From c3c341913838ebcd3178977630772bdde4908211 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 22 Sep 2016 14:02:32 -0700 Subject: [PATCH 1/5] Added processing of user cert chain in DER format. Added arg check on "wolfSSL_get_certificate" to fix NULL dereference if certificate not yet set via "wolfSSL_use_certificate_buffer" or "wolfSSL_use_certificate_file". Added "wolfSSL_CTX_use_certificate_chain_buffer_format" to expose way to import certificate chain buffer as ASN1 (since "wolfSSL_CTX_use_certificate_chain_buffer" assumes PEM) . Changed ProcessFile from static and added as local in internal.h. --- src/ssl.c | 311 ++++++++++++++++++++++++++------------------- wolfssl/internal.h | 3 + wolfssl/ssl.h | 2 + 3 files changed, 184 insertions(+), 132 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 4dc82bd8a..bc6d44730 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3783,15 +3783,138 @@ int PemToDer(const unsigned char* buff, long longSz, int type, } + +/* process user cert chain to pass during the handshake */ +static int ProcessUserChain(WOLFSSL_CTX* ctx, const unsigned char* buff, + long sz, int format, int type, WOLFSSL* ssl, + long* used, EncryptedInfo* info) +{ + int ret = 0; + void* heap = ctx ? ctx->heap : ((ssl) ? ssl->heap : NULL); + + /* we may have a user cert chain, try to consume */ + if (type == CERT_TYPE && info->consumed < sz) { + #ifdef WOLFSSL_SMALL_STACK + byte staticBuffer[1]; /* force heap usage */ + #else + byte staticBuffer[FILE_BUFFER_SIZE]; /* tmp chain buffer */ + #endif + byte* chainBuffer = staticBuffer; + int dynamicBuffer = 0; + word32 bufferSz = FILE_BUFFER_SIZE; + long consumed = info->consumed; + word32 idx = 0; + int gotOne = 0; + + if ( (sz - consumed) > (int)bufferSz) { + WOLFSSL_MSG("Growing Tmp Chain Buffer"); + bufferSz = (word32)(sz - consumed); + /* will shrink to actual size */ + chainBuffer = (byte*)XMALLOC(bufferSz, heap, DYNAMIC_TYPE_FILE); + if (chainBuffer == NULL) { + return MEMORY_E; + } + dynamicBuffer = 1; + } + + WOLFSSL_MSG("Processing Cert Chain"); + while (consumed < sz) { + int eccKey = 0; + DerBuffer* part = NULL; + word32 remain = (word32)(sz - consumed); + info->consumed = 0; + + if (format == SSL_FILETYPE_PEM) { + ret = PemToDer(buff + consumed, remain, type, &part, + heap, info, &eccKey); + } + else { + int length = remain; + if (format == SSL_FILETYPE_ASN1) { + /* get length of der (read sequence) */ + word32 inOutIdx = 0; + if (GetSequence(buff + consumed, &inOutIdx, &length, remain) < 0) { + ret = SSL_NO_PEM_HEADER; + } + length += inOutIdx; /* include leading squence */ + } + info->consumed = length; + if (ret == 0) { + ret = AllocDer(&part, length, type, heap); + if (ret == 0) { + XMEMCPY(part->buffer, buff + consumed, length); + } + } + } + if (ret == 0) { + gotOne = 1; + if ((idx + part->length) > bufferSz) { + WOLFSSL_MSG(" Cert Chain bigger than buffer"); + ret = BUFFER_E; + } + else { + c32to24(part->length, &chainBuffer[idx]); + idx += CERT_HEADER_SZ; + XMEMCPY(&chainBuffer[idx], part->buffer, part->length); + idx += part->length; + consumed += info->consumed; + if (used) + *used += info->consumed; + } + } + FreeDer(&part); + + if (ret == SSL_NO_PEM_HEADER && gotOne) { + WOLFSSL_MSG("We got one good cert, so stuff at end ok"); + break; + } + + if (ret < 0) { + WOLFSSL_MSG(" Error in Cert in Chain"); + if (dynamicBuffer) + XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); + return ret; + } + WOLFSSL_MSG(" Consumed another Cert in Chain"); + } + WOLFSSL_MSG("Finished Processing Cert Chain"); + + /* only retain actual size used */ + ret = 0; + if (idx > 0) { + if (ssl) { + if (ssl->buffers.weOwnCertChain) { + FreeDer(&ssl->buffers.certChain); + } + ret = AllocDer(&ssl->buffers.certChain, idx, type, heap); + if (ret == 0) { + XMEMCPY(ssl->buffers.certChain->buffer, chainBuffer, idx); + ssl->buffers.weOwnCertChain = 1; + } + } else if (ctx) { + FreeDer(&ctx->certChain); + ret = AllocDer(&ctx->certChain, idx, type, heap); + if (ret == 0) { + XMEMCPY(ctx->certChain->buffer, chainBuffer, idx); + } + } + } + + if (dynamicBuffer) + XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); + } + + return ret; +} /* process the buffer buff, length sz, into ctx of format and type used tracks bytes consumed, userChain specifies a user cert chain to pass during the handshake */ -static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, +int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, int format, int type, WOLFSSL* ssl, long* used, int userChain) { DerBuffer* der = NULL; /* holds DER or RAW (for NTRU) */ - int ret; + int ret = 0; int eccKey = 0; int rsaKey = 0; void* heap = ctx ? ctx->heap : ((ssl) ? ssl->heap : NULL); @@ -3806,6 +3929,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (used) *used = sz; /* used bytes default to sz, PEM chain may shorten*/ + /* check args */ if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM && format != SSL_FILETYPE_RAW) return SSL_BAD_FILETYPE; @@ -3826,134 +3950,44 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (format == SSL_FILETYPE_PEM) { ret = PemToDer(buff, sz, type, &der, heap, info, &eccKey); - - if (used) - *used = info->consumed; - - if (ret < 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - FreeDer(&der); - return ret; + } + else { /* ASN1 (DER) or RAW (NTRU) */ + int length = (int)sz; + if (format == SSL_FILETYPE_ASN1) { + /* get length of der (read sequence) */ + word32 inOutIdx = 0; + if (GetSequence(buff, &inOutIdx, &length, (word32)sz) < 0) { + ret = ASN_PARSE_E; + } + length += inOutIdx; /* include leading squence */ } - - /* we may have a user cert chain, try to consume */ - if (userChain && type == CERT_TYPE && info->consumed < sz) { - #ifdef WOLFSSL_SMALL_STACK - byte staticBuffer[1]; /* force heap usage */ - #else - byte staticBuffer[FILE_BUFFER_SIZE]; /* tmp chain buffer */ - #endif - byte* chainBuffer = staticBuffer; - int dynamicBuffer = 0; - word32 bufferSz = sizeof(staticBuffer); - long consumed = info->consumed; - word32 idx = 0; - int gotOne = 0; - - if ( (sz - consumed) > (int)bufferSz) { - WOLFSSL_MSG("Growing Tmp Chain Buffer"); - bufferSz = (word32)(sz - consumed); - /* will shrink to actual size */ - chainBuffer = (byte*)XMALLOC(bufferSz, heap, DYNAMIC_TYPE_FILE); - if (chainBuffer == NULL) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - FreeDer(&der); - return MEMORY_E; - } - dynamicBuffer = 1; - } - - WOLFSSL_MSG("Processing Cert Chain"); - while (consumed < sz) { - DerBuffer* part = NULL; - info->consumed = 0; - - ret = PemToDer(buff + consumed, sz - consumed, type, &part, - heap, info, &eccKey); - if (ret == 0) { - gotOne = 1; - if ( (idx + part->length) > bufferSz) { - WOLFSSL_MSG(" Cert Chain bigger than buffer"); - ret = BUFFER_E; - } - else { - c32to24(part->length, &chainBuffer[idx]); - idx += CERT_HEADER_SZ; - XMEMCPY(&chainBuffer[idx], part->buffer, part->length); - idx += part->length; - consumed += info->consumed; - if (used) - *used += info->consumed; - } - } - FreeDer(&part); - - if (ret == SSL_NO_PEM_HEADER && gotOne) { - WOLFSSL_MSG("We got one good PEM so stuff at end ok"); - break; - } - - if (ret < 0) { - WOLFSSL_MSG(" Error in Cert in Chain"); - if (dynamicBuffer) - XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - FreeDer(&der); - return ret; - } - WOLFSSL_MSG(" Consumed another Cert in Chain"); - } - WOLFSSL_MSG("Finished Processing Cert Chain"); - - /* only retain actual size used */ - ret = 0; - if (idx > 0) { - if (ssl) { - if (ssl->buffers.weOwnCertChain) { - FreeDer(&ssl->buffers.certChain); - } - ret = AllocDer(&ssl->buffers.certChain, idx, type, heap); - if (ret == 0) { - XMEMCPY(ssl->buffers.certChain->buffer, chainBuffer, idx); - ssl->buffers.weOwnCertChain = 1; - } - } else if (ctx) { - FreeDer(&ctx->certChain); - ret = AllocDer(&ctx->certChain, idx, type, heap); - if (ret == 0) { - XMEMCPY(ctx->certChain->buffer, chainBuffer, idx); - } - } - } - - if (dynamicBuffer) - XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); - - if (ret < 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - FreeDer(&der); - return ret; + info->consumed = length; + if (ret == 0) { + ret = AllocDer(&der, (word32)length, type, heap); + if (ret == 0) { + XMEMCPY(der->buffer, buff, length); } } } - else { /* ASN1 (DER) or RAW (NTRU) */ - ret = AllocDer(&der, (word32)sz, type, heap); - if (ret < 