Merge pull request #3660 from dgarske/sess_ticket_aes_gcm

Added support for AES GCM session ticket encryption
2021-01-25 15:00:03 -08:00 · 2021-01-25 15:00:03 -08:00 · 6e0e507dad
parent f91dcb950c 59305e9346
commit 6e0e507dad
6 changed files with 77 additions and 25 deletions
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@ -165,8 +165,9 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
    CyaSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
 #endif

-#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
-                                    defined(HAVE_POLY1305)
+#if defined(HAVE_SESSION_TICKET) && \
+    ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || \
+      defined(HAVE_AESGCM))
    if (TicketInit() != 0)
        err_sys("unable to setup Session Ticket Key context");
    wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
--- a/examples/server/server.c
+++ b/examples/server/server.c
@ -1800,8 +1800,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
        wolfSSL_CTX_SetIOSend(ctx, SimulateWantWriteIOSendCb);
    }

-#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
-                                    defined(HAVE_POLY1305)
+#if defined(HAVE_SESSION_TICKET) && \
+    ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || \
+      defined(HAVE_AESGCM))
    if (TicketInit() != 0)
        err_sys_ex(catastrophic, "unable to setup Session Ticket Key context");
    wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
--- a/tests/api.c
+++ b/tests/api.c
@ -2646,8 +2646,9 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
        ctx = wolfSSL_CTX_new(method);
    }

-#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
-                                    defined(HAVE_POLY1305)
+#if defined(HAVE_SESSION_TICKET) && \
+    ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || \
+      defined(HAVE_AESGCM))
    TicketInit();
    wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
 #endif
@ -31486,7 +31487,7 @@ static void test_wolfSSL_SESSION(void)
    /* CHACHA and POLY1305 required for myTicketEncCb */
 #if defined(WOLFSSL_TLS13) && (!defined(HAVE_SESSION_TICKET) && \
    !defined(WOLFSSL_NO_TLS12) || !(defined(HAVE_CHACHA) && \
-            defined(HAVE_POLY1305)))
+            defined(HAVE_POLY1305) && !defined(HAVE_AESGCM)))
    AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
 #else
    AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@ -3926,14 +3926,22 @@ static WC_INLINE const char* mymktemp(char *tempfn, int len, int num)



-#if defined(HAVE_SESSION_TICKET) && defined(HAVE_CHACHA) && \
-                                    defined(HAVE_POLY1305)
+#if defined(HAVE_SESSION_TICKET) && \
+    ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || \
+      defined(HAVE_AESGCM))

+#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
    #include <wolfssl/wolfcrypt/chacha20_poly1305.h>
+    #define WOLFSSL_TICKET_KEY_SZ CHACHA20_POLY1305_AEAD_KEYSIZE
+#elif defined(HAVE_AESGCM)
+    #include <wolfssl/wolfcrypt/aes.h>
+    #include <wolfssl/wolfcrypt/wc_encrypt.h> /* AES IV sizes in FIPS mode */
+    #define WOLFSSL_TICKET_KEY_SZ AES_256_KEY_SIZE
+#endif

    typedef struct key_ctx {
-        byte name[WOLFSSL_TICKET_NAME_SZ];        /* name for this context */
-        byte key[CHACHA20_POLY1305_AEAD_KEYSIZE]; /* cipher key */
+        byte name[WOLFSSL_TICKET_NAME_SZ]; /* name for this context */
+        byte key[WOLFSSL_TICKET_KEY_SZ];   /* cipher key */
    } key_ctx;

    static THREAD_LS_T key_ctx myKey_ctx;
@ -3970,6 +3978,11 @@ static WC_INLINE const char* mymktemp(char *tempfn, int len, int num)
        byte aad[WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + 2];
        int  aadSz = WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + 2;
        byte* tmp = aad;
+    #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
+        /* chahca20/poly1305 */
+    #elif defined(HAVE_AESGCM)
+        Aes aes;
+    #endif

        (void)ssl;
        (void)userCtx;
@ -3986,22 +3999,35 @@ static WC_INLINE const char* mymktemp(char *tempfn, int len, int num)
            tmp += WOLFSSL_TICKET_NAME_SZ;
            XMEMCPY(tmp, iv, WOLFSSL_TICKET_IV_SZ);
            tmp += WOLFSSL_TICKET_IV_SZ;
-            XMEMCPY(tmp, &sLen, 2);
+            XMEMCPY(tmp, &sLen, sizeof(sLen));

