256;
} }
@@ -1029,7 +1031,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
if (tls1_2 && haveECDSAsig) { if (tls1_2 && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
} }
@@ -1043,7 +1045,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
if (tls1_2 && haveECDSAsig && haveStaticECC) { if (tls1_2 && haveECC && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256;
} }
@@ -1057,7 +1059,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
if (tls1_2 && haveECDSAsig) { if (tls1_2 && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
} }
@@ -1071,63 +1073,63 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
if (tls1_2 && haveECDSAsig && haveStaticECC) { if (tls1_2 && haveECC && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384;
} }
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
if (tls && haveECDSAsig) { if (tls && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
} }
#endif #endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
if (tls && haveECDSAsig && haveStaticECC) { if (tls && haveECC && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA;
} }
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
if (tls && haveECDSAsig) { if (tls && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA;
} }
#endif #endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
if (tls && haveECDSAsig && haveStaticECC) { if (tls && haveECC && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA;
} }
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
if (!dtls && tls && haveECDSAsig) { if (!dtls && tls && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA;
} }
#endif #endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
if (!dtls && tls && haveECDSAsig && haveStaticECC) { if (!dtls && tls && haveECC && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA;
} }
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
if (tls && haveECDSAsig) { if (tls && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA;
} }
#endif #endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
if (tls && haveECDSAsig && haveStaticECC) { if (tls && haveECC && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA;
} }
@@ -1190,14 +1192,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
if (tls1_2 && haveECDSAsig) { if (tls1_2 && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
} }
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
if (tls1_2 && haveECDSAsig) { if (tls1_2 && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8;
} }
@@ -1274,7 +1276,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256
if (tls1_2 && haveECDSAsig) { if (tls1_2 && haveECC) {
suites->suites[idx++] = CHACHA_BYTE; suites->suites[idx++] = CHACHA_BYTE;
suites->suites[idx++] = suites->suites[idx++] =
TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256; TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256;
@@ -1296,7 +1298,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif #endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
if (tls && haveECDSAsig) { if (tls && haveECC) {
suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA;
} }
@@ -1817,6 +1819,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->options.haveNTRU = ctx->haveNTRU; ssl->options.haveNTRU = ctx->haveNTRU;
ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveECDSAsig = ctx->haveECDSAsig;
ssl->options.haveECC = ctx->haveECC;
ssl->options.haveStaticECC = ctx->haveStaticECC; ssl->options.haveStaticECC = ctx->haveStaticECC;
#ifndef NO_PSK #ifndef NO_PSK
@@ -1880,12 +1883,13 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
if (ssl->options.side == WOLFSSL_SERVER_END) if (ssl->options.side == WOLFSSL_SERVER_END)
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.side); ssl->options.haveStaticECC, ssl->options.side);
else else
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE, InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE,
ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.side);
#ifndef NO_CERTS #ifndef NO_CERTS
/* make sure server has cert and key unless using PSK or Anon /* make sure server has cert and key unless using PSK or Anon
@@ -3786,7 +3790,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
enum { enum {
REQUIRES_RSA, REQUIRES_RSA,
REQUIRES_DHE, REQUIRES_DHE,
REQUIRES_ECC_DSA, REQUIRES_ECC,
REQUIRES_ECC_STATIC, REQUIRES_ECC_STATIC,
REQUIRES_PSK, REQUIRES_PSK,
REQUIRES_NTRU, REQUIRES_NTRU,
@@ -3811,7 +3815,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
break; break;
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
@@ -3828,7 +3832,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
break; break;
case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
@@ -3908,7 +3912,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
#ifndef NO_DES3 #ifndef NO_DES3
case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
@@ -3919,7 +3923,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
#endif #endif
#ifndef NO_RC4 #ifndef NO_RC4
case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
@@ -3943,7 +3947,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
#endif #endif
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
@@ -3953,7 +3957,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
break; break;
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
@@ -3963,12 +3967,12 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
break; break;
case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
@@ -4034,19 +4038,19 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 :
case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 :
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 :
case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
if (requirement == REQUIRES_ECC_STATIC) if (requirement == REQUIRES_ECC_STATIC)
return 1; return 1;
@@ -4069,7 +4073,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
break; break;
case TLS_ECDHE_ECDSA_WITH_NULL_SHA : case TLS_ECDHE_ECDSA_WITH_NULL_SHA :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC)
return 1; return 1;
break; break;
@@ -15724,9 +15728,9 @@ int DoSessionTicket(WOLFSSL* ssl,
} }
} }
if (CipherRequires(first, second, REQUIRES_ECC_DSA)) { if (CipherRequires(first, second, REQUIRES_ECC)) {
WOLFSSL_MSG("Requires ECCDSA"); WOLFSSL_MSG("Requires ECCDSA");
if (ssl->options.haveECDSAsig == 0) { if (ssl->options.haveECC == 0) {
WOLFSSL_MSG("Don't have ECCDSA"); WOLFSSL_MSG("Don't have ECCDSA");
return 0; return 0;
} }
@@ -15808,6 +15812,7 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ssl->suites->suites[i] == peerSuites->suites[j] && if (ssl->suites->suites[i] == peerSuites->suites[j] &&
ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) { ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) {
WOLFSSL_MSG("found one suite match");
if (VerifyServerSuite(ssl, i)) { if (VerifyServerSuite(ssl, i)) {
int result; int result;
WOLFSSL_MSG("Verified suite validity"); WOLFSSL_MSG("Verified suite validity");
@@ -15913,8 +15918,8 @@ int DoSessionTicket(WOLFSSL* ssl,
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.side); ssl->options.haveStaticECC, ssl->options.side);
} }
/* suite size */ /* suite size */
@@ -16121,8 +16126,8 @@ int DoSessionTicket(WOLFSSL* ssl,
#endif #endif
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.side); ssl->options.haveStaticECC, ssl->options.side);
} }
/* random */ /* random */

