wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-05-05 14:04:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2942 from dgarske/tls13_on

Browse Source 
Enable TLS v1.3 by default
This commit is contained in:
toddouska
2020-06-09 13:30:02 -07:00
committed by GitHub
parent 48783c1982 3af4316cfd
commit e993cb6cc0
21 changed files with 366 additions and 949 deletions
Download Patch File Download Diff File Expand all files Collapse all files
configure.ac
+60 -86
View File
@@ -96,6 +96,32 @@ AS_IF([test "$ax_enable_debug" = "yes"],
[AM_CFLAGS="$AM_CFLAGS -DNDEBUG"]) [AM_CFLAGS="$AM_CFLAGS -DNDEBUG"])
# FIPS
AC_ARG_ENABLE([fips],
[AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])],
[ENABLED_FIPS=$enableval],
[ENABLED_FIPS="no"])
AS_CASE([$ENABLED_FIPS],
["v2"],[
# FIPS v2
ENABLED_FIPS="yes"
FIPS_VERSION="v2"
],
["rand"],[
# FIPS Rand
ENABLED_FIPS="yes"
FIPS_VERSION="rand"
],
["no"],[FIPS_VERSION="none"],
[
# FIPS v1
ENABLED_FIPS="yes"
FIPS_VERSION="v1"
])
# Distro build feature subset (Debian, Ubuntu, etc.) # Distro build feature subset (Debian, Ubuntu, etc.)
AC_ARG_ENABLE([distro], AC_ARG_ENABLE([distro],
[AS_HELP_STRING([--enable-distro],[Enable wolfSSL distro build (default: disabled)])], [AS_HELP_STRING([--enable-distro],[Enable wolfSSL distro build (default: disabled)])],
@@ -119,7 +145,11 @@ AC_ARG_ENABLE([all],
if test "$ENABLED_ALL" = "yes" if test "$ENABLED_ALL" = "yes"
then then
enable_dtls=yes enable_dtls=yes
enable_tls13=yes if test "x$FIPS_VERSION" != "xv1"
then
enable_tls13=yes
enable_rsapss=yes
fi
enable_openssh=yes enable_openssh=yes
enable_opensslextra=yes enable_opensslextra=yes
enable_opensslall=yes enable_opensslall=yes
@@ -287,84 +317,24 @@ then
fi fi
# TLS v1.3 Draft 18 # TLS v1.3 Draft 18 (Note: only final TLS v1.3 supported, here for backwards build compatibility)
AC_ARG_ENABLE([tls13-draft18], AC_ARG_ENABLE([tls13-draft18],
[AS_HELP_STRING([--enable-tls13-draft18],[Enable wolfSSL TLS v1.3 Draft 18 (default: disabled)])], [AS_HELP_STRING([--enable-tls13-draft18],[Enable wolfSSL TLS v1.3 Draft 18 (default: disabled)])],
[ ENABLED_TLS13_DRAFT18=$enableval ], [ ENABLED_TLS13_DRAFT18=$enableval ],
[ ENABLED_TLS13_DRAFT18=no ] [ ENABLED_TLS13_DRAFT18=no ]
) )
if test "$ENABLED_TLS13_DRAFT18" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT -DWOLFSSL_TLS13_DRAFT_18 $AM_CFLAGS"
fi
# TLS v1.3 Draft 22
AC_ARG_ENABLE([tls13-draft22],
[AS_HELP_STRING([--enable-tls13-draft22],[Enable wolfSSL TLS v1.3 Draft 22 (default: disabled)])],
[ ENABLED_TLS13_DRAFT22=$enableval ],
[ ENABLED_TLS13_DRAFT22=no ]
)
if test "$ENABLED_TLS13_DRAFT22" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT -DWOLFSSL_TLS13_DRAFT_22 $AM_CFLAGS"
fi
# TLS v1.3 Draft 23
AC_ARG_ENABLE([tls13-draft23],
[AS_HELP_STRING([--enable-tls13-draft23],[Enable wolfSSL TLS v1.3 Draft 23 (default: disabled)])],
[ ENABLED_TLS13_DRAFT23=$enableval ],
[ ENABLED_TLS13_DRAFT23=no ]
)
if test "$ENABLED_TLS13_DRAFT23" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT -DWOLFSSL_TLS13_DRAFT_23 $AM_CFLAGS"
fi
# TLS v1.3 Draft 26
AC_ARG_ENABLE([tls13-draft26],
[AS_HELP_STRING([--enable-tls13-draft26],[Enable wolfSSL TLS v1.3 Draft 26 (default: disabled)])],
[ ENABLED_TLS13_DRAFT26=$enableval ],
[ ENABLED_TLS13_DRAFT26=no ]
)
if test "$ENABLED_TLS13_DRAFT26" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT -DWOLFSSL_TLS13_DRAFT_26 $AM_CFLAGS"
fi
# TLS v1.3 Draft 28
AC_ARG_ENABLE([tls13-draft28],
[AS_HELP_STRING([--enable-tls13-draft28],[Enable wolfSSL TLS v1.3 Draft 28 (default: disabled)])],
[ ENABLED_TLS13_DRAFT28=$enableval ],
[ ENABLED_TLS13_DRAFT28=no ]
)
if test "$ENABLED_TLS13_DRAFT28" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13_DRAFT $AM_CFLAGS"
fi
# TLS v1.3 # TLS v1.3
AC_ARG_ENABLE([tls13], AC_ARG_ENABLE([tls13],
[AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: disabled)])], [AS_HELP_STRING([--enable-tls13],[Enable wolfSSL TLS v1.3 (default: enabled)])],
[ ENABLED_TLS13=$enableval ], [ ENABLED_TLS13=$enableval ],
[ ENABLED_TLS13=no ] [ ENABLED_TLS13=yes ]
) )
if test "x$FIPS_VERSION" = "xv1"
if test "$ENABLED_TLS13_DRAFT18" = "yes" || test "$ENABLED_TLS13_DRAFT22" = "yes" || test "$ENABLED_TLS13_DRAFT23" = "yes" || test "$ENABLED_TLS13_DRAFT26" = "yes" || test "$ENABLED_TLS13_DRAFT28" = "yes"
then then
ENABLED_TLS13="yes" ENABLED_TLS13="no"
fi fi
if test "$ENABLED_TLS13" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
fi
# Post-handshake Authentication # Post-handshake Authentication
AC_ARG_ENABLE([postauth], AC_ARG_ENABLE([postauth],
[AS_HELP_STRING([--enable-postauth],[Enable wolfSSL Post-handshake Authentication (default: disabled)])], [AS_HELP_STRING([--enable-postauth],[Enable wolfSSL Post-handshake Authentication (default: disabled)])],
@@ -2494,14 +2464,8 @@ fi
# FIPS # FIPS
AC_ARG_ENABLE([fips], AS_CASE([$FIPS_VERSION],
[AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])], ["v2"],[
[ENABLED_FIPS=$enableval],
[ENABLED_FIPS="no"])
AS_CASE([$ENABLED_FIPS],
["v2"],[FIPS_VERSION="v2"
ENABLED_FIPS=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q" AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q"
ENABLED_KEYGEN="yes" ENABLED_KEYGEN="yes"
ENABLED_SHA224="yes" ENABLED_SHA224="yes"
@@ -2532,14 +2496,9 @@ AS_CASE([$ENABLED_FIPS],
[AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"]) [AM_CFLAGS="$AM_CFLAGS -DFORCE_FAILURE_RDSEED"])
], ],
["rand"],[ ["rand"],[
ENABLED_FIPS="yes"
FIPS_VERSION="rand"
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2" AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2"
], ],
["no"],[FIPS_VERSION="none"], ["v1"],[
[
ENABLED_FIPS="yes"
FIPS_VERSION="v1"
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS" AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
]) ])
@@ -3178,6 +3137,21 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_REQUIRE_FFDHE" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_REQUIRE_FFDHE"
fi fi
# TLS 1.3 Requires either ECC or (RSA/DH), or CURVE25519/ED25519 or CURVE448/ED448
if test "x$ENABLED_ECC" = "xno" && \
(test "x$ENABLED_RSA" = "xno" || test "x$ENABLED_DH" = "xno") && \
(test "x$ENABLED_CURVE25519" = "xno" || test "x$ENABLED_ED25519" = "xno") && \
(test "x$ENABLED_CURVE448" = "xno" || test "x$ENABLED_ED448" = "xno")
then
# disable TLS 1.3
ENABLED_TLS13=no
fi
if test "$ENABLED_TLS13" = "yes"
then
AM_CFLAGS="-DWOLFSSL_TLS13 -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES $AM_CFLAGS"
fi
# Session Ticket Extension # Session Ticket Extension
AC_ARG_ENABLE([session-ticket], AC_ARG_ENABLE([session-ticket],
[AS_HELP_STRING([--enable-session-ticket],[Enable Session Ticket (default: disabled)])], [AS_HELP_STRING([--enable-session-ticket],[Enable Session Ticket (default: disabled)])],
@@ -3229,7 +3203,7 @@ then
ENABLED_ENCRYPT_THEN_MAC=yes ENABLED_ENCRYPT_THEN_MAC=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA" AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA"
# Check the ECC supported curves prereq # Check the ECC supported curves prereq
AS_IF([test "x$ENABLED_ECC" = "xyes" || test "x$ENABLED_CURVE25519" = "xyes"], AS_IF([test "x$ENABLED_ECC" = "xyes" || test "x$ENABLED_CURVE25519" = "xyes" || test "x$ENABLED_TLS13" = "xyes"],
[ENABLED_SUPPORTED_CURVES=yes [ENABLED_SUPPORTED_CURVES=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"]) AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"])
fi fi
@@ -4552,6 +4526,11 @@ AC_ARG_ENABLE([fast-rsa],
[ ENABLED_FAST_RSA=no ], [ ENABLED_FAST_RSA=no ],
) )
# Fast RSA does not support RSA-PSS
if test "$ENABLED_RSAPSS" = "yes"; then
ENABLED_FAST_RSA=no
fi
if test "$ENABLED_USER_RSA" = "no" && test "$ENABLED_FIPS" = "no"; then if test "$ENABLED_USER_RSA" = "no" && test "$ENABLED_FIPS" = "no"; then
if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
@@ -5548,11 +5527,6 @@ echo " * Old TLS Versions: $ENABLED_OLD_TLS"
echo " * SSL version 3.0: $ENABLED_SSLV3" echo " * SSL version 3.0: $ENABLED_SSLV3"
echo " * TLS v1.0: $ENABLED_TLSV10" echo " * TLS v1.0: $ENABLED_TLSV10"
echo " * TLS v1.3: $ENABLED_TLS13" echo " * TLS v1.3: $ENABLED_TLS13"
echo " * TLS v1.3 Draft 18: $ENABLED_TLS13_DRAFT18"
echo " * TLS v1.3 Draft 22: $ENABLED_TLS13_DRAFT22"
echo " * TLS v1.3 Draft 23: $ENABLED_TLS13_DRAFT23"
echo " * TLS v1.3 Draft 26: $ENABLED_TLS13_DRAFT26"
echo " * TLS v1.3 Draft 28: $ENABLED_TLS13_DRAFT28"
echo " * Post-handshake Auth: $ENABLED_TLS13_POST_AUTH" echo " * Post-handshake Auth: $ENABLED_TLS13_POST_AUTH"
echo " * Early Data: $ENABLED_TLS13_EARLY_DATA" echo " * Early Data: $ENABLED_TLS13_EARLY_DATA"
echo " * Send State in HRR Cookie: $ENABLED_SEND_HRR_COOKIE" echo " * Send State in HRR Cookie: $ENABLED_SEND_HRR_COOKIE"
doc/dox_comments/header_files/ssl.h
+55
View File
@@ -5162,6 +5162,61 @@ WOLFSSL_API void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX*,
WOLFSSL_API void wolfSSL_set_psk_server_callback(WOLFSSL*, WOLFSSL_API void wolfSSL_set_psk_server_callback(WOLFSSL*,
wc_psk_server_callback); wc_psk_server_callback);
/*!