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return ret; - } - XMEMCPY(der->buffer, buff, sz); + if (used) { + *used = info->consumed; + } + + /* process user chain */ + if (ret >= 0) { + if (userChain) { + ret = ProcessUserChain(ctx, buff, sz, format, type, ssl, used, info); + } + } + + /* check for error */ + if (ret < 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); + #endif + FreeDer(&der); + return ret; } #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) @@ -8775,12 +8809,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } + int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx, + const unsigned char* in, long sz, int format) + { + WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_buffer_format"); + return ProcessBuffer(ctx, in, sz, format, CERT_TYPE, NULL, NULL, 1); + } + int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX* ctx, const unsigned char* in, long sz) { - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_buffer"); - return ProcessBuffer(ctx, in, sz, SSL_FILETYPE_PEM, CERT_TYPE, NULL, - NULL, 1); + return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, in, sz, + SSL_FILETYPE_PEM); } @@ -11833,6 +11873,10 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) if (ssl->buffers.weOwnCert) { if (ssl->ourCert == NULL) { + if (ssl->buffers.certificate == NULL) { + WOLFSSL_MSG("Certificate buffer not set!"); + return NULL; + } ssl->ourCert = wolfSSL_X509_d2i(NULL, ssl->buffers.certificate->buffer, ssl->buffers.certificate->length); @@ -11842,16 +11886,19 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) else { /* if cert not owned get parent ctx cert or return null */ if (ssl->ctx) { if (ssl->ctx->ourCert == NULL) { + if (ssl->ctx->certificate == NULL) { + WOLFSSL_MSG("Ctx Certificate buffer not set!"); + return NULL; + } ssl->ctx->ourCert = wolfSSL_X509_d2i(NULL, ssl->ctx->certificate->buffer, ssl->ctx->certificate->length); } return ssl->ctx->ourCert; } - else { - return NULL; - } } + + return NULL; } #endif /* OPENSSL_EXTRA && KEEP_OUR_CERT */ #endif /* NO_CERTS */ @@ -18701,7 +18748,7 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return ecc_sets[i].id; } } - return -1; + return -1; } #endif /* HAVE_ECC */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index a6a229d2d..7055bb7b9 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2905,6 +2905,9 @@ typedef struct EncryptedInfo { DerBuffer** pDer, void* heap, EncryptedInfo* info, int* eccKey); + WOLFSSL_LOCAL int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, + long sz, int format, int type, WOLFSSL* ssl, + long* used, int userChain); WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, WOLFSSL* ssl, int userChain, WOLFSSL_CRL* crl); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index b68669e16..4b0f1c8ae 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1090,6 +1090,8 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, const unsigned char*, long, int); WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX*, const unsigned char*, long, int); + WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX*, + const unsigned char*, long, int); WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX*, const unsigned char*, long); From 7a35d904c2b11af03b0aac523eeaaedb67d84d29 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 17 Oct 2016 09:59:05 -0700 Subject: [PATCH 2/5] Added new API "wolfSSL_CIPHER_get_name_from_suite" to allow use of the cipherSuite and cipherSuite0 args directly to get cipher suite name. Changed "wolfSSL_CIPHER_get_name" to call new API (based on original). ASN change to allow ToTraditional and SetName for OPENSSL_EXTRA. --- src/ssl.c | 261 +++++++++++++++++++++------------------- wolfssl/ssl.h | 2 + wolfssl/wolfcrypt/asn.h | 22 ++-- 3 files changed, 152 insertions(+), 133 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index bc6d44730..fed907b90 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -12010,15 +12010,28 @@ WOLFSSL_CIPHER* wolfSSL_get_current_cipher(WOLFSSL* ssl) const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) { - (void)cipher; - WOLFSSL_ENTER("SSL_CIPHER_get_name"); + + if (cipher == NULL || cipher->ssl == NULL) { + return NULL; + } + + return wolfSSL_CIPHER_get_name_from_suite(cipher->ssl->options.cipherSuite, + cipher->ssl->options.cipherSuite0); +} + +const char* wolfSSL_CIPHER_get_name_from_suite(const unsigned char cipherSuite, + const unsigned char cipherSuite0) +{ + + WOLFSSL_ENTER("wolfSSL_CIPHER_get_name_from_suite"); + #ifndef NO_ERROR_STRINGS - if (cipher) { + #if defined(HAVE_CHACHA) - if (cipher->ssl->options.cipherSuite0 == CHACHA_BYTE) { + if (cipherSuite0 == CHACHA_BYTE) { /* ChaCha suites */ - switch (cipher->ssl->options.cipherSuite) { + switch (cipherSuite) { #ifdef HAVE_POLY1305 #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : @@ -12047,138 +12060,136 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; #endif /* NO_PSK */ #endif /* HAVE_POLY1305 */ - } - } -#endif + } /* switch */ + } /* chacha */ +#endif /* HAVE_CHACHA */ #if defined(HAVE_ECC) || defined(HAVE_AESCCM) /* Awkwardly, the ECC cipher suites use the ECC_BYTE as expected, * but the AES-CCM cipher suites also use it, even the ones that * aren't ECC. */ - if (cipher->ssl->options.cipherSuite0 == ECC_BYTE) { + if (cipherSuite0 == ECC_BYTE) { /* ECC suites */ - switch (cipher->ssl->options.cipherSuite) { + switch (cipherSuite) { #ifdef HAVE_ECC -#ifndef NO_RSA + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; -#endif + #endif /* !NO_RSA */ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; -#ifndef NO_RSA + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"; -#endif + #endif /* !NO_RSA */ case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"; -#ifndef NO_RSA + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; -#endif + #endif /* !NO_RSA */ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; -#ifndef NO_RSA + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"; -#endif + #endif /* !NO_RSA */ case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"; #ifndef NO_SHA -#ifndef NO_RSA + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; -#endif + #endif /* !NO_RSA */ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; -#ifndef NO_RC4 - #ifndef NO_RSA + #ifndef NO_RC4 + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_RC4_128_SHA : return "TLS_ECDHE_RSA_WITH_RC4_128_SHA"; - #endif + #endif /* !NO_RSA */ case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"; -#endif -#ifndef NO_DES3 - #ifndef NO_RSA + #endif /* !NO_RC4 */ + #ifndef NO_DES3 + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif + #endif /* !NO_RSA */ case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"; -#endif + #endif /* !NO_DES3 */ -#ifndef NO_RSA + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"; case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"; -#endif + #endif /* !NO_RSA */ case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA : return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"; case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA : return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"; -#ifndef NO_RC4 - #ifndef NO_RSA + #ifndef NO_RC4 + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_RC4_128_SHA : return "TLS_ECDH_RSA_WITH_RC4_128_SHA"; - #endif + #endif /* !NO_RSA */ case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"; -#endif -#ifndef NO_DES3 - #ifndef NO_RSA + #endif /* !NO_RC4 */ + #ifndef NO_DES3 + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif + #endif /* !NO_RSA */ case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA : return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"; -#endif -#endif /* NO_SHA */ + #endif /* !NO_DES3 */ +#endif /* HAVE_ECC */ #ifdef HAVE_AESGCM -#ifndef NO_RSA + #ifndef NO_RSA case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; -#endif + #endif /* !NO_RSA */ case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; -#ifndef NO_RSA + #ifndef NO_RSA case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"; case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"; -#endif + #endif /* !NO_RSA */ case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; -#endif +#endif /* HAVE_AESGCM */ + case TLS_ECDHE_ECDSA_WITH_NULL_SHA : return "TLS_ECDHE_ECDSA_WITH_NULL_SHA"; -#ifndef NO_PSK + #ifndef NO_PSK case