wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

sync w/upstream; resolve merge conflict

Browse Source
This commit is contained in:
gojimmypi
2023-12-08 09:06:10 -08:00
parent 5e5286d30d 448b83697a
commit 62c0910e15
19 changed files with 1316 additions and 615 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
IDE/ARDUINO/README.md
View File

@ -2,10 +2,11 @@
##### Reformatting wolfSSL as a compatible Arduino Library
This is a shell script that will re-organize the wolfSSL library to be
compatible with Arduino projects. The Arduino IDE requires a library's source
files to be in the library's root directory with a header file in the name of
the library. This script moves all src/ files to the `IDE/ARDUINO/wolfSSL`
directory and creates a stub header file called `wolfssl.h`.
compatible with Arduino projects that use Arduino IDE 1.5.0 or newer.
The Arduino IDE requires a library's source files to be in the library's root
directory with a header file in the name of the library. This script moves all
src/ files to the `IDE/ARDUINO/wolfSSL/src` directory and creates a stub header
file called `wolfssl.h` inside that directory.
Step 1: To configure wolfSSL with Arduino, enter the following from within the
wolfssl/IDE/ARDUINO directory:
@ -15,7 +16,7 @@ wolfssl/IDE/ARDUINO directory:
Step 2: Copy the directory wolfSSL that was just created to:
`~/Documents/Arduino/libraries/` directory so the Arduino IDE can find it.
Step 3: Edit `<arduino-libraries>/wolfSSL/user_settings.h`
Step 3: Edit `<arduino-libraries>/wolfSSL/src/user_settings.h`
If building for Intel Galileo platform add: `#define INTEL_GALILEO`.
Add any other custom settings, for a good start see the examples in wolfssl root
"/examples/configs/user_settings_*.h"

61
IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
View File

@ -19,10 +19,18 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
This was original tested with Intel Galileo acting as the Client, with a
laptop acting as a server using the server example provided in examples/server.
Legacy Ardunio v1.86 was used to compile and program the Galileo
*/
#define USE_CERT_BUFFERS_2048
#include <wolfssl.h>
#include <wolfssl/ssl.h>
#include <Ethernet.h>
#include <wolfssl/certs_test.h>
const char host[] = "192.168.1.148"; /* server to connect to */
const int port = 11111; /* port on server to connect to */
@ -38,8 +46,11 @@ WOLFSSL* ssl = NULL;
void setup() {
WOLFSSL_METHOD* method;
/* Initialize Return Code */
int rc;
Serial.begin(9600);
/* Delay need to ensure connection to server */
delay(4000);
method = wolfTLSv1_2_client_method();
if (method == NULL) {
@ -52,28 +63,41 @@ void setup() {
return;
}
/* initialize wolfSSL using callback functions */
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
rc = wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_der_2048,\
sizeof_ca_cert_der_2048,\
WOLFSSL_FILETYPE_ASN1);
Serial.print("\n\n Return code of load_verify is:");
Serial.println(rc);
Serial.println("");
rc = wolfSSL_CTX_use_certificate_buffer(ctx, client_cert_der_2048,\
sizeof_client_cert_der_2048,\
WOLFSSL_FILETYPE_ASN1);
Serial.print("\n\n Return code of use_certificate_buffer is:");
Serial.println(rc);
Serial.println("");
rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx, client_key_der_2048,\
sizeof_client_key_der_2048,\
WOLFSSL_FILETYPE_ASN1);
Serial.print("\n\n Return code of use_PrivateKey_buffer is:");
Serial.println(rc);
Serial.println("");
wolfSSL_SetIOSend(ctx, EthernetSend);
wolfSSL_SetIORecv(ctx, EthernetReceive);
return;
}
int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx) {
int sent = 0;
sent = client.write((byte*)msg, sz);
return sent;
}
int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) {
int ret = 0;
while (client.available() > 0 && ret < sz) {
reply[ret++] = client.read();
}
return ret;
}
@ -86,21 +110,16 @@ void loop() {
char errBuf[80];
char reply[80];
const char* cipherName;
if (reconnect) {
reconnect--;
if (client.connect(host, port)) {
Serial.print("Connected to ");
Serial.println(host);
ssl = wolfSSL_new(ctx);
if (ssl == NULL) {
Serial.println("Unable to allocate SSL object");
return;
}
err = wolfSSL_connect(ssl);
if (err != WOLFSSL_SUCCESS) {
err = wolfSSL_get_error(ssl, 0);
@ -108,16 +127,12 @@ void loop() {
Serial.print("TLS Connect Error: ");
Serial.println(errBuf);
}
Serial.print("SSL version is ");
Serial.println(wolfSSL_get_version(ssl));
cipherName = wolfSSL_get_cipher(ssl);
Serial.print("SSL cipher suite is ");
Serial.println(cipherName);
if ((wolfSSL_write(ssl, msg, msgSz)) == msgSz) {
Serial.print("Server response: ");
/* wait for data */
while (!client.available()) {}
@ -131,27 +146,29 @@ void loop() {
Serial.print("TLS Read Error: ");
Serial.println(errBuf);
break;
} else if (input > 0) {
}
else if (input > 0) {
reply[input] = '\0';
Serial.print(reply);
} else {
}
else {
Serial.println();
}
}
} else {
}
else {
err = wolfSSL_get_error(ssl, 0);
wolfSSL_ERR_error_string(err, errBuf);
Serial.print("TLS Write Error: ");
Serial.println(errBuf);
}
wolfSSL_shutdown(ssl);
wolfSSL_free(ssl);
client.stop();
Serial.println("Connection complete.");
reconnect = 0;
} else {
}
else {
Serial.println("Trying to reconnect...");
}
}

173
IDE/ARDUINO/wolfssl-arduino.sh
View File

@ -4,86 +4,141 @@
# an Arduino project
# run as bash ./wolfssl-arduino.sh
ROOT_DIR="/wolfSSL"
ROOT_SRC_DIR="${ROOT_DIR}/src"
WOLFSSL_SRC="${ROOT_SRC_DIR}/src"
WOLFSSL_HEADERS="${ROOT_SRC_DIR}/wolfssl"
WOLFCRYPT_ROOT="${ROOT_SRC_DIR}/wolfcrypt"
WOLFCRYPT_SRC="${WOLFCRYPT_ROOT}/src"
WOLFCRYPT_HEADERS="${WOLFSSL_HEADERS}/wolfcrypt"
OPENSSL_DIR="${WOLFSSL_HEADERS}/openssl"
WOLFSSL_VERSION="5.6.4"
# TOP indicates the file directory comes from the top level of the wolfssl repo
TOP_DIR="../.."
WOLFSSL_SRC_TOP="${TOP_DIR}/src"
WOLFSSL_HEADERS_TOP="${TOP_DIR}/wolfssl"
WOLFCRYPT_ROOT_TOP="${TOP_DIR}/wolfcrypt"
WOLFCRYPT_SRC_TOP="${WOLFCRYPT_ROOT_TOP}/src"
WOLFCRYPT_HEADERS_TOP="${WOLFSSL_HEADERS_TOP}/wolfcrypt"
OPENSSL_DIR_TOP="${WOLFSSL_HEADERS_TOP}/openssl"
# TODO: Parse version number
WOLFSSL_VERSION=$(grep -i "LIBWOLFSSL_VERSION_STRING" ${TOP_DIR}/wolfssl/version.h | cut -d '"' -f 2)
DIR=${PWD##*/}
space(){
echo "" >> "$1"
}
if [ "$DIR" = "ARDUINO" ]; then
if [ ! -d "wolfSSL" ]; then
mkdir wolfSSL
if [ ! -d ".${ROOT_DIR}" ]; then
mkdir .${ROOT_DIR}
fi
if [ ! -d ".${ROOT_SRC_DIR}" ]; then
mkdir .${ROOT_SRC_DIR}
fi
cp ../../src/*.c ./wolfSSL
cp ../../wolfcrypt/src/*.c ./wolfSSL
if [ ! -d ".${WOLFSSL_HEADERS}" ]; then
mkdir .${WOLFSSL_HEADERS}
fi
if [ ! -d "wolfSSL/wolfssl" ]; then
mkdir wolfSSL/wolfssl
cp ${WOLFSSL_HEADERS_TOP}/*.h .${WOLFSSL_HEADERS}
if [ ! -d ".${WOLFCRYPT_HEADERS}" ]; then
mkdir .${WOLFCRYPT_HEADERS}
fi
cp ../../wolfssl/*.h ./wolfSSL/wolfssl
if [ ! -d "wolfSSL/wolfssl/wolfcrypt" ]; then
mkdir wolfSSL/wolfssl/wolfcrypt
fi
cp ../../wolfssl/wolfcrypt/*.h ./wolfSSL/wolfssl/wolfcrypt
cp ${WOLFCRYPT_HEADERS_TOP}/*.h .${WOLFCRYPT_HEADERS}
# support misc.c as include in wolfcrypt/src
if [ ! -d "./wolfSSL/wolfcrypt" ]; then
mkdir ./wolfSSL/wolfcrypt
# Add in source files to wolfcrypt/src
if [ ! -d ".${WOLFCRYPT_ROOT}" ]; then
mkdir .${WOLFCRYPT_ROOT}
fi
if [ ! -d "./wolfSSL/wolfcrypt/src" ]; then
mkdir ./wolfSSL/wolfcrypt/src
if [ ! -d ".${WOLFCRYPT_SRC}" ]; then
mkdir .${WOLFCRYPT_SRC}
fi
cp ../../wolfcrypt/src/misc.c ./wolfSSL/wolfcrypt/src
cp ../../wolfcrypt/src/asm.c ./wolfSSL/wolfcrypt/src
cp ${WOLFCRYPT_SRC_TOP}/*.c .${WOLFCRYPT_SRC}
# Add in source files to top level src folders
if [ ! -d ".${WOLFSSL_SRC}" ]; then
mkdir .${WOLFSSL_SRC}
fi
cp ${WOLFSSL_SRC_TOP}/*.c .${WOLFSSL_SRC}
# put bio and evp as includes
mv ./wolfSSL/bio.c ./wolfSSL/wolfssl
mv ./wolfSSL/evp.c ./wolfSSL/wolfssl
cp .${WOLFSSL_SRC}/bio.c .${WOLFSSL_HEADERS}
cp .${WOLFCRYPT_SRC}/evp.c .${WOLFSSL_HEADERS}
# make a copy of evp.c and bio.c for ssl.c to include inline
cp ./wolfSSL/wolfssl/evp.c ./wolfSSL/wolfcrypt/src/evp.c
cp ./wolfSSL/wolfssl/bio.c ./wolfSSL/wolfcrypt/src/bio.c
cp .${WOLFSSL_HEADERS}/evp.c .${WOLFCRYPT_SRC}/evp.c
cp .${WOLFSSL_HEADERS}/bio.c .${WOLFCRYPT_SRC}/bio.c
# copy openssl compatibility headers to their appropriate location
if [ ! -d "./wolfSSL/wolfssl/openssl" ]; then
mkdir ./wolfSSL/wolfssl/openssl
if [ ! -d ".${OPENSSL_DIR}" ]; then
mkdir .${OPENSSL_DIR}
fi
cp ../../wolfssl/openssl/* ./wolfSSL/wolfssl/openssl
cp ${OPENSSL_DIR_TOP}/* .${OPENSSL_DIR}
echo "/* Generated wolfSSL header file for Arduino */" > ./wolfSSL/wolfssl.h
echo "#include <user_settings.h>" >> ./wolfSSL/wolfssl.h
echo "#include <wolfssl/wolfcrypt/settings.h>" >> ./wolfSSL/wolfssl.h
echo "#include <wolfssl/ssl.h>" >> ./wolfSSL/wolfssl.h
if [ ! -f "./wolfSSL/user_settings.h" ]; then
echo "/* Generated wolfSSL user_settings.h file for Arduino */" > ./wolfSSL/user_settings.h
echo "#ifndef ARDUINO_USER_SETTINGS_H" >> ./wolfSSL/user_settings.h
echo "#define ARDUINO_USER_SETTINGS_H" >> ./wolfSSL/user_settings.h
space ./wolfSSL/user_settings.h
echo "/* Platform */" >> ./wolfSSL/user_settings.h
echo "#define WOLFSSL_ARDUINO" >> ./wolfSSL/user_settings.h
space ./wolfSSL/user_settings.h
echo "/* Math library (remove this to use normal math)*/" >> ./wolfSSL/user_settings.h
echo "#define USE_FAST_MATH" >> ./wolfSSL/user_settings.h
echo "#define TFM_NO_ASM" >> ./wolfSSL/user_settings.h
space ./wolfSSL/user_settings.h
echo "/* RNG DEFAULT !!FOR TESTING ONLY!! */" >> ./wolfSSL/user_settings.h
echo "/* comment out the error below to get started w/ bad entropy source" >> ./wolfSSL/user_settings.h
echo " * This will need fixed before distribution but is OK to test with */" >> ./wolfSSL/user_settings.h
echo "#error \"needs solved, see: https://www.wolfssl.com/docs/porting-guide/\"" >> ./wolfSSL/user_settings.h
echo "#define WOLFSSL_GENSEED_FORTEST" >> ./wolfSSL/user_settings.h
space ./wolfSSL/user_settings.h
echo "#endif /* ARDUINO_USER_SETTINGS_H */" >> ./wolfSSL/user_settings.h
cat > .${ROOT_SRC_DIR}/wolfssl.h <<EOF
/* Generated wolfSSL header file for Arduino */
#include <user_settings.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/ssl.h>
EOF
# Creates user_settings file if one does not exist
if [ ! -f ".${ROOT_SRC_DIR}/user_settings.h" ]; then
cat > .${ROOT_SRC_DIR}/user_settings.h <<EOF
/* Generated wolfSSL user_settings.h file for Arduino */
#ifndef ARDUINO_USER_SETTINGS_H
#define ARDUINO_USER_SETTINGS_H
/* Platform */
#define WOLFSSL_ARDUINO
/* Math library (remove this to use normal math)*/
#define USE_FAST_MATH
#define TFM_NO_ASM
#define NO_ASN_TIME
/* When using Intel Galileo Uncomment the line below */
/* #define INTEL_GALILEO */
/* RNG DEFAULT !!FOR TESTING ONLY!! */
/* comment out the error below to get started w/ bad entropy source
* This will need fixed before distribution but is OK to test with */
#error "needs solved, see: https://www.wolfssl.com/docs/porting-guide/"
#define WOLFSSL_GENSEED_FORTEST
#endif /* ARDUINO_USER_SETTINGS_H */
EOF
fi
cp wolfSSL/wolfssl/wolfcrypt/settings.h wolfSSL/wolfssl/wolfcrypt/settings.h.bak
echo " /* wolfSSL Generated ARDUINO settings */" > ./wolfSSL/wolfssl/wolfcrypt/settings.h
echo "#ifndef WOLFSSL_USER_SETTINGS" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h
echo " #define WOLFSSL_USER_SETTINGS" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h
echo "#endif /* WOLFSSL_USER_SETTINGS */" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h
echo " /* wolfSSL Generated ARDUINO settings: END */" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h
cat ./wolfSSL/wolfssl/wolfcrypt/settings.h.bak >> ./wolfSSL/wolfssl/wolfcrypt/settings.h
cp .${WOLFCRYPT_HEADERS}/settings.h .${WOLFCRYPT_HEADERS}/settings.h.bak
cat > .${WOLFCRYPT_HEADERS}/settings.h <<EOF
/*wolfSSL Generated ARDUINO settings */
#ifndef WOLFSSL_USER_SETTINGS
#define WOLFSSL_USER_SETTINGS
#endif /* WOLFSSL_USER_SETTINGS */
/*wolfSSL Generated ARDUINO settings: END */
EOF
cat .${WOLFCRYPT_HEADERS}/settings.h.bak >> .${WOLFCRYPT_HEADERS}/settings.h
#Creating library.properties file based off of:
#https://arduino.github.io/arduino-cli/0.35/library-specification/#libraryproperties-file-format
cat > .${ROOT_DIR}/library.properties <<EOF
name=wolfSSL
version=${WOLFSSL_VERSION}
author=wolfSSL inc
maintainer=wolfSSL inc <support@wolfssl.com>
sentence=A lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments.
paragraph=Manual: https://www.wolfssl.com/documentation/manuals/wolfssl/index.html.
category=Communication
url=https://www.wolfssl.com/
architectures=*
EOF
else
echo "ERROR: You must be in the IDE/ARDUINO directory to run this script"

