Merge pull request #2942 from dgarske/tls13_on

Enable TLS v1.3 by default
This commit is contained in:
toddouska
2020-06-09 13:30:02 -07:00
committed by GitHub
21 changed files with 366 additions and 949 deletions
+60 -86
View File
@@ -96,6 +96,32 @@ AS_IF([test "$ax_enable_debug" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -DNDEBUG"])
# FIPS
AC_ARG_ENABLE([fips],
[AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])],
[ENABLED_FIPS=$enableval],
[ENABLED_FIPS="no"])
AS_CASE([$ENABLED_FIPS],
["v2"],[
# FIPS v2
ENABLED_FIPS="yes"
FIPS_VERSION="v2"
],
["rand"],[
# FIPS Rand
ENABLED_FIPS="yes"
FIPS_VERSION="rand"
],
["no"],[FIPS_VERSION="none"],
[
# FIPS v1
ENABLED_FIPS="yes"
FIPS_VERSION="v1"
])
# Distro build feature subset (Debian, Ubuntu, etc.)
AC_ARG_ENABLE([distro],
[AS_HELP_STRING([--enable-distro],[Enable wolfSSL distro build (default: disabled)])],
@@ -119,7 +145,11 @@ AC_ARG_ENABLE([all],
if test "$ENABLED_ALL" = "yes"
then
enable_dtls=yes
enable_tls13=yes
if test "x$FIPS_VERSION" != "xv1"
then
enable_tls13=yes
enable_rsapss=yes
fi
enable_openssh=yes
enable_opensslextra=yes
enable_opensslall=yes
@@ -287,84 +317,24 @@ then
fi
# TLS v1.3 Draft 18
# TLS v1.3 Draft 18 (Note: only final TLS v1.3 supported, here for backwards build compatibility)
AC_ARG_ENABLE([tls13-draft18],
[AS_HELP_STRING([--enable-tls13-draft18],[Enable wolfSSL TLS v1.3 Draft 18 (default: disabled)])],
[ ENABLED_TLS13_DRAFT18=$enableval ],
[ ENABLED_TLS13_DRAFT18=no ]
)
if test "$ENABLED_TLS13_DRAFT18" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT -DWOLFSSL_TLS13_DRAFT_18 $AM_CFLAGS"
fi
# TLS v1.3 Draft 22
AC_ARG_ENABLE([tls13-draft22],
[AS_HELP_STRING([--enable-tls13-draft22],[Enable wolfSSL TLS v1.3 Draft 22 (default: disabled)])],
[ ENABLED_TLS13_DRAFT22=$enableval ],
[ ENABLED_TLS13_DRAFT22=no ]
)
if test "$ENABLED_TLS13_DRAFT22" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT -DWOLFSSL_TLS13_DRAFT_22 $AM_CFLAGS"
fi
# TLS v1.3 Draft 23
AC_ARG_ENABLE([tls13-draft23],
[AS_HELP_STRING([--enable-tls13-draft23],[Enable wolfSSL TLS v1.3 Draft 23 (default: disabled)])],
[ ENABLED_TLS13_DRAFT23=$enableval ],
[ ENABLED_TLS13_DRAFT23=no ]
)
if test "$ENABLED_TLS13_DRAFT23" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT -DWOLFSSL_TLS13_DRAFT_23 $AM_CFLAGS"
fi
# TLS v1.3 Draft 26
AC_ARG_ENABLE([tls13-draft26],
[AS_HELP_STRING([--enable-tls13-draft26],[Enable wolfSSL TLS v1.3 Draft 26 (default: disabled)])],
[ ENABLED_TLS13_DRAFT26=$enableval ],
[ ENABLED_TLS13_DRAFT26=no ]
)
if test "$ENABLED_TLS13_DRAFT26" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT -DWOLFSSL_TLS13_DRAFT_26 $AM_CFLAGS"
fi
# TLS v1.3 Draft 28
AC_ARG_ENABLE([tls13-draft28],
[AS_HELP_STRING([--enable-tls13-draft28],[Enable wolfSSL TLS v1.3 Draft 28 (default: disabled)])],
[ ENABLED_TLS13_DRAFT28=$enableval ],
[ ENABLED_TLS13_DRAFT28=no ]
)
if test "$ENABLED_TLS13_DRAFT28" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT $AM_CFLAGS"
fi
# TLS v1.3
AC_ARG_ENABLE([tls13],
[AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: disabled)])],
[AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: enabled)])],
[ ENABLED_TLS13=$enableval ],
[ ENABLED_TLS13=no ]
[ ENABLED_TLS13=yes ]
)
if test "$ENABLED_TLS13_DRAFT18" = "yes" || test "$ENABLED_TLS13_DRAFT22" = "yes" || test "$ENABLED_TLS13_DRAFT23" = "yes" || test "$ENABLED_TLS13_DRAFT26" = "yes" || test "$ENABLED_TLS13_DRAFT28" = "yes"
if test "x$FIPS_VERSION" = "xv1"
then
ENABLED_TLS13="yes"
ENABLED_TLS13="no"
fi
if test "$ENABLED_TLS13" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
fi
# Post-handshake Authentication
AC_ARG_ENABLE([postauth],
[AS_HELP_STRING([--enable-postauth],[Enable wolfSSL Post-handshake Authentication (default: disabled)])],
@@ -2494,14 +2464,8 @@ fi
# FIPS
AC_ARG_ENABLE([fips],
[AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])],
[ENABLED_FIPS=$enableval],
[ENABLED_FIPS="no"])
AS_CASE([$ENABLED_FIPS],
["v2"],[FIPS_VERSION="v2"
ENABLED_FIPS=yes
AS_CASE([$FIPS_VERSION],
["v2"],[
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
ENABLED_KEYGEN="yes"
ENABLED_SHA224="yes"
@@ -2532,14 +2496,9 @@ AS_CASE([$ENABLED_FIPS],
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
],
["rand"],[
ENABLED_FIPS="yes"
FIPS_VERSION="rand"
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2"
],
["no"],[FIPS_VERSION="none"],
[
ENABLED_FIPS="yes"
FIPS_VERSION="v1"
["v1"],[
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
])
@@ -3178,6 +3137,21 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_REQUIRE_FFDHE"
fi
# TLS 1.3 Requires either ECC or (RSA/DH), or CURVE25519/ED25519 or CURVE448/ED448
if test "x$ENABLED_ECC" = "xno" && \
(test "x$ENABLED_RSA" = "xno" || test "x$ENABLED_DH" = "xno") && \
(test "x$ENABLED_CURVE25519" = "xno" || test "x$ENABLED_ED25519" = "xno") && \
(test "x$ENABLED_CURVE448" = "xno" || test "x$ENABLED_ED448" = "xno")
then
# disable TLS 1.3
ENABLED_TLS13=no
fi
if test "$ENABLED_TLS13" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
fi
# Session Ticket Extension
AC_ARG_ENABLE([session-ticket],
[AS_HELP_STRING([--enable-session-ticket],[Enable Session Ticket (default: disabled)])],
@@ -3229,7 +3203,7 @@ then
ENABLED_ENCRYPT_THEN_MAC=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA"
# Check the ECC supported curves prereq
AS_IF([test "x$ENABLED_ECC" = "xyes" || test "x$ENABLED_CURVE25519" = "xyes"],
AS_IF([test "x$ENABLED_ECC" = "xyes" || test "x$ENABLED_CURVE25519" = "xyes" || test "x$ENABLED_TLS13" = "xyes"],
[ENABLED_SUPPORTED_CURVES=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"])
fi
@@ -4552,6 +4526,11 @@ AC_ARG_ENABLE([fast-rsa],
[ ENABLED_FAST_RSA=no ],
)
# Fast RSA does not support RSA-PSS
if test "$ENABLED_RSAPSS" = "yes"; then
ENABLED_FAST_RSA=no
fi
if test "$ENABLED_USER_RSA" = "no" && test "$ENABLED_FIPS" = "no"; then
if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
@@ -5548,11 +5527,6 @@ echo " * Old TLS Versions: $ENABLED_OLD_TLS"
echo " * SSL version 3.0: $ENABLED_SSLV3"
echo " * TLS v1.0: $ENABLED_TLSV10"
echo " * TLS v1.3: $ENABLED_TLS13"
echo " * TLS v1.3 Draft 18: $ENABLED_TLS13_DRAFT18"
echo " * TLS v1.3 Draft 22: $ENABLED_TLS13_DRAFT22"
echo " * TLS v1.3 Draft 23: $ENABLED_TLS13_DRAFT23"
echo " * TLS v1.3 Draft 26: $ENABLED_TLS13_DRAFT26"
echo " * TLS v1.3 Draft 28: $ENABLED_TLS13_DRAFT28"
echo " * Post-handshake Auth: $ENABLED_TLS13_POST_AUTH"
echo " * Early Data: $ENABLED_TLS13_EARLY_DATA"
echo " * Send State in HRR Cookie: $ENABLED_SEND_HRR_COOKIE"
+55
View File
@@ -5162,6 +5162,61 @@ WOLFSSL_API void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX*,
WOLFSSL_API void wolfSSL_set_psk_server_callback(WOLFSSL*,
wc_psk_server_callback);
/*!