TLS_ECDHE_PSK_WITH_NULL_SHA256 : return "TLS_ECDHE_PSK_WITH_NULL_SHA256"; case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : return "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"; -#endif -#endif /* HAVE_ECC */ - -#ifdef HAVE_AESCCM -#ifndef NO_RSA + #endif /* !NO_PSK */ + #ifndef NO_RSA case TLS_RSA_WITH_AES_128_CCM_8 : return "TLS_RSA_WITH_AES_128_CCM_8"; case TLS_RSA_WITH_AES_256_CCM_8 : return "TLS_RSA_WITH_AES_256_CCM_8"; -#endif -#ifndef NO_PSK + #endif /* !NO_RSA */ + #ifndef NO_PSK case TLS_PSK_WITH_AES_128_CCM_8 : return "TLS_PSK_WITH_AES_128_CCM_8"; case TLS_PSK_WITH_AES_256_CCM_8 : @@ -12191,53 +12202,54 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return "TLS_DHE_PSK_WITH_AES_128_CCM"; case TLS_DHE_PSK_WITH_AES_256_CCM : return "TLS_DHE_PSK_WITH_AES_256_CCM"; -#endif -#ifdef HAVE_ECC + #endif /* !NO_PSK */ + #ifdef HAVE_ECC case TLS_ECDHE_ECDSA_WITH_AES_128_CCM: return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM"; case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"; case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : return "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"; -#endif -#endif + #endif /* HAVE_ECC */ +#endif /* HAVE_AESGCM */ default: return "NONE"; - } - } -#endif /* ECC */ - if (cipher->ssl->options.cipherSuite0 != ECC_BYTE && - cipher->ssl->options.cipherSuite0 != CHACHA_BYTE) { + } /* switch */ + } /* ECC and AES CCM/GCM */ +#endif /* HAVE_ECC || HAVE_AESCCM*/ - /* normal suites */ - switch (cipher->ssl->options.cipherSuite) { + if (cipherSuite0 != ECC_BYTE && + cipherSuite0 != CHACHA_BYTE) { + + /* normal suites */ + switch (cipherSuite) { #ifndef NO_RSA -#ifndef NO_RC4 - #ifndef NO_SHA + #ifndef NO_RC4 + #ifndef NO_SHA case SSL_RSA_WITH_RC4_128_SHA : return "SSL_RSA_WITH_RC4_128_SHA"; - #endif - #ifndef NO_MD5 + #endif /* !NO_SHA */ + #ifndef NO_MD5 case SSL_RSA_WITH_RC4_128_MD5 : return "SSL_RSA_WITH_RC4_128_MD5"; - #endif -#endif -#ifndef NO_SHA - #ifndef NO_DES3 + #endif /* !NO_MD5 */ + #endif /* !NO_RC4 */ + #ifndef NO_SHA + #ifndef NO_DES3 case SSL_RSA_WITH_3DES_EDE_CBC_SHA : return "SSL_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif - #ifdef HAVE_IDEA + #endif /* !NO_DES3 */ + #ifdef HAVE_IDEA case SSL_RSA_WITH_IDEA_CBC_SHA : return "SSL_RSA_WITH_IDEA_CBC_SHA"; - #endif + #endif /* HAVE_IDEA */ case TLS_RSA_WITH_AES_128_CBC_SHA : return "TLS_RSA_WITH_AES_128_CBC_SHA"; case TLS_RSA_WITH_AES_256_CBC_SHA : return "TLS_RSA_WITH_AES_256_CBC_SHA"; -#endif + #endif /* !NO_SHA */ case TLS_RSA_WITH_AES_128_CBC_SHA256 : return "TLS_RSA_WITH_AES_128_CBC_SHA256"; case TLS_RSA_WITH_AES_256_CBC_SHA256 : @@ -12247,22 +12259,23 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return "TLS_RSA_WITH_AES_128_CBC_B2B256"; case TLS_RSA_WITH_AES_256_CBC_B2B256: return "TLS_RSA_WITH_AES_256_CBC_B2B256"; - #endif -#ifndef NO_SHA + #endif /* HAVE_BLAKE2 */ + #ifndef NO_SHA case TLS_RSA_WITH_NULL_SHA : return "TLS_RSA_WITH_NULL_SHA"; -#endif + #endif /* !NO_SHA */ case TLS_RSA_WITH_NULL_SHA256 : return "TLS_RSA_WITH_NULL_SHA256"; #endif /* NO_RSA */ + #ifndef NO_PSK -#ifndef NO_SHA + #ifndef NO_SHA case TLS_PSK_WITH_AES_128_CBC_SHA : return "TLS_PSK_WITH_AES_128_CBC_SHA"; case TLS_PSK_WITH_AES_256_CBC_SHA : return "TLS_PSK_WITH_AES_256_CBC_SHA"; -#endif -#ifndef NO_SHA256 + #endif /* !NO_SHA */ + #ifndef NO_SHA256 case TLS_PSK_WITH_AES_128_CBC_SHA256 : return "TLS_PSK_WITH_AES_128_CBC_SHA256"; case TLS_PSK_WITH_NULL_SHA256 : @@ -12271,14 +12284,14 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"; case TLS_DHE_PSK_WITH_NULL_SHA256 : return "TLS_DHE_PSK_WITH_NULL_SHA256"; - #ifdef HAVE_AESGCM + #ifdef HAVE_AESGCM case TLS_PSK_WITH_AES_128_GCM_SHA256 : return "TLS_PSK_WITH_AES_128_GCM_SHA256"; case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : return "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"; - #endif -#endif -#ifdef WOLFSSL_SHA384 + #endif /* HAVE_AESGCM */ + #endif /* !NO_SHA256 */ + #ifdef WOLFSSL_SHA384 case TLS_PSK_WITH_AES_256_CBC_SHA384 : return "TLS_PSK_WITH_AES_256_CBC_SHA384"; case TLS_PSK_WITH_NULL_SHA384 : @@ -12287,24 +12300,25 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"; case TLS_DHE_PSK_WITH_NULL_SHA384 : return "TLS_DHE_PSK_WITH_NULL_SHA384"; - #ifdef HAVE_AESGCM + #ifdef HAVE_AESGCM case TLS_PSK_WITH_AES_256_GCM_SHA384 : return "TLS_PSK_WITH_AES_256_GCM_SHA384"; case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : return "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"; - #endif -#endif -#ifndef NO_SHA + #endif /* HAVE_AESGCM */ + #endif /* WOLFSSL_SHA384 */ + #ifndef NO_SHA case TLS_PSK_WITH_NULL_SHA : return "TLS_PSK_WITH_NULL_SHA"; -#endif -#endif /* NO_PSK */ -#ifndef NO_RSA + #endif /* !NO_SHA */ + #endif /* NO_PSK */ + + #ifndef NO_RSA case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; -#ifndef NO_SHA + #ifndef NO_SHA case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : @@ -12313,45 +12327,47 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"; #endif -#endif -#ifndef NO_HC128 - #ifndef NO_MD5 + #endif /* !NO_RSA */ + #ifndef NO_HC128 + #ifndef NO_MD5 case TLS_RSA_WITH_HC_128_MD5 : return "TLS_RSA_WITH_HC_128_MD5"; - #endif - #ifndef NO_SHA + #endif /* !NO_MD5 */ + #ifndef NO_SHA case TLS_RSA_WITH_HC_128_SHA : return "TLS_RSA_WITH_HC_128_SHA"; - #endif - #ifdef HAVE_BLAKE2 + #endif /* !NO_SHA */ + #ifdef HAVE_BLAKE2 case TLS_RSA_WITH_HC_128_B2B256: return "TLS_RSA_WITH_HC_128_B2B256"; - #endif -#endif /* NO_HC128 */ -#ifndef NO_SHA - #ifndef NO_RABBIT + #endif /* HAVE_BLAKE2 */ + #endif /* !NO_HC128 */ + #ifndef NO_SHA + #ifndef NO_RABBIT case TLS_RSA_WITH_RABBIT_SHA : return "TLS_RSA_WITH_RABBIT_SHA"; - #endif - #ifdef HAVE_NTRU - #ifndef NO_RC4 + #endif /* !NO_RABBIT */ + #ifdef HAVE_NTRU + #ifndef NO_RC4 case TLS_NTRU_RSA_WITH_RC4_128_SHA : return "TLS_NTRU_RSA_WITH_RC4_128_SHA"; - #endif - #ifndef NO_DES3 + #endif /* !NO_RC4 */ + #ifndef NO_DES3 case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : return "TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif + #endif /* !NO_DES3 */ case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : return "TLS_NTRU_RSA_WITH_AES_128_CBC_SHA"; case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : return "TLS_NTRU_RSA_WITH_AES_256_CBC_SHA"; - #endif /* HAVE_NTRU */ - #ifdef HAVE_QSH + #endif /* HAVE_NTRU */ + + #ifdef HAVE_QSH case TLS_QSH : return "TLS_QSH"; - #endif /* HAVE_QSH*/ -#endif /* NO_SHA */ + #endif /* HAVE_QSH */ + #endif /* !NO_SHA */ + case TLS_RSA_WITH_AES_128_GCM_SHA256 : return "TLS_RSA_WITH_AES_128_GCM_SHA256"; case TLS_RSA_WITH_AES_256_GCM_SHA384 : @@ -12360,37 +12376,38 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; -#ifndef NO_SHA + #ifndef NO_SHA case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA : return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"; case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"; -#endif + #endif /* !NO_SHA */ case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 : return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"; case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 : return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"; -#ifndef NO_SHA + #ifndef NO_SHA case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"; case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"; -#endif + #endif /* !NO_SHA */ case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 : return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"; case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 : return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"; -#endif /* NO_RSA */ +#endif /* !NO_PSK */ + #ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA case TLS_DH_anon_WITH_AES_128_CBC_SHA : return "TLS_DH_anon_WITH_AES_128_CBC_SHA"; #endif default: return "NONE"; - } /* switch */ - } /* normal / ECC */ - } + } /* switch */ + } /* normal / PSK */ #endif /* NO_ERROR_STRINGS */ + return "NONE"; } diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 4b0f1c8ae..725ba7a34 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -456,6 +456,8 @@ WOLFSSL_API int wolfSSL_get_current_cipher_suite(WOLFSSL* ssl); WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_get_current_cipher(WOLFSSL*); WOLFSSL_API char* wolfSSL_CIPHER_description(WOLFSSL_CIPHER*, char*, int); WOLFSSL_API