wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-04 13:14:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

allow dh to be used w/o certs and asn

Browse Source
This commit is contained in:
toddouska
2015-03-27 14:28:05 -07:00
parent 4b8583168b
commit 495fbe087e
14 changed files with 175 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
configure.ac
View File

@@ -871,8 +871,8 @@ fi
# ASN # ASN
# turn off asn, which means no certs, no rsa, no dh, no dsa, no ecc, # turn off asn, which means no certs, no rsa, no dsa, no ecc,
# and no big int, use this to disable all public key stuff # and no big int (unless dh is on)
AC_ARG_ENABLE([asn], AC_ARG_ENABLE([asn],
[ --enable-asn Enable ASN (default: enabled)], [ --enable-asn Enable ASN (default: enabled)],
[ ENABLED_ASN=$enableval ], [ ENABLED_ASN=$enableval ],
@@ -881,7 +881,12 @@ AC_ARG_ENABLE([asn],
if test "$ENABLED_ASN" = "no" if test "$ENABLED_ASN" = "no"
then then
AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS -DNO_BIG_INT" AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS"
if test "$ENABLED_DH" = "no"
then
# DH needs bigint
AM_CFLAGS="$AM_CFLAGS -DNO_BIG_INT"
fi
else else
# turn off ASN if leanpsk on # turn off ASN if leanpsk on
if test "$ENABLED_LEANPSK" = "yes" if test "$ENABLED_LEANPSK" = "yes"
@@ -901,11 +906,6 @@ then
AC_MSG_ERROR([please disable dsa if disabling asn.]) AC_MSG_ERROR([please disable dsa if disabling asn.])
fi fi
if test "$ENABLED_DH" = "yes" && test "$ENABLED_ASN" = "no"
then
AC_MSG_ERROR([please disable dh if disabling asn.])
fi
if test "$ENABLED_ECC" = "yes" && test "$ENABLED_ASN" = "no" if test "$ENABLED_ECC" = "yes" && test "$ENABLED_ASN" = "no"
then then
AC_MSG_ERROR([please disable ecc if disabling asn.]) AC_MSG_ERROR([please disable ecc if disabling asn.])
@@ -916,7 +916,8 @@ then
AC_MSG_ERROR([please enable psk if disabling asn.]) AC_MSG_ERROR([please enable psk if disabling asn.])
fi fi
if test "$ENABLED_ASN" = "no" # DH needs bigint
if test "$ENABLED_ASN" = "no" && test "$ENABLED_DH" = "no"
then then
ENABLED_FASTMATH=no ENABLED_FASTMATH=no
ENABLED_SLOWMATH=no ENABLED_SLOWMATH=no
@@ -1623,10 +1624,16 @@ AC_ARG_ENABLE([fastmath],
if test "x$ENABLED_FASTMATH" = "xyes" if test "x$ENABLED_FASTMATH" = "xyes"
then then
# turn off fastmth if leanpsk on or asn off # turn off fastmth if leanpsk on or asn off (w/o dh)
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_ASN" = "no" if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_ASN" = "no"
then then
ENABLED_FASTMATH=no if test "$ENABLED_DH" = "no"
then
ENABLED_FASTMATH=no
else
AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH"
ENABLED_SLOWMATH="no"
fi
else else
AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH" AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH"
ENABLED_SLOWMATH="no" ENABLED_SLOWMATH="no"

7
examples/client/client.c
View File

@@ -531,12 +531,15 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb); wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb);
if (cipherList == NULL) { if (cipherList == NULL) {
const char *defaultCipherList; const char *defaultCipherList;
#ifdef HAVE_NULL_CIPHER #if defined(HAVE_AESGCM) && !defined(NO_DH)
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#elif defined(HAVE_NULL_CIPHER)
defaultCipherList = "PSK-NULL-SHA256"; defaultCipherList = "PSK-NULL-SHA256";
#else #else
defaultCipherList = "PSK-AES128-CBC-SHA256"; defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif #endif
if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=SSL_SUCCESS) if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList)
!=SSL_SUCCESS)
err_sys("client can't set cipher list 2"); err_sys("client can't set cipher list 2");
} }
#endif #endif

