mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Changes needed for default TLS support in zephyr kernel

Browse Source
This commit is contained in:
Colton Willey 2024-07-09 12:00:34 -07:00
parent 00e42151ca
commit 4ec07bb5a8
10 changed files with 164 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/internal.c
View File

@ -9892,7 +9892,7 @@ ProtocolVersion MakeDTLSv1_3(void)
word32 LowResTimer(void)
{
int64_t t;
#if defined(CONFIG_ARCH_POSIX)
#if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX)
k_cpu_idle();
#endif
t = k_uptime_get(); /* returns current uptime in milliseconds */

28
src/ssl.c
View File

@ -1641,6 +1641,34 @@ int wolfSSL_get_ciphers(char* buf, int len)
return WOLFSSL_SUCCESS;
}
#ifdef WOLFSSL_GET_CIPHER_BYTES
int wolfSSL_get_cipher_list_bytes(byte* buf, int *len)
{
const CipherSuiteInfo* ciphers = GetCipherNames();
int ciphersSz = GetCipherNamesSize();
int i;
if (len == NULL)
return BAD_FUNC_ARG;
/* For NULL input buffer and non-NULL len, set len */
if (buf == NULL) {
*len = (ciphersSz * 2);
return WOLFSSL_SUCCESS;
}
if (*len < (ciphersSz * 2))
return BUFFER_E;
/* Add each member to the buffer */
for (i = 0; i < ciphersSz; i++) {
*buf++ = ciphers->cipherSuite0;
*buf++ = ciphers->cipherSuite;
}
return WOLFSSL_SUCCESS;
}
#endif
#ifndef NO_ERROR_STRINGS
/* places a list of all supported cipher suites in TLS_* format into "buf"

