From 2e223fb1014a5709c1b1446ac2b27b12b7c6bdda Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Tue, 5 Jan 2021 17:02:43 +0900 Subject: [PATCH 01/19] implemeted wolfSSL_CTX_get0/set1_param, and corresponding to sub-methods --- src/internal.c | 12 ++++ src/ssl.c | 110 ++++++++++++++++++++++++++++- tests/api.c | 157 +++++++++++++++++++++++++++++++++++++----- wolfssl/internal.h | 1 + wolfssl/openssl/ssl.h | 9 +++ wolfssl/ssl.h | 12 ++++ 6 files changed, 283 insertions(+), 18 deletions(-) diff --git a/src/internal.c b/src/internal.c index 79ec90351..7baad8c51 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1800,6 +1800,15 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) #ifdef OPENSSL_EXTRA /* setup WOLFSSL_X509_STORE */ ctx->x509_store.cm = ctx->cm; + + /* WOLFSSL_X509_VERIFY_PARAM */ + if ((ctx->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + ctx->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { + WOLFSSL_MSG("ctx->param memory error"); + return MEMORY_E; + } + XMEMSET(ctx->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); #endif #endif @@ -1948,6 +1957,9 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) XFREE((void *)ctx->alpn_cli_protos, NULL, DYNAMIC_TYPE_OPENSSL); ctx->alpn_cli_protos = NULL; } + if (ctx->param) { + XFREE(ctx->param, ctx->heap, DYNAMIC_TYPE_OPENSSL); + } #endif #ifdef WOLFSSL_STATIC_EPHEMERAL #ifndef NO_DH diff --git a/src/ssl.c b/src/ssl.c index c483d36b3..1b9d6835c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -26195,6 +26195,68 @@ int wolfSSL_X509_VERIFY_PARAM_clear_flags(WOLFSSL_X509_VERIFY_PARAM *param, } +/* +* WOLFSSL_VPARAM_DEFAULT any values in "src" is copied +* if "src" value is new for "to". +* WOLFSSL_VPARAM_OVERWRITE all values of "form" are copied to "to" +* WOLFSSL_VPARAM_RESET_FLAGS the flag values are copied, not Ored +* WOLFSSL_VPARAM_LOCKED don't copy any values +* WOLFSSL_VPARAM_ONCE the current inherit_flags is zerroed +*/ +static int woflSSL_X509_VERIFY_PARAM_inherit(WOLFSSL_X509_VERIFY_PARAM *to, + const WOLFSSL_X509_VERIFY_PARAM *from) +{ + int ret = WOLFSSL_FAILURE; + int isOverWrite = 0; + int isDefault = 0; + unsigned int flags; + + /* sanity check */ + if (!to || !from) { + /* be compatible to openssl return value */ + return WOLFSSL_SUCCESS; + } + flags = to->inherit_flags | from->inherit_flags; + + if (flags & WOLFSSL_VPARAM_LOCKED) { + return WOLFSSL_SUCCESS; + } + + if (flags & WOLFSSL_VPARAM_ONCE) { + to->inherit_flags = 0; + } + + isOverWrite = (flags & WOLFSSL_VPARAM_OVERWRITE); + isDefault = (flags & WOLFSSL_VPARAM_DEFAULT); + + /* copy check_time if check time is not set */ + if ((to->flags & WOLFSSL_USE_CHECK_TIME) == 0 || isOverWrite) { + to->check_time = from->check_time; + to->flags &= ~WOLFSSL_USE_CHECK_TIME; + } + /* host name */ + if (isOverWrite || + (from->hostName[0] != 0 && (to->hostName[0] == 0 || isDefault))) { + if (!(ret = wolfSSL_X509_VERIFY_PARAM_set1_host(to, from->hostName, + XSTRLEN(from->hostName)))) + return ret; + to->hostFlags = from->hostFlags; + } + /* ip ascii */ + if (isOverWrite || + (from->ipasc[0] != 0 && (to->ipasc[0] == 0 || isDefault))) { + + if (!(ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(to, from->ipasc))) + return ret; + } + + if (flags & WOLFSSL_VPARAM_RESET_FLAGS) + to->flags = 0; + + to->flags |= from->flags; + + return ret; +} /****************************************************************************** * wolfSSL_X509_VERIFY_PARAM_set1_host - sets the DNS hostname to name * hostnames is cleared if name is NULL or empty. @@ -26236,12 +26298,32 @@ int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, return WOLFSSL_SUCCESS; } /****************************************************************************** -* wolfSSL_get0_param - return a pointer to the SSL verification parameters +* wolfSSL_CTX_set1_param - set a pointer to the SSL verification parameters +* +* RETURNS: +* WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE +*/ +int wolfSSL_CTX_set1_param(WOLFSSL_CTX* ctx, WOLFSSL_X509_VERIFY_PARAM *vpm) +{ + return wolfSSL_X509_VERIFY_PARAM_set1(ctx->param, vpm); +} + +/****************************************************************************** +* wolfSSL_CTX/_get0_param - return a pointer to the SSL verification parameters * * RETURNS: * returns pointer to the SSL verification parameters on success, * otherwise returns NULL */ +WOLFSSL_X509_VERIFY_PARAM* wolfSSL_CTX_get0_param(WOLFSSL_CTX* ctx) +{ + if (ctx == NULL) { + return NULL; + } + + return ctx->param; +} + WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl) { if (ssl == NULL) { @@ -26250,6 +26332,32 @@ WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl) return ssl->param; } +/* Set VERIFY PARAM from "from" pointer to "to" pointer */ +int wolfSSL_X509_VERIFY_PARAM_set1(WOLFSSL_X509_VERIFY_PARAM *to, + const WOLFSSL_X509_VERIFY_PARAM *from) +{ + int ret = WOLFSSL_FAILURE; + unsigned int _inherit_flags; + + if (!to) { + return ret; + } + /* keeps the inherit flags for save */ + _inherit_flags = to->inherit_flags; + + /* Ored DEFAULT inherit flag proerty to copy "from" contents to "to" + * contends + */ + to->inherit_flags |= WOLFSSL_VPARAM_DEFAULT; + + ret = woflSSL_X509_VERIFY_PARAM_inherit(to, from); + + /* restore inherit flag */ + to->inherit_flags = _inherit_flags; + + return ret; +} + /* Set the host flag in the X509_VERIFY_PARAM structure */ void wolfSSL_X509_VERIFY_PARAM_set_hostflags(WOLFSSL_X509_VERIFY_PARAM* param, unsigned int flags) diff --git a/tests/api.c b/tests/api.c index 63e329fb0..759523728 100644 --- a/tests/api.c +++ b/tests/api.c @@ -28045,6 +28045,50 @@ static void test_wolfSSL_X509_STORE_CTX_set_time(void) #endif /* OPENSSL_EXTRA */ } +static void test_wolfSSL_CTX_get0_set1_param(void) +{ +#if defined(OPENSSL_EXTRA) + int ret; + SSL_CTX* ctx; + WOLFSSL_X509_VERIFY_PARAM* pParam; + WOLFSSL_X509_VERIFY_PARAM* pvpm; + char testIPv4[] = "127.0.0.1"; + char testhostName[] = "foo.hoge.com"; + + printf(testingFmt, "wolfSSL_CTX_get0_set1_param()"); + + #ifndef NO_WOLFSSL_SERVER + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + #else + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + #endif + + AssertNotNull(pParam = SSL_CTX_get0_param(ctx)); + + pvpm = (WOLFSSL_X509_VERIFY_PARAM *)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL); + AssertNotNull(pvpm); + + wolfSSL_X509_VERIFY_PARAM_set1_host(pvpm, testhostName, + XSTRLEN(testhostName)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(pvpm, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(pvpm, 0x01); + + ret = SSL_CTX_set1_param(ctx, pvpm); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(pParam->hostName, testhostName, + XSTRLEN(testhostName))); + AssertIntEQ(0x01, pParam->hostFlags); + AssertIntEQ(0, XSTRNCMP(pParam->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + + SSL_CTX_free(ctx); + + XFREE(pvpm, NULL, DYNAMIC_TYPE_OPENSSL); + + printf(resultFmt, passed); +#endif /* OPENSSL_EXTRA && !defined(NO_RSA)*/ +} + static void test_wolfSSL_get0_param(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) @@ -29903,50 +29947,128 @@ static void test_wolfSSL_X509_ALGOR_get0(void) static void test_wolfSSL_X509_VERIFY_PARAM(void) { #if defined(OPENSSL_EXTRA) - WOLFSSL_X509_VERIFY_PARAM *param; + WOLFSSL_X509_VERIFY_PARAM *paramTo; + WOLFSSL_X509_VERIFY_PARAM *paramFrom; int ret; char testIPv4[] = "127.0.0.1"; char testIPv6[] = "0001:0000:0000:0000:0000:0000:0000:0000/32"; - + char testhostName1[] = "foo.hoge.com"; + char testhostName2[] = "foobar.hoge.com"; + printf(testingFmt, "wolfSSL_X509()"); - param = wolfSSL_X509_VERIFY_PARAM_new(); - AssertNotNull(param); + paramTo = wolfSSL_X509_VERIFY_PARAM_new(); + AssertNotNull(paramTo); + XMEMSET(paramTo, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); - XMEMSET(param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); + paramFrom = wolfSSL_X509_VERIFY_PARAM_new(); + AssertNotNull(paramFrom); + XMEMSET(paramFrom, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); + ret = wolfSSL_X509_VERIFY_PARAM_set1_host(paramFrom, testhostName1, + XSTRLEN(testhostName1)); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramFrom->hostName, testhostName1, + XSTRLEN(testhostName1))); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(NULL, 0x00); - wolfSSL_X509_VERIFY_PARAM_set_hostflags(param, 0x01); - AssertIntEQ(0x01, param->hostFlags); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramFrom, 0x01); + AssertIntEQ(0x01, paramFrom->hostFlags); ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(NULL, testIPv4); AssertIntEQ(0, ret); - ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv4); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv4); AssertIntEQ(1, ret); - AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + AssertIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); - ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, NULL); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramFrom, NULL); AssertIntEQ(1, ret); - ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv6); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv6); AssertIntEQ(1, ret); - AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + AssertIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); - ret = wolfSSL_X509_VERIFY_PARAM_set_flags(param, WOLFSSL_CRL_CHECKALL); + /* null pointer */ + ret = wolfSSL_X509_VERIFY_PARAM_set1(NULL, paramFrom); + AssertIntEQ(WOLFSSL_FAILURE, ret); + /* in the case of "from" null, returns success */ + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, NULL); + AssertIntEQ(WOLFSSL_SUCCESS, ret); + + ret = wolfSSL_X509_VERIFY_PARAM_set1(NULL, NULL); + AssertIntEQ(WOLFSSL_FAILURE, ret); + + /* inherit flags test : VPARAM_DEFAULT */ + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, + XSTRLEN(testhostName1))); + AssertIntEQ(0x01, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM OVERWRITE */ + wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, + XSTRLEN(testhostName2)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); + + paramTo->inherit_flags = WOLFSSL_VPARAM_OVERWRITE; + + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, + XSTRLEN(testhostName1))); + AssertIntEQ(0x01, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM_RESET_FLAGS */ + wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, + XSTRLEN(testhostName2)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x10); + + paramTo->inherit_flags = WOLFSSL_VPARAM_RESET_FLAGS; + + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, + XSTRLEN(testhostName1))); + AssertIntEQ(0x01, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM_LOCKED */ + wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, + XSTRLEN(testhostName2)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); + + paramTo->inherit_flags = WOLFSSL_VPARAM_LOCKED; + + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName2, + XSTRLEN(testhostName2))); + AssertIntEQ(0x00, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM_ONCE, not testable yet */ + + ret = wolfSSL_X509_VERIFY_PARAM_set_flags(paramTo, WOLFSSL_CRL_CHECKALL); AssertIntEQ(1, ret); - ret = wolfSSL_X509_VERIFY_PARAM_get_flags(param); + ret = wolfSSL_X509_VERIFY_PARAM_get_flags(paramTo); AssertIntEQ(WOLFSSL_CRL_CHECKALL, ret); - ret = wolfSSL_X509_VERIFY_PARAM_clear_flags(param, WOLFSSL_CRL_CHECKALL); + ret = wolfSSL_X509_VERIFY_PARAM_clear_flags(paramTo, WOLFSSL_CRL_CHECKALL); AssertIntEQ(1, ret); - ret = wolfSSL_X509_VERIFY_PARAM_get_flags(param); + ret = wolfSSL_X509_VERIFY_PARAM_get_flags(paramTo); AssertIntEQ(0, ret); - wolfSSL_X509_VERIFY_PARAM_free(param); + wolfSSL_X509_VERIFY_PARAM_free(paramTo); + wolfSSL_X509_VERIFY_PARAM_free(paramFrom); printf(resultFmt, passed); @@ -40637,6 +40759,7 @@ void ApiTest(void) test_wolfSSL_X509_STORE(); test_wolfSSL_X509_STORE_load_locations(); test_wolfSSL_BN(); + test_wolfSSL_CTX_get0_set1_param(); #ifndef NO_BIO test_wolfSSL_PEM_read_bio(); test_wolfSSL_BIO(); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index aebfb3a69..8a124dd01 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2837,6 +2837,7 @@ struct WOLFSSL_CTX { byte sessionCtxSz; byte cbioFlag; /* WOLFSSL_CBIO_RECV/SEND: CBIORecv/Send is set */ CallbackInfoState* CBIS; /* used to get info about SSL state */ + WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/ #endif CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 8b7604ea3..1fd838bce 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -558,6 +558,12 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define X509_V_FLAG_NO_CHECK_TIME WOLFSSL_NO_CHECK_TIME #define X509_CHECK_FLAG_NO_WILDCARDS WOLFSSL_NO_WILDCARDS +#define X509_VP_FLAG_DEFAULT WOLFSSL_VPARAM_DEFAULT +#define X509_VP_FLAG_OVERWRITE WOLFSSL_VPARAM_OVERWRITE +#define X509_VP_FLAG_RESET_FLAGS WOLFSSL_VPARAM_RESET_FLAGS +#define X509_VP_FLAG_LOCKED WOLFSSL_VPARAM_LOCKED +#define X509_VP_FLAG_ONCE WOLFSSL_VPARAM_ONCE + #define X509_STORE_CTX_get_current_cert wolfSSL_X509_STORE_CTX_get_current_cert #define X509_STORE_CTX_set_verify_cb wolfSSL_X509_STORE_CTX_set_verify_cb #define X509_STORE_CTX_new wolfSSL_X509_STORE_CTX_new @@ -605,6 +611,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_VERIFY_PARAM_set_hostflags wolfSSL_X509_VERIFY_PARAM_set_hostflags #define X509_VERIFY_PARAM_set1_host wolfSSL_X509_VERIFY_PARAM_set1_host #define