const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher); +WOLFSSL_API const char* wolfSSL_CIPHER_get_name_from_suite( + const unsigned char cipherSuite, const unsigned char cipherSuite0); WOLFSSL_API const char* wolfSSL_get_cipher(WOLFSSL*); WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl); /* what's ref count */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index d628211a7..b2f0c67d7 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -610,20 +610,20 @@ struct TrustedPeerCert { #endif /* WOLFSSL_TRUST_PEER_CERT */ -/* not for public consumption but may use for testing sometimes */ -#ifdef WOLFSSL_TEST_CERT - #define WOLFSSL_TEST_API WOLFSSL_API +/* for testing or custom openssl wrappers */ +#if defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) + #define WOLFSSL_ASN_API WOLFSSL_API #else - #define WOLFSSL_TEST_API WOLFSSL_LOCAL + #define WOLFSSL_ASN_API WOLFSSL_LOCAL #endif -WOLFSSL_TEST_API void FreeAltNames(DNS_entry*, void*); +WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*); #ifndef IGNORE_NAME_CONSTRAINTS - WOLFSSL_TEST_API void FreeNameSubtrees(Base_entry*, void*); + WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*); #endif /* IGNORE_NAME_CONSTRAINTS */ -WOLFSSL_TEST_API void InitDecodedCert(DecodedCert*, byte*, word32, void*); -WOLFSSL_TEST_API void FreeDecodedCert(DecodedCert*); -WOLFSSL_TEST_API int ParseCert(DecodedCert*, int type, int verify, void* cm); +WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, byte*, word32, void*); +WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*); +WOLFSSL_ASN_API int ParseCert(DecodedCert*, int type, int verify, void* cm); WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm); WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify); @@ -636,7 +636,7 @@ WOLFSSL_LOCAL void FreeTrustedPeer(TrustedPeerCert*, void*); WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*); #endif /* WOLFSSL_TRUST_PEER_CERT */ -WOLFSSL_LOCAL int ToTraditional(byte* buffer, word32 length); +WOLFSSL_ASN_API int ToTraditional(byte* buffer, word32 length); WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int); WOLFSSL_LOCAL int DecryptContent(byte* input, word32 sz,const char* psw,int pswSz); @@ -650,7 +650,7 @@ WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType); /* ASN.1 helper functions */ #ifdef WOLFSSL_CERT_GEN -WOLFSSL_TEST_API int SetName(byte* output, word32 outputSz, CertName* name); +WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name); #endif WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number, word32 maxIdx); From 3d920b23a0deeb364c6679f19d5e248bf3a15e14 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 17 Oct 2016 10:15:01 -0700 Subject: [PATCH 3/5] Fix for building with NO_ERROR_STRINGS. --- src/ssl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index fed907b90..a56911d83 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -12026,6 +12026,9 @@ const char* wolfSSL_CIPHER_get_name_from_suite(const unsigned char cipherSuite, WOLFSSL_ENTER("wolfSSL_CIPHER_get_name_from_suite"); + (void)cipherSuite; + (void)cipherSuite0; + #ifndef NO_ERROR_STRINGS #if defined(HAVE_CHACHA) From 039aedcfba0756cf708dcfc846560c09eb9f9d7b Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 23 Nov 2016 11:25:01 -0800 Subject: [PATCH 4/5] Added "wolfSSL_use_certificate_chain_buffer_format". Added "wolfSSL_SESSION_CIPHER_get_name" to get cipher suite name using WOLFSSL_SESSION*. Moved the "wolfSSL_get_cipher_name_from_suite" function to internal.c. Added new server-cert-chain.der, which is combination of ca-cert.der and server-cert.der. Enhanced load_buffer to detect format using file extension. Can test use of DER cert chain with NO_FILESYSTEM defined using "./examples/server/server -c ./certs/server-cert-chain.der -k ./certs/server-key.der". --- certs/include.am | 3 +- certs/server-cert-chain.der | Bin 0 -> 2384 bytes examples/server/server.c | 14 +- src/internal.c | 395 +++++++++++++++++++++++++++++++++ src/ssl.c | 431 +++--------------------------------- wolfssl/internal.h | 3 +- wolfssl/ssl.h | 5 +- wolfssl/test.h | 21 +- 8 files changed, 459 insertions(+), 413 deletions(-) create mode 100644 certs/server-cert-chain.der diff --git a/certs/include.am b/certs/include.am index d9156eaa8..1d69d13f7 100644 --- a/certs/include.am +++ b/certs/include.am @@ -42,7 +42,8 @@ EXTRA_DIST += \ certs/ecc-key.der \ certs/ecc-keyPub.der \ certs/server-key.der \ - certs/server-cert.der + certs/server-cert.der \ + certs/server-cert-chain.der dist_doc_DATA+= certs/taoCert.txt diff --git a/certs/server-cert-chain.der b/certs/server-cert-chain.der new file mode 100644 index 0000000000000000000000000000000000000000..37a1929b63cf3ae7bff4b9cee1ad72a52580d2be GIT binary patch literal 2384 zcmXqLVwq>q#N4)knTe5!iILHOmyJ`a&7;v-}HxGMoX+c4L zQ3)kZZemnI4qQf72IeM4eg=akMlPl%Mn;AMQ#l@nJANw6-G0f{QJpdMnCrSvdsGZ| zOg*RXckP=@$DW$`zgMK!|BIOuSo*!|6#H{i{r-o0s}JbctWH@W{^wL|^{xksPmA>O z_1bPsExxrzI(TQi{dGxRRsV;{$${P6DfVlfcPy2OG15l{hJoZvo~b(!`yh8J<7!w zIhi{}E(z>RIjnVI;WV#353fi?A760bU~&b&i@AZ(v<4&PsSC?@316CC{3urSWESsX z%Y-FcHe@pW(sQ}TR$HU^C+LGsEhjRy@H_ce&9_oWM#99EOH ze`}n)dC3h~gQqX9E^M5&q;dKnO}4BNL&Fiw-sRyN=Pc}19o)qt6i@jr3`;RYuV zMuxzDTKC!OoKL0oiXPFv9lnVzmv=(i|D`H(MBX=kTC#fP$}CTXrI!ky%h=3hKkokL z#k4J7oea)dGJ0P;^kUD{miBX@vD4?DulO7`dnrfmnr};Ej=Z-*onISCwd7aniWSarUmnw(BjE#Z^?zPWdKh`%kUBk?=t7>zadI3pdua z_O&bMa~Q6TJLYvF@yk4RxkXBEi)&in{YttMV7BV-@wuxcSbo1cqmwav^U6chZX7%l zRrj5D9>;^Zn%ymK{g)?ZZQW57bH+cEamOr=1yh_)sk#SoegCp=!^Ohfr9ob)0h`wP z$v((oyz$$);n@=&bAu+9RR&GWlOQD&QpgRHl4@`ku!Ksh{XD01MK;N`I7OeekoWrJ zTPpBzo9X=fr)rsJTwZgJIqjX+#~T}J^VmbU1!gGvHk=kxcz(wJo@?#NqH?2GrzY&q z3=&}0U-5bB(U09pVbbr@^Op!XPF>42`|;8P8!i=;1sFuHc)_7l^LF{7s$L6CnKj4X zeyW+eVQN#YXN<+!a@F^H8%l$x*w~&*j-D^N^|Gw6zT`!l+htZ~cGRAHdg%Hshx{9g zcZ#K*bc5&olloJ;y2{Lc#=Vvr*7S2(A{Ol{KlW_RIGs^nsG$9ILGsry{l#jRw&!n* z62ERSljGmyi2Q$tg*`dMxR?8;GXxo?EBnoO8|W&#ljSD&n;RONz4yK~tHfSfVJnG7 zR%yjI*~7)FXj(#{YST)cQwhceiz29uFW2oGfoo&|bs+pz<9@m~kO*yydSAm7uk=8BV%Kr-I>EC8M zzIBe`2fLcr6Mw{T{%vtyve}P?N6D}-%j3lA-7n7lN*9%~YMS9}yp>O0uJecaJ?Up# z7kpXNyD`Q%K)o}+zfx4bJ-UocyF|2X3mayckQ zmt~z=`@=ei)2@zU-g%4lyvp`!*2@H&v#os@opo)y-;_l)FV^@i3$W8RnwQ}u{UkCy Q@zwEJfpcU+7nhd-04rxudjJ3c literal 0 HcmV?d00001 diff --git a/examples/server/server.c b/examples/server/server.c index de3b09960..d39db8070 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -717,12 +717,17 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); #endif -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) +#if !defined(NO_CERTS) if ((!usePsk || usePskPlus) && !useAnon) { + #if !defined(NO_FILESYSTEM) if (SSL_CTX_use_certificate_chain_file(ctx, ourCert) != SSL_SUCCESS) err_sys("can't load server cert file, check file and run from" " wolfSSL home dir"); + #else + /* loads cert chain file using buffer API */ + load_buffer(ctx, ourCert, WOLFSSL_CERT_CHAIN); + #endif } #endif @@ -750,12 +755,17 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) "Please run from wolfSSL home dir"); } #endif -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) +#if !defined(NO_CERTS) if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon) { + #if !defined(NO_FILESYSTEM) if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) != SSL_SUCCESS) err_sys("can't load server private key file, check file and run " "from wolfSSL home dir"); + #else + /* loads private key file using buffer API */ + load_buffer(ctx, ourKey, WOLFSSL_KEY); + #endif } #endif diff --git a/src/internal.c b/src/internal.c index 3b097aaa7..71924d2fd 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12656,6 +12656,401 @@ const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl) } +const char* wolfSSL_get_cipher_name_from_suite(const unsigned char cipherSuite, + const unsigned char cipherSuite0) +{ + + WOLFSSL_ENTER("wolfSSL_get_cipher_name_from_suite"); + + (void)cipherSuite; + (void)cipherSuite0; + +#ifndef NO_ERROR_STRINGS + +#if defined(HAVE_CHACHA) + if (cipherSuite0 == CHACHA_BYTE) { + /* ChaCha suites */ + switch (cipherSuite) { +#ifdef HAVE_POLY1305 +#ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : + return "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; + + case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : + return "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; + + case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : + return "TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; + + case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : + return "TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; +#endif + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : + return "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"; + + case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : + return "TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; +#ifndef NO_PSK + case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : + return "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; + case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 : + return "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"; + case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : + return "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; +#endif /* NO_PSK */ +#endif /* HAVE_POLY1305 */ + } /* switch */ + } /* chacha */ +#endif /* HAVE_CHACHA */ + +#if defined(HAVE_ECC) || defined(HAVE_AESCCM) + /* Awkwardly, the ECC cipher suites use the ECC_BYTE as expected, + * but the AES-CCM cipher suites also use it, even the ones that + * aren't ECC. */ + if (cipherSuite0 == ECC_BYTE) { + /* ECC suites */ + switch (cipherSuite) { +#ifdef HAVE_ECC + #ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; + #endif /* !NO_RSA */ + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; + #ifndef NO_RSA + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"; + #endif /* !NO_RSA */ + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"; + #ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : + return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; + #endif /* !NO_RSA */ + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : + return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; + #ifndef NO_RSA + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : + return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"; + #endif /* !NO_RSA */ + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : + return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"; +#ifndef NO_SHA + #ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : + return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : + return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; + #endif /* !NO_RSA */ + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : + return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : + return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; + #ifndef NO_RC4 + #ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_RC4_128_SHA : + return "TLS_ECDHE_RSA_WITH_RC4_128_SHA"; + #endif /* !NO_RSA */ + case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : + return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"; + #endif /* !NO_RC4 */ + #ifndef NO_DES3 + #ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : + return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif /* !NO_RSA */ + case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : + return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"; + #endif /* !NO_DES3 */ + + #ifndef NO_RSA + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : + return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"; + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : + return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"; + #endif /* !NO_RSA */ + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA : + return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"; + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA : + return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"; + #ifndef NO_RC4 + #ifndef NO_RSA + case TLS_ECDH_RSA_WITH_RC4_128_SHA : + return "TLS_ECDH_RSA_WITH_RC4_128_SHA"; + #endif /* !NO_RSA */ + case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : + return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"; + #endif /* !NO_RC4 */ + #ifndef NO_DES3 + #ifndef NO_RSA + case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : + return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif /* !NO_RSA */ + case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA : + return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"; + #endif /* !NO_DES3 */ +#endif /* HAVE_ECC */ + +#ifdef HAVE_AESGCM + #ifndef NO_RSA + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : + return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; + case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : + return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; + #endif /* !NO_RSA */ + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : + return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; + case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : + return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; + #ifndef NO_RSA + case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : + return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"; + case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : + return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"; + #endif /* !NO_RSA */ + case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : + return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; + case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : + return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; +#endif /* HAVE_AESGCM */ + + case TLS_ECDHE_ECDSA_WITH_NULL_SHA : + return "TLS_ECDHE_ECDSA_WITH_NULL_SHA"; + #ifndef NO_PSK + case TLS_ECDHE_PSK_WITH_NULL_SHA256 : + return "TLS_ECDHE_PSK_WITH_NULL_SHA256"; + case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"; + #endif /* !NO_PSK */ + #ifndef NO_RSA + case TLS_RSA_WITH_AES_128_CCM_8 : + return "TLS_RSA_WITH_AES_128_CCM_8"; + case TLS_RSA_WITH_AES_256_CCM_8 : + return "TLS_RSA_WITH_AES_256_CCM_8"; + #endif /* !NO_RSA */ + #ifndef NO_PSK + case TLS_PSK_WITH_AES_128_CCM_8 : + return "TLS_PSK_WITH_AES_128_CCM_8"; + case TLS_PSK_WITH_AES_256_CCM_8 : + return "TLS_PSK_WITH_AES_256_CCM_8"; + case TLS_PSK_WITH_AES_128_CCM : + return "TLS_PSK_WITH_AES_128_CCM"; + case TLS_PSK_WITH_AES_256_CCM : + return "TLS_PSK_WITH_AES_256_CCM"; + case TLS_DHE_PSK_WITH_AES_128_CCM : + return "TLS_DHE_PSK_WITH_AES_128_CCM"; + case TLS_DHE_PSK_WITH_AES_256_CCM : + return "TLS_DHE_PSK_WITH_AES_256_CCM"; + #endif /* !NO_PSK */ + #ifdef HAVE_ECC + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM: + return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM"; + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: + return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"; + case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : + return "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"; + #endif /* HAVE_ECC */ +#endif /* HAVE_AESGCM */ + + default: + return "NONE"; + } /* switch */ + } /* ECC and AES CCM/GCM */ +#endif /* HAVE_ECC || HAVE_AESCCM*/ + + if (cipherSuite0 != ECC_BYTE && + cipherSuite0 != CHACHA_BYTE) { + + /* normal suites */ + switch (cipherSuite) { +#ifndef NO_RSA + #ifndef NO_RC4 + #ifndef NO_SHA + case SSL_RSA_WITH_RC4_128_SHA : + return "SSL_RSA_WITH_RC4_128_SHA"; + #endif /* !NO_SHA */ + #ifndef NO_MD5 + case SSL_RSA_WITH_RC4_128_MD5 : + return "SSL_RSA_WITH_RC4_128_MD5"; + #endif /* !NO_MD5 */ + #endif /* !NO_RC4 */ + #ifndef NO_SHA + #ifndef NO_DES3 + case SSL_RSA_WITH_3DES_EDE_CBC_SHA : + return "SSL_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif /* !NO_DES3 */ + #ifdef HAVE_IDEA + case SSL_RSA_WITH_IDEA_CBC_SHA : + return "SSL_RSA_WITH_IDEA_CBC_SHA"; + #endif /* HAVE_IDEA */ + + case TLS_RSA_WITH_AES_128_CBC_SHA : + return "TLS_RSA_WITH_AES_128_CBC_SHA"; + case TLS_RSA_WITH_AES_256_CBC_SHA : + return "TLS_RSA_WITH_AES_256_CBC_SHA"; + #endif /* !NO_SHA */ + case TLS_RSA_WITH_AES_128_CBC_SHA256 : + return "TLS_RSA_WITH_AES_128_CBC_SHA256"; + case TLS_RSA_WITH_AES_256_CBC_SHA256 : + return "TLS_RSA_WITH_AES_256_CBC_SHA256"; + #ifdef HAVE_BLAKE2 + case TLS_RSA_WITH_AES_128_CBC_B2B256: + return "TLS_RSA_WITH_AES_128_CBC_B2B256"; + case TLS_RSA_WITH_AES_256_CBC_B2B256: + return "TLS_RSA_WITH_AES_256_CBC_B2B256"; + #endif /* HAVE_BLAKE2 */ + #ifndef NO_SHA + case TLS_RSA_WITH_NULL_SHA : + return "TLS_RSA_WITH_NULL_SHA"; + #endif /* !NO_SHA */ + case TLS_RSA_WITH_NULL_SHA256 : + return "TLS_RSA_WITH_NULL_SHA256"; +#endif /* NO_RSA */ + +#ifndef NO_PSK + #ifndef NO_SHA + case TLS_PSK_WITH_AES_128_CBC_SHA : + return "TLS_PSK_WITH_AES_128_CBC_SHA"; + case