+        #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
            ret = wc_ChaCha20Poly1305_Encrypt(myKey_ctx.key, iv,
                                              aad, aadSz,
                                              ticket, inLen,
                                              ticket,
                                              mac);
+        #elif defined(HAVE_AESGCM)
+            ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+            if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
+
+            ret = wc_AesGcmSetKey(&aes, myKey_ctx.key, sizeof(myKey_ctx.key));
+            if (ret == 0) {
+                ret = wc_AesGcmEncrypt(&aes, ticket, ticket, inLen,
+                                       iv, GCM_NONCE_MID_SZ, mac, AES_BLOCK_SIZE,
+                                       aad, aadSz);
+            }
+            wc_AesFree(&aes);
+        #endif
+            
            if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
            *outLen = inLen;  /* no padding in this mode */
        }
        /* decrypt */
        else {
-
            /* see if we know this key */
            if (XMEMCMP(key_name, myKey_ctx.name, WOLFSSL_TICKET_NAME_SZ) != 0){
-                printf("client presented unknown ticket key name ");
+                printf("client presented unknown ticket key name %s\n", key_name);
                return WOLFSSL_TICKET_RET_FATAL;
            }

@ -4010,13 +4036,27 @@ static WC_INLINE const char* mymktemp(char *tempfn, int len, int num)
            tmp += WOLFSSL_TICKET_NAME_SZ;
            XMEMCPY(tmp, iv, WOLFSSL_TICKET_IV_SZ);
            tmp += WOLFSSL_TICKET_IV_SZ;
-            XMEMCPY(tmp, &sLen, 2);
+            XMEMCPY(tmp, &sLen, sizeof(sLen));

+        #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
            ret = wc_ChaCha20Poly1305_Decrypt(myKey_ctx.key, iv,
                                              aad, aadSz,
                                              ticket, inLen,
                                              mac,
                                              ticket);
+        #elif defined(HAVE_AESGCM)
+            ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+            if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
+
+            ret = wc_AesGcmSetKey(&aes, myKey_ctx.key, sizeof(myKey_ctx.key));
+            if (ret == 0) {
+                ret = wc_AesGcmDecrypt(&aes, ticket, ticket, inLen,
+                                        iv, GCM_NONCE_MID_SZ, mac, AES_BLOCK_SIZE,
+                                        aad, aadSz);
+            }
+            wc_AesFree(&aes);
+        #endif
+
            if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
            *outLen = inLen;  /* no padding in this mode */
        }
@ -4024,7 +4064,8 @@ static WC_INLINE const char* mymktemp(char *tempfn, int len, int num)
        return WOLFSSL_TICKET_RET_OK;
    }

-#endif  /* HAVE_SESSION_TICKET && HAVE_CHACHA && HAVE_POLY1305 */
+#endif /* HAVE_SESSION_TICKET && ((HAVE_CHACHA && HAVE_POLY1305) || HAVE_AESGCM) */
+

 static WC_INLINE word16 GetRandomPort(void)
 {
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@ -41,6 +41,7 @@
 #ifndef NO_DES3
    #include <wolfssl/wolfcrypt/des3.h>
 #endif
+#include <wolfssl/wolfcrypt/wc_encrypt.h>

 #ifdef __cplusplus
    extern "C" {
@ -157,15 +158,6 @@ enum Pkcs7_Misc {
    MAX_RECIP_SZ          = MAX_VERSION_SZ +
                            MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ +
                            MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ,
-#if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
-     (HAVE_FIPS_VERSION <= 2)) || (defined(HAVE_SELFTEST) && \
-     (!defined(HAVE_SELFTEST_VERSION) || (HAVE_SELFTEST_VERSION < 2)))
-    /* In the event of fips cert 3389 or CAVP selftest v1 build, these enums are
-     * not in aes.h for use with pkcs7 so enumerate it here outside the fips
-     * boundary */
-    GCM_NONCE_MID_SZ = 12, /* The usual default nonce size for AES-GCM. */
-    CCM_NONCE_MIN_SZ = 7,
-#endif
 };

 enum Cms_Options {
--- a/wolfssl/wolfcrypt/wc_encrypt.h
+++ b/wolfssl/wolfcrypt/wc_encrypt.h
@ -60,6 +60,22 @@
 #endif


+#if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
+     (HAVE_FIPS_VERSION <= 2)) || (defined(HAVE_SELFTEST) && \
+     (!defined(HAVE_SELFTEST_VERSION) || (HAVE_SELFTEST_VERSION < 2)))
+    /* In FIPS cert 3389 and CAVP selftest v1 build, these enums are
+     * not in aes.h. Define them here outside the fips boundary. 
+     */
+    #ifndef GCM_NONCE_MID_SZ
+        /* The usual default nonce size for AES-GCM. */
+        #define GCM_NONCE_MID_SZ 12
+    #endif
+    #ifndef CCM_NONCE_MIN_SZ
+        #define CCM_NONCE_MIN_SZ 7
+    #endif
+#endif
+
+
 #if !defined(NO_AES) && defined(HAVE_AES_CBC)
 WOLFSSL_API int wc_AesCbcEncryptWithKey(byte* out, const byte* in, word32 inSz,
                                        const byte* key, word32 keySz,