285
IDE/apple-universal/build-wolfssl-framework.sh
View File

@ -20,7 +20,6 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
set -euo pipefail
WOLFSSL_DIR=$(pwd)/../../
@ -28,12 +27,9 @@ OUTDIR=$(pwd)/artifacts
LIPODIR=${OUTDIR}/lib
SDK_OUTPUT_DIR=${OUTDIR}/xcframework
CFLAGS_COMMON=""
# Optional configure flags passed in by user through -c argument
CONF_OPTS_EXTRA=""
# Base configure flags
CONF_OPTS_COMMON="--disable-shared --enable-static"
CONF_OPTS="--disable-shared --enable-static"
helpFunction()
{
@ -47,7 +43,7 @@ helpFunction()
while getopts ":c:" opt; do
case $opt in
c)
CONF_OPTS_EXTRA="$OPTARG"
CONF_OPTS+=" $OPTARG"
;;
\?)
echo "Invalid option: -$OPTARG" >&2; helpFunction
@ -55,279 +51,60 @@ while getopts ":c:" opt; do
esac
done
# Amalgamate extra CLI options with base options
CONF_OPTS="${CONF_OPTS_COMMON} ${CONF_OPTS_EXTRA}"
rm -rf $OUTDIR
mkdir -p $LIPODIR
mkdir -p $SDK_OUTPUT_DIR
buildIOSSim()
{
build() { # <ARCH=arm64|x86_64> <TYPE=iphonesimulator|iphoneos|macosx|watchos|watchsimulator|appletvos|appletvsimulator>
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk iphonesimulator --show-sdk-path)
TYPE=$2
SDK_ROOT=$(xcrun --sdk ${TYPE} --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-ios-simulator-${ARCH} ${CONF_OPTS} --host=${HOST} \
./configure -prefix=${OUTDIR}/wolfssl-${TYPE}-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make -j src/libwolfssl.la
make install
popd
set +x
}
buildIOS()
{
set -x
pushd .
cd $WOLFSSL_DIR
XCFRAMEWORKS=
for type in iphonesimulator macosx appletvsimulator watchsimulator ; do
build arm64 ${type}
build x86_64 ${type}
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk iphoneos --show-sdk-path)
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-${type}-x86_64/lib/libwolfssl.a" \
"$OUTDIR/wolfssl-${type}-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-${type}.a
./configure -prefix=${OUTDIR}/wolfssl-ios-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
echo "Checking libraries"
xcrun -sdk ${type} lipo -info $LIPODIR/libwolfssl-${type}.a
XCFRAMEWORKS+=" -library ${LIPODIR}/libwolfssl-${type}.a -headers ${OUTDIR}/wolfssl-${type}-arm64/include"
done
popd
set +x
}
for type in iphoneos appletvos ; do
build arm64 ${type}
buildMacOS()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk macosx --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-macos-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildWatchOS()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk watchos --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-watchos-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildWatchOSSim()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk watchsimulator --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-watchos-simulator-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildTVOS()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=arm64
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk appletvos --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-tvos-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildTVOSSim()
{
set -x
pushd .
cd $WOLFSSL_DIR
ARCH=$1
HOST="${ARCH}-apple-darwin"
SDK_ROOT=$(xcrun --sdk appletvsimulator --show-sdk-path)
./configure -prefix=${OUTDIR}/wolfssl-tvos-simulator-${ARCH} ${CONF_OPTS} --host=${HOST} \
CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}"
make -j
make install
popd
set +x
}
buildCatalyst()
{
echo "TBD"
}
############################################################################################################################################
# IOS Simulator ############################################################################################################################
############################################################################################################################################
buildIOSSim arm64
buildIOSSim x86_64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-ios-simulator-x86_64/lib/libwolfssl.a" \
"$OUTDIR/wolfssl-ios-simulator-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-ios-simulator.a
echo "Checking libraries"
xcrun -sdk iphonesimulator lipo -info $LIPODIR/libwolfssl-ios-simulator.a
############################################################################################################################################
# IOS ######################################################################################################################################
############################################################################################################################################
buildIOS arm64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-ios-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-ios.a
echo "Checking libraries"
xcrun -sdk iphoneos lipo -info $LIPODIR/libwolfssl-ios.a
############################################################################################################################################
# MacOS ####################################################################################################################################
############################################################################################################################################
buildMacOS arm64
buildMacOS x86_64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-macos-x86_64/lib/libwolfssl.a" \
"$OUTDIR/wolfssl-macos-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-macos.a
echo "Checking libraries"
xcrun -sdk macosx lipo -info $LIPODIR/libwolfssl-macos.a
############################################################################################################################################
# tvOS Simulator ###########################################################################################################################
############################################################################################################################################
buildTVOSSim arm64
buildTVOSSim x86_64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-tvos-simulator-x86_64/lib/libwolfssl.a" \
"$OUTDIR/wolfssl-tvos-simulator-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-tvos-simulator.a
echo "Checking libraries"
xcrun -sdk appletvsimulator lipo -info $LIPODIR/libwolfssl-tvos-simulator.a
############################################################################################################################################
# tvOS #####################################################################################################################################
############################################################################################################################################
buildTVOS arm64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-tvos-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-tvos.a
echo "Checking libraries"
xcrun -sdk appletvos lipo -info $LIPODIR/libwolfssl-tvos.a
############################################################################################################################################
# watchOS Simulator ########################################################################################################################
############################################################################################################################################
buildWatchOSSim arm64
buildWatchOSSim x86_64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-watchos-simulator-arm64/lib/libwolfssl.a" \
"$OUTDIR/wolfssl-watchos-simulator-x86_64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-watchos-simulator.a
echo "Checking libraries"
xcrun -sdk watchsimulator lipo -info $LIPODIR/libwolfssl-watchos-simulator.a
############################################################################################################################################
# watchOS ##################################################################################################################################
############################################################################################################################################
buildWatchOS arm64
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-watchos-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-watchos.a
echo "Checking libraries"
xcrun -sdk watchos lipo -info $LIPODIR/libwolfssl-watchos.a
############################################################################################################################################
# Catalyst #################################################################################################################################
############################################################################################################################################
# Create universal binaries from architecture-specific static libraries
lipo \
"$OUTDIR/wolfssl-${type}-arm64/lib/libwolfssl.a" \
-create -output $LIPODIR/libwolfssl-${type}.a
echo "Checking libraries"
xcrun -sdk ${type} lipo -info $LIPODIR/libwolfssl-${type}.a
XCFRAMEWORKS+=" -library ${LIPODIR}/libwolfssl-${type}.a -headers ${OUTDIR}/wolfssl-${type}-arm64/include"
done
############################################################################################################################################
# ********** BUILD FRAMEWORK
############################################################################################################################################
xcodebuild -create-xcframework \
-library ${LIPODIR}/libwolfssl-ios-simulator.a \
-headers ${OUTDIR}/wolfssl-ios-simulator-arm64/include \
-library ${LIPODIR}/libwolfssl-ios.a \
-headers ${OUTDIR}/wolfssl-ios-arm64/include \
-library ${LIPODIR}/libwolfssl-macos.a \
-headers ${OUTDIR}/wolfssl-macos-arm64/include \
-library ${LIPODIR}/libwolfssl-tvos.a \
-headers ${OUTDIR}/wolfssl-tvos-arm64/include \
-library ${LIPODIR}/libwolfssl-tvos-simulator.a \
-headers ${OUTDIR}/wolfssl-tvos-simulator-arm64/include \
-library ${LIPODIR}/libwolfssl-watchos.a \
-headers ${OUTDIR}/wolfssl-watchos-arm64/include \
-library ${LIPODIR}/libwolfssl-watchos-simulator.a \
-headers ${OUTDIR}/wolfssl-watchos-simulator-arm64/include \
-output ${SDK_OUTPUT_DIR}/libwolfssl.xcframework
xcodebuild -create-xcframework ${XCFRAMEWORKS} -output ${SDK_OUTPUT_DIR}/libwolfssl.xcframework