X509_VERIFY_PARAM_set1_ip_asc wolfSSL_X509_VERIFY_PARAM_set1_ip_asc +#define X509_VERIFY_PARAM_set1 wolfSSL_X509_VERIFY_PARAM_set1 #define X509_STORE_load_locations wolfSSL_X509_STORE_load_locations #define X509_LOOKUP_add_dir wolfSSL_X509_LOOKUP_add_dir @@ -1312,6 +1319,8 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL_CTX_set_srp_strength wolfSSL_CTX_set_srp_strength #define SSL_get_SSL_CTX wolfSSL_get_SSL_CTX #define SSL_get0_param wolfSSL_get0_param +#define SSL_CTX_get0_param wolfSSL_CTX_get0_param +#define SSL_CTX_set1_param wolfSSL_CTX_set1_param #define SSL_get_srp_username wolfSSL_get_srp_username #define ERR_NUM_ERRORS 16 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index c3372b3f0..69103607e 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -563,8 +563,16 @@ struct WOLFSSL_X509_STORE { #define WOLFSSL_USE_CHECK_TIME 0x2 #define WOLFSSL_NO_CHECK_TIME 0x200000 #define WOLFSSL_HOST_NAME_MAX 256 + +#define WOLFSSL_VPARAM_DEFAULT 0x1 +#define WOLFSSL_VPARAM_OVERWRITE 0x2 +#define WOLFSSL_VPARAM_RESET_FLAGS 0x4 +#define WOLFSSL_VPARAM_LOCKED 0x8 +#define WOLFSSL_VPARAM_ONCE 0x10 + struct WOLFSSL_X509_VERIFY_PARAM { time_t check_time; + unsigned int inherit_flags; unsigned long flags; char hostName[WOLFSSL_HOST_NAME_MAX]; unsigned int hostFlags; @@ -877,7 +885,9 @@ WOLFSSL_API int wolfSSL_CTX_up_ref(WOLFSSL_CTX*); #endif WOLFSSL_ABI WOLFSSL_API WOLFSSL* wolfSSL_new(WOLFSSL_CTX*); WOLFSSL_API WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl); +WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM* wolfSSL_CTX_get0_param(WOLFSSL_CTX* ctx); WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_CTX_set1_param(WOLFSSL_CTX* ctx, WOLFSSL_X509_VERIFY_PARAM *vpm); WOLFSSL_API int wolfSSL_is_server(WOLFSSL*); WOLFSSL_API WOLFSSL* wolfSSL_write_dup(WOLFSSL*); WOLFSSL_ABI WOLFSSL_API int wolfSSL_set_fd (WOLFSSL*, int); @@ -1544,6 +1554,8 @@ WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* p unsigned int nameSz); WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_ip_asc( WOLFSSL_X509_VERIFY_PARAM *param, const char *ipasc); +WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1(WOLFSSL_X509_VERIFY_PARAM* to, + const WOLFSSL_X509_VERIFY_PARAM* from); #endif WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_X509_CRL_get_REVOKED(WOLFSSL_X509_CRL*); WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_sk_X509_REVOKED_value( From 544ed3289356e4fc6ef8711f70f937f0ae155f66 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 14 Jan 2021 17:52:12 +0900 Subject: [PATCH 02/19] implemented X509_load_crl_file --- src/ssl.c | 84 +++++++++++++++++++++++++++++++++++++++++++ tests/api.c | 33 +++++++++++++++++ wolfssl/openssl/ssl.h | 1 + wolfssl/ssl.h | 4 +++ 4 files changed, 122 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index 1b9d6835c..d2533eed8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -25980,12 +25980,96 @@ WOLFSSL_X509 *wolfSSL_d2i_X509_fp(XFILE fp, WOLFSSL_X509 **x509) #ifdef HAVE_CRL + +#ifndef NO_BIO +WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, + WOLFSSL_X509_CRL **x) +{ + int derSz; + byte* der = NULL; + WOLFSSL_X509_CRL* crl = NULL; + + if ((derSz = wolfSSL_BIO_get_len(bp)) > 0) { + der = (byte*)XMALLOC(derSz, 0, DYNAMIC_TYPE_DER); + if (der != NULL) { + if (wolfSSL_BIO_read(bp, der, derSz) == derSz) { + crl = wolfSSL_d2i_X509_CRL(x, der, derSz); + } + } + } + + if (der != NULL) { + XFREE(der, 0, DYNAMIC_TYPE_DER); + } + + return crl; +} +#endif + #ifndef NO_FILESYSTEM WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE fp, WOLFSSL_X509_CRL **crl) { WOLFSSL_ENTER("wolfSSL_d2i_X509_CRL_fp"); return (WOLFSSL_X509_CRL *)wolfSSL_d2i_X509_fp_ex(fp, (void **)crl, CRL_TYPE); } + +WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, + const char *file, int type) +{ + int ret = WOLFSSL_FAILURE; + int count = 0; + WOLFSSL_BIO *bio = NULL; + WOLFSSL_X509_CRL *crl =NULL; + + WOLFSSL_ENTER("wolfSSL_X509_load_crl_file"); + + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); + + if ((bio == NULL) || (wolfSSL_BIO_read_filename(bio, file) <= 0)) { + return ret; + } + + if (type == WOLFSSL_FILETYPE_PEM) { + do { + crl = wolfSSL_PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); + if (crl == NULL) { + if (count <= 0) { + WOLFSSL_MSG("Load crl failed"); + } + break; + } + + ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl); + if (ret == WOLFSSL_FAILURE) { + WOLFSSL_MSG("Adding crl failed"); + break; + } + count++; + wolfSSL_X509_CRL_free(crl); + crl = NULL; + } while(crl == NULL); + + ret = count; + } else if (type == WOLFSSL_FILETYPE_ASN1) { + crl = wolfSSL_d2i_X509_CRL_bio(bio, NULL); + if (crl == NULL) { + WOLFSSL_MSG("Load crl failed"); + } else { + ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl); + if (ret == WOLFSSL_FAILURE) { + WOLFSSL_MSG("Adding crl failed"); + } + } + } else { + WOLFSSL_MSG("Invaid file type"); + } + + wolfSSL_X509_CRL_free(crl); + wolfSSL_BIO_free(bio); + + WOLFSSL_LEAVE("wolfSSL_X509_load_crl_file", ret); + return ret; +} #endif /* !NO_FILESYSTEM */ diff --git a/tests/api.c b/tests/api.c index 759523728..f64ff3dd5 100644 --- a/tests/api.c +++ b/tests/api.c @@ -38789,6 +38789,38 @@ static void test_wolfSSL_X509_CRL(void) return; } +static void test_wolfSSL_X509_load_crl_file(void) +{ +#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) + int i; + char pem[][100] = { + "./certs/crl/crl.pem", + "./certs/crl/crl2.pem", + "./certs/crl/caEccCrl.pem", + "./certs/crl/eccCliCRL.pem", + "./certs/crl/eccSrvCRL.pem", + "" + }; + WOLFSSL_X509_STORE* store; + WOLFSSL_X509_LOOKUP* lookup; + + printf(testingFmt, "wolfSSL_X509_laod_crl_file"); + + AssertNotNull(store = wolfSSL_X509_STORE_new()); + AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + + for (i = 0; pem[i][0] != '\0'; i++) + { + AssertIntEQ(wolfSSL_X509_load_crl_file(lookup, pem[i], WOLFSSL_FILETYPE_PEM), 1); + } + + wolfSSL_X509_STORE_free(store); + + printf(resultFmt, passed); + +#endif +} + static void test_wolfSSL_d2i_X509_REQ(void) { #if defined(WOLFSSL_CERT_REQ) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) @@ -40758,6 +40790,7 @@ void ApiTest(void) test_wolfSSL_X509_STORE_CTX_get0_store(); test_wolfSSL_X509_STORE(); test_wolfSSL_X509_STORE_load_locations(); + test_wolfSSL_X509_load_crl_file(); test_wolfSSL_BN(); test_wolfSSL_CTX_get0_set1_param(); #ifndef NO_BIO diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 1fd838bce..db4940107 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -629,6 +629,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_CRL_get_nextUpdate wolfSSL_X509_CRL_get_nextUpdate #define X509_CRL_verify wolfSSL_X509_CRL_verify #define X509_CRL_get_REVOKED wolfSSL_X509_CRL_get_REVOKED +#define X509_load_crl_file wolfSSL_X509_load_crl_file #define X509_get_X509_PUBKEY wolfSSL_X509_get_X509_PUBKEY #define X509_REQ_get_X509_PUBKEY wolfSSL_X509_get_X509_PUBKEY diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 69103607e..61adac213 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1556,6 +1556,8 @@ WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_ip_asc( WOLFSSL_X509_VERIFY_PARAM *param, const char *ipasc); WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1(WOLFSSL_X509_VERIFY_PARAM* to, const WOLFSSL_X509_VERIFY_PARAM* from); +WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, + const char *file, int type); #endif WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_X509_CRL_get_REVOKED(WOLFSSL_X509_CRL*); WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_sk_X509_REVOKED_value( @@ -2266,6 +2268,8 @@ WOLFSSL_API WOLFSSL_X509* WOLFSSL_API int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out); WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL **crl, const unsigned char *in, int len); +WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, + WOLFSSL_X509_CRL **crl); #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE file, WOLFSSL_X509_CRL **crl); #endif From 44a20c8ce6c8bacf882ba1b74ed881d0778a2ef8 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Fri, 15 Jan 2021 15:54:52 +0900 Subject: [PATCH 03/19] add more unit test case for load_crl_file --- certs/crl/crl.der | Bin 0 -> 520 bytes certs/crl/crl2.der | Bin 0 -> 520 bytes certs/crl/gencrls.sh | 5 +++++ certs/crl/include.am | 4 +++- src/ssl.c | 2 ++ tests/api.c | 50 +++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 certs/crl/crl.der create mode 100644 certs/crl/crl2.der diff --git a/certs/crl/crl.der b/certs/crl/crl.der new file mode 100644 index 0000000000000000000000000000000000000000..f8726dd52d15659ed8bdafeff3cdd9d4b8cf05ba GIT binary patch literal 520 zcmXqLVq!69e9OehXu!+HsnzDu_MMlJk(-slpmB;Jw*e;`b0`a&FjHu-p@0D&h{M6d z?wg-il9-nW6Jh6Jcgn9y%}vZR6g1!mso~<`2u>_7$mflJj#72r)4-p($FxXTW2?#l{>eE5gFe#K?r^Q|2Z{Mh1gr zE!n$YsPDc0_SX~MPYm8#l9FQbmkb{`d0JWIukp?P8I-cH%5Oqz<5k_=pHA=gRX=q9 zMp<3G!}+fg?^iLbN*R6H^sr$(F^^6bCmJ6PY3^eWBdgO0LntQ*@h1zSY&NV1+dbWYdGfZ4c z`|<+kRY^M+l%7bl5SU@5_SszYhe3_P#_XArg2%QkH%VMD@1)h5|C8tM6!w^P>2bym z-U<0GB`Svh(`Wb!?Eb3F^+PCn{qj5B!OLA+XHGm6e0;5T&xALZzIvntR7tWjE&Q_7$mflJj#72r)4-p($FxXTW2?#l{>eE5gFe#K?r^Q|2Z{Mh1gr zE!n$YsPDc0_SX~MPYm8#l9FQbmkb{`d0JWIukp?P8I-cH%5Oqz<5k_=pHA=gRX=q9 zMp<3G!}+fg?^iLbN*R6H^sr$(F^^6bCmJ6PY3^eWBdgO0LntQ*@h1zSY&NV1+dbWYdGfZ4c z`|<+kRY^M+l%7bl5SU@5_SszYhe3_P#_XArg2%QkH%VMD@1)h5|C8tM6!w^P>2bym z-U<0GB`Svh(`Wb!?Eb3F^+PCn{qj5B!OLA+XHGm6e0;5T&xALZzIvntR7tWjE&Qstore, crl); if (ret == WOLFSSL_FAILURE) { WOLFSSL_MSG("Adding crl failed"); + } else { + ret = 1;/* handled a file */ } } } else { diff --git a/tests/api.c b/tests/api.c index f64ff3dd5..3ef4d884c 100644 --- a/tests/api.c +++ b/tests/api.c @@ -38801,6 +38801,11 @@ static void test_wolfSSL_X509_load_crl_file(void) "./certs/crl/eccSrvCRL.pem", "" }; + char der[][100] = { + "./certs/crl/crl.der", + "./certs/crl/crl2.der", + "" + }; WOLFSSL_X509_STORE* store; WOLFSSL_X509_LOOKUP* lookup; @@ -38809,12 +38814,57 @@ static void test_wolfSSL_X509_load_crl_file(void) AssertNotNull(store = wolfSSL_X509_STORE_new()); AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", + X509_FILETYPE_PEM), 1); + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", + X509_FILETYPE_PEM), 1); + if (store) { + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + /* since store hasn't yet known the revoked cert*/ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM), 1); + } + for (i = 0; pem[i][0] != '\0'; i++) { AssertIntEQ(wolfSSL_X509_load_crl_file(lookup, pem[i], WOLFSSL_FILETYPE_PEM), 1); } + if (store) { + /* since store knows crl list */ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED); + } + /* once feeing store */ wolfSSL_X509_STORE_free(store); + store = NULL; + + AssertNotNull(store = wolfSSL_X509_STORE_new()); + AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", + X509_FILETYPE_PEM), 1); + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", + X509_FILETYPE_PEM), 1); + if (store) { + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + /* since store hasn't yet known the revoked cert*/ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM), 1); + } + + for (i = 0; der[i][0] != '\0'; i++) + { + AssertIntEQ(wolfSSL_X509_load_crl_file(lookup, der[i], WOLFSSL_FILETYPE_ASN1), 1); + } + + if (store) { + /* since store knows crl list */ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED); + } printf(resultFmt, passed); From e39477c531cf9fe84fb3de767a969801e6782aaf Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 21 Jan 2021 15:32:32 +0900 Subject: [PATCH 04/19] initial implement SSL_get_early_data_status --- examples/client/client.c | 26 ++++++++++++++++++++++++++ examples/server/server.c | 29 +++++++++++++++++++++++++++++ scripts/tls13.test | 2 +- src/internal.c | 3 +++ src/tls.c | 7 +++++++ src/tls13.c | 31 ++++++++++++++++++++++++++++++- wolfssl/error-ssl.h | 3 ++- wolfssl/internal.h | 1 + wolfssl/openssl/ssl.h | 5 +++++ wolfssl/ssl.h | 6 ++++++ 10 files changed, 110 insertions(+), 3 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 79aece83e..06b4fc449 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -329,6 +329,29 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, #endif #ifdef WOLFSSL_EARLY_DATA +static void EarlyDataStatus(WOLFSSL* ssl) +{ + int earlyData_status; + + earlyData_status = wolfSSL_get_early_data_status(ssl); + if (earlyData_status < 0) return; + + printf("Early Data was "); + + switch(earlyData_status) { + case WOLFSSL_EARLY_DATA_NOT_SENT: + printf("not setn.\n"); + break; + case WOLFSSL_EARLY_DATA_REJECTED: + printf("rejected.\n"); + break; + case WOLFSSL_EARLY_DATA_ACCEPTED: + printf("accepted\n"); + break; + default: + printf("unknown...\n"); + } +} static void EarlyData(WOLFSSL_CTX* ctx, WOLFSSL* ssl, const char* msg, int msgSz, char* buffer) { @@ -466,6 +489,9 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, do { err = 0; /* reset error */ ret = wolfSSL_connect(ssl); +#ifdef WOLFSSL_EARLY_DATA + EarlyDataStatus(ssl); +#endif if (ret != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(ssl, 0); #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/examples/server/server.c b/examples/server/server.c index 05b6f2f54..ad63565b0 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -844,6 +844,32 @@ static const char* server_usage_msg[][56] = { #endif }; +#ifdef WOLFSSL_EARLY_DATA +static void EarlyDataStatus(WOLFSSL* ssl) +{ + int earlyData_status; + + earlyData_status = wolfSSL_get_early_data_status(ssl); + if (earlyData_status < 0) return; + + printf("Early Data was "); + + switch(earlyData_status) { + case WOLFSSL_EARLY_DATA_NOT_SENT: + printf("not sent.