\brief Sets a PSK user context in the WOLFSSL structure options member.
\return WOLFSSL_SUCCESS or WOLFSSL_FAILURE
\param ssl a pointer to a WOLFSSL structure, created using wolfSSL_new().
\param psk_ctx void pointer to user PSK context
\sa wolfSSL_get_psk_callback_ctx
\sa wolfSSL_CTX_set_psk_callback_ctx
\sa wolfSSL_CTX_get_psk_callback_ctx
*/
WOLFSSL_API int wolfSSL_set_psk_callback_ctx(WOLFSSL* ssl, void* psk_ctx);
/*!
\brief Sets a PSK user context in the WOLFSSL_CTX structure.
\return WOLFSSL_SUCCESS or WOLFSSL_FAILURE
\param ctx a pointer to a WOLFSSL_CTX structure, created using wolfSSL_CTX_new().
\param psk_ctx void pointer to user PSK context
\sa wolfSSL_set_psk_callback_ctx
\sa wolfSSL_get_psk_callback_ctx
\sa wolfSSL_CTX_get_psk_callback_ctx
*/
WOLFSSL_API int wolfSSL_CTX_set_psk_callback_ctx(WOLFSSL_CTX* ctx, void* psk_ctx);
/*!
\brief Get a PSK user context in the WOLFSSL structure options member.
\return void pointer to user PSK context
\param ssl a pointer to a WOLFSSL structure, created using wolfSSL_new().
\sa wolfSSL_set_psk_callback_ctx
\sa wolfSSL_CTX_set_psk_callback_ctx
\sa wolfSSL_CTX_get_psk_callback_ctx
*/
WOLFSSL_API void* wolfSSL_get_psk_callback_ctx(WOLFSSL* ssl);
/*!
\brief Get a PSK user context in the WOLFSSL_CTX structure.
\return void pointer to user PSK context
\param ctx a pointer to a WOLFSSL_CTX structure, created using wolfSSL_CTX_new().
\sa wolfSSL_CTX_set_psk_callback_ctx
\sa wolfSSL_set_psk_callback_ctx
\sa wolfSSL_get_psk_callback_ctx
*/
WOLFSSL_API void* wolfSSL_CTX_get_psk_callback_ctx(WOLFSSL_CTX* ctx);
/*!
\ingroup Setup
+24 -13
View File
@@ -802,7 +802,8 @@ static int SMTP_Shutdown(WOLFSSL* ssl, int wc_shutdown)
return WOLFSSL_SUCCESS;
}
static void ClientWrite(WOLFSSL* ssl, char* msg, int msgSz, const char* str)
static int ClientWrite(WOLFSSL* ssl, char* msg, int msgSz, const char* str,
int exitWithRet)
{
int ret, err;
char buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -827,8 +828,12 @@ static void ClientWrite(WOLFSSL* ssl, char* msg, int msgSz, const char* str)
if (ret != msgSz) {
printf("SSL_write%s msg error %d, %s\n", str, err,
wolfSSL_ERR_error_string(err, buffer));
err_sys("SSL_write failed");
if (!exitWithRet) {
err_sys("SSL_write failed");
}
}
return err;
}
static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
@@ -2080,7 +2085,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifndef NO_PSK
if (usePsk) {
done += 1; /* don't perform exernal tests if PSK is enabled */
done += 1; /* don't perform external tests if PSK is enabled */
}
#endif
@@ -2305,16 +2310,17 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (usePsk) {
#ifndef NO_PSK
const char *defaultCipherList = cipherList;
wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb);
#ifdef WOLFSSL_TLS13
wolfSSL_CTX_set_psk_client_tls13_callback(ctx, my_psk_client_tls13_cb);
#endif
if (cipherList == NULL) {
const char *defaultCipherList;
if (defaultCipherList == NULL) {
#if defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256:"
"TLS13-AES128-GCM-SHA256";
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256:";
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
@@ -2323,12 +2329,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList)
if (wolfSSL_CTX_set_cipher_list(ctx, defaultCipherList)
!=WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("client can't set cipher list 2");
}
}
wolfSSL_CTX_set_psk_callback_ctx(ctx, (void*)defaultCipherList);
#endif
if (useClientCert) {
useClientCert = 0;
@@ -2364,7 +2371,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
#if defined(WOLFSSL_SNIFFER)
if (cipherList == NULL) {
if (cipherList == NULL && version < 4) {
/* don't use EDH, can't sniff tmp keys */
if (wolfSSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
@@ -3100,7 +3107,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_update_keys(ssl);
#endif
ClientWrite(ssl, msg, msgSz, "");
err = ClientWrite(ssl, msg, msgSz, "", exitWithRet);
if (exitWithRet && (err != 0)) {
((func_args*)args)->return_code = err;
goto exit;
}
err = ClientRead(ssl, reply, sizeof(reply)-1, 1, "", exitWithRet);
if (exitWithRet && (err != 0)) {
@@ -3110,7 +3121,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#if defined(WOLFSSL_TLS13)
if (updateKeysIVs || postHandAuth)
ClientWrite(ssl, msg, msgSz, "");
(void)ClientWrite(ssl, msg, msgSz, "", 0);
#endif
if (sendGET) { /* get html */
(void)ClientRead(ssl, reply, sizeof(reply)-1, 0, "", 0);
@@ -3362,12 +3373,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
}
#endif /* HAVE_SECURE_RENEGOTIATION */
ClientWrite(sslResume, resumeMsg, resumeSz, " resume");
(void)ClientWrite(sslResume, resumeMsg, resumeSz, " resume", 0);
(void)ClientRead(sslResume, reply, sizeof(reply)-1, sendGET,
"Server resume: ", 0);
/* try to send session break */
ClientWrite(sslResume, msg, msgSz, " resume 2");
(void)ClientWrite(sslResume, msg, msgSz, " resume 2", 0);
ret = wolfSSL_shutdown(sslResume);
if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE)
+15 -2
View File
