From a5072d09aec9e1ebcc09cf8f2ba9b83e0730f833 Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Mon, 23 Mar 2015 02:21:34 -0400 Subject: [PATCH 01/35] Ignore Visual Studio Intellisense files --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 66072cd2f..e712a00ef 100644 --- a/.gitignore +++ b/.gitignore @@ -14,6 +14,9 @@ config* *Release/ *.ncb *.suo +*.sdf +*.opensdf +ipch/ build-aux/ rpm/spec stamp-h From a24a22670c8f9ae0c4ba823a1853d7eea0ebe27b Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Tue, 31 Mar 2015 09:42:32 -0600 Subject: [PATCH 02/35] fix configure help string for arc4, chacha, poly1305 --- configure.ac | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 1aca401dc..babb4d214 100644 --- a/configure.ac +++ b/configure.ac @@ -426,7 +426,7 @@ AM_CONDITIONAL([BUILD_AESNI], [test "x$ENABLED_AESNI" = "xyes"]) # POLY1305 AC_ARG_ENABLE([poly1305], - [AS_HELP_STRING([--enable-poly1305],[Enable wolfSSL POLY1305 support (default: disabled)])], + [AS_HELP_STRING([--enable-poly1305],[Enable wolfSSL POLY1305 support (default: enabled)])], [ ENABLED_POLY1305=$enableval ], [ ENABLED_POLY1305=yes ] ) @@ -1027,7 +1027,7 @@ AM_CONDITIONAL([BUILD_DES3], [test "x$ENABLED_DES3" = "xyes"]) # ARC4 AC_ARG_ENABLE([arc4], - [ --enable-arc4 Enable ARC4 (default: enabled)], + [ --enable-arc4 Enable ARC4 (default: disabled)], [ ENABLED_ARC4=$enableval ], [ ENABLED_ARC4=no ] ) @@ -1156,7 +1156,7 @@ AM_CONDITIONAL([BUILD_RABBIT], [test "x$ENABLED_RABBIT" = "xyes"]) # CHACHA AC_ARG_ENABLE([chacha], - [ --enable-chacha Enable CHACHA (default: disabled)], + [ --enable-chacha Enable CHACHA (default: enabled)], [ ENABLED_CHACHA=$enableval ], [ ENABLED_CHACHA=yes ] ) From 0458e212111882856ec85191bd92d802134c6f1c Mon Sep 17 00:00:00 2001 
From: John Safranek Date: Tue, 31 Mar 2015 09:51:55 -0700 Subject: [PATCH 03/35] 1. In the sniffer, replace call to strnlen with strlen and accounted for size differences (fixes issue #60) 2. fixed overrun with long SNI names in hello messages --- src/sniffer.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/sniffer.c b/src/sniffer.c index 0e81a8674..58dfa4b0b 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -1075,8 +1075,12 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port, } XMEMSET(namedKey, 0, sizeof(NamedKey)); - namedKey->nameSz = (word32)strnlen(name, sizeof(namedKey->name)); - strncpy(namedKey->name, name, sizeof(namedKey->name)); + namedKey->nameSz = (word32)XSTRLEN(name); + XSTRNCPY(namedKey->name, name, sizeof(namedKey->name)); + if (namedKey->nameSz >= sizeof(namedKey->name)) { + namedKey->nameSz = sizeof(namedKey->name) - 1; + namedKey->name[namedKey->nameSz] = '\0'; + } ret = LoadKeyFile(&namedKey->key, &namedKey->keySz, keyFile, type, password); @@ -1578,6 +1582,8 @@ static int ProcessClientHello(const byte* input, int* sslBytes, if (ret == SSL_SUCCESS) { NamedKey* namedKey; + if (nameSz >= sizeof(name)) + nameSz = sizeof(name) - 1; name[nameSz] = 0; LockMutex(&session->context->namedKeysMutex); namedKey = session->context->namedKeys; From 175fd5ce17b71ec62153cc463ac85bc3fbc83d7c Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 31 Mar 2015 10:24:57 -0700 Subject: [PATCH 04/35] updated rpm/spec.in --- rpm/spec.in | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/rpm/spec.in b/rpm/spec.in index cda6e79b2..a68ab9c39 100644 --- a/rpm/spec.in +++ b/rpm/spec.in @@ -69,7 +69,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/libwolfssl.la %{_libdir}/libwolfssl.so %{_libdir}/libwolfssl.so.0 -%{_libdir}/libwolfssl.so.0.0.0 +%{_libdir}/libwolfssl.so.0.0.1 %files devel %defattr(-,root,root,-) 
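Review bot: A `name` longer than the buffer is cut to `sizeof(namedKey->name) - 1` bytes and the key is still registered, so two long server names that share that prefix end up as the same entry. The second hunk clamps the SNI taken from the ClientHello the same way before it is compared, which means a truncated hello name can match a truncated registered name that belongs to a different host. Rejecting the over-long name up front would avoid that, for example `if (XSTRLEN(name) >= sizeof(namedKey->name)) { /* release namedKey and return the function's error code */ }`. The error path of SetNamedPrivateKey lies outside the hunk, so the exact cleanup has to follow what the rest of the function does.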
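Review bot: The clamp added in ProcessClientHello protects only the terminator write `name[nameSz] = 0;`. The code that fills `name` runs before `if (ret == SSL_SUCCESS)` and is outside this hunk, so it cannot be confirmed from here that the copy itself is limited to `sizeof(name) - 1` bytes. If that call takes the buffer size as an argument, a short comment such as `/* nameSz is clamped for the terminator only; the copy into name is bounded by the call above */` would record the assumption. The new `if` also has an unbraced body in security-sensitive parsing code; `if (nameSz >= sizeof(name)) { nameSz = sizeof(name) - 1; }` is less likely to be broken by a later edit.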
@@ -174,14 +174,19 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/wolfssl/wolfcrypt/blake2.h %{_includedir}/wolfssl/wolfcrypt/camellia.h %{_includedir}/wolfssl/wolfcrypt/chacha.h +%{_includedir}/wolfssl/wolfcrypt/chacha20_poly1305.h %{_includedir}/wolfssl/wolfcrypt/coding.h %{_includedir}/wolfssl/wolfcrypt/compress.h +%{_includedir}/wolfssl/wolfcrypt/curve25519.h %{_includedir}/wolfssl/wolfcrypt/des3.h %{_includedir}/wolfssl/wolfcrypt/dh.h %{_includedir}/wolfssl/wolfcrypt/dsa.h %{_includedir}/wolfssl/wolfcrypt/ecc.h +%{_includedir}/wolfssl/wolfcrypt/ed25519.h %{_includedir}/wolfssl/wolfcrypt/error-crypt.h +%{_includedir}/wolfssl/wolfcrypt/fe_operations.h %{_includedir}/wolfssl/wolfcrypt/fips_test.h +%{_includedir}/wolfssl/wolfcrypt/ge_operations.h %{_includedir}/wolfssl/wolfcrypt/hc128.h %{_includedir}/wolfssl/wolfcrypt/hmac.h %{_includedir}/wolfssl/wolfcrypt/integer.h @@ -251,6 +256,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/pkgconfig/wolfssl.pc %changelog +* Tue Mar 31 2015 John Safranek +- Added recent new wolfcrypt headers for curve25519 * Fri Jan 09 2015 John Safranek - Update for cyassl->wolfssl name change * Fri Oct 20 2012 Brian Aker From 24102eb95fe8062931202e408d32f2d774da4000 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 31 Mar 2015 13:28:49 -0700 Subject: [PATCH 05/35] on x86_64 enable sha512, ecc, and increase max_bits by default --- configure.ac | 32 ++++++++++++++++++++++++++------ wolfssl/wolfcrypt/settings.h | 8 ++++++++ 2 files changed, 34 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index babb4d214..2d76fdd2e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -522,11 +522,18 @@ fi AM_CONDITIONAL([BUILD_BLAKE2], [test "x$ENABLED_BLAKE2" = "xyes"]) +# set sha512 default +SHA512_DEFAULT=no +if test "$host_cpu" = "x86_64" +then +SHA512_DEFAULT=yes +fi + # SHA512 AC_ARG_ENABLE([sha512], - [ --enable-sha512 Enable wolfSSL SHA-512 support (default: disabled)], + [AS_HELP_STRING([--enable-sha512],[Enable wolfSSL SHA-512 support (default: enabled on x86_64)])], [ ENABLED_SHA512=$enableval ], - [ ENABLED_SHA512=no ] + [ ENABLED_SHA512=$SHA512_DEFAULT ] ) if test "$ENABLED_SHA512" = "yes" @@ -638,11 +645,19 @@ fi AM_CONDITIONAL([BUILD_DSA], [test "x$ENABLED_DSA" = "xyes"]) -# ECC +# set ecc default +ECC_DEFAULT=no + +if test "$host_cpu" = "x86_64" +then +ECC_DEFAULT=yes +fi + +# ECC AC_ARG_ENABLE([ecc], - [ --enable-ecc Enable ECC (default: disabled)], + [AS_HELP_STRING([--enable-ecc],[Enable ECC (default: enabled on x86_64)])], [ ENABLED_ECC=$enableval ], - [ ENABLED_ECC=no ] + [ ENABLED_ECC=$ECC_DEFAULT ] ) if test "$ENABLED_ECC" = "yes" @@ -655,7 +670,7 @@ AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) if test "$ENABLED_ECC" = "yes" && test "$ENABLED_SMALL" = "yes" then - AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.]) + AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.]) fi @@ -1677,6 +1692,11 @@ then AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH" ENABLED_SLOWMATH="no" fi + if test "$host_cpu" = "x86_64" + then + # Have settings.h set FP_MAX_BITS higher if user didn't set directly + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_X86_64_BUILD" + fi fi diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index b2edbe206..39b75f8e9 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h 
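Review bot: With `ECC_DEFAULT=yes` on x86_64, the existing check `test "$ENABLED_ECC" = "yes" && test "$ENABLED_SMALL" = "yes"` in the ECC hunk now stops configure with an error for a small build even when the user never asked for ECC. The default should give way to the small option rather than abort, for example `if test "$ENABLED_SMALL" = "yes"; then ECC_DEFAULT=no; fi` ahead of the `AC_ARG_ENABLE([ecc]` call, provided ENABLED_SMALL is already set at that point in the file (not visible here). Both new defaults also rely on `$host_cpu`, which is only populated when the canonical host macro has run earlier in configure.ac; a one-line comment saying so next to `SHA512_DEFAULT=no` would help.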
@@ -748,6 +748,14 @@ #endif #endif +/* if desktop type system and fastmath increase default max bits */ +#ifdef WOLFSSL_X86_64_BUILD + #ifdef USE_FAST_MATH + #ifndef FP_MAX_BITS + #define FP_MAX_BITS 8192 + #endif + #endif +#endif /* Place any other flags or defines here */ From 5319eb8f38f8da65eb4133ddf3acb090f7d0a155 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 31 Mar 2015 13:41:10 -0700 Subject: [PATCH 06/35] fix github issue #56, have tls layer use time_overrides for ticks if available and not using explicit user_ticks --- src/internal.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/internal.c b/src/internal.c index 1b1afe8b4..89dc78db4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2362,6 +2362,21 @@ ProtocolVersion MakeDTLSv1_2(void) */ } #endif + +#elif defined(TIME_OVERRIDES) + + /* use same asn time overrides unless user wants tick override above */ + + #ifndef HAVE_TIME_T_TYPE + typedef long time_t; + #endif + extern time_t XTIME(time_t * timer); + + word32 LowResTimer(void) + { + return (word32) XTIME(0); + } + #else /* !USE_WINDOWS_API && !HAVE_RTP_SYS && !MICRIUM && !USER_TICKS */ #include From a5f42cc9ca6229f429d5e4a4af6f839dee514ed2 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 31 Mar 2015 13:56:12 -0700 Subject: [PATCH 07/35] fix opensslextra time shadow on some systems --- src/ssl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 571445365..ff137967a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8222,13 +8222,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl) long wolfSSL_SSL_SESSION_set_timeout(WOLFSSL_SESSION* ses, long t) { - word32 time; + word32 tmptime; if (!ses || t < 0) return BAD_FUNC_ARG; - time = t & 0xFFFFFFFF; + tmptime = t & 0xFFFFFFFF; - ses->timeout = time; + ses->timeout = tmptime; return SSL_SUCCESS; } From d84ff836892fdafbee36bd6d413286dabf7ee16b Mon Sep 17 00:00:00 2001 
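Review bot: Nothing in the new `TIME_OVERRIDES` branch of internal.c states what the user-supplied `XTIME` has to return, yet `LowResTimer()` now passes that value, cut down to `word32`, to the TLS layer as its tick source. A comment above the function would make the contract explicit, for example `/* XTIME must return seconds and must never go backwards; the TLS layer uses this value as its tick counter */`. The call should pass a null pointer rather than an integer, `return (word32) XTIME(NULL);`. The local `typedef long time_t;` can disagree with the definition used for the ASN.1 time override if that one is not `long`; whether a shared header already provides it is not visible in this hunk.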
From: toddouska Date: Tue, 31 Mar 2015 15:55:39 -0700 Subject: [PATCH 08/35] fix leanpsk w/ new defaults --- configure.ac | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/configure.ac b/configure.ac index 2d76fdd2e..aad5ab921 100644 --- a/configure.ac +++ b/configure.ac @@ -536,6 +536,12 @@ AC_ARG_ENABLE([sha512], [ ENABLED_SHA512=$SHA512_DEFAULT ] ) +# lean pks does't need sha512 +if test "$ENABLED_SHA512" = "yes" +then + ENABLED_SHA512=no +fi + if test "$ENABLED_SHA512" = "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384" @@ -660,6 +666,12 @@ AC_ARG_ENABLE([ecc], [ ENABLED_ECC=$ECC_DEFAULT ] ) +# lean pks does't need ecc +if test "$ENABLED_ECC" = "yes" +then + ENABLED_ECC=no +fi + if test "$ENABLED_ECC" = "yes" then AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR" From 748c5ac128f44bc2a0389df1f5f52c7732f63cf3 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 31 Mar 2015 16:23:28 -0700 Subject: [PATCH 09/35] update configure help strings for AESGCM and DH --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index aad5ab921..6b1fdad77 100644 --- a/configure.ac +++ b/configure.ac @@ -335,7 +335,7 @@ AM_CONDITIONAL([BUILD_SNIFFTEST], [ test "x$ENABLED_SNIFFTEST" = "xyes" ]) # AES-GCM AC_ARG_ENABLE([aesgcm], - [ --enable-aesgcm Enable wolfSSL AES-GCM support (default: disabled)], + [AS_HELP_STRING([--enable-aesgcm],[Enable wolfSSL AES-GCM support (default: enabled)])], [ ENABLED_AESGCM=$enableval ], [ ENABLED_AESGCM=yes ] ) @@ -884,7 +884,7 @@ AM_CONDITIONAL([BUILD_RSA], [test "x$ENABLED_RSA" = "xyes"]) # DH AC_ARG_ENABLE([dh], - [ --enable-dh Enable DH (default: disabled)], + [AS_HELP_STRING([--enable-dh],[Enable DH (default: enabled)])], [ ENABLED_DH=$enableval ], [ ENABLED_DH=yes ] ) From 1d4187e168e8534341b4268a0a62b2fbef4acce0 Mon Sep 17 00:00:00 2001 
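Review bot: Both added guards test the option they are about to clear, `if test "$ENABLED_SHA512" = "yes"` in the first hunk and `if test "$ENABLED_ECC" = "yes"` in the second, so SHA-512 and ECC are switched off in every build and not only in a lean PSK build. The condition should be `if test "$ENABLED_LEANPSK" = "yes"` in both places. Patch 11/35 later in this series makes exactly that change; folding it into this commit would keep the intermediate revisions from silently building without ECC and SHA-512, which matters for anyone bisecting or cherry-picking. The comments also read `lean pks does't`; `lean psk doesn't` is what is meant.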
From: Chris Conlon Date: Wed, 1 Apr 2015 10:02:02 -0600 Subject: [PATCH 10/35] add local struct tm for XGMTIME with TIME_OVERRIDES, fixes issue #55 --- wolfcrypt/src/asn.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a79e85062..6c61fbf2a 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2363,12 +2363,12 @@ int ValidateDate(const byte* date, byte format, int dateType) time_t ltime; struct tm certTime; struct tm* localTime; - struct tm* tmpTime; + struct tm* tmpTime = NULL; int i = 0; -#ifdef FREESCALE_MQX - struct tm mqxTime; - tmpTime = &mqxTime; +#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) + struct tm tmpTimeStorage; + tmpTime = &tmpTimeStorage; #else (void)tmpTime; #endif @@ -2394,9 +2394,9 @@ int ValidateDate(const byte* date, byte format, int dateType) GetTime((int*)&certTime.tm_hour, date, &i); GetTime((int*)&certTime.tm_min, date, &i); GetTime((int*)&certTime.tm_sec, date, &i); - + if (date[i] != 'Z') { /* only Zulu supported for this profile */ - WOLFSSL_MSG("Only Zulu time supported for this profile"); + WOLFSSL_MSG("Only Zulu time supported for this profile"); return 0; } @@ -5217,13 +5217,13 @@ static int SetValidity(byte* output, int daysValid) time_t ticks; time_t normalTime; struct tm* now; - struct tm* tmpTime; + struct tm* tmpTime = NULL; struct tm local; -#ifdef FREESCALE_MQX - /* for use with MQX gmtime_r */ - struct tm mqxTime; - tmpTime = &mqxTime; +#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) + /* for use with gmtime_r */ + struct tm tmpTimeStorage; + tmpTime = &tmpTimeStorage; #else (void)tmpTime; #endif From 3abf1952c8e8f599bda95b3c1e28b3e0e9d7aa27 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 1 Apr 2015 09:37:41 -0700 Subject: [PATCH 11/35] fix leanpsk default changes --- configure.ac | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/configure.ac b/configure.ac index aad5ab921..a73cad5a9 100644 --- a/configure.ac +++ b/configure.ac @@ -340,7 +340,7 @@ AC_ARG_ENABLE([aesgcm], [ ENABLED_AESGCM=yes ] ) -# lean pks does't need gcm +# lean psk does't need gcm if test "$ENABLED_LEANPSK" = "yes" then ENABLED_AESGCM=no @@ -431,7 +431,7 @@ AC_ARG_ENABLE([poly1305], [ ENABLED_POLY1305=yes ] ) -# lean pks does't need poly1305 +# lean psk does't need poly1305 if test "$ENABLED_LEANPSK" = "yes" then ENABLED_POLY1305=no @@ -536,8 +536,8 @@ AC_ARG_ENABLE([sha512], [ ENABLED_SHA512=$SHA512_DEFAULT ] ) -# lean pks does't need sha512 -if test "$ENABLED_SHA512" = "yes" +# lean psk does't need sha512 +if test "$ENABLED_LEANPSK" = "yes" then ENABLED_SHA512=no fi @@ -666,8 +666,8 @@ AC_ARG_ENABLE([ecc], [ ENABLED_ECC=$ECC_DEFAULT ] ) -# lean pks does't need ecc -if test "$ENABLED_ECC" = "yes" +# lean psk does't need ecc +if test "$ENABLED_LEANPSK" = "yes" then ENABLED_ECC=no fi @@ -1188,7 +1188,7 @@ AC_ARG_ENABLE([chacha], [ ENABLED_CHACHA=yes ] ) -# lean pks does't need chacha +# lean psk does't need chacha if test "$ENABLED_LEANPSK" = "yes" then ENABLED_CHACHA=no From 5ecbe14d2c9e2fc9695e2023ce712ddd28b5d849 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 1 Apr 2015 11:55:49 -0700 Subject: [PATCH 12/35] Added --enable-maxstrength configure build to only allow TLSv1.2, PFS, and AEAD ciphers. --- configure.ac | 34 +++ wolfssl/internal.h | 500 ++++++++++++++++++++++++--------------------- 2 files changed, 300 insertions(+), 234 deletions(-) diff --git a/configure.ac b/configure.ac index ad9cdaa16..d2b78f39d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -165,6 +165,13 @@ then fi +# High Strength Build +AC_ARG_ENABLE([maxstrength], + [AS_HELP_STRING([--enable-maxstrength],[Enable Max Strengh build, allows TLSv1.2-AEAD-PFS ciphers only (default: disabled)])], + [ENABLED_MAXSTRENGTH=$enableval], + [ENABLED_MAXSTRENGTH=no]) + + # IPv6 Test Apps AC_ARG_ENABLE([ipv6], [ --enable-ipv6 Enable testing of IPV6 (default: disabled)], @@ -1849,6 +1856,32 @@ fi AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"]) +# Check for build-type conflicts +AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \ + test "x$ENABLED_LEANPSK" = "xyes"], + [AC_MSG_ERROR([Cannot use Max Strength and Lean PSK at the same time.])]) + + +# Update CFLAGS based on options +AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAX_STRENGTH"]) + +AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" || \ + test "x$ENABLED_AESGCM" = "xyes" || \ + test "x$ENABLED_AESCCM" = "xyes" || \ + test "x$ENABLED_CHACHA" = "xyes" || \ + test "x$ENABLED_POLY1305" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DHAVE_AEAD"]) + +AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" || \ + test "x$ENABLED_DH" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DHAVE_PFS"]) + +AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \ + test "x$ENABLED_OLD_TLS" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS" + ENABLED_OLD_TLS=no]) + # OPTIMIZE FLAGS if test "$GCC" = "yes" @@ -2004,6 +2037,7 @@ echo " Features " echo " * Single threaded: $ENABLED_SINGLETHREADED" echo " * Filesystem: $ENABLED_FILESYSTEM" echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA" +echo " * Max Strength Build: $ENABLED_MAXSTRENGTH" echo " * fastmath: $ENABLED_FASTMATH" echo " * sniffer: $ENABLED_SNIFFER" echo " * snifftest: $ENABLED_SNIFFTEST" diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d12ed3257..ee056b850 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h 
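Review bot: `-DHAVE_AEAD` is added when either `ENABLED_CHACHA` or `ENABLED_POLY1305` is `yes`, while the header block this commit removes from internal.h required both, and neither primitive alone is an AEAD cipher. The same `AS_IF` and the `HAVE_PFS` one also fire on `ENABLED_MAXSTRENGTH` alone, so `--enable-maxstrength` combined with disabled AES-GCM, AES-CCM and ChaCha20-Poly1305 (or disabled DH) still configures and yields a build whose flags claim AEAD and PFS with no matching suite compiled in. Configure should refuse that combination and derive HAVE_AEAD only from ciphers that are really enabled, as sketched below; an equivalent check for the key exchange would go next to the `HAVE_PFS` test. The help string also spells the option `Max Strengh`.

```m4
# … unchanged: Max Strength / Lean PSK conflict check …

# Max Strength must end up with at least one AEAD cipher enabled
AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
       test "x$ENABLED_AESGCM" != "xyes" && \
       test "x$ENABLED_AESCCM" != "xyes" && \
       { test "x$ENABLED_CHACHA" != "xyes" || test "x$ENABLED_POLY1305" != "xyes"; }],
      [AC_MSG_ERROR([Max Strength needs AES-GCM, AES-CCM or ChaCha20-Poly1305 enabled.])])

# HAVE_AEAD only when a complete AEAD construction is built
AS_IF([test "x$ENABLED_AESGCM" = "xyes" || \
       test "x$ENABLED_AESCCM" = "xyes" || \
       { test "x$ENABLED_CHACHA" = "xyes" && test "x$ENABLED_POLY1305" = "xyes"; }],
      [AM_CFLAGS="$AM_CFLAGS -DHAVE_AEAD"])

# … unchanged: HAVE_PFS and NO_OLD_TLS handling …
```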
@@ -181,172 +181,271 @@ typedef byte word24[3]; make sure to use at least one BUILD_SSL_xxx or BUILD_TLS_xxx is defined When adding cipher suites, add name to cipher_names, idx to cipher_name_idx + + Now that there is a maximum strength crypto build, the following BUILD_XXX + flags need to be divided into two groups selected by WOLFSSL_MAX_STRENGTH. + Those that do not use Perfect Forward Security and do not use AEAD ciphers + need to be switched off. Allowed suites use (EC)DHE, AES-GCM|CCM, or + CHACHA-POLY. */ -#if !defined(NO_RSA) && !defined(NO_RC4) - #if !defined(NO_SHA) - #define BUILD_SSL_RSA_WITH_RC4_128_SHA - #endif - #if !defined(NO_MD5) - #define BUILD_SSL_RSA_WITH_RC4_128_MD5 - #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) - #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - #endif -#endif +#ifndef WOLFSSL_MAX_STRENGTH -#if !defined(NO_RSA) && !defined(NO_DES3) - #if !defined(NO_SHA) - #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - #if !defined(NO_TLS) && defined(HAVE_NTRU) - #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif -#endif - -#if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - #if defined(HAVE_NTRU) - #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - #endif - #endif - #if !defined (NO_SHA256) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - #endif - #if defined (HAVE_AESGCM) - #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - #if defined (WOLFSSL_SHA384) - #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 + #if !defined(NO_RSA) && !defined(NO_RC4) + #if !defined(NO_SHA) + #define BUILD_SSL_RSA_WITH_RC4_128_SHA + #endif + #if !defined(NO_MD5) + #define BUILD_SSL_RSA_WITH_RC4_128_MD5 + #endif + #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) + #define 
BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA #endif #endif - #if defined (HAVE_AESCCM) - #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 - #define BUILD_TLS_RSA_WITH_AES_256_CCM_8 - #endif - #if defined(HAVE_BLAKE2) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - #endif -#endif -#if defined(HAVE_CAMELLIA) && !defined(NO_TLS) - #ifndef NO_RSA - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 + #if !defined(NO_RSA) && !defined(NO_DES3) + #if !defined(NO_SHA) + #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA + #if !defined(NO_TLS) && defined(HAVE_NTRU) + #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA + #endif #endif - #if !defined(NO_DH) + #endif + + #if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS) + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA + #if defined(HAVE_NTRU) + #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA + #endif + #endif + #if !defined (NO_SHA256) + #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 + #endif + #if defined (HAVE_AESGCM) + #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 + #if defined (WOLFSSL_SHA384) + #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 + #endif + #endif + #if defined (HAVE_AESCCM) + #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 + #define BUILD_TLS_RSA_WITH_AES_256_CCM_8 + #endif + #if defined(HAVE_BLAKE2) + #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 + #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 + #endif + #endif + + #if defined(HAVE_CAMELLIA) && !defined(NO_TLS) + #ifndef NO_RSA #if !defined(NO_SHA) - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + #define 
BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA #endif #ifndef NO_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 + #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 + #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 + #endif + #if !defined(NO_DH) + #if !defined(NO_SHA) + #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + #endif + #ifndef NO_SHA256 + #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 + #endif #endif #endif #endif -#endif -#if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) - #if !defined(NO_SHA) - #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - #ifdef HAVE_AESGCM - #define BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 + #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) + #if !defined(NO_SHA) + #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA + #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA #endif - #ifdef HAVE_AESCCM - #define BUILD_TLS_PSK_WITH_AES_128_CCM_8 - #define BUILD_TLS_PSK_WITH_AES_256_CCM_8 - #define BUILD_TLS_PSK_WITH_AES_128_CCM - #define BUILD_TLS_PSK_WITH_AES_256_CCM - #endif - #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - #ifdef HAVE_AESGCM - #define BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - #endif - #endif -#endif - -#if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) - #if !defined(NO_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_NULL_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_RSA_WITH_NULL_SHA256 - #endif - #endif - #if !defined(NO_PSK) - #if !defined(NO_SHA) - #define BUILD_TLS_PSK_WITH_NULL_SHA - #endif #ifndef NO_SHA256 - #define BUILD_TLS_PSK_WITH_NULL_SHA256 + #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 + #ifdef 
HAVE_AESGCM + #define BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 + #endif + #ifdef HAVE_AESCCM + #define BUILD_TLS_PSK_WITH_AES_128_CCM_8 + #define BUILD_TLS_PSK_WITH_AES_256_CCM_8 + #define BUILD_TLS_PSK_WITH_AES_128_CCM + #define BUILD_TLS_PSK_WITH_AES_256_CCM + #endif #endif #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_PSK_WITH_NULL_SHA384 - #endif - #endif -#endif - -#if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS) - #define BUILD_TLS_RSA_WITH_HC_128_MD5 - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_HC_128_SHA - #endif - #if defined(HAVE_BLAKE2) - #define BUILD_TLS_RSA_WITH_HC_128_B2B256 - #endif -#endif - -#if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_RABBIT_SHA - #endif -#endif - -#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - #endif - #if !defined (NO_SHA256) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - #if defined (HAVE_AESGCM) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - #if defined (WOLFSSL_SHA384) - #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 + #ifdef HAVE_AESGCM + #define BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 #endif #endif #endif -#endif -#if defined(HAVE_ANON) && !defined(NO_TLS) && !defined(NO_DH) && \ - !defined(NO_AES) && !defined(NO_SHA) - #define BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA + #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) + #if !defined(NO_RSA) + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_NULL_SHA + #endif + #ifndef NO_SHA256 + #define BUILD_TLS_RSA_WITH_NULL_SHA256 + #endif + #endif + #if !defined(NO_PSK) + #if !defined(NO_SHA) + #define BUILD_TLS_PSK_WITH_NULL_SHA + #endif + #ifndef NO_SHA256 + #define BUILD_TLS_PSK_WITH_NULL_SHA256 + #endif + #ifdef WOLFSSL_SHA384 
+ #define BUILD_TLS_PSK_WITH_NULL_SHA384 + #endif + #endif + #endif + + #if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS) + #define BUILD_TLS_RSA_WITH_HC_128_MD5 + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_HC_128_SHA + #endif + #if defined(HAVE_BLAKE2) + #define BUILD_TLS_RSA_WITH_HC_128_B2B256 + #endif + #endif + + #if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA) + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_RABBIT_SHA + #endif + #endif + + #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ + !defined(NO_RSA) + + #if !defined(NO_SHA) + #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA + #endif + #if !defined(NO_SHA256) + #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + #endif + #endif + + #if defined(HAVE_ANON) && !defined(NO_TLS) && !defined(NO_DH) && \ + !defined(NO_AES) && !defined(NO_SHA) + #define BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA + #endif + + #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) + #ifndef NO_SHA256 + #define BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 + #ifdef HAVE_NULL_CIPHER + #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 + #endif + #endif + #ifdef WOLFSSL_SHA384 + #define BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 + #ifdef HAVE_NULL_CIPHER + #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 + #endif + #endif + #endif + + #if defined(HAVE_ECC) && !defined(NO_TLS) + #if !defined(NO_AES) + #if !defined(NO_SHA) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + #endif + + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + #endif /* NO_SHA */ + #ifndef 
NO_SHA256 + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + #endif + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + #endif + + #ifdef WOLFSSL_SHA384 + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + #endif + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + #endif + + #if defined (HAVE_AESGCM) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + #if defined(WOLFSSL_SHA384) + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + #endif + #endif + + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + + #if defined(WOLFSSL_SHA384) + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + #endif + #endif + #endif /* NO_AES */ + #if !defined(NO_RC4) + #if !defined(NO_SHA) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA + #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA + #endif + + #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA + #endif + #endif + #if !defined(NO_DES3) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + #endif + + #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + #endif + #endif + +#endif /* !WOLFSSL_MAX_STRENGTH */ + +#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ + !defined(NO_RSA) && defined(HAVE_AESGCM) + + #ifndef NO_SHA256 + #define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + #endif + + #ifdef WOLFSSL_SHA384 + #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + #endif #endif #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) #ifndef NO_SHA256 - #define BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - #ifdef 
HAVE_NULL_CIPHER - #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - #endif #ifdef HAVE_AESGCM #define BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 #endif 
@@ -355,93 +454,43 @@ typedef byte word24[3]; #define BUILD_TLS_DHE_PSK_WITH_AES_256_CCM #endif #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - #ifdef HAVE_NULL_CIPHER - #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - #endif - #ifdef HAVE_AESGCM - #define BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - #endif + #if defined(WOLFSSL_SHA384) && defined(HAVE_AESGCM) + #define BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 #endif #endif -#if defined(HAVE_ECC) && !defined(NO_TLS) - #if !defined(NO_AES) - #if !defined(NO_SHA) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - #endif /* NO_SHA */ +#if defined(HAVE_ECC) && !defined(NO_DH) && !defined(NO_TLS) && !defined(NO_AES) + #ifdef HAVE_AESGCM #ifndef NO_SHA256 - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - #endif - - #ifdef WOLFSSL_SHA384 - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - #endif - - #if defined (HAVE_AESGCM) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - #if defined(WOLFSSL_SHA384) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - #endif - #endif 
- #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - - #if defined(WOLFSSL_SHA384) - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + #ifndef NO_RSA + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 #endif #endif - #if defined (HAVE_AESCCM) - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - #endif - #endif /* NO_AES */ - #if !defined(NO_RC4) - #if !defined(NO_SHA) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA + #ifdef WOLFSSL_SHA384 + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + #ifndef NO_RSA + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA #endif #endif - #if !defined(NO_DES3) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - #endif + #if defined(HAVE_AESCCM) && !defined(NO_SHA256) + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 + #endif +#endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) && \ + !defined(NO_DH) + + #ifdef HAVE_ECC + #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + #ifndef NO_RSA + #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + #endif + #endif + #ifndef NO_RSA + #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 #endif #endif 
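Review bot: `BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` is removed by this hunk and no added line defines it again, while its RSA counterpart and both 256-bit variants are re-added in the new `HAVE_AESGCM` block. As far as the collapsed diff shows, that suite drops out of every build, including the max strength one it is meant for. Adding `#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` inside `#ifndef NO_SHA256`, ahead of the `#ifndef NO_RSA`, would restore it. The new ECDHE block and the ChaCha20-Poly1305 block are also gated on `!defined(NO_DH)`, which the old `defined(HAVE_ECC) && !defined(NO_TLS)` guard was not, so an ECC build with DH disabled loses its AEAD ECDHE suites; worth confirming that this is intended.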
@@ -499,23 +548,6 @@ typedef byte word24[3]; #ifdef HAVE_CHACHA #define CHACHA20_BLOCK_SIZE 16 - /* ChaCha - Poly AEAD suites */ - #if defined(HAVE_POLY1305) && !defined(NO_SHA256) - #if defined(HAVE_ECC) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - #endif - #if !defined(NO_DH) && !defined(NO_RSA) - #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - #endif - #endif /* end of ChaCha - Poly AEAD suites */ -#endif - -#if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) || \ - (defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) - #define HAVE_AEAD #endif From cc804b110f761462ff79c8e005c636237616d757 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 1 Apr 2015 12:03:27 -0700 Subject: [PATCH 13/35] allow example client to talk with echoserver in ecc mode w/o switch --- examples/client/client.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 7c14d2980..48071220b 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -607,10 +607,15 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } if (!usePsk && !useAnon) { - if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) - err_sys("can't load ca file, Please run from wolfSSL home dir"); + if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) != SSL_SUCCESS) + err_sys("can't load ca file, Please run from wolfSSL home dir"); +#ifdef HAVE_ECC + /* load ecc verify too, echoserver uses it by default w/ ecc */ + if (wolfSSL_CTX_load_verify_locations(ctx, eccCert, 0) != SSL_SUCCESS) + err_sys("can't load ecc ca file, Please run from wolfSSL home dir"); +#endif /* HAVE_ECC */ } -#endif +#endif /* !NO_FILESYSTEM && !NO_CERTS */ #if !defined(NO_CERTS) if (!usePsk && !useAnon && doPeerCheck == 0) wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); 
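Review bot: The added `wolfSSL_CTX_load_verify_locations(ctx, eccCert, 0)` call in examples/client/client.c puts a second trust anchor into the context on every `HAVE_ECC` build, whatever CA the caller selected through `verifyCert`. If `verifyCert` can be set by the user (the option parsing is outside this hunk), a client pointed at a private CA would still accept peers that chain to the bundled ECC test certificate, and it would abort through `err_sys` when that file is missing. I would load `eccCert` only when the CA path was left at its default, tracked with a flag set during option parsing, and say so in the comment: `/* default CA only: also trust the ECC test CA, echoserver uses it w/ ecc */`. `client_test` starts and ends outside the hunk.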
From 869aeee6cb24c91889edc5ad9d366b10edf9a658 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 1 Apr 2015 12:14:48 -0700 Subject: [PATCH 14/35] allow sniffer play nice in ecc build --- examples/client/client.c | 2 +- examples/echoclient/echoclient.c | 2 +- examples/echoserver/echoserver.c | 4 ++-- examples/server/server.c | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 48071220b..d7a5e82e9 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -566,7 +566,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); #endif -#if defined(WOLFSSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) +#if defined(WOLFSSL_SNIFFER) if (cipherList == NULL) { /* don't use EDH, can't sniff tmp keys */ if (wolfSSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) { diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index 5751622d5..ff754b7e8 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -130,7 +130,7 @@ void echoclient_test(void* args) load_buffer(ctx, caCert, CYASSL_CA); #endif -#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) +#if defined(CYASSL_SNIFFER) /* don't use EDH, can't sniff tmp keys */ SSL_CTX_set_cipher_list(ctx, "AES256-SHA"); #endif diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 680c11d5e..49b3933d2 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -160,7 +160,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) != SSL_SUCCESS) err_sys("can't load ntru key file, " "Please run from wolfSSL home dir"); - #elif defined(HAVE_ECC) + #elif defined(HAVE_ECC) && !defined(CYASSL_SNIFFER) /* ecc */ if (CyaSSL_CTX_use_certificate_file(ctx, eccCert, SSL_FILETYPE_PEM) != SSL_SUCCESS) 
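Review bot: The new `#elif defined(HAVE_ECC) && !defined(CYASSL_SNIFFER)` in echoserver.c keeps the ECC certificate out of sniffer builds, but the NTRU branch just above it gets no matching guard, while the other hunks of this commit drop `!defined(HAVE_NTRU)` from the cipher-list condition. In a build with both the sniffer and NTRU enabled the server would load the NTRU key and then be restricted to `AES256-SHA`, which looks unable to complete a handshake with that key; this is inferred, because the opening `#if` of the chain is outside the hunk. Either guard the NTRU branch the same way or keep `!defined(HAVE_NTRU)` on the sniffer conditions. The `/* don't use EDH, can't sniff tmp keys */` comments in the sibling hunks could also name ECDHE now that ECC builds reach them.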
@@ -193,7 +193,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) } #endif -#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) +#if defined(CYASSL_SNIFFER) /* don't use EDH, can't sniff tmp keys */ CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA"); #endif diff --git a/examples/server/server.c b/examples/server/server.c index 9c74b26d9..df248dd6e 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -485,7 +485,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } #endif -#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) +#if defined(CYASSL_SNIFFER) /* don't use EDH, can't sniff tmp keys */ if (cipherList == NULL) { if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) From 8dd1afb49c0879d2c8ed730a8ea15a022d3d323b Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 1 Apr 2015 12:30:46 -0700 Subject: [PATCH 15/35] have ./configure error out on maxstrength + sniffer --- configure.ac | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/configure.ac b/configure.ac index d2b78f39d..f5eeb2836 100644 --- a/configure.ac +++ b/configure.ac @@ -327,6 +327,12 @@ AC_ARG_ENABLE([sniffer], [ ENABLED_SNIFFER=no ] ) +# sniffer does't work in maxstrength mode +if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes" +then + AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.]) +fi + ENABLED_SNIFFTEST=no AS_IF([ test "x$ENABLED_SNIFFER" = "xyes" ], [ From 3039d16e0959c8c2c44ecedd67f27eafc6b5291f Mon Sep 17 00:00:00 2001 
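Review bot: The new configure.ac check reads `$ENABLED_MAXSTRENGTH` directly after the sniffer option is parsed, so it only fires if `--enable-maxstrength` has already been processed above this point. That part of the file is not in the hunk and should be confirmed; if the option is parsed later, the variable is empty here and the conflicting combination passes silently. The tests also omit the `x` prefix used by the adjacent `test "x$ENABLED_SNIFFER" = "xyes"`, so for consistency I would write `if test "x$ENABLED_SNIFFER" = "xyes" && test "x$ENABLED_MAXSTRENGTH" = "xyes"`. The added comment has a typo, `does't` for `doesn't`.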
From: John Safranek Date: Wed, 1 Apr 2015 13:35:13 -0700 Subject: [PATCH 16/35] 1. HAVE_AEAD and HAVE_PFS should be set in internal.h, not CFLAGS 2. Added WOLFSSL_MAX_STRENGTH as option in settings.h for non-autoconf 3. When selecting max-strength cipher suites, ECDHE is only dependent on ECC, not DH --- configure.ac | 11 ----------- wolfssl/internal.h | 21 ++++++++++++++++----- wolfssl/wolfcrypt/settings.h | 8 ++++++++ 3 files changed, 24 insertions(+), 16 deletions(-) diff --git a/configure.ac b/configure.ac index d2b78f39d..be2811325 100644 --- a/configure.ac +++ b/configure.ac @@ -1866,17 +1866,6 @@ AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \ AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAX_STRENGTH"]) -AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" || \ - test "x$ENABLED_AESGCM" = "xyes" || \ - test "x$ENABLED_AESCCM" = "xyes" || \ - test "x$ENABLED_CHACHA" = "xyes" || \ - test "x$ENABLED_POLY1305" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DHAVE_AEAD"]) - -AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" || \ - test "x$ENABLED_DH" = "xyes"], - [AM_CFLAGS="$AM_CFLAGS -DHAVE_PFS"]) - AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \ test "x$ENABLED_OLD_TLS" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS" diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ee056b850..410b403de 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -459,7 +459,7 @@ typedef byte word24[3]; #endif #endif -#if defined(HAVE_ECC) && !defined(NO_DH) && !defined(NO_TLS) && !defined(NO_AES) +#if defined(HAVE_ECC) && !defined(NO_TLS) && !defined(NO_AES) #ifdef HAVE_AESGCM #ifndef NO_SHA256 #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
@@ -480,16 +480,14 @@ typedef byte word24[3]; #endif #endif -#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) && \ - !defined(NO_DH) - +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) #ifdef HAVE_ECC #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 #ifndef NO_RSA #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 #endif #endif - #ifndef NO_RSA + #if !defined(NO_DH) && !defined(NO_RSA) #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 #endif #endif @@ -550,6 +548,19 @@ typedef byte word24[3]; #define CHACHA20_BLOCK_SIZE 16 #endif +#if defined(WOLFSSL_MAX_STRENGTH) || \ + defined(HAVE_AESGCM) || defined(HAVE_AESCCM) || \ + (defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) + + #define HAVE_AEAD +#endif + +#if defined(WOLFSSL_MAX_STRENGTH) || \ + defined(HAVE_ECC) || !defined(NO_DH) + + #define HAVE_PFS +#endif + /* actual cipher values, 2nd byte */ enum { diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 39b75f8e9..1bcc8794c 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -30,6 +30,9 @@ extern "C" { #endif +/* Uncomment next line if using Max Strength build */ +/* #define WOLFSSL_MAX_STRENGTH */ + /* Uncomment next line if using IPHONE */ /* #define IPHONE */ @@ -107,6 +110,11 @@ #include +#ifdef WOLFSSL_MAX_STRENGTH + #undef NO_OLD_TLS + #define NO_OLD_TLS +#endif + #ifdef IPHONE #define SIZEOF_LONG_LONG 8 #endif From 2b5de9bd15b8517a10e79363304fd8eac42b7a17 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 1 Apr 2015 14:14:56 -0700 Subject: [PATCH 17/35] move MAX_STRENGTH and IPHONE in settings.h per pattern --- wolfssl/wolfcrypt/settings.h | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 1bcc8794c..9ffe61acd 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h 
@@ -30,9 +30,6 @@ extern "C" { #endif -/* Uncomment next line if using Max Strength build */ -/* #define WOLFSSL_MAX_STRENGTH */ - /* Uncomment next line if using IPHONE */ /* #define IPHONE */ @@ -108,23 +105,21 @@ /* Uncomment next line if building for uT-Kernel */ /* #define WOLFSSL_uTKERNEL2 */ +/* Uncomment next line if using Max Strength build */ +/* #define WOLFSSL_MAX_STRENGTH */ + #include -#ifdef WOLFSSL_MAX_STRENGTH - #undef NO_OLD_TLS - #define NO_OLD_TLS -#endif - -#ifdef IPHONE - #define SIZEOF_LONG_LONG 8 -#endif - - #ifdef WOLFSSL_USER_SETTINGS #include #endif +#ifdef IPHONE + #define SIZEOF_LONG_LONG 8 +#endif + + #ifdef COMVERGE #define THREADX #define HAVE_NETX @@ -765,6 +760,12 @@ #endif #endif +/* If using the max strength build, ensure OLD TLS is disabled. */ +#ifdef WOLFSSL_MAX_STRENGTH + #undef NO_OLD_TLS + #define NO_OLD_TLS +#endif + /* Place any other flags or defines here */ From afbd517838db3cef0c3d4fee438eb6c45625271d Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 1 Apr 2015 14:32:17 -0700 Subject: [PATCH 18/35] fix issue with --enable-maxstrength --disable-ecc losing AES-GCM --- wolfssl/internal.h | 1 + 1 file changed, 1 insertion(+) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 410b403de..9dbf02c6c 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -510,6 +510,7 @@ typedef byte word24[3]; #endif #if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \ + defined(BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) || \ defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \ defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) #define BUILD_AESGCM From 50e829ea7941f275d7c8f4e2c82aade6c17470b7 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 1 Apr 2015 15:36:55 -0700 Subject: [PATCH 19/35] when keeping peer cert, alt names were getting lost for the peer name check --- src/internal.c | 6 +++--- wolfcrypt/src/asn.c | 5 ++++- wolfssl/wolfcrypt/asn.h | 1 + 3 files changed, 8 insertions(+), 4 deletions(-) 
diff --git a/src/internal.c b/src/internal.c index 89dc78db4..49e078c49 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3817,9 +3817,9 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) x509->derCert.length = dCert->maxIdx; } - x509->altNames = dCert->altNames; - dCert->altNames = NULL; /* takes ownership */ - x509->altNamesNext = x509->altNames; /* index hint */ + x509->altNames = dCert->altNames; + dCert->weOwnAltNames = 0; + x509->altNamesNext = x509->altNames; /* index hint */ x509->isCa = dCert->isCA; #ifdef OPENSSL_EXTRA diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 6c61fbf2a..231ad0ce1 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1425,6 +1425,7 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->subjectCNLen = 0; cert->subjectCNEnc = CTC_UTF8; cert->subjectCNStored = 0; + cert->weOwnAltNames = 0; cert->altNames = NULL; #ifndef IGNORE_NAME_CONSTRAINTS cert->altEmailNames = NULL; @@ -1563,7 +1564,7 @@ void FreeDecodedCert(DecodedCert* cert) XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN); if (cert->pubKeyStored == 1) XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (cert->altNames) + if (cert->weOwnAltNames && cert->altNames) FreeAltNames(cert->altNames, cert->heap); #ifndef IGNORE_NAME_CONSTRAINTS if (cert->altEmailNames) @@ -3416,6 +3417,8 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) return ASN_PARSE_E; } + cert->weOwnAltNames = 1; + while (length > 0) { byte b = input[idx++]; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index bcea930ab..7511cdfc4 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
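Review bot: After this change in `CopyDecodedToX509`, `x509->altNames` and `dCert->altNames` point at the same list and only `weOwnAltNames` records who frees it, yet the copy is made without consulting that flag. If the function is ever called with a `DecodedCert` whose list was already handed over (the callers are outside this hunk), two `WOLFSSL_X509` objects would presumably both free the same list, and `dCert->altNames` dangles if the X509 is released before the decoded cert is last read. I would take the list only while it is still owned, `x509->altNames = dCert->weOwnAltNames ? dCert->altNames : NULL;`, and add a comment next to `dCert->weOwnAltNames = 0;` stating that `dCert` keeps a borrowed pointer that must not outlive `x509`. The function body continues outside the hunk.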
@@ -387,6 +387,7 @@ struct DecodedCert { byte extNameConstraintSet; #endif /* IGNORE_NAME_CONSTRAINTS */ byte isCA; /* CA basic constraint true */ + byte weOwnAltNames; /* altNames haven't been given to copy */ byte extKeyUsageSet; word16 extKeyUsage; /* Key usage bitfield */ byte extExtKeyUsageSet; /* Extended Key Usage */ From ad29c262d4321a0dcc392cf1d741ff6fb7b1b9e5 Mon Sep 17 00:00:00 2001 From: Vikram Adiga Date: Wed, 1 Apr 2015 16:21:48 -0700 Subject: [PATCH 20/35] use Seconds APIs instead of MYTIME APIs for TI-RTOS --- src/internal.c | 2 +- wolfcrypt/src/asn.c | 2 +- wolfssl/wolfcrypt/settings.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index 49e078c49..176c98b3f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2349,7 +2349,7 @@ ProtocolVersion MakeDTLSv1_2(void) word32 LowResTimer(void) { - return (word32) MYTIME_gettime(); + return (word32) Seconds_get(); } #elif defined(USER_TICKS) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 231ad0ce1..399753ab3 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -363,7 +363,7 @@ time_t XTIME(time_t * timer) { time_t sec = 0; - sec = (time_t) MYTIME_gettime(); + sec = (time_t) Seconds_get(); if (timer != NULL) *timer = sec; diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 9ffe61acd..23924ca2c 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -340,7 +340,7 @@ #pragma diag_suppress=11 #endif - #include + #include #endif #ifdef EBSNET From 4a5912c7544aa1bae8544dc414d3e6b6541390c6 Mon Sep 17 00:00:00 2001 
From: Vikram Adiga Date: Wed, 1 Apr 2015 16:43:05 -0700 Subject: [PATCH 21/35] fix tirtos build for wolfssl name change --- tirtos/packages/ti/net/wolfssl/package.bld | 2 +- tirtos/packages/ti/net/wolfssl/package.xdc | 3 +-- tirtos/packages/ti/net/wolfssl/package.xs | 2 +- .../wolfcrypt/benchmark/TM4C1294NC.icf | 0 .../wolfcrypt/benchmark/benchmark.cfg | 0 .../{ => EK_TM4C1294XL}/wolfcrypt/benchmark/main.c | 4 ++-- .../wolfcrypt/benchmark/package.bld | 10 +++++----- .../EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc | 6 ++++++ .../wolfcrypt/test/TM4C1294NC.icf | 0 .../tests/{ => EK_TM4C1294XL}/wolfcrypt/test/main.c | 3 +-- .../{ => EK_TM4C1294XL}/wolfcrypt/test/package.bld | 10 +++++----- .../tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc | 6 ++++++ .../{ => EK_TM4C1294XL}/wolfcrypt/test/test.cfg | 0 .../wolfssl/tests/wolfcrypt/benchmark/package.xdc | 6 ------ .../ti/net/wolfssl/tests/wolfcrypt/test/package.xdc | 6 ------ tirtos/wolfssl.bld | 13 ++++++++----- 16 files changed, 36 insertions(+), 35 deletions(-) rename tirtos/packages/ti/net/wolfssl/tests/{ => EK_TM4C1294XL}/wolfcrypt/benchmark/TM4C1294NC.icf (100%) rename tirtos/packages/ti/net/wolfssl/tests/{ => EK_TM4C1294XL}/wolfcrypt/benchmark/benchmark.cfg (100%) rename tirtos/packages/ti/net/wolfssl/tests/{ => EK_TM4C1294XL}/wolfcrypt/benchmark/main.c (97%) rename tirtos/packages/ti/net/wolfssl/tests/{ => EK_TM4C1294XL}/wolfcrypt/benchmark/package.bld (93%) create mode 100644 tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc rename tirtos/packages/ti/net/wolfssl/tests/{ => EK_TM4C1294XL}/wolfcrypt/test/TM4C1294NC.icf (100%) rename tirtos/packages/ti/net/wolfssl/tests/{ => EK_TM4C1294XL}/wolfcrypt/test/main.c (95%) rename tirtos/packages/ti/net/wolfssl/tests/{ => EK_TM4C1294XL}/wolfcrypt/test/package.bld (92%) create mode 100644 tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc rename tirtos/packages/ti/net/wolfssl/tests/{ => 
EK_TM4C1294XL}/wolfcrypt/test/test.cfg (100%) delete mode 100644 tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.xdc delete mode 100644 tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.xdc diff --git a/tirtos/packages/ti/net/wolfssl/package.bld b/tirtos/packages/ti/net/wolfssl/package.bld index 95d0811ac..002cb08dc 100644 --- a/tirtos/packages/ti/net/wolfssl/package.bld +++ b/tirtos/packages/ti/net/wolfssl/package.bld @@ -50,7 +50,7 @@ var wolfSSLObjList = [ for each (var targ in Build.targets) { var libOptions = {incs: wolfsslPathInclude}; - var lib = Pkg.addLibrary("lib/" + Pkg.name, targ, libOptions); + var lib = Pkg.addLibrary("lib/wolfssl", targ, libOptions); lib.addObjects(wolfSSLObjList); } diff --git a/tirtos/packages/ti/net/wolfssl/package.xdc b/tirtos/packages/ti/net/wolfssl/package.xdc index f0c4b9f83..5fe467d45 100644 --- a/tirtos/packages/ti/net/wolfssl/package.xdc +++ b/tirtos/packages/ti/net/wolfssl/package.xdc @@ -1,7 +1,6 @@ /*! * ======== ti.net.wolfssl ======== * wolfSSL library for TI-RTOS - * */ -package ti.net.wolfssl { +package ti.net.wolfssl [1, 0, 0] { } diff --git a/tirtos/packages/ti/net/wolfssl/package.xs b/tirtos/packages/ti/net/wolfssl/package.xs index 9ecf38e5b..7f5215d36 100644 --- a/tirtos/packages/ti/net/wolfssl/package.xs +++ b/tirtos/packages/ti/net/wolfssl/package.xs @@ -8,5 +8,5 @@ */ function getLibs(prog) { - return ("lib/" + this.$name + ".a" + prog.build.target.suffix); + return ("lib/wolfssl.a" + prog.build.target.suffix); } diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/TM4C1294NC.icf b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/TM4C1294NC.icf similarity index 100% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/TM4C1294NC.icf rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/TM4C1294NC.icf 
diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/benchmark.cfg b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/benchmark.cfg similarity index 100% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/benchmark.cfg rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/benchmark.cfg diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/main.c b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/main.c similarity index 97% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/main.c rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/main.c index 15ee1fb98..eddd432f7 100644 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/main.c +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/main.c @@ -1,6 +1,6 @@ /* * ======== main.c ======== - * Entry point for Benchmark application + * Entry point for Benchmark application */ /* BIOS Header files */ #include @@ -27,7 +27,7 @@ void runBenchmarks(UArg arg0, UArg arg1) { void *args = NULL; msTimer_init(); - + System_printf("Running benchmarks...\n"); System_flush(); benchmark_test(args); diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.bld b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.bld similarity index 93% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.bld rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.bld index cff396855..453fee738 100644 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.bld +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.bld 
@@ -10,7 +10,7 @@ if ((typeof(TivaWareDir) == undefined) || (TivaWareDir == "")) { var Build = xdc.useModule('xdc.bld.BuildEnvironment'); var Pkg = xdc.useModule('xdc.bld.PackageContents'); -/* make command to search for the srcs */ +/* make command to search for the srcs */ Pkg.makePrologue = "vpath %.c $(subst ;, ,$(XPKGPATH))"; var srcs = [ @@ -37,16 +37,16 @@ for each (var targ in Build.targets) { targ.$orig.lnkOpts.suffix = suffix.replace(/PrintfSmall/, "PrintfFull"); } else if (targ.$name.match(/^gnu/)) { - targ.$orig.lnkOpts.suffix += " -L" + TivaWareDir + "/driverlib/gcc " + targ.$orig.lnkOpts.suffix += " -L" + TivaWareDir + "/driverlib/gcc " + " -Wl,--start-group -ldriver -Wl,--end-group "; targ.$orig.bspLib = "rdimon"; } - - var exeOptions = { incs: wolfsslPathInclude + + var exeOptions = { incs: wolfsslPathInclude + " -DNO_MAIN_DRIVER -D_INCLUDE_NIMU_CODE -DBENCH_EMBEDDED " + " -DTIVAWARE -DPART_TM4C1294NCPDT", lopts: lnkOpts - }; + }; var exe = Pkg.addExecutable("benchmark", targ, platform, exeOptions); exe.addObjects(srcs); diff --git a/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc new file mode 100644 index 000000000..6a93cc333 --- /dev/null +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc @@ -0,0 +1,6 @@ +/* + * ======== ti.net.wolfssl.tests.EK_TM4C1294XL.wolfcrypt.benchmark ======== + * wc_ Benchmark Application + */ +package ti.net.wolfssl.tests.EK_TM4C1294XL.wolfcrypt.benchmark [1, 0, 0] { +} diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/TM4C1294NC.icf b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/TM4C1294NC.icf similarity index 100% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/TM4C1294NC.icf rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/TM4C1294NC.icf 
diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/main.c b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/main.c similarity index 95% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/main.c rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/main.c index 41378767a..88023e4e1 100644 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/main.c +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/main.c @@ -1,6 +1,6 @@ /* * ======== main.c ======== - * Entry point to wolfcrypt Test Application + * Entry point to wolfcrypt Test Application */ /* XDCtools Header files */ @@ -53,4 +53,3 @@ int main(int argc, char** argv) BIOS_start(); } - diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.bld b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.bld similarity index 92% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.bld rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.bld index a76add170..adfca1c9c 100644 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.bld +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.bld @@ -10,7 +10,7 @@ if ((typeof(TivaWareDir) == undefined) || (TivaWareDir == "")) { var Build = xdc.useModule('xdc.bld.BuildEnvironment'); var Pkg = xdc.useModule('xdc.bld.PackageContents'); -/* make command to search for the srcs */ +/* make command to search for the srcs */ Pkg.makePrologue = "vpath %.c $(subst ;, ,$(XPKGPATH))"; var srcs = [ 
@@ -33,16 +33,16 @@ for each (var targ in Build.targets) { platform = "ti.platforms.tiva:TM4C1294NCPDT"; } else if (targ.$name.match(/^gnu/)) { - targ.$orig.lnkOpts.suffix += " -L" + TivaWareDir + "/driverlib/gcc " + targ.$orig.lnkOpts.suffix += " -L" + TivaWareDir + "/driverlib/gcc " + " -Wl,--start-group -ldriver -Wl,--end-group "; targ.$orig.bspLib = "rdimon"; } - - var exeOptions = { incs: wolfsslPathInclude + + var exeOptions = { incs: wolfsslPathInclude + " -DNO_MAIN_DRIVER -D_INCLUDE_NIMU_CODE -DBENCH_EMBEDDED " + " -DTIVAWARE -DPART_TM4C1294NCPDT", lopts: lnkOpts, - }; + }; var exe = Pkg.addExecutable("test", targ, platform, exeOptions); exe.addObjects(srcs); diff --git a/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc new file mode 100644 index 000000000..0b85d5786 --- /dev/null +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc @@ -0,0 +1,6 @@ +/* + * ======== ti.net.wolfssl.tests.EK_TM4C1294XL.wolfcrypt.test ======== + * wolfcrypt Test Application + */ +package ti.net.wolfssl.tests.EK_TM4C1294XL.wolfcrypt.test [1, 0, 0] { +} diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/test.cfg b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/test.cfg similarity index 100% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/test.cfg rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/test.cfg diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.xdc b/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.xdc deleted file mode 100644 index c027f3203..000000000 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.xdc +++ /dev/null @@ -1,6 +0,0 @@ -/* - * ======== ti.net.wolfssl.tests.wolfcrypt.benchmark ======== - * wc_ Benchmark Application - */ -package ti.net.wolfssl.tests.wolfcrypt.benchmark { -} 
diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.xdc b/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.xdc deleted file mode 100644 index 8b5cc1db6..000000000 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.xdc +++ /dev/null @@ -1,6 +0,0 @@ -/* - * ======== ti.net.wolfssl.tests.wolfcrypt.test ======== - * wolfcrypt Test Application - */ -package ti.net.wolfssl.tests.wolfcrypt.test { -} diff --git a/tirtos/wolfssl.bld b/tirtos/wolfssl.bld index 5702b8340..696208ba0 100644 --- a/tirtos/wolfssl.bld +++ b/tirtos/wolfssl.bld @@ -32,21 +32,24 @@ */ var armOpts = " -ms "; -var gnuOpts = ""; +var gnuOpts = " -D_POSIX_SOURCE "; var iarOpts = ""; /* Uncomment the following lines to build libraries for debug mode: */ // Pkg.attrs.profile = "debug"; // armOpts += " -g -o0 "; -// gnuOpts += " -g "; +// gnuOpts += " -g -D_POSIX_SOURCE "; // iarOpts += " --debug "; var ccOpts = { - "ti.targets.arm.elf.M4F" : armOpts, + "ti.targets.arm.elf.M4" : armOpts, + "ti.targets.arm.elf.M4F" : armOpts, - "gnu.targets.arm.M4F" : gnuOpts, + "gnu.targets.arm.M4" : gnuOpts, + "gnu.targets.arm.M4F" : gnuOpts, - "iar.targets.arm.M4F" : iarOpts, + "iar.targets.arm.M4" : iarOpts, + "iar.targets.arm.M4F" : iarOpts, }; /* initialize local vars with those set in xdcpaths.mak (via XDCARGS) */ From 327a5c6dc2f1fdc9fe7ecf2c1ac0374600abb3e2 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 1 Apr 2015 19:38:03 -0700 Subject: [PATCH 22/35] added compile time check for Max Strength that all the requirements aren't disabled --- wolfssl/internal.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 9dbf02c6c..55af1d1b9 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h 
@@ -188,6 +188,19 @@ typedef byte word24[3]; need to be switched off. Allowed suites use (EC)DHE, AES-GCM|CCM, or CHACHA-POLY. */ + +/* Check that if WOLFSSL_MAX_STRENGTH is set that all the required options are + * not turned off. */ +#if defined(WOLFSSL_MAX_STRENGTH) && \ + ((!defined(HAVE_ECC) && (defined(NO_DH) || defined(NO_RSA))) || \ + (!defined(HAVE_AESGCM) && !defined(HAVE_AESCCM) && \ + (!defined(HAVE_POLY1305) || !defined(HAVE_CHACHA))) || \ + (defined(NO_SHA256) && !defined(WOLFSSL_SHA384)) || \ + !defined(NO_OLD_TLS)) + + #error "You are trying to build max strength with requirements disabled." +#endif + #ifndef WOLFSSL_MAX_STRENGTH #if !defined(NO_RSA) && !defined(NO_RC4) From e1beca3e6018039f423ee3c78539e30ac25238a6 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 2 Apr 2015 08:14:48 -0700 Subject: [PATCH 23/35] fix with ecc w/o dh functions --- wolfssl/ssl.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index afee66e47..62ef01a09 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -882,7 +882,6 @@ WOLFSSL_API int wolfSSL_SetTmpDH(WOLFSSL*, const unsigned char* p, int pSz, const unsigned char* g, int gSz); WOLFSSL_API int wolfSSL_SetTmpDH_buffer(WOLFSSL*, const unsigned char* b, long sz, int format); -WOLFSSL_API int wolfSSL_SetTmpEC_DHE_Sz(WOLFSSL*, unsigned short); #ifndef NO_FILESYSTEM WOLFSSL_API int wolfSSL_SetTmpDH_file(WOLFSSL*, const char* f, int format); #endif @@ -900,6 +899,9 @@ WOLFSSL_API int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX*, unsigned short); #endif #endif /* NO_DH */ +WOLFSSL_API int wolfSSL_SetTmpEC_DHE_Sz(WOLFSSL*, unsigned short); +WOLFSSL_API int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX*, unsigned short); + /* keyblock size in bytes or -1 */ /* need to call wolfSSL_KeepArrays before handshake to save keys */ WOLFSSL_API int wolfSSL_get_keyblock_size(WOLFSSL*); From a54c916c8f6150cad2c177451550ecba9688a325 Mon Sep 17 00:00:00 2001 
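Review bot: The single `#error` in the internal.h hunk covers four unrelated requirements, so a failed build does not say which option has to change. Splitting the condition into one check per requirement, with the same tests as the commit uses, gives an actionable message and makes it harder to weaken one requirement unnoticed in a later edit. The check also relies on `NO_OLD_TLS` having been set by settings.h before this header is processed, which is worth a one-line comment.

```c
#ifdef WOLFSSL_MAX_STRENGTH
    #if !defined(HAVE_ECC) && (defined(NO_DH) || defined(NO_RSA))
        #error "WOLFSSL_MAX_STRENGTH needs ECC, or DH together with RSA."
    #endif
    #if !defined(HAVE_AESGCM) && !defined(HAVE_AESCCM) && \
        (!defined(HAVE_POLY1305) || !defined(HAVE_CHACHA))
        #error "WOLFSSL_MAX_STRENGTH needs AES-GCM, AES-CCM or ChaCha20-Poly1305."
    #endif
    #if defined(NO_SHA256) && !defined(WOLFSSL_SHA384)
        #error "WOLFSSL_MAX_STRENGTH needs SHA-256 or SHA-384."
    #endif
    /* NO_OLD_TLS is expected to be set by settings.h for this build mode */
    #ifndef NO_OLD_TLS
        #error "WOLFSSL_MAX_STRENGTH needs NO_OLD_TLS."
    #endif
#endif
```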
From: toddouska Date: Thu, 2 Apr 2015 09:40:22 -0700 Subject: [PATCH 24/35] fix chacha on bigendian, touchups --- wolfcrypt/src/chacha.c | 29 +++++++++++++++-------------- wolfssl/wolfcrypt/settings.h | 6 +++--- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/wolfcrypt/src/chacha.c b/wolfcrypt/src/chacha.c index 25e42a1d4..ab148597d 100644 --- a/wolfcrypt/src/chacha.c +++ b/wolfcrypt/src/chacha.c @@ -78,10 +78,6 @@ int wc_Chacha_SetIV(ChaCha* ctx, const byte* inIv, word32 counter) { word32 temp[3]; /* used for alignment of memory */ - XMEMSET(temp, 0, 12); - - if (ctx == NULL) - return BAD_FUNC_ARG; #ifdef CHACHA_AEAD_TEST word32 i; @@ -92,12 +88,15 @@ int wc_Chacha_SetIV(ChaCha* ctx, const byte* inIv, word32 counter) printf("\n\n"); #endif + if (ctx == NULL) + return BAD_FUNC_ARG; + XMEMCPY(temp, inIv, 12); - ctx->X[12] = counter; /* block counter */ - ctx->X[13] = temp[0]; /* fixed variable from nonce */ - ctx->X[14] = temp[1]; /* counter from nonce */ - ctx->X[15] = temp[2]; /* counter from nonce */ + ctx->X[12] = LITTLE32(counter); /* block counter */ + ctx->X[13] = LITTLE32(temp[0]); /* fixed variable from nonce */ + ctx->X[14] = LITTLE32(temp[1]); /* counter from nonce */ + ctx->X[15] = LITTLE32(temp[2]); /* counter from nonce */ return 0; } @@ -115,14 +114,20 @@ int wc_Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz) const word32* constants; const byte* k; +#ifdef XSTREAM_ALIGN + word32 alignKey[8]; +#endif + if (ctx == NULL) return BAD_FUNC_ARG; + if (keySz != 16 && keySz != 32) + return BAD_FUNC_ARG; + #ifdef XSTREAM_ALIGN - word32 alignKey[keySz / 4]; if ((wolfssl_word)key % 4) { WOLFSSL_MSG("wc_ChachaSetKey unaligned key"); - XMEMCPY(alignKey, key, sizeof(alignKey)); + XMEMCPY(alignKey, key, keySz); k = (byte*)alignKey; } else { 
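Review bot: In `wc_Chacha_SetIV`, `ctx->X[12] = LITTLE32(counter);` byte-swaps a value that is already a host integer. The three nonce words are raw bytes copied from `inIv`, so converting them from little-endian is right, but `counter` arrives as a `word32`; if `LITTLE32` is a byte reversal on big-endian targets (its definition is outside the hunk), any non-zero block counter would be stored reversed there and the keystream would not match other implementations. I would keep `ctx->X[12] = counter;`. The same hunk reads `inIv` in `XMEMCPY(temp, inIv, 12)` after checking only `ctx`, so `if (ctx == NULL || inIv == NULL) return BAD_FUNC_ARG;` would cover both pointers.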
@@ -152,10 +157,6 @@ int wc_Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz) constants = sigma; } else { - /* key size of 128 */ - if (keySz != 16) - return BAD_FUNC_ARG; - constants = tau; } ctx->X[ 8] = U8TO32_LITTLE(k + 0); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 23924ca2c..4a773844a 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -703,11 +703,11 @@ /* stream ciphers except arc4 need 32bit alignment, intel ok without */ -#ifndef XSTREAM_ALIGNMENT +#ifndef XSTREAM_ALIGN #if defined(__x86_64__) || defined(__ia64__) || defined(__i386__) - #define NO_XSTREAM_ALIGNMENT + #define NO_XSTREAM_ALIGN #else - #define XSTREAM_ALIGNMENT + #define XSTREAM_ALIGN #endif #endif From ee4b063b42908771e4ddc95c173f38da467e6950 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 2 Apr 2015 10:01:09 -0700 Subject: [PATCH 25/35] remove double define --- wolfssl/ssl.h | 1 - 1 file changed, 1 deletion(-) diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 62ef01a09..a5e0a64d8 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -891,7 +891,6 @@ WOLFSSL_API int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX*, const unsigned char* p, int pSz, const unsigned char* g, int gSz); WOLFSSL_API int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX*, const unsigned char* b, long sz, int format); -WOLFSSL_API int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX*, unsigned short); #ifndef NO_FILESYSTEM WOLFSSL_API int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX*, const char* f, From d2c816f32202e6a3e494dc9905ae525b330595b5 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 2 Apr 2015 10:52:58 -0700 Subject: [PATCH 26/35] fix github issue #63, intelasm checkin broke MMCAU sha256 --- wolfcrypt/src/sha256.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index fd853633c..9993dcc88 100755 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c 
@@ -446,9 +446,9 @@ int wc_Sha256Update(Sha256* sha256, const byte* data, word32 len) if (sha256->buffLen == SHA256_BLOCK_SIZE) { int ret; - #if defined(LITTLE_ENDIAN_ORDER) + #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) - if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) + if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) #endif ByteReverseWords(sha256->buffer, sha256->buffer, SHA256_BLOCK_SIZE); @@ -481,7 +481,7 @@ int wc_Sha256Final(Sha256* sha256, byte* hash) XMEMSET(&local[sha256->buffLen], 0, SHA256_BLOCK_SIZE - sha256->buffLen); sha256->buffLen += SHA256_BLOCK_SIZE - sha256->buffLen; - #if defined(LITTLE_ENDIAN_ORDER) + #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) #endif @@ -502,7 +502,7 @@ int wc_Sha256Final(Sha256* sha256, byte* hash) sha256->loLen = sha256->loLen << 3; /* store lengths */ - #if defined(LITTLE_ENDIAN_ORDER) + #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) #endif @@ -512,7 +512,7 @@ int wc_Sha256Final(Sha256* sha256, byte* hash) XMEMCPY(&local[SHA256_PAD_SIZE], &sha256->hiLen, sizeof(word32)); XMEMCPY(&local[SHA256_PAD_SIZE + sizeof(word32)], &sha256->loLen, sizeof(word32)); - + #if defined(FREESCALE_MMCAU) || defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) /* Kinetis requires only these bytes reversed */ #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) From 9437a3a303683c63b94864c867453eff17db27ae Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 2 Apr 2015 11:26:55 -0700 Subject: [PATCH 27/35] fix tirtos distcheck --- tirtos/include.am | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tirtos/include.am b/tirtos/include.am index 46bdd4323..03f87e4bf 100644 --- a/tirtos/include.am +++ b/tirtos/include.am 
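Review bot: The unbraced `if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2)` sits inside a nested `#if` and governs the `ByteReverseWords(...)` call that follows the `#endif`, so which statement is conditional depends on the build configuration. It is easy to break by inserting a line between the two, and the same construct recurs in the two wc_Sha256Final hunks below. The guard `#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)` is now repeated three times; folding it into one file-local macro (name to be chosen) and bracing the conditional call would keep the three sites in step. Both function bodies extend beyond these hunks.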
@@ -9,14 +9,14 @@ EXTRA_DIST += \ tirtos/packages/ti/net/wolfssl/package.bld \ tirtos/packages/ti/net/wolfssl/package.xdc \ tirtos/packages/ti/net/wolfssl/package.xs \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.bld \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.xdc \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/test.cfg \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/TM4C1294NC.icf \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/main.c \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.bld \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.xdc \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/benchmark.cfg \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/TM4C1294NC.icf \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/main.c + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.bld \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/test.cfg \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/TM4C1294NC.icf \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/main.c \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.bld \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/benchmark.cfg \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/TM4C1294NC.icf \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/main.c From 7552764fbb3d324bfac0481bc8c530f239277016 Mon Sep 17 00:00:00 2001 
From: toddouska Date: Thu, 2 Apr 2015 11:34:17 -0700 Subject: [PATCH 28/35] turn off chacha on big endian --- configure.ac | 8 +++++++- support/wolfssl.pc | 2 +- wolfcrypt/src/chacha.c | 1 + wolfssl/version.h | 4 ++-- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 36d1794df..566492b74 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.4.6],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.4.7],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) @@ -1201,6 +1201,12 @@ AC_ARG_ENABLE([chacha], [ ENABLED_CHACHA=yes ] ) +# not ready for big endian yet +if test "x$ac_cv_c_bigendian" = "xyes" +then + ENABLED_CHACHA=no +fi + # lean psk does't need chacha if test "$ENABLED_LEANPSK" = "yes" then diff --git a/support/wolfssl.pc b/support/wolfssl.pc index 7b18d95e5..1265e7ce0 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.4.6 +Version: 3.4.7 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/wolfcrypt/src/chacha.c b/wolfcrypt/src/chacha.c index ab148597d..fb8ace64c 100644 --- a/wolfcrypt/src/chacha.c +++ b/wolfcrypt/src/chacha.c @@ -48,6 +48,7 @@ #ifdef BIG_ENDIAN_ORDER #define LITTLE32(x) ByteReverseWord32(x) + #error "CHACHA Not ready for Big Endian yet" #else #define LITTLE32(x) (x) #endif diff --git a/wolfssl/version.h b/wolfssl/version.h index ed8aadbf7..54e92ffc0 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.4.6" -#define LIBWOLFSSL_VERSION_HEX 0x03004006 +#define LIBWOLFSSL_VERSION_STRING "3.4.7" +#define LIBWOLFSSL_VERSION_HEX 0x03004007 #ifdef __cplusplus } From b1316796f9b0759b6899d0be19f9506c0d3e620b Mon Sep 17 00:00:00 2001 
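Review bot: An explicit `--enable-chacha` is silently overridden in the new configure.ac block: on a big-endian target `ENABLED_CHACHA` is forced to `no` without any message, so the user only learns of it when the ChaCha suites are missing from the build. Emitting a notice inside the branch, e.g. `AC_MSG_WARN([ChaCha disabled, not yet supported on big endian])`, would make the decision visible in the configure output. The test also relies on `ac_cv_c_bigendian` having been set by an earlier AC_C_BIGENDIAN check, which is not visible in this hunk and should be confirmed.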
From: toddouska Date: Thu, 2 Apr 2015 11:54:16 -0700 Subject: [PATCH 29/35] allow CTX set tmp dh w/o asn and certs too --- src/ssl.c | 64 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index ff137967a..5902555c5 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -475,6 +475,39 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); return SSL_SUCCESS; } + +/* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */ +int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz, + const unsigned char* g, int gSz) +{ + WOLFSSL_ENTER("wolfSSL_CTX_SetTmpDH"); + if (ctx == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG; + + XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); + XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); + + ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap,DYNAMIC_TYPE_DH); + if (ctx->serverDH_P.buffer == NULL) + return MEMORY_E; + + ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap,DYNAMIC_TYPE_DH); + if (ctx->serverDH_G.buffer == NULL) { + XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); + return MEMORY_E; + } + + ctx->serverDH_P.length = pSz; + ctx->serverDH_G.length = gSz; + + XMEMCPY(ctx->serverDH_P.buffer, p, pSz); + XMEMCPY(ctx->serverDH_G.buffer, g, gSz); + + ctx->haveDH = 1; + + WOLFSSL_LEAVE("wolfSSL_CTX_SetTmpDH", 0); + return SSL_SUCCESS; +} + #endif /* !NO_DH */ 
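Review bot: wolfSSL_CTX_SetTmpDH leaves dangling pointers in `ctx` on its error paths. Both `serverDH_P.buffer` and `serverDH_G.buffer` are freed up front, and if either XMALLOC then fails the function returns MEMORY_E with a freed pointer and the old length still stored, so a later call or the context teardown could free or read it again. `pSz` and `gSz` are signed and reach XMALLOC and XMEMCPY unchecked, so zero or negative sizes should be rejected with BAD_FUNC_ARG. Allocating both replacements first and swapping them in only after both succeed fixes the error paths, as sketched below. The sketch assumes XFREE accepts NULL, as the existing unconditional XFREE calls appear to.

```c
int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz,
                         const unsigned char* g, int gSz)
{
    byte* newP;
    byte* newG;

    WOLFSSL_ENTER("wolfSSL_CTX_SetTmpDH");
    if (ctx == NULL || p == NULL || g == NULL || pSz <= 0 || gSz <= 0)
        return BAD_FUNC_ARG;

    /* allocate both replacements before touching the context */
    newP = (byte*)XMALLOC(pSz, ctx->heap, DYNAMIC_TYPE_DH);
    newG = (byte*)XMALLOC(gSz, ctx->heap, DYNAMIC_TYPE_DH);
    if (newP == NULL || newG == NULL) {
        XFREE(newP, ctx->heap, DYNAMIC_TYPE_DH);
        XFREE(newG, ctx->heap, DYNAMIC_TYPE_DH);
        return MEMORY_E;   /* ctx still holds its previous parameters */
    }
    XMEMCPY(newP, p, pSz);
    XMEMCPY(newG, g, gSz);

    /* release the old parameters only once the new ones are complete */
    XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
    XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
    ctx->serverDH_P.buffer = newP;
    ctx->serverDH_G.buffer = newG;

    /* … unchanged: length assignments, haveDH, WOLFSSL_LEAVE, return … */
```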
@@ -3822,37 +3855,6 @@ int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format) } - /* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */ - int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz, - const unsigned char* g, int gSz) - { - WOLFSSL_ENTER("wolfSSL_CTX_SetTmpDH"); - if (ctx == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG; - - XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); - XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); - - ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap,DYNAMIC_TYPE_DH); - if (ctx->serverDH_P.buffer == NULL) - return MEMORY_E; - - ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap,DYNAMIC_TYPE_DH); - if (ctx->serverDH_G.buffer == NULL) { - XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); - return MEMORY_E; - } - - ctx->serverDH_P.length = pSz; - ctx->serverDH_G.length = gSz; - - XMEMCPY(ctx->serverDH_P.buffer, p, pSz); - XMEMCPY(ctx->serverDH_G.buffer, g, gSz); - - ctx->haveDH = 1; - - WOLFSSL_LEAVE("wolfSSL_CTX_SetTmpDH", 0); - return SSL_SUCCESS; - } #endif /* NO_DH */ From 523775fcd61c632f4528fea344159d5af96c84e0 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 3 Apr 2015 09:54:15 -0700 Subject: [PATCH 30/35] updated the iOS readme --- IDE/iOS/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/IDE/iOS/README.md b/IDE/iOS/README.md index 0c20d3fa7..e9e781b49 100644 --- a/IDE/iOS/README.md +++ b/IDE/iOS/README.md @@ -66,7 +66,6 @@ for "Preprocessor Macros" and add the following under both `Release` and * `HAVE_AESGCM` * `WOLFSSL_SHA512` * `WOLFSSL_SHA384` -* `NO_PWDBASED` -- for now, can drop later # Using the FIPS library 
@@ -80,3 +79,8 @@ libraries like this, so static builds are required. This creates a problem. Every time the application is changed, the FIPS checksum will change, because the FIPS library's position in the executable may change. +You need to add something to your application that will output the verifyCore +value to be used. The verifyCore in fips_test.c will need to be updated with this +value, the library rebuilt, and relinked into your application. The application +should not be changed during this process or the verifyCore check will fail again. + From 10f853ae4d4e5f94b7bb1388ac32a7c7370c476a Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 3 Apr 2015 12:19:40 -0600 Subject: [PATCH 31/35] adjustment to chacha for big endian --- configure.ac | 6 ------ wolfcrypt/src/chacha.c | 9 ++++----- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/configure.ac b/configure.ac index 566492b74..45a687368 100644 --- a/configure.ac +++ b/configure.ac @@ -1201,12 +1201,6 @@ AC_ARG_ENABLE([chacha], [ ENABLED_CHACHA=yes ] ) -# not ready for big endian yet -if test "x$ac_cv_c_bigendian" = "xyes" -then - ENABLED_CHACHA=no -fi - # lean psk does't need chacha if test "$ENABLED_LEANPSK" = "yes" then diff --git a/wolfcrypt/src/chacha.c b/wolfcrypt/src/chacha.c index fb8ace64c..4e95bdbd0 100644 --- a/wolfcrypt/src/chacha.c +++ b/wolfcrypt/src/chacha.c @@ -48,7 +48,6 @@ #ifdef BIG_ENDIAN_ORDER #define LITTLE32(x) ByteReverseWord32(x) - #error "CHACHA Not ready for Big Endian yet" #else #define LITTLE32(x) (x) #endif 
@@ -164,10 +163,10 @@ int wc_Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz) ctx->X[ 9] = U8TO32_LITTLE(k + 4); ctx->X[10] = U8TO32_LITTLE(k + 8); ctx->X[11] = U8TO32_LITTLE(k + 12); - ctx->X[ 0] = U8TO32_LITTLE(constants + 0); - ctx->X[ 1] = U8TO32_LITTLE(constants + 1); - ctx->X[ 2] = U8TO32_LITTLE(constants + 2); - ctx->X[ 3] = U8TO32_LITTLE(constants + 3); + ctx->X[ 0] = constants[0]; + ctx->X[ 1] = constants[1]; + ctx->X[ 2] = constants[2]; + ctx->X[ 3] = constants[3]; return 0; } From e39abffc5eda18707584a519908509d790d75a68 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 3 Apr 2015 12:11:29 -0700 Subject: [PATCH 32/35] add GNU ld bug error and solution --- README | 3 +++ README.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/README b/README index 380575265..d9e982f38 100644 --- a/README +++ b/README @@ -34,6 +34,9 @@ before calling wolfSSL_new(); Though it's not recommended. *** end Notes *** +- GNU Binutils 2.24 ld has problems with some debug builds, to fix an ld error + add -fdebug-types-section to C_EXTRA_FLAGS + wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015) Release 3.4.6 of wolfSSL has bug fixes and new features including: diff --git a/README.md b/README.md index 65be1b0f2..59c77e37c 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,9 @@ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); before calling wolfSSL_new(); Though it's not recommended. ``` +- GNU Binutils 2.24 ld has problems with some debug builds, to fix an ld error + add -fdebug-types-section to C_EXTRA_FLAGS + #wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015) ##Release 3.4.6 of wolfSSL has bug fixes and new features including: From 44a3011328dc0c5f742eb426338dba3c0e280472 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 3 Apr 2015 13:25:51 -0700 Subject: [PATCH 33/35] fix STREAM_ALIGN consistency --- wolfssl/wolfcrypt/settings.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
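Review bot: Reading `constants[0]` through `constants[3]` as native words is only endian-neutral if `sigma` and `tau` are declared as word32 arrays of numeric constants. If they are byte strings viewed through a `word32*`, a big-endian build would load swapped constants and produce a keystream that does not interoperate. Their declarations are outside this hunk, so please confirm and record the assumption next to the loads, e.g. `/* sigma/tau are host-order word32 values, no byte swap needed */`. wc_Chacha_SetKey begins outside this hunk.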
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 4a773844a..23c19486d 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -723,7 +723,7 @@ #ifndef WOLFSSL_GENERAL_ALIGNMENT #ifdef WOLFSSL_AESNI #define WOLFSSL_GENERAL_ALIGNMENT 16 - #elif defined(XSTREAM_ALIGNMENT) + #elif defined(XSTREAM_ALIGN) #define WOLFSSL_GENERAL_ALIGNMENT 4 #elif defined(FREESCALE_MMCAU) #define WOLFSSL_GENERAL_ALIGNMENT WOLFSSL_MMCAU_ALIGNMENT From a7d004e47ddcca633dad272468dc579bc864ec9c Mon Sep 17 00:00:00 2001 From: toddouska Date: Sat, 4 Apr 2015 09:49:34 -0700 Subject: [PATCH 34/35] add sha512 sig_algo processing for server_key_exchange and cert_verify messages --- src/internal.c | 203 +++++++++++++++++++++++++++++++++++++++++++++ src/ssl.c | 19 +++++ wolfssl/internal.h | 6 ++ 3 files changed, 228 insertions(+) diff --git a/src/internal.c b/src/internal.c index 176c98b3f..4f644fd2f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -588,6 +588,10 @@ static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int idx = 0; if (haveECDSAsig) { + #ifdef WOLFSSL_SHA512 + suites->hashSigAlgo[idx++] = sha512_mac; + suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; + #endif #ifdef WOLFSSL_SHA384 suites->hashSigAlgo[idx++] = sha384_mac; suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; @@ -603,6 +607,10 @@ static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, } if (haveRSAsig) { + #ifdef WOLFSSL_SHA512 + suites->hashSigAlgo[idx++] = sha512_mac; + suites->hashSigAlgo[idx++] = rsa_sa_algo; + #endif #ifdef WOLFSSL_SHA384 suites->hashSigAlgo[idx++] = sha384_mac; suites->hashSigAlgo[idx++] = rsa_sa_algo; @@ -1622,6 +1630,12 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) return ret; } #endif +#ifdef WOLFSSL_SHA512 + ret = wc_InitSha512(&ssl->hsHashes->hashSha512); + if (ret != 0) { + return ret; + } +#endif /* increment CTX reference count */ if (LockMutex(&ctx->countMutex) != 0) { 
@@ -2427,6 +2441,11 @@ static int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz) ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); if (ret != 0) return ret; +#endif +#ifdef WOLFSSL_SHA512 + ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); + if (ret != 0) + return ret; #endif } @@ -2468,6 +2487,11 @@ static int HashInput(WOLFSSL* ssl, const byte* input, int sz) ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); if (ret != 0) return ret; +#endif +#ifdef WOLFSSL_SHA512 + ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); + if (ret != 0) + return ret; #endif } @@ -3018,6 +3042,7 @@ static void BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #endif +/* Finished doesn't support SHA512, not SHA512 cipher suites yet */ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) { int ret = 0; @@ -6881,6 +6906,9 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) #ifdef WOLFSSL_SHA384 Sha384 sha384 = ssl->hsHashes->hashSha384; #endif + #ifdef WOLFSSL_SHA512 + Sha512 sha512 = ssl->hsHashes->hashSha512; + #endif if (ssl->options.tls) { #if ! defined( NO_OLD_TLS ) @@ -6900,6 +6928,11 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) if (ret != 0) return ret; #endif + #ifdef WOLFSSL_SHA512 + ret = wc_Sha512Final(&ssl->hsHashes->hashSha512,hashes->sha512); + if (ret != 0) + return ret; + #endif } } #if ! defined( NO_OLD_TLS ) @@ -6919,6 +6952,9 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) #ifdef WOLFSSL_SHA384 ssl->hsHashes->hashSha384 = sha384; #endif + #ifdef WOLFSSL_SHA512 + ssl->hsHashes->hashSha512 = sha512; + #endif } return 0; @@ -8881,6 +8917,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl, break; } #endif + #ifdef WOLFSSL_SHA512 + else if (hashSigAlgo[i] == sha512_mac) { + ssl->suites->hashAlgo = sha512_mac; + break; + } + #endif } } } 
@@ -9907,6 +9949,15 @@ static void PickHashSigAlgo(WOLFSSL* ssl, byte hash384[SHA384_DIGEST_SIZE]; #endif #endif +#ifdef WOLFSSL_SHA512 +#ifdef WOLFSSL_SMALL_STACK + Sha512* sha512 = NULL; + byte* hash512 = NULL; +#else + Sha512 sha512[1]; + byte hash512[SHA512_DIGEST_SIZE]; +#endif +#endif #ifdef WOLFSSL_SMALL_STACK byte* hash = NULL; byte* messageVerify = NULL; @@ -10026,6 +10077,24 @@ static void PickHashSigAlgo(WOLFSSL* ssl, goto done; #endif +#ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (sha512 == NULL || hash512 == NULL) + ERROR_OUT(MEMORY_E, done); + #endif + if (!(ret = wc_InitSha512(sha512)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->clientRandom, RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->serverRandom, RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, messageVerify, verifySz))) + ret = wc_Sha512Final(sha512, hash512); + if (ret != 0) + goto done; +#endif + #ifndef NO_RSA /* rsa */ if (sigAlgo == rsa_sa_algo) @@ -10094,6 +10163,13 @@ static void PickHashSigAlgo(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + #endif + } #ifdef WOLFSSL_SMALL_STACK encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, @@ -10159,6 +10235,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + digestSz = SHA512_DIGEST_SIZE; + #endif + } } if (doUserEcc) { #ifdef HAVE_PK_CALLBACKS 
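Review bot: If the peer's message selects `sha512_mac` on a build without WOLFSSL_SHA512, the new `else if (hashAlgo == sha512_mac)` branch is empty. `digest`, `typeH` and `digestSz` then keep whatever was assigned above the hunk, so the signature would be checked against a different hash than the one named on the wire instead of being rejected outright. This applies to the RSA and ECC branches here and to most of the sha512 branches added in later hunks of this file for the server key exchange and certificate verify paths; the existing sha384 branches have the same shape. An `#else` arm that fails closed, e.g. `ERROR_OUT(ALGO_ID_E, done);`, would make the mismatch explicit. Confirm the error code and cleanup label for each function, since their bodies extend beyond these hunks.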
@@ -10198,6 +10280,10 @@ static void PickHashSigAlgo(WOLFSSL* ssl, #ifdef WOLFSSL_SHA384 XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(hash384, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + #ifdef WOLFSSL_SHA512 + XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(hash512, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(messageVerify, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -10887,6 +10973,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = ssl->hsHashes->certHashes.sha512; + digestSz = SHA512_DIGEST_SIZE; + #endif + } } if (doUserEcc) { @@ -10955,6 +11047,14 @@ static void PickHashSigAlgo(WOLFSSL* ssl, didSet = 1; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = ssl->hsHashes->certHashes.sha512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + didSet = 1; + #endif + } if (didSet == 0) { /* defaults */ @@ -11685,6 +11785,15 @@ int DoSessionTicket(WOLFSSL* ssl, byte hash384[SHA384_DIGEST_SIZE]; #endif #endif + #ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + Sha512* sha512 = NULL; + byte* hash512 = NULL; + #else + Sha512 sha512[1]; + byte hash512[SHA512_DIGEST_SIZE]; + #endif + #endif #ifdef WOLFSSL_SMALL_STACK hash = (byte*)XMALLOC(FINISHED_SZ, NULL, 
@@ -11765,6 +11874,28 @@ int DoSessionTicket(WOLFSSL* ssl, goto done_a2; #endif + #ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (sha512 == NULL || hash512 == NULL) + ERROR_OUT(MEMORY_E, done_a2); + #endif + + if (!(ret = wc_InitSha512(sha512)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->clientRandom, + RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->serverRandom, + RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, output + preSigIdx, preSigSz))) + ret = wc_Sha512Final(sha512, hash512); + + if (ret != 0) + goto done_a2; + #endif + #ifndef NO_RSA if (ssl->suites->sigAlgo == rsa_sa_algo) { byte* signBuffer = hash; @@ -11807,6 +11938,13 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + #endif + } signSz = wc_EncodeSignature(encodedSig, digest, digestSz, typeH); @@ -11877,6 +12015,12 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + digestSz = SHA512_DIGEST_SIZE; + #endif + } } if (doUserEcc) { @@ -11923,6 +12067,10 @@ int DoSessionTicket(WOLFSSL* ssl, XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(hash384, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif + #ifdef WOLFSSL_SHA512 + XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(hash512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif #endif if (ret < 0) 
@@ -12126,6 +12274,15 @@ int DoSessionTicket(WOLFSSL* ssl, byte hash384[SHA384_DIGEST_SIZE]; #endif #endif + #ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + Sha512* sha512 = NULL; + byte* hash512 = NULL; + #else + Sha512 sha512[1]; + byte hash512[SHA512_DIGEST_SIZE]; + #endif + #endif /* Add hash/signature algo ID */ if (IsAtLeastTLSv1_2(ssl)) { @@ -12220,6 +12377,28 @@ int DoSessionTicket(WOLFSSL* ssl, goto done_b; #endif + #ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (sha512 == NULL || hash512 == NULL) + ERROR_OUT(MEMORY_E, done_b); + #endif + + if (!(ret = wc_InitSha512(sha512)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->clientRandom, + RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->serverRandom, + RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, output + preSigIdx, preSigSz))) + ret = wc_Sha512Final(sha512, hash512); + + if (ret != 0) + goto done_b; + #endif + #ifndef NO_RSA if (ssl->suites->sigAlgo == rsa_sa_algo) { byte* signBuffer = hash; @@ -12262,6 +12441,13 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + #endif + } signSz = wc_EncodeSignature(encodedSig, digest, digestSz, typeH); @@ -12304,6 +12490,10 @@ int DoSessionTicket(WOLFSSL* ssl, XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(hash384, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif + #ifdef WOLFSSL_SHA512 + XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(hash512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif #endif if (ret < 0) return ret; 
@@ -13045,6 +13235,13 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = ssl->hsHashes->certHashes.sha512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + #endif + } sigSz = wc_EncodeSignature(encodedSig, digest, digestSz, typeH); @@ -13097,6 +13294,12 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = ssl->hsHashes->certHashes.sha512; + digestSz = SHA512_DIGEST_SIZE; + #endif + } } if (doUserEcc) { diff --git a/src/ssl.c b/src/ssl.c index 5902555c5..d907f443a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -849,6 +849,11 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl) if (ret !=0) return ret; #endif +#ifdef WOLFSSL_SHA512 + ret = wc_InitSha512(&ssl->hsHashes->hashSha512); + if (ret !=0) + return ret; +#endif ret = wolfSSL_negotiate(ssl); return ret; @@ -5167,6 +5172,13 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl) return SSL_FATAL_ERROR; } #endif + #ifdef WOLFSSL_SHA512 + if ( (ssl->error = wc_InitSha512( + &ssl->hsHashes->hashSha512)) != 0) { + WOLFSSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + #endif } if ( (ssl->error = SendClientHello(ssl)) != 0) { WOLFSSL_ERROR(ssl->error); @@ -5446,6 +5458,13 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl) return SSL_FATAL_ERROR; } #endif + #ifdef WOLFSSL_SHA512 + if ( (ssl->error = wc_InitSha512( + &ssl->hsHashes->hashSha512)) != 0) { + WOLFSSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + #endif } while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 55af1d1b9..3ead47d88 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1714,6 +1714,9 @@ typedef struct Hashes { #ifdef WOLFSSL_SHA384 byte sha384[SHA384_DIGEST_SIZE]; #endif + #ifdef WOLFSSL_SHA512 + byte sha512[SHA512_DIGEST_SIZE]; + #endif } Hashes; 
@@ -2090,6 +2093,9 @@ typedef struct HS_Hashes { #ifdef WOLFSSL_SHA384 Sha384 hashSha384; /* sha384 hash of handshake msgs */ #endif +#ifdef WOLFSSL_SHA512 + Sha512 hashSha512; /* sha512 hash of handshake msgs */ +#endif } HS_Hashes; From d67a031132b87fc01f0808f161eda0e3101dbba7 Mon Sep 17 00:00:00 2001 From: toddouska Date: Sun, 5 Apr 2015 09:13:11 -0700 Subject: [PATCH 35/35] fix scr gcm mode --- src/keys.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/src/keys.c b/src/keys.c index d83619681..b06debb28 100644 --- a/src/keys.c +++ b/src/keys.c @@ -2407,11 +2407,33 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) /* Initialize the AES-GCM/CCM explicit IV to a zero. */ XMEMCPY(ssl->keys.aead_exp_IV, keys->aead_exp_IV, AEAD_EXP_IV_SZ); + + /* Initialize encrypt implicit IV by encrypt side */ + if (ssl->options.side == WOLFSSL_CLIENT_END) { + XMEMCPY(ssl->keys.aead_enc_imp_IV, + keys->client_write_IV, AEAD_IMP_IV_SZ); + } else { + XMEMCPY(ssl->keys.aead_enc_imp_IV, + keys->server_write_IV, AEAD_IMP_IV_SZ); + } } #endif } - if (wc_decrypt) + if (wc_decrypt) { ssl->keys.peer_sequence_number = keys->peer_sequence_number; + #ifdef HAVE_AEAD + if (ssl->specs.cipher_type == aead) { + /* Initialize decrypt implicit IV by decrypt side */ + if (ssl->options.side == WOLFSSL_SERVER_END) { + XMEMCPY(ssl->keys.aead_dec_imp_IV, + keys->client_write_IV, AEAD_IMP_IV_SZ); + } else { + XMEMCPY(ssl->keys.aead_dec_imp_IV, + keys->server_write_IV, AEAD_IMP_IV_SZ); + } + } + #endif + } ssl->secure_renegotiation->cache_status++; } #endif /* HAVE_SECURE_RENEGOTIATION */