108
doc/dox_comments/header_files/ssl.h
View File

@ -14854,3 +14854,111 @@ available size need to be provided in bufferSz.
*/
int wolfSSL_dtls_cid_get_tx(WOLFSSL* ssl, unsigned char* buffer,
unsigned int bufferSz);
/*!
\ingroup TLS
\brief This function returns the raw list of ciphersuites and signature
algorithms offered by the client. The lists are only stored and returned
inside a callback setup with wolfSSL_CTX_set_cert_cb(). This is useful to
be able to dynamically load certificates and keys based on the available
ciphersuites and signature algorithms.
\param [in] ssl The WOLFSSL object to extract the lists from.
\param [out] optional suites Raw and unfiltered list of client ciphersuites
\param [out] optional suiteSz Size of suites in bytes
\param [out] optional hashSigAlgo Raw and unfiltered list of client
signature algorithms
\param [out] optional hashSigAlgoSz Size of hashSigAlgo in bytes
\return WOLFSSL_SUCCESS when suites available
\return WOLFSSL_FAILURE when suites not available
_Example_
\code
int certCB(WOLFSSL* ssl, void* arg)
{
const byte* suites = NULL;
word16 suiteSz = 0;
const byte* hashSigAlgo = NULL;
word16 hashSigAlgoSz = 0;
wolfSSL_get_client_suites_sigalgs(ssl, &suites, &suiteSz, &hashSigAlgo,
&hashSigAlgoSz);
// Choose certificate to load based on ciphersuites and sigalgs
}
WOLFSSL* ctx;
ctx = wolfSSL_CTX_new(wolfTLSv1_3_method_ex(NULL));
wolfSSL_CTX_set_cert_cb(ctx, certCB, NULL);
\endcode
\sa wolfSSL_get_ciphersuite_info
\sa wolfSSL_get_sigalg_info
*/
int wolfSSL_get_client_suites_sigalgs(const WOLFSSL* ssl,
const byte** suites, word16* suiteSz,
const byte** hashSigAlgo, word16* hashSigAlgoSz);
/*!
\ingroup TLS
\brief This returns information about the ciphersuite directly from the
raw ciphersuite bytes.
\param [in] first First byte of the ciphersuite
\param [in] second Second byte of the ciphersuite
\return WOLFSSL_CIPHERSUITE_INFO A struct containing information about the
type of authentication used in the ciphersuite.
_Example_
\code
WOLFSSL_CIPHERSUITE_INFO info =
wolfSSL_get_ciphersuite_info(suites[0], suites[1]);
if (info.rsaAuth)
haveRSA = 1;
else if (info.eccAuth)
haveECC = 1;
\endcode
\sa wolfSSL_get_client_suites_sigalgs
\sa wolfSSL_get_sigalg_info
*/
WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first,
byte second);
/*!
\ingroup TLS
\brief This returns information about the hash and signature algorithm
directly from the raw ciphersuite bytes.
\param [in] first First byte of the hash and signature algorithm
\param [in] second Second byte of the hash and signature algorithm
\param [out] hashAlgo The enum wc_HashType of the MAC algorithm
\param [out] sigAlgo The enum Key_Sum of the authentication algorithm
\return 0 when info was correctly set
\return BAD_FUNC_ARG when either input paramters are NULL or the bytes
are not a recognized sigalg suite
_Example_
\code
enum wc_HashType hashAlgo;
enum Key_Sum sigAlgo;
wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1],
&hashAlgo, &sigAlgo);
if (sigAlgo == RSAk || sigAlgo == RSAPSSk)
haveRSA = 1;
else if (sigAlgo == ECDSAk)
haveECC = 1;
\endcode
\sa wolfSSL_get_client_suites_sigalgs
\sa wolfSSL_get_ciphersuite_info
*/
int wolfSSL_get_sigalg_info(byte first, byte second,
int* hashAlgo, int* sigAlgo);

23
src/internal.c
View File

@ -4236,7 +4236,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
* hashalgo The hash algorithm.
* hsType The signature type.
*/
static WC_INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType)
void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType)
{
*hsType = invalid_sa_algo;
switch (input[0]) {
@ -4324,7 +4324,7 @@ static WC_INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsTy
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448) || (!defined(NO_RSA) && defined(WC_RSA_PSS))
static enum wc_HashType HashAlgoToType(int hashAlgo)
enum wc_HashType HashAlgoToType(int hashAlgo)
{
switch (hashAlgo) {
#ifdef WOLFSSL_SHA512
@ -11224,23 +11224,11 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
#endif /* WOLFSSL_NO_TLS12 */
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
/* cipher requirements */
enum {
REQUIRES_RSA,
REQUIRES_DHE,
REQUIRES_ECC,
REQUIRES_ECC_STATIC,
REQUIRES_PSK,
REQUIRES_RSA_SIG,
REQUIRES_AEAD
};
/* Does this cipher suite (first, second) have the requirement
an ephemeral key exchange will still require the key for signing
the key exchange so ECDHE_RSA requires an rsa key thus rsa_kea */
static int CipherRequires(byte first, byte second, int requirement)
int CipherRequires(byte first, byte second, int requirement)
{
(void)requirement;
@ -35435,6 +35423,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
#ifdef OPENSSL_EXTRA
ssl->clSuites = clSuites;
/* Give user last chance to provide a cert for cipher selection */
if (ret == 0 && ssl->ctx->certSetupCb != NULL)
ret = CertSetupCbWrapper(ssl);
@ -35458,7 +35447,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
out:
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
ssl->clSuites = NULL;
#endif
#ifdef WOLFSSL_SMALL_STACK
if (clSuites != NULL)
XFREE(clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);

157
src/ssl.c
View File

@ -16303,6 +16303,163 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->certSetupCbArg = arg;
}
int wolfSSL_get_client_suites_sigalgs(const WOLFSSL* ssl,
const byte** suites, word16* suiteSz,
const byte** hashSigAlgo, word16* hashSigAlgoSz)
{
WOLFSSL_ENTER("wolfSSL_get_client_suites_sigalgs");
if (suites != NULL)
*suites = NULL;
if (suiteSz != NULL)
*suiteSz = 0;
if (hashSigAlgo != NULL)
*hashSigAlgo = NULL;
if (hashSigAlgoSz != NULL)
*hashSigAlgoSz = 0;
if (ssl != NULL && ssl->clSuites != NULL) {
if (suites != NULL && suiteSz != NULL) {
*suites = ssl->clSuites->suites;
*suiteSz = ssl->clSuites->suiteSz;
}
if (hashSigAlgo != NULL && hashSigAlgoSz != NULL) {
*hashSigAlgo = ssl->clSuites->hashSigAlgo;
*hashSigAlgoSz = ssl->clSuites->hashSigAlgoSz;
}
return WOLFSSL_SUCCESS;
}
return WOLFSSL_FAILURE;
}
WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first,
byte second)
{
WOLFSSL_CIPHERSUITE_INFO info;
info.rsaAuth = (byte)(CipherRequires(first, second, REQUIRES_RSA) ||
CipherRequires(first, second, REQUIRES_RSA_SIG));
info.eccAuth = (byte)(CipherRequires(first, second, REQUIRES_ECC) ||
/* Static ECC ciphers may require RSA for authentication */
(CipherRequires(first, second, REQUIRES_ECC_STATIC) &&
!CipherRequires(first, second, REQUIRES_RSA_SIG)));
info.eccStatic =
(byte)CipherRequires(first, second, REQUIRES_ECC_STATIC);
info.psk = (byte)CipherRequires(first, second, REQUIRES_PSK);
return info;
}
/**
* @param first First byte of the hash and signature algorithm
* @param second Second byte of the hash and signature algorithm
* @param hashAlgo The enum wc_HashType of the MAC algorithm
* @param sigAlgo The enum Key_Sum of the authentication algorithm
*/
int wolfSSL_get_sigalg_info(byte first, byte second,
int* hashAlgo, int* sigAlgo)
{
byte input[2];
byte hashType;
byte sigType;
if (hashAlgo == NULL || sigAlgo == NULL)
return BAD_FUNC_ARG;
input[0] = first;
input[1] = second;
DecodeSigAlg(input, &hashType, &sigType);
/* cast so that compiler reminds us of unimplemented values */
switch ((enum SignatureAlgorithm)sigType) {
case anonymous_sa_algo:
*sigAlgo = (enum Key_Sum)0;
break;
case rsa_sa_algo:
*sigAlgo = RSAk;
break;
case dsa_sa_algo:
*sigAlgo = DSAk;
break;
case ecc_dsa_sa_algo:
*sigAlgo = ECDSAk;
break;
case rsa_pss_sa_algo:
*sigAlgo = RSAPSSk;
break;
case ed25519_sa_algo:
*sigAlgo = ED25519k;
break;
case rsa_pss_pss_algo:
*sigAlgo = RSAPSSk;
break;
case ed448_sa_algo:
*sigAlgo = ED448k;
break;
case falcon_level1_sa_algo:
*sigAlgo = FALCON_LEVEL1k;
break;
case falcon_level5_sa_algo:
*sigAlgo = FALCON_LEVEL5k;
break;
case dilithium_level2_sa_algo:
*sigAlgo = DILITHIUM_LEVEL2k;
break;
case dilithium_level3_sa_algo:
*sigAlgo = DILITHIUM_LEVEL3k;
break;
case dilithium_level5_sa_algo:
*sigAlgo = DILITHIUM_LEVEL5k;
break;
case sm2_sa_algo:
*sigAlgo = SM2k;
break;
case invalid_sa_algo:
default:
*hashAlgo = WC_HASH_TYPE_NONE;
*sigAlgo = 0;
return BAD_FUNC_ARG;
}
/* cast so that compiler reminds us of unimplemented values */
switch((enum wc_MACAlgorithm)hashType) {
case no_mac:
case rmd_mac: /* Don't have a RIPEMD type in wc_HashType */
*hashAlgo = WC_HASH_TYPE_NONE;
break;
case md5_mac:
*hashAlgo = WC_HASH_TYPE_MD5;
break;
case sha_mac:
*hashAlgo = WC_HASH_TYPE_SHA;
break;
case sha224_mac:
*hashAlgo = WC_HASH_TYPE_SHA224;
break;
case sha256_mac:
*hashAlgo = WC_HASH_TYPE_SHA256;
break;
case sha384_mac:
*hashAlgo = WC_HASH_TYPE_SHA384;
break;
case sha512_mac:
*hashAlgo = WC_HASH_TYPE_SHA512;
break;
case blake2b_mac:
*hashAlgo = WC_HASH_TYPE_BLAKE2B;
break;
case sm3_mac:
#ifdef WOLFSSL_SM3
*hashAlgo = WC_HASH_TYPE_SM3;
#else
*hashAlgo = WC_HASH_TYPE_NONE;
#endif
break;
default:
*hashAlgo = WC_HASH_TYPE_NONE;
*sigAlgo = 0;
return BAD_FUNC_ARG;
}
return 0;
}
/**
* Internal wrapper for calling certSetupCb
* @param ssl The SSL/TLS Object