@@ -121,7 +121,11 @@ void echoclient_test(void* args)
#if defined(CYASSL_DTLS)
method = DTLSv1_2_client_method();
#elif !defined(NO_TLS)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SNIFFER)
method = CyaTLSv1_2_client_method();
#else
method = CyaSSLv23_client_method();
#endif
#elif defined(WOLFSSL_ALLOW_SSLV3)
method = SSLv3_client_method();
#else
@@ -150,8 +154,11 @@ void echoclient_test(void* args)
#endif
#if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
SSL_CTX_set_cipher_list(ctx, "AES256-SHA");
/* Only set if not running testsuite */
if (XSTRSTR(argv[0], "testsuite") != 0) {
/* don't use EDH, can't sniff tmp keys */
SSL_CTX_set_cipher_list(ctx, "AES256-SHA");
}
#endif
#ifndef NO_PSK
if (doPSK) {
@@ -161,12 +168,18 @@ void echoclient_test(void* args)
#ifdef HAVE_NULL_CIPHER
defaultCipherList = "PSK-NULL-SHA256";
#elif defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256:";
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (CyaSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=WOLFSSL_SUCCESS)
err_sys("client can't set cipher list 2");
wolfSSL_CTX_set_psk_callback_ctx(ctx, (void*)defaultCipherList);
}
#endif
+15 -2
View File
@@ -138,7 +138,11 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
#if defined(CYASSL_DTLS)
method = CyaDTLSv1_2_server_method();
#elif !defined(NO_TLS)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SNIFFER)
method = CyaTLSv1_2_server_method();
#else
method = CyaSSLv23_server_method();
#endif
#elif defined(WOLFSSL_ALLOW_SSLV3)
method = CyaSSLv3_server_method();
#else
@@ -227,8 +231,11 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
#endif
#if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA");
/* Only set if not running testsuite */
if (XSTRSTR(argv[0], "testsuite") != 0) {
/* don't use EDH, can't sniff tmp keys */
CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA");
}
#endif
if (doPSK) {
@@ -240,12 +247,18 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
#ifdef HAVE_NULL_CIPHER
defaultCipherList = "PSK-NULL-SHA256";
#elif defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256";
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (CyaSSL_CTX_set_cipher_list(ctx, defaultCipherList) != WOLFSSL_SUCCESS)
err_sys("server can't set cipher list 2");
wolfSSL_CTX_set_psk_callback_ctx(ctx, (void*)defaultCipherList);
#endif
}
+16 -9
View File
@@ -995,7 +995,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
int noPskDheKe = 0;
#endif
int updateKeysIVs = 0;
#ifndef NO_CERTS
int mutualAuth = 0;
#endif
int postHandAuth = 0;
#ifdef WOLFSSL_EARLY_DATA
int earlyData = 0;
@@ -1017,7 +1019,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) \
|| defined(SESSION_CERTS)
/* big enough to handle most cases including session certs */
byte memory[204000];
byte memory[220000];
#else
byte memory[80000];
#endif
@@ -1081,7 +1083,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
(void)crlFlags;
(void)readySignal;
(void)updateKeysIVs;
#ifndef NO_CERTS
(void)mutualAuth;
#endif
(void)postHandAuth;
(void)mcastID;
(void)loadCertKeyIntoSSLObj;
@@ -1413,9 +1417,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#endif
break;
#ifndef NO_CERTS
case 'F' :
mutualAuth = 1;
mutualAuth = 1;
break;
#endif
case 'Q' :
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
@@ -1731,20 +1737,20 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
if (usePsk || usePskPlus) {
#ifndef NO_PSK
const char *defaultCipherList = cipherList;
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
#ifdef WOLFSSL_TLS13
wolfSSL_CTX_set_psk_server_tls13_callback(ctx, my_psk_server_tls13_cb);
#endif
if (sendPskIdentityHint == 1)
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL && !usePskPlus) {
const char *defaultCipherList;
if (defaultCipherList == NULL && !usePskPlus) {
#if defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256:"
"TLS13-AES128-GCM-SHA256";
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256";
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
@@ -1758,7 +1764,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
!= WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "server can't set cipher list 2");
}
#endif
wolfSSL_CTX_set_psk_callback_ctx(ctx, (void*)defaultCipherList);
#endif /* !NO_PSK */
}
#ifndef NO_CERTS
if (mutualAuth)
@@ -1823,7 +1830,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#if defined(WOLFSSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
if (cipherList == NULL && version < 4) {
if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "server can't set cipher list 3");
}
+17 -15
View File
@@ -111,22 +111,24 @@ if [ $RESULT -eq 0 ]; then
fi
echo ""
# TLS 1.3 mutual auth required but client doesn't send certificates.
echo -e "\n\nTLS v1.3 mutual auth fail"
port=0
./examples/server/server -v 4 -F -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -x -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with requiring mutual authentication"
do_cleanup
exit 1
cat ./wolfssl/options.h | grep -- 'NO_CERTS'
