From 08ff33894f07cc82609def9e3c7f18f3d0090734 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 8 Aug 2012 15:09:26 -0700 Subject: [PATCH 1/7] add ECDH static cipher suite tests including RSA signed ECDH, clean up code with haveECDSA -> haveECDSAsig --- certs/include.am | 1 + certs/server-ecc-rsa.pem | 54 +++++++++ cyassl/internal.h | 4 +- src/internal.c | 97 +++++++++------ src/ssl.c | 16 +-- tests/test-ecc.conf | 252 +++++++++++++++++++++++++++++++++++++++ 6 files changed, 375 insertions(+), 49 deletions(-) create mode 100644 certs/server-ecc-rsa.pem diff --git a/certs/include.am b/certs/include.am index a027c57b4..fcedd005b 100644 --- a/certs/include.am +++ b/certs/include.am @@ -16,6 +16,7 @@ EXTRA_DIST += \ certs/dh2048.pem \ certs/server-cert.pem \ certs/server-ecc.pem \ + certs/server-ecc-rsa.pem \ certs/server-keyEnc.pem \ certs/server-key.pem \ certs/server-keyPkcs8Enc12.pem \ diff --git a/certs/server-ecc-rsa.pem b/certs/server-ecc-rsa.pem new file mode 100644 index 000000000..5f25d9df8 --- /dev/null +++ b/certs/server-ecc-rsa.pem 
@@ -0,0 +1,54 @@
+Certificate:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 9 (0x9)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.yassl.com/emailAddress=info@yassl.com
+ Validity
+ Not Before: Aug 8 21:58:29 2012 GMT
+ Not After : May 5 21:58:29 2015 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=Elliptic - RSAsig, OU=ECC-RSAsig, CN=www.yassl.com/emailAddress=info@yassl.com
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ EC Public Key:
+ pub:
+ 04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
+ 9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
+ 16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:
+ 21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33:
+ 0b:80:34:89:d8
+ ASN1 OID: prime256v1
+ Signature Algorithm: sha1WithRSAEncryption
+ a0:1c:de:98:e8:61:c8:fb:0a:0e:af:ea:99:4b:c0:49:e6:66:
+ 68:5e:7a:18:b8:0c:e3:0f:16:86:bc:b5:86:79:02:69:1c:b7:
+ e7:ff:53:d9:05:5d:27:39:24:54:67:14:de:ef:8e:c2:a0:11:
+ ca:c8:27:99:b9:d6:e9:71:1f:86:c9:8f:b1:74:a2:9f:93:6a:
+ 0c:74:cf:17:77:8c:26:08:6e:a8:ac:69:d4:55:15:a2:95:87:
+ 43:7a:ab:72:93:73:40:58:c2:bb:9c:89:f2:73:20:69:df:f1:
+ f3:65:08:9c:00:67:97:a6:71:00:2b:31:84:10:ac:bd:54:ac:
+ fd:b3:eb:12:36:77:f6:0a:e3:9a:96:d2:a6:22:bc:1d:6b:ce:
+ 3c:0d:7b:d9:1c:1d:f1:ee:ec:ce:83:c8:98:c9:65:3e:06:31:
+ c3:b2:87:da:09:b4:90:0b:e2:6b:29:0e:d6:ae:53:1d:10:98:
+ e2:dc:f9:63:38:a1:a2:af:46:23:a4:4c:ab:0c:0b:08:be:cd:
+ a4:a6:6d:46:f0:f8:e0:31:99:85:39:10:4a:a0:04:54:3b:21:
+ e1:e9:b4:f3:a5:06:cd:37:ae:2c:ca:5d:ac:90:b5:ab:92:81:
+ aa:bf:2d:3f:8e:ee:4d:12:81:0a:8e:a4:ca:87:93:af:b0:25:
+ 7e:e2:07:f7
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAb8CAQkwDQYJKoZIhvcNAQEFBQAwgZAxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIEwdNb250YW5hMRAwDgYDVQQHEwdCb3plbWFuMREwDwYDVQQKEwhTYXd0b290
+aDETMBEGA1UECxMKQ29uc3VsdGluZzEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEd
+MBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb20wHhcNMTIwODA4MjE1ODI5WhcN
+MTUwNTA1MjE1ODI5WjCBnDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
+b24xEDAOBgNVBAcTB1NlYXR0bGUxGjAYBgNVBAoTEUVsbGlwdGljIC0gUlNBc2ln
+MRMwEQYDVQQLEwpFQ0MtUlNBc2lnMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0w
+GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5ox
+W5eSIX/wzxjakRECNIboIFgzC4A0idgwDQYJKoZIhvcNAQEFBQADggEBAKAc3pjo
+Ycj7Cg6v6plLwEnmZmheehi4DOMPFoa8tYZ5Amkct+f/U9kFXSc5JFRnFN7vjsKg
+EcrIJ5m51ulxH4bJj7F0op+Tagx0zxd3jCYIbqisadRVFaKVh0N6q3KTc0BYwruc
+ifJzIGnf8fNlCJwAZ5emcQArMYQQrL1UrP2z6xI2d/YK45qW0qYivB1rzjwNe9kc
+HfHu7M6DyJjJZT4GMcOyh9oJtJAL4mspDtauUx0QmOLc+WM4oaKvRiOkTKsMCwi+
+zaSmbUbw+OAxmYU5EEqgBFQ7IeHptPOlBs03rizKXayQtauSgaq/LT+O7k0SgQqO
+pMqHk6+wJX7iB/c=
+-----END CERTIFICATE-----
diff --git a/cyassl/internal.h b/cyassl/internal.h
index 7081430eb..372ca4a82 100644
--- a/cyassl/internal.h
+++ b/cyassl/internal.h
@@ -784,7 +784,7 @@ struct CYASSL_CTX {
 byte sendVerify; /* for client side */
 byte haveDH; /* server DH parms set by user */
 byte haveNTRU; /* server private NTRU key loaded */
- byte haveECDSA; /* server cert signed w/ ECDSA loaded */
+ byte haveECDSAsig; /* server cert signed w/ ECDSA */
 byte haveStaticECC; /* static server ECC private key */
 byte partialWrite; /* only one msg per write call */
 byte quietShutdown; /* don't send close notify */
@@ -1104,7 +1104,7 @@ typedef struct Options {
 byte usingCompression; /* are we using compression */
 byte haveDH; /* server DH parms set by user */
 byte haveNTRU; /* server NTRU private key loaded */
- byte haveECDSA; /* server ECDSA signed cert */
+ byte haveECDSAsig; /* server ECDSA signed cert */
 byte haveStaticECC; /* static server ECC private key */
 byte havePeerCert; /* do we have peer's cert */
 byte usingPSK_cipher; /* whether we're using psk as cipher */
diff --git a/src/internal.c b/src/internal.c
index 11f4df2a6..b99309a17 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -321,7 +321,7 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) ctx->serverDH_G.buffer = 0; ctx->haveDH = 0; ctx->haveNTRU = 0; /* start off */ - ctx->haveECDSA = 0; /* start off */ + ctx->haveECDSAsig = 0; /* start off */ ctx->haveStaticECC = 0; /* start off */ ctx->heap = ctx; /* defaults to self */ #ifndef NO_PSK @@ -360,14 +360,14 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) #endif #ifdef HAVE_ECC if (method->side == CLIENT_END) { - ctx->haveECDSA = 1; /* always on cliet side */ + ctx->haveECDSAsig = 1; /* always on cliet side */ ctx->haveStaticECC = 1; /* server can turn on by loading key */ } #endif ctx->suites.setSuites = 0; /* user hasn't set yet */ /* remove DH later if server didn't set, add psk later */ InitSuites(&ctx->suites, method->version, TRUE, FALSE, ctx->haveNTRU, - ctx->haveECDSA, ctx->haveStaticECC, method->side); + ctx->haveECDSAsig, ctx->haveStaticECC, method->side); ctx->verifyPeer = 0; ctx->verifyNone = 0; ctx->failNoCert = 0; @@ -436,12 +436,13 @@ void FreeSSL_Ctx(CYASSL_CTX* ctx) void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, - byte haveNTRU, byte haveStaticECC, byte haveECDSA, int side) + byte haveNTRU, byte haveECDSAsig, byte haveStaticECC, int side) { word16 idx = 0; int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; int tls1_2 = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_2_MINOR; int haveRSA = 1; + int haveRSAsig = 1; (void)tls; /* shut up compiler */ (void)haveDH; 
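Review bot: The InitSuites definition now orders its parameters `haveNTRU, haveECDSAsig, haveStaticECC, side`, which finally matches what every caller passes (the old definition had `haveStaticECC, haveECDSA` while callers passed ECDSA first, and both being `byte` meant nothing caught the swap); the diffstat shows cyassl/internal.h changing only the two struct fields, so if the InitSuites prototype lives there it still carries the old parameter order and names and should be updated to match. A one-line comment on the definition, `/* argument order: haveNTRU, haveECDSAsig, haveStaticECC -- keep callers in sync, the types do not help */`, would make the next mismatch visible in review. The added line `ctx->haveECDSAsig = 1; /* always on cliet side */` carries a typo forward; `/* always on client side */`. InitSuites's body continues past the hunk.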
@@ -452,8 +453,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, if (suites->setSuites) return; /* trust user settings, don't override */ - if (side == SERVER_END && haveECDSA) - haveRSA = 0; /* can't do RSA with ECDSA cert */ + if (side == SERVER_END && haveStaticECC) + haveRSA = 0; /* can't do RSA with ECDSA key */ + + if (side == SERVER_END && haveECDSAsig) + haveRSAsig = 0; /* can't have RSA sig if signed by ECDSA */ #ifdef CYASSL_DTLS if (pv.major == DTLS_MAJOR && pv.minor == DTLS_MINOR) 
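Review bot: The two server-side guards infer `haveRSA` and `haveRSAsig` by elimination: RSA capability is assumed unless an ECC private key (`haveStaticECC`) or an ECDSA-signed certificate (`haveECDSAsig`) has been loaded, not because an RSA key or RSA-signed certificate is known to be present, so a server context with no credentials loaded still advertises RSA suites. That is presumably intentional (defaults of `haveRSA = 1` / `haveRSAsig = 1` above), but it should be stated next to the guards, e.g. `/* RSA kea and RSA signatures are assumed unless an ECC key / ECDSA-signed cert was loaded */`. The comment `can't do RSA with ECDSA key` is attached to `haveStaticECC`, which the header describes as a static server ECC private key; `can't do RSA kea with an ECC private key` names the actual flag. InitSuites continues beyond the hunk.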
@@ -489,84 +493,84 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECDSA) { + if (tls1_2 && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECDSA) { + if (tls && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveECDSA && haveStaticECC) { + if (tls1_2 && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveECDSA && haveStaticECC) { + if (tls && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECDSA) { + if (tls1_2 && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECDSA) { + if (tls && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveECDSA && haveStaticECC) { + if (tls1_2 && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveECDSA && haveStaticECC) { + if (tls && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA; } #endif #ifdef 
BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - if (tls && haveECDSA) { + if (tls && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA - if (tls && haveECDSA && haveStaticECC) { + if (tls && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECDSA) { + if (tls && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; } #endif #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveECDSA && haveStaticECC) { + if (tls && haveECDSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA; } @@ -587,14 +591,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveRSA && haveStaticECC) { + if (tls1_2 && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - if (tls && haveRSA && haveStaticECC) { + if (tls && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA; } 
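Review bot: The ECDHE_ECDSA suites are now gated on `haveStaticECC` alone while the ECDH_ECDSA ones need `haveECDSAsig && haveStaticECC`, so `haveStaticECC` now stands for "an ECC private key is loaded" in both the static-ECDH and the ECDSA-signing roles, although its field comment still reads "static server ECC private key". The gating is consistent with the suite definitions, but nothing in the code says why ECDHE_ECDSA ignores the certificate's signature algorithm; a comment at the first ECDHE_ECDSA gate, `/* ECDHE_ECDSA needs an ECC key to sign with; how the cert itself is signed does not matter */`, would stop a future reader from "fixing" it back to haveECDSAsig. The same reasoning applies to the `haveRSAsig && haveStaticECC` gates in the -587 and -615 hunks for the ECDH_RSA suites.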
@@ -615,14 +619,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveRSA && haveStaticECC) { + if (tls1_2 && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256; } #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - if (tls && haveRSA && haveStaticECC) { + if (tls && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA; } @@ -636,7 +640,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA - if (tls && haveRSA && haveStaticECC) { + if (tls && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA; } @@ -650,7 +654,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, #endif #ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveRSA && haveStaticECC) { + if (tls && haveRSAsig && haveStaticECC) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA; } @@ -889,8 +893,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->options.haveDH = ctx->haveDH; else ssl->options.haveDH = 0; - ssl->options.haveNTRU = ctx->haveNTRU; - ssl->options.haveECDSA = ctx->haveECDSA; + ssl->options.haveNTRU = ctx->haveNTRU; + ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveStaticECC = ctx->haveStaticECC; ssl->options.havePeerCert = 0; ssl->options.usingPSK_cipher = 0; 
@@ -1004,11 +1008,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) /* make sure server has DH parms, and add PSK if there, add NTRU too */ if (ssl->options.side == SERVER_END) InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); else InitSuites(&ssl->suites, ssl->version, TRUE, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); return 0; @@ -5812,7 +5816,8 @@ int SetCipherList(Suites* s, const char* list) REQUIRES_ECC_DSA, REQUIRES_ECC_STATIC, REQUIRES_PSK, - REQUIRES_NTRU + REQUIRES_NTRU, + REQUIRES_RSA_SIG }; @@ -5835,6 +5840,8 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : @@ -5845,6 +5852,8 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDHE_RSA_WITH_RC4_128_SHA : @@ -5855,6 +5864,8 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_RC4_128_SHA : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : @@ -5885,6 +5896,8 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : 
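Review bot: The new `if (requirement == REQUIRES_RSA_SIG) return 1;` is added as a second statement after the REQUIRES_ECC_STATIC test in five ECDH_RSA cases (-5835, -5845, -5855, -5885 and the GCM cases in -5940); each pair is the same two checks and could be one condition, `if (requirement == REQUIRES_ECC_STATIC || requirement == REQUIRES_RSA_SIG) return 1;`, which also makes it obvious that these suites carry two requirements. The hunk header names SetCipherList, but judging by the `requirement` parameter these cases belong to CipherRequires, which starts and ends outside the hunks. A short comment on the new enumerator, `REQUIRES_RSA_SIG /* cert must be RSA-signed (ECDH_RSA static suites) */`, would document what the new requirement means.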
@@ -5940,11 +5953,15 @@ int SetCipherList(Suites* s, const char* list) case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : if (requirement == ecc_static_diffie_hellman_kea) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : if (requirement == ecc_static_diffie_hellman_kea) return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; break; default: @@ -6093,7 +6110,7 @@ int SetCipherList(Suites* s, const char* list) /* Make sure cert/key are valid for this suite, true on success */ static int VerifySuite(CYASSL* ssl, word16 idx) { - int haveRSA = !ssl->options.haveECDSA; + int haveRSA = !ssl->options.haveStaticECC; int havePSK = 0; byte first = ssl->suites.suites[idx]; byte second = ssl->suites.suites[idx+1]; @@ -6113,7 +6130,6 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have RSA"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_DHE)) { @@ -6122,16 +6138,14 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have DHE"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_ECC_DSA)) { CYASSL_MSG("Requires ECCDSA"); - if (ssl->options.haveECDSA == 0) { + if (ssl->options.haveECDSAsig == 0) { CYASSL_MSG("Don't have ECCDSA"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_ECC_STATIC)) { @@ -6140,7 +6154,6 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have static ECC"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_PSK)) { @@ -6149,7 +6162,6 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have PSK"); return 0; } - return 1; } if (CipherRequires(first, second, REQUIRES_NTRU)) { 
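Review bot: `int haveRSA = !ssl->options.haveStaticECC;` at the top of VerifySuite (hunk -6093) is computed without regard to side, yet the REQUIRES_RSA_SIG check added in hunk -6158 is the only requirement that tests `ssl->options.side == SERVER_END`; since InitSSL_Ctx (hunk -360 in this file) sets haveStaticECC = 1 on every client when HAVE_ECC is defined, a client that ever reaches VerifySuite gets haveRSA == 0 and fails the REQUIRES_RSA branch for every RSA suite. Either VerifySuite is only called on the server, in which case the side test on the new check is redundant and a `/* server side only */` comment on the function would record the assumption, or haveRSA needs the same side guard as the new check. Dropping `return 1;` after each satisfied requirement is what lets a suite with two requirements (ECDH_RSA answers both REQUIRES_ECC_STATIC and REQUIRES_RSA_SIG) be checked fully; that deserves a comment such as `/* a suite may have several requirements; check them all, never return early */` so the early returns are not reintroduced. VerifySuite's tail is outside the hunks.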
@@ -6158,7 +6170,14 @@ int SetCipherList(Suites* s, const char* list) CYASSL_MSG("Don't have NTRU"); return 0; } - return 1; + } + + if (CipherRequires(first, second, REQUIRES_RSA_SIG)) { + CYASSL_MSG("Requires RSA Signature"); + if (ssl->options.side == SERVER_END && ssl->options.haveECDSAsig == 1) { + CYASSL_MSG("Don't have RSA Signature"); + return 0; + } } /* ECCDHE is always supported if ECC on */ @@ -6262,7 +6281,7 @@ int SetCipherList(Suites* s, const char* list) #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } @@ -6393,7 +6412,7 @@ int SetCipherList(Suites* s, const char* list) havePSK = ssl->options.havePSK; #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } /* random */ diff --git a/src/ssl.c b/src/ssl.c index b6c75a64c..1518c69aa 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -245,7 +245,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz, havePSK = ssl->options.havePSK; #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, - havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, + havePSK, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); CYASSL_LEAVE("CyaSSL_SetTmpDH", 0); @@ -529,7 +529,7 @@ int CyaSSL_SetVersion(CYASSL* ssl, int version) #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); return SSL_SUCCESS; 
@@ -1148,9 +1148,9 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify) case CTC_SHA384wECDSA: case CTC_SHA512wECDSA: CYASSL_MSG("ECDSA cert signature"); - ctx->haveECDSA = 1; + ctx->haveECDSAsig = 1; if (ssl) - ssl->options.haveECDSA = 1; + ssl->options.haveECDSAsig = 1; break; default: CYASSL_MSG("Not ECDSA cert signature"); @@ -2135,7 +2135,7 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list) #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); return SSL_SUCCESS; @@ -3159,7 +3159,7 @@ int CyaSSL_set_compression(CYASSL* ssl) ssl->options.client_psk_cb = cb; InitSuites(&ssl->suites, ssl->version,TRUE,TRUE, ssl->options.haveNTRU, - ssl->options.haveECDSA, ssl->options.haveStaticECC, + ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } @@ -3180,7 +3180,7 @@ int CyaSSL_set_compression(CYASSL* ssl) ssl->options.server_psk_cb = cb; InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } @@ -3405,7 +3405,7 @@ int CyaSSL_set_compression(CYASSL* ssl) havePSK = ssl->options.havePSK; #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, - ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } diff --git a/tests/test-ecc.conf b/tests/test-ecc.conf index f21a8eeab..ca1bc56f5 100644 --- a/tests/test-ecc.conf +++ b/tests/test-ecc.conf 
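Review bot: In the -1148 hunk `ctx->haveECDSAsig` (and `ssl->options.haveECDSAsig`) is set to 1 when an ECDSA-signed certificate is loaded, but the visible `default:` branch only logs "Not ECDSA cert signature"; if it does not clear the flag (the rest of the switch is outside the hunk), a context that later loads an RSA-signed certificate keeps the stale value and InitSuites/VerifySuite will then refuse the ECDH_RSA suites this series is adding. Consider mirroring the set in the default branch: `ctx->haveECDSAsig = 0; if (ssl) ssl->options.haveECDSAsig = 0;`. The hunk header's AddCA is git's guess; the code uses `ctx` and `ssl`, so the enclosing function is another one that starts and ends outside the hunk.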
@@ -226,3 +226,255 @@ -l ECDHE-ECDSA-AES256-SHA -A ./certs/server-ecc.pem +# server TLSv1 ECDH-RSA-RC4 +-v 1 +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-RC4 +-v 1 +-l ECDH-RSA-RC4-SHA + +# server TLSv1 ECDH-RSA-DES3 +-v 1 +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-DES3 +-v 1 +-l ECDH-RSA-DES-CBC3-SHA + +# server TLSv1 ECDH-RSA-AES128 +-v 1 +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-AES128 +-v 1 +-l ECDH-RSA-AES128-SHA + +# server TLSv1 ECDH-RSA-AES256 +-v 1 +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-RSA-AES256 +-v 1 +-l ECDH-RSA-AES256-SHA + +# server TLSv1.1 ECDH-RSA-RC4 +-v 2 +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-RSA-RC4 +-v 2 +-l ECDH-RSA-RC4-SHA + +# server TLSv1.1 ECDH-RSA-DES3 +-v 2 +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-RSA-DES3 +-v 2 +-l ECDH-RSA-DES-CBC3-SHA + +# server TLSv1.1 ECDH-RSA-AES128 +-v 2 +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-RSA-AES128 +-v 2 +-l ECDH-RSA-AES128-SHA + +# server TLSv1.1 ECDH-RSA-AES256 +-v 2 +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-RSA-AES256 +-v 2 +-l ECDH-RSA-AES256-SHA + +# server TLSv1.2 ECDH-RSA-RC4 +-v 3 +-l ECDH-RSA-RC4-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-RSA-RC4 +-v 3 +-l ECDH-RSA-RC4-SHA + +# server TLSv1.2 ECDH-RSA-DES3 +-v 3 +-l ECDH-RSA-DES-CBC3-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-RSA-DES3 +-v 3 +-l ECDH-RSA-DES-CBC3-SHA + +# server TLSv1.2 ECDH-RSA-AES128 +-v 3 +-l ECDH-RSA-AES128-SHA +-c ./certs/server-ecc-rsa.pem +-k 
./certs/ecc-key.pem + +# client TLSv1.2 ECDH-RSA-AES128 +-v 3 +-l ECDH-RSA-AES128-SHA + +# server TLSv1.2 ECDH-RSA-AES256 +-v 3 +-l ECDH-RSA-AES256-SHA +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-RSA-AES256 +-v 3 +-l ECDH-RSA-AES256-SHA + +# server TLSv1 ECDH-ECDSA-RC4 +-v 1 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-RC4 +-v 1 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-ECDSA-DES3 +-v 1 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-DES3 +-v 1 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-ECDSA-AES128 +-v 1 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-AES128 +-v 1 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1 ECDH-ECDSA-AES256 +-v 1 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDH-ECDSA-AES256 +-v 1 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-EDCSA-RC4 +-v 2 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-RC4 +-v 2 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-ECDSA-DES3 +-v 2 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-DES3 +-v 2 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-ECDSA-AES128 +-v 2 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-AES128 +-v 2 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDH-ECDSA-AES256 +-v 2 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.1 ECDH-ECDSA-AES256 +-v 2 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 
ECDHE-ECDSA-RC4 +-v 3 +-l ECDH-ECDSA-RC4-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-RC4 +-v 3 +-l ECDH-ECDSA-RC4-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDH-ECDSA-DES3 +-v 3 +-l ECDH-ECDSA-DES-CBC3-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-DES3 +-v 3 +-l ECDH-ECDSA-DES-CBC3-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDH-ECDSA-AES128 +-v 3 +-l ECDH-ECDSA-AES128-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES128 +-v 3 +-l ECDH-ECDSA-AES128-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDH-ECDSA-AES256 +-v 3 +-l ECDH-ECDSA-AES256-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDH-ECDSA-AES256 +-v 3 +-l ECDH-ECDSA-AES256-SHA +-A ./certs/server-ecc.pem + From 6defed64cd268fbc732200b1b5dad3dd33db568e Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 8 Aug 2012 15:22:41 -0700 Subject: [PATCH 2/7] add basic aescgm cipher suite tests --- tests/include.am | 3 ++- tests/suites.c | 11 +++++++++++ tests/test-aesgcm.conf | 16 ++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 tests/test-aesgcm.conf diff --git a/tests/include.am b/tests/include.am index 1c6b5b63f..52813189a 100644 --- a/tests/include.am +++ b/tests/include.am @@ -21,4 +21,5 @@ EXTRA_DIST += tests/test.conf \ tests/test-hc128.conf \ tests/test-psk.conf \ tests/test-ntru.conf \ - tests/test-ecc.conf + tests/test-ecc.conf \ + tests/test-aesgcm.conf diff --git a/tests/suites.c b/tests/suites.c index 11415f9de..d42c82d2e 100644 --- a/tests/suites.c +++ b/tests/suites.c 
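Review bot: Two section labels in the new test-ecc.conf entries do not match the suite they run: `# server TLSv1.1 ECDH-EDCSA-RC4` (transposed letters) and `# server TLSv1.2 ECDHE-ECDSA-RC4`, whose `-l` line is `ECDH-ECDSA-RC4-SHA` (static ECDH, not ECDHE). The harness presumably pairs each server entry with the client entry that follows it, so a mislabelled header makes a failing pair harder to locate; `# server TLSv1.1 ECDH-ECDSA-RC4` and `# server TLSv1.2 ECDH-ECDSA-RC4` match the client labels that follow. Unlike the ECDH-ECDSA entries, the ECDH-RSA client entries carry no `-A`, so the client presumably validates server-ecc-rsa.pem against its default CA; a one-line comment saying so at the first ECDH-RSA entry would save the next reader a lookup.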
@@ -291,6 +291,17 @@ int SuiteTest(void)
 }
 #endif
+#ifdef HAVE_AESGCM
+ /* add ecc extra suites */
+ strcpy(argv0[1], "tests/test-aesgcm.conf");
+ printf("starting aesgcm extra cipher suite tests\n");
+ test_harness(&args);
+ if (args.return_code != 0) {
+ printf("error from script %d\n", args.return_code);
+ exit(EXIT_FAILURE);
+ }
+#endif
+
 printf(" End Cipher Suite Tests\n");
 return args.return_code;
diff --git a/tests/test-aesgcm.conf b/tests/test-aesgcm.conf
new file mode 100644
index 000000000..9efc5a578
--- /dev/null
+++ b/tests/test-aesgcm.conf
@@ -0,0 +1,16 @@
+# server TLSv1.2 RSA-AES128-GCM-SHA256
+-v 3
+-l AES128-GCM-SHA256
+
+# client TLSv1.2 RSA-AES128-GCM-SHA256
+-v 3
+-l AES128-GCM-SHA256
+
+# server TLSv1.2 RSA-AES256-GCM-SHA384
+-v 3
+-l AES256-GCM-SHA384
+
+# client TLSv1.2 RSA-AES256-GCM-SHA384
+-v 3
+-l AES256-GCM-SHA384
+
From 17a92e76d37bfd31d549fd66d7a54aebe9c106d7 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 8 Aug 2012 15:37:00 -0700 Subject: [PATCH 3/7] add aesgcm openssl, and fix requires to use our local enum for aesgcm --- src/internal.c | 22 +++++++++++----------- tests/include.am | 3 ++- tests/suites.c | 13 ++++++++++++- tests/test-aesgcm-openssl.conf | 16 ++++++++++++++++ 4 files changed, 41 insertions(+), 13 deletions(-) create mode 100644 tests/test-aesgcm-openssl.conf