2
examples/echoserver/echoserver.c
View File

@@ -237,7 +237,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
ssl = CyaSSL_new(ctx); ssl = CyaSSL_new(ctx);
if (ssl == NULL) err_sys("SSL_new failed"); if (ssl == NULL) err_sys("SSL_new failed");
CyaSSL_set_fd(ssl, clientfd); CyaSSL_set_fd(ssl, clientfd);
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM); CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
#elif !defined(NO_DH) #elif !defined(NO_DH)
SetDH(ssl); /* will repick suites with DHE, higher than PSK */ SetDH(ssl); /* will repick suites with DHE, higher than PSK */

11
examples/server/server.c
View File

@@ -168,6 +168,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int usePsk = 0; int usePsk = 0;
int useAnon = 0; int useAnon = 0;
int doDTLS = 0; int doDTLS = 0;
int needDH = 0;
int useNtruKey = 0; int useNtruKey = 0;
int nonBlocking = 0; int nonBlocking = 0;
int trackMemory = 0; int trackMemory = 0;
@@ -201,6 +202,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif #endif
(void)trackMemory; (void)trackMemory;
(void)pkCallbacks; (void)pkCallbacks;
(void)needDH;
#ifdef CYASSL_TIRTOS #ifdef CYASSL_TIRTOS
fdOpenSession(Task_self()); fdOpenSession(Task_self());
@@ -444,7 +446,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server"); SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL) { if (cipherList == NULL) {
const char *defaultCipherList; const char *defaultCipherList;
#ifdef HAVE_NULL_CIPHER #if defined(HAVE_AESGCM) && !defined(NO_DH)
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
needDH = 1;
#elif defined(HAVE_NULL_CIPHER)
defaultCipherList = "PSK-NULL-SHA256"; defaultCipherList = "PSK-NULL-SHA256";
#else #else
defaultCipherList = "PSK-AES128-CBC-SHA256"; defaultCipherList = "PSK-AES128-CBC-SHA256";
@@ -522,8 +527,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
CloseSocket(sockfd); CloseSocket(sockfd);
SSL_set_fd(ssl, clientfd); SSL_set_fd(ssl, clientfd);
if (usePsk == 0 || useAnon == 1 || cipherList != NULL) { if (usePsk == 0 || useAnon == 1 || cipherList != NULL || needDH == 1) {
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM); CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
#elif !defined(NO_DH) #elif !defined(NO_DH)
SetDH(ssl); /* repick suites with DHE, higher priority than PSK */ SetDH(ssl); /* repick suites with DHE, higher priority than PSK */