if [ $? -ne 0 ]; then
# TLS 1.3 mutual auth required but client doesn't send certificates.
echo -e "\n\nTLS v1.3 mutual auth fail"
port=0
./examples/server/server -v 4 -F -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v 4 -x -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with requiring mutual authentication"
do_cleanup
exit 1
fi
echo ""
fi
echo ""
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -ne 0 ]; then
+12 -49
View File
@@ -5279,9 +5279,10 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->options.haveStaticECC = ctx->haveStaticECC;
#ifndef NO_PSK
ssl->options.havePSK = ctx->havePSK;
ssl->options.havePSK = ctx->havePSK;
ssl->options.client_psk_cb = ctx->client_psk_cb;
ssl->options.server_psk_cb = ctx->server_psk_cb;
ssl->options.psk_ctx = ctx->psk_ctx;
#ifdef WOLFSSL_TLS13
ssl->options.client_psk_tls13_cb = ctx->client_psk_tls13_cb;
ssl->options.server_psk_tls13_cb = ctx->server_psk_tls13_cb;
@@ -7584,7 +7585,6 @@ static int EdDSA_Update(WOLFSSL* ssl, const byte* data, int sz)
}
#endif /* (HAVE_ED25519 || HAVE_ED448) && !WOLFSSL_NO_CLIENT_AUTH */
#ifndef NO_CERTS
int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz)
{
int ret = 0;
@@ -7635,8 +7635,6 @@ int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz)
return ret;
}
#endif /* NO_CERTS */
/* add output to md5 and sha handshake hashes, exclude record header */
int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz)
@@ -7772,11 +7770,7 @@ static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl
rl->pvMajor = ssl->version.major; /* type and version same in each */
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version)) {
#ifdef WOLFSSL_TLS13_DRAFT_18
rl->pvMinor = TLSv1_MINOR;
#else
rl->pvMinor = TLSv1_2_MINOR;
#endif
}
else
#endif
@@ -8303,11 +8297,7 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#else
if (rh->pvMajor != ssl->version.major ||
(rh->pvMinor != ssl->version.minor &&
#ifdef WOLFSSL_TLS13_DRAFT_18
(!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != TLSv1_MINOR)
#else
(!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != TLSv1_2_MINOR)
#endif
))
#endif
{
@@ -14880,13 +14870,9 @@ int ProcessReply(WOLFSSL* ssl)
/* decrypt message */
case decryptMessage:
#if !defined(WOLFSSL_TLS13) || defined(WOLFSSL_TLS13_DRAFT_18)
if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0)
#else
if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
(!IsAtLeastTLSv1_3(ssl->version) ||
ssl->curRL.type != change_cipher_spec))
#endif
{
bufferStatic* in = &ssl->buffers.inputBuffer;
@@ -14949,20 +14935,11 @@ int ProcessReply(WOLFSSL* ssl)
else
{
#ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13_DRAFT_18) || \
defined(WOLFSSL_TLS13_DRAFT_22) || \
defined(WOLFSSL_TLS13_DRAFT_23)
ret = DecryptTls13(ssl,
in->buffer + in->idx,
in->buffer + in->idx,
ssl->curSize, NULL, 0);
#else
ret = DecryptTls13(ssl,
in->buffer + in->idx,
in->buffer + in->idx,
ssl->curSize,
(byte*)&ssl->curRL, RECORD_HEADER_SZ);
#endif
#else
ret = DECRYPT_ERROR;
#endif /* WOLFSSL_TLS13 */
@@ -15033,13 +15010,9 @@ int ProcessReply(WOLFSSL* ssl)
/* verify digest of message */
case verifyMessage:
#if !defined(WOLFSSL_TLS13) || defined(WOLFSSL_TLS13_DRAFT_18)
if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0)
#else
if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
(!IsAtLeastTLSv1_3(ssl->version) ||
ssl->curRL.type != change_cipher_spec))
#endif
{
if (!atomicUser
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
@@ -15200,12 +15173,6 @@ int ProcessReply(WOLFSSL* ssl)
#endif
#ifdef WOLFSSL_TLS13
#ifdef WOLFSSL_TLS13_DRAFT_18
if (IsAtLeastTLSv1_3(ssl->version)) {
SendAlert(ssl, alert_fatal, illegal_parameter);
return UNKNOWN_RECORD_TYPE;
}
#else
if (IsAtLeastTLSv1_3(ssl->version)) {
word32 i = ssl->buffers.inputBuffer.idx;
if (ssl->options.handShakeState == HANDSHAKE_DONE) {
@@ -15227,7 +15194,6 @@ int ProcessReply(WOLFSSL* ssl)
}
break;
}
#endif
#endif
#ifndef WOLFSSL_NO_TLS12
@@ -15635,9 +15601,6 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
}
#endif /* !NO_OLD_TLS && !WOLFSSL_AEAD_ONLY */
#ifndef NO_CERTS
#if !defined(NO_MD5) && !defined(NO_OLD_TLS)
static int BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest)
{
@@ -15780,8 +15743,6 @@ int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes)
return ret;
}
#endif /* !NO_CERTS */
#ifndef WOLFSSL_NO_TLS12
/* Persistable BuildMessage arguments */
typedef struct BuildMsgArgs {
@@ -18762,7 +18723,15 @@ int GetCipherSuiteFromName(const char* name, byte* cipherSuite0,
{
int ret = BAD_FUNC_ARG;
int i;
unsigned long len = (unsigned long)XSTRLEN(name);
unsigned long len;
const char* nameDelim;
/* Support trailing : */
nameDelim = XSTRSTR(name, ":");
if (nameDelim)
len = (unsigned long)(nameDelim - name);
else
len = (unsigned long)XSTRLEN(name);
for (i = 0; i < GetCipherNamesSize(); i++) {
if (XSTRNCMP(name, cipher_names[i].name, len) == 0) {
@@ -20292,7 +20261,7 @@ exit_dpk:
return SetCipherSpecs(ssl);
}
#endif /* WOLFSSL_NO_TLS12 */
#endif /* !WOLFSSL_NO_TLS12 */
/* Make sure client setup is valid for this suite, true on success */
@@ -27546,9 +27515,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef WOLFSSL_TLS13
word32 ageAdd; /* Obfuscation of age */
word16 namedGroup; /* Named group used */
#ifndef WOLFSSL_TLS13_DRAFT_18
TicketNonce ticketNonce; /* Ticket nonce */
#endif
#ifdef WOLFSSL_EARLY_DATA
word32 maxEarlyDataSz; /* Max size of early data */
#endif
@@ -27604,10 +27571,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
it.timestamp = TimeNowInMilliseconds();
/* Resumption master secret. */
XMEMCPY(it.msecret, ssl->session.masterSecret, SECRET_LEN);
#ifndef WOLFSSL_TLS13_DRAFT_18
XMEMCPY(&it.ticketNonce, &ssl->session.ticketNonce,
sizeof(TicketNonce));
#endif
#endif
}
@@ -27756,10 +27721,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
/* Resumption master secret. */
XMEMCPY(ssl->session.masterSecret, it->msecret, SECRET_LEN);
#ifndef WOLFSSL_TLS13_DRAFT_18
XMEMCPY(&ssl->session.ticketNonce, &it->ticketNonce,
sizeof(TicketNonce));
#endif
ssl->session.namedGroup = it->namedGroup;
#endif
}
+47 -66
View File
@@ -12517,10 +12517,8 @@ static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom)
copyInto->namedGroup = copyFrom->namedGroup;
copyInto->ticketSeen = copyFrom->ticketSeen;
copyInto->ticketAdd = copyFrom->ticketAdd;
#ifndef WOLFSSL_TLS13_DRAFT_18
XMEMCPY(&copyInto->ticketNonce, &copyFrom->ticketNonce,
sizeof(TicketNonce));
#endif
#ifdef WOLFSSL_EARLY_DATA
copyInto->maxEarlyDataSz = copyFrom->maxEarlyDataSz;
#endif
@@ -12628,6 +12626,7 @@ int AddSession(WOLFSSL* ssl)
word32 row = 0;
word32 idx = 0;
int error = 0;
const byte* id = NULL;
#ifdef HAVE_SESSION_TICKET
byte* tmpBuff = NULL;
int ticLen = 0;
@@ -12647,10 +12646,21 @@ int AddSession(WOLFSSL* ssl)
return 0;
#endif
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)
if (ssl->options.tls1_3)
id = ssl->session.sessionID;
else
#endif
if (ssl->arrays)
id = ssl->arrays->sessionID;
if (id == NULL) {
return BAD_FUNC_ARG;
}
#ifdef HAVE_SESSION_TICKET
ticLen = ssl->session.ticketLen;
/* Alloc Memory here so if Malloc fails can exit outside of lock */
if(ticLen > SESSION_TICKET_LEN) {
if (ticLen > SESSION_TICKET_LEN) {
tmpBuff = (byte*)XMALLOC(ticLen, ssl->heap,
DYNAMIC_TYPE_SESSION_TICK);
if(!tmpBuff)
@@ -12677,17 +12687,7 @@ int AddSession(WOLFSSL* ssl)
{
/* Use the session object in the cache for external cache if required.