\brief Sets a PSK user context in the WOLFSSL structure options member.
\return WOLFSSL_SUCCESS or WOLFSSL_FAILURE
\param ssl a pointer to a WOLFSSL structure, created using wolfSSL_new().
\param psk_ctx void pointer to user PSK context
\sa wolfSSL_get_psk_callback_ctx
\sa wolfSSL_CTX_set_psk_callback_ctx
\sa wolfSSL_CTX_get_psk_callback_ctx
*/
WOLFSSL_API int wolfSSL_set_psk_callback_ctx(WOLFSSL* ssl, void* psk_ctx);
/*!
\brief Sets a PSK user context in the WOLFSSL_CTX structure.
\return WOLFSSL_SUCCESS or WOLFSSL_FAILURE
\param ctx a pointer to a WOLFSSL_CTX structure, created using wolfSSL_CTX_new().
\param psk_ctx void pointer to user PSK context
\sa wolfSSL_set_psk_callback_ctx
\sa wolfSSL_get_psk_callback_ctx
\sa wolfSSL_CTX_get_psk_callback_ctx
*/
WOLFSSL_API int wolfSSL_CTX_set_psk_callback_ctx(WOLFSSL_CTX* ctx, void* psk_ctx);
/*!
\brief Get a PSK user context in the WOLFSSL structure options member.
\return void pointer to user PSK context
\param ssl a pointer to a WOLFSSL structure, created using wolfSSL_new().
\sa wolfSSL_set_psk_callback_ctx
\sa wolfSSL_CTX_set_psk_callback_ctx
\sa wolfSSL_CTX_get_psk_callback_ctx
*/
WOLFSSL_API void* wolfSSL_get_psk_callback_ctx(WOLFSSL* ssl);
/*!
\brief Get a PSK user context in the WOLFSSL_CTX structure.
\return void pointer to user PSK context
\param ctx a pointer to a WOLFSSL_CTX structure, created using wolfSSL_CTX_new().
\sa wolfSSL_CTX_set_psk_callback_ctx
\sa wolfSSL_set_psk_callback_ctx
\sa wolfSSL_get_psk_callback_ctx
*/
WOLFSSL_API void* wolfSSL_CTX_get_psk_callback_ctx(WOLFSSL_CTX* ctx);
/*! /*!
\ingroup Setup \ingroup Setup
examples/client/client.c
+24 -13
View File
@@ -802,7 +802,8 @@ static int SMTP_Shutdown(WOLFSSL* ssl, int wc_shutdown)
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
static void ClientWrite(WOLFSSL* ssl, char* msg, int msgSz, const char* str) static int ClientWrite(WOLFSSL* ssl, char* msg, int msgSz, const char* str,
int exitWithRet)
{ {
int ret, err; int ret, err;
char buffer[WOLFSSL_MAX_ERROR_SZ]; char buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -827,8 +828,12 @@ static void ClientWrite(WOLFSSL* ssl, char* msg, int msgSz, const char* str)
if (ret != msgSz) { if (ret != msgSz) {
printf("SSL_write%s msg error %d, %s\n", str, err, printf("SSL_write%s msg error %d, %s\n", str, err,
wolfSSL_ERR_error_string(err, buffer)); wolfSSL_ERR_error_string(err, buffer));
err_sys("SSL_write failed"); if (!exitWithRet) {
err_sys("SSL_write failed");
}
} }
return err;
} }
static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead, static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
@@ -2080,7 +2085,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifndef NO_PSK #ifndef NO_PSK
if (usePsk) { if (usePsk) {
done += 1; /* don't perform exernal tests if PSK is enabled */ done += 1; /* don't perform external tests if PSK is enabled */
} }
#endif #endif
@@ -2305,16 +2310,17 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (usePsk) { if (usePsk) {
#ifndef NO_PSK #ifndef NO_PSK
const char *defaultCipherList = cipherList;
wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb); wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb);
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
wolfSSL_CTX_set_psk_client_tls13_callback(ctx, my_psk_client_tls13_cb); wolfSSL_CTX_set_psk_client_tls13_callback(ctx, my_psk_client_tls13_cb);
#endif #endif
if (cipherList == NULL) { if (defaultCipherList == NULL) {
const char *defaultCipherList;
#if defined(HAVE_AESGCM) && !defined(NO_DH) #if defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256:" defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"TLS13-AES128-GCM-SHA256"; "DHE-PSK-AES128-GCM-SHA256:";
#else #else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256"; defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif #endif
@@ -2323,12 +2329,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#else #else
defaultCipherList = "PSK-AES128-CBC-SHA256"; defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif #endif
if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList) if (wolfSSL_CTX_set_cipher_list(ctx, defaultCipherList)
!=WOLFSSL_SUCCESS) { !=WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL; wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("client can't set cipher list 2"); err_sys("client can't set cipher list 2");
} }
} }
wolfSSL_CTX_set_psk_callback_ctx(ctx, (void*)defaultCipherList);
#endif #endif
if (useClientCert) { if (useClientCert) {
useClientCert = 0; useClientCert = 0;
@@ -2364,7 +2371,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif #endif
#if defined(WOLFSSL_SNIFFER) #if defined(WOLFSSL_SNIFFER)
if (cipherList == NULL) { if (cipherList == NULL && version < 4) {
/* don't use EDH, can't sniff tmp keys */ /* don't use EDH, can't sniff tmp keys */
if (wolfSSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS) { if (wolfSSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL; wolfSSL_CTX_free(ctx); ctx = NULL;
@@ -3100,7 +3107,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_update_keys(ssl); wolfSSL_update_keys(ssl);
#endif #endif
ClientWrite(ssl, msg, msgSz, ""); err = ClientWrite(ssl, msg, msgSz, "", exitWithRet);
if (exitWithRet && (err != 0)) {
((func_args*)args)->return_code = err;
goto exit;
}
err = ClientRead(ssl, reply, sizeof(reply)-1, 1, "", exitWithRet); err = ClientRead(ssl, reply, sizeof(reply)-1, 1, "", exitWithRet);
if (exitWithRet && (err != 0)) { if (exitWithRet && (err != 0)) {
@@ -3110,7 +3121,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#if defined(WOLFSSL_TLS13) #if defined(WOLFSSL_TLS13)
if (updateKeysIVs || postHandAuth) if (updateKeysIVs || postHandAuth)
ClientWrite(ssl, msg, msgSz, ""); (void)ClientWrite(ssl, msg, msgSz, "", 0);
#endif #endif
if (sendGET) { /* get html */ if (sendGET) { /* get html */
(void)ClientRead(ssl, reply, sizeof(reply)-1, 0, "", 0); (void)ClientRead(ssl, reply, sizeof(reply)-1, 0, "", 0);
@@ -3362,12 +3373,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
} }
#endif /* HAVE_SECURE_RENEGOTIATION */ #endif /* HAVE_SECURE_RENEGOTIATION */
ClientWrite(sslResume, resumeMsg, resumeSz, " resume"); (void)ClientWrite(sslResume, resumeMsg, resumeSz, " resume", 0);
(void)ClientRead(sslResume, reply, sizeof(reply)-1, sendGET, (void)ClientRead(sslResume, reply, sizeof(reply)-1, sendGET,
"Server resume: ", 0); "Server resume: ", 0);
/* try to send session break */ /* try to send session break */
ClientWrite(sslResume, msg, msgSz, " resume 2"); (void)ClientWrite(sslResume, msg, msgSz, " resume 2", 0);
ret = wolfSSL_shutdown(sslResume); ret = wolfSSL_shutdown(sslResume);
if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE) if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE)
examples/echoclient/echoclient.c
+15 -2
View File
@@ -121,7 +121,11 @@ void echoclient_test(void* args)
#if defined(CYASSL_DTLS) #if defined(CYASSL_DTLS)
method = DTLSv1_2_client_method(); method = DTLSv1_2_client_method();
#elif !defined(NO_TLS) #elif !defined(NO_TLS)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SNIFFER)
method = CyaTLSv1_2_client_method();
#else
method = CyaSSLv23_client_method(); method = CyaSSLv23_client_method();
#endif
#elif defined(WOLFSSL_ALLOW_SSLV3) #elif defined(WOLFSSL_ALLOW_SSLV3)
method = SSLv3_client_method(); method = SSLv3_client_method();
#else #else
@@ -150,8 +154,11 @@ void echoclient_test(void* args)
#endif #endif