TLS_PSK_WITH_AES_256_CBC_SHA : + return "TLS_PSK_WITH_AES_256_CBC_SHA"; + #endif /* !NO_SHA */ + #ifndef NO_SHA256 + case TLS_PSK_WITH_AES_128_CBC_SHA256 : + return "TLS_PSK_WITH_AES_128_CBC_SHA256"; + case TLS_PSK_WITH_NULL_SHA256 : + return "TLS_PSK_WITH_NULL_SHA256"; + case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : + return "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"; + case TLS_DHE_PSK_WITH_NULL_SHA256 : + return "TLS_DHE_PSK_WITH_NULL_SHA256"; + #ifdef HAVE_AESGCM + case TLS_PSK_WITH_AES_128_GCM_SHA256 : + return "TLS_PSK_WITH_AES_128_GCM_SHA256"; + case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : + return "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"; + #endif /* HAVE_AESGCM */ + #endif /* !NO_SHA256 */ + #ifdef WOLFSSL_SHA384 + case TLS_PSK_WITH_AES_256_CBC_SHA384 : + return "TLS_PSK_WITH_AES_256_CBC_SHA384"; + case TLS_PSK_WITH_NULL_SHA384 : + return "TLS_PSK_WITH_NULL_SHA384"; + case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : + return "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"; + case TLS_DHE_PSK_WITH_NULL_SHA384 : + return "TLS_DHE_PSK_WITH_NULL_SHA384"; + #ifdef HAVE_AESGCM + case TLS_PSK_WITH_AES_256_GCM_SHA384 : + return "TLS_PSK_WITH_AES_256_GCM_SHA384"; + case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : + return "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"; + #endif /* HAVE_AESGCM */ + #endif /* WOLFSSL_SHA384 */ + #ifndef NO_SHA + case TLS_PSK_WITH_NULL_SHA : + return "TLS_PSK_WITH_NULL_SHA"; + #endif /* !NO_SHA */ + #endif /* NO_PSK */ + + #ifndef NO_RSA + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : + return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : + return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; + #ifndef NO_SHA + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : + return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : + return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; + #ifndef NO_DES3 + case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: + return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif + #endif /* !NO_RSA */ + #ifndef NO_HC128 + #ifndef NO_MD5 + case TLS_RSA_WITH_HC_128_MD5 : + return "TLS_RSA_WITH_HC_128_MD5"; + #endif /* !NO_MD5 */ + #ifndef NO_SHA + case TLS_RSA_WITH_HC_128_SHA : + return "TLS_RSA_WITH_HC_128_SHA"; + #endif /* !NO_SHA */ + #ifdef HAVE_BLAKE2 + case TLS_RSA_WITH_HC_128_B2B256: + return "TLS_RSA_WITH_HC_128_B2B256"; + #endif /* HAVE_BLAKE2 */ + #endif /* !NO_HC128 */ + #ifndef NO_SHA + #ifndef NO_RABBIT + case TLS_RSA_WITH_RABBIT_SHA : + return "TLS_RSA_WITH_RABBIT_SHA"; + #endif /* !NO_RABBIT */ + #ifdef HAVE_NTRU + #ifndef NO_RC4 + case TLS_NTRU_RSA_WITH_RC4_128_SHA : + return "TLS_NTRU_RSA_WITH_RC4_128_SHA"; + #endif /* !NO_RC4 */ + #ifndef NO_DES3 + case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : + return "TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif /* !NO_DES3 */ + case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : + return "TLS_NTRU_RSA_WITH_AES_128_CBC_SHA"; + case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : + return "TLS_NTRU_RSA_WITH_AES_256_CBC_SHA"; + #endif /* HAVE_NTRU */ + + #ifdef HAVE_QSH + case TLS_QSH : + return "TLS_QSH"; + #endif /* HAVE_QSH */ + #endif /* !NO_SHA */ + + case TLS_RSA_WITH_AES_128_GCM_SHA256 : + return "TLS_RSA_WITH_AES_128_GCM_SHA256"; + case TLS_RSA_WITH_AES_256_GCM_SHA384 : + return "TLS_RSA_WITH_AES_256_GCM_SHA384"; + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : + return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; + case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : + return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; + #ifndef NO_SHA + case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA : + return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"; + case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : + return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"; + #endif /* !NO_SHA */ + case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 : + return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"; + case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 : + return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"; + #ifndef NO_SHA + case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : + return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"; + case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : + return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"; + #endif /* !NO_SHA */ + case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 : + return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"; + case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 : + return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"; +#endif /* !NO_PSK */ + +#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA + case TLS_DH_anon_WITH_AES_128_CBC_SHA : + return "TLS_DH_anon_WITH_AES_128_CBC_SHA"; +#endif + default: + return "NONE"; + } /* switch */ + } /* normal / PSK */ +#endif /* NO_ERROR_STRINGS */ + + return "NONE"; +} + + /** Set the enabled cipher suites. diff --git a/src/ssl.c b/src/ssl.c index a56911d83..c02016ed9 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -4079,13 +4079,13 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, } else if (ctx) { FreeDer(&ctx->certificate); /* Make sure previous is free'd */ - #ifdef KEEP_OUR_CERT - FreeX509(ctx->ourCert); - if (ctx->ourCert) { - XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); - ctx->ourCert = NULL; - } - #endif + #ifdef KEEP_OUR_CERT + FreeX509(ctx->ourCert); + if (ctx->ourCert) { + XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); + ctx->ourCert = NULL; + } + #endif ctx->certificate = der; } } @@ -8931,13 +8931,19 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ssl, NULL, 0); } + int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl, + const unsigned char* in, long sz, int format) + { + WOLFSSL_ENTER("wolfSSL_use_certificate_chain_buffer_format"); + return ProcessBuffer(ssl->ctx, in, sz, format, CERT_TYPE, + ssl, NULL, 1); + } int wolfSSL_use_certificate_chain_buffer(WOLFSSL* ssl, const unsigned char* in, long sz) { - WOLFSSL_ENTER("wolfSSL_use_certificate_chain_buffer"); - return ProcessBuffer(ssl->ctx, in, sz, SSL_FILETYPE_PEM, CERT_TYPE, - ssl, NULL, 1); + return wolfSSL_use_certificate_chain_buffer_format(ssl, in, sz, + SSL_FILETYPE_PEM); } @@ -12016,405 +12022,24 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return NULL; } - return wolfSSL_CIPHER_get_name_from_suite(cipher->ssl->options.cipherSuite, + return wolfSSL_get_cipher_name_from_suite(cipher->ssl->options.cipherSuite, cipher->ssl->options.cipherSuite0); } -const char* wolfSSL_CIPHER_get_name_from_suite(const unsigned char cipherSuite, - const unsigned char cipherSuite0) +const char* wolfSSL_SESSION_CIPHER_get_name(WOLFSSL_SESSION* session) { + if (session == NULL) { + return NULL; + } - WOLFSSL_ENTER("wolfSSL_CIPHER_get_name_from_suite"); - - (void)cipherSuite; - (void)cipherSuite0; - -#ifndef NO_ERROR_STRINGS - -#if defined(HAVE_CHACHA) - if (cipherSuite0 == CHACHA_BYTE) { - /* ChaCha suites */ - switch (cipherSuite) { -#ifdef HAVE_POLY1305 -#ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; - - case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; - - case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - return "TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; - - case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - return "TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; +#ifdef SESSION_CERTS + return wolfSSL_get_cipher_name_from_suite(session->cipherSuite, + session->cipherSuite0); +#else + return NULL; #endif - case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"; - - case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256"; -#ifndef NO_PSK - case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; - case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"; - case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 : - return "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"; -#endif /* NO_PSK */ -#endif /* HAVE_POLY1305 */ - } /* switch */ - } /* chacha */ -#endif /* HAVE_CHACHA */ - -#if defined(HAVE_ECC) || defined(HAVE_AESCCM) - /* Awkwardly, the ECC cipher suites use the ECC_BYTE as expected, - * but