*/
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)
if (ssl->options.tls1_3) {
row = HashSession(ssl->session.sessionID, ID_LEN, &error) %
SESSION_ROWS;
}
else
#endif
{
row = HashSession(ssl->arrays->sessionID, ID_LEN, &error) %
SESSION_ROWS;
}
row = HashSession(id, ID_LEN, &error) % SESSION_ROWS;
if (error != 0) {
WOLFSSL_MSG("Hash session failed");
#ifdef HAVE_SESSION_TICKET
@@ -12704,21 +12704,11 @@ int AddSession(WOLFSSL* ssl)
}
for (i=0; i<SESSIONS_PER_ROW; i++) {
if (ssl->options.tls1_3) {
if (XMEMCMP(ssl->session.sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) {
WOLFSSL_MSG("Session already exists. Overwriting.");
overwrite = 1;
idx = i;
break;
}
}
else {
if (XMEMCMP(ssl->arrays->sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) {
WOLFSSL_MSG("Session already exists. Overwriting.");
overwrite = 1;
idx = i;
break;
}
if (XMEMCMP(id, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) {
WOLFSSL_MSG("Session already exists. Overwriting.");
overwrite = 1;
idx = i;
break;
}
}
@@ -12731,22 +12721,19 @@ int AddSession(WOLFSSL* ssl)
session = &SessionCache[row].Sessions[idx];
}
if (!ssl->options.tls1_3)
XMEMCPY(session->masterSecret, ssl->arrays->masterSecret, SECRET_LEN);
else
XMEMCPY(session->masterSecret, ssl->session.masterSecret, SECRET_LEN);
session->haveEMS = ssl->options.haveEMS;
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)
#ifdef WOLFSSL_TLS13
if (ssl->options.tls1_3) {
XMEMCPY(session->sessionID, ssl->session.sessionID, ID_LEN);
XMEMCPY(session->masterSecret, ssl->session.masterSecret, SECRET_LEN);
session->sessionIDSz = ID_LEN;
}
else
#endif
{
XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN);
XMEMCPY(session->masterSecret, ssl->arrays->masterSecret, SECRET_LEN);
session->sessionIDSz = ssl->arrays->sessionIDSz;
}
XMEMCPY(session->sessionID, id, ID_LEN);
session->haveEMS = ssl->options.haveEMS;
#ifdef OPENSSL_EXTRA
/* If using compatibility layer then check for and copy over session context
@@ -12767,7 +12754,7 @@ int AddSession(WOLFSSL* ssl)
if (error == 0) {
/* Cleanup cache row's old Dynamic buff if exists */
if(session->isDynamic) {
if (session->isDynamic) {
XFREE(session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
session->ticket = NULL;
}
@@ -12829,10 +12816,8 @@ int AddSession(WOLFSSL* ssl)
if (error == 0) {
session->ticketSeen = ssl->session.ticketSeen;
session->ticketAdd = ssl->session.ticketAdd;
#ifndef WOLFSSL_TLS13_DRAFT_18
XMEMCPY(&session->ticketNonce, &ssl->session.ticketNonce,
sizeof(TicketNonce));
#endif
#ifdef WOLFSSL_EARLY_DATA
session->maxEarlyDataSz = ssl->session.maxEarlyDataSz;
#endif
@@ -13462,7 +13447,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->client_psk_cb = cb;
}
void wolfSSL_set_psk_client_callback(WOLFSSL* ssl,wc_psk_client_callback cb)
{
byte haveRSA = 1;
@@ -13488,7 +13472,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl->options.haveStaticECC, ssl->options.side);
}
void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX* ctx,
wc_psk_server_callback cb)
{
@@ -13499,7 +13482,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->server_psk_cb = cb;
}
void wolfSSL_set_psk_server_callback(WOLFSSL* ssl,wc_psk_server_callback cb)
{
byte haveRSA = 1;
@@ -13524,7 +13506,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl->options.haveStaticECC, ssl->options.side);
}
const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl)
{
WOLFSSL_ENTER("SSL_get_psk_identity_hint");
@@ -13546,7 +13527,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ssl->arrays->client_identity;
}
int wolfSSL_CTX_use_psk_identity_hint(WOLFSSL_CTX* ctx, const char* hint)
{
WOLFSSL_ENTER("SSL_CTX_use_psk_identity_hint");
@@ -13563,7 +13543,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return WOLFSSL_SUCCESS;
}
int wolfSSL_use_psk_identity_hint(WOLFSSL* ssl, const char* hint)
{
WOLFSSL_ENTER("SSL_use_psk_identity_hint");
@@ -13581,6 +13560,28 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return WOLFSSL_SUCCESS;
}
void* wolfSSL_get_psk_callback_ctx(WOLFSSL* ssl)
{
return ssl ? ssl->options.psk_ctx : NULL;
}
void* wolfSSL_CTX_get_psk_callback_ctx(WOLFSSL_CTX* ctx)
{
return ctx ? ctx->psk_ctx : NULL;
}
int wolfSSL_set_psk_callback_ctx(WOLFSSL* ssl, void* psk_ctx)
{
if (ssl == NULL)
return WOLFSSL_FAILURE;
ssl->options.psk_ctx = psk_ctx;
return WOLFSSL_SUCCESS;
}
int wolfSSL_CTX_set_psk_callback_ctx(WOLFSSL_CTX* ctx, void* psk_ctx)
{
if (ctx == NULL)
return WOLFSSL_FAILURE;
ctx->psk_ctx = psk_ctx;
return WOLFSSL_SUCCESS;
}
#endif /* NO_PSK */
@@ -19293,21 +19294,7 @@ static const char* wolfSSL_internal_get_version(const ProtocolVersion* version)
case TLSv1_2_MINOR :
return "TLSv1.2";
case TLSv1_3_MINOR :
#ifdef WOLFSSL_TLS13_DRAFT
#ifdef WOLFSSL_TLS13_DRAFT_18
return "TLSv1.3 (Draft 18)";
#elif defined(WOLFSSL_TLS13_DRAFT_22)
return "TLSv1.3 (Draft 22)";
#elif defined(WOLFSSL_TLS13_DRAFT_23)
return "TLSv1.3 (Draft 23)";
#elif defined(WOLFSSL_TLS13_DRAFT_26)
return "TLSv1.3 (Draft 26)";