#if defined(CYASSL_SNIFFER) #if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */ /* Only set if not running testsuite */
SSL_CTX_set_cipher_list(ctx, "AES256-SHA"); if (XSTRSTR(argv[0], "testsuite") != 0) {
/* don't use EDH, can't sniff tmp keys */
SSL_CTX_set_cipher_list(ctx, "AES256-SHA");
}
#endif #endif
#ifndef NO_PSK #ifndef NO_PSK
if (doPSK) { if (doPSK) {
@@ -161,12 +168,18 @@ void echoclient_test(void* args)
#ifdef HAVE_NULL_CIPHER #ifdef HAVE_NULL_CIPHER
defaultCipherList = "PSK-NULL-SHA256"; defaultCipherList = "PSK-NULL-SHA256";
#elif defined(HAVE_AESGCM) && !defined(NO_DH) #elif defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256:";
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256"; defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
#else #else
defaultCipherList = "PSK-AES128-CBC-SHA256"; defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif #endif
if (CyaSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=WOLFSSL_SUCCESS) if (CyaSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=WOLFSSL_SUCCESS)
err_sys("client can't set cipher list 2"); err_sys("client can't set cipher list 2");
wolfSSL_CTX_set_psk_callback_ctx(ctx, (void*)defaultCipherList);
} }
#endif #endif
examples/echoserver/echoserver.c
+15 -2
View File
@@ -138,7 +138,11 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
#if defined(CYASSL_DTLS) #if defined(CYASSL_DTLS)
method = CyaDTLSv1_2_server_method(); method = CyaDTLSv1_2_server_method();
#elif !defined(NO_TLS) #elif !defined(NO_TLS)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SNIFFER)
method = CyaTLSv1_2_server_method();
#else
method = CyaSSLv23_server_method(); method = CyaSSLv23_server_method();
#endif
#elif defined(WOLFSSL_ALLOW_SSLV3) #elif defined(WOLFSSL_ALLOW_SSLV3)
method = CyaSSLv3_server_method(); method = CyaSSLv3_server_method();
#else #else
@@ -227,8 +231,11 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
#endif #endif
#if defined(CYASSL_SNIFFER) #if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */ /* Only set if not running testsuite */
CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA"); if (XSTRSTR(argv[0], "testsuite") != 0) {
/* don't use EDH, can't sniff tmp keys */
CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA");
}
#endif #endif
if (doPSK) { if (doPSK) {
@@ -240,12 +247,18 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
#ifdef HAVE_NULL_CIPHER #ifdef HAVE_NULL_CIPHER
defaultCipherList = "PSK-NULL-SHA256"; defaultCipherList = "PSK-NULL-SHA256";
#elif defined(HAVE_AESGCM) && !defined(NO_DH) #elif defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13
defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"DHE-PSK-AES128-GCM-SHA256";
#else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256"; defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif
#else #else
defaultCipherList = "PSK-AES128-CBC-SHA256"; defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif #endif
if (CyaSSL_CTX_set_cipher_list(ctx, defaultCipherList) != WOLFSSL_SUCCESS) if (CyaSSL_CTX_set_cipher_list(ctx, defaultCipherList) != WOLFSSL_SUCCESS)
err_sys("server can't set cipher list 2"); err_sys("server can't set cipher list 2");
wolfSSL_CTX_set_psk_callback_ctx(ctx, (void*)defaultCipherList);
#endif #endif
} }
examples/server/server.c
+16 -9
View File
@@ -995,7 +995,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
int noPskDheKe = 0; int noPskDheKe = 0;
#endif #endif
int updateKeysIVs = 0; int updateKeysIVs = 0;
#ifndef NO_CERTS
int mutualAuth = 0; int mutualAuth = 0;
#endif
int postHandAuth = 0; int postHandAuth = 0;
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
int earlyData = 0; int earlyData = 0;
@@ -1017,7 +1019,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) \ #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) \
|| defined(SESSION_CERTS) || defined(SESSION_CERTS)
/* big enough to handle most cases including session certs */ /* big enough to handle most cases including session certs */
byte memory[204000]; byte memory[220000];
#else #else
byte memory[80000]; byte memory[80000];
#endif #endif
@@ -1081,7 +1083,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
(void)crlFlags; (void)crlFlags;
(void)readySignal; (void)readySignal;
(void)updateKeysIVs; (void)updateKeysIVs;
#ifndef NO_CERTS
(void)mutualAuth; (void)mutualAuth;
#endif
(void)postHandAuth; (void)postHandAuth;
(void)mcastID; (void)mcastID;
(void)loadCertKeyIntoSSLObj; (void)loadCertKeyIntoSSLObj;
@@ -1413,9 +1417,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#endif #endif
break; break;
#ifndef NO_CERTS
case 'F' : case 'F' :
mutualAuth = 1; mutualAuth = 1;
break; break;
#endif
case 'Q' : case 'Q' :
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
@@ -1731,20 +1737,20 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
if (usePsk || usePskPlus) { if (usePsk || usePskPlus) {
#ifndef NO_PSK #ifndef NO_PSK
const char *defaultCipherList = cipherList;
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb); SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
wolfSSL_CTX_set_psk_server_tls13_callback(ctx, my_psk_server_tls13_cb); wolfSSL_CTX_set_psk_server_tls13_callback(ctx, my_psk_server_tls13_cb);
#endif #endif
if (sendPskIdentityHint == 1) if (sendPskIdentityHint == 1)
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server"); SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL && !usePskPlus) { if (defaultCipherList == NULL && !usePskPlus) {
const char *defaultCipherList;
#if defined(HAVE_AESGCM) && !defined(NO_DH) #if defined(HAVE_AESGCM) && !defined(NO_DH)
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256:" defaultCipherList = "TLS13-AES128-GCM-SHA256:"
"TLS13-AES128-GCM-SHA256"; "DHE-PSK-AES128-GCM-SHA256";
#else #else
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256"; defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
#endif #endif
@@ -1758,7 +1764,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
!= WOLFSSL_SUCCESS) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "server can't set cipher list 2"); err_sys_ex(runWithErrors, "server can't set cipher list 2");
} }
#endif wolfSSL_CTX_set_psk_callback_ctx(ctx, (void*)defaultCipherList);
#endif /* !NO_PSK */
} }
#ifndef NO_CERTS #ifndef NO_CERTS
if (mutualAuth) if (mutualAuth)
@@ -1823,7 +1830,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#if defined(WOLFSSL_SNIFFER) #if defined(WOLFSSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */ /* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) { if (cipherList == NULL && version < 4) {
if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS) if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "server can't set cipher list 3"); err_sys_ex(runWithErrors, "server can't set cipher list 3");
} }
scripts/tls13.test
+17 -15
View File
@@ -111,22 +111,24 @@ if [ $RESULT -eq 0 ]; then
fi fi
echo "" echo ""
# TLS 1.3 mutual auth required but client doesn't send certificates. cat ./wolfssl/options.h | grep -- 'NO_CERTS'
echo -e "\n\nTLS v1.3 mutual auth fail" if [ $? -ne 0 ]; then
port=0 # TLS 1.3 mutual auth required but client doesn't send certificates.
./examples/server/server -v 4 -F -R $ready_file -p $port & echo -e "\n\nTLS v1.3 mutual auth fail"
server_pid=$! port=0
create_port ./examples/server/server -v 4 -F -R $ready_file -p $port &
./examples/client/client -v 4 -x -p $port server_pid=$!
RESULT=$? create_port
remove_ready_file ./examples/client/client -v 4 -x -p $port
if [ $RESULT -eq 0 ]; then RESULT=$?