the AES-CCM cipher suites also use it, even the ones that - * aren't ECC. */ - if (cipherSuite0 == ECC_BYTE) { - /* ECC suites */ - switch (cipherSuite) { -#ifdef HAVE_ECC - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"; - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : - return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"; -#ifndef NO_SHA - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; - #ifndef NO_RC4 - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_RC4_128_SHA : - return "TLS_ECDHE_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : - return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"; - #endif /* !NO_RC4 */ - #ifndef NO_DES3 - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ - - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA : - return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA : - return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"; - #ifndef NO_RC4 - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_RC4_128_SHA : - return "TLS_ECDH_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : - return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"; - #endif /* !NO_RC4 */ - #ifndef NO_DES3 - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ -#endif /* HAVE_ECC */ - -#ifdef HAVE_AESGCM - #ifndef NO_RSA - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; - #ifndef NO_RSA - case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"; - #endif /* !NO_RSA */ - case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : - return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : - return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; -#endif /* HAVE_AESGCM */ - - case TLS_ECDHE_ECDSA_WITH_NULL_SHA : - return "TLS_ECDHE_ECDSA_WITH_NULL_SHA"; - #ifndef NO_PSK - case TLS_ECDHE_PSK_WITH_NULL_SHA256 : - return "TLS_ECDHE_PSK_WITH_NULL_SHA256"; - case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : - return "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"; - #endif /* !NO_PSK */ - #ifndef NO_RSA - case TLS_RSA_WITH_AES_128_CCM_8 : - return "TLS_RSA_WITH_AES_128_CCM_8"; - case TLS_RSA_WITH_AES_256_CCM_8 : - return "TLS_RSA_WITH_AES_256_CCM_8"; - #endif /* !NO_RSA */ - #ifndef NO_PSK - case TLS_PSK_WITH_AES_128_CCM_8 : - return "TLS_PSK_WITH_AES_128_CCM_8"; - case TLS_PSK_WITH_AES_256_CCM_8 : - return "TLS_PSK_WITH_AES_256_CCM_8"; - case TLS_PSK_WITH_AES_128_CCM : - return "TLS_PSK_WITH_AES_128_CCM"; - case TLS_PSK_WITH_AES_256_CCM : - return "TLS_PSK_WITH_AES_256_CCM"; - case TLS_DHE_PSK_WITH_AES_128_CCM : - return "TLS_DHE_PSK_WITH_AES_128_CCM"; - case TLS_DHE_PSK_WITH_AES_256_CCM : - return "TLS_DHE_PSK_WITH_AES_256_CCM"; - #endif /* !NO_PSK */ - #ifdef HAVE_ECC - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM: - return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM"; - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: - return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"; - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"; - #endif /* HAVE_ECC */ -#endif /* HAVE_AESGCM */ - - default: - return "NONE"; - } /* switch */ - } /* ECC and AES CCM/GCM */ -#endif /* HAVE_ECC || HAVE_AESCCM*/ - - if (cipherSuite0 != ECC_BYTE && - cipherSuite0 != CHACHA_BYTE) { - - /* normal suites */ - switch (cipherSuite) { -#ifndef NO_RSA - #ifndef NO_RC4 - #ifndef NO_SHA - case SSL_RSA_WITH_RC4_128_SHA : - return "SSL_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_SHA */ - #ifndef NO_MD5 - case SSL_RSA_WITH_RC4_128_MD5 : - return "SSL_RSA_WITH_RC4_128_MD5"; - #endif /* !NO_MD5 */ - #endif /* !NO_RC4 */ - #ifndef NO_SHA - #ifndef NO_DES3 - case SSL_RSA_WITH_3DES_EDE_CBC_SHA : - return "SSL_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ - #ifdef HAVE_IDEA - case SSL_RSA_WITH_IDEA_CBC_SHA : - return "SSL_RSA_WITH_IDEA_CBC_SHA"; - #endif /* HAVE_IDEA */ - - case TLS_RSA_WITH_AES_128_CBC_SHA : - return "TLS_RSA_WITH_AES_128_CBC_SHA"; - case TLS_RSA_WITH_AES_256_CBC_SHA : - return "TLS_RSA_WITH_AES_256_CBC_SHA"; - #endif /* !NO_SHA */ - case TLS_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_RSA_WITH_AES_256_CBC_SHA256 : - return "TLS_RSA_WITH_AES_256_CBC_SHA256"; - #ifdef HAVE_BLAKE2 - case TLS_RSA_WITH_AES_128_CBC_B2B256: - return "TLS_RSA_WITH_AES_128_CBC_B2B256"; - case TLS_RSA_WITH_AES_256_CBC_B2B256: - return "TLS_RSA_WITH_AES_256_CBC_B2B256"; - #endif /* HAVE_BLAKE2 */ - #ifndef NO_SHA - case TLS_RSA_WITH_NULL_SHA : - return "TLS_RSA_WITH_NULL_SHA"; - #endif /* !NO_SHA */ - case TLS_RSA_WITH_NULL_SHA256 : - return "TLS_RSA_WITH_NULL_SHA256"; -#endif /* NO_RSA */ - -#ifndef NO_PSK - #ifndef NO_SHA - case TLS_PSK_WITH_AES_128_CBC_SHA : - return "TLS_PSK_WITH_AES_128_CBC_SHA"; - case TLS_PSK_WITH_AES_256_CBC_SHA : - return "TLS_PSK_WITH_AES_256_CBC_SHA"; - #endif /* !NO_SHA */ - #ifndef NO_SHA256 - case TLS_PSK_WITH_AES_128_CBC_SHA256 : - return "TLS_PSK_WITH_AES_128_CBC_SHA256"; - case TLS_PSK_WITH_NULL_SHA256 : - return "TLS_PSK_WITH_NULL_SHA256"; - case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : - return "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"; - case TLS_DHE_PSK_WITH_NULL_SHA256 : - return "TLS_DHE_PSK_WITH_NULL_SHA256"; - #ifdef HAVE_AESGCM - case TLS_PSK_WITH_AES_128_GCM_SHA256 : - return "TLS_PSK_WITH_AES_128_GCM_SHA256"; - case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : - return "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"; - #endif /* HAVE_AESGCM */ - #endif /* !NO_SHA256 */ - #ifdef WOLFSSL_SHA384 - case TLS_PSK_WITH_AES_256_CBC_SHA384 : - return "TLS_PSK_WITH_AES_256_CBC_SHA384"; - case TLS_PSK_WITH_NULL_SHA384 : - return "TLS_PSK_WITH_NULL_SHA384"; - case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : - return "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"; - case TLS_DHE_PSK_WITH_NULL_SHA384 : - return "TLS_DHE_PSK_WITH_NULL_SHA384"; - #ifdef HAVE_AESGCM - case TLS_PSK_WITH_AES_256_GCM_SHA384 : - return "TLS_PSK_WITH_AES_256_GCM_SHA384"; - case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : - return "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"; - #endif /* HAVE_AESGCM */ - #endif /* WOLFSSL_SHA384 */ - #ifndef NO_SHA - case TLS_PSK_WITH_NULL_SHA : - return "TLS_PSK_WITH_NULL_SHA"; - #endif /* !NO_SHA */ - #endif /* NO_PSK */ - - #ifndef NO_RSA - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; - #ifndef NO_SHA - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : - return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : - return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; - #ifndef NO_DES3 - case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif - #endif /* !NO_RSA */ - #ifndef NO_HC128 - #ifndef NO_MD5 - case TLS_RSA_WITH_HC_128_MD5 : - return "TLS_RSA_WITH_HC_128_MD5"; - #endif /* !NO_MD5 */ - #ifndef NO_SHA - case TLS_RSA_WITH_HC_128_SHA : - return "TLS_RSA_WITH_HC_128_SHA"; - #endif /* !NO_SHA */ - #ifdef HAVE_BLAKE2 - case TLS_RSA_WITH_HC_128_B2B256: - return "TLS_RSA_WITH_HC_128_B2B256"; - #endif /* HAVE_BLAKE2 */ - #endif /* !NO_HC128 */ - #ifndef NO_SHA - #ifndef NO_RABBIT - case TLS_RSA_WITH_RABBIT_SHA : - return "TLS_RSA_WITH_RABBIT_SHA"; - #endif /* !NO_RABBIT */ - #ifdef HAVE_NTRU - #ifndef NO_RC4 - case TLS_NTRU_RSA_WITH_RC4_128_SHA : - return "TLS_NTRU_RSA_WITH_RC4_128_SHA"; - #endif /* !NO_RC4 */ - #ifndef NO_DES3 - case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : - return "TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA"; - #endif /* !NO_DES3 */ - case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : - return "TLS_NTRU_RSA_WITH_AES_128_CBC_SHA"; - case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : - return "TLS_NTRU_RSA_WITH_AES_256_CBC_SHA"; - #endif /* HAVE_NTRU */ - - #ifdef HAVE_QSH - case TLS_QSH : - return "TLS_QSH"; - #endif /* HAVE_QSH */ - #endif /* !NO_SHA */ - - case TLS_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_RSA_WITH_AES_256_GCM_SHA384"; - case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : - return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : - return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; - #ifndef NO_SHA - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA : - return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"; - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : - return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"; - #endif /* !NO_SHA */ - case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"; - case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"; - #ifndef NO_SHA - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : - return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"; - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : - return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"; - #endif /* !NO_SHA */ - case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"; - case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 : - return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"; -#endif /* !NO_PSK */ - -#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA - case TLS_DH_anon_WITH_AES_128_CBC_SHA : - return "TLS_DH_anon_WITH_AES_128_CBC_SHA"; -#endif - default: - return "NONE"; - } /* switch */ - } /* normal / PSK */ -#endif /* NO_ERROR_STRINGS */ - - return "NONE"; } - const char* wolfSSL_get_cipher(WOLFSSL* ssl) { WOLFSSL_ENTER("wolfSSL_get_cipher"); @@ -12427,10 +12052,10 @@ const char* wolfSSL_get_cipher_name(WOLFSSL* ssl) /* get access to cipher_name_idx in internal.c */ return wolfSSL_get_cipher_name_internal(ssl); } + + #ifdef OPENSSL_EXTRA - - char* wolfSSL_CIPHER_description(WOLFSSL_CIPHER* cipher, char* in, int len) { (void)cipher; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 7055bb7b9..2ecbd06ce 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3130,7 +3130,8 @@ WOLFSSL_LOCAL const char* const* GetCipherNames(void); WOLFSSL_LOCAL int GetCipherNamesSize(void); WOLFSSL_LOCAL const char* GetCipherNameInternal(const char* cipherName, int cipherSuite); WOLFSSL_LOCAL const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl); - +WOLFSSL_LOCAL const char* wolfSSL_get_cipher_name_from_suite( + const unsigned char cipherSuite, const unsigned char cipherSuite0); enum encrypt_side { ENCRYPT_SIDE_ONLY = 1, diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 725ba7a34..839200393 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -456,8 +456,7 @@ WOLFSSL_API int wolfSSL_get_current_cipher_suite(WOLFSSL* ssl); WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_get_current_cipher(WOLFSSL*); WOLFSSL_API char* wolfSSL_CIPHER_description(WOLFSSL_CIPHER*, char*, int); WOLFSSL_API const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher); -WOLFSSL_API const char* wolfSSL_CIPHER_get_name_from_suite( - const unsigned char cipherSuite, const unsigned char cipherSuite0); +WOLFSSL_API const char* wolfSSL_SESSION_CIPHER_get_name(WOLFSSL_SESSION* session); WOLFSSL_API const char* wolfSSL_get_cipher(WOLFSSL*); WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl); /* what's ref count */ @@ -1102,6 +1101,8 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, long, int); WOLFSSL_API int wolfSSL_use_PrivateKey_buffer(WOLFSSL*, const unsigned char*, long, int); + WOLFSSL_API int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL*, + const unsigned char*, long, int); WOLFSSL_API int wolfSSL_use_certificate_chain_buffer(WOLFSSL*, const unsigned char*, long); WOLFSSL_API int wolfSSL_UnloadCertsKeys(WOLFSSL*); diff --git a/wolfssl/test.h b/wolfssl/test.h index 63b245479..8fea48176 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1085,11 +1085,14 @@ static INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identity, enum { WOLFSSL_CA = 1, WOLFSSL_CERT = 2, - WOLFSSL_KEY = 3 + WOLFSSL_KEY = 3, + WOLFSSL_CERT_CHAIN = 4, }; static INLINE void load_buffer(WOLFSSL_CTX* ctx, const char* fname, int type) { + int format = SSL_FILETYPE_PEM; + /* test buffer load */ long sz = 0; byte buff[10000]; @@ -1103,21 +1106,31 @@ static INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identity, rewind(file); fread(buff, sizeof(buff), 1, file); + /* determine format */ + if (strstr(fname, ".der")) + format = SSL_FILETYPE_ASN1; + if (type == WOLFSSL_CA) { - if (wolfSSL_CTX_load_verify_buffer(ctx, buff, sz, SSL_FILETYPE_PEM) + if (wolfSSL_CTX_load_verify_buffer(ctx, buff, sz, format) != SSL_SUCCESS) err_sys("can't load buffer ca file"); } else if (type == WOLFSSL_CERT) { if (wolfSSL_CTX_use_certificate_buffer(ctx, buff, sz, - SSL_FILETYPE_PEM) != SSL_SUCCESS) + format) != SSL_SUCCESS) err_sys("can't load buffer cert file"); } else if (type == WOLFSSL_KEY) { if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, sz, - SSL_FILETYPE_PEM) != SSL_SUCCESS) + format) != SSL_SUCCESS) err_sys("can't load buffer key file"); } + else if (type == WOLFSSL_CERT_CHAIN) { + if (wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buff, sz, + format) != SSL_SUCCESS) + err_sys("can't load cert chain buffer"); + } + fclose(file); } From 650ddb8d23dbf30b9e5c3613ef6995381928684b Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 23 Nov 2016 17:19:54 -0800 Subject: [PATCH 5/5] Fixes so make check works with NO_FILESYSTEM and FORCE_BUFFER_TEST. Example: ./configure CFLAGS="-DNO_FILESYSTEM -DFORCE_BUFFER_TEST" --- examples/client/client.c | 23 +++++++++++++++++------ wolfssl/test.h | 14 +++++++------- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 23574d8f3..7d5b43e2a 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1186,8 +1186,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef VERIFY_CALLBACK wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); #endif -#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) +#if !defined(NO_CERTS) if (useClientCert){ +#if !defined(NO_FILESYSTEM) if (wolfSSL_CTX_use_certificate_chain_file(ctx, ourCert) != SSL_SUCCESS) err_sys("can't load client cert file, check file and run from" " wolfSSL home dir"); @@ -1196,32 +1197,42 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) != SSL_SUCCESS) err_sys("can't load client private key file, check file and run " "from wolfSSL home dir"); +#else + load_buffer(ctx, ourCert, WOLFSSL_CERT_CHAIN); + load_buffer(ctx, ourKey, WOLFSSL_KEY); +#endif /* !defined(NO_FILESYSTEM) */ } if (!usePsk && !useAnon) { +#if !defined(NO_FILESYSTEM) if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from wolfSSL home dir"); +#else + load_buffer(ctx, verifyCert, WOLFSSL_CA); +#endif /* !defined(NO_FILESYSTEM) */ #ifdef HAVE_ECC /* load ecc verify too, echoserver uses it by default w/ ecc */ +#if !defined(NO_FILESYSTEM) if (wolfSSL_CTX_load_verify_locations(ctx, eccCert, 0) != SSL_SUCCESS) err_sys("can't load ecc ca file, Please run from wolfSSL home dir"); +#else + load_buffer(ctx, eccCert, WOLFSSL_CA); +#endif /* !defined(NO_FILESYSTEM) */ #endif /* HAVE_ECC */ -#ifdef WOLFSSL_TRUST_PEER_CERT +#if defined(WOLFSSL_TRUST_PEER_CERT) && !defined(NO_FILESYSTEM) if (trustCert) { if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert, SSL_FILETYPE_PEM)) != SSL_SUCCESS) { err_sys("can't load trusted peer cert file"); } } -#endif /* WOLFSSL_TRUST_PEER_CERT */ +#endif /* WOLFSSL_TRUST_PEER_CERT && !NO_FILESYSTEM */ } -#endif /* !NO_FILESYSTEM && !NO_CERTS */ -#if !defined(NO_CERTS) if (!usePsk && !useAnon && doPeerCheck == 0) wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); if (!usePsk && !useAnon && overrideDateErrors == 1) wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myDateCb); -#endif +#endif /* !defined(NO_CERTS) */ #ifdef WOLFSSL_ASYNC_CRYPT ret = wolfAsync_DevOpen(&devId); diff --git a/wolfssl/test.h b/wolfssl/test.h index 8fea48176..a488418f1 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -934,7 +934,7 @@ static INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, #endif if (ready_file) { - #ifndef NO_FILESYSTEM + #if !defined(NO_FILESYSTEM) || defined(FORCE_BUFFER_TEST) FILE* srf = NULL; if (args) ready = args->signal; @@ -1080,7 +1080,7 @@ static INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identity, #endif /* USE_WINDOWS_API */ -#if defined(NO_FILESYSTEM) && !defined(NO_CERTS) +#if defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(FORCE_BUFFER_TEST) enum { WOLFSSL_CA = 1, @@ -1291,13 +1291,13 @@ static INLINE void CaCb(unsigned char* der, int sz, int type) static INLINE int ChangeToWolfRoot(void) { - #if !defined(NO_FILESYSTEM) + #if !defined(NO_FILESYSTEM) || defined(FORCE_BUFFER_TEST) int depth, res; - XFILE file; + FILE* file; for(depth = 0; depth <= MAX_WOLF_ROOT_DEPTH; depth++) { - file = XFOPEN(ntruKey, "rb"); - if (file != XBADFILE) { - XFCLOSE(file); + file = fopen(ntruKey, "rb"); + if (file != NULL) { + fclose(file); return depth; } #ifdef USE_WINDOWS_API