\n"); + break; + case WOLFSSL_EARLY_DATA_REJECTED: + printf("rejected.\n"); + break; + case WOLFSSL_EARLY_DATA_ACCEPTED: + printf("accepted.\n"); + break; + default: + printf("unknown...\n"); + } +} +#endif + static void Usage(void) { int msgId = 0; @@ -2501,6 +2527,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) do { err = 0; /* reset error */ ret = SSL_accept(ssl); +#ifdef WOLFSSL_EARLY_DATA + EarlyDataStatus(ssl); +#endif if (ret != WOLFSSL_SUCCESS) { err = SSL_get_error(ssl, 0); #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/scripts/tls13.test b/scripts/tls13.test index 7f4c927d3..e7a2b3618 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -257,7 +257,7 @@ if [ "$early_data" = "yes" ]; then grep 'Session Ticket' $client_out_file session_ticket=$? early_data_cnt=`grep 'Early Data' $server_out_file | wc -l` - if [ $session_ticket -eq 0 -a $early_data_cnt -ne 2 ]; then + if [ $session_ticket -eq 0 -a $early_data_cnt -ne 4 ]; then RESULT=1 fi if [ $RESULT -ne 0 ]; then diff --git a/src/internal.c b/src/internal.c index 7baad8c51..eeebe5302 100644 --- a/src/internal.c +++ b/src/internal.c @@ -18927,6 +18927,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case NO_CERT_ERROR: return "TLS1.3 No Certificate Set Error"; + case TOO_MUCH_EARLY_DATA: + return "Too much early data"; + default : return "unknown error number"; } diff --git a/src/tls.c b/src/tls.c index 0df44fc9b..38ebfbf02 100644 --- a/src/tls.c +++ b/src/tls.c @@ -9110,6 +9110,9 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, byte* input, word16 length, if (ssl->earlyData == expecting_early_data) return TLSX_EarlyData_Use(ssl, 0); ssl->earlyData = early_data_ext; + /* client wants to send early data. set this to rejected here. */ + /* Later, it is set to accepted if the server accepts the data. */ + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; return 0; } if (msgType == encrypted_extensions) { @@ -9122,6 +9125,10 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, byte* input, word16 length, if (ssl->options.pskIdIndex != 1) return PSK_KEY_ERROR; + if (ssl->options.side == WOLFSSL_CLIENT_END) + /* server could accept early data. */ + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; + return TLSX_EarlyData_Use(ssl, 1); } if (msgType == session_ticket) { diff --git a/src/tls13.c b/src/tls13.c index 83e78a7ab..718630e5f 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -6497,6 +6497,7 @@ static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input, } ssl->earlyData = done_early_data; + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; /* Always encrypted. */ *inOutIdx += ssl->keys.padSz; @@ -8656,11 +8657,24 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) ret = wolfSSL_connect_TLSv13(ssl); if (ret != WOLFSSL_SUCCESS) return WOLFSSL_FATAL_ERROR; + /* on client side, status is set to rejected */ + /* until sever accepts early data */ + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; } if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) { +#ifdef OPENSSL_EXTRA + /* when processed early data exceeds max size */ + if (ssl->earlyDataSz + sz > ssl->session.maxEarlyDataSz) { + ssl->error = TOO_MUCH_EARLY_DATA; + return WOLFSSL_FATAL_ERROR; + } +#endif ret = SendData(ssl, data, sz); - if (ret > 0) + if (ret > 0) { *outSz = ret; + /* store amount of processed early data from client */ + ssl->earlyDataSz += ret; + } } #else return SIDE_ERROR; @@ -8724,6 +8738,21 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) ret = WOLFSSL_FATAL_ERROR; return ret; } + +/* Returns early data status + * + * ssl The SSL/TLS object. + * returns WOLFSSL_EARLY_DATA_ACCEPTED if the data was accepted + * WOLFSSL_EARLY_DATA_REJECTED if the data was rejected + * WOLFSSL_EARLY_DATA_NOT_SENT if no early data was sent + */ +int wolfSSL_get_early_data_status(const WOLFSSL* ssl) +{ + if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) + return BAD_FUNC_ARG; + + return ssl->earlyDataStatus; +} #endif #ifdef HAVE_SECRET_CALLBACK diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 88c47b9c6..68ace3053 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -170,7 +170,8 @@ enum wolfSSL_ErrorCodes { DTLS_SIZE_ERROR = -439, /* Trying to send too much data */ NO_CERT_ERROR = -440, /* TLS1.3 - no cert set error */ APP_DATA_READY = -441, /* DTLS1.2 application data ready for read */ - + TOO_MUCH_EARLY_DATA = -442, /* Too much Early data */ + /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */ /* begin negotiation parameter errors */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 8a124dd01..96ba70dcf 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4367,6 +4367,7 @@ struct WOLFSSL { #ifdef WOLFSSL_EARLY_DATA EarlyDataState earlyData; word32 earlyDataSz; + word32 earlyDataStatus; #endif #ifdef OPENSSL_ALL long verifyCallbackResult; diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index db4940107..2668fd891 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -1333,6 +1333,11 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL_get_rbio wolfSSL_SSL_get_rbio #define SSL_get_wbio wolfSSL_SSL_get_wbio #define SSL_do_handshake wolfSSL_SSL_do_handshake + +#if defined(WOLFSSL_EARLY_DATA) +#define SSL_get_early_data_status wolfSSL_get_early_data_status +#endif + #endif /* OPENSSL_EXTRA */ /* cipher suites for compatibility */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 61adac213..f36f38be8 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -947,6 +947,11 @@ WOLFSSL_API int wolfSSL_connect_TLSv13(WOLFSSL*); WOLFSSL_API int wolfSSL_accept_TLSv13(WOLFSSL*); #ifdef WOLFSSL_EARLY_DATA + +#define WOLFSSL_EARLY_DATA_NOT_SENT 0 +#define WOLFSSL_EARLY_DATA_REJECTED 1 +#define WOLFSSL_EARLY_DATA_ACCEPTED 2 + WOLFSSL_API int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz); WOLFSSL_API int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz); @@ -954,6 +959,7 @@ WOLFSSL_API int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz); WOLFSSL_API int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz); +WOLFSSL_API int wolfSSL_get_early_data_status(const WOLFSSL* ssl); #endif /* WOLFSSL_EARLY_DATA */ #endif /* WOLFSSL_TLS13 */ WOLFSSL_ABI WOLFSSL_API void wolfSSL_CTX_free(WOLFSSL_CTX*); From 141d07e21b80f6bbe630b08b1dd4bfed60cb387b Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Fri, 22 Jan 2021 15:14:31 +0900 Subject: [PATCH 05/19] addressed pre-review comments --- examples/client/client.c | 2 +- src/tls.c | 18 ++++++++++++------ src/tls13.c | 7 +++---- 3 files changed, 16 insertions(+), 11 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 06b4fc449..86882c476 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -340,7 +340,7 @@ static void EarlyDataStatus(WOLFSSL* ssl) switch(earlyData_status) { case WOLFSSL_EARLY_DATA_NOT_SENT: - printf("not setn.\n"); + printf("not sent.\n"); break; case WOLFSSL_EARLY_DATA_REJECTED: printf("rejected.\n"); diff --git a/src/tls.c b/src/tls.c index 38ebfbf02..33e0fbaf6 100644 --- a/src/tls.c +++ b/src/tls.c @@ -9107,12 +9107,17 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, byte* input, word16 length, if (length != 0) return BUFFER_E; - if (ssl->earlyData == expecting_early_data) + if (ssl->earlyData == expecting_early_data) { + + if (ssl->options.maxEarlyDataSz != 0) + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; + else + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; + return TLSX_EarlyData_Use(ssl, 0); + } ssl->earlyData = early_data_ext; - /* client wants to send early data. set this to rejected here. */ - /* Later, it is set to accepted if the server accepts the data. */ - ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; + return 0; } if (msgType == encrypted_extensions) { @@ -9125,9 +9130,10 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, byte* input, word16 length, if (ssl->options.pskIdIndex != 1) return PSK_KEY_ERROR; - if (ssl->options.side == WOLFSSL_CLIENT_END) - /* server could accept early data. */ + if (ssl->options.side == WOLFSSL_CLIENT_END) { + /* the extension from server comes in */ ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; + } return TLSX_EarlyData_Use(ssl, 1); } diff --git a/src/tls13.c b/src/tls13.c index 718630e5f..0422fe270 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -6497,7 +6497,6 @@ static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input, } ssl->earlyData = done_early_data; - ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; /* Always encrypted. */ *inOutIdx += ssl->keys.padSz; @@ -8657,13 +8656,13 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) ret = wolfSSL_connect_TLSv13(ssl); if (ret != WOLFSSL_SUCCESS) return WOLFSSL_FATAL_ERROR; - /* on client side, status is set to rejected */ - /* until sever accepts early data */ + /* on client side, status is set to rejected */ + /* until sever accepts the early data extension. */ ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; } if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) { #ifdef OPENSSL_EXTRA - /* when processed early data exceeds max size */ + /* when processed early data exceeds max size */ if (ssl->earlyDataSz + sz > ssl->session.maxEarlyDataSz) { ssl->error = TOO_MUCH_EARLY_DATA; return WOLFSSL_FATAL_ERROR; From cb3fa8ff9e57627c1dd3af706536968fd430f9e4 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Sat, 23 Jan 2021 08:56:17 +0900 Subject: [PATCH 06/19] SHA224 implementation --- src/ssl.c | 47 ++++++++++++++++++++++++++++++++++++++ tests/api.c | 24 +++++++++++++++++++ wolfssl/openssl/sha.h | 5 ++++ wolfssl/ssl.h | 1 + wolfssl/wolfcrypt/sha256.h | 5 +++- 5 files changed, 81 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index bff47af33..25bdd76f6 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -42931,6 +42931,53 @@ err: } #endif /* ! NO_SHA */ +#ifdef WOLFSSL_SHA224 + /* One shot SHA224 hash of message. + * + * d message to hash + * n size of d buffer + * md buffer to hold digest. Should be WC_SHA224_DIGEST_SIZE. + * + * Note: if md is null then a static buffer of WC_SHA256_DIGEST_SIZE is used. + * When the static buffer is used this function is not thread safe. + * + * Returns a pointer to the message digest on success and NULL on failure. + */ + unsigned char *wolfSSL_SHA224(const unsigned char *d, size_t n, + unsigned char *md) + { + static byte dig[WC_SHA224_DIGEST_SIZE]; + byte* ret = md; + wc_Sha256 sha; + + WOLFSSL_ENTER("wolfSSL_SHA224"); + + if (wc_InitSha224_ex(&sha, NULL, 0) != 0) { + WOLFSSL_MSG("SHA224 Init failed"); + return NULL; + } + + if (wc_Sha224Update(&sha, (const byte*)d, (word32)n) != 0) { + WOLFSSL_MSG("SHA224 Update failed"); + return NULL; + } + + if (md == NULL) { + WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA224 IS NOT " + "THREAD SAFE WHEN md == NULL"); + ret = dig; + } + if (wc_Sha224Final(&sha, ret) != 0) { + WOLFSSL_MSG("SHA224 Final failed"); + wc_Sha224Free(&sha); + return NULL; + } + wc_Sha224Free(&sha); + + return ret; + } +#endif + #ifndef NO_SHA256 /* One shot SHA256 hash of message. * diff --git a/tests/api.c b/tests/api.c index 3ef4d884c..79b1c7781 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33003,6 +33003,29 @@ static void test_wolfSSL_AES_ecb_encrypt(void) #endif } +static void test_wolfSSL_SHA224(void) +{ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA224) && \ + defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) + unsigned char input[] = + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; + unsigned char output[] = + "\x75\x38\x8b\x16\x51\x27\x76\xcc\x5d\xba\x5d\xa1\xfd\x89\x01" + "\x50\xb0\xc6\x45\x5c\xb4\xf5\x8b\x19\x52\x52\x25\x25"; + size_t inLen; + byte hash[WC_SHA224_DIGEST_SIZE]; + + printf(testingFmt, "wolfSSL_SHA224)"); + inLen = XSTRLEN((char*)input); + + XMEMSET(hash, 0, WC_SHA224_DIGEST_SIZE); + AssertNotNull(SHA224(input, inLen, hash)); + AssertIntEQ(XMEMCMP(hash, output, WC_SHA224_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_SHA256(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && \ @@ -40913,6 +40936,7 @@ void ApiTest(void) test_wolfSSL_PEM_write_DHparams(); test_wolfSSL_AES_ecb_encrypt(); test_wolfSSL_SHA256(); + test_wolfSSL_SHA224(); test_wolfSSL_X509_get_serialNumber(); test_wolfSSL_X509_CRL(); test_wolfSSL_d2i_X509_REQ(); diff --git a/wolfssl/openssl/sha.h b/wolfssl/openssl/sha.h index e3a814717..277a70e2c 100644 --- a/wolfssl/openssl/sha.h +++ b/wolfssl/openssl/sha.h @@ -99,6 +99,11 @@ typedef WOLFSSL_SHA224_CTX SHA224_CTX; #define SHA224_Init wolfSSL_SHA224_Init #define SHA224_Update wolfSSL_SHA224_Update #define SHA224_Final wolfSSL_SHA224_Final +#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) + /* SHA224 is only available in non-fips mode because of SHA224 enum in FIPS + * build. */ + #define SHA224 wolfSSL_SHA224 +#endif #endif /* WOLFSSL_SHA224 */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index f36f38be8..d2bdfcf09 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3639,6 +3639,7 @@ WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg); WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne); WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md); +WOLFSSL_API unsigned char *wolfSSL_SHA224(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA256(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA384(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA512(const unsigned char *d, size_t n, unsigned char *md); diff --git a/wolfssl/wolfcrypt/sha256.h b/wolfssl/wolfcrypt/sha256.h index 9538fed7b..2fb267cb0 100644 --- a/wolfssl/wolfcrypt/sha256.h +++ b/wolfssl/wolfcrypt/sha256.h @@ -216,9 +216,12 @@ WOLFSSL_API void wc_Sha256SizeSet(wc_Sha256*, word32); #if !defined(HAVE_FIPS) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) +#if !defined(NO_OLD_SHA_NAMES) + #define SHA224 WC_SHA224 +#endif + #ifndef NO_OLD_WC_NAMES #define Sha224 wc_Sha224 - #define SHA224 WC_SHA224 #define SHA224_BLOCK_SIZE WC_SHA224_BLOCK_SIZE #define SHA224_DIGEST_SIZE WC_SHA224_DIGEST_SIZE #define SHA224_PAD_SIZE WC_SHA224_PAD_SIZE From 95cf3675e956cbb9818645d37054db7a411d22fc Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 28 Jan 2021 12:02:35 +0900 Subject: [PATCH 07/19] implemented SHA256_Transform WIP SHA512_Transform --- src/ssl.c | 38 ++++++++++++++++++++++++++++++-- tests/api.c | 44 ++++++++++++++++++++++++++++++++++++++ wolfcrypt/src/sha256.c | 6 ++++++ wolfssl/openssl/sha.h | 13 +++++++---- wolfssl/wolfcrypt/sha256.h | 4 +++- 5 files changed, 98 insertions(+), 7 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 25bdd76f6..d10cd8545 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17007,8 +17007,29 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + + #if defined(OPENSSL_EXTRA) + int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX* sha256, + const unsigned char* data) + { + int ret; + + WOLFSSL_ENTER("SHA256_Transform"); + #if defined(LITTLE_ENDIAN_ORDER) + { + ByteReverseWords((word32*)data, (word32*)data, WC_SHA256_BLOCK_SIZE); + } + #endif + ret = wc_Sha256Transform((wc_Sha256*)sha256, data); - + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + + return ret; + } + #endif + #ifdef WOLFSSL_SHA384 int wolfSSL_SHA384_Init(WOLFSSL_SHA384_CTX* sha) @@ -17111,7 +17132,20 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } - + #if defined(OPENSSL_EXTRA) + int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX* sha, + const unsigned char* data) + { + int ret = WOLFSSL_SUCCESS; + + WOLFSSL_ENTER("SHA512_Transform"); + (void)sha; + (void)data; + + return ret; + } + #endif + #endif /* WOLFSSL_SHA512 */ #ifdef WOLFSSL_SHA3 diff --git a/tests/api.c b/tests/api.c index 79b1c7781..893d82fb0 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33026,6 +33026,49 @@ static void test_wolfSSL_SHA224(void) #endif } + +static void test_wolfSSL_SHA256_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && \ + defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_SHA256_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xbe\x98\x56\xda\x69\xb4\xb9\x17\x99\x57\x33\x62\xca\xbe\x9f\x77" + "\x91\xd4\xe5\x8c\x43\x62\xd2\xc0\xea\xf9\xfe\xba\xd8\xa9\x37\x18"; + unsigned char output2[] = + "\x67\xd4\x4e\x1d\x67\x61\x7c\x67\x26\x76\x10\x44\xb8\xff\x10\x78" + "\x39\x9a\xc8\x40\x8c\x60\x16\x73\x05\xd6\x61\xa6\x35\x8c\xf2\x91"; + + WOLFSSL_SHA256_CTX sha256; + + printf(testingFmt, "wolfSSL_SHA256_Transform()"); + + XMEMSET(&sha256, 0, sizeof(sha256)); + XMEMSET(&local, 0, sizeof(local)); + + /* Init SHA256 CTX */ + AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); + /* Do Transform*/ + sLen = XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output1, WC_SHA256_DIGEST_SIZE), 0); + + /* Init SHA256 CTX */ + AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); + sLen = XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_SHA256_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output2, WC_SHA256_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_SHA256(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && \ @@ -40936,6 +40979,7 @@ void ApiTest(void) test_wolfSSL_PEM_write_DHparams(); test_wolfSSL_AES_ecb_encrypt(); test_wolfSSL_SHA256(); + test_wolfSSL_SHA256_Transform(); test_wolfSSL_SHA224(); test_wolfSSL_X509_get_serialNumber(); test_wolfSSL_X509_CRL(); diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 50b8cf60f..eb26ad6d6 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -1295,6 +1295,12 @@ static int InitSha256(wc_Sha256* sha256) return InitSha256(sha256); /* reset state */ } + #if defined(OPENSSL_EXTRA) + int wc_Sha256Transform(wc_Sha256* sha, const unsigned char* data) + { + return (Transform_Sha256(sha, data)); + } + #endif #endif /* XTRANSFORM */ #ifdef WOLFSSL_SHA224 diff --git a/wolfssl/openssl/sha.h b/wolfssl/openssl/sha.h index 277a70e2c..e4ff4af6c 100644 --- a/wolfssl/openssl/sha.h +++ b/wolfssl/openssl/sha.h @@ -118,9 +118,10 @@ typedef struct WOLFSSL_SHA256_CTX { WOLFSSL_API int wolfSSL_SHA256_Init(WOLFSSL_SHA256_CTX*); WOLFSSL_API int wolfSSL_SHA256_Update(WOLFSSL_SHA256_CTX*, const void*, - unsigned long); + unsigned long); WOLFSSL_API int wolfSSL_SHA256_Final(unsigned char*, WOLFSSL_SHA256_CTX*); - +WOLFSSL_API int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX*, + const unsigned char *data); enum { SHA256_DIGEST_LENGTH = 32 }; @@ -131,6 +132,8 @@ typedef WOLFSSL_SHA256_CTX SHA256_CTX; #define SHA256_Init wolfSSL_SHA256_Init #define SHA256_Update wolfSSL_SHA256_Update #define SHA256_Final wolfSSL_SHA256_Final +#define SHA256_Transform wolfSSL_SHA256_Transform + #if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) /* SHA256 is only available in non-fips mode because of SHA256 enum in FIPS * build. */ @@ -176,9 +179,10 @@ typedef struct WOLFSSL_SHA512_CTX { WOLFSSL_API int wolfSSL_SHA512_Init(WOLFSSL_SHA512_CTX*); WOLFSSL_API int wolfSSL_SHA512_Update(WOLFSSL_SHA512_CTX*, const void*, - unsigned long); + unsigned long); WOLFSSL_API int wolfSSL_SHA512_Final(unsigned char*, WOLFSSL_SHA512_CTX*); - +WOLFSSL_API int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX*, + const unsigned char*); enum { SHA512_DIGEST_LENGTH = 64 }; @@ -189,6 +193,7 @@ typedef WOLFSSL_SHA512_CTX SHA512_CTX; #define SHA512_Init wolfSSL_SHA512_Init #define SHA512_Update wolfSSL_SHA512_Update #define SHA512_Final wolfSSL_SHA512_Final +#define SHA512_Transform wolfSSL_SHA512_Transform #if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) /* SHA512 is only available in non-fips mode because of SHA512 enum in FIPS * build. */ diff --git a/wolfssl/wolfcrypt/sha256.h b/wolfssl/wolfcrypt/sha256.h index 2fb267cb0..93c794f31 100644 --- a/wolfssl/wolfcrypt/sha256.h +++ b/wolfssl/wolfcrypt/sha256.h @@ -198,7 +198,9 @@ WOLFSSL_API int wc_Sha256Update(wc_Sha256*, const byte*, word32); WOLFSSL_API int wc_Sha256FinalRaw(wc_Sha256*, byte*); WOLFSSL_API int wc_Sha256Final(wc_Sha256*, byte*); WOLFSSL_API void wc_Sha256Free(wc_Sha256*); - +#if defined(OPENSSL_EXTRA) +WOLFSSL_API int wc_Sha256Transform(wc_Sha256*, const byte*); +#endif WOLFSSL_API int wc_Sha256GetHash(wc_Sha256*, byte*); WOLFSSL_API int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst); From 502e1458f95872760d44c43d92185a42a1e84df0 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 28 Jan 2021 14:34:09 +0900 Subject: [PATCH 08/19] Implemented SHA one shot Implemented SHA_Transform --- src/ssl.c | 39 ++++++++++++++++++++++++++++++++ tests/api.c | 50 +++++++++++++++++++++++++++++++++++++++++ wolfcrypt/src/sha.c | 7 ++++++ wolfssl/openssl/sha.h | 21 ++++++++++++----- wolfssl/ssl.h | 1 + wolfssl/wolfcrypt/sha.h | 3 +++ 6 files changed, 116 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index d10cd8545..bf58cfd90 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16884,7 +16884,28 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + #if defined(OPENSSL_EXTRA) + int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX* sha, + const unsigned char* data) + { + int ret; + + WOLFSSL_ENTER("SHA_Transform"); + #if defined(LITTLE_ENDIAN_ORDER) + { + ByteReverseWords((word32*)data, (word32*)data, WC_SHA_BLOCK_SIZE); + } + #endif + ret = wc_ShaTransform((wc_Sha*)sha, data); + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + + return ret; + } + #endif + int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX* sha) { WOLFSSL_ENTER("SHA1_Init"); @@ -16905,6 +16926,14 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, WOLFSSL_ENTER("SHA1_Final"); return SHA_Final(input, sha); } + #if defined(OPENSSL_EXTRA) + int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX* sha, + const unsigned char* data) + { + WOLFSSL_ENTER("SHA1_Transform"); + return (wolfSSL_SHA_Transform(sha, data)); + } + #endif #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 @@ -42919,6 +42948,16 @@ err: defined(WOLFSSL_HAPROXY) #ifndef NO_SHA + /* One shot SHA hash of message. + * + * Wrap SHA1 one shot + */ + unsigned char *wolfSSL_SHA(const unsigned char *d, size_t n, + unsigned char *md) + { + return wolfSSL_SHA1(d, n, md); + } + /* One shot SHA1 hash of message. * * d message to hash diff --git a/tests/api.c b/tests/api.c index 893d82fb0..2c638fe07 100644 --- a/tests/api.c +++ b/tests/api.c @@ -32794,6 +32794,11 @@ static void test_wolfSSL_SHA(void) XMEMSET(out, 0, WC_SHA_DIGEST_SIZE); AssertNotNull(SHA1(in, XSTRLEN((char*)in), out)); AssertIntEQ(XMEMCMP(out, expected, WC_SHA_DIGEST_SIZE), 0); + + /* SHA interface test */ + XMEMSET(out, 0, WC_SHA_DIGEST_SIZE); + AssertNotNull(SHA(in, XSTRLEN((char*)in), out)); + AssertIntEQ(XMEMCMP(out, expected, WC_SHA_DIGEST_SIZE), 0); } #endif @@ -33025,7 +33030,51 @@ static void test_wolfSSL_SHA224(void) printf(resultFmt, passed); #endif } +static void test_wolfSSL_SHA_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && \ + defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_SHA_BLOCK_SIZE]; + word32 sLen = 0; + word32 i; + unsigned char output1[] = + "\xe5\x04\xb4\x92\xed\x8c\x58\x56\x4e\xcd\x1a\x6c\x68\x3f\x05\xbf" + "\x93\x3a\xf7\x09"; + unsigned char output2[] = + "\x8b\x74\xb2\x97\xca\xbc\x5b\x4f\xea\xe6\xc0\x5b\xa0\xb4\x40\x2d" + "\xb8\x08\x6e\x7c"; + WOLFSSL_SHA_CTX sha; + + printf(testingFmt, "wolfSSL_SHA_Transform()"); + + XMEMSET(&sha, 0, sizeof(sha)); + XMEMSET(&local, 0, sizeof(local)); + + /* Init SHA CTX */ + AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); + /* Do Transform*/ + sLen = XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); + for(i = 0; i< 5; i++) { + printf("sha->diges[%d] = 0x%08x\n", i, ((wc_Sha*)&sha)->digest[i]); + } + AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output1, WC_SHA_DIGEST_SIZE), 0); + + /* Init SHA256 CTX */ + AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); + sLen = XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_SHA_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output2, WC_SHA_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +} static void test_wolfSSL_SHA256_Transform(void) { @@ -40978,6 +41027,7 @@ void ApiTest(void) test_wolfSSL_DH_1536_prime(); test_wolfSSL_PEM_write_DHparams(); test_wolfSSL_AES_ecb_encrypt(); + test_wolfSSL_SHA_Transform(); test_wolfSSL_SHA256(); test_wolfSSL_SHA256_Transform(); test_wolfSSL_SHA224(); diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 63f4ed402..35c1589c6 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -773,6 +773,13 @@ int wc_ShaFinal(wc_Sha* sha, byte* hash) return ret; } +#if defined(OPENSSL_EXTRA) +int wc_ShaTransform(wc_Sha* sha, const unsigned char* data) +{ + return (Transform(sha, data)); +} +#endif + #endif /* USE_SHA_SOFTWARE_IMPL */ diff --git a/wolfssl/openssl/sha.h b/wolfssl/openssl/sha.h index e4ff4af6c..9db9a098e 100644 --- a/wolfssl/openssl/sha.h +++ b/wolfssl/openssl/sha.h @@ -52,12 +52,14 @@ typedef struct WOLFSSL_SHA_CTX { WOLFSSL_API int wolfSSL_SHA_Init(WOLFSSL_SHA_CTX*); WOLFSSL_API int wolfSSL_SHA_Update(WOLFSSL_SHA_CTX*, const void*, unsigned long); WOLFSSL_API int wolfSSL_SHA_Final(unsigned char*, WOLFSSL_SHA_CTX*); - +WOLFSSL_API int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX*, + const unsigned char *data); /* SHA1 points to above, shouldn't use SHA0 ever */ WOLFSSL_API int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX*); WOLFSSL_API int wolfSSL_SHA1_Update(WOLFSSL_SHA_CTX*, const void*, unsigned long); WOLFSSL_API int wolfSSL_SHA1_Final(unsigned char*, WOLFSSL_SHA_CTX*); - +WOLFSSL_API int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX*, + const unsigned char *data); enum { SHA_DIGEST_LENGTH = 20 }; @@ -68,6 +70,13 @@ typedef WOLFSSL_SHA_CTX SHA_CTX; #define SHA_Init wolfSSL_SHA_Init #define SHA_Update wolfSSL_SHA_Update #define SHA_Final wolfSSL_SHA_Final +#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_SELFTEST) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) + /* SHA is only available in non-fips mode or fips version > 2 mode + * because of SHA enum in FIPS build. */ + #define SHA wolfSSL_SHA +#endif #define SHA1_Init wolfSSL_SHA1_Init #define SHA1_Update wolfSSL_SHA1_Update @@ -99,9 +108,11 @@ typedef WOLFSSL_SHA224_CTX SHA224_CTX; #define SHA224_Init wolfSSL_SHA224_Init #define SHA224_Update wolfSSL_SHA224_Update #define SHA224_Final wolfSSL_SHA224_Final -#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) - /* SHA224 is only available in non-fips mode because of SHA224 enum in FIPS - * build. */ +#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_SELFTEST) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) + /* SHA224 is only available in non-fips mode or fips version > 2 mode + * because of SHA224 enum in FIPS build. */ #define SHA224 wolfSSL_SHA224 #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d2bdfcf09..a9f7f6738 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3638,6 +3638,7 @@ WOLFSSL_API void wolfSSL_set_verify_depth(WOLFSSL *ssl,int depth); WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg); WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne); +WOLFSSL_API unsigned char *wolfSSL_SHA(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA224(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA256(const unsigned char *d, size_t n, unsigned char *md); diff --git a/wolfssl/wolfcrypt/sha.h b/wolfssl/wolfcrypt/sha.h index 6203d648d..f074f28c4 100644 --- a/wolfssl/wolfcrypt/sha.h +++ b/wolfssl/wolfcrypt/sha.h @@ -169,6 +169,9 @@ WOLFSSL_API void wc_ShaFree(wc_Sha*); WOLFSSL_API int wc_ShaGetHash(wc_Sha*, byte*); WOLFSSL_API int wc_ShaCopy(wc_Sha*, wc_Sha*); +#if defined(OPENSSL_EXTRA) +WOLFSSL_API int wc_ShaTransform(wc_Sha*, const byte*); +#endif #ifdef WOLFSSL_PIC32MZ_HASH WOLFSSL_API void wc_ShaSizeSet(wc_Sha* sha, word32 len); From 525d28f38f6131ed01de36f09c99aeecc9f82231 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Wed, 3 Feb 2021 14:00:03 +0900 Subject: [PATCH 09/19] Implemented MD5_Transform --- src/ssl.c | 20 ++++++++++++++++++++ wolfcrypt/src/md5.c | 7 ++++++- wolfssl/openssl/md5.h | 3 ++- wolfssl/wolfcrypt/md5.h | 8 +++++++- 4 files changed, 35 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index bf58cfd90..08a1ab682 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16832,6 +16832,26 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + + int wolfSSL_MD5_Transform(WOLFSSL_MD5_CTX* md5, const unsigned char* data) + { + int ret; + + WOLFSSL_ENTER("MD5_Transform"); + #if defined(LITTLE_ENDIAN_ORDER) + { + ByteReverseWords((word32*)data, (word32*)data, WC_MD5_BLOCK_SIZE); + } + #endif + + ret = wc_Md5Transform((wc_Md5*)md5, data); + + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + + return ret; + } #endif /* !NO_MD5 */ diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c index 7bc2489e8..d4c92ad0b 100644 --- a/wolfcrypt/src/md5.c +++ b/wolfcrypt/src/md5.c @@ -550,7 +550,12 @@ int wc_Md5Copy(wc_Md5* src, wc_Md5* dst) return ret; } - +#ifdef OPENSSL_EXTRA +int wc_Md5Transform(wc_Md5* md5, const byte* data) +{ + return Transform(md5, data); +} +#endif #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB) int wc_Md5SetFlags(wc_Md5* md5, word32 flags) { diff --git a/wolfssl/openssl/md5.h b/wolfssl/openssl/md5.h index 49ac1e32f..08cbd527e 100644 --- a/wolfssl/openssl/md5.h +++ b/wolfssl/openssl/md5.h @@ -52,13 +52,14 @@ typedef struct WOLFSSL_MD5_CTX { WOLFSSL_API int wolfSSL_MD5_Init(WOLFSSL_MD5_CTX*); WOLFSSL_API int wolfSSL_MD5_Update(WOLFSSL_MD5_CTX*, const void*, unsigned long); WOLFSSL_API int wolfSSL_MD5_Final(unsigned char*, WOLFSSL_MD5_CTX*); - +WOLFSSL_API int wolfSSL_MD5_Transform(WOLFSSL_MD5_CTX*, const unsigned char*); typedef WOLFSSL_MD5_CTX MD5_CTX; #define MD5_Init wolfSSL_MD5_Init #define MD5_Update wolfSSL_MD5_Update #define MD5_Final wolfSSL_MD5_Final +#define MD5_Transform wolfSSL_MD5_Transform #ifdef OPENSSL_EXTRA_BSD #define MD5Init wolfSSL_MD5_Init diff --git a/wolfssl/wolfcrypt/md5.h b/wolfssl/wolfcrypt/md5.h index e2ee13c32..30f46078d 100644 --- a/wolfssl/wolfcrypt/md5.h +++ b/wolfssl/wolfcrypt/md5.h @@ -42,9 +42,12 @@ extern "C" { #endif +#if !defined(NO_OLD_MD5_NAMES) + #define MD5 WC_MD5 +#endif + #ifndef NO_OLD_WC_NAMES #define Md5 wc_Md5 - #define MD5 WC_MD5 #define MD5_BLOCK_SIZE WC_MD5_BLOCK_SIZE #define MD5_DIGEST_SIZE WC_MD5_DIGEST_SIZE #define WC_MD5_PAD_SIZE WC_MD5_PAD_SIZE @@ -109,6 +112,9 @@ WOLFSSL_API int wc_InitMd5_ex(wc_Md5*, void*, int); WOLFSSL_API int wc_Md5Update(wc_Md5*, const byte*, word32); WOLFSSL_API int wc_Md5Final(wc_Md5*, byte*); WOLFSSL_API void wc_Md5Free(wc_Md5*); +#ifdef OPENSSL_EXTRA +WOLFSSL_API int wc_Md5Transform(wc_Md5*, const byte*); +#endif WOLFSSL_API int wc_Md5GetHash(wc_Md5*, byte*); WOLFSSL_API int wc_Md5Copy(wc_Md5*, wc_Md5*); From 82fb498ed5be2f885406d1b571d7712c2d78cdd8 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 4 Feb 2021 10:22:02 +0900 Subject: [PATCH 10/19] Implemented MD5 unit tests --- src/ssl.c | 2 +- tests/api.c | 109 +++++++++++++++++++++++++++++++---- wolfssl/wolfcrypt/settings.h | 1 + 3 files changed, 100 insertions(+), 12 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 08a1ab682..35816ec62 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16838,7 +16838,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, int ret; WOLFSSL_ENTER("MD5_Transform"); - #if defined(LITTLE_ENDIAN_ORDER) + #if defined(BIG_ENDIAN_ORDER) { ByteReverseWords((word32*)data, (word32*)data, WC_MD5_BLOCK_SIZE); } diff --git a/tests/api.c b/tests/api.c index 2c638fe07..6388b0c86 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33008,10 +33008,96 @@ static void test_wolfSSL_AES_ecb_encrypt(void) #endif } +static void test_wolfSSL_MD5(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_MD5) + byte input1[] = ""; + byte input2[] = "message digest"; + byte hash[WC_MD5_DIGEST_SIZE]; + unsigned char output1[] = + "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42\x7e"; + unsigned char output2[] = + "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d\x52\x5a\x2f\x31\xaa\xf1\x61\xd0"; + WOLFSSL_MD5_CTX md5; + + printf(testingFmt, "wolfSSL_MD5()"); + + XMEMSET(&md5, 0, sizeof(md5)); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + AssertIntEQ(wolfSSL_MD5_Update(&md5, input1, + XSTRLEN((const char*)&input1)), 1); + AssertIntEQ(wolfSSL_MD5_Final(hash, &md5), 1); + AssertIntEQ(XMEMCMP(&hash, output1, WC_MD5_DIGEST_SIZE), 0); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + AssertIntEQ(wolfSSL_MD5_Update(&md5, input2, + XSTRLEN((const char*)input2)), 1); + AssertIntEQ(wolfSSL_MD5_Final(hash, &md5), 1); + AssertIntEQ(XMEMCMP(&hash, output2, WC_MD5_DIGEST_SIZE), 0); +#if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) + AssertIntEQ(MD5(input1, XSTRLEN((const char*)&input1), (byte*)&hash), 0); + AssertIntEQ(XMEMCMP(&hash, output1, WC_MD5_DIGEST_SIZE), 0); + + AssertIntEQ(MD5(input2, XSTRLEN((const char*)&input2), (byte*)&hash), 0); + AssertIntEQ(XMEMCMP(&hash, output2, WC_MD5_DIGEST_SIZE), 0); +#endif + + printf(resultFmt, passed); +#endif +} + +static void test_wolfSSL_MD5_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_MD5) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_MD5_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xac\x1d\x1f\x03\xd0\x8e\xa5\x6e\xb7\x67\xab\x1f\x91\x77\x31\x74"; + unsigned char output2[] = + "\x8d\x79\xd3\xef\x90\x25\x17\x67\xc7\x79\x13\xa4\xbc\x7b\xa7\xe3"; + + WOLFSSL_MD5_CTX md5; + + printf(testingFmt, "wolfSSL_MD5_Transform()"); + + XMEMSET(&md5, 0, sizeof(md5)); + XMEMSET(&local, 0, sizeof(local)); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + /* Do Transform*/ + sLen = XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_MD5_Transform(&md5, (const byte*)&local[0]), 1); + + AssertIntEQ(XMEMCMP(&((wc_Md5*)&md5)->digest[0], output1, + WC_MD5_DIGEST_SIZE), 0); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + sLen = XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_MD5_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_MD5_Transform(&md5, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Md5*)&md5)->digest[0], output2, + WC_MD5_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_SHA224(void) { #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA224) && \ - defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) + !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) unsigned char input[] = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; unsigned char output[] = @@ -33032,13 +33118,11 @@ static void test_wolfSSL_SHA224(void) } static void test_wolfSSL_SHA_Transform(void) { -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && \ - defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA) byte input1[] = ""; byte input2[] = "abc"; byte local[WC_SHA_BLOCK_SIZE]; word32 sLen = 0; - word32 i; unsigned char output1[] = "\xe5\x04\xb4\x92\xed\x8c\x58\x56\x4e\xcd\x1a\x6c\x68\x3f\x05\xbf" "\x93\x3a\xf7\x09"; @@ -33059,10 +33143,8 @@ static void test_wolfSSL_SHA_Transform(void) sLen = XSTRLEN((char*)input1); XMEMCPY(local, input1, sLen); AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); - for(i = 0; i< 5; i++) { - printf("sha->diges[%d] = 0x%08x\n", i, ((wc_Sha*)&sha)->digest[i]); - } - AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output1, WC_SHA_DIGEST_SIZE), 0); + AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output1, + WC_SHA_DIGEST_SIZE), 0); /* Init SHA256 CTX */ AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); @@ -33070,7 +33152,8 @@ static void test_wolfSSL_SHA_Transform(void) XMEMSET(local, 0, WC_SHA_BLOCK_SIZE); XMEMCPY(local, input2, sLen); AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); - AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output2, WC_SHA_DIGEST_SIZE), 0); + AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output2, + WC_SHA_DIGEST_SIZE), 0); printf(resultFmt, passed); #endif @@ -33104,7 +33187,8 @@ static void test_wolfSSL_SHA256_Transform(void) sLen = XSTRLEN((char*)input1); XMEMCPY(local, input1, sLen); AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); - AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output1, WC_SHA256_DIGEST_SIZE), 0); + AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output1, + WC_SHA256_DIGEST_SIZE), 0); /* Init SHA256 CTX */ AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); @@ -33112,7 +33196,8 @@ static void test_wolfSSL_SHA256_Transform(void) XMEMSET(local, 0, WC_SHA256_BLOCK_SIZE); XMEMCPY(local, input2, sLen); AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); - AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output2, WC_SHA256_DIGEST_SIZE), 0); + AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output2, + WC_SHA256_DIGEST_SIZE), 0); printf(resultFmt, passed); #endif @@ -41027,6 +41112,8 @@ void ApiTest(void) test_wolfSSL_DH_1536_prime(); test_wolfSSL_PEM_write_DHparams(); test_wolfSSL_AES_ecb_encrypt(); + test_wolfSSL_MD5(); + test_wolfSSL_MD5_Transform(); test_wolfSSL_SHA_Transform(); test_wolfSSL_SHA256(); test_wolfSSL_SHA256_Transform(); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index c025ac9ce..102665c57 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2275,6 +2275,7 @@ extern void uITRON4_free(void *p) ; /* added to have compatibility with SHA256() */ #if !defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) #define NO_OLD_SHA_NAMES + #define NO_OLD_MD5_NAMES #endif #endif From 5fb9aa3f9b4254e007dabcf8c9c5f7e623b6da1e Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Fri, 5 Feb 2021 17:38:58 +0900 Subject: [PATCH 11/19] implemented SHA512_Transform and unit test --- src/ssl.c | 18 +++++++++---- tests/api.c | 52 ++++++++++++++++++++++++++++++++++++-- wolfcrypt/src/sha512.c | 25 ++++++++++++++++++ wolfssl/wolfcrypt/sha512.h | 3 +++ 4 files changed, 91 insertions(+), 7 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 35816ec62..d7b1592f4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17181,19 +17181,27 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } - #if defined(OPENSSL_EXTRA) - int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX* sha, + + int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX* sha512, const unsigned char* data) { int ret = WOLFSSL_SUCCESS; WOLFSSL_ENTER("SHA512_Transform"); - (void)sha; - (void)data; + #if defined(LITTLE_ENDIAN_ORDER) + { + ByteReverseWords64((word64*)data, (word64*)data, + WC_SHA512_BLOCK_SIZE); + } + #endif + ret = wc_Sha512Transform((wc_Sha512*)sha512, data); + + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; return ret; } - #endif #endif /* WOLFSSL_SHA512 */ diff --git a/tests/api.c b/tests/api.c index 6388b0c86..402d026c8 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33161,8 +33161,7 @@ static void test_wolfSSL_SHA_Transform(void) static void test_wolfSSL_SHA256_Transform(void) { -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && \ - defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) byte input1[] = ""; byte input2[] = "abc"; byte local[WC_SHA256_BLOCK_SIZE]; @@ -33227,6 +33226,54 @@ static void test_wolfSSL_SHA256(void) #endif } +static void test_wolfSSL_SHA512_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA512) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_SHA512_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xe8\xcb\x4a\x77\xd5\x81\x78\xcf\x70\x80\xc7\xfb\xe0\x62\x33\x53" + "\xda\x0e\x46\x87\x9d\x63\x67\x02\xb0\x31\x59\xe8\x40\xcb\x86\x30" + "\xa3\x23\xa0\x88\x52\xc9\x7d\x71\xe0\xb5\xe0\x4c\xc1\xb2\xba\x96" + "\x0b\x3e\xe3\xea\x04\xfe\xc4\x6f\xee\x8b\x66\xbd\x0c\xd8\xf4\x91"; + unsigned char output2[] = + "\x0d\xcc\xa0\xeb\x4e\x93\x10\x11\x21\xc8\x04\xfb\x9c\x43\x33\xfd" + "\x41\x31\xab\xca\x3d\x26\xb4\xa9\xab\xd7\x67\xe1\xaf\xaa\xc6\xe2" + "\x83\x4e\xba\x2c\x54\x2e\x8f\x31\x98\x38\x2b\x8f\x9d\xec\x88\xbe" + "\x4d\x5e\x8b\x53\x9d\x4e\xd2\x14\xf0\x96\x20\xaf\x69\x6c\x68\xde"; + + WOLFSSL_SHA512_CTX sha512; + + printf(testingFmt, "wolfSSL_SHA512_Transform()"); + + XMEMSET(&sha512, 0, sizeof(sha512)); + XMEMSET(&local, 0, sizeof(local)); + + /* Init SHA512 CTX */ + AssertIntEQ(wolfSSL_SHA512_Init(&sha512), 1); + + /* Do Transform*/ + sLen = XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha512*)&sha512)->digest[0], output1, + WC_SHA512_DIGEST_SIZE), 0); + + /* Init SHA512 CTX */ + AssertIntEQ(wolfSSL_SHA512_Init(&sha512), 1); + sLen = XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_SHA512_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha512*)&sha512)->digest[0], output2, + WC_SHA512_DIGEST_SIZE), 0); + (void)input1; + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_X509_get_serialNumber(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) @@ -41118,6 +41165,7 @@ void ApiTest(void) test_wolfSSL_SHA256(); test_wolfSSL_SHA256_Transform(); test_wolfSSL_SHA224(); + test_wolfSSL_SHA512_Transform(); test_wolfSSL_X509_get_serialNumber(); test_wolfSSL_X509_CRL(); test_wolfSSL_d2i_X509_REQ(); diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index ef09e5404..45a70e03a 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -916,7 +916,32 @@ void wc_Sha512Free(wc_Sha512* sha512) wolfAsync_DevCtxFree(&sha512->asyncDev, WOLFSSL_ASYNC_MARKER_SHA512); #endif /* WOLFSSL_ASYNC_CRYPT */ } +#if defined(OPENSSL_EXTRA) +int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data) +{ + int ret ; + /* back up buffer */ + #if defined(WOLFSSL_SMALL_STACK) + word64* buffer; + buffer = (word64*) XMALLOC(sizeof(word64) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (buffer == NULL) + return MEMORY_E; + #else + word64 buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64)]; + #endif + + XMEMCPY(buffer, sha->buffer, WC_SHA512_BLOCK_SIZE); + XMEMCPY(sha->buffer, data, WC_SHA512_BLOCK_SIZE); + + ret = Transform_Sha512(sha); + XMEMCPY(sha->buffer, buffer, WC_SHA512_BLOCK_SIZE); + #if defined(WOLFSSL_SMALL_STACK) + XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; +} +#endif #endif /* WOLFSSL_SHA512 */ /* -------------------------------------------------------------------------- */ diff --git a/wolfssl/wolfcrypt/sha512.h b/wolfssl/wolfcrypt/sha512.h index f3e79a263..6b6ad84e9 100644 --- a/wolfssl/wolfcrypt/sha512.h +++ b/wolfssl/wolfcrypt/sha512.h @@ -180,6 +180,9 @@ WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst); WOLFSSL_API int wc_Sha512GetFlags(wc_Sha512* sha512, word32* flags); #endif +#if defined(OPENSSL_EXTRA) +WOLFSSL_API int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data); +#endif #endif /* WOLFSSL_SHA512 */ #if defined(WOLFSSL_SHA384) From cd26444e0185e19bfbc7c2f0f058ac728889fd73 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 18 Feb 2021 09:56:37 +0900 Subject: [PATCH 12/19] addressed jenkins failure part1 --- configure.ac | 2 +- src/ssl.c | 2 +- tests/api.c | 49 ++++++++++++++++++------------------ wolfssl/wolfcrypt/md5.h | 2 +- wolfssl/wolfcrypt/settings.h | 4 ++- 5 files changed, 30 insertions(+), 29 deletions(-) diff --git a/configure.ac b/configure.ac index 507fe147d..08414bb7d 100644 --- a/configure.ac +++ b/configure.ac @@ -5625,7 +5625,7 @@ AC_ARG_ENABLE([oldnames], if test "x$ENABLED_OLDNAMES" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" then AM_CFLAGS="$AM_CFLAGS -DNO_OLD_RNGNAME -DNO_OLD_WC_NAMES -DNO_OLD_SSL_NAMES" - AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES" + AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES -DNO_OLD_MD5_NAME" fi diff --git a/src/ssl.c b/src/ssl.c index d7b1592f4..e77ac2756 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -26415,7 +26415,7 @@ static int woflSSL_X509_VERIFY_PARAM_inherit(WOLFSSL_X509_VERIFY_PARAM *to, if (isOverWrite || (from->hostName[0] != 0 && (to->hostName[0] == 0 || isDefault))) { if (!(ret = wolfSSL_X509_VERIFY_PARAM_set1_host(to, from->hostName, - XSTRLEN(from->hostName)))) + (int)XSTRLEN(from->hostName)))) return ret; to->hostFlags = from->hostFlags; } diff --git a/tests/api.c b/tests/api.c index 402d026c8..8934a3ebf 100644 --- a/tests/api.c +++ b/tests/api.c @@ -28070,14 +28070,14 @@ static void test_wolfSSL_CTX_get0_set1_param(void) AssertNotNull(pvpm); wolfSSL_X509_VERIFY_PARAM_set1_host(pvpm, testhostName, - XSTRLEN(testhostName)); + (int)XSTRLEN(testhostName)); wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(pvpm, testIPv4); wolfSSL_X509_VERIFY_PARAM_set_hostflags(pvpm, 0x01); ret = SSL_CTX_set1_param(ctx, pvpm); AssertIntEQ(1, ret); AssertIntEQ(0, XSTRNCMP(pParam->hostName, testhostName, - XSTRLEN(testhostName))); + (int)XSTRLEN(testhostName))); AssertIntEQ(0x01, pParam->hostFlags); AssertIntEQ(0, XSTRNCMP(pParam->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); @@ -29966,10 +29966,10 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void) XMEMSET(paramFrom, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); ret = wolfSSL_X509_VERIFY_PARAM_set1_host(paramFrom, testhostName1, - XSTRLEN(testhostName1)); + (int)XSTRLEN(testhostName1)); AssertIntEQ(1, ret); AssertIntEQ(0, XSTRNCMP(paramFrom->hostName, testhostName1, - XSTRLEN(testhostName1))); + (int)XSTRLEN(testhostName1))); wolfSSL_X509_VERIFY_PARAM_set_hostflags(NULL, 0x00); @@ -30004,13 +30004,13 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void) ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); AssertIntEQ(1, ret); AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, - XSTRLEN(testhostName1))); + (int)XSTRLEN(testhostName1))); AssertIntEQ(0x01, paramTo->hostFlags); AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); /* inherit flags test : VPARAM OVERWRITE */ wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, - XSTRLEN(testhostName2)); + (int)XSTRLEN(testhostName2)); wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); @@ -30019,13 +30019,13 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void) ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); AssertIntEQ(1, ret); AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, - XSTRLEN(testhostName1))); + (int)XSTRLEN(testhostName1))); AssertIntEQ(0x01, paramTo->hostFlags); AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); /* inherit flags test : VPARAM_RESET_FLAGS */ wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, - XSTRLEN(testhostName2)); + (int)XSTRLEN(testhostName2)); wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x10); @@ -30034,13 +30034,13 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void) ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); AssertIntEQ(1, ret); AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, - XSTRLEN(testhostName1))); + (int)XSTRLEN(testhostName1))); AssertIntEQ(0x01, paramTo->hostFlags); AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); /* inherit flags test : VPARAM_LOCKED */ wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, - XSTRLEN(testhostName2)); + (int)XSTRLEN(testhostName2)); wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); @@ -30049,7 +30049,7 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void) ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); AssertIntEQ(1, ret); AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName2, - XSTRLEN(testhostName2))); + (int)XSTRLEN(testhostName2))); AssertIntEQ(0x00, paramTo->hostFlags); AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); @@ -33034,16 +33034,15 @@ static void test_wolfSSL_MD5(void) /* Init MD5 CTX */ AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); AssertIntEQ(wolfSSL_MD5_Update(&md5, input2, - XSTRLEN((const char*)input2)), 1); + (int)XSTRLEN((const char*)input2)), 1); AssertIntEQ(wolfSSL_MD5_Final(hash, &md5), 1); AssertIntEQ(XMEMCMP(&hash, output2, WC_MD5_DIGEST_SIZE), 0); -#if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && \ - (!defined(HAVE_FIPS) || \ - (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) - AssertIntEQ(MD5(input1, XSTRLEN((const char*)&input1), (byte*)&hash), 0); +#if !defined(NO_OLD_NAMES) && \ + (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))) + AssertIntEQ(MD5(input1, (int)XSTRLEN((const char*)&input1), (byte*)&hash), 0); AssertIntEQ(XMEMCMP(&hash, output1, WC_MD5_DIGEST_SIZE), 0); - AssertIntEQ(MD5(input2, XSTRLEN((const char*)&input2), (byte*)&hash), 0); + AssertIntEQ(MD5(input2, (int)XSTRLEN((const char*)&input2), (byte*)&hash), 0); AssertIntEQ(XMEMCMP(&hash, output2, WC_MD5_DIGEST_SIZE), 0); #endif @@ -33073,7 +33072,7 @@ static void test_wolfSSL_MD5_Transform(void) /* Init MD5 CTX */ AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); /* Do Transform*/ - sLen = XSTRLEN((char*)input1); + sLen = (word32)XSTRLEN((char*)input1); XMEMCPY(local, input1, sLen); AssertIntEQ(wolfSSL_MD5_Transform(&md5, (const byte*)&local[0]), 1); @@ -33082,7 +33081,7 @@ static void test_wolfSSL_MD5_Transform(void) /* Init MD5 CTX */ AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); - sLen = XSTRLEN((char*)input2); + sLen = (word32)XSTRLEN((char*)input2); XMEMSET(local, 0, WC_MD5_BLOCK_SIZE); XMEMCPY(local, input2, sLen); AssertIntEQ(wolfSSL_MD5_Transform(&md5, (const byte*)&local[0]), 1); @@ -33140,7 +33139,7 @@ static void test_wolfSSL_SHA_Transform(void) /* Init SHA CTX */ AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); /* Do Transform*/ - sLen = XSTRLEN((char*)input1); + sLen = (word32)XSTRLEN((char*)input1); XMEMCPY(local, input1, sLen); AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output1, @@ -33148,7 +33147,7 @@ static void test_wolfSSL_SHA_Transform(void) /* Init SHA256 CTX */ AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); - sLen = XSTRLEN((char*)input2); + sLen = (word32)XSTRLEN((char*)input2); XMEMSET(local, 0, WC_SHA_BLOCK_SIZE); XMEMCPY(local, input2, sLen); AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); @@ -33183,7 +33182,7 @@ static void test_wolfSSL_SHA256_Transform(void) /* Init SHA256 CTX */ AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); /* Do Transform*/ - sLen = XSTRLEN((char*)input1); + sLen = (word32)XSTRLEN((char*)input1); XMEMCPY(local, input1, sLen); AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output1, @@ -33191,7 +33190,7 @@ static void test_wolfSSL_SHA256_Transform(void) /* Init SHA256 CTX */ AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); - sLen = XSTRLEN((char*)input2); + sLen = (word32)XSTRLEN((char*)input2); XMEMSET(local, 0, WC_SHA256_BLOCK_SIZE); XMEMCPY(local, input2, sLen); AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); @@ -33255,7 +33254,7 @@ static void test_wolfSSL_SHA512_Transform(void) AssertIntEQ(wolfSSL_SHA512_Init(&sha512), 1); /* Do Transform*/ - sLen = XSTRLEN((char*)input1); + sLen = (word32)XSTRLEN((char*)input1); XMEMCPY(local, input1, sLen); AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, (const byte*)&local[0]), 1); AssertIntEQ(XMEMCMP(&((wc_Sha512*)&sha512)->digest[0], output1, @@ -33263,7 +33262,7 @@ static void test_wolfSSL_SHA512_Transform(void) /* Init SHA512 CTX */ AssertIntEQ(wolfSSL_SHA512_Init(&sha512), 1); - sLen = XSTRLEN((char*)input2); + sLen = (word32)XSTRLEN((char*)input2); XMEMSET(local, 0, WC_SHA512_BLOCK_SIZE); XMEMCPY(local, input2, sLen); AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, (const byte*)&local[0]), 1); diff --git a/wolfssl/wolfcrypt/md5.h b/wolfssl/wolfcrypt/md5.h index 30f46078d..290c5ec91 100644 --- a/wolfssl/wolfcrypt/md5.h +++ b/wolfssl/wolfcrypt/md5.h @@ -42,7 +42,7 @@ extern "C" { #endif -#if !defined(NO_OLD_MD5_NAMES) +#if !defined(NO_OLD_MD5_NAME) #define MD5 WC_MD5 #endif diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 102665c57..f01fcdd56 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2275,7 +2275,9 @@ extern void uITRON4_free(void *p) ; /* added to have compatibility with SHA256() */ #if !defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) #define NO_OLD_SHA_NAMES - #define NO_OLD_MD5_NAMES + #endif + #if !defined(NO_OLD_MD5_NAME) && !defined(HAVE_FIPS) + #define NO_OLD_MD5_NAME #endif #endif From 5ddd2710d7e9b3fa6045671bc7d999a110ac039a Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 18 Feb 2021 11:27:57 +0900 Subject: [PATCH 13/19] addressed jenkins failure part2 --- tests/api.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/api.c b/tests/api.c index 8934a3ebf..5ec6f003f 100644 --- a/tests/api.c +++ b/tests/api.c @@ -28068,6 +28068,7 @@ static void test_wolfSSL_CTX_get0_set1_param(void) pvpm = (WOLFSSL_X509_VERIFY_PARAM *)XMALLOC( sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL); AssertNotNull(pvpm); + XMEMSET(pvpm, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); wolfSSL_X509_VERIFY_PARAM_set1_host(pvpm, testhostName, (int)XSTRLEN(testhostName)); From 9bae05525ca16b62699045660cdfb13aa239c5e0 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 18 Feb 2021 12:07:01 +0900 Subject: [PATCH 14/19] addressed review comments --- examples/client/client.c | 23 ----------------------- examples/server/server.c | 26 -------------------------- src/ssl.c | 10 ---------- wolfssl/internal.h | 2 +- wolfssl/openssl/sha.h | 2 +- wolfssl/ssl.h | 1 - wolfssl/test.h | 26 ++++++++++++++++++++++++++ 7 files changed, 28 insertions(+), 62 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 86882c476..729aacdee 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -329,29 +329,6 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, #endif #ifdef WOLFSSL_EARLY_DATA -static void EarlyDataStatus(WOLFSSL* ssl) -{ - int earlyData_status; - - earlyData_status = wolfSSL_get_early_data_status(ssl); - if (earlyData_status < 0) return; - - printf("Early Data was "); - - switch(earlyData_status) { - case WOLFSSL_EARLY_DATA_NOT_SENT: - printf("not sent.