echo -e "\n\nIssue with requiring mutual authentication" remove_ready_file
do_cleanup if [ $RESULT -eq 0 ]; then
exit 1 echo -e "\n\nIssue with requiring mutual authentication"
do_cleanup
exit 1
fi
echo ""
fi fi
echo ""
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
src/internal.c
+12 -49
View File
@@ -5279,9 +5279,10 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->options.haveStaticECC = ctx->haveStaticECC; ssl->options.haveStaticECC = ctx->haveStaticECC;
#ifndef NO_PSK #ifndef NO_PSK
ssl->options.havePSK = ctx->havePSK; ssl->options.havePSK = ctx->havePSK;
ssl->options.client_psk_cb = ctx->client_psk_cb; ssl->options.client_psk_cb = ctx->client_psk_cb;
ssl->options.server_psk_cb = ctx->server_psk_cb; ssl->options.server_psk_cb = ctx->server_psk_cb;
ssl->options.psk_ctx = ctx->psk_ctx;
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
ssl->options.client_psk_tls13_cb = ctx->client_psk_tls13_cb; ssl->options.client_psk_tls13_cb = ctx->client_psk_tls13_cb;
ssl->options.server_psk_tls13_cb = ctx->server_psk_tls13_cb; ssl->options.server_psk_tls13_cb = ctx->server_psk_tls13_cb;
@@ -7584,7 +7585,6 @@ static int EdDSA_Update(WOLFSSL* ssl, const byte* data, int sz)
} }
#endif /* (HAVE_ED25519 || HAVE_ED448) && !WOLFSSL_NO_CLIENT_AUTH */ #endif /* (HAVE_ED25519 || HAVE_ED448) && !WOLFSSL_NO_CLIENT_AUTH */
#ifndef NO_CERTS
int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz) int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz)
{ {
int ret = 0; int ret = 0;
@@ -7635,8 +7635,6 @@ int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz)
return ret; return ret;
} }
#endif /* NO_CERTS */
/* add output to md5 and sha handshake hashes, exclude record header */ /* add output to md5 and sha handshake hashes, exclude record header */
int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz) int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz)
@@ -7772,11 +7770,7 @@ static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl
rl->pvMajor = ssl->version.major; /* type and version same in each */ rl->pvMajor = ssl->version.major; /* type and version same in each */
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version)) { if (IsAtLeastTLSv1_3(ssl->version)) {
#ifdef WOLFSSL_TLS13_DRAFT_18
rl->pvMinor = TLSv1_MINOR;
#else
rl->pvMinor = TLSv1_2_MINOR; rl->pvMinor = TLSv1_2_MINOR;
#endif
} }
else else
#endif #endif
@@ -8303,11 +8297,7 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#else #else
if (rh->pvMajor != ssl->version.major || if (rh->pvMajor != ssl->version.major ||
(rh->pvMinor != ssl->version.minor && (rh->pvMinor != ssl->version.minor &&
#ifdef WOLFSSL_TLS13_DRAFT_18
(!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != TLSv1_MINOR)
#else
(!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != TLSv1_2_MINOR) (!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != TLSv1_2_MINOR)
#endif
)) ))
#endif #endif
{ {
@@ -14880,13 +14870,9 @@ int ProcessReply(WOLFSSL* ssl)
/* decrypt message */ /* decrypt message */
case decryptMessage: case decryptMessage:
#if !defined(WOLFSSL_TLS13) || defined(WOLFSSL_TLS13_DRAFT_18)
if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0)
#else
if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 && if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
(!IsAtLeastTLSv1_3(ssl->version) || (!IsAtLeastTLSv1_3(ssl->version) ||
ssl->curRL.type != change_cipher_spec)) ssl->curRL.type != change_cipher_spec))
#endif
{ {
bufferStatic* in = &ssl->buffers.inputBuffer; bufferStatic* in = &ssl->buffers.inputBuffer;
@@ -14949,20 +14935,11 @@ int ProcessReply(WOLFSSL* ssl)
else else
{ {
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
#if defined(WOLFSSL_TLS13_DRAFT_18) || \
defined(WOLFSSL_TLS13_DRAFT_22) || \
defined(WOLFSSL_TLS13_DRAFT_23)
ret = DecryptTls13(ssl,
in->buffer + in->idx,
in->buffer + in->idx,
ssl->curSize, NULL, 0);
#else
ret = DecryptTls13(ssl, ret = DecryptTls13(ssl,
in->buffer + in->idx, in->buffer + in->idx,
in->buffer + in->idx, in->buffer + in->idx,
ssl->curSize, ssl->curSize,
(byte*)&ssl->curRL, RECORD_HEADER_SZ); (byte*)&ssl->curRL, RECORD_HEADER_SZ);
#endif
#else #else
ret = DECRYPT_ERROR; ret = DECRYPT_ERROR;
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
@@ -15033,13 +15010,9 @@ int ProcessReply(WOLFSSL* ssl)
/* verify digest of message */ /* verify digest of message */
case verifyMessage: case verifyMessage:
#if !defined(WOLFSSL_TLS13) || defined(WOLFSSL_TLS13_DRAFT_18)
if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0)
#else
if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 && if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
(!IsAtLeastTLSv1_3(ssl->version) || (!IsAtLeastTLSv1_3(ssl->version) ||
ssl->curRL.type != change_cipher_spec)) ssl->curRL.type != change_cipher_spec))
#endif
{ {
if (!atomicUser if (!atomicUser
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
@@ -15200,12 +15173,6 @@ int ProcessReply(WOLFSSL* ssl)
#endif #endif
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
#ifdef WOLFSSL_TLS13_DRAFT_18
if (IsAtLeastTLSv1_3(ssl->version)) {
SendAlert(ssl, alert_fatal, illegal_parameter);
return UNKNOWN_RECORD_TYPE;
}
#else
if (IsAtLeastTLSv1_3(ssl->version)) { if (IsAtLeastTLSv1_3(ssl->version)) {
word32 i = ssl->buffers.inputBuffer.idx; word32 i = ssl->buffers.inputBuffer.idx;
if (ssl->options.handShakeState == HANDSHAKE_DONE) { if (ssl->options.handShakeState == HANDSHAKE_DONE) {
@@ -15227,7 +15194,6 @@ int ProcessReply(WOLFSSL* ssl)
} }
break; break;
} }
#endif
#endif #endif
#ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_NO_TLS12
@@ -15635,9 +15601,6 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
} }
#endif /* !NO_OLD_TLS && !WOLFSSL_AEAD_ONLY */ #endif /* !NO_OLD_TLS && !WOLFSSL_AEAD_ONLY */
#ifndef NO_CERTS
#if !defined(NO_MD5) && !defined(NO_OLD_TLS) #if !defined(NO_MD5) && !defined(NO_OLD_TLS)
static int BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest) static int BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest)
{ {
@@ -15780,8 +15743,6 @@ int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes)
return ret; return ret;
} }
#endif /* !NO_CERTS */
#ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_NO_TLS12
/* Persistable BuildMessage arguments */ /* Persistable BuildMessage arguments */
typedef struct BuildMsgArgs { typedef struct BuildMsgArgs {
@@ -18762,7 +18723,15 @@ int GetCipherSuiteFromName(const char* name, byte* cipherSuite0,
{ {
int ret = BAD_FUNC_ARG; int ret = BAD_FUNC_ARG;
int i; int i;
unsigned long len = (unsigned long)XSTRLEN(name); unsigned long len;
const char* nameDelim;
/* Support trailing : */
nameDelim = XSTRSTR(name, ":");
if (nameDelim)
len = (unsigned long)(nameDelim - name);
else
len = (unsigned long)XSTRLEN(name);
for (i = 0; i < GetCipherNamesSize(); i++) { for (i = 0; i < GetCipherNamesSize(); i++) {
if (XSTRNCMP(name, cipher_names[i].name, len) == 0) { if (XSTRNCMP(name, cipher_names[i].name, len) == 0) {
@@ -20292,7 +20261,7 @@ exit_dpk:
return SetCipherSpecs(ssl); return SetCipherSpecs(ssl);
} }
#endif /* WOLFSSL_NO_TLS12 */ #endif /* !WOLFSSL_NO_TLS12 */
/* Make sure client setup is valid for this suite, true on success */ /* Make sure client setup is valid for this suite, true on success */
@@ -27546,9 +27515,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
word32 ageAdd; /* Obfuscation of age */ word32 ageAdd; /* Obfuscation of age */
word16 namedGroup; /* Named group used */ word16 namedGroup; /* Named group used */
#ifndef WOLFSSL_TLS13_DRAFT_18
TicketNonce ticketNonce; /* Ticket nonce */ TicketNonce ticketNonce; /* Ticket nonce */
#endif
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
word32 maxEarlyDataSz; /* Max size of early data */ word32 maxEarlyDataSz; /* Max size of early data */
#endif #endif
@@ -27604,10 +27571,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
it.timestamp = TimeNowInMilliseconds(); it.timestamp = TimeNowInMilliseconds();
/* Resumption master secret. */ /* Resumption master secret. */
XMEMCPY(it.msecret, ssl->session.masterSecret, SECRET_LEN); XMEMCPY(it.msecret, ssl->session.masterSecret, SECRET_LEN);
#ifndef WOLFSSL_TLS13_DRAFT_18
XMEMCPY(&it.ticketNonce, &ssl->session.ticketNonce, XMEMCPY(&it.ticketNonce, &ssl->session.ticketNonce,
sizeof(TicketNonce)); sizeof(TicketNonce));
#endif
#endif #endif
} }
@@ -27756,10 +27721,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif #endif
/* Resumption master secret. */ /* Resumption master secret. */
XMEMCPY(ssl->session.masterSecret, it->msecret, SECRET_LEN); XMEMCPY(ssl->session.masterSecret, it->msecret, SECRET_LEN);
#ifndef WOLFSSL_TLS13_DRAFT_18
XMEMCPY(&ssl->session.ticketNonce, &it->ticketNonce, XMEMCPY(&ssl->session.ticketNonce, &it->ticketNonce,
sizeof(TicketNonce)); sizeof(TicketNonce));
#endif
ssl->session.namedGroup = it->namedGroup; ssl->session.namedGroup = it->namedGroup;
#endif #endif
} }
src/ssl.c
+47 -66
View File
@@ -12517,10 +12517,8 @@ static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom)
copyInto->namedGroup = copyFrom->namedGroup; copyInto->namedGroup = copyFrom->namedGroup;
copyInto->ticketSeen = copyFrom->ticketSeen; copyInto->ticketSeen = copyFrom->ticketSeen;
copyInto->ticketAdd = copyFrom->ticketAdd; copyInto->ticketAdd = copyFrom->ticketAdd;
#ifndef WOLFSSL_TLS13_DRAFT_18
XMEMCPY(&copyInto->ticketNonce, &copyFrom->ticketNonce, XMEMCPY(&copyInto->ticketNonce, &copyFrom->ticketNonce,
sizeof(TicketNonce)); sizeof(TicketNonce));
#endif
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
copyInto->maxEarlyDataSz = copyFrom->maxEarlyDataSz; copyInto->maxEarlyDataSz = copyFrom->maxEarlyDataSz;
#endif #endif
@@ -12628,6 +12626,7 @@ int AddSession(WOLFSSL* ssl)
word32 row = 0; word32 row = 0;
word32 idx = 0; word32 idx = 0;
int error = 0; int error = 0;
const byte* id = NULL;
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
byte* tmpBuff = NULL; byte* tmpBuff = NULL;
int ticLen = 0; int ticLen = 0;
@@ -12647,10 +12646,21 @@ int AddSession(WOLFSSL* ssl)
return 0; return 0;
#endif #endif
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)
if (ssl->options.tls1_3)
id = ssl->session.sessionID;
else
#endif
if (ssl->arrays)
id = ssl->arrays->sessionID;
if (id == NULL) {
return BAD_FUNC_ARG;
}
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
ticLen = ssl->session.ticketLen; ticLen = ssl->session.ticketLen;
/* Alloc Memory here so if Malloc fails can exit outside of lock */ /* Alloc Memory here so if Malloc fails can exit outside of lock */
if(ticLen > SESSION_TICKET_LEN) { if (ticLen > SESSION_TICKET_LEN) {
tmpBuff = (byte*)XMALLOC(ticLen, ssl->heap, tmpBuff = (byte*)XMALLOC(ticLen, ssl->heap,
DYNAMIC_TYPE_SESSION_TICK); DYNAMIC_TYPE_SESSION_TICK);
if(!tmpBuff) if(!tmpBuff)
@@ -12677,17 +12687,7 @@ int AddSession(WOLFSSL* ssl)
{ {
/* Use the session object in the cache for external cache if required. /* Use the session object in the cache for external cache if required.