#else
return "TLSv1.3 (Draft 28)";
#endif
#else
return "TLSv1.3";
#endif
default:
return "unknown";
}
@@ -27043,11 +27030,9 @@ int wolfSSL_i2d_SSL_SESSION(WOLFSSL_SESSION* sess, unsigned char** p)
#ifdef WOLFSSL_TLS13
/* ticketSeen | ticketAdd */
size += OPAQUE32_LEN + OPAQUE32_LEN;
#ifndef WOLFSSL_TLS13_DRAFT_18
/* ticketNonce */
size += OPAQUE8_LEN + sess->ticketNonce.len;
#endif
#endif
#ifdef WOLFSSL_EARLY_DATA
size += OPAQUE32_LEN;
#endif
@@ -27111,12 +27096,10 @@ int wolfSSL_i2d_SSL_SESSION(WOLFSSL_SESSION* sess, unsigned char** p)
idx += OPAQUE32_LEN;
c32toa(sess->ticketAdd, data + idx);
idx += OPAQUE32_LEN;
#ifndef WOLFSSL_TLS13_DRAFT_18
data[idx++] = sess->ticketNonce.len;
XMEMCPY(data + idx, sess->ticketNonce.data, sess->ticketNonce.len);
idx += sess->ticketNonce.len;
#endif
#endif
#ifdef WOLFSSL_EARLY_DATA
c32toa(sess->maxEarlyDataSz, data + idx);
idx += OPAQUE32_LEN;
@@ -27296,7 +27279,6 @@ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess,
idx += OPAQUE32_LEN;
ato32(data + idx, &s->ticketAdd);
idx += OPAQUE32_LEN;
#ifndef WOLFSSL_TLS13_DRAFT_18
if (i - idx < OPAQUE8_LEN) {
ret = BUFFER_ERROR;
goto end;
@@ -27310,7 +27292,6 @@ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess,
XMEMCPY(s->ticketNonce.data, data + idx, s->ticketNonce.len);
idx += s->ticketNonce.len;
#endif
#endif
#ifdef WOLFSSL_EARLY_DATA
if (i - idx < OPAQUE32_LEN) {
ret = BUFFER_ERROR;
+11 -54
View File
@@ -3744,7 +3744,7 @@ int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
&& !defined(HAVE_FFDHE)
#error Elliptic Curves Extension requires Elliptic Curve Cryptography. \
Use --enable-ecc in the configure script or define HAVE_ECC. \
Alternatively use FFDHE for DH ciperhsuites.
Alternatively use FFDHE for DH ciphersuites.
#endif
static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name,
@@ -3901,7 +3901,7 @@ static void TLSX_PointFormat_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
}
#endif
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
#ifndef NO_WOLFSSL_SERVER
@@ -3933,7 +3933,8 @@ static void TLSX_PointFormat_ValidateResponse(WOLFSSL* ssl, byte* semaphore)
#endif
}
#endif
#endif /* !NO_WOLFSSL_SERVER */
#ifndef NO_WOLFSSL_CLIENT
static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list)
@@ -4117,7 +4118,7 @@ int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl)
return 0;
}
#endif
#endif /* WOLFSSL_TLS13 && !WOLFSSL_NO_SERVER_GROUPS_EXT */
#if defined(HAVE_FFDHE) && !defined(WOLFSSL_NO_TLS12)
/* Set the highest priority common FFDHE group on the server as compared to
@@ -4267,7 +4268,7 @@ int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl, int checkSupported)
return BAD_FUNC_ARG;
}
#endif
#endif /* HAVE_SUPPORTED_CURVES */
#ifndef NO_WOLFSSL_SERVER
@@ -5912,10 +5913,8 @@ static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz)
*pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN);
}
#ifndef WOLFSSL_TLS13_DRAFT_18
else if (msgType == server_hello || msgType == hello_retry_request)
*pSz += OPAQUE16_LEN;
#endif
else
return SANITY_MSG_E;
@@ -5993,24 +5992,12 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
*pSz += (word16)(OPAQUE8_LEN + *cnt);
}
#ifndef WOLFSSL_TLS13_DRAFT_18
else if (msgType == server_hello || msgType == hello_retry_request) {
#ifdef WOLFSSL_TLS13_DRAFT
if (ssl->version.major == SSLv3_MAJOR &&
ssl->version.minor == TLSv1_3_MINOR) {
output[0] = TLS_DRAFT_MAJOR;
output[1] = TLS_DRAFT_MINOR;
}
else
#endif
{
output[0] = ssl->version.major;
output[1] = ssl->version.minor;
}
output[0] = ssl->version.major;
output[1] = ssl->version.minor;
*pSz += OPAQUE16_LEN;
}
#endif
else
return SANITY_MSG_E;
@@ -6092,9 +6079,7 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL* ssl, byte* input,
if (ret != 0) {
return ret;
}
#ifndef WOLFSSL_TLS13_DRAFT_18
TLSX_SetResponse(ssl, TLSX_SUPPORTED_VERSIONS);
#endif
}
if (minor > newMinor) {
ssl->version.minor = minor;
@@ -6115,7 +6100,6 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL* ssl, byte* input,
return VERSION_ERROR;
}
}
#ifndef WOLFSSL_TLS13_DRAFT_18
else if (msgType == server_hello || msgType == hello_retry_request) {
/* Must contain one version. */
if (length != OPAQUE16_LEN)
@@ -6124,13 +6108,6 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL* ssl, byte* input,
major = input[0];
minor = input[OPAQUE8_LEN];
#ifdef WOLFSSL_TLS13_DRAFT
if (major == TLS_DRAFT_MAJOR && minor == TLS_DRAFT_MINOR) {
major = SSLv3_MAJOR;
minor = TLSv1_3_MINOR;
}
#endif
if (major != pv.major)
return VERSION_ERROR;
@@ -6160,7 +6137,6 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL* ssl, byte* input,
ssl->version.minor = minor;
}
}
#endif
else
return SANITY_MSG_E;
@@ -6494,7 +6470,6 @@ static int TLSX_SetSignatureAlgorithms(TLSX** extensions, const void* data,
/******************************************************************************/
#ifdef WOLFSSL_TLS13
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
/* Return the size of the SignatureAlgorithms extension's data.