18
src/tls13.c
View File

@ -5617,6 +5617,11 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
#endif
#ifdef OPENSSL_EXTRA
if ((ret = CertSetupCbWrapper(ssl)) != 0)
return ret;
#endif
if (OPAQUE8_LEN > size)
return BUFFER_ERROR;
@ -6594,6 +6599,9 @@ static void FreeDch13Args(WOLFSSL* ssl, void* pArgs)
XFREE(args->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
args->clSuites = NULL;
}
#ifdef OPENSSL_EXTRA
ssl->clSuites = NULL;
#endif
}
int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
@ -6978,6 +6986,11 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
case TLS_ASYNC_DO:
{
#ifdef OPENSSL_EXTRA
ssl->clSuites = args->clSuites;
if ((ret = CertSetupCbWrapper(ssl)) != 0)
goto exit_dch;
#endif
#ifndef NO_CERTS
if (!args->usingPSK) {
if ((ret = MatchSuite(ssl, args->clSuites)) < 0) {
@ -8244,11 +8257,6 @@ static int SendTls13Certificate(WOLFSSL* ssl)
listSz = 0;
}
else {
#ifdef OPENSSL_EXTRA
if ((ret = CertSetupCbWrapper(ssl)) != 0)
return ret;
#endif
if (!ssl->buffers.certificate) {
WOLFSSL_MSG("Send Cert missing certificate buffer");
return BUFFER_ERROR;

370
tests/api.c
View File

@ -370,7 +370,7 @@
defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) || \
defined(WOLFSSL_TEST_STATIC_BUILD) || defined(WOLFSSL_DTLS) || \
defined(HAVE_ECH) || defined(HAVE_EX_DATA) || !defined(NO_SESSION_CACHE) \
|| !defined(WOLFSSL_NO_TLS12)
|| !defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13)
/* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT,
* for setting authKeyIdSrc in WOLFSSL_X509, or testing DTLS sequence
* number tracking */
@ -5824,8 +5824,12 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
#ifdef WOLFSSL_ENCRYPTED_KEYS
wolfSSL_CTX_set_default_passwd_cb(ctx->c_ctx, PasswordCallBack);
#endif
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx, caCertFile, 0),
WOLFSSL_SUCCESS);
if (ctx->c_cb.caPemFile != NULL)
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx,
ctx->c_cb.caPemFile, 0), WOLFSSL_SUCCESS);
else
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx,
caCertFile, 0), WOLFSSL_SUCCESS);
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
if (!c_sharedCtx)
#endif
@ -5889,8 +5893,12 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
wolfSSL_SetIOSend(ctx->s_ctx, test_ssl_memio_write_cb);
wolfSSL_CTX_set_verify(ctx->s_ctx, WOLFSSL_VERIFY_PEER |
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx, cliCertFile, 0),
WOLFSSL_SUCCESS);
if (ctx->s_cb.caPemFile != NULL)
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx,
ctx->s_cb.caPemFile, 0), WOLFSSL_SUCCESS);
else
ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx,
cliCertFile, 0), WOLFSSL_SUCCESS);
#ifdef WOLFSSL_ENCRYPTED_KEYS
wolfSSL_CTX_set_default_passwd_cb(ctx->s_ctx, PasswordCallBack);
#endif
@ -44748,60 +44756,40 @@ static int test_wolfSSL_BIO_reset(void)
/* test that the callback arg is correct */
static int certCbArg = 0;
static int clientCertCb(WOLFSSL* ssl, void* arg)
{
if (ssl == NULL || arg != &certCbArg)
return 0;
if (wolfSSL_use_certificate_file(ssl, cliCertFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
return 1;
}
static int clientCertSetupCb(WOLFSSL_CTX* ctx)
{
SSL_CTX_set_cert_cb(ctx, clientCertCb, &certCbArg);
return TEST_SUCCESS;
}
/**
* This is only done because test_client_nofail has no way to stop
* certificate and key loading
*/
static int clientCertClearCb(WOLFSSL* ssl)
{
/* Clear the loaded certs to force the callbacks to set them up */
SSL_certs_clear(ssl);
return TEST_SUCCESS;
}
static int serverCertCb(WOLFSSL* ssl, void* arg)
static int certCb(WOLFSSL* ssl, void* arg)
{
if (ssl == NULL || arg != &certCbArg)
return 0;
if (wolfSSL_is_server(ssl)) {
if (wolfSSL_use_certificate_file(ssl, svrCertFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
}
else {
if (wolfSSL_use_certificate_file(ssl, cliCertFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile,
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS)
return 0;
}
return 1;
}
static int serverCertSetupCb(WOLFSSL_CTX* ctx)
static int certSetupCb(WOLFSSL_CTX* ctx)
{
SSL_CTX_set_cert_cb(ctx, serverCertCb, &certCbArg);
SSL_CTX_set_cert_cb(ctx, certCb, &certCbArg);
return TEST_SUCCESS;
}
/**
* This is only done because test_server_nofail has no way to stop
* certificate and key loading
* This is only done because test_wolfSSL_client_server_nofail_memio has no way
* to stop certificate and key loading
*/
static int serverCertClearCb(WOLFSSL* ssl)
static int certClearCb(WOLFSSL* ssl)
{
/* Clear the loaded certs to force the callbacks to set them up */
SSL_certs_clear(ssl);
@ -44820,10 +44808,10 @@ static int test_wolfSSL_cert_cb(void)
XMEMSET(&func_cb_client, 0, sizeof(func_cb_client));
XMEMSET(&func_cb_server, 0, sizeof(func_cb_server));
func_cb_client.ctx_ready = clientCertSetupCb;
func_cb_client.ssl_ready = clientCertClearCb;
func_cb_server.ctx_ready = serverCertSetupCb;
func_cb_server.ssl_ready = serverCertClearCb;
func_cb_client.ctx_ready = certSetupCb;
func_cb_client.ssl_ready = certClearCb;
func_cb_server.ctx_ready = certSetupCb;
func_cb_server.ssl_ready = certClearCb;
ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
&func_cb_server, NULL), TEST_SUCCESS);
@ -44831,6 +44819,295 @@ static int test_wolfSSL_cert_cb(void)
return EXPECT_RESULT();
}
#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = NULL;
static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = NULL;
static int test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready(WOLFSSL_CTX* ctx)
{
EXPECT_DECLS;
ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx,
test_wolfSSL_cert_cb_dyn_ciphers_client_cipher), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx,
test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs), WOLFSSL_SUCCESS);
return EXPECT_RESULT();
}
static int test_wolfSSL_cert_cb_dyn_ciphers_certCB(WOLFSSL* ssl, void* arg)
{
const byte* suites = NULL;
word16 suiteSz = 0;
const byte* hashSigAlgo = NULL;
word16 hashSigAlgoSz = 0;
word16 idx = 0;
int haveRSA = 0;
int haveECC = 0;
(void)arg;
if (wolfSSL_get_client_suites_sigalgs(ssl, &suites, &suiteSz, &hashSigAlgo,
&hashSigAlgoSz) != WOLFSSL_SUCCESS)
return 0;
if (suites == NULL || suiteSz == 0 || hashSigAlgo == NULL ||
hashSigAlgoSz == 0)
return 0;
for (idx = 0; idx < suiteSz; idx += 2) {
WOLFSSL_CIPHERSUITE_INFO info =
wolfSSL_get_ciphersuite_info(suites[idx], suites[idx+1]);
if (info.rsaAuth)
haveRSA = 1;
else if (info.eccAuth)
haveECC = 1;
}
if (hashSigAlgoSz > 0) {
/* sigalgs extension takes precedence over ciphersuites */
haveRSA = 0;
haveECC = 0;
}
for (idx = 0; idx < hashSigAlgoSz; idx += 2) {
int hashAlgo;
int sigAlgo;
if (wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1],
&hashAlgo, &sigAlgo) != 0)
return 0;
if (sigAlgo == RSAk || sigAlgo == RSAPSSk)
haveRSA = 1;
else if (sigAlgo == ECDSAk)
haveECC = 1;
}
if (haveRSA) {
if (wolfSSL_use_certificate_file(ssl, svrCertFile, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
return 0;
if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
return 0;
}
else if (haveECC) {
if (wolfSSL_use_certificate_file(ssl, eccCertFile, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
return 0;
if (wolfSSL_use_PrivateKey_file(ssl, eccKeyFile, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
return 0;
}
return 1;
}
static int test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready(WOLFSSL_CTX* ctx)
{
SSL_CTX_set_cert_cb(ctx, test_wolfSSL_cert_cb_dyn_ciphers_certCB, NULL);
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL);
return TEST_SUCCESS;
}
#endif
/* Testing dynamic ciphers offered by client */
static int test_wolfSSL_cert_cb_dyn_ciphers(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
test_ssl_cbf func_cb_client;
test_ssl_cbf func_cb_server;
struct {
method_provider client_meth;
const char* client_ciphers;
const char* client_sigalgs;
const char* client_ca;
method_provider server_meth;
} test_params[] = {
#if !defined(NO_SHA256) && defined(HAVE_AESGCM)
#ifdef WOLFSSL_TLS13
#if !defined(NO_RSA) && defined(WC_RSA_PSS)
{wolfTLSv1_3_client_method,
"TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256",
"RSA-PSS+SHA256", caCertFile, wolfTLSv1_3_server_method},
#endif
#ifdef HAVE_ECC
{wolfTLSv1_3_client_method,
"TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256",
"ECDSA+SHA256", caEccCertFile, wolfTLSv1_3_server_method},
#endif
#endif
#ifndef WOLFSSL_NO_TLS12
#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_DH)
{wolfTLSv1_2_client_method,
"DHE-RSA-AES128-GCM-SHA256",
"RSA-PSS+SHA256", caCertFile, wolfTLSv1_2_server_method},
#endif
#ifdef HAVE_ECC
{wolfTLSv1_2_client_method,
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDSA+SHA256", caEccCertFile, wolfTLSv1_2_server_method},
#endif
#endif
#endif
};
size_t i;
for (i = 0; i < sizeof(test_params)/sizeof(*test_params); i++) {
printf("\tTesting %s ciphers with %s sigalgs\n",
test_params[i].client_ciphers, test_params[i].client_sigalgs);
XMEMSET(&func_cb_client, 0, sizeof(func_cb_client));
XMEMSET(&func_cb_server, 0, sizeof(func_cb_server));
test_wolfSSL_cert_cb_dyn_ciphers_client_cipher =
test_params[i].client_ciphers;
test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs =
test_params[i].client_sigalgs;
func_cb_client.method = test_params[i].client_meth;
func_cb_client.caPemFile = test_params[i].client_ca;
func_cb_client.ctx_ready =
test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready;
func_cb_server.ctx_ready =
test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready;
func_cb_server.ssl_ready = certClearCb; /* Reuse from previous test */
func_cb_server.method = test_params[i].server_meth;
ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
&func_cb_server, NULL), TEST_SUCCESS);
}
#endif
return EXPECT_RESULT();
}
static int test_wolfSSL_ciphersuite_auth(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
WOLFSSL_CIPHERSUITE_INFO info;
(void)info;
#ifndef WOLFSSL_NO_TLS12
#ifdef HAVE_CHACHA
info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
ExpectIntEQ(info.rsaAuth, 1);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 1);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE,
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 1);
#endif
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
#ifndef NO_RSA
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 1);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 1);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 1);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 1);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 1);
ExpectIntEQ(info.psk, 0);
#endif
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 1);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(ECC_BYTE,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 1);
ExpectIntEQ(info.eccStatic, 1);
ExpectIntEQ(info.psk, 0);
info = wolfSSL_get_ciphersuite_info(ECDHE_PSK_BYTE,
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 1);
#endif
#endif
#ifdef WOLFSSL_TLS13
info = wolfSSL_get_ciphersuite_info(TLS13_BYTE,
TLS_AES_128_GCM_SHA256);
ExpectIntEQ(info.rsaAuth, 0);
ExpectIntEQ(info.eccAuth, 0);
ExpectIntEQ(info.eccStatic, 0);
ExpectIntEQ(info.psk, 0);
#endif
#endif
return EXPECT_RESULT();
}
static int test_wolfSSL_sigalg_info(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
byte hashSigAlgo[WOLFSSL_MAX_SIGALGO];
word16 len = 0;
word16 idx = 0;
int allSigAlgs = SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | SIG_DILITHIUM;
InitSuitesHashSigAlgo_ex2(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len);
for (idx = 0; idx < len; idx += 2) {
int hashAlgo;
int sigAlgo;
ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0],
hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0);
ExpectIntNE(hashAlgo, 0);
ExpectIntNE(sigAlgo, 0);
}
InitSuitesHashSigAlgo_ex2(hashSigAlgo, allSigAlgs | SIG_ANON, 1,
0xFFFFFFFF, &len);
for (idx = 0; idx < len; idx += 2) {
int hashAlgo;
int sigAlgo;
ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0],
hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0);
ExpectIntNE(hashAlgo, 0);
}
#endif
return EXPECT_RESULT();
}
static int test_wolfSSL_SESSION(void)
{
EXPECT_DECLS;
@ -69051,6 +69328,9 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_check_domain),
#endif
TEST_DECL(test_wolfSSL_cert_cb),
TEST_DECL(test_wolfSSL_cert_cb_dyn_ciphers),
TEST_DECL(test_wolfSSL_ciphersuite_auth),
TEST_DECL(test_wolfSSL_sigalg_info),
/* Can't memory test as tcp_connect aborts. */
TEST_DECL(test_wolfSSL_SESSION),
TEST_DECL(test_wolfSSL_SESSION_expire_downgrade),