27
src/internal.c
View File

@@ -29,6 +29,7 @@
#include <wolfssl/internal.h> #include <wolfssl/internal.h>
#include <wolfssl/error-ssl.h> #include <wolfssl/error-ssl.h>
#include <wolfssl/wolfcrypt/asn.h> #include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/dh.h>
#ifdef NO_INLINE #ifdef NO_INLINE
#include <wolfssl/wolfcrypt/misc.h> #include <wolfssl/wolfcrypt/misc.h>
#else #else
@@ -426,9 +427,11 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
if (ctx->suites) if (ctx->suites)
XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES); XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES);
#ifndef NO_CERTS #ifndef NO_DH
XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
#endif
#ifndef NO_CERTS
XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY); XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY);
XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT); XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT);
XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT); XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT);
@@ -1548,15 +1551,17 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->options.quietShutdown = ctx->quietShutdown; ssl->options.quietShutdown = ctx->quietShutdown;
ssl->options.groupMessages = ctx->groupMessages; ssl->options.groupMessages = ctx->groupMessages;
#ifndef NO_DH
if (ssl->options.side == WOLFSSL_SERVER_END) {
ssl->buffers.serverDH_P = ctx->serverDH_P;
ssl->buffers.serverDH_G = ctx->serverDH_G;
}
#endif
#ifndef NO_CERTS #ifndef NO_CERTS
/* ctx still owns certificate, certChain, key, dh, and cm */ /* ctx still owns certificate, certChain, key, dh, and cm */
ssl->buffers.certificate = ctx->certificate; ssl->buffers.certificate = ctx->certificate;
ssl->buffers.certChain = ctx->certChain; ssl->buffers.certChain = ctx->certChain;
ssl->buffers.key = ctx->privateKey; ssl->buffers.key = ctx->privateKey;
if (ssl->options.side == WOLFSSL_SERVER_END) {
ssl->buffers.serverDH_P = ctx->serverDH_P;
ssl->buffers.serverDH_G = ctx->serverDH_G;
}
#endif #endif
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
@@ -1725,7 +1730,7 @@ void SSL_ResourceFree(WOLFSSL* ssl)
XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES); XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES);
XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);
#ifndef NO_CERTS #ifndef NO_DH
XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH);
XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH);
/* parameters (p,g) may be owned by ctx */ /* parameters (p,g) may be owned by ctx */
@@ -1733,7 +1738,8 @@ void SSL_ResourceFree(WOLFSSL* ssl)
XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH);
XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH);
} }
#endif
#ifndef NO_CERTS
if (ssl->buffers.weOwnCert) if (ssl->buffers.weOwnCert)
XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT); XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT);
if (ssl->buffers.weOwnCertChain) if (ssl->buffers.weOwnCertChain)
@@ -1890,7 +1896,7 @@ void FreeHandshakeResources(WOLFSSL* ssl)
ssl->eccTempKey = NULL; ssl->eccTempKey = NULL;
} }
#endif #endif
#ifndef NO_CERTS #ifndef NO_DH
XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH);
ssl->buffers.serverDH_Priv.buffer = NULL; ssl->buffers.serverDH_Priv.buffer = NULL;
XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH);
@@ -1902,7 +1908,8 @@ void FreeHandshakeResources(WOLFSSL* ssl)
XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH);
ssl->buffers.serverDH_P.buffer = NULL; ssl->buffers.serverDH_P.buffer = NULL;
} }
#endif
#ifndef NO_CERTS
if (ssl->buffers.weOwnCert) { if (ssl->buffers.weOwnCert) {
XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT); XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT);
ssl->buffers.certificate.buffer = NULL; ssl->buffers.certificate.buffer = NULL;
@@ -9896,6 +9903,8 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
byte sigAlgo = ssl->specs.sig_algo; byte sigAlgo = ssl->specs.sig_algo;
word16 verifySz = (word16) (*inOutIdx - begin); word16 verifySz = (word16) (*inOutIdx - begin);
(void)hash;
/* save message for hash verify */ /* save message for hash verify */
if (verifySz > MAX_DH_SZ) if (verifySz > MAX_DH_SZ)
ERROR_OUT(BUFFER_ERROR, done); ERROR_OUT(BUFFER_ERROR, done);

6
src/ssl.c
View File

@@ -5606,11 +5606,11 @@ static INLINE word32 HashSession(const byte* sessionID, word32 len, int* error)
byte digest[MAX_DIGEST_SIZE]; byte digest[MAX_DIGEST_SIZE];
#ifndef NO_MD5 #ifndef NO_MD5
*error = wc_Md5Hash(sessionID, len, digest); *error = wc_Md5Hash(sessionID, len, digest);
#elif !defined(NO_SHA) #elif !defined(NO_SHA)
*error = wc_ShaHash(sessionID, len, digest); *error = wc_ShaHash(sessionID, len, digest);
#elif !defined(NO_SHA256) #elif !defined(NO_SHA256)
*error = Sha256Hash(sessionID, len, digest); *error = wc_Sha256Hash(sessionID, len, digest);
#else #else
#error "We need a digest to hash the session IDs" #error "We need a digest to hash the session IDs"
#endif #endif