*/ */
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) row = HashSession(id, ID_LEN, &error) % SESSION_ROWS;
if (ssl->options.tls1_3) {
row = HashSession(ssl->session.sessionID, ID_LEN, &error) %
SESSION_ROWS;
}
else
#endif
{
row = HashSession(ssl->arrays->sessionID, ID_LEN, &error) %
SESSION_ROWS;
}
if (error != 0) { if (error != 0) {
WOLFSSL_MSG("Hash session failed"); WOLFSSL_MSG("Hash session failed");
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
@@ -12704,21 +12704,11 @@ int AddSession(WOLFSSL* ssl)
} }
for (i=0; i<SESSIONS_PER_ROW; i++) { for (i=0; i<SESSIONS_PER_ROW; i++) {
if (ssl->options.tls1_3) { if (XMEMCMP(id, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) {
if (XMEMCMP(ssl->session.sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { WOLFSSL_MSG("Session already exists. Overwriting.");
WOLFSSL_MSG("Session already exists. Overwriting."); overwrite = 1;
overwrite = 1; idx = i;
idx = i; break;
break;
}
}
else {
if (XMEMCMP(ssl->arrays->sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) {
WOLFSSL_MSG("Session already exists. Overwriting.");
overwrite = 1;
idx = i;
break;
}
} }
} }
@@ -12731,22 +12721,19 @@ int AddSession(WOLFSSL* ssl)
session = &SessionCache[row].Sessions[idx]; session = &SessionCache[row].Sessions[idx];
} }
if (!ssl->options.tls1_3) #ifdef WOLFSSL_TLS13
XMEMCPY(session->masterSecret, ssl->arrays->masterSecret, SECRET_LEN);
else
XMEMCPY(session->masterSecret, ssl->session.masterSecret, SECRET_LEN);
session->haveEMS = ssl->options.haveEMS;
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)
if (ssl->options.tls1_3) { if (ssl->options.tls1_3) {
XMEMCPY(session->sessionID, ssl->session.sessionID, ID_LEN); XMEMCPY(session->masterSecret, ssl->session.masterSecret, SECRET_LEN);
session->sessionIDSz = ID_LEN; session->sessionIDSz = ID_LEN;
} }
else else
#endif #endif
{ {
XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN); XMEMCPY(session->masterSecret, ssl->arrays->masterSecret, SECRET_LEN);
session->sessionIDSz = ssl->arrays->sessionIDSz; session->sessionIDSz = ssl->arrays->sessionIDSz;
} }
XMEMCPY(session->sessionID, id, ID_LEN);
session->haveEMS = ssl->options.haveEMS;
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
/* If using compatibility layer then check for and copy over session context /* If using compatibility layer then check for and copy over session context
@@ -12767,7 +12754,7 @@ int AddSession(WOLFSSL* ssl)
if (error == 0) { if (error == 0) {
/* Cleanup cache row's old Dynamic buff if exists */ /* Cleanup cache row's old Dynamic buff if exists */
if(session->isDynamic) { if (session->isDynamic) {
XFREE(session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); XFREE(session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
session->ticket = NULL; session->ticket = NULL;
} }
@@ -12829,10 +12816,8 @@ int AddSession(WOLFSSL* ssl)
if (error == 0) { if (error == 0) {
session->ticketSeen = ssl->session.ticketSeen; session->ticketSeen = ssl->session.ticketSeen;
session->ticketAdd = ssl->session.ticketAdd; session->ticketAdd = ssl->session.ticketAdd;
#ifndef WOLFSSL_TLS13_DRAFT_18
XMEMCPY(&session->ticketNonce, &ssl->session.ticketNonce, XMEMCPY(&session->ticketNonce, &ssl->session.ticketNonce,
sizeof(TicketNonce)); sizeof(TicketNonce));
#endif
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
session->maxEarlyDataSz = ssl->session.maxEarlyDataSz; session->maxEarlyDataSz = ssl->session.maxEarlyDataSz;
#endif #endif
@@ -13462,7 +13447,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->client_psk_cb = cb; ctx->client_psk_cb = cb;
} }
void wolfSSL_set_psk_client_callback(WOLFSSL* ssl,wc_psk_client_callback cb) void wolfSSL_set_psk_client_callback(WOLFSSL* ssl,wc_psk_client_callback cb)
{ {
byte haveRSA = 1; byte haveRSA = 1;
@@ -13488,7 +13472,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.side);
} }
void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX* ctx, void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX* ctx,
wc_psk_server_callback cb) wc_psk_server_callback cb)
{ {
@@ -13499,7 +13482,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->server_psk_cb = cb; ctx->server_psk_cb = cb;
} }
void wolfSSL_set_psk_server_callback(WOLFSSL* ssl,wc_psk_server_callback cb) void wolfSSL_set_psk_server_callback(WOLFSSL* ssl,wc_psk_server_callback cb)
{ {
byte haveRSA = 1; byte haveRSA = 1;
@@ -13524,7 +13506,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl->options.haveStaticECC, ssl->options.side); ssl->options.haveStaticECC, ssl->options.side);
} }
const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl) const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl)
{ {
WOLFSSL_ENTER("SSL_get_psk_identity_hint"); WOLFSSL_ENTER("SSL_get_psk_identity_hint");
@@ -13546,7 +13527,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return ssl->arrays->client_identity; return ssl->arrays->client_identity;
} }
int wolfSSL_CTX_use_psk_identity_hint(WOLFSSL_CTX* ctx, const char* hint) int wolfSSL_CTX_use_psk_identity_hint(WOLFSSL_CTX* ctx, const char* hint)
{ {
WOLFSSL_ENTER("SSL_CTX_use_psk_identity_hint"); WOLFSSL_ENTER("SSL_CTX_use_psk_identity_hint");
@@ -13563,7 +13543,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
int wolfSSL_use_psk_identity_hint(WOLFSSL* ssl, const char* hint) int wolfSSL_use_psk_identity_hint(WOLFSSL* ssl, const char* hint)
{ {
WOLFSSL_ENTER("SSL_use_psk_identity_hint"); WOLFSSL_ENTER("SSL_use_psk_identity_hint");
@@ -13581,6 +13560,28 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
void* wolfSSL_get_psk_callback_ctx(WOLFSSL* ssl)
{
return ssl ? ssl->options.psk_ctx : NULL;
}
void* wolfSSL_CTX_get_psk_callback_ctx(WOLFSSL_CTX* ctx)
{
return ctx ? ctx->psk_ctx : NULL;
}
int wolfSSL_set_psk_callback_ctx(WOLFSSL* ssl, void* psk_ctx)
{
if (ssl == NULL)
return WOLFSSL_FAILURE;
ssl->options.psk_ctx = psk_ctx;
return WOLFSSL_SUCCESS;
}
int wolfSSL_CTX_set_psk_callback_ctx(WOLFSSL_CTX* ctx, void* psk_ctx)
{
if (ctx == NULL)
return WOLFSSL_FAILURE;
ctx->psk_ctx = psk_ctx;
return WOLFSSL_SUCCESS;
}
#endif /* NO_PSK */ #endif /* NO_PSK */
@@ -19293,21 +19294,7 @@ static const char* wolfSSL_internal_get_version(const ProtocolVersion* version)
case TLSv1_2_MINOR : case TLSv1_2_MINOR :
return "TLSv1.2"; return "TLSv1.2";
case TLSv1_3_MINOR : case TLSv1_3_MINOR :
#ifdef WOLFSSL_TLS13_DRAFT
#ifdef WOLFSSL_TLS13_DRAFT_18
return "TLSv1.3 (Draft 18)";
#elif defined(WOLFSSL_TLS13_DRAFT_22)
return "TLSv1.3 (Draft 22)";
#elif defined(WOLFSSL_TLS13_DRAFT_23)
return "TLSv1.3 (Draft 23)";
#elif defined(WOLFSSL_TLS13_DRAFT_26)
return "TLSv1.3 (Draft 26)";
#else
return "TLSv1.3 (Draft 28)";
#endif
#else
return "TLSv1.3"; return "TLSv1.3";
#endif
default: default:
return "unknown"; return "unknown";
} }
@@ -27043,11 +27030,9 @@ int wolfSSL_i2d_SSL_SESSION(WOLFSSL_SESSION* sess, unsigned char** p)
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
/* ticketSeen | ticketAdd */ /* ticketSeen | ticketAdd */
size += OPAQUE32_LEN + OPAQUE32_LEN; size += OPAQUE32_LEN + OPAQUE32_LEN;
#ifndef WOLFSSL_TLS13_DRAFT_18
/* ticketNonce */ /* ticketNonce */
size += OPAQUE8_LEN + sess->ticketNonce.len; size += OPAQUE8_LEN + sess->ticketNonce.len;
#endif #endif
#endif
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
size += OPAQUE32_LEN; size += OPAQUE32_LEN;
#endif #endif
@@ -27111,12 +27096,10 @@ int wolfSSL_i2d_SSL_SESSION(WOLFSSL_SESSION* sess, unsigned char** p)
idx += OPAQUE32_LEN; idx += OPAQUE32_LEN;
c32toa(sess->ticketAdd, data + idx); c32toa(sess->ticketAdd, data + idx);
idx += OPAQUE32_LEN; idx += OPAQUE32_LEN;
#ifndef WOLFSSL_TLS13_DRAFT_18
data[idx++] = sess->ticketNonce.len; data[idx++] = sess->ticketNonce.len;
XMEMCPY(data + idx, sess->ticketNonce.data, sess->ticketNonce.len); XMEMCPY(data + idx, sess->ticketNonce.data, sess->ticketNonce.len);
idx += sess->ticketNonce.len; idx += sess->ticketNonce.len;
#endif #endif
#endif
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
c32toa(sess->maxEarlyDataSz, data + idx); c32toa(sess->maxEarlyDataSz, data + idx);
idx += OPAQUE32_LEN; idx += OPAQUE32_LEN;
@@ -27296,7 +27279,6 @@ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess,
idx += OPAQUE32_LEN; idx += OPAQUE32_LEN;
ato32(data + idx, &s->ticketAdd); ato32(data + idx, &s->ticketAdd);
idx += OPAQUE32_LEN; idx += OPAQUE32_LEN;
#ifndef WOLFSSL_TLS13_DRAFT_18
if (i - idx < OPAQUE8_LEN) { if (i - idx < OPAQUE8_LEN) {
ret = BUFFER_ERROR; ret = BUFFER_ERROR;
goto end; goto end;
@@ -27310,7 +27292,6 @@ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess,
XMEMCPY(s->ticketNonce.data, data + idx, s->ticketNonce.len); XMEMCPY(s->ticketNonce.data, data + idx, s->ticketNonce.len);
idx += s->ticketNonce.len; idx += s->ticketNonce.len;
#endif #endif
#endif
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
if (i - idx < OPAQUE32_LEN) { if (i - idx < OPAQUE32_LEN) {
ret = BUFFER_ERROR; ret = BUFFER_ERROR;
src/tls.c
+11 -54
View File
@@ -3744,7 +3744,7 @@ int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
&& !defined(HAVE_FFDHE) && !defined(HAVE_FFDHE)
#error Elliptic Curves Extension requires Elliptic Curve Cryptography. \ #error Elliptic Curves Extension requires Elliptic Curve Cryptography. \
Use --enable-ecc in the configure script or define HAVE_ECC. \ Use --enable-ecc in the configure script or define HAVE_ECC. \
Alternatively use FFDHE for DH ciperhsuites. Alternatively use FFDHE for DH ciphersuites.