2
wolfcrypt/benchmark/benchmark.c
View File

@ -340,7 +340,7 @@
#elif defined(CONFIG_IDF_TARGET_ESP32H2)
#else
/* Other platform */
#endif
#include <esp_log.h>
#endif /* WOLFSSL_ESPIDF */

17
wolfcrypt/src/port/Espressif/esp32_mp.c
View File

@ -145,7 +145,9 @@ static portMUX_TYPE wc_rsa_reg_lock = portMUX_INITIALIZER_UNLOCKED;
static unsigned long esp_mp_mulmod_small_x_ct = 0;
static unsigned long esp_mp_mulmod_small_y_ct = 0;
#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
static unsigned long esp_mp_max_timeout = 0;
#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
static unsigned long esp_mp_mul_usage_ct = 0;
static unsigned long esp_mp_mul_error_ct = 0;
#endif /* !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */
@ -236,6 +238,13 @@ static int esp_mp_hw_wait_clean(void)
/* no HW timeout if we don't know the platform. assumes no HW */
#endif
#if defined(WOLFSSL_HW_METRICS)
{
esp_mp_max_timeout = (timeout > esp_mp_max_timeout) ? timeout :
esp_mp_max_timeout;
}
#endif
if (ESP_TIMEOUT(timeout)) {
ESP_LOGE(TAG, "esp_mp_hw_wait_clean waiting HW ready timed out.");
ret = WC_HW_WAIT_E; /* hardware is busy, MP_HW_BUSY; */
@ -1016,7 +1025,7 @@ int esp_mp_montgomery_init(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M,
}
if ((X == NULL) || (Y == NULL) || (M == NULL) ) {
/* if a bad operand passed, we cannot use HW */
ESP_LOGE(TAG, "ERROR: Bad montgomery operand, falling back to SW");
ESP_LOGE(TAG, "ERROR: Bad Montgomery operand, falling back to SW");
return MP_HW_FALLBACK;
}
XMEMSET(mph, 0, sizeof(struct esp_mp_helper));
@ -1298,7 +1307,7 @@ int esp_mp_mul(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* Z)
resultWords_sz = bits2words(Xs + Ys);
/* sanity check */
if((hwWords_sz << 5) > ESP_HW_MULTI_RSAMAX_BITS) {
if ( (hwWords_sz << 5) > ESP_HW_MULTI_RSAMAX_BITS) {
ESP_LOGW(TAG, "exceeds max bit length(2048) (a)");
ret = MP_HW_FALLBACK; /* Error: value is not able to be used. */
}
@ -3060,6 +3069,8 @@ int esp_hw_show_mp_metrics(void)
#endif /* EXPTMOD not disabled !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
ESP_LOGI(TAG, "Max N->used: esp_mp_max_used = %lu", esp_mp_max_used);
ESP_LOGI(TAG, "Max timeout: esp_mp_max_timeout = %lu", esp_mp_max_timeout);
#else
/* no HW math, no HW math metrics */
ret = ESP_OK;