24
wolfcrypt/benchmark/benchmark.c
View File

@@ -93,7 +93,8 @@
#define SHOW_INTEL_CYCLES #define SHOW_INTEL_CYCLES
#endif #endif
#if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) #if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) \
|| !defined(NO_DH)
/* include test cert and key buffers for use with NO_FILESYSTEM */ /* include test cert and key buffers for use with NO_FILESYSTEM */
#if defined(WOLFSSL_MDK_ARM) #if defined(WOLFSSL_MDK_ARM)
#include "cert_data.h" /* use certs_test.c for initial data, #include "cert_data.h" /* use certs_test.c for initial data,
@@ -1218,6 +1219,8 @@ void bench_rsa(void)
void set_Bench_DH_File(char * cert) { certDHname = cert ; } void set_Bench_DH_File(char * cert) { certDHname = cert ; }
#elif defined(FREESCALE_MQX) #elif defined(FREESCALE_MQX)
static char *certDHname = "a:\\certs\\dh2048.der"; static char *certDHname = "a:\\certs\\dh2048.der";
#elif defined(NO_ASN)
/* do nothing, but don't need a file */
#else #else
static const char *certDHname = "certs/dh2048.der"; static const char *certDHname = "certs/dh2048.der";
#endif #endif
@@ -1240,6 +1243,9 @@ void bench_dh(void)
DhKey dhKey; DhKey dhKey;
int dhKeySz = 2048; /* used in printf */ int dhKeySz = 2048; /* used in printf */
(void)idx;
(void)tmp;
#ifdef USE_CERT_BUFFERS_1024 #ifdef USE_CERT_BUFFERS_1024
XMEMCPY(tmp, dh_key_der_1024, sizeof_dh_key_der_1024); XMEMCPY(tmp, dh_key_der_1024, sizeof_dh_key_der_1024);
@@ -1248,6 +1254,9 @@ void bench_dh(void)
#elif defined(USE_CERT_BUFFERS_2048) #elif defined(USE_CERT_BUFFERS_2048)
XMEMCPY(tmp, dh_key_der_2048, sizeof_dh_key_der_2048); XMEMCPY(tmp, dh_key_der_2048, sizeof_dh_key_der_2048);
bytes = sizeof_dh_key_der_2048; bytes = sizeof_dh_key_der_2048;
#elif defined(NO_ASN)
dhKeySz = 1024;
/* do nothing, but don't use default FILE */
#else #else
FILE* file = fopen(certDHname, "rb"); FILE* file = fopen(certDHname, "rb");
@@ -1261,12 +1270,16 @@ void bench_dh(void)
wc_InitDhKey(&dhKey); wc_InitDhKey(&dhKey);
#ifdef NO_ASN
bytes = wc_DhSetKey(&dhKey, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g));
#else
bytes = wc_DhKeyDecode(tmp, &idx, &dhKey, (word32)bytes); bytes = wc_DhKeyDecode(tmp, &idx, &dhKey, (word32)bytes);
#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
fclose(file);
#endif
#endif
if (bytes != 0) { if (bytes != 0) {
printf("dhekydecode failed, can't benchmark\n"); printf("dhekydecode failed, can't benchmark\n");
#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
fclose(file);
#endif
return; return;
} }
@@ -1295,9 +1308,6 @@ void bench_dh(void)
printf("DH %d key agreement %6.3f milliseconds, avg over %d" printf("DH %d key agreement %6.3f milliseconds, avg over %d"
" iterations\n", dhKeySz, milliEach, ntimes); " iterations\n", dhKeySz, milliEach, ntimes);
#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
fclose(file);
#endif
wc_FreeDhKey(&dhKey); wc_FreeDhKey(&dhKey);
} }
#endif #endif

34
wolfcrypt/src/asn.c
View File

@@ -1318,40 +1318,6 @@ int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
return 0; return 0;
} }
int wc_DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g, word32 gSz)
{
if (key == NULL || p == NULL || g == NULL || pSz == 0 || gSz == 0)
return BAD_FUNC_ARG;
/* may have leading 0 */
if (p[0] == 0) {
pSz--; p++;
}
if (g[0] == 0) {
gSz--; g++;
}
if (mp_init(&key->p) != MP_OKAY)
return MP_INIT_E;
if (mp_read_unsigned_bin(&key->p, p, pSz) != 0) {
mp_clear(&key->p);
return ASN_DH_KEY_E;
}
if (mp_init(&key->g) != MP_OKAY) {
mp_clear(&key->p);
return MP_INIT_E;
}
if (mp_read_unsigned_bin(&key->g, g, gSz) != 0) {
mp_clear(&key->g);
mp_clear(&key->p);
return ASN_DH_KEY_E;
}
return 0;
}
int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz, int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
byte* g, word32* gInOutSz) byte* g, word32* gInOutSz)

