Merge branch 'master' of github.com:cyassl/cyassl

John Safranek 2014-03-19 21:31:15 -07:00
commit 5c41acb6be
12 changed files with 194 additions and 66 deletions

1
.gitignore vendored

@ -30,6 +30,7 @@ tags
.tags*
cyassl-config
cyassl.sublime*
fips.c
ctaocrypt/benchmark/benchmark
ctaocrypt/test/testctaocrypt
examples/client/client


@ -1058,6 +1058,25 @@ fi
AM_CONDITIONAL([BUILD_RABBIT], [test "x$ENABLED_RABBIT" = "xyes"])
# FIPS
AC_ARG_ENABLE([fips],
[ --enable-fips Enable FIPS 140-2 (default: disabled)],
[ ENABLED_FIPS=$enableval ],
[ ENABLED_FIPS=no ]
)
if test "x$ENABLED_FIPS" = "xyes"
then
if test "$thread_ls_on" = "no"
then
AC_MSG_ERROR([FIPS requires Thread Local Storage])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
fi
AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"])
# Filesystem Build
AC_ARG_ENABLE([filesystem],
[ --enable-filesystem Enable Filesystem support (default: enabled)],
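Review bot: The `--enable-fips` branch accepts the option without checking that the FIPS source file is present. This same commit adds `fips.c` to .gitignore and adds `ctaocrypt/src/fips.c` to the BUILD_FIPS sources, so the file is presumably not shipped in the tree, and a FIPS configure on a plain checkout would only fail later, at make time. A check next to the thread-local-storage test would fail early with a clear message, e.g. `test -f "$srcdir/ctaocrypt/src/fips.c" || AC_MSG_ERROR([FIPS requires ctaocrypt/src/fips.c])`.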


@ -274,13 +274,20 @@ void bench_aes(int show)
Aes enc;
double start, total, persec;
int i;
int ret;
#ifdef HAVE_CAVIUM
if (AesInitCavium(&enc, CAVIUM_DEV_ID) != 0)
if (AesInitCavium(&enc, CAVIUM_DEV_ID) != 0) {
printf("aes init cavium failed\n");
return;
}
#endif
AesSetKey(&enc, key, 16, iv, AES_ENCRYPTION);
ret = AesSetKey(&enc, key, 16, iv, AES_ENCRYPTION);
if (ret != 0) {
printf("AesSetKey failed, ret = %d\n", ret);
return;
}
start = current_time(1);
for(i = 0; i < numBlocks; i++)
@ -295,7 +302,7 @@ void bench_aes(int show)
#endif
if (show)
printf("AES %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("AES %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
#ifdef HAVE_CAVIUM
AesFreeCavium(&enc);
@ -332,7 +339,7 @@ void bench_aesgcm(void)
persec = persec / 1024;
#endif
printf("AES-GCM %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("AES-GCM %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif
@ -358,7 +365,7 @@ void bench_aesctr(void)
persec = persec / 1024;
#endif
printf("AES-CTR %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("AES-CTR %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif
@ -387,7 +394,7 @@ void bench_aesccm(void)
persec = persec / 1024;
#endif
printf("AES-CCM %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("AES-CCM %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif
@ -414,7 +421,7 @@ void bench_camellia(void)
persec = persec / 1024;
#endif
printf("Camellia %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("Camellia %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif
@ -445,7 +452,7 @@ void bench_des(void)
persec = persec / 1024;
#endif
printf("3DES %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("3DES %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
#ifdef HAVE_CAVIUM
Des3_FreeCavium(&enc);
@ -479,7 +486,7 @@ void bench_arc4(void)
persec = persec / 1024;
#endif
printf("ARC4 %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("ARC4 %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
#ifdef HAVE_CAVIUM
Arc4FreeCavium(&enc);
@ -508,7 +515,7 @@ void bench_hc128(void)
persec = persec / 1024;
#endif
printf("HC128 %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("HC128 %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif /* HAVE_HC128 */
@ -534,7 +541,7 @@ void bench_rabbit(void)
persec = persec / 1024;
#endif
printf("RABBIT %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("RABBIT %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif /* NO_RABBIT */
@ -563,7 +570,7 @@ void bench_md5(void)
persec = persec / 1024;
#endif
printf("MD5 %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("MD5 %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif /* NO_MD5 */
@ -592,7 +599,7 @@ void bench_sha(void)
persec = persec / 1024;
#endif
printf("SHA %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("SHA %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif /* NO_SHA */
@ -621,7 +628,7 @@ void bench_sha256(void)
persec = persec / 1024;
#endif
printf("SHA-256 %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("SHA-256 %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif
@ -649,7 +656,7 @@ void bench_sha512(void)
persec = persec / 1024;
#endif
printf("SHA-512 %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("SHA-512 %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif
@ -677,7 +684,7 @@ void bench_ripemd(void)
persec = persec / 1024;
#endif
printf("RIPEMD %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("RIPEMD %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif
@ -706,7 +713,7 @@ void bench_blake2(void)
persec = persec / 1024;
#endif
printf("BLAKE2b %d %s took %5.3f seconds, %6.3f MB/s\n", numBlocks,
printf("BLAKE2b %d %s took %5.3f seconds, %7.3f MB/s\n", numBlocks,
blockType, total, persec);
}
#endif
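Review bot: The new early return after a failed AesSetKey in bench_aes leaves the Cavium context open, because under HAVE_CAVIUM the context set up by AesInitCavium is only released by the `AesFreeCavium(&enc);` call at the end of the function. Release it on the failure path too, inside the `if (ret != 0)` block before the `return;`: `#ifdef HAVE_CAVIUM`, `AesFreeCavium(&enc);`, `#endif`. bench_aes continues outside the hunks shown, so confirm no other early exit has the same gap.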


@ -27,6 +27,11 @@
#ifndef NO_AES
#ifdef HAVE_FIPS
/* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
#define FIPS_NO_WRAPPERS
#endif
#include <cyassl/ctaocrypt/aes.h>
#include <cyassl/ctaocrypt/error.h>
#include <cyassl/ctaocrypt/logging.h>
@ -46,6 +51,7 @@
#endif
#ifdef HAVE_CAVIUM
static int AesCaviumSetKey(Aes* aes, const byte* key, word32 length,
const byte* iv);


@ -1860,6 +1860,7 @@ int aes_test(void)
byte cipher[AES_BLOCK_SIZE * 4];
byte plain [AES_BLOCK_SIZE * 4];
int ret;
#ifdef HAVE_CAVIUM
if (AesInitCavium(&enc, CAVIUM_DEV_ID) != 0)
@ -1867,11 +1868,19 @@ int aes_test(void)
if (AesInitCavium(&dec, CAVIUM_DEV_ID) != 0)
return -20004;
#endif
AesSetKey(&enc, key, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
AesSetKey(&dec, key, AES_BLOCK_SIZE, iv, AES_DECRYPTION);
ret = AesSetKey(&enc, key, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
if (ret != 0)
return -1001;
ret = AesSetKey(&dec, key, AES_BLOCK_SIZE, iv, AES_DECRYPTION);
if (ret != 0)
return -1002;
AesCbcEncrypt(&enc, cipher, msg, AES_BLOCK_SIZE);
AesCbcDecrypt(&dec, plain, cipher, AES_BLOCK_SIZE);
ret = AesCbcEncrypt(&enc, cipher, msg, AES_BLOCK_SIZE);
if (ret != 0)
return -1005;
ret = AesCbcDecrypt(&dec, plain, cipher, AES_BLOCK_SIZE);
if (ret != 0)
return -1006;
if (memcmp(plain, msg, AES_BLOCK_SIZE))
return -60;
@ -1990,13 +1999,17 @@ int aes_test(void)
};
XMEMSET(cipher, 0, AES_BLOCK_SIZE);
AesSetKey(&enc, niKey, sizeof(niKey), cipher, AES_ENCRYPTION);
ret = AesSetKey(&enc, niKey, sizeof(niKey), cipher, AES_ENCRYPTION);
if (ret != 0)
return -1003;
AesEncryptDirect(&enc, cipher, niPlain);
if (XMEMCMP(cipher, niCipher, AES_BLOCK_SIZE) != 0)
return -20006;
XMEMSET(plain, 0, AES_BLOCK_SIZE);
AesSetKey(&dec, niKey, sizeof(niKey), plain, AES_DECRYPTION);
ret = AesSetKey(&dec, niKey, sizeof(niKey), plain, AES_DECRYPTION);
if (ret != 0)
return -1004;
AesDecryptDirect(&dec, plain, niCipher);
if (XMEMCMP(plain, niPlain, AES_BLOCK_SIZE) != 0)
return -20007;


@ -149,6 +149,25 @@ CYASSL_API int AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
CYASSL_API void AesFreeCavium(Aes*);
#endif
#ifdef HAVE_FIPS
/* fips wrapper calls, user can call direct */
CYASSL_API int AesSetKey_fips(Aes* aes, const byte* key, word32 len,
const byte* iv, int dir);
CYASSL_API int AesCbcEncrypt_fips(Aes* aes, byte* out, const byte* in,
word32 sz);
CYASSL_API int AesCbcDecrypt_fips(Aes* aes, byte* out, const byte* in,
word32 sz);
#ifndef FIPS_NO_WRAPPERS
/* if not internal or fips.c consumer force fips calls if fips build */
#define AesSetKey AesSetKey_fips
#define AesCbcEncrypt AesCbcEncrypt_fips
#define AesCbcDecrypt AesCbcDecrypt_fips
#endif /* FIPS_NO_WRAPPERS */
#endif /* HAVE_FIPS */
#ifdef __cplusplus
} /* extern "C" */
#endif
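Review bot: The FIPS remapping covers only AesSetKey, AesCbcEncrypt and AesCbcDecrypt, so in a HAVE_FIPS build callers of the other AES entry points declared in this header (AesCcmDecrypt is visible in the hunk context) still reach the non-wrapped functions. If that is intentional, say so where the macros are defined, e.g. `/* only AES key setup and CBC are routed through the FIPS wrappers; other AES modes are called directly */`. Because these are object-like macros, any later use of the identifiers `AesSetKey`, `AesCbcEncrypt` or `AesCbcDecrypt` in an including file is renamed as well, which deserves a line in the same comment.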


@ -101,6 +101,7 @@
#define BAD_COMPRESSION_STR 67
#define BAD_DERIVE_STR 68
#define ACK_MISSED_STR 69
#define BAD_DECRYPT 70
/* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
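Review bot: `BAD_DECRYPT` breaks the `_STR` suffix used by the visible neighbouring message ids (`BAD_COMPRESSION_STR`, `BAD_DERIVE_STR`, `ACK_MISSED_STR`) and reads very close to the `BAD_DECRYPT_TYPE` trace id used in the sniffer's Decrypt function. Naming it `#define BAD_DECRYPT_STR 70`, with the matching change at the `SetError` call, would keep the table consistent and make the two ids harder to confuse.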


@ -83,5 +83,6 @@ STRINGTABLE
67, "Bad Compression Type"
68, "Bad DeriveKeys Error"
69, "Saw ACK for Missing Packet Error"
70, "Bad Decrypt Operation"
}


@ -36,6 +36,10 @@ if BUILD_ASN
src_libcyassl_la_SOURCES += ctaocrypt/src/asn.c
endif
if BUILD_FIPS
src_libcyassl_la_SOURCES += ctaocrypt/src/fips.c
endif
if BUILD_CODING
src_libcyassl_la_SOURCES += ctaocrypt/src/coding.c
endif


@ -1614,6 +1614,8 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#ifdef BUILD_AES
if (specs->bulk_cipher_algorithm == cyassl_aes) {
int aesRet = 0;
if (enc->aes == NULL)
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (enc->aes == NULL)
@ -1635,20 +1637,28 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
}
#endif
if (side == CYASSL_CLIENT_END) {
AesSetKey(enc->aes, keys->client_write_key,
specs->key_size, keys->client_write_IV,
AES_ENCRYPTION);
AesSetKey(dec->aes, keys->server_write_key,
specs->key_size, keys->server_write_IV,
AES_DECRYPTION);
aesRet = AesSetKey(enc->aes, keys->client_write_key,
specs->key_size, keys->client_write_IV,
AES_ENCRYPTION);
if (aesRet != 0)
return aesRet;
aesRet = AesSetKey(dec->aes, keys->server_write_key,
specs->key_size, keys->server_write_IV,
AES_DECRYPTION);
if (aesRet != 0)
return aesRet;
}
else {
AesSetKey(enc->aes, keys->server_write_key,
specs->key_size, keys->server_write_IV,
AES_ENCRYPTION);
AesSetKey(dec->aes, keys->client_write_key,
specs->key_size, keys->client_write_IV,
AES_DECRYPTION);
aesRet = AesSetKey(enc->aes, keys->server_write_key,
specs->key_size, keys->server_write_IV,
AES_ENCRYPTION);
if (aesRet != 0)
return aesRet;
aesRet = AesSetKey(dec->aes, keys->client_write_key,
specs->key_size, keys->client_write_IV,
AES_DECRYPTION);
if (aesRet != 0)
return aesRet;
}
enc->setup = 1;
dec->setup = 1;
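Review bot: The client and server branches of the AES block now repeat the same call-and-check pair four times, differing only in which key and IV go to which direction. Selecting the key and IV pointers from `side` first and then calling AesSetKey once per direction halves the number of error paths that have to stay in sync. SetKeys starts and ends outside the hunk and its callers are not visible here; since the AES path could not fail before this change, they should be checked to treat a non-zero return as fatal.

```c
/* … unchanged: Aes allocation for enc and dec … */
{
    const int   isClient = (side == CYASSL_CLIENT_END);
    const byte* encKey = isClient ? keys->client_write_key
                                  : keys->server_write_key;
    const byte* encIV  = isClient ? keys->client_write_IV
                                  : keys->server_write_IV;
    const byte* decKey = isClient ? keys->server_write_key
                                  : keys->client_write_key;
    const byte* decIV  = isClient ? keys->server_write_IV
                                  : keys->client_write_IV;

    aesRet = AesSetKey(enc->aes, encKey, specs->key_size, encIV,
                       AES_ENCRYPTION);
    if (aesRet != 0)
        return aesRet;
    aesRet = AesSetKey(dec->aes, decKey, specs->key_size, decIV,
                       AES_DECRYPTION);
    if (aesRet != 0)
        return aesRet;
}
enc->setup = 1;
```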


@ -224,7 +224,8 @@ static const char* const msgTable[] =
"Bad Finished Message Processing",
"Bad Compression Type",
"Bad DeriveKeys Error",
"Saw ACK for Missing Packet Error"
"Saw ACK for Missing Packet Error",
"Bad Decrypt Operation"
};
@ -1557,9 +1558,11 @@ static int DoHandShake(const byte* input, int* sslBytes,
}
/* Decrypt input into plain output */
static void Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
/* Decrypt input into plain output, 0 on success */
static int Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
{
int ret = 0;
switch (ssl->specs.bulk_cipher_algorithm) {
#ifdef BUILD_ARC4
case cyassl_rc4:
@ -1575,7 +1578,7 @@ static void Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
#ifdef BUILD_AES
case cyassl_aes:
AesCbcDecrypt(ssl->decrypt.aes, output, input, sz);
ret = AesCbcDecrypt(ssl->decrypt.aes, output, input, sz);
break;
#endif
@ -1599,18 +1602,25 @@ static void Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
default:
Trace(BAD_DECRYPT_TYPE);
ret = -1;
break;
}
return ret;
}
/* Decrypt input message into output, adjust output steam if needed */
static const byte* DecryptMessage(SSL* ssl, const byte* input, word32 sz,
byte* output)
byte* output, int* error)
{
int ivExtra = 0;
Decrypt(ssl, output, input, sz);
int ret = Decrypt(ssl, output, input, sz);
if (ret != 0) {
*error = ret;
return NULL;
}
ssl->keys.encryptSz = sz;
if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) {
output += ssl->specs.block_size; /* go past TLSv1.1 IV */
@ -2320,6 +2330,7 @@ static int ProcessMessage(const byte* sslFrame, SnifferSession* session,
RecordLayerHeader rh;
int rhSize = 0;
int ret;
int errCode = 0;
int decoded = 0; /* bytes stored for user in data */
int notEnough; /* notEnough bytes yet flag */
SSL* ssl = (session->flags.side == CYASSL_SERVER_END) ?
@ -2372,7 +2383,11 @@ doMessage:
return -1;
}
sslFrame = DecryptMessage(ssl, sslFrame, rhSize,
ssl->buffers.outputBuffer.buffer);
ssl->buffers.outputBuffer.buffer, &errCode);
if (errCode != 0) {
SetError(BAD_DECRYPT, error, session, FATAL_ERROR_STATE);
return -1;
}
}
switch ((enum ContentType)rh.type) {
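Review bot: ProcessMessage detects a decrypt failure only through `errCode`, while DecryptMessage signals it by returning NULL and writes `*error` on the failure path only. Testing the pointer as well keeps a NULL `sslFrame` from reaching the record switch if a later failure path forgets to set the code: `if (sslFrame == NULL || errCode != 0) {`. The comment above DecryptMessage should also state the new contract, e.g. `/* Decrypt input message into output, adjust output stream if needed; returns NULL and sets *error on failure */`. Both functions extend beyond the hunks shown.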


@ -2018,6 +2018,7 @@ int CyaSSL_Init(void)
XFREE(der.buffer, heap, dynamicType);
return ret;
}
ret = 0; /* back to good status */
if (XSTRNCMP(info.name, "DES-CBC", 7) == 0) {
Des enc;
@ -2031,23 +2032,34 @@ int CyaSSL_Init(void)
}
else if (XSTRNCMP(info.name, "AES-128-CBC", 13) == 0) {
Aes enc;
AesSetKey(&enc, key, AES_128_KEY_SIZE, info.iv, AES_DECRYPTION);
AesCbcDecrypt(&enc, der.buffer, der.buffer, der.length);
ret = AesSetKey(&enc, key, AES_128_KEY_SIZE, info.iv,
AES_DECRYPTION);
if (ret == 0)
ret = AesCbcDecrypt(&enc, der.buffer,der.buffer,der.length);
}
else if (XSTRNCMP(info.name, "AES-192-CBC", 13) == 0) {
Aes enc;
AesSetKey(&enc, key, AES_192_KEY_SIZE, info.iv, AES_DECRYPTION);
AesCbcDecrypt(&enc, der.buffer, der.buffer, der.length);
ret = AesSetKey(&enc, key, AES_192_KEY_SIZE, info.iv,
AES_DECRYPTION);
if (ret == 0)
ret = AesCbcDecrypt(&enc, der.buffer,der.buffer,der.length);
}
else if (XSTRNCMP(info.name, "AES-256-CBC", 13) == 0) {
Aes enc;
AesSetKey(&enc, key, AES_256_KEY_SIZE, info.iv, AES_DECRYPTION);
AesCbcDecrypt(&enc, der.buffer, der.buffer, der.length);
ret = AesSetKey(&enc, key, AES_256_KEY_SIZE, info.iv,
AES_DECRYPTION);
if (ret == 0)
ret = AesCbcDecrypt(&enc, der.buffer,der.buffer,der.length);
}
else {
XFREE(der.buffer, heap, dynamicType);
return SSL_BAD_FILE;
}
if (ret != 0) {
XFREE(der.buffer, heap, dynamicType);
return ret;
}
}
#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */
@ -6723,6 +6735,8 @@ int CyaSSL_set_compression(CYASSL* ssl)
const CYASSL_EVP_CIPHER* type, byte* key,
byte* iv, int enc)
{
int ret = 0;
CYASSL_ENTER("CyaSSL_EVP_CipherInit");
if (ctx == NULL) {
CYASSL_MSG("no ctx");
@ -6741,9 +6755,12 @@ int CyaSSL_set_compression(CYASSL* ssl)
ctx->keyLen = 16;
if (enc == 0 || enc == 1)
ctx->enc = enc ? 1 : 0;
if (key)
AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION);
if (key) {
ret = AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION);
if (ret != 0)
return ret;
}
if (iv && key == NULL)
AesSetIV(&ctx->cipher.aes, iv);
}
@ -6754,9 +6771,12 @@ int CyaSSL_set_compression(CYASSL* ssl)
ctx->keyLen = 24;
if (enc == 0 || enc == 1)
ctx->enc = enc ? 1 : 0;
if (key)
AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION);
if (key) {
ret = AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION);
if (ret != 0)
return ret;
}
if (iv && key == NULL)
AesSetIV(&ctx->cipher.aes, iv);
}
@ -6767,9 +6787,12 @@ int CyaSSL_set_compression(CYASSL* ssl)
ctx->keyLen = 32;
if (enc == 0 || enc == 1)
ctx->enc = enc ? 1 : 0;
if (key)
AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION);
if (key) {
ret = AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION);
if (ret != 0)
return ret;
}
if (iv && key == NULL)
AesSetIV(&ctx->cipher.aes, iv);
}
@ -6781,9 +6804,12 @@ int CyaSSL_set_compression(CYASSL* ssl)
ctx->keyLen = 16;
if (enc == 0 || enc == 1)
ctx->enc = enc ? 1 : 0;
if (key)
AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
AES_ENCRYPTION);
if (key) {
ret = AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
AES_ENCRYPTION);
if (ret != 0)
return ret;
}
if (iv && key == NULL)
AesSetIV(&ctx->cipher.aes, iv);
}
@ -6794,9 +6820,12 @@ int CyaSSL_set_compression(CYASSL* ssl)
ctx->keyLen = 24;
if (enc == 0 || enc == 1)
ctx->enc = enc ? 1 : 0;
if (key)
AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
AES_ENCRYPTION);
if (key) {
ret = AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
AES_ENCRYPTION);
if (ret != 0)
return ret;
}
if (iv && key == NULL)
AesSetIV(&ctx->cipher.aes, iv);
}
@ -6807,9 +6836,12 @@ int CyaSSL_set_compression(CYASSL* ssl)
ctx->keyLen = 32;
if (enc == 0 || enc == 1)
ctx->enc = enc ? 1 : 0;
if (key)
AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
AES_ENCRYPTION);
if (key) {
ret = AesSetKey(&ctx->cipher.aes, key, ctx->keyLen, iv,
AES_ENCRYPTION);
if (ret != 0)
return ret;
}
if (iv && key == NULL)
AesSetIV(&ctx->cipher.aes, iv);
}
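Review bot: Each new `return ret;` in CyaSSL_EVP_CipherInit hands the caller AesSetKey's raw error code, and the same pattern repeats in all six AES hunks of this function. The function's other return statements are outside the hunks; if it follows the OpenSSL EVP_CipherInit convention of 1 for success and 0 for failure, a caller written as `if (!CyaSSL_EVP_CipherInit(...))` would read a non-zero error code as success and continue with a cipher context whose key was never set. Mapping the failure to the function's own failure value, e.g. `if (ret != 0) return 0; /* failure */`, would avoid that; confirm against the rest of the function.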