210
wolfcrypt/src/port/Espressif/esp32_sha.c
View File

@ -50,7 +50,10 @@
#if defined(WOLFSSL_ESP32_CRYPT) && \
!defined(NO_WOLFSSL_ESP32_CRYPT_HASH)
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
#include <hal/sha_hal.h>
#include <hal/sha_ll.h>
@ -72,13 +75,16 @@
#include <wolfcrypt/src/misc.c>
#endif
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
static const char* TAG = "wolf_hw_sha";
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* keep track of the currently active SHA hash object for interleaving */
const static word32 ** _active_digest_address = 0;
#endif
static const char* TAG = "wolf_hw_sha";
#ifdef NO_SHA
#define WC_SHA_DIGEST_SIZE 20
#endif
@ -158,11 +164,16 @@ static const char* TAG = "wolf_hw_sha";
/*
** The wolfCrypt functions for LITTLE_ENDIAN_ORDER typically
** reverse the byte order. Except when the hardware doesn't expect it.
**
** Returns 0 (FALSE) or 1 (TRUE); see wolfSSL types.h
*/
int esp_sha_need_byte_reversal(WC_ESP32SHA* ctx)
{
int ret = 1; /* assume we'll need reversal, look for exceptions */
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
int ret = TRUE; /* assume we'll need reversal, look for exceptions */
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
if (ctx == NULL) {
ESP_LOGE(TAG, " ctx is null");
/* return true for bad params */
@ -175,10 +186,10 @@ int esp_sha_need_byte_reversal(WC_ESP32SHA* ctx)
#endif
if (ctx->mode == ESP32_SHA_HW) {
ESP_LOGV(TAG, " No reversal, ESP32_SHA_HW");
ret = 0;
ret = FALSE;
}
else {
ret = 1;
ret = TRUE;
ESP_LOGV(TAG, " Need byte reversal, %d", ctx->mode);
/* return true for SW; only HW C3 skips reversal at this time. */
#ifdef WOLFSSL_HW_METRICS
@ -276,7 +287,10 @@ int esp_sha_init(WC_ESP32SHA* ctx, enum wc_HashType hash_type)
ESP_LOGW(TAG, "Unexpected hash_type in esp_sha_init");
break;
}
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
switch (hash_type) { /* check each wolfSSL hash type WC_[n] */
#ifndef NO_SHA
case WC_HASH_TYPE_SHA:
@ -312,7 +326,9 @@ int esp_sha_init(WC_ESP32SHA* ctx, enum wc_HashType hash_type)
/* other chipsets will be implemented here */
ESP_LOGW(TAG, "SW Fallback; CONFIG_IDF_TARGET = %s", CONFIG_IDF_TARGET);
ctx->mode = ESP32_SHA_SW;
#endif /* CONFIG_IDF_TARGET_ESP32 || x_ESP32S2 || x_ESP32S3 */
#endif /* CONFIG_IDF_TARGET_ESP32 ||
* CONFIG_IDF_TARGET_ESP32S2 ||
* CONFIG_IDF_TARGET_ESP32S3 */
return ret;
}
@ -541,9 +557,12 @@ int esp_sha_ctx_copy(struct wc_Sha* src, struct wc_Sha* dst)
}
if (dst->ctx.mode == ESP32_SHA_SW) {
#if defined(CONFIG_IDF_TARGET_ESP32C3) || \
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* Reverse digest for C3 when HW enabled but fallback to SW. */
/* Reverse digest for C2/C3/C6 RISC-V platform
* only when HW enabled but fallback to SW. */
ByteReverseWords(dst->digest, dst->digest, WC_SHA_DIGEST_SIZE);
#ifdef WOLFSSL_HW_METRICS
esp_sha_reverse_words_ct++;
@ -613,7 +632,7 @@ int esp_sha256_ctx_copy(struct wc_Sha256* src, struct wc_Sha256* dst)
ESP_LOGI(TAG, "esp_sha256_ctx_copy esp_sha512_digest_process");
}
#endif
ret = esp_sha256_digest_process(dst, 0);
ret = esp_sha256_digest_process(dst, 0); /* TODO Use FALSE*/
if (ret == 0) {
/* provide init hint to possibly SW revert */
@ -624,7 +643,9 @@ int esp_sha256_ctx_copy(struct wc_Sha256* src, struct wc_Sha256* dst)
}
if (dst->ctx.mode == ESP32_SHA_SW) {
#if defined(CONFIG_IDF_TARGET_ESP32C3) || \
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
{
/* Reverse digest byte order for C3 fallback to SW. */
@ -665,9 +686,16 @@ int esp_sha256_ctx_copy(struct wc_Sha256* src, struct wc_Sha256* dst)
int esp_sha384_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
{
int ret = 0;
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
ESP_LOGW(TAG, "Warning: esp_sha384_ctx_copy() called for ESP32-C3!");
ESP_LOGW(TAG, "There's no SHA384 HW for the ESP32-C3");
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
{
/* We should ever be calling the HW sHA384 copy for this target. */
ESP_LOGW(TAG, "Warning: esp_sha384_ctx_copy() called for %s!",
CONFIG_IDF_TARGET);
ESP_LOGW(TAG, "There's no SHA384 HW for this CONFIG_IDF_TARGET");
}
#else
if (src->ctx.mode == ESP32_SHA_HW) {
/* Get a copy of the HW digest, but don't process it. */
@ -723,8 +751,16 @@ int esp_sha384_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
*/
int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
{
int ret = 0;
#if !defined(CONFIG_IDF_TARGET_ESP32C3) && !defined(CONFIG_IDF_TARGET_ESP32C6)
int ret = ESP_OK; /* Assume success (zero) */
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* there's no SHA512 HW on the RISC-V SoC so there's nothing to do. */
#elif defined(CONFIG_IDF_TARGET_ESP32) || \
defined(CONFIG_IDF_TARGET_ESP32S2) || \
defined(CONFIG_IDF_TARGET_ESP32S3)
if (src->ctx.mode == ESP32_SHA_HW) {
/* Get a copy of the HW digest, but don't process it. */
ESP_LOGI(TAG, "esp_sha512_ctx_copy esp_sha512_digest_process");
@ -752,7 +788,9 @@ int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
/* reminder this happened in XMEMCOPY, above: dst->ctx = src->ctx;
** No special HW init needed when not in active HW mode.
** but we need to set our initializer breadcrumb: */
#if !defined(CONFIG_IDF_TARGET_ESP32C3) && \
/* TODO: instead of what is NOT supported, gate on what IS known to be supported */
#if !defined(CONFIG_IDF_TARGET_ESP32C2) && \
!defined(CONFIG_IDF_TARGET_ESP32C3) && \
!defined(CONFIG_IDF_TARGET_ESP32C6)
dst->ctx.initializer = &dst->ctx; /*breadcrumb is this ctx address */
#endif
@ -764,6 +802,7 @@ int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst)
#endif
}
#endif
return ret;
} /* esp_sha512_ctx_copy */
#endif
@ -821,7 +860,7 @@ static word32 wc_esp_sha_digest_size(WC_ESP_SHA_TYPE type)
break;
}
#else
/* Xtnsa */
/* Xtensa */
switch (type) {
#ifndef NO_SHA
case SHA1: /* typically 20 bytes */
@ -871,7 +910,10 @@ static int wc_esp_wait_until_idle(void)
int ret = 0; /* assume success */
int loop_ct = 10000;
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* ESP32-C3 and ESP32-C6 RISC-V */
while ((sha_ll_busy() == true) && (loop_ct > 0)) {
loop_ct--;
@ -925,16 +967,20 @@ int esp_unroll_sha_module_enable(WC_ESP32SHA* ctx)
return BAD_FUNC_ARG;
}
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
/* RISC-V Architecture */
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/************* RISC-V Architecture *************/
(void)max_unroll_count;
(void)_active_digest_address;
ets_sha_disable();
/* We don't check for unroll as done below, for Xtensa*/
#else
/* Xtensa Architecture */
/************* Xtensa Architecture *************/
/* unwind prior calls to THIS ctx. decrement ref_counts[periph] */
/* only when ref_counts[periph] == 0 does something actually happen */
/* unwind prior calls to THIS ctx. decrement ref_counts[periph]
** only when ref_counts[periph] == 0 does something actually happen. */
/* once the value we read is a 0 in the DPORT_PERI_CLK_EN_REG bit
* then we have fully unrolled the enables via ref_counts[periph]==0 */
@ -1243,8 +1289,8 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx)
#ifdef WOLFSSL_DEBUG_MUTEX
if (esp_sha_call_count() == 8 && WOLFSSL_TEST_STRAY) {
/* once we've locked 10 times here,
* we'll force a fallback to SW until other thread unlocks */
/* Once we've locked 10 times here,
* we'll force a fallback to SW until other thread unlocks. */
taskENTER_CRITICAL(&sha_crit_sect);
{
(void)stray_ctx;
@ -1329,10 +1375,15 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx)
}
#endif /* not defined(SINGLE_THREADED) */
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
{
ESP_LOGV(TAG, "ets_sha_enable for RISC-V");
ets_sha_enable();
ctx->mode = ESP32_SHA_HW;
}
#else
if (ret == 0) {
ctx->lockDepth++; /* depth for THIS ctx (there could be others!) */
@ -1361,14 +1412,15 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx)
*/
int esp_sha_hw_unlock(WC_ESP32SHA* ctx)
{
int ret;
int ret = ESP_OK; /* assume success (zero) */
#ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
ESP_LOGV(TAG, "enter esp_sha_hw_unlock");
#endif
ret = 0;
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
/* ESP32-C3 and ESP32-C6 RISC-V */
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
ets_sha_disable(); /* disable also resets active, ongoing hash */
ESP_LOGV(TAG, "ets_sha_disable in esp_sha_hw_unlock()");
#else
@ -1431,9 +1483,10 @@ int esp_sha_hw_unlock(WC_ESP32SHA* ctx)
ESP_LOGE(TAG, "ERROR unlock lockDepth not zero");
ret = ESP_FAIL;
}
#ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
#ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
ESP_LOGI(TAG, "leave esp_sha_hw_unlock, %x", (int)ctx->initializer);
#endif
#endif
return ret;
} /* esp_sha_hw_unlock */
@ -1442,8 +1495,13 @@ int esp_sha_hw_unlock(WC_ESP32SHA* ctx)
* Assumes register already loaded.
* Returns a negative value error code upon failure.
*/
#if !defined(CONFIG_IDF_TARGET_ESP32C3) && !defined(CONFIG_IDF_TARGET_ESP32C6)
/* the ESP32-C3 HAL has built-in process start, everything else uses: */
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* ESP32-C3 HAL has built-in process start, nothing to declare here. */
#else
/* Everything else uses esp_sha_start_process() */
static int esp_sha_start_process(WC_ESP32SHA* sha)
{
int ret = 0;
@ -1457,7 +1515,10 @@ static int esp_sha_start_process(WC_ESP32SHA* sha)
ESP_LOGV(TAG, " enter esp_sha_start_process");
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
ESP_LOGV(TAG, "SHA1 SHA_START_REG");
if (sha->isfirstblock) {
sha_ll_start_block(SHA2_256);
@ -1477,7 +1538,9 @@ static int esp_sha_start_process(WC_ESP32SHA* sha)
ESP_LOGV(TAG, " continue block #%d", this_block_num);
#endif
} /* not first block */
/***** END CONFIG_IDF_TARGET_ESP32C3 or CONFIG_IDF_TARGET_ESP32C6 *****/
/***** END CONFIG_IDF_TARGET_ESP32C2 aka ESP8684 or
* CONFIG_IDF_TARGET_ESP32C3 or
* CONFIG_IDF_TARGET_ESP32C6 *****/
#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
/* Translate from Wolf SHA type to hardware algorithm. */
@ -1667,8 +1730,13 @@ static int wc_esp_process_block(WC_ESP32SHA* ctx, /* see ctx->sha_type */
ret = esp_sha_start_process(ctx);
/***** END CONFIG_IDF_TARGET_ESP32 */
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
/* SHA_M_1_REG is not a macro:
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/************* RISC-V Architecture *************
*
* SHA_M_1_REG is not a macro:
* DPORT_REG_WRITE(SHA_M_1_REG + (i*sizeof(word32)), *(data + i));
*
* but we have this HAL: sha_ll_fill_text_block
@ -1710,7 +1778,10 @@ static int wc_esp_process_block(WC_ESP32SHA* ctx, /* see ctx->sha_type */
ctx->isfirstblock);
ctx->isfirstblock = 0; /* once we hash a block,
* we're no longer at the first */
/***** END CONFIG_IDF_TARGET_ESP32C3 or CONFIG_IDF_TARGET_ESP32C6 */
/***** END CONFIG_IDF_TARGET_ESP32C2 or
* CONFIG_IDF_TARGET_ESP8684 or
* CONFIG_IDF_TARGET_ESP32C3 or
* CONFIG_IDF_TARGET_ESP32C6 */
#elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
MessageSource = (word32*)data;
@ -1785,7 +1856,9 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash)
/* sanity check */
#if defined(CONFIG_IDF_TARGET_ESP32)
if (ctx->sha_type == SHA_INVALID) {
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || \
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32S2) || \
defined(CONFIG_IDF_TARGET_ESP32S3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
@ -1805,6 +1878,7 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash)
ESP_LOGE(TAG, "unexpected error. sha_type is invalid.");
return ESP_FAIL;
}
#if defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3)
if (ctx->isfirstblock == true) {
/* no hardware use yet. Nothing to do yet */
@ -1837,20 +1911,34 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash)
} /* not (ctx->sha_type == SHA2_512) */
/* end if CONFIG_IDF_TARGET_ESP32S3 */
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
sha_ll_read_digest(ctx->sha_type,
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684)
wc_esp_wait_until_idle();
sha_ll_read_digest(
ctx->sha_type,
(void *)hash,
wc_esp_sha_digest_size(ctx->sha_type) / sizeof(word32));
wc_esp_sha_digest_size(ctx->sha_type) / sizeof(word32)
);
#elif defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
wc_esp_wait_until_idle();
sha_ll_read_digest(
ctx->sha_type,
(void *)hash,
wc_esp_sha_digest_size(ctx->sha_type) / sizeof(word32)
);
#else
/* not CONFIG_IDF_TARGET_ESP32S3 */
/* wait until idle */
wc_esp_wait_until_idle();
/* each sha_type register is at a different location */
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
#elif defined(CONFIG_IDF_TARGET_ESP32S2)
/* nothing here for S2 */
#else
switch (ctx->sha_type) {
case SHA1:
@ -2051,7 +2139,13 @@ int esp_sha512_block(struct wc_Sha512* sha, const word32* data, byte isfinal)
int ret = 0; /* assume success */
ESP_LOGV(TAG, "enter esp_sha512_block");
/* start register offset */
#if !defined(CONFIG_IDF_TARGET_ESP32C3) && !defined(CONFIG_IDF_TARGET_ESP32C6)
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* No SHA-512 HW on RISC-V SoC, so nothing to do. */
#else
/* note that in SW mode, wolfSSL uses 64 bit words */
if (sha->ctx.mode == ESP32_SHA_SW) {
ByteReverseWords64(sha->buffer,
@ -2107,8 +2201,14 @@ int esp_sha512_digest_process(struct wc_Sha512* sha, byte blockproc)
{
int ret = 0;
ESP_LOGV(TAG, "enter esp_sha512_digest_process");
#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6)
ESP_LOGW(TAG, "Warning: no SHA512 HW to digest on ESP32-C3");
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
{
ESP_LOGW(TAG, "Warning: no SHA512 HW to digest on %s",
CONFIG_IDF_TARGET);
}
#else
if (blockproc) {
word32* data = (word32*)sha->buffer;
@ -2171,6 +2271,6 @@ int esp_hw_show_sha_metrics(void)
return ret;
}
#endif /* WOLFSSL_HW_METRICS */
#endif /* WOLFSSL_ESP32_CRYPT and WOLFSSL_HW_METRICS */
#endif /* WOLFSSL_ESPIDF */
#endif /* WOLFSSL_ESPIDF (exclude entire contents for non-Espressif projects */