37
wolfcrypt/src/dh.c
View File

@@ -174,5 +174,42 @@ int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv,
} }
/* not in asn anymore since no actual asn types used */
int wc_DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g,
word32 gSz)
{
if (key == NULL || p == NULL || g == NULL || pSz == 0 || gSz == 0)
return BAD_FUNC_ARG;
/* may have leading 0 */
if (p[0] == 0) {
pSz--; p++;
}
if (g[0] == 0) {
gSz--; g++;
}
if (mp_init(&key->p) != MP_OKAY)
return MP_INIT_E;
if (mp_read_unsigned_bin(&key->p, p, pSz) != 0) {
mp_clear(&key->p);
return ASN_DH_KEY_E;
}
if (mp_init(&key->g) != MP_OKAY) {
mp_clear(&key->p);
return MP_INIT_E;
}
if (mp_read_unsigned_bin(&key->g, g, gSz) != 0) {
mp_clear(&key->g);
mp_clear(&key->p);
return ASN_DH_KEY_E;
}
return 0;
}
#endif /* NO_DH */ #endif /* NO_DH */

20
wolfcrypt/test/test.c
View File

@@ -95,7 +95,8 @@
#endif #endif
#if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) #if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) \
|| !defined(NO_DH)
/* include test cert and key buffers for use with NO_FILESYSTEM */ /* include test cert and key buffers for use with NO_FILESYSTEM */
#if defined(WOLFSSL_MDK_ARM) #if defined(WOLFSSL_MDK_ARM)
#include "cert_data.h" #include "cert_data.h"
@@ -4241,6 +4242,8 @@ int rsa_test(void)
#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
#ifdef FREESCALE_MQX #ifdef FREESCALE_MQX
static const char* dhKey = "a:\\certs\\dh2048.der"; static const char* dhKey = "a:\\certs\\dh2048.der";
#elif defined(NO_ASN)
/* don't use file, no DER parsing */
#else #else
static const char* dhKey = "./certs/dh2048.der"; static const char* dhKey = "./certs/dh2048.der";
#endif #endif
@@ -4262,6 +4265,9 @@ int dh_test(void)
DhKey key2; DhKey key2;
RNG rng; RNG rng;
(void)idx;
(void)tmp;
(void)bytes;
#ifdef USE_CERT_BUFFERS_1024 #ifdef USE_CERT_BUFFERS_1024
XMEMCPY(tmp, dh_key_der_1024, sizeof_dh_key_der_1024); XMEMCPY(tmp, dh_key_der_1024, sizeof_dh_key_der_1024);
@@ -4269,6 +4275,8 @@ int dh_test(void)
#elif defined(USE_CERT_BUFFERS_2048) #elif defined(USE_CERT_BUFFERS_2048)
XMEMCPY(tmp, dh_key_der_2048, sizeof_dh_key_der_2048); XMEMCPY(tmp, dh_key_der_2048, sizeof_dh_key_der_2048);
bytes = sizeof_dh_key_der_2048; bytes = sizeof_dh_key_der_2048;
#elif defined(NO_ASN)
/* don't use file, no DER parsing */
#else #else
FILE* file = fopen(dhKey, "rb"); FILE* file = fopen(dhKey, "rb");
@@ -4281,6 +4289,15 @@ int dh_test(void)
wc_InitDhKey(&key); wc_InitDhKey(&key);
wc_InitDhKey(&key2); wc_InitDhKey(&key2);
#ifdef NO_ASN
ret = wc_DhSetKey(&key, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g));
if (ret != 0)
return -51;
ret = wc_DhSetKey(&key2, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g));
if (ret != 0)
return -51;
#else
ret = wc_DhKeyDecode(tmp, &idx, &key, bytes); ret = wc_DhKeyDecode(tmp, &idx, &key, bytes);
if (ret != 0) if (ret != 0)
return -51; return -51;
@@ -4289,6 +4306,7 @@ int dh_test(void)
ret = wc_DhKeyDecode(tmp, &idx, &key2, bytes); ret = wc_DhKeyDecode(tmp, &idx, &key2, bytes);
if (ret != 0) if (ret != 0)
return -52; return -52;
#endif
ret = wc_InitRng(&rng); ret = wc_InitRng(&rng);
if (ret != 0) if (ret != 0)