*
* data Unused
@@ -6581,7 +6556,6 @@ static int TLSX_SetSignatureAlgorithmsCert(TLSX** extensions, const void* data,
#define SAC_GET_SIZE TLSX_SignatureAlgorithmsCert_GetSize
#define SAC_WRITE TLSX_SignatureAlgorithmsCert_Write
#define SAC_PARSE TLSX_SignatureAlgorithmsCert_Parse
#endif /* !WOLFSSL_TLS13_DRAFT_18 && !WOLFSSL_TLS13_DRAFT_22 */
#endif /* WOLFSSL_TLS13 */
@@ -9233,10 +9207,8 @@ void TLSX_FreeAll(TLSX* list, void* heap)
break;
#endif
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
case TLSX_SIGNATURE_ALGORITHMS_CERT:
break;
#endif
case TLSX_KEY_SHARE:
KS_FREE_ALL((KeyShareEntry*)extension->data, heap);
@@ -9380,11 +9352,9 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType,
break;
#endif
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
case TLSX_SIGNATURE_ALGORITHMS_CERT:
length += SAC_GET_SIZE(extension->data);
break;
#endif
case TLSX_KEY_SHARE:
length += KS_GET_SIZE((KeyShareEntry*)extension->data, msgType);
@@ -9558,12 +9528,10 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore,
break;
#endif
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
case TLSX_SIGNATURE_ALGORITHMS_CERT:
WOLFSSL_MSG("Signature Algorithms extension to write");
offset += SAC_WRITE(extension->data, output + offset);
break;
#endif
case TLSX_KEY_SHARE:
WOLFSSL_MSG("Key Share extension to write");
@@ -9789,8 +9757,6 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
{
int ret = WOLFSSL_SUCCESS;
#ifdef WOLFSSL_TLS13
int i;
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (ssl->options.resuming && ssl->session.namedGroup != 0) {
return TLSX_UseSupportedCurve(extensions, ssl->session.namedGroup,
@@ -9798,7 +9764,9 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
}
#endif
#ifdef HAVE_SUPPORTED_CURVES
if (ssl->numGroups != 0) {
int i;
for (i = 0; i < ssl->numGroups; i++) {
ret = TLSX_UseSupportedCurve(extensions, ssl->group[i], ssl->heap);
if (ret != WOLFSSL_SUCCESS)
@@ -9806,6 +9774,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
}
return WOLFSSL_SUCCESS;
}
#endif /* HAVE_SUPPORTED_CURVES */
#endif /* WOLFSSL_TLS13 */
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
@@ -10125,7 +10094,6 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
}
#endif /* (HAVE_ECC || CURVE25519 || CURVE448) && HAVE_SUPPORTED_CURVES */
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
if (ssl->certHashSigAlgoSz > 0) {
WOLFSSL_MSG("Adding signature algorithms cert extension");
if ((ret = TLSX_SetSignatureAlgorithmsCert(&ssl->extensions,
@@ -10133,7 +10101,6 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
return ret;
}
}
#endif /* !WOLFSSL_TLS13_DRAFT_18 && !WOLFSSL_TLS13_DRAFT_22 */
if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
word16 namedGroup;
@@ -10511,10 +10478,8 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version)) {
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#ifndef WOLFSSL_TLS13_DRAFT_18
TURN_OFF(semaphore,
TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#endif
if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
@@ -10533,9 +10498,7 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
#ifdef WOLFSSL_TLS13
case hello_retry_request:
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#ifndef WOLFSSL_TLS13_DRAFT_18
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#endif
if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
@@ -10631,10 +10594,8 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version)) {
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#ifndef WOLFSSL_TLS13_DRAFT_18
TURN_OFF(semaphore,
TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#endif
if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
@@ -10653,9 +10614,7 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
#ifdef WOLFSSL_TLS13
case hello_retry_request:
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#ifndef WOLFSSL_TLS13_DRAFT_18
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#endif
if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
/* Cookie is written below as last extension. */
@@ -11182,7 +11141,6 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
break;
#endif
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
case TLSX_SIGNATURE_ALGORITHMS_CERT:
WOLFSSL_MSG("Signature Algorithms extension received");
#ifdef WOLFSSL_DEBUG_TLS
@@ -11203,7 +11161,6 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
ret = SAC_PARSE(ssl, input + offset, size, isRequest);
break;
#endif
case TLSX_KEY_SHARE:
WOLFSSL_MSG("Key Share extension received");
+54 -613
View File
File diff suppressed because it is too large Load Diff
+5
View File
@@ -25461,7 +25461,12 @@ static void test_wolfSSL_SESSION(void)
char msg[80];
printf(testingFmt, "wolfSSL_SESSION()");
/* TLS v1.3 requires session tickets */
#if defined(WOLFSSL_TLS13) && !defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_TLS12)
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
#endif
AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM));
AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM));
+4 -2
View File
@@ -467,14 +467,16 @@ static int execute_test_case(int svr_argc, char** svr_argv,
/* verify results */
if ((cliArgs.return_code != 0 && cliTestShouldFail == 0) ||
(cliArgs.return_code == 0 && cliTestShouldFail != 0)) {
printf("client_test failed\n");
printf("client_test failed %d %s\n", cliArgs.return_code,
cliTestShouldFail ? "(should fail)" : "");
XEXIT(EXIT_FAILURE);
}
join_thread(serverThread);
if ((svrArgs.return_code != 0 && svrTestShouldFail == 0) ||
(svrArgs.return_code == 0 && svrTestShouldFail != 0)) {
printf("server_test failed\n");
printf("server_test failed %d %s\n", svrArgs.return_code,
svrTestShouldFail ? "(should fail)" : "");
XEXIT(EXIT_FAILURE);
}
+1
View File
@@ -164,6 +164,7 @@
# client TLSv1.3
-v 4
-l TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256
# server TLSv1.3 KeyUpdate
-v 4
+1 -1
View File
@@ -152,7 +152,7 @@ int testsuite_test(int argc, char** argv)
return EXIT_FAILURE;
}
strcpy(arg[0], "echoclient");
strcpy(arg[0], "testsuite");
strcpy(arg[1], "input");
strcpy(arg[2], outputName);
+2 -2
View File
@@ -11781,7 +11781,7 @@ done:
}
#endif
#ifdef WC_RSA_PSS
#if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
{
byte digest[WC_MAX_DIGEST_SIZE];
@@ -13917,7 +13917,7 @@ int rsa_test(void)
#endif /* WOLFSSL_CERT_REQ */
#endif /* WOLFSSL_CERT_GEN */
#ifdef WC_RSA_PSS
#if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
ret = rsa_pss_test(&rng, &key);
#endif
+2 -27
View File
@@ -1210,19 +1210,6 @@ enum Misc {
TLSv1_2_MINOR = 3, /* TLSv1_2 minor version number */
TLSv1_3_MINOR = 4, /* TLSv1_3 minor version number */
TLS_DRAFT_MAJOR = 0x7f, /* Draft TLS major version number */
#ifdef WOLFSSL_TLS13_DRAFT
#ifdef WOLFSSL_TLS13_DRAFT_18
TLS_DRAFT_MINOR = 0x12, /* Minor version number of TLS draft */
#elif defined(WOLFSSL_TLS13_DRAFT_22)
TLS_DRAFT_MINOR = 0x16, /* Minor version number of TLS draft */
#elif defined(WOLFSSL_TLS13_DRAFT_23)
TLS_DRAFT_MINOR = 0x17, /* Minor version number of TLS draft */
#elif defined(WOLFSSL_TLS13_DRAFT_26)
TLS_DRAFT_MINOR = 0x1a, /* Minor version number of TLS draft */
#else
TLS_DRAFT_MINOR = 0x1c, /* Minor version number of TLS draft */
#endif
#endif
OLD_HELLO_ID = 0x01, /* SSLv2 Client Hello Indicator */
INVALID_BYTE = 0xff, /* Used to initialize cipher specs values */
NO_COMPRESSION = 0,
@@ -2187,12 +2174,8 @@ typedef enum {
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
TLSX_POST_HANDSHAKE_AUTH = 0x0031,
#endif
#if defined(WOLFSSL_TLS13_DRAFT_18) || defined(WOLFSSL_TLS13_DRAFT_22)
TLSX_KEY_SHARE = 0x0028,
#else
TLSX_SIGNATURE_ALGORITHMS_CERT = 0x0032,
TLSX_KEY_SHARE = 0x0033,
#endif
#endif
TLSX_RENEGOTIATION_INFO = 0xff01
} TLSX_Type;
@@ -2534,7 +2517,6 @@ WOLFSSL_LOCAL int TLSX_KeyShare_DeriveSecret(WOLFSSL* ssl);
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
#ifndef WOLFSSL_TLS13_DRAFT_18
/* Ticket nonce - for deriving PSK.