119
wolfcrypt/src/port/Espressif/esp32_util.c
View File

@ -201,7 +201,11 @@ static int ShowExtendedSystemInfo_platform_espressif(void)
WOLFSSL_VERSION_PRINTF("Xthal_have_ccount = %u",
Xthal_have_ccount);
#elif CONFIG_IDF_TARGET_ESP32C6
/* not supported at this time */
/* TODO find Xthal for C6 */
#elif CONFIG_IDF_TARGET_ESP32C2
/* TODO find Xthal for C6 */
#elif defined(CONFIG_IDF_TARGET_ESP8684)
/* TODO find Xthal for C6 */
#elif CONFIG_IDF_TARGET_ESP32C3
/* not supported at this time */
#elif CONFIG_IDF_TARGET_ESP32S3
@ -228,6 +232,9 @@ static int ShowExtendedSystemInfo_platform_espressif(void)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-S2.");
#elif defined(CONFIG_IDF_TARGET_ESP32S3)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-S3.");
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-C2.");
#elif defined(CONFIG_IDF_TARGET_ESP32C3)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-C3.");
#elif defined(CONFIG_IDF_TARGET_ESP32C6)
@ -235,7 +242,7 @@ static int ShowExtendedSystemInfo_platform_espressif(void)
#elif defined(CONFIG_IDF_TARGET_ESP32H2)
WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-H2.");
#else
/* this should have been detected & disabled in user_settins.h */
/* This should have been detected & disabled in user_settins.h */
#error "ESP32_CRYPT not yet supported on this IDF TARGET"
#endif
@ -246,12 +253,12 @@ static int ShowExtendedSystemInfo_platform_espressif(void)
#endif
#if defined(NO_WOLFSSL_ESP32_CRYPT_AES)
WOLFSSL_VERSION_PRINTF("NO_WOLFSSL_ESP32_CRYPT_AES is defined!"
WOLFSSL_VERSION_PRINTF("NO_WOLFSSL_ESP32_CRYPT_AES is defined! "
"(disabled HW AES).");
#endif
#if defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI)
WOLFSSL_VERSION_PRINTF("NO_WOLFSSL_ESP32_CRYPT_RSA_PRI defined!"
WOLFSSL_VERSION_PRINTF("NO_WOLFSSL_ESP32_CRYPT_RSA_PRI defined! "
"(disabled HW RSA)");
#endif
#endif
@ -376,7 +383,7 @@ int esp_current_boot_count(void)
}
/* See macro helpers above; not_defined is macro name when *not* defined */
static int esp_ShowMacroStatus(char* s, char* not_defined)
static int show_macro(char* s, char* not_defined)
{
char hd1[] = "Macro Name Defined Not Defined";
char hd2[] = "------------------------- --------- -------------";
@ -397,9 +404,11 @@ static int esp_ShowMacroStatus(char* s, char* not_defined)
/* Depending on if defined, put an "x" in the appropriate column */
if (not_defined == NULL || not_defined[0] == '\0') {
msg[ESP_SMS_ENA_POS] = 'X';
msg[ESP_SMS_ENA_POS+1] = 0; /* end of line to eliminate space pad */
}
else {
msg[ESP_SMS_DIS_POS] = 'X';
msg[ESP_SMS_DIS_POS+1] = 0; /* end of line to eliminate space pad */
}
/* do we need a header? */
@ -415,35 +424,78 @@ static int esp_ShowMacroStatus(char* s, char* not_defined)
}
/* Show some interesting settings */
int esp_ShowHardwareAcclerationSettings(void)
int ShowExtendedSystemInfo_config(void)
{
esp_ShowMacroStatus_need_header = 1;
esp_ShowMacroStatus("HW_MATH_ENABLED", STR_IFNDEF(HW_MATH_ENABLED));
esp_ShowMacroStatus("RSA_LOW_MEM", STR_IFNDEF(RSA_LOW_MEM));
esp_ShowMacroStatus("WOLFSSL_SHA224", STR_IFNDEF(WOLFSSL_SHA224));
esp_ShowMacroStatus("WOLFSSL_SHA384", STR_IFNDEF(WOLFSSL_SHA384));
esp_ShowMacroStatus("WOLFSSL_SHA512", STR_IFNDEF(WOLFSSL_SHA512));
esp_ShowMacroStatus("WOLFSSL_SHA3", STR_IFNDEF(WOLFSSL_SHA3));
esp_ShowMacroStatus("HAVE_ED25519", STR_IFNDEF(HAVE_ED25519));
esp_ShowMacroStatus("USE_FAST_MATH", STR_IFNDEF(USE_FAST_MATH));
esp_ShowMacroStatus("WOLFSSL_SP_MATH_ALL", STR_IFNDEF(WOLFSSL_SP_MATH_ALL));
esp_ShowMacroStatus("WOLFSSL_SP_RISCV32", STR_IFNDEF(WOLFSSL_SP_RISCV32));
esp_ShowMacroStatus("SP_MATH", STR_IFNDEF(SP_MATH));
esp_ShowMacroStatus("WOLFSSL_HW_METRICS", STR_IFNDEF(WOLFSSL_HW_METRICS));
#ifdef USE_FAST_MATH
ESP_LOGI(TAG, "USE_FAST_MATH");
#endif /* USE_FAST_MATH */
show_macro("NO_ESPIDF_DEFAULT", STR_IFNDEF(NO_ESPIDF_DEFAULT));
#ifdef WOLFSSL_SP_MATH_ALL
#ifdef WOLFSSL_SP_RISCV32
ESP_LOGI(TAG, "WOLFSSL_SP_MATH_ALL + WOLFSSL_SP_RISCV32");
#else
ESP_LOGI(TAG, "WOLFSSL_SP_MATH_ALL");
#endif
#endif /* WOLFSSL_SP_MATH_ALL */
show_macro("HW_MATH_ENABLED", STR_IFNDEF(HW_MATH_ENABLED));
/* Features */
show_macro("WOLFSSL_SHA224", STR_IFNDEF(WOLFSSL_SHA224));
show_macro("WOLFSSL_SHA384", STR_IFNDEF(WOLFSSL_SHA384));
show_macro("WOLFSSL_SHA512", STR_IFNDEF(WOLFSSL_SHA512));
show_macro("WOLFSSL_SHA3", STR_IFNDEF(WOLFSSL_SHA3));
show_macro("HAVE_ED25519", STR_IFNDEF(HAVE_ED25519));
show_macro("HAVE_AES_ECB", STR_IFNDEF(HAVE_AES_ECB));
show_macro("HAVE_AES_DIRECT", STR_IFNDEF(HAVE_AES_DIRECT));
/* Math Library Selection */
show_macro("USE_FAST_MATH", STR_IFNDEF(USE_FAST_MATH));
show_macro("WOLFSSL_SP_MATH_ALL", STR_IFNDEF(WOLFSSL_SP_MATH_ALL));
#ifdef WOLFSSL_SP_RISCV32
show_macro("WOLFSSL_SP_RISCV32", STR_IFNDEF(WOLFSSL_SP_RISCV32));
#endif
show_macro("SP_MATH", STR_IFNDEF(SP_MATH));
/* Diagnostics */
show_macro("WOLFSSL_HW_METRICS", STR_IFNDEF(WOLFSSL_HW_METRICS));
/* Optimizations */
show_macro("RSA_LOW_MEM", STR_IFNDEF(RSA_LOW_MEM));
/* Security Hardening */
show_macro("WC_NO_HARDEN", STR_IFNDEF(WC_NO_HARDEN));
show_macro("TFM_TIMING_RESISTANT", STR_IFNDEF(TFM_TIMING_RESISTANT));
show_macro("ECC_TIMING_RESISTANT", STR_IFNDEF(ECC_TIMING_RESISTANT));
/* WC_NO_CACHE_RESISTANT is only important if another process can be
* run on the device. With embedded it is less likely to be exploitable.
* Timing attacks are usually by probe. So typically turn this on: */
show_macro("WC_NO_CACHE_RESISTANT", STR_IFNDEF(WC_NO_CACHE_RESISTANT));
/* Side channel bit slicing */
show_macro("WC_AES_BITSLICED", STR_IFNDEF(WC_AES_BITSLICED));
/* Unrolling will normally improve performance,
* so make sure WOLFSSL_AES_NO_UNROLL isn't defined unless you want it. */
show_macro("WOLFSSL_AES_NO_UNROLL", STR_IFNDEF(WOLFSSL_AES_NO_UNROLL));
show_macro("TFM_TIMING_RESISTANT", STR_IFNDEF(TFM_TIMING_RESISTANT));
show_macro("ECC_TIMING_RESISTANT", STR_IFNDEF(ECC_TIMING_RESISTANT));
show_macro("WC_RSA_BLINDING", STR_IFNDEF(WC_RSA_BLINDING));
show_macro("NO_WRITEV", STR_IFNDEF(NO_WRITEV));
/* Environment */
show_macro("FREERTOS", STR_IFNDEF(FREERTOS));
show_macro("NO_WOLFSSL_DIR", STR_IFNDEF(NO_WOLFSSL_DIR));
show_macro("WOLFSSL_NO_CURRDIR", STR_IFNDEF(WOLFSSL_NO_CURRDIR));
show_macro("WOLFSSL_LWIP", STR_IFNDEF(WOLFSSL_LWIP));
ESP_LOGI(TAG, "");
#if defined(CONFIG_COMPILER_OPTIMIZATION_DEFAULT)
ESP_LOGI(TAG, "Compiler Optimization: Default");
#elif defined(CONFIG_COMPILER_OPTIMIZATION_SIZE)
ESP_LOGI(TAG, "Compiler Optimization: Size");
#elif defined(CONFIG_COMPILER_OPTIMIZATION_PERF)
ESP_LOGI(TAG, "Compiler Optimization: Performance");
#elif defined(CONFIG_COMPILER_OPTIMIZATION_NONE)
ESP_LOGI(TAG, "Compiler Optimization: None");
#else
ESP_LOGI(TAG, "Compiler Optimization: Unknown");
#endif
ESP_LOGI(TAG, "");
return ESP_OK;
}
/*
@ -536,7 +588,7 @@ int ShowExtendedSystemInfo(void)
ESP_LOGW(TAG, "Warning: ESP_RSA_MULM_BITS not defined for ESP32");
#endif
#elif defined(CONFIG_IDF_TARGET_ESP32C2)
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || defined(CONFIG_IDF_TARGET_ESP8684)
ESP_LOGI(TAG, "CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ = %u MHz",
CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ
);
@ -578,7 +630,7 @@ int ShowExtendedSystemInfo(void)
#endif
ESP_LOGI(TAG, "");
esp_ShowHardwareAcclerationSettings();
ShowExtendedSystemInfo_config();
ShowExtendedSystemInfo_git();
ShowExtendedSystemInfo_platform();
ShowExtendedSystemInfo_thread();
@ -732,18 +784,19 @@ int esp_hw_show_metrics(void)
#if defined(WOLFSSL_ESP32_CRYPT)
esp_hw_show_sha_metrics();
#else
ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT");
ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT not defined, "
"HW SHA hash not enabled");
#endif
#if defined(WOLFSSL_ESP32_CRYPT_RSA_PRI)
esp_hw_show_mp_metrics();
#else
ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT_RSA_PRI not defined,"
ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT_RSA_PRI not defined, "
"HW math not enabled");
#endif
#if defined(NO_WOLFSSL_ESP32_CRYPT_AES)
ESP_LOGI(TAG, "NO_WOLFSSL_ESP32_CRYPT_AES is defined,"
ESP_LOGI(TAG, "NO_WOLFSSL_ESP32_CRYPT_AES is defined, "
"HW AES not enabled");
#else
esp_hw_show_aes_metrics();

6
wolfcrypt/src/tfm.c
View File

@ -4051,12 +4051,16 @@ int fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c)
/* zero the int */
fp_zero (a);
if (c < 0) {
return FP_VAL;
}
if (c == 0) {
return FP_OKAY;
}
/* if input b excess max, then truncate */
if (c > 0 && (word32)c > maxC) {
if ((word32)c > maxC) {
int excess = (c - maxC);
c -= excess;
b += excess;

9
wolfcrypt/test/test.c
View File

@ -16930,7 +16930,7 @@ static wc_test_ret_t rsa_decode_test(RsaKey* keyPub)
goto done;
}
ret = wc_RsaPublicKeyDecodeRaw(n, (word32)-1, e, sizeof(e), keyPub);
#if !defined(WOLFSSL_SP_MATH) & !defined(WOLFSSL_SP_MATH_ALL)
#if defined(USE_INTEGER_HEAP_MATH)
if (ret != 0)
#else
if (ret != ASN_GETINT_E)
@ -16944,11 +16944,12 @@ static wc_test_ret_t rsa_decode_test(RsaKey* keyPub)
if (ret != 0)
return WC_TEST_RET_ENC_EC(ret);
ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, (word32)-1, keyPub);
#if !defined(WOLFSSL_SP_MATH) & !defined(WOLFSSL_SP_MATH_ALL)
if (ret != 0) {
#if defined(USE_INTEGER_HEAP_MATH)
if (ret != 0)
#else
if (ret != ASN_GETINT_E) {
if (ret != ASN_GETINT_E)
#endif
{
ret = WC_TEST_RET_ENC_EC(ret);
goto done;
}