23
wolfssl/certs_test.h
View File

@@ -1192,5 +1192,28 @@ const int sizeof_server_cert_der_2048 = sizeof(server_cert_der_2048);
#endif /* USE_CERT_BUFFERS_1024 */ #endif /* USE_CERT_BUFFERS_1024 */
/* dh1024 p */
static unsigned char dh_p[] =
{
0xE6, 0x96, 0x9D, 0x3D, 0x49, 0x5B, 0xE3, 0x2C, 0x7C, 0xF1, 0x80, 0xC3,
0xBD, 0xD4, 0x79, 0x8E, 0x91, 0xB7, 0x81, 0x82, 0x51, 0xBB, 0x05, 0x5E,
0x2A, 0x20, 0x64, 0x90, 0x4A, 0x79, 0xA7, 0x70, 0xFA, 0x15, 0xA2, 0x59,
0xCB, 0xD5, 0x23, 0xA6, 0xA6, 0xEF, 0x09, 0xC4, 0x30, 0x48, 0xD5, 0xA2,
0x2F, 0x97, 0x1F, 0x3C, 0x20, 0x12, 0x9B, 0x48, 0x00, 0x0E, 0x6E, 0xDD,
0x06, 0x1C, 0xBC, 0x05, 0x3E, 0x37, 0x1D, 0x79, 0x4E, 0x53, 0x27, 0xDF,
0x61, 0x1E, 0xBB, 0xBE, 0x1B, 0xAC, 0x9B, 0x5C, 0x60, 0x44, 0xCF, 0x02,
0x3D, 0x76, 0xE0, 0x5E, 0xEA, 0x9B, 0xAD, 0x99, 0x1B, 0x13, 0xA6, 0x3C,
0x97, 0x4E, 0x9E, 0xF1, 0x83, 0x9E, 0xB5, 0xDB, 0x12, 0x51, 0x36, 0xF7,
0x26, 0x2E, 0x56, 0xA8, 0x87, 0x15, 0x38, 0xDF, 0xD8, 0x23, 0xC6, 0x50,
0x50, 0x85, 0xE2, 0x1F, 0x0D, 0xD5, 0xC8, 0x6B,
};
/* dh1024 g */
static unsigned char dh_g[] =
{
0x02,
};
#endif /* CYASSL_CERTS_TEST_H */ #endif /* CYASSL_CERTS_TEST_H */