#endif #endif
static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name, static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name,
@@ -3901,7 +3901,7 @@ static void TLSX_PointFormat_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS)); TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
} }
#endif #endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
@@ -3933,7 +3933,8 @@ static void TLSX_PointFormat_ValidateResponse(WOLFSSL* ssl, byte* semaphore)
#endif #endif
} }
#endif #endif /* !NO_WOLFSSL_SERVER */
#ifndef NO_WOLFSSL_CLIENT #ifndef NO_WOLFSSL_CLIENT
static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list) static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list)
@@ -4117,7 +4118,7 @@ int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl)
return 0; return 0;
} }
#endif #endif /* WOLFSSL_TLS13 && !WOLFSSL_NO_SERVER_GROUPS_EXT */
#if defined(HAVE_FFDHE) && !defined(WOLFSSL_NO_TLS12) #if defined(HAVE_FFDHE) && !defined(WOLFSSL_NO_TLS12)
/* Set the highest priority common FFDHE group on the server as compared to /* Set the highest priority common FFDHE group on the server as compared to
@@ -4267,7 +4268,7 @@ int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl, int checkSupported)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
#endif #endif /* HAVE_SUPPORTED_CURVES */
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
@@ -5912,10 +5913,8 @@ static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz)
*pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN); *pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN);
} }
#ifndef WOLFSSL_TLS13_DRAFT_18
else if (msgType == server_hello || msgType == hello_retry_request) else if (msgType == server_hello || msgType == hello_retry_request)
*pSz += OPAQUE16_LEN; *pSz += OPAQUE16_LEN;
#endif
else else
return SANITY_MSG_E; return SANITY_MSG_E;
@@ -5993,24 +5992,12 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
*pSz += (word16)(OPAQUE8_LEN + *cnt); *pSz += (word16)(OPAQUE8_LEN + *cnt);
} }
#ifndef WOLFSSL_TLS13_DRAFT_18
else if (msgType == server_hello || msgType == hello_retry_request) { else if (msgType == server_hello || msgType == hello_retry_request) {
#ifdef WOLFSSL_TLS13_DRAFT output[0] = ssl->version.major;
if (ssl->version.major == SSLv3_MAJOR && output[1] = ssl->version.minor;
ssl->version.minor == TLSv1_3_MINOR) {
output[0] = TLS_DRAFT_MAJOR;
output[1] = TLS_DRAFT_MINOR;
}
else
#endif
{
output[0] = ssl->version.major;
output[1] = ssl->version.minor;
}
*pSz += OPAQUE16_LEN; *pSz += OPAQUE16_LEN;
} }
#endif
else else
return SANITY_MSG_E; return SANITY_MSG_E;
@@ -6092,9 +6079,7 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL* ssl, byte* input,
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
#ifndef WOLFSSL_TLS13_DRAFT_18
TLSX_SetResponse(ssl, TLSX_SUPPORTED_VERSIONS); TLSX_SetResponse(ssl, TLSX_SUPPORTED_VERSIONS);
#endif
} }
if (minor > newMinor) { if (minor > newMinor) {
ssl->version.minor = minor; ssl->version.minor = minor;
@@ -6115,7 +6100,6 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL* ssl, byte* input,
return VERSION_ERROR; return VERSION_ERROR;
} }
} }
#ifndef WOLFSSL_TLS13_DRAFT_18
else if (msgType == server_hello || msgType == hello_retry_request) { else if (msgType == server_hello || msgType == hello_retry_request) {
/* Must contain one version. */ /* Must contain one version. */
if (length != OPAQUE16_LEN) if (length != OPAQUE16_LEN)
@@ -6124,13 +6108,6 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL* ssl, byte* input,
major = input[0]; major = input[0];
minor = input[OPAQUE8_LEN]; minor = input[OPAQUE8_LEN];
#ifdef WOLFSSL_TLS13_DRAFT
if (major == TLS_DRAFT_MAJOR && minor == TLS_DRAFT_MINOR) {
major = SSLv3_MAJOR;
minor = TLSv1_3_MINOR;
}
#endif
if (major != pv.major) if (major != pv.major)
return VERSION_ERROR; return VERSION_ERROR;
@@ -6160,7 +6137,6 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL* ssl, byte* input,
ssl->version.minor = minor; ssl->version.minor = minor;
} }
} }
#endif
else else
return SANITY_MSG_E; return SANITY_MSG_E;
@@ -6494,7 +6470,6 @@ static int TLSX_SetSignatureAlgorithms(TLSX** extensions, const void* data,
/******************************************************************************/ /******************************************************************************/
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
/* Return the size of the SignatureAlgorithms extension's data. /* Return the size of the SignatureAlgorithms extension's data.