72
tests/api.c
View File

@ -1546,24 +1546,24 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void)
const byte cipherList[] =
{
/* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ 0xC0, 0x16,
/* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */ 0xC0, 0x39,
/* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */ 0xC0, 0x33,
/* TLS_DH_anon_WITH_AES_128_CBC_SHA */ 0xC0, 0x34,
/* TLS_RSA_WITH_AES_256_CBC_SHA */ 0xC0, 0x35,
/* TLS_RSA_WITH_AES_128_CBC_SHA */ 0xC0, 0x2F,
/* TLS_RSA_WITH_NULL_MD5 */ 0xC0, 0x01,
/* TLS_RSA_WITH_NULL_SHA */ 0xC0, 0x02,
/* TLS_PSK_WITH_AES_256_CBC_SHA */ 0xC0, 0x8d,
/* TLS_PSK_WITH_AES_128_CBC_SHA256 */ 0xC0, 0xae,
/* TLS_PSK_WITH_AES_256_CBC_SHA384 */ 0xC0, 0xaf,
/* TLS_PSK_WITH_AES_128_CBC_SHA */ 0xC0, 0x8c,
/* TLS_PSK_WITH_NULL_SHA256 */ 0xC0, 0xb0,
/* TLS_PSK_WITH_NULL_SHA384 */ 0xC0, 0xb1,
/* TLS_PSK_WITH_NULL_SHA */ 0xC0, 0x2c,
/* SSL_RSA_WITH_RC4_128_SHA */ 0xC0, 0x05,
/* SSL_RSA_WITH_RC4_128_MD5 */ 0xC0, 0x04,
/* SSL_RSA_WITH_3DES_EDE_CBC_SHA */ 0xC0, 0x0A,
/* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ 0x00, 0x16,
/* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */ 0x00, 0x39,
/* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */ 0x00, 0x33,
/* TLS_DH_anon_WITH_AES_128_CBC_SHA */ 0x00, 0x34,
/* TLS_RSA_WITH_AES_256_CBC_SHA */ 0x00, 0x35,
/* TLS_RSA_WITH_AES_128_CBC_SHA */ 0x00, 0x2F,
/* TLS_RSA_WITH_NULL_MD5 */ 0x00, 0x01,
/* TLS_RSA_WITH_NULL_SHA */ 0x00, 0x02,
/* TLS_PSK_WITH_AES_256_CBC_SHA */ 0x00, 0x8d,
/* TLS_PSK_WITH_AES_128_CBC_SHA256 */ 0x00, 0xae,
/* TLS_PSK_WITH_AES_256_CBC_SHA384 */ 0x00, 0xaf,
/* TLS_PSK_WITH_AES_128_CBC_SHA */ 0x00, 0x8c,
/* TLS_PSK_WITH_NULL_SHA256 */ 0x00, 0xb0,
/* TLS_PSK_WITH_NULL_SHA384 */ 0x00, 0xb1,
/* TLS_PSK_WITH_NULL_SHA */ 0x00, 0x2c,
/* SSL_RSA_WITH_RC4_128_SHA */ 0x00, 0x05,
/* SSL_RSA_WITH_RC4_128_MD5 */ 0x00, 0x04,
/* SSL_RSA_WITH_3DES_EDE_CBC_SHA */ 0x00, 0x0A,
/* ECC suites, first byte is 0xC0 (ECC_BYTE) */
/* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */ 0xC0, 0x14,
@ -1730,6 +1730,41 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void)
return EXPECT_RESULT();
}
static int test_wolfSSL_get_cipher_list_bytes(void)
{
EXPECT_DECLS;
#if (defined(WOLFSSL_GET_CIPHER_BYTES)&& \
(!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)))
WOLFSSL_CTX* ctx = NULL;
byte *getCipherList = NULL;
word32 cipherListLen = 0;
#ifndef NO_WOLFSSL_SERVER
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
#else
ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
#endif
ExpectTrue(wolfSSL_get_cipher_list_bytes(NULL, (int *)(&cipherListLen)));
ExpectIntGT((int)cipherListLen, 0);
ExpectNotNull(getCipherList =
(byte *)XMALLOC(cipherListLen, NULL, DYNAMIC_TYPE_TMP_BUFFER));
ExpectTrue(wolfSSL_get_cipher_list_bytes(
getCipherList, (int *)(&cipherListLen)));
/* Intentionally minimal verification here. Only way to verify would
* be a comprehensive list of all possible ciphersuites, which would
* break and need to be updated for every addition to the list. That
* is a lot of maintinence overhead for this little used function so
* call this good enough. */
XFREE(getCipherList, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL_CTX_free(ctx);
#endif /* (WOLFSSL_GET_CIPHER_BYTES && (!NO_WOLFSSL_CLIENT \
* || !NO_WOLFSSL_SERVER) */
return EXPECT_RESULT();
}
static int test_wolfSSL_CTX_use_certificate_file(void)
{
@ -83801,6 +83836,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_SSL_CIPHER_get_xxx),
TEST_DECL(test_wolfSSL_ERR_strings),
TEST_DECL(test_wolfSSL_CTX_set_cipher_list_bytes),
TEST_DECL(test_wolfSSL_get_cipher_list_bytes),
TEST_DECL(test_wolfSSL_CTX_use_certificate_file),
TEST_DECL(test_wolfSSL_CTX_use_certificate_buffer),
TEST_DECL(test_wolfSSL_CTX_use_PrivateKey_file),

3
wolfcrypt/src/memory.c
View File

@ -1207,6 +1207,9 @@ void wolfSSL_Free(void *ptr, void* heap, int type)
#else
free(ptr);
#endif
#ifdef WOLFSSL_DEBUG_MEMORY
fprintf(stderr, "Free: %p at %s:%d\n", ptr, func, line);
#endif
#else
WOLFSSL_MSG("Error trying to call free when turned off");
#endif /* WOLFSSL_NO_MALLOC */

23
wolfcrypt/src/wc_port.c
View File

@ -132,6 +132,13 @@
#include <pthread.h>
#endif
#if defined(WOLFSSL_ZEPHYR)
#if defined(CONFIG_BOARD_NATIVE_POSIX)
#include "native_rtc.h"
#define CONFIG_RTC
#endif
#endif
/* prevent multiple mutex initializations */
static volatile int initRefCount = 0;
@ -3173,6 +3180,21 @@ time_t z_time(time_t * timer)
#if defined(CONFIG_RTC) && \
(defined(CONFIG_PICOLIBC) || defined(CONFIG_NEWLIB_LIBC))
#if defined(CONFIG_BOARD_NATIVE_POSIX)
/* When using native sim, get time from simulator rtc */
uint32_t nsec = 0;
uint64_t sec = 0;
native_rtc_gettime(RTC_CLOCK_PSEUDOHOSTREALTIME, &nsec, &sec);
if (timer != NULL)
*timer = sec;
return sec;
#else
/* Try to obtain the actual time from an RTC */
static const struct device *rtc = DEVICE_DT_GET(DT_NODELABEL(rtc));
@ -3191,6 +3213,7 @@ time_t z_time(time_t * timer)
return epochTime;
}
}
#endif /* defined(CONFIG_BOARD_NATIVE_POSIX) */
#endif
/* Fallback to uptime since boot. This works for relative times, but