25
wolfssl/internal.h
View File

@@ -463,7 +463,8 @@ typedef byte word24[3];
#endif #endif
#if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \ #if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \
defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \
defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256)
#define BUILD_AESGCM #define BUILD_AESGCM
#endif #endif
@@ -1417,13 +1418,15 @@ struct WOLFSSL_CTX {
WOLFSSL_METHOD* method; WOLFSSL_METHOD* method;
wolfSSL_Mutex countMutex; /* reference count mutex */ wolfSSL_Mutex countMutex; /* reference count mutex */
int refCount; /* reference count */ int refCount; /* reference count */
#ifndef NO_DH
buffer serverDH_P;
buffer serverDH_G;
#endif
#ifndef NO_CERTS #ifndef NO_CERTS
buffer certificate; buffer certificate;
buffer certChain; buffer certChain;
/* chain after self, in DER, with leading size for each cert */ /* chain after self, in DER, with leading size for each cert */
buffer privateKey; buffer privateKey;
buffer serverDH_P;
buffer serverDH_G;
WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */
#endif #endif
Suites* suites; /* make dynamic, user may not need/set */ Suites* suites; /* make dynamic, user may not need/set */
@@ -1753,16 +1756,18 @@ typedef struct Buffers {
byte weOwnCertChain; /* SSL own cert chain flag */ byte weOwnCertChain; /* SSL own cert chain flag */
byte weOwnKey; /* SSL own key flag */ byte weOwnKey; /* SSL own key flag */
byte weOwnDH; /* SSL own dh (p,g) flag */ byte weOwnDH; /* SSL own dh (p,g) flag */
#ifndef NO_CERTS #ifndef NO_DH
buffer certificate; /* WOLFSSL_CTX owns, unless we own */ buffer serverDH_P; /* WOLFSSL_CTX owns, unless we own */
buffer key; /* WOLFSSL_CTX owns, unless we own */ buffer serverDH_G; /* WOLFSSL_CTX owns, unless we own */
buffer certChain; /* WOLFSSL_CTX owns, unless we own */
/* chain after self, in DER, with leading size for each cert */
buffer serverDH_P; /* WOLFSSL_CTX owns, unless we own */
buffer serverDH_G; /* WOLFSSL_CTX owns, unless we own */
buffer serverDH_Pub; buffer serverDH_Pub;
buffer serverDH_Priv; buffer serverDH_Priv;
#endif #endif
#ifndef NO_CERTS
buffer certificate; /* WOLFSSL_CTX owns, unless we own */
buffer key; /* WOLFSSL_CTX owns, unless we own */
buffer certChain; /* WOLFSSL_CTX owns, unless we own */
/* chain after self, in DER, with leading size for each cert */
#endif
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */ WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */
#endif #endif

5
wolfssl/ssl.h
View File

@@ -876,8 +876,7 @@ WOLFSSL_API WOLFSSL_X509*
/* connect enough to get peer cert */ /* connect enough to get peer cert */
WOLFSSL_API int wolfSSL_connect_cert(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_connect_cert(WOLFSSL* ssl);
/* XXX This should be #ifndef NO_DH */ #ifndef NO_DH
#ifndef NO_CERTS
/* server Diffie-Hellman parameters */ /* server Diffie-Hellman parameters */
WOLFSSL_API int wolfSSL_SetTmpDH(WOLFSSL*, const unsigned char* p, int pSz, WOLFSSL_API int wolfSSL_SetTmpDH(WOLFSSL*, const unsigned char* p, int pSz,
const unsigned char* g, int gSz); const unsigned char* g, int gSz);
@@ -899,7 +898,7 @@ WOLFSSL_API int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX*, unsigned short);
WOLFSSL_API int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX*, const char* f, WOLFSSL_API int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX*, const char* f,
int format); int format);
#endif #endif
#endif #endif /* NO_DH */
/* keyblock size in bytes or -1 */ /* keyblock size in bytes or -1 */
/* need to call wolfSSL_KeepArrays before handshake to save keys */ /* need to call wolfSSL_KeepArrays before handshake to save keys */

18
wolfssl/test.h
View File

@@ -965,15 +965,6 @@ static INLINE void CRL_CallBack(const char* url)
#endif #endif
#ifndef NO_CERTS
static INLINE void CaCb(unsigned char* der, int sz, int type)
{
(void)der;
printf("Got CA cache add callback, derSz = %d, type = %d\n", sz, type);
}
#ifndef NO_DH #ifndef NO_DH
static INLINE void SetDH(WOLFSSL* ssl) static INLINE void SetDH(WOLFSSL* ssl)
{ {
@@ -1029,6 +1020,15 @@ static INLINE void SetDHCtx(WOLFSSL_CTX* ctx)
wolfSSL_CTX_SetTmpDH(ctx, p, sizeof(p), g, sizeof(g)); wolfSSL_CTX_SetTmpDH(ctx, p, sizeof(p), g, sizeof(g));
} }
#endif /* NO_DH */ #endif /* NO_DH */
#ifndef NO_CERTS
static INLINE void CaCb(unsigned char* der, int sz, int type)
{
(void)der;
printf("Got CA cache add callback, derSz = %d, type = %d\n", sz, type);
}
#endif /* !NO_CERTS */ #endif /* !NO_CERTS */
#ifdef HAVE_CAVIUM #ifdef HAVE_CAVIUM