\n"); - break; - case WOLFSSL_EARLY_DATA_REJECTED: - printf("rejected.\n"); - break; - case WOLFSSL_EARLY_DATA_ACCEPTED: - printf("accepted\n"); - break; - default: - printf("unknown...\n"); - } -} static void EarlyData(WOLFSSL_CTX* ctx, WOLFSSL* ssl, const char* msg, int msgSz, char* buffer) { diff --git a/examples/server/server.c b/examples/server/server.c index ad63565b0..00e17e80e 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -844,32 +844,6 @@ static const char* server_usage_msg[][56] = { #endif }; -#ifdef WOLFSSL_EARLY_DATA -static void EarlyDataStatus(WOLFSSL* ssl) -{ - int earlyData_status; - - earlyData_status = wolfSSL_get_early_data_status(ssl); - if (earlyData_status < 0) return; - - printf("Early Data was "); - - switch(earlyData_status) { - case WOLFSSL_EARLY_DATA_NOT_SENT: - printf("not sent.\n"); - break; - case WOLFSSL_EARLY_DATA_REJECTED: - printf("rejected.\n"); - break; - case WOLFSSL_EARLY_DATA_ACCEPTED: - printf("accepted.\n"); - break; - default: - printf("unknown...\n"); - } -} -#endif - static void Usage(void) { int msgId = 0; diff --git a/src/ssl.c b/src/ssl.c index e77ac2756..0b99b5fa4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -42976,16 +42976,6 @@ err: defined(WOLFSSL_HAPROXY) #ifndef NO_SHA - /* One shot SHA hash of message. - * - * Wrap SHA1 one shot - */ - unsigned char *wolfSSL_SHA(const unsigned char *d, size_t n, - unsigned char *md) - { - return wolfSSL_SHA1(d, n, md); - } - /* One shot SHA1 hash of message. * * d message to hash diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 96ba70dcf..7c3491546 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4367,7 +4367,7 @@ struct WOLFSSL { #ifdef WOLFSSL_EARLY_DATA EarlyDataState earlyData; word32 earlyDataSz; - word32 earlyDataStatus; + byte earlyDataStatus; #endif #ifdef OPENSSL_ALL long verifyCallbackResult; diff --git a/wolfssl/openssl/sha.h b/wolfssl/openssl/sha.h index 9db9a098e..c8ee6d4c6 100644 --- a/wolfssl/openssl/sha.h +++ b/wolfssl/openssl/sha.h @@ -75,7 +75,7 @@ typedef WOLFSSL_SHA_CTX SHA_CTX; (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) /* SHA is only available in non-fips mode or fips version > 2 mode * because of SHA enum in FIPS build. */ - #define SHA wolfSSL_SHA + #define SHA wolfSSL_SHA1 #endif #define SHA1_Init wolfSSL_SHA1_Init diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index a9f7f6738..d2bdfcf09 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3638,7 +3638,6 @@ WOLFSSL_API void wolfSSL_set_verify_depth(WOLFSSL *ssl,int depth); WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg); WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne); -WOLFSSL_API unsigned char *wolfSSL_SHA(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA224(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA256(const unsigned char *d, size_t n, unsigned char *md); diff --git a/wolfssl/test.h b/wolfssl/test.h index 5da853e60..50a5c96a2 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -4088,4 +4088,30 @@ static WC_INLINE word16 GetRandomPort(void) return port; } +#ifdef WOLFSSL_EARLY_DATA +static WC_INLINE void EarlyDataStatus(WOLFSSL* ssl) +{ + int earlyData_status; + + earlyData_status = wolfSSL_get_early_data_status(ssl); + if (earlyData_status < 0) return; + + printf("Early Data was "); + + switch(earlyData_status) { + case WOLFSSL_EARLY_DATA_NOT_SENT: + printf("not sent.\n"); + break; + case WOLFSSL_EARLY_DATA_REJECTED: + printf("rejected.\n"); + break; + case WOLFSSL_EARLY_DATA_ACCEPTED: + printf("accepted\n"); + break; + default: + printf("unknown...\n"); + } +} +#endif /* WOLFSSL_EARLY_DATA */ + #endif /* wolfSSL_TEST_H */ From 302c6dfe1165b43374578b5ebecbdca826d6d83f Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Thu, 18 Feb 2021 16:33:58 +0900 Subject: [PATCH 15/19] addressed jenkins failure part3 --- scripts/tls13.test | 4 ++-- src/internal.c | 2 +- src/ssl.c | 7 +------ tests/api.c | 2 +- wolfcrypt/src/sha512.c | 21 ++++++++++++++++++--- 5 files changed, 23 insertions(+), 13 deletions(-) diff --git a/scripts/tls13.test b/scripts/tls13.test index e7a2b3618..70f007265 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -280,11 +280,11 @@ if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then RESULT=$? remove_ready_file early_data_cnt=`grep 'Early Data' $server_out_file | wc -l` - if [ $early_data_cnt -ne 2 -a $early_data_cnt -ne 4 ]; then + if [ $early_data_cnt -ne 3 -a $early_data_cnt -ne 4 ]; then RESULT=1 fi if [ $RESULT -ne 0 ]; then - echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket" + echo -e "\n\nIssue with TLS v1.3 Early Data - PSK" do_cleanup exit 1 fi diff --git a/src/internal.c b/src/internal.c index eeebe5302..20df4f998 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1804,7 +1804,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) /* WOLFSSL_X509_VERIFY_PARAM */ if ((ctx->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( sizeof(WOLFSSL_X509_VERIFY_PARAM), - ctx->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { + heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { WOLFSSL_MSG("ctx->param memory error"); return MEMORY_E; } diff --git a/src/ssl.c b/src/ssl.c index 0b99b5fa4..14f112311 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17188,12 +17188,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, int ret = WOLFSSL_SUCCESS; WOLFSSL_ENTER("SHA512_Transform"); - #if defined(LITTLE_ENDIAN_ORDER) - { - ByteReverseWords64((word64*)data, (word64*)data, - WC_SHA512_BLOCK_SIZE); - } - #endif + ret = wc_Sha512Transform((wc_Sha512*)sha512, data); /* return 1 on success, 0 otherwise */ diff --git a/tests/api.c b/tests/api.c index 5ec6f003f..07b6f0879 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33228,7 +33228,7 @@ static void test_wolfSSL_SHA256(void) static void test_wolfSSL_SHA512_Transform(void) { -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA512) +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA512) byte input1[] = ""; byte input2[] = "abc"; byte local[WC_SHA512_BLOCK_SIZE]; diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 45a70e03a..0353cfc64 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -923,16 +923,31 @@ int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data) /* back up buffer */ #if defined(WOLFSSL_SMALL_STACK) word64* buffer; - buffer = (word64*) XMALLOC(sizeof(word64) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER); + buffer = (word64*) XMALLOC(sizeof(word64) * 16, NULL, + DYNAMIC_TYPE_TMP_BUFFER); if (buffer == NULL) return MEMORY_E; #else word64 buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64)]; #endif - + +#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) + Sha512_SetTransform(); +#endif + +#if defined(LITTLE_ENDIAN_ORDER) +#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) + if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags)) +#endif + { + ByteReverseWords64((word64*)data, (word64*)data, + WC_SHA512_BLOCK_SIZE); + } +#endif + XMEMCPY(buffer, sha->buffer, WC_SHA512_BLOCK_SIZE); XMEMCPY(sha->buffer, data, WC_SHA512_BLOCK_SIZE); - + ret = Transform_Sha512(sha); XMEMCPY(sha->buffer, buffer, WC_SHA512_BLOCK_SIZE); From 2246ea33cc481e3ad46d8a0b326127f05fd37387 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Fri, 19 Feb 2021 17:21:46 +0900 Subject: [PATCH 16/19] addressed sanitize failure --- tests/api.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/api.c b/tests/api.c index 07b6f0879..51fb3fac5 100644 --- a/tests/api.c +++ b/tests/api.c @@ -39113,8 +39113,10 @@ static void test_wolfSSL_X509_load_crl_file(void) WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED); } - printf(resultFmt, passed); + wolfSSL_X509_STORE_free(store); + store = NULL; + printf(resultFmt, passed); #endif } From 464f82a575f216bda72ba4e96dd9802b1877a6ef Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Fri, 19 Feb 2021 17:37:12 +0900 Subject: [PATCH 17/19] addressed jenkins failure part4 --- src/ssl.c | 16 ++++++++++++++-- tests/api.c | 11 ++++++++++- wolfssl/wolfcrypt/settings.h | 6 ++++-- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 14f112311..41fe9bad8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16904,7 +16904,9 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } - #if defined(OPENSSL_EXTRA) + #if defined(OPENSSL_EXTRA) + #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX* sha, const unsigned char* data) { @@ -16925,6 +16927,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return ret; } #endif + #endif int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX* sha) { @@ -16947,6 +16950,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return SHA_Final(input, sha); } #if defined(OPENSSL_EXTRA) + #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX* sha, const unsigned char* data) { @@ -16954,6 +16959,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return (wolfSSL_SHA_Transform(sha, data)); } #endif + #endif #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 @@ -17058,6 +17064,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, } #if defined(OPENSSL_EXTRA) + #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX* sha256, const unsigned char* data) { @@ -17078,6 +17086,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return ret; } #endif + #endif #ifdef WOLFSSL_SHA384 @@ -17182,6 +17191,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX* sha512, const unsigned char* data) { @@ -17197,7 +17208,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return ret; } - + #endif /* !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) */ #endif /* WOLFSSL_SHA512 */ #ifdef WOLFSSL_SHA3 diff --git a/tests/api.c b/tests/api.c index 51fb3fac5..93f8f589b 100644 --- a/tests/api.c +++ b/tests/api.c @@ -32785,7 +32785,7 @@ static void test_wolfSSL_SHA(void) #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) printf(testingFmt, "wolfSSL_SHA()"); - #if !defined(NO_SHA) + #if !defined(NO_SHA) && defined(NO_OLD_SHA_NAMES) { const unsigned char in[] = "abc"; unsigned char expected[] = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E" @@ -33119,6 +33119,8 @@ static void test_wolfSSL_SHA224(void) static void test_wolfSSL_SHA_Transform(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_SHA) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) byte input1[] = ""; byte input2[] = "abc"; byte local[WC_SHA_BLOCK_SIZE]; @@ -33157,11 +33159,14 @@ static void test_wolfSSL_SHA_Transform(void) printf(resultFmt, passed); #endif +#endif } static void test_wolfSSL_SHA256_Transform(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) byte input1[] = ""; byte input2[] = "abc"; byte local[WC_SHA256_BLOCK_SIZE]; @@ -33200,6 +33205,7 @@ static void test_wolfSSL_SHA256_Transform(void) printf(resultFmt, passed); #endif +#endif } static void test_wolfSSL_SHA256(void) @@ -33229,6 +33235,8 @@ static void test_wolfSSL_SHA256(void) static void test_wolfSSL_SHA512_Transform(void) { #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA512) +#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) byte input1[] = ""; byte input2[] = "abc"; byte local[WC_SHA512_BLOCK_SIZE]; @@ -33272,6 +33280,7 @@ static void test_wolfSSL_SHA512_Transform(void) (void)input1; printf(resultFmt, passed); #endif +#endif } static void test_wolfSSL_X509_get_serialNumber(void) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index f01fcdd56..a3a527a97 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2273,10 +2273,12 @@ extern void uITRON4_free(void *p) ; #if defined(NO_OLD_WC_NAMES) || defined(OPENSSL_EXTRA) /* added to have compatibility with SHA256() */ - #if !defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) + #if !defined(NO_OLD_SHA_NAMES) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) #define NO_OLD_SHA_NAMES #endif - #if !defined(NO_OLD_MD5_NAME) && !defined(HAVE_FIPS) + #if !defined(NO_OLD_MD5_NAME) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) #define NO_OLD_MD5_NAME #endif #endif From 896245cae74d13765e83560207ca38db38f53883 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Sat, 20 Feb 2021 12:54:59 +0900 Subject: [PATCH 18/19] addressed jenkins cavp test failure --- src/ssl.c | 16 ++++++++-------- src/tls13.c | 3 ++- tests/api.c | 12 ++++++------ 3 files changed, 16 insertions(+), 15 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 41fe9bad8..d6dd64f7a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16905,8 +16905,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, } #if defined(OPENSSL_EXTRA) - #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX* sha, const unsigned char* data) { @@ -16950,8 +16950,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return SHA_Final(input, sha); } #if defined(OPENSSL_EXTRA) - #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX* sha, const unsigned char* data) { @@ -17064,8 +17064,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, } #if defined(OPENSSL_EXTRA) - #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX* sha256, const unsigned char* data) { @@ -17191,8 +17191,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } - #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX* sha512, const unsigned char* data) { diff --git a/src/tls13.c b/src/tls13.c index 0422fe270..16b449f91 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -8663,7 +8663,8 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) { #ifdef