1
wolfssl/ssl.h
View File

@ -1169,6 +1169,7 @@ WOLFSSL_API char* wolfSSL_get_cipher_list(int priority);
WOLFSSL_API char* wolfSSL_get_cipher_list_ex(WOLFSSL* ssl, int priority);
WOLFSSL_API int wolfSSL_get_ciphers(char* buf, int len);
WOLFSSL_API int wolfSSL_get_ciphers_iana(char* buf, int len);
WOLFSSL_API int wolfSSL_get_cipher_list_bytes(byte* buf, int *len);
WOLFSSL_API const char* wolfSSL_get_cipher_name(WOLFSSL* ssl);
WOLFSSL_API const char* wolfSSL_get_cipher_name_from_suite(
unsigned char cipherSuite0, unsigned char cipherSuite);

1
wolfssl/wolfcrypt/settings.h
View File

@ -2112,6 +2112,7 @@ extern void uITRON4_free(void *p) ;
void *z_realloc(void *ptr, size_t size);
#define realloc z_realloc
#define max MAX
#if !defined(CONFIG_NET_SOCKETS_POSIX_NAMES) && !defined(CONFIG_POSIX_API)
#define CONFIG_NET_SOCKETS_POSIX_NAMES

1
zephyr/CMakeLists.txt
View File

@ -22,6 +22,7 @@ if(CONFIG_WOLFSSL)
zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/zephyr/zephyr_init.c)
zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/crl.c)
zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/dtls.c)
zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/dtls13.c)
zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/internal.c)
zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/keys.c)

23
zephyr/Kconfig
View File

@ -70,6 +70,29 @@ config WOLFCRYPT_FIPS
Enables FIPS support in wolfCrypt. Requires the wolfSSL FIPS ready
download that includes fips.c/fips_test.c.
config WOLFSSL_DTLS
bool "wolfSSL DTLS support"
help
Enable DTLS support
config WOLFSSL_ALPN
bool "wolfSSL ALPN support"
help
Enable ALPN support
config WOLFSSL_PSK
bool "wolfSSL PSK support"
help
Enable PSK support
config WOLFSSL_MAX_FRAGMENT_LEN
int
default 3
range 1 6
help
Sets the maximum fragment length wolfSSL will use, values 1-6 correspond to enum values
WOLFSSL_MFL_* in ssl.h
config WOLFCRYPT_ARMASM
bool "wolfCrypt ARM Assembly support"
depends on WOLFSSL_BUILTIN

31
zephyr/user_settings.h
View File

@ -133,9 +133,33 @@ extern "C" {
#define NO_SESSION_CACHE /* disable session resumption */
#endif
/* PSK */
#define NO_PSK /* disable pre-shared-key support */
/* DTLS */
#if defined(CONFIG_WOLFSSL_DTLS)
#define WOLFSSL_DTLS
#define HAVE_SOCKADDR
#endif
/* PSK */
#if defined(CONFIG_WOLFSSL_PSK)
#undef NO_PSK
#define WOLFSSL_STATIC_PSK
#else
#define NO_PSK /* disable pre-shared-key support */
#endif
/* ALPN */
#if defined(CONFIG_WOLFSSL_ALPN)
#define HAVE_ALPN
#endif
#if defined(CONFIG_WOLFSSL_MAX_FRAGMENT_LEN)
#define HAVE_MAX_FRAGMENT
#endif
#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
#define WOLFSSL_SET_CIPHER_BYTES
#define WOLFSSL_GET_CIPHER_BYTES
#endif
/* ------------------------------------------------------------------------- */
/* Algorithms */
@ -143,6 +167,9 @@ extern "C" {
/* RNG */
#ifndef WC_NO_HASHDRBG
#define HAVE_HASHDRBG /* Use DRBG SHA2-256 and seed */
#ifdef CONFIG_CSPRNG_ENABLED
#define WC_RNG_SEED_CB
#endif
#endif
/* ECC */