* Length allowed to be: 1..255. Only support 4 bytes.
*/
@@ -2542,7 +2524,6 @@ typedef struct TicketNonce {
byte len;
byte data[MAX_TICKET_NONCE_SZ];
} TicketNonce;
#endif
/* The PreSharedKey extension information - entry in a linked list. */
typedef struct PreSharedKey {
@@ -2767,6 +2748,7 @@ struct WOLFSSL_CTX {
wc_psk_client_tls13_callback client_psk_tls13_cb; /* client callback */
wc_psk_server_tls13_callback server_psk_tls13_cb; /* server callback */
#endif
void* psk_ctx;
char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN];
#endif /* HAVE_SESSION_TICKET || !NO_PSK */
#ifdef WOLFSSL_TLS13
@@ -3169,9 +3151,7 @@ struct WOLFSSL_SESSION {
#ifdef WOLFSSL_TLS13
word32 ticketSeen; /* Time ticket seen (ms) */
word32 ticketAdd; /* Added by client */
#ifndef WOLFSSL_TLS13_DRAFT_18
TicketNonce ticketNonce; /* Nonce used to derive PSK */
#endif
#endif
#ifdef WOLFSSL_EARLY_DATA
word32 maxEarlyDataSz;
@@ -3358,6 +3338,7 @@ typedef struct Options {
wc_psk_client_tls13_callback client_psk_tls13_cb; /* client callback */
wc_psk_server_tls13_callback server_psk_tls13_cb; /* server callback */
#endif
void* psk_ctx;
#endif /* NO_PSK */
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
unsigned long mask; /* store SSL_OP_ flags */
@@ -3983,11 +3964,9 @@ struct WOLFSSL {
#endif
word16 pssAlgo;
#ifdef WOLFSSL_TLS13
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
word16 certHashSigAlgoSz; /* SigAlgoCert ext length in bytes */
byte certHashSigAlgo[WOLFSSL_MAX_SIGALGO]; /* cert sig/algo to
* offer */
#endif /* !WOLFSSL_TLS13_DRAFT_18 && !WOLFSSL_TLS13_DRAFT_22 */
#endif
#ifdef HAVE_NTRU
word16 peerNtruKeyLen;
@@ -4345,12 +4324,8 @@ WOLFSSL_LOCAL int SendTicket(WOLFSSL*);
WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32);
WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int);
#ifdef WOLFSSL_TLS13
#ifdef WOLFSSL_TLS13_DRAFT_18
WOLFSSL_LOCAL int SendTls13HelloRetryRequest(WOLFSSL*);
#else
WOLFSSL_LOCAL int SendTls13ServerHello(WOLFSSL*, byte);
#endif
#endif
WOLFSSL_LOCAL int SendCertificate(WOLFSSL*);
WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*);
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+5
View File
@@ -1950,6 +1950,11 @@ enum { /* ssl Constants */
WOLFSSL_API void wolfSSL_set_psk_server_tls13_callback(WOLFSSL*,
wc_psk_server_tls13_callback);
#endif
WOLFSSL_API void* wolfSSL_get_psk_callback_ctx(WOLFSSL*);
WOLFSSL_API int wolfSSL_set_psk_callback_ctx(WOLFSSL*, void*);
WOLFSSL_API void* wolfSSL_CTX_get_psk_callback_ctx(WOLFSSL_CTX*);
WOLFSSL_API int wolfSSL_CTX_set_psk_callback_ctx(WOLFSSL_CTX*, void*);
#define PSK_TYPES_DEFINED
#endif /* NO_PSK */
+9 -7
View File
@@ -1302,7 +1302,7 @@ static WC_INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
(void)key_max_len;
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
strncpy(identity, kIdentityStr, id_max_len);
XSTRNCPY(identity, kIdentityStr, id_max_len);
if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) {
/* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
@@ -1336,7 +1336,7 @@ static WC_INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identit
(void)key_max_len;
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
if (strncmp(identity, kIdentityStr, strlen(kIdentityStr)) != 0)
if (XSTRNCMP(identity, kIdentityStr, XSTRLEN(kIdentityStr)) != 0)
return 0;
if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) {
@@ -1370,13 +1370,14 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
{
int i;
int b = 0x01;
const char* userCipher = (const char*)wolfSSL_get_psk_callback_ctx(ssl);
(void)ssl;
(void)hint;
(void)key_max_len;
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
strncpy(identity, kIdentityStr, id_max_len);
XSTRNCPY(identity, kIdentityStr, id_max_len);
for (i = 0; i < 32; i++, b += 0x22) {
if (b >= 0x100)
@@ -1384,7 +1385,7 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
key[i] = b;
}
*ciphersuite = "TLS13-AES128-GCM-SHA256";
*ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
return 32; /* length of key in octets or 0 for error */
}
@@ -1396,12 +1397,13 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
{
int i;
int b = 0x01;
const char* userCipher = (const char*)wolfSSL_get_psk_callback_ctx(ssl);
(void)ssl;
(void)key_max_len;
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
if (strncmp(identity, kIdentityStr, strlen(kIdentityStr)) != 0)
if (XSTRNCMP(identity, kIdentityStr, XSTRLEN(kIdentityStr)) != 0)
return 0;
for (i = 0; i < 32; i++, b += 0x22) {
@@ -1410,12 +1412,12 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
key[i] = b;
}
*ciphersuite = "TLS13-AES128-GCM-SHA256";
*ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
return 32; /* length of key in octets or 0 for error */
}
#endif /* NO_PSK */
#endif /* !NO_PSK */
#if defined(WOLFSSL_USER_CURRTIME)
+5 -1
View File
@@ -110,7 +110,11 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb*,
#elif defined (OPENSSL_EXTRA)
/* extra storage in structs for multiple attributes and order */
#ifndef LARGEST_MEM_BUCKET
#define LARGEST_MEM_BUCKET 25600
#ifdef WOLFSSL_TLS13
#define LARGEST_MEM_BUCKET 25792
#else
#define LARGEST_MEM_BUCKET 25600
#endif
#endif
#define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3360,4480,\
LARGEST_MEM_BUCKET
+6
View File
@@ -2244,6 +2244,12 @@ extern void uITRON4_free(void *p) ;
#define WOLFSSL_NO_CONSTCHARCONST
#endif
/* FIPS v1 does not support TLS v1.3 (requires RSA PSS and HKDF) */
#if defined(HAVE_FIPS) && !defined(HAVE_FIPS_VERSION)
#undef WC_RSA_PSS
#undef WOLFSSL_TLS13
#endif
#ifdef __cplusplus
} /* extern "C" */