OPENSSL_EXTRA /* when processed early data exceeds max size */ - if (ssl->earlyDataSz + sz > ssl->session.maxEarlyDataSz) { + if (ssl->session.maxEarlyDataSz > 0 && + (ssl->earlyDataSz + sz > ssl->session.maxEarlyDataSz)) { ssl->error = TOO_MUCH_EARLY_DATA; return WOLFSSL_FATAL_ERROR; } diff --git a/tests/api.c b/tests/api.c index 93f8f589b..2579fe06c 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33119,8 +33119,8 @@ static void test_wolfSSL_SHA224(void) static void test_wolfSSL_SHA_Transform(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_SHA) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) byte input1[] = ""; byte input2[] = "abc"; byte local[WC_SHA_BLOCK_SIZE]; @@ -33165,8 +33165,8 @@ static void test_wolfSSL_SHA_Transform(void) static void test_wolfSSL_SHA256_Transform(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) byte input1[] = ""; byte input2[] = "abc"; byte local[WC_SHA256_BLOCK_SIZE]; @@ -33235,8 +33235,8 @@ static void test_wolfSSL_SHA256(void) static void test_wolfSSL_SHA512_Transform(void) { #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA512) -#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ - (HAVE_FIPS_VERSION > 2)) +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) byte input1[] = ""; byte input2[] = "abc"; byte local[WC_SHA512_BLOCK_SIZE]; From 3b768bcb5ee5e737a8f66adee6f6737f012ce2c1 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Sat, 6 Mar 2021 10:18:31 +0900 Subject: [PATCH 19/19] addressed review comments --- src/ssl.c | 64 +++++++++++++++++++++++++++++++----------- tests/api.c | 34 +++++++++++++++++++++- wolfcrypt/src/md5.c | 8 ++++++ wolfcrypt/src/sha.c | 8 ++++++ wolfcrypt/src/sha256.c | 7 +++++ wolfcrypt/src/sha512.c | 13 ++++++++- 6 files changed, 115 insertions(+), 19 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index d6dd64f7a..7ca132336 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2272,7 +2272,7 @@ int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) #ifdef WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST /* The following is a non-standard way to reconfigure the max packet size - post-handshake for wolfSSL_write/woflSSL_read */ + post-handshake for wolfSSL_write/wolfSSL_read */ if (ssl->options.handShakeState == HANDSHAKE_DONE) { switch (mfl) { case WOLFSSL_MFL_2_8 : ssl->max_fragment = 256; break; @@ -16832,25 +16832,30 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } - + /* Apply MD5 transformation to the data */ int wolfSSL_MD5_Transform(WOLFSSL_MD5_CTX* md5, const unsigned char* data) { int ret; WOLFSSL_ENTER("MD5_Transform"); + + /* sanity check */ + if (md5 == NULL || data == NULL) { + return 0; + } #if defined(BIG_ENDIAN_ORDER) { ByteReverseWords((word32*)data, (word32*)data, WC_MD5_BLOCK_SIZE); } #endif - + ret = wc_Md5Transform((wc_Md5*)md5, data); /* return 1 on success, 0 otherwise */ if (ret == 0) return 1; - - return ret; + else + return 0; } #endif /* !NO_MD5 */ @@ -16907,12 +16912,17 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, #if defined(OPENSSL_EXTRA) #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA1 transformation to the data */ int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX* sha, const unsigned char* data) { int ret; WOLFSSL_ENTER("SHA_Transform"); + /* sanity check */ + if (sha == NULL || data == NULL) { + return 0; + } #if defined(LITTLE_ENDIAN_ORDER) { ByteReverseWords((word32*)data, (word32*)data, WC_SHA_BLOCK_SIZE); @@ -16923,8 +16933,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, /* return 1 on success, 0 otherwise */ if (ret == 0) return 1; - - return ret; + else + return 0; } #endif #endif @@ -16952,6 +16962,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, #if defined(OPENSSL_EXTRA) #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA1 transformation to the data */ int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX* sha, const unsigned char* data) { @@ -17066,12 +17077,17 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, #if defined(OPENSSL_EXTRA) #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA256 transformation to the data */ int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX* sha256, const unsigned char* data) { int ret; WOLFSSL_ENTER("SHA256_Transform"); + /* sanity check */ + if (sha256 == NULL || data == NULL) { + return 0; + } #if defined(LITTLE_ENDIAN_ORDER) { ByteReverseWords((word32*)data, (word32*)data, WC_SHA256_BLOCK_SIZE); @@ -17082,8 +17098,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, /* return 1 on success, 0 otherwise */ if (ret == 0) return 1; - - return ret; + else + return 0; } #endif #endif @@ -17193,20 +17209,25 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA512 transformation to the data */ int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX* sha512, const unsigned char* data) { int ret = WOLFSSL_SUCCESS; WOLFSSL_ENTER("SHA512_Transform"); + /* sanity check */ + if (sha512 == NULL || data == NULL) { + return 0; + } ret = wc_Sha512Transform((wc_Sha512*)sha512, data); /* return 1 on success, 0 otherwise */ if (ret == 0) return 1; - - return ret; + else + return 0; } #endif /* !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ (HAVE_FIPS_VERSION > 2)) */ @@ -21690,7 +21711,7 @@ WOLFSSL_SESSION* wolfSSL_SESSION_new(void) } /* add one to session reference count - * return WOFLSSL_SUCCESS on success and WOLFSSL_FAILURE on error */ + * return WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on error */ int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session) { if (session == NULL) @@ -26087,6 +26108,9 @@ WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, byte* der = NULL; WOLFSSL_X509_CRL* crl = NULL; + if (bp == NULL) + return NULL; + if ((derSz = wolfSSL_BIO_get_len(bp)) > 0) { der = (byte*)XMALLOC(derSz, 0, DYNAMIC_TYPE_DER); if (der != NULL) { @@ -26111,6 +26135,11 @@ WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE fp, WOLFSSL_X509_CRL **crl) return (WOLFSSL_X509_CRL *)wolfSSL_d2i_X509_fp_ex(fp, (void **)crl, CRL_TYPE); } +/* Read CRL file, and add it to store and corresponding cert manager */ +/* @param ctx a pointer of X509_LOOKUP back to the X509_STORE */ +/* @param file a file to read */ +/* @param type WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1 */ +/* @return WOLFSSL_SUCCESS(1) on successful, othewise WOLFSSL_FAILURE(0)*/ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, const char *file, int type) { @@ -26161,7 +26190,7 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, } } } else { - WOLFSSL_MSG("Invaid file type"); + WOLFSSL_MSG("Invalid file type"); } wolfSSL_X509_CRL_free(crl); @@ -26379,7 +26408,8 @@ int wolfSSL_X509_VERIFY_PARAM_clear_flags(WOLFSSL_X509_VERIFY_PARAM *param, } -/* +/* inherits properties of param "to" to param "from" +* * WOLFSSL_VPARAM_DEFAULT any values in "src" is copied * if "src" value is new for "to". * WOLFSSL_VPARAM_OVERWRITE all values of "form" are copied to "to" @@ -26387,7 +26417,7 @@ int wolfSSL_X509_VERIFY_PARAM_clear_flags(WOLFSSL_X509_VERIFY_PARAM *param, * WOLFSSL_VPARAM_LOCKED don't copy any values * WOLFSSL_VPARAM_ONCE the current inherit_flags is zerroed */ -static int woflSSL_X509_VERIFY_PARAM_inherit(WOLFSSL_X509_VERIFY_PARAM *to, +static int wolfSSL_X509_VERIFY_PARAM_inherit(WOLFSSL_X509_VERIFY_PARAM *to, const WOLFSSL_X509_VERIFY_PARAM *from) { int ret = WOLFSSL_FAILURE; @@ -26530,11 +26560,11 @@ int wolfSSL_X509_VERIFY_PARAM_set1(WOLFSSL_X509_VERIFY_PARAM *to, _inherit_flags = to->inherit_flags; /* Ored DEFAULT inherit flag proerty to copy "from" contents to "to" - * contends + * contents */ to->inherit_flags |= WOLFSSL_VPARAM_DEFAULT; - ret = woflSSL_X509_VERIFY_PARAM_inherit(to, from); + ret = wolfSSL_X509_VERIFY_PARAM_inherit(to, from); /* restore inherit flag */ to->inherit_flags = _inherit_flags; diff --git a/tests/api.c b/tests/api.c index 2579fe06c..1aaa4911e 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33070,6 +33070,14 @@ static void test_wolfSSL_MD5_Transform(void) XMEMSET(&md5, 0, sizeof(md5)); XMEMSET(&local, 0, sizeof(local)); + /* sanity check */ + AssertIntEQ(wolfSSL_MD5_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_MD5_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_MD5_Transform(&md5, NULL), 0); + AssertIntEQ(wc_Md5Transform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_Md5Transform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_Md5Transform((wc_Md5*)&md5, NULL), BAD_FUNC_ARG); + /* Init MD5 CTX */ AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); /* Do Transform*/ @@ -33106,7 +33114,7 @@ static void test_wolfSSL_SHA224(void) size_t inLen; byte hash[WC_SHA224_DIGEST_SIZE]; - printf(testingFmt, "wolfSSL_SHA224)"); + printf(testingFmt, "wolfSSL_SHA224()"); inLen = XSTRLEN((char*)input); XMEMSET(hash, 0, WC_SHA224_DIGEST_SIZE); @@ -33139,6 +33147,14 @@ static void test_wolfSSL_SHA_Transform(void) XMEMSET(&sha, 0, sizeof(sha)); XMEMSET(&local, 0, sizeof(local)); + /* sanity check */ + AssertIntEQ(wolfSSL_SHA_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_SHA_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_SHA_Transform(&sha, NULL), 0); + AssertIntEQ(wc_ShaTransform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_ShaTransform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_ShaTransform((wc_Sha*)&sha, NULL), BAD_FUNC_ARG); + /* Init SHA CTX */ AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); /* Do Transform*/ @@ -33185,6 +33201,14 @@ static void test_wolfSSL_SHA256_Transform(void) XMEMSET(&sha256, 0, sizeof(sha256)); XMEMSET(&local, 0, sizeof(local)); + /* sanity check */ + AssertIntEQ(wolfSSL_SHA256_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_SHA256_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, NULL), 0); + AssertIntEQ(wc_Sha256Transform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha256Transform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha256Transform((wc_Sha256*)&sha256, NULL), BAD_FUNC_ARG); + /* Init SHA256 CTX */ AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); /* Do Transform*/ @@ -33259,6 +33283,14 @@ static void test_wolfSSL_SHA512_Transform(void) XMEMSET(&sha512, 0, sizeof(sha512)); XMEMSET(&local, 0, sizeof(local)); + /* sanity check */ + AssertIntEQ(wolfSSL_SHA512_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_SHA512_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, NULL), 0); + AssertIntEQ(wc_Sha512Transform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha512Transform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha512Transform((wc_Sha512*)&sha512, NULL), BAD_FUNC_ARG); + /* Init SHA512 CTX */ AssertIntEQ(wolfSSL_SHA512_Init(&sha512), 1); diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c index d4c92ad0b..e4ffc2f09 100644 --- a/wolfcrypt/src/md5.c +++ b/wolfcrypt/src/md5.c @@ -551,8 +551,16 @@ int wc_Md5Copy(wc_Md5* src, wc_Md5* dst) return ret; } #ifdef OPENSSL_EXTRA +/* Apply MD5 transformation to the data */ +/* @param md5 a pointer to wc_MD5 structure */ +/* @param data data to be applied MD5 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ int wc_Md5Transform(wc_Md5* md5, const byte* data) { + /* sanity check */ + if (md5 == NULL || data == NULL) { + return BAD_FUNC_ARG; + } return Transform(md5, data); } #endif diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 35c1589c6..0d16521cd 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -774,8 +774,16 @@ int wc_ShaFinal(wc_Sha* sha, byte* hash) } #if defined(OPENSSL_EXTRA) +/* Apply SHA1 transformation to the data */ +/* @param sha a pointer to wc_Sha structure */ +/* @param data data to be applied SHA1 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ int wc_ShaTransform(wc_Sha* sha, const unsigned char* data) { + /* sanity check */ + if (sha == NULL || data == NULL) { + return BAD_FUNC_ARG; + } return (Transform(sha, data)); } #endif diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index eb26ad6d6..249bc5d6d 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -1296,8 +1296,15 @@ static int InitSha256(wc_Sha256* sha256) } #if defined(OPENSSL_EXTRA) +/* Apply SHA256 transformation to the data */ +/* @param sha a pointer to wc_Sha256 structure */ +/* @param data data to be applied SHA256 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ int wc_Sha256Transform(wc_Sha256* sha, const unsigned char* data) { + if (sha == NULL || data == NULL) { + return BAD_FUNC_ARG; + } return (Transform_Sha256(sha, data)); } #endif diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 0353cfc64..bc576da21 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -917,6 +917,10 @@ void wc_Sha512Free(wc_Sha512* sha512) #endif /* WOLFSSL_ASYNC_CRYPT */ } #if defined(OPENSSL_EXTRA) +/* Apply SHA512 transformation to the data */ +/* @param sha a pointer to wc_Sha512 structure */ +/* @param data data to be applied SHA512 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data) { int ret ; @@ -930,7 +934,14 @@ int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data) #else word64 buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64)]; #endif - + + /* sanity check */ + if (sha == NULL || data == NULL) { + #if defined(WOLFSSL_SMALL_STACK) + XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return BAD_FUNC_ARG; + } #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) Sha512_SetTransform(); #endif