* *
* data Unused * data Unused
@@ -6581,7 +6556,6 @@ static int TLSX_SetSignatureAlgorithmsCert(TLSX** extensions, const void* data,
#define SAC_GET_SIZE TLSX_SignatureAlgorithmsCert_GetSize #define SAC_GET_SIZE TLSX_SignatureAlgorithmsCert_GetSize
#define SAC_WRITE TLSX_SignatureAlgorithmsCert_Write #define SAC_WRITE TLSX_SignatureAlgorithmsCert_Write
#define SAC_PARSE TLSX_SignatureAlgorithmsCert_Parse #define SAC_PARSE TLSX_SignatureAlgorithmsCert_Parse
#endif /* !WOLFSSL_TLS13_DRAFT_18 && !WOLFSSL_TLS13_DRAFT_22 */
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
@@ -9233,10 +9207,8 @@ void TLSX_FreeAll(TLSX* list, void* heap)
break; break;
#endif #endif
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
case TLSX_SIGNATURE_ALGORITHMS_CERT: case TLSX_SIGNATURE_ALGORITHMS_CERT:
break; break;
#endif
case TLSX_KEY_SHARE: case TLSX_KEY_SHARE:
KS_FREE_ALL((KeyShareEntry*)extension->data, heap); KS_FREE_ALL((KeyShareEntry*)extension->data, heap);
@@ -9380,11 +9352,9 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType,
break; break;
#endif #endif
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
case TLSX_SIGNATURE_ALGORITHMS_CERT: case TLSX_SIGNATURE_ALGORITHMS_CERT:
length += SAC_GET_SIZE(extension->data); length += SAC_GET_SIZE(extension->data);
break; break;
#endif
case TLSX_KEY_SHARE: case TLSX_KEY_SHARE:
length += KS_GET_SIZE((KeyShareEntry*)extension->data, msgType); length += KS_GET_SIZE((KeyShareEntry*)extension->data, msgType);
@@ -9558,12 +9528,10 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore,
break; break;
#endif #endif
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
case TLSX_SIGNATURE_ALGORITHMS_CERT: case TLSX_SIGNATURE_ALGORITHMS_CERT:
WOLFSSL_MSG("Signature Algorithms extension to write"); WOLFSSL_MSG("Signature Algorithms extension to write");
offset += SAC_WRITE(extension->data, output + offset); offset += SAC_WRITE(extension->data, output + offset);
break; break;
#endif
case TLSX_KEY_SHARE: case TLSX_KEY_SHARE:
WOLFSSL_MSG("Key Share extension to write"); WOLFSSL_MSG("Key Share extension to write");
@@ -9789,8 +9757,6 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
{ {
int ret = WOLFSSL_SUCCESS; int ret = WOLFSSL_SUCCESS;
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
int i;
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (ssl->options.resuming && ssl->session.namedGroup != 0) { if (ssl->options.resuming && ssl->session.namedGroup != 0) {
return TLSX_UseSupportedCurve(extensions, ssl->session.namedGroup, return TLSX_UseSupportedCurve(extensions, ssl->session.namedGroup,
@@ -9798,7 +9764,9 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
} }
#endif #endif
#ifdef HAVE_SUPPORTED_CURVES
if (ssl->numGroups != 0) { if (ssl->numGroups != 0) {
int i;
for (i = 0; i < ssl->numGroups; i++) { for (i = 0; i < ssl->numGroups; i++) {
ret = TLSX_UseSupportedCurve(extensions, ssl->group[i], ssl->heap); ret = TLSX_UseSupportedCurve(extensions, ssl->group[i], ssl->heap);
if (ret != WOLFSSL_SUCCESS) if (ret != WOLFSSL_SUCCESS)
@@ -9806,6 +9774,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
} }
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
#endif /* HAVE_SUPPORTED_CURVES */
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
@@ -10125,7 +10094,6 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
} }
#endif /* (HAVE_ECC || CURVE25519 || CURVE448) && HAVE_SUPPORTED_CURVES */ #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && HAVE_SUPPORTED_CURVES */
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
if (ssl->certHashSigAlgoSz > 0) { if (ssl->certHashSigAlgoSz > 0) {
WOLFSSL_MSG("Adding signature algorithms cert extension"); WOLFSSL_MSG("Adding signature algorithms cert extension");
if ((ret = TLSX_SetSignatureAlgorithmsCert(&ssl->extensions, if ((ret = TLSX_SetSignatureAlgorithmsCert(&ssl->extensions,
@@ -10133,7 +10101,6 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
return ret; return ret;
} }
} }
#endif /* !WOLFSSL_TLS13_DRAFT_18 && !WOLFSSL_TLS13_DRAFT_22 */
if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) { if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
word16 namedGroup; word16 namedGroup;
@@ -10511,10 +10478,8 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version)) { if (IsAtLeastTLSv1_3(ssl->version)) {
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#ifndef WOLFSSL_TLS13_DRAFT_18
TURN_OFF(semaphore, TURN_OFF(semaphore,
TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#endif
if (!ssl->options.noPskDheKe) if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
@@ -10533,9 +10498,7 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
case hello_retry_request: case hello_retry_request:
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#ifndef WOLFSSL_TLS13_DRAFT_18
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#endif
if (!ssl->options.noPskDheKe) if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE)); TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
@@ -10631,10 +10594,8 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version)) { if (IsAtLeastTLSv1_3(ssl->version)) {
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#ifndef WOLFSSL_TLS13_DRAFT_18
TURN_OFF(semaphore, TURN_OFF(semaphore,
TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#endif
if (!ssl->options.noPskDheKe) if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
@@ -10653,9 +10614,7 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
case hello_retry_request: case hello_retry_request:
XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#ifndef WOLFSSL_TLS13_DRAFT_18
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
#endif
if (!ssl->options.noPskDheKe) if (!ssl->options.noPskDheKe)
TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
/* Cookie is written below as last extension. */ /* Cookie is written below as last extension. */
@@ -11182,7 +11141,6 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
break; break;
#endif #endif
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
case TLSX_SIGNATURE_ALGORITHMS_CERT: case TLSX_SIGNATURE_ALGORITHMS_CERT:
WOLFSSL_MSG("Signature Algorithms extension received"); WOLFSSL_MSG("Signature Algorithms extension received");
#ifdef WOLFSSL_DEBUG_TLS #ifdef WOLFSSL_DEBUG_TLS
@@ -11203,7 +11161,6 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
ret = SAC_PARSE(ssl, input + offset, size, isRequest); ret = SAC_PARSE(ssl, input + offset, size, isRequest);
break; break;
#endif
case TLSX_KEY_SHARE: case TLSX_KEY_SHARE:
WOLFSSL_MSG("Key Share extension received"); WOLFSSL_MSG("Key Share extension received");
src/tls13.c
+54 -613
View File
File diff suppressed because it is too large Load Diff
tests/api.c
+5
View File
@@ -25461,7 +25461,12 @@ static void test_wolfSSL_SESSION(void)
char msg[80]; char msg[80];
printf(testingFmt, "wolfSSL_SESSION()"); printf(testingFmt, "wolfSSL_SESSION()");
/* TLS v1.3 requires session tickets */
#if defined(WOLFSSL_TLS13) && !defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_TLS12)
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
#endif
AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM)); AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM));
AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM));
tests/suites.c
+4 -2
View File
@@ -467,14 +467,16 @@ static int execute_test_case(int svr_argc, char** svr_argv,
/* verify results */ /* verify results */
if ((cliArgs.return_code != 0 && cliTestShouldFail == 0) || if ((cliArgs.return_code != 0 && cliTestShouldFail == 0) ||
(cliArgs.return_code == 0 && cliTestShouldFail != 0)) { (cliArgs.return_code == 0 && cliTestShouldFail != 0)) {
printf("client_test failed\n"); printf("client_test failed %d %s\n", cliArgs.return_code,
cliTestShouldFail ? "(should fail)" : "");
XEXIT(EXIT_FAILURE); XEXIT(EXIT_FAILURE);
} }
join_thread(serverThread); join_thread(serverThread);
if ((svrArgs.return_code != 0 && svrTestShouldFail == 0) || if ((svrArgs.return_code != 0 && svrTestShouldFail == 0) ||
(svrArgs.return_code == 0 && svrTestShouldFail != 0)) { (svrArgs.return_code == 0 && svrTestShouldFail != 0)) {
printf("server_test failed\n"); printf("server_test failed %d %s\n", svrArgs.return_code,
svrTestShouldFail ? "(should fail)" : "");
XEXIT(EXIT_FAILURE); XEXIT(EXIT_FAILURE);
} }
tests/test-tls13.conf
+1
View File
@@ -164,6 +164,7 @@
# client TLSv1.3 # client TLSv1.3
-v 4 -v 4
-l TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256
# server TLSv1.3 KeyUpdate # server TLSv1.3 KeyUpdate
-v 4 -v 4
testsuite/testsuite.c
+1 -1
View File
@@ -152,7 +152,7 @@ int testsuite_test(int argc, char** argv)
return EXIT_FAILURE; return EXIT_FAILURE;
} }
strcpy(arg[0], "echoclient"); strcpy(arg[0], "testsuite");
strcpy(arg[1], "input"); strcpy(arg[1], "input");
strcpy(arg[2], outputName); strcpy(arg[2], outputName);
wolfcrypt/test/test.c
+2 -2
View File
@@ -11781,7 +11781,7 @@ done:
} }
#endif #endif
#ifdef WC_RSA_PSS #if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
static int rsa_pss_test(WC_RNG* rng, RsaKey* key) static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
{ {
byte digest[WC_MAX_DIGEST_SIZE]; byte digest[WC_MAX_DIGEST_SIZE];
@@ -13917,7 +13917,7 @@ int rsa_test(void)
#endif /* WOLFSSL_CERT_REQ */ #endif /* WOLFSSL_CERT_REQ */
#endif /* WOLFSSL_CERT_GEN */ #endif /* WOLFSSL_CERT_GEN */
#ifdef WC_RSA_PSS #if defined(WC_RSA_PSS) && !defined(HAVE_FIPS_VERSION) /* not supported with FIPSv1 */
ret = rsa_pss_test(&rng, &key); ret = rsa_pss_test(&rng, &key);
#endif #endif
wolfssl/internal.h
+2 -27
View File
@@ -1210,19 +1210,6 @@ enum Misc {
TLSv1_2_MINOR = 3, /* TLSv1_2 minor version number */ TLSv1_2_MINOR = 3, /* TLSv1_2 minor version number */
TLSv1_3_MINOR = 4, /* TLSv1_3 minor version number */ TLSv1_3_MINOR = 4, /* TLSv1_3 minor version number */
TLS_DRAFT_MAJOR = 0x7f, /* Draft TLS major version number */ TLS_DRAFT_MAJOR = 0x7f, /* Draft TLS major version number */
#ifdef WOLFSSL_TLS13_DRAFT
#ifdef WOLFSSL_TLS13_DRAFT_18
TLS_DRAFT_MINOR = 0x12, /* Minor version number of TLS draft */
#elif defined(WOLFSSL_TLS13_DRAFT_22)
TLS_DRAFT_MINOR = 0x16, /* Minor version number of TLS draft */
#elif defined(WOLFSSL_TLS13_DRAFT_23)
TLS_DRAFT_MINOR = 0x17, /* Minor version number of TLS draft */
#elif defined(WOLFSSL_TLS13_DRAFT_26)
TLS_DRAFT_MINOR = 0x1a, /* Minor version number of TLS draft */
#else
TLS_DRAFT_MINOR = 0x1c, /* Minor version number of TLS draft */
#endif
#endif
OLD_HELLO_ID = 0x01, /* SSLv2 Client Hello Indicator */ OLD_HELLO_ID = 0x01, /* SSLv2 Client Hello Indicator */
INVALID_BYTE = 0xff, /* Used to initialize cipher specs values */ INVALID_BYTE = 0xff, /* Used to initialize cipher specs values */
NO_COMPRESSION = 0, NO_COMPRESSION = 0,
@@ -2187,12 +2174,8 @@ typedef enum {
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
TLSX_POST_HANDSHAKE_AUTH = 0x0031, TLSX_POST_HANDSHAKE_AUTH = 0x0031,
#endif #endif
#if defined(WOLFSSL_TLS13_DRAFT_18) || defined(WOLFSSL_TLS13_DRAFT_22)
TLSX_KEY_SHARE = 0x0028,
#else
TLSX_SIGNATURE_ALGORITHMS_CERT = 0x0032, TLSX_SIGNATURE_ALGORITHMS_CERT = 0x0032,
TLSX_KEY_SHARE = 0x0033, TLSX_KEY_SHARE = 0x0033,
#endif
#endif #endif
TLSX_RENEGOTIATION_INFO = 0xff01 TLSX_RENEGOTIATION_INFO = 0xff01
} TLSX_Type; } TLSX_Type;
@@ -2534,7 +2517,6 @@ WOLFSSL_LOCAL int TLSX_KeyShare_DeriveSecret(WOLFSSL* ssl);
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
#ifndef WOLFSSL_TLS13_DRAFT_18
/* Ticket nonce - for deriving PSK. /* Ticket nonce - for deriving PSK.