38
src/ssl.c
View File

@@ -515,7 +515,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
#endif #endif
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH,
ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.side);
WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0);
return SSL_SUCCESS; return SSL_SUCCESS;
@@ -2059,7 +2060,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH, InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, ssl->options.haveDH,
ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveECC, ssl->options.haveStaticECC,
ssl->options.side);
return SSL_SUCCESS; return SSL_SUCCESS;
} }
@@ -3182,10 +3184,26 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} }
#ifdef HAVE_ECC #ifdef HAVE_ECC
if (ctx) if (ctx) {
ctx->pkCurveOID = cert->pkCurveOID; ctx->pkCurveOID = cert->pkCurveOID;
if (ssl) #ifndef WC_STRICT_SIG
if (cert->keyOID == ECDSAk) {
ctx->haveECC = 1;
}
#else
ctx->haveECC = ctx->haveECDSAsig;
#endif
}
if (ssl) {
ssl->pkCurveOID = cert->pkCurveOID; ssl->pkCurveOID = cert->pkCurveOID;
#ifndef WC_STRICT_SIG
if (cert->keyOID == ECDSAk) {
ssl->options.haveECC = 1;
}
#else
ssl->options.haveECC = ssl->options.haveECDSAsig;
#endif
}
#endif #endif
FreeDecodedCert(cert); FreeDecodedCert(cert);
@@ -7180,8 +7198,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
#endif #endif
InitSuites(ssl->suites, ssl->version, haveRSA, TRUE, InitSuites(ssl->suites, ssl->version, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.side); ssl->options.haveStaticECC, ssl->options.side);
} }
@@ -7207,8 +7225,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
#endif #endif
InitSuites(ssl->suites, ssl->version, haveRSA, TRUE, InitSuites(ssl->suites, ssl->version, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.side); ssl->options.haveStaticECC, ssl->options.side);
} }
@@ -7613,8 +7631,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
#endif #endif
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.side); ssl->options.haveStaticECC, ssl->options.side);
} }
#endif #endif

4
wolfssl/internal.h
View File

@@ -1302,7 +1302,7 @@ typedef struct Suites {
WOLFSSL_LOCAL WOLFSSL_LOCAL
void InitSuites(Suites*, ProtocolVersion, word16, word16, word16, word16, void InitSuites(Suites*, ProtocolVersion, word16, word16, word16, word16,
word16, word16, int); word16, word16, word16, int);
WOLFSSL_LOCAL WOLFSSL_LOCAL
int SetCipherList(Suites*, const char* list); int SetCipherList(Suites*, const char* list);
@@ -1823,6 +1823,7 @@ struct WOLFSSL_CTX {
byte sessionCacheFlushOff; byte sessionCacheFlushOff;
byte sendVerify; /* for client side */ byte sendVerify; /* for client side */
byte haveRSA; /* RSA available */ byte haveRSA; /* RSA available */
byte haveECC; /* ECC available */
byte haveDH; /* server DH parms set by user */ byte haveDH; /* server DH parms set by user */
byte haveNTRU; /* server private NTRU key loaded */ byte haveNTRU; /* server private NTRU key loaded */
byte haveECDSAsig; /* server cert signed w/ ECDSA */ byte haveECDSAsig; /* server cert signed w/ ECDSA */
@@ -2230,6 +2231,7 @@ typedef struct Options {
word16 sentNotify:1; /* we've sent a close notify */ word16 sentNotify:1; /* we've sent a close notify */
word16 usingCompression:1; /* are we using compression */ word16 usingCompression:1; /* are we using compression */
word16 haveRSA:1; /* RSA available */ word16 haveRSA:1; /* RSA available */
word16 haveECC:1; /* ECC available */
word16 haveDH:1; /* server DH parms set by user */ word16 haveDH:1; /* server DH parms set by user */
word16 haveNTRU:1; /* server NTRU private key loaded */ word16 haveNTRU:1; /* server NTRU private key loaded */
word16 haveQSH:1; /* have QSH ability */ word16 haveQSH:1; /* have QSH ability */