21
wolfssl/internal.h
View File

@ -2352,7 +2352,8 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex(byte* hashSigAlgo, int haveECDSAsig,
int haveRSAsig, int haveFalconSig,
int haveDilithiumSig, int haveAnon,
int tls1_2, int keySz, word16* len);
WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have,
/* use wolfSSL_API visibility to be able to test in tests/api.c */
WOLFSSL_API void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have,
int tls1_2, int keySz,
word16* len);
WOLFSSL_LOCAL int AllocateCtxSuites(WOLFSSL_CTX* ctx);
@ -5389,6 +5390,9 @@ struct WOLFSSL {
* re-using the context's object. When WOLFSSL
* object needs separate instance of suites use
* AllocateSuites(). */
#ifdef OPENSSL_EXTRA
const Suites* clSuites;
#endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
WOLF_STACK_OF(WOLFSSL_CIPHER)* suitesStack; /* stack of available cipher
* suites */
@ -6011,6 +6015,16 @@ enum ProvisionSide {
PROVISION_CLIENT_SERVER = 3
};
/* cipher requirements */
enum {
REQUIRES_RSA,
REQUIRES_DHE,
REQUIRES_ECC,
REQUIRES_ECC_STATIC,
REQUIRES_PSK,
REQUIRES_RSA_SIG,
REQUIRES_AEAD
};
static const byte kTlsClientStr[SIZEOF_SENDER+1] = { 0x43, 0x4C, 0x4E, 0x54, 0x00 }; /* CLNT */
static const byte kTlsServerStr[SIZEOF_SENDER+1] = { 0x53, 0x52, 0x56, 0x52, 0x00 }; /* SRVR */
@ -6102,6 +6116,7 @@ WOLFSSL_LOCAL void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree);
WOLFSSL_LOCAL void ShrinkOutputBuffer(WOLFSSL* ssl);
WOLFSSL_LOCAL byte* GetOutputBuffer(WOLFSSL* ssl);
WOLFSSL_LOCAL int CipherRequires(byte first, byte second, int requirement);
WOLFSSL_LOCAL int VerifyClientSuite(word16 havePSK, byte cipherSuite0,
byte cipherSuite);
@ -6311,6 +6326,10 @@ WOLFSSL_LOCAL word32 LowResTimer(void);
WOLFSSL_LOCAL int FindSuiteSSL(const WOLFSSL* ssl, byte* suite);
WOLFSSL_LOCAL void DecodeSigAlg(const byte* input, byte* hashAlgo,
byte* hsType);
WOLFSSL_LOCAL enum wc_HashType HashAlgoToType(int hashAlgo);
#ifndef NO_CERTS
WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag,
void* heap);

13
wolfssl/ssl.h
View File

@ -2121,6 +2121,19 @@ WOLFSSL_API void wolfSSL_CTX_set_client_cert_cb(WOLFSSL_CTX *ctx, client_cert_cb
typedef int (*CertSetupCallback)(WOLFSSL* ssl, void*);
WOLFSSL_API void wolfSSL_CTX_set_cert_cb(WOLFSSL_CTX* ctx,
CertSetupCallback cb, void *arg);
WOLFSSL_API int wolfSSL_get_client_suites_sigalgs(const WOLFSSL* ssl,
const byte** suites, word16* suiteSz,
const byte** hashSigAlgo, word16* hashSigAlgoSz);
typedef struct WOLFSSL_CIPHERSUITE_INFO {
byte rsaAuth:1;
byte eccAuth:1;
byte eccStatic:1;
byte psk:1;
} WOLFSSL_CIPHERSUITE_INFO;
WOLFSSL_API WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first,
byte second);
WOLFSSL_API int wolfSSL_get_sigalg_info(byte first,
byte second, int* hashAlgo, int* sigAlgo);
WOLFSSL_LOCAL int CertSetupCbWrapper(WOLFSSL* ssl);
WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data(

87
wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h
View File

@ -22,9 +22,17 @@
#define __ESP32_CRYPT_H__
/* WOLFSSL_USER_SETTINGS must be defined, typically in the CMakeLists.txt:
*
* set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") */
#include <wolfssl/wolfcrypt/settings.h> /* references user_settings.h */
#if defined(WOLFSSL_ESPIDF) /* Entire file is only for Espressif EDP-IDF */
#ifndef WOLFSSL_USER_SETTINGS
#error "WOLFSSL_USER_SETTINGS must be defined for Espressif targts"
#endif
#include "sdkconfig.h" /* ensure ESP-IDF settings are available everywhere */
/* wolfSSL */
@ -72,6 +80,12 @@ enum {
**
** Primary Settings:
**
** WC_NO_HARDEN
** Disables some timing resistance / side-channel attack prevention.
**
** NO_ESPIDF_DEFAULT
** When defined, disables some default definitions. See wolfcrypt/settings.h
**
** NO_ESP32_CRYPT
** When defined, disables all hardware acceleration on the ESP32
**
@ -143,11 +157,15 @@ enum {
** WOLFSSL_HW_METRICS
** Enables metric counters for calls to HW, success, fall back, oddities.
**
** WOLFSSL_HAS_METRICS
** Indicates that we actually have metrics to show. Useful for old wolfSSL
** libraries tested with newer examples, or when all HW turned off.
**
** DEBUG_WOLFSSL
** Turns on development testing. Validates HW accelerated results to software
** - Automatically turns on WOLFSSL_HW_METRICS
**
** WOLFSSL_DEBUG_MUTEX
** DEBUG_WOLFSSL_SHA_MUTEX
** Turns on diagnostic messages for SHA mutex. Note that given verbosity,
** there may be TLS timing issues encountered. Use with caution.
**
@ -203,10 +221,12 @@ enum {
**
** CONFIG_IDF_TARGET_[SoC]
** CONFIG_IDF_TARGET_ESP32
** CONFIG_IDF_TARGET_ESP32S2
** CONFIG_IDF_TARGET_ESP32S3
** CONFIG_IDF_TARGET_ESP32C2
** CONFIG_IDF_TARGET_ESP32C3
** CONFIG_IDF_TARGET_ESP32C6
** CONFIG_IDF_TARGET_ESP32S2
** CONFIG_IDF_TARGET_ESP32S3
** CONFIG_IDF_TARGET_ESP32H2
**
]*******************************************************************************
** Informative settings. Not meant to be edited:
@ -254,6 +274,60 @@ enum {
#define ESP_PROHIBIT_SMALL_X FALSE
/***** END CONFIG_IDF_TARGET_ESP32 *****/
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684)
/* ESP8684 is essentially ESP32-C2 chip + flash embedded together in a
* single QFN 4x4 mm package. Out of released documentation, Technical
* Reference Manual as well as ESP-IDF Programming Guide is applicable
* to both ESP32-C2 and ESP8684.
*
* Note there is not currently an expected CONFIG_IDF_TARGET_ESP8684.
* The ESP8684 is detected with CONFIG_IDF_TARGET_ESP32C2.
* The macro is included for clarity, and possible future rename. */
/* #define NO_ESP32_CRYPT */
/* #define NO_WOLFSSL_ESP32_CRYPT_HASH */
#define NO_WOLFSSL_ESP32_CRYPT_AES /* No AES HW */
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /* No RSA HW*/
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL /* No RSA, so no mp_mul */
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD /* No RSA, so no mp_mulmod */
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD /* No RSA, no mp_exptmod */
#include <soc/dport_access.h>
#include <soc/hwcrypto_reg.h>
#if ESP_IDF_VERSION_MAJOR < 5
#include <soc/cpu.h>
#endif
#if defined(ESP_IDF_VERSION_MAJOR) && ESP_IDF_VERSION_MAJOR >= 5
#include <esp_private/periph_ctrl.h>
#else
#include <driver/periph_ctrl.h>
#endif
#if ESP_IDF_VERSION_MAJOR >= 4
/* #include <esp32/rom/ets_sys.h> */
#else
#include <rom/ets_sys.h>
#endif
/* If for some reason there's a desire to disable specific HW on the C2: */
/* #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA */
/* #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA there is SHA HW on C2 */
/* #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 */
/* #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 there is SHA224 HW on C2 */
/* #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA256 */
/* #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA256 there is SHA256 HW on C2 */
/* Code will fall back to SW with warning if these are removed:
* Note there is no SHA384/SHA512 HW on ESP32-C3 */
#undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384
#define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384
#undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512
#define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512
/***** END CONFIG_IDF_TARGET_ESP32C2 aka CONFIG_IDF_TARGET_ESP8684 *****/
#elif defined(CONFIG_IDF_TARGET_ESP32C3)
#include <soc/dport_access.h>
#include <soc/hwcrypto_reg.h>
@ -499,7 +573,8 @@ extern "C"
#if defined(CONFIG_IDF_TARGET_ESP32)
#include "esp32/rom/sha.h"
#define WC_ESP_SHA_TYPE enum SHA_TYPE
#elif defined(CONFIG_IDF_TARGET_ESP32C2)
#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP8684)
#include "esp32c2/rom/sha.h"
#define WC_ESP_SHA_TYPE SHA_TYPE
#elif defined(CONFIG_IDF_TARGET_ESP32C3)
@ -686,6 +761,8 @@ extern "C"
*******************************************************************************
*/
#ifdef WOLFSSL_HW_METRICS
#define WOLFSSL_HAS_METRICS
/* Allow sha256 code to keep track of SW fallback during active HW */
WOLFSSL_LOCAL int esp_sw_sha256_count_add();
@ -780,6 +857,6 @@ extern "C"
}
#endif
#endif /* WOLFSSL_ESPIDF */
#endif /* WOLFSSL_ESPIDF (entire contents excluded when not Espressif ESP-IDF) */
#endif /* __ESP32_CRYPT_H__ */

37
wolfssl/wolfcrypt/settings.h
View File

@ -378,16 +378,19 @@
#endif
#if defined(WOLFSSL_ESPIDF)
#define SIZEOF_LONG_LONG 8
#ifndef NO_ESPIDF_DEFAULT
#define FREERTOS
#define WOLFSSL_LWIP
#define NO_WRITEV
#define SIZEOF_LONG_LONG 8
#define NO_WOLFSSL_DIR
#define WOLFSSL_NO_CURRDIR
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
#define WC_NO_CACHE_RESISTANT
#endif /* !WOLFSSL_ESPIDF_NO_DEFAULT */
#if defined(WOLFSSL_ESPWROOM32)
/* WOLFSSL_ESPWROOM32 is a legacy macro gate.
@ -396,6 +399,32 @@
#define WOLFSSL_ESP32
#endif
#if defined(NO_ESP32WROOM32_CRYPT)
#undef NO_ESP32WROOM32_CRYPT
#define NO_ESP32_CRYPT
#error "Please use NO_ESP32_CRYPT not NO_ESP32WROOM32_CRYPT"
#endif
#if defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
#undef NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH
#define NO_WOLFSSL_ESP32_CRYPT_HASH
#error "Please use NO_WOLFSSL_ESP32_CRYPT_HASH not NO_ESP32WROOM32_CRYPT"
#endif
#if defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
#undef NO_WOLFSSL_ESP32WROOM32_CRYPT_AES
#define NO_WOLFSSL_ESP32_CRYPT_AES
#error "Please use NO_WOLFSSL_ESP32_CRYPT_AES" \
" not " "NO_WOLFSSL_ESP32WROOM32_CRYPT_AES"
#endif
#if defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
#undef NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI
#define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
#error "Please use NO_WOLFSSL_ESP32_CRYPT_RSA_PRI" \
" not " "NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI"
#endif
#if defined(WOLFSSL_ESP32) || defined(WOLFSSL_ESPWROOM32SE)
#ifndef NO_ESP32_CRYPT
#define WOLFSSL_ESP32_CRYPT
@ -407,9 +436,9 @@
#endif
#if defined(WOLFSSL_SP_RISCV32)
#if defined(CONFIG_IDF_TARGET_ESP32C2) \
|| defined(CONFIG_IDF_TARGET_ESP32C3) \
|| defined(CONFIG_IDF_TARGET_ESP32C6)
#if defined(CONFIG_IDF_TARGET_ESP32C2) || \
defined(CONFIG_IDF_TARGET_ESP32C3) || \
defined(CONFIG_IDF_TARGET_ESP32C6)
/* ok, only the known C2, C3, C6 chips allowed */
#else
#error "WOLFSSL_SP_RISCV32 can only be used on RISC-V architecture"