diff --git a/cyassl/test.h b/cyassl/test.h index d4a2b986f..504668d8a 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -106,7 +106,11 @@ #define SERVER_DEFAULT_VERSION 3 +#define SERVER_DTLS_DEFAULT_VERSION (-2) +#define SERVER_INVALID_VERSION (-99) #define CLIENT_DEFAULT_VERSION 3 +#define CLIENT_DTLS_DEFAULT_VERSION (-2) +#define CLIENT_INVALID_VERSION (-99) /* all certs relative to CyaSSL home directory now */ #define caCert "./certs/ca-cert.pem" diff --git a/examples/client/client.c b/examples/client/client.c index fa9f2dae9..fcb1ba828 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -99,7 +99,8 @@ static void Usage(void) printf("-s Use pre Shared keys\n"); printf("-d Disable peer checks\n"); printf("-g Send server HTTP GET\n"); - printf("-u Use UDP DTLS\n"); + printf("-u Use UDP DTLS," + " add -v 2 for DTLSv1 (default), -v 3 for DTLSv1.2\n"); printf("-m Match domain name in cert\n"); printf("-N Use Non-blocking sockets\n"); printf("-r Resume session\n"); @@ -129,7 +130,7 @@ void client_test(void* args) char* domain = (char*)"www.yassl.com"; int ch; - int version = CLIENT_DEFAULT_VERSION; + int version = CLIENT_INVALID_VERSION; int usePsk = 0; int sendGET = 0; int benchmark = 0; @@ -164,7 +165,6 @@ void client_test(void* args) case 'u' : doDTLS = 1; - version = -1; /* DTLS flag */ break; case 's' : @@ -190,8 +190,6 @@ void client_test(void* args) Usage(); exit(MY_EX_USAGE); } - if (doDTLS) - version = -1; /* DTLS flag */ break; case 'l' : @@ -234,6 +232,22 @@ void client_test(void* args) myoptind = 0; /* reset for test cases */ + /* sort out DTLS versus TLS versions */ + if (version == CLIENT_INVALID_VERSION) { + if (doDTLS) + version = CLIENT_DTLS_DEFAULT_VERSION; + else + version = CLIENT_DEFAULT_VERSION; + } + else { + if (doDTLS) { + if (version == 3) + version = -2; + else + version = -1; + } + } + switch (version) { #ifndef NO_OLD_TLS case 0: 
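Review bot: With `-u` and no `-v`, the new version-sorting block in client_test assigns `CLIENT_DTLS_DEFAULT_VERSION`, which the test.h hunk defines as `(-2)` and which a later hunk maps to `CyaDTLSv1_2_client_method()`, yet the Usage string added in this same commit calls DTLSv1 the default. One of the two should change: either `#define CLIENT_DTLS_DEFAULT_VERSION (-1)` or a help string reading `-v 2 for DTLSv1, -v 3 for DTLSv1.2 (default)`, so that someone checking protocol-version behaviour with this tool negotiates what the help text says. The else branch also writes bare `-2`/`-1` and silently turns every explicit `-v` value other than 3 into DTLSv1; named constants with a comment such as `/* with -u, -v selects the DTLS version: 3 => DTLSv1.2, else DTLSv1 */` would make that mapping explicit. client_test starts and ends outside the hunk.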
@@ -257,6 +271,10 @@ void client_test(void* args) case -1: method = CyaDTLSv1_client_method(); break; + + case -2: + method = CyaDTLSv1_2_client_method(); + break; #endif default: diff --git a/examples/server/server.c b/examples/server/server.c index fc22537ad..c4db51f6a 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -98,7 +98,8 @@ static void Usage(void) printf("-d Disable client cert check\n"); printf("-b Bind to any interface instead of localhost only\n"); printf("-s Use pre Shared keys\n"); - printf("-u Use UDP DTLS\n"); + printf("-u Use UDP DTLS," + " add -v 2 for DTLSv1 (default), -v 3 for DTLSv1.2\n"); printf("-N Use Non-blocking sockets\n"); } @@ -157,7 +158,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) case 'u' : doDTLS = 1; - version = -1; /* DTLS flag */ break; case 'p' : @@ -170,8 +170,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) Usage(); exit(MY_EX_USAGE); } - if (doDTLS) - version = -1; /* stay with DTLS */ break; case 'l' : @@ -202,6 +200,22 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) myoptind = 0; /* reset for test cases */ + /* sort out DTLS versus TLS versions */ + if (version == CLIENT_INVALID_VERSION) { + if (doDTLS) + version = CLIENT_DTLS_DEFAULT_VERSION; + else + version = CLIENT_DEFAULT_VERSION; + } + else { + if (doDTLS) { + if (version == 3) + version = -2; + else + version = -1; + } + } + switch (version) { #ifndef NO_OLD_TLS case 0: @@ -225,6 +239,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) case -1: method = DTLSv1_server_method(); break; + + case -2: + method = DTLSv1_2_server_method(); + break; #endif default: diff --git a/src/internal.c b/src/internal.c index 60ef85b85..d98755a50 100644 --- a/src/internal.c +++ b/src/internal.c 
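Review bot: The version-sorting block added to server_test tests and assigns the client macros (`CLIENT_INVALID_VERSION`, `CLIENT_DTLS_DEFAULT_VERSION`, `CLIENT_DEFAULT_VERSION`), although this commit adds `SERVER_*` equivalents to test.h. No server.c hunk changes the initializer of `version`, so unless it is set to the sentinel outside the visible hunks, the first branch never runs and `-u` alone reaches DTLSv1.2 only through the `version == 3` mapping in the else branch. I would switch the three names to `SERVER_INVALID_VERSION`, `SERVER_DTLS_DEFAULT_VERSION` and `SERVER_DEFAULT_VERSION`, and initialise with `int version = SERVER_INVALID_VERSION;` to mirror client.c. server_test starts and ends outside the hunk.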
@@ -3375,6 +3375,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) { byte additional[AES_BLOCK_SIZE]; byte nonce[AEAD_NONCE_SZ]; + const byte* additionalSrc = input - 5; XMEMSET(additional, 0, AES_BLOCK_SIZE); @@ -3384,7 +3385,11 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) /* Store the type, version. Unfortunately, they are in * the input buffer ahead of the plaintext. */ - XMEMCPY(additional + AEAD_TYPE_OFFSET, input - 5, 3); + #ifdef CYASSL_DTLS + if (ssl->options.dtls) + additionalSrc -= DTLS_HANDSHAKE_EXTRA; + #endif + XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3); /* Store the length of the plain text minus the explicit * IV length minus the authentication tag size. */ @@ -3411,6 +3416,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) { byte additional[AES_BLOCK_SIZE]; byte nonce[AEAD_NONCE_SZ]; + const byte* additionalSrc = input - 5; XMEMSET(additional, 0, AES_BLOCK_SIZE); @@ -3420,7 +3426,11 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) /* Store the type, version. Unfortunately, they are in * the input buffer ahead of the plaintext. */ - XMEMCPY(additional + AEAD_TYPE_OFFSET, input - 5, 3); + #ifdef CYASSL_DTLS + if (ssl->options.dtls) + additionalSrc -= DTLS_HANDSHAKE_EXTRA; + #endif + XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3); /* Store the length of the plain text minus the explicit * IV length minus the authentication tag size. */ diff --git a/tests/include.am b/tests/include.am index 374e1676b..43d31afb1 100644 --- a/tests/include.am +++ b/tests/include.am 
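Review bot: In both AEAD branches of Encrypt (this hunk and the one at -3411), `additionalSrc` is formed by stepping backwards from `input`, by 5 and then by a further `DTLS_HANDSHAKE_EXTRA`, so the three bytes copied into the additional data are correct and in bounds only when the caller has placed a full record header directly before the plaintext; nothing visible here checks that. The bytes being skipped for DTLS are the record header's epoch and sequence number rather than handshake fields, so the record-level constant would state the intent better, `additionalSrc -= DTLS_RECORD_EXTRA;` (assuming that enum is defined next to `DTLS_HANDSHAKE_EXTRA`), and the bare 5 could become `RECORD_HEADER_SZ`. I would also add a comment such as `/* input must be preceded by the record header (longer for DTLS) */` at the declaration. Decrypt is not touched by this diff, so it is worth confirming that it builds identical additional data for DTLS, since a mismatch surfaces only as authentication-tag failures. Encrypt starts and ends outside both hunks.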
@@ -27,9 +27,11 @@ EXTRA_DIST += tests/test.conf \ tests/test-ecc-sha384.conf \ tests/test-aesgcm.conf \ tests/test-aesgcm-ecc.conf \ + tests/test-aesgcm-ecc-dtls.conf \ tests/test-aesgcm-openssl.conf \ tests/test-aesccm.conf \ tests/test-aesccm-ecc.conf \ + tests/test-aesccm-ecc-dtls.conf \ tests/test-camellia.conf \ tests/test-camellia-openssl.conf \ tests/test-dtls.conf \ diff --git a/tests/suites.c b/tests/suites.c index 459e1e063..11c4e4588 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -400,6 +400,16 @@ int SuiteTest(void) printf("error from script %d\n", args.return_code); exit(EXIT_FAILURE); } + #ifdef CYASSL_DTLS + /* add aesgcm ecc dtls extra suites */ + strcpy(argv0[1], "tests/test-aesgcm-ecc-dtls.conf"); + printf("starting aesgcm ecc dtls extra cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + exit(EXIT_FAILURE); + } + #endif #endif #if defined(HAVE_AESCCM) @@ -420,6 +430,16 @@ int SuiteTest(void) printf("error from script %d\n", args.return_code); exit(EXIT_FAILURE); } + #ifdef CYASSL_DTLS + /* add aesccm ecc dtls extra suites */ + strcpy(argv0[1], "tests/test-aesccm-ecc-dtls.conf"); + printf("starting aesccm ecc dtls cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + exit(EXIT_FAILURE); + } + #endif #endif #endif diff --git a/tests/test-aesccm-ecc-dtls.conf b/tests/test-aesccm-ecc-dtls.conf new file mode 100644 index 000000000..0fef28d82 --- /dev/null +++ b/tests/test-aesccm-ecc-dtls.conf 
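Review bot: Both blocks added to SuiteTest copy a path into `argv0[1]` with an unbounded `strcpy`; `tests/test-aesgcm-ecc-dtls.conf` and `tests/test-aesccm-ecc-dtls.conf` are each 31 characters, so they need a 32-byte destination. The declaration of `argv0` is outside the hunk, so its size cannot be checked from here, and a too-small fixed array would be overrun without any diagnostic. A bounded copy makes that failure visible: `snprintf(argv0[1], sizeof(argv0[1]), "%s", "tests/test-aesgcm-ecc-dtls.conf");` (valid only if `argv0` is a true two-dimensional array rather than a pointer), with the return value compared against the size. The same applies to the second hunk at -420.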
@@ -0,0 +1,56 @@
+# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 NON-BLOCKING
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+-N
+
+# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 NON-BLOCKING
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-CCM-8-SHA256
+-A ./certs/server-ecc.pem
+-N
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 NON-BLOCKING
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+-N
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 NON-BLOCKING
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-CCM-8-SHA384
+-A ./certs/server-ecc.pem
+-N
+
diff --git a/tests/test-aesgcm-ecc-dtls.conf b/tests/test-aesgcm-ecc-dtls.conf
new file mode 100644
index 000000000..dd2a8cc77
--- /dev/null
+++ b/tests/test-aesgcm-ecc-dtls.conf
@@ -0,0 +1,96 @@
+# server DTLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-u
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
+-u
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
+-u
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDH-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDH-ECDSA-AES256-GCM-SHA384
+-A ./certs/server-ecc.pem
+
+# server DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
+-u
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# client DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
+-u
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# server DTLSv1.2 ECDH-RSA-AES128-GCM-SHA256
+-u
+-v 3
+-l ECDH-RSA-AES128-GCM-SHA256
+-c ./certs/server-ecc-rsa.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDH-RSA-AES128-GCM-SHA256
+-u
+-v 3
+-l ECDH-RSA-AES128-GCM-SHA256
+
+# server DTLSv1.2 ECDH-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDH-RSA-AES256-GCM-SHA384
+-c ./certs/server-ecc-rsa.pem
+-k ./certs/ecc-key.pem
+
+# client DTLSv1.2 ECDH-RSA-AES256-GCM-SHA384
+-u
+-v 3
+-l ECDH-RSA-AES256-GCM-SHA384
+
diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf
index d733e0ecf..29e50509a 100644
--- a/tests/test-dtls.conf
+++ b/tests/test-dtls.conf
@@ -1,98 +1,240 @@ # server DTLSv1 RC4-SHA -u +-v 2 -l RC4-SHA # client DTLSv1 RC4-SHA -u +-v 2 +-l RC4-SHA + +# server DTLSv1.2 RC4-SHA +-u +-v 3 +-l RC4-SHA + +# client DTLSv1.2 RC4-SHA +-u +-v 3 -l RC4-SHA # server DTLSv1 DES-CBC3-SHA -u +-v 2 -l DES-CBC3-SHA # client DTLSv1 DES-CBC3-SHA -u +-v 2 +-l DES-CBC3-SHA + +# server DTLSv1.2 DES-CBC3-SHA +-u +-v 3 +-l DES-CBC3-SHA + +# client DTLSv1.2 DES-CBC3-SHA +-u +-v 3 -l DES-CBC3-SHA # server DTLSv1 AES128-SHA -u +-v 2 -l AES128-SHA # client DTLSv1 AES128-SHA -u +-v 2 +-l AES128-SHA + +# server DTLSv1.2 AES128-SHA +-u +-v 3 +-l AES128-SHA + +# client DTLSv1.2 AES128-SHA +-u +-v 3 -l AES128-SHA # server DTLSv1 AES256-SHA -u +-v 2 -l AES256-SHA # client DTLSv1 AES256-SHA -u +-v 2 +-l AES256-SHA + +# server DTLSv1.2 AES256-SHA +-u +-v 3 +-l AES256-SHA + +# client DTLSv1.2 AES256-SHA +-u +-v 3 -l AES256-SHA # server DTLSv1 AES128-SHA256 -u +-v 2 -l AES128-SHA256 # client DTLSv1 AES128-SHA256 -u +-v 2 +-l AES128-SHA256 + +# server DTLSv1.2 AES128-SHA256 +-u +-v 3 +-l AES128-SHA256 + +# client DTLSv1.2 AES128-SHA256 +-u +-v 3 -l AES128-SHA256 # server DTLSv1 AES256-SHA256 -u +-v 2 -l AES256-SHA256 # client DTLSv1 AES256-SHA256 -u +-v 2 +-l AES256-SHA256 + +# server DTLSv1.2 AES256-SHA256 +-u +-v 3 +-l AES256-SHA256 + +# client DTLSv1.2 AES256-SHA256 +-u +-v 3 -l AES256-SHA256 # server DTLSv1 DES-CBC3-SHA NON-BLOCKING -u +-v 2 -l DES-CBC3-SHA -N # client DTLSv1 DES-CBC3-SHA NON-BLOCKING -u +-v 2 +-l DES-CBC3-SHA +-N + +# server DTLSv1.2 DES-CBC3-SHA NON-BLOCKING +-u +-v 3 +-l DES-CBC3-SHA +-N + +# client DTLSv1.2 DES-CBC3-SHA NON-BLOCKING +-u +-v 3 -l DES-CBC3-SHA -N # server DTLSv1 AES128-SHA NON-BLOCKING -u +-v 2 -l AES128-SHA -N # client DTLSv1 AES128-SHA NON-BLOCKING -u +-v 2 +-l AES128-SHA +-N + +# server DTLSv1.2 AES128-SHA NON-BLOCKING +-u +-v 3 +-l AES128-SHA +-N + +# client DTLSv1.2 AES128-SHA NON-BLOCKING +-u +-v 3 -l AES128-SHA -N # server DTLSv1 AES256-SHA NON-BLOCKING -u +-v 2 -l AES256-SHA -N # client 
DTLSv1 AES256-SHA NON-BLOCKING -u +-v 2 +-l AES256-SHA +-N + +# server DTLSv1.2 AES256-SHA NON-BLOCKING +-u +-v 3 +-l AES256-SHA +-N + +# client DTLSv1.2 AES256-SHA NON-BLOCKING +-u +-v 3 -l AES256-SHA -N # server DTLSv1 AES128-SHA256 NON-BLOCKING -u +-v 2 -l AES128-SHA256 -N # client DTLSv1 AES128-SHA256 NON-BLOCKING -u +-v 2 +-l AES128-SHA256 +-N + +# server DTLSv1.2 AES128-SHA256 NON-BLOCKING +-u +-v 3 +-l AES128-SHA256 +-N + +# client DTLSv1.2 AES128-SHA256 NON-BLOCKING +-u +-v 3 -l AES128-SHA256 -N # server DTLSv1 AES256-SHA256 NON-BLOCKING -u +-v 2 -l AES256-SHA256 -N # client DTLSv1 AES256-SHA256 NON-BLOCKING -u +-v 2 +-l AES256-SHA256 +-N + +# server DTLSv1.2 AES256-SHA256 NON-BLOCKING +-u +-v 3 +-l AES256-SHA256 +-N + +# client DTLSv1.2 AES256-SHA256 NON-BLOCKING +-u +-v 3 -l AES256-SHA256 -N
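Review bot: The added `# server DTLSv1.2 RC4-SHA` / `# client DTLSv1.2 RC4-SHA` pair extends the existing DTLSv1 RC4-SHA case to a second protocol version, but the DTLS specifications (RFC 4347 and RFC 6347, section 4.1.2.2) state that RC4 must not be used with DTLS, because a stream cipher cannot be randomly accessed when records are lost or reordered. As written, the suite passes only if the library agrees to negotiate RC4 over DTLS, which bakes a forbidden combination into the regression baseline. I would drop the RC4-SHA entries from this file, or keep them only as a negative test once the harness can assert that a handshake is expected to fail.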