* Length allowed to be: 1..255. Only support 4 bytes. * Length allowed to be: 1..255. Only support 4 bytes.
*/ */
@@ -2542,7 +2524,6 @@ typedef struct TicketNonce {
byte len; byte len;
byte data[MAX_TICKET_NONCE_SZ]; byte data[MAX_TICKET_NONCE_SZ];
} TicketNonce; } TicketNonce;
#endif
/* The PreSharedKey extension information - entry in a linked list. */ /* The PreSharedKey extension information - entry in a linked list. */
typedef struct PreSharedKey { typedef struct PreSharedKey {
@@ -2767,6 +2748,7 @@ struct WOLFSSL_CTX {
wc_psk_client_tls13_callback client_psk_tls13_cb; /* client callback */ wc_psk_client_tls13_callback client_psk_tls13_cb; /* client callback */
wc_psk_server_tls13_callback server_psk_tls13_cb; /* server callback */ wc_psk_server_tls13_callback server_psk_tls13_cb; /* server callback */
#endif #endif
void* psk_ctx;
char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN]; char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN];
#endif /* HAVE_SESSION_TICKET || !NO_PSK */ #endif /* HAVE_SESSION_TICKET || !NO_PSK */
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
@@ -3169,9 +3151,7 @@ struct WOLFSSL_SESSION {
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
word32 ticketSeen; /* Time ticket seen (ms) */ word32 ticketSeen; /* Time ticket seen (ms) */
word32 ticketAdd; /* Added by client */ word32 ticketAdd; /* Added by client */
#ifndef WOLFSSL_TLS13_DRAFT_18
TicketNonce ticketNonce; /* Nonce used to derive PSK */ TicketNonce ticketNonce; /* Nonce used to derive PSK */
#endif
#endif #endif
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
word32 maxEarlyDataSz; word32 maxEarlyDataSz;
@@ -3358,6 +3338,7 @@ typedef struct Options {
wc_psk_client_tls13_callback client_psk_tls13_cb; /* client callback */ wc_psk_client_tls13_callback client_psk_tls13_cb; /* client callback */
wc_psk_server_tls13_callback server_psk_tls13_cb; /* server callback */ wc_psk_server_tls13_callback server_psk_tls13_cb; /* server callback */
#endif #endif
void* psk_ctx;
#endif /* NO_PSK */ #endif /* NO_PSK */
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
unsigned long mask; /* store SSL_OP_ flags */ unsigned long mask; /* store SSL_OP_ flags */
@@ -3983,11 +3964,9 @@ struct WOLFSSL {
#endif #endif
word16 pssAlgo; word16 pssAlgo;
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
#if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
word16 certHashSigAlgoSz; /* SigAlgoCert ext length in bytes */ word16 certHashSigAlgoSz; /* SigAlgoCert ext length in bytes */
byte certHashSigAlgo[WOLFSSL_MAX_SIGALGO]; /* cert sig/algo to byte certHashSigAlgo[WOLFSSL_MAX_SIGALGO]; /* cert sig/algo to
* offer */ * offer */
#endif /* !WOLFSSL_TLS13_DRAFT_18 && !WOLFSSL_TLS13_DRAFT_22 */
#endif #endif
#ifdef HAVE_NTRU #ifdef HAVE_NTRU
word16 peerNtruKeyLen; word16 peerNtruKeyLen;
@@ -4345,12 +4324,8 @@ WOLFSSL_LOCAL int SendTicket(WOLFSSL*);
WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32); WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32);
WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int); WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int);
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
#ifdef WOLFSSL_TLS13_DRAFT_18
WOLFSSL_LOCAL int SendTls13HelloRetryRequest(WOLFSSL*);
#else
WOLFSSL_LOCAL int SendTls13ServerHello(WOLFSSL*, byte); WOLFSSL_LOCAL int SendTls13ServerHello(WOLFSSL*, byte);
#endif #endif
#endif
WOLFSSL_LOCAL int SendCertificate(WOLFSSL*); WOLFSSL_LOCAL int SendCertificate(WOLFSSL*);
WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*); WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*);
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
wolfssl/ssl.h
+5
View File
@@ -1950,6 +1950,11 @@ enum { /* ssl Constants */
WOLFSSL_API void wolfSSL_set_psk_server_tls13_callback(WOLFSSL*, WOLFSSL_API void wolfSSL_set_psk_server_tls13_callback(WOLFSSL*,
wc_psk_server_tls13_callback); wc_psk_server_tls13_callback);
#endif #endif
WOLFSSL_API void* wolfSSL_get_psk_callback_ctx(WOLFSSL*);
WOLFSSL_API int wolfSSL_set_psk_callback_ctx(WOLFSSL*, void*);
WOLFSSL_API void* wolfSSL_CTX_get_psk_callback_ctx(WOLFSSL_CTX*);
WOLFSSL_API int wolfSSL_CTX_set_psk_callback_ctx(WOLFSSL_CTX*, void*);
#define PSK_TYPES_DEFINED #define PSK_TYPES_DEFINED
#endif /* NO_PSK */ #endif /* NO_PSK */
wolfssl/test.h
+9 -7
View File
@@ -1302,7 +1302,7 @@ static WC_INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
(void)key_max_len; (void)key_max_len;
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */ /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
strncpy(identity, kIdentityStr, id_max_len); XSTRNCPY(identity, kIdentityStr, id_max_len);
if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) { if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) {
/* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using /* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
@@ -1336,7 +1336,7 @@ static WC_INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identit
(void)key_max_len; (void)key_max_len;
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */ /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
if (strncmp(identity, kIdentityStr, strlen(kIdentityStr)) != 0) if (XSTRNCMP(identity, kIdentityStr, XSTRLEN(kIdentityStr)) != 0)
return 0; return 0;
if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) { if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) {
@@ -1370,13 +1370,14 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
{ {
int i; int i;
int b = 0x01; int b = 0x01;
const char* userCipher = (const char*)wolfSSL_get_psk_callback_ctx(ssl);
(void)ssl; (void)ssl;
(void)hint; (void)hint;
(void)key_max_len; (void)key_max_len;
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */ /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
strncpy(identity, kIdentityStr, id_max_len); XSTRNCPY(identity, kIdentityStr, id_max_len);
for (i = 0; i < 32; i++, b += 0x22) { for (i = 0; i < 32; i++, b += 0x22) {
if (b >= 0x100) if (b >= 0x100)
@@ -1384,7 +1385,7 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl,
key[i] = b; key[i] = b;
} }
*ciphersuite = "TLS13-AES128-GCM-SHA256"; *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
return 32; /* length of key in octets or 0 for error */ return 32; /* length of key in octets or 0 for error */
} }
@@ -1396,12 +1397,13 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
{ {
int i; int i;
int b = 0x01; int b = 0x01;
const char* userCipher = (const char*)wolfSSL_get_psk_callback_ctx(ssl);
(void)ssl; (void)ssl;
(void)key_max_len; (void)key_max_len;
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */ /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
if (strncmp(identity, kIdentityStr, strlen(kIdentityStr)) != 0) if (XSTRNCMP(identity, kIdentityStr, XSTRLEN(kIdentityStr)) != 0)
return 0; return 0;
for (i = 0; i < 32; i++, b += 0x22) { for (i = 0; i < 32; i++, b += 0x22) {
@@ -1410,12 +1412,12 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl,
key[i] = b; key[i] = b;
} }
*ciphersuite = "TLS13-AES128-GCM-SHA256"; *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256";
return 32; /* length of key in octets or 0 for error */ return 32; /* length of key in octets or 0 for error */
} }
#endif /* NO_PSK */ #endif /* !NO_PSK */
#if defined(WOLFSSL_USER_CURRTIME) #if defined(WOLFSSL_USER_CURRTIME)
wolfssl/wolfcrypt/memory.h
+5 -1
View File
@@ -110,7 +110,11 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb*,
#elif defined (OPENSSL_EXTRA) #elif defined (OPENSSL_EXTRA)
/* extra storage in structs for multiple attributes and order */ /* extra storage in structs for multiple attributes and order */
#ifndef LARGEST_MEM_BUCKET #ifndef LARGEST_MEM_BUCKET
#define LARGEST_MEM_BUCKET 25600 #ifdef WOLFSSL_TLS13
#define LARGEST_MEM_BUCKET 25792
#else
#define LARGEST_MEM_BUCKET 25600
#endif
#endif #endif
#define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3360,4480,\ #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3360,4480,\
LARGEST_MEM_BUCKET LARGEST_MEM_BUCKET
wolfssl/wolfcrypt/settings.h
+6
View File
@@ -2244,6 +2244,12 @@ extern void uITRON4_free(void *p) ;
#define WOLFSSL_NO_CONSTCHARCONST #define WOLFSSL_NO_CONSTCHARCONST
#endif #endif
/* FIPS v1 does not support TLS v1.3 (requires RSA PSS and HKDF) */
#if defined(HAVE_FIPS) && !defined(HAVE_FIPS_VERSION)
#undef WC_RSA_PSS
#undef WOLFSSL_TLS13
#endif
#ifdef __cplusplus #ifdef __cplusplus
} /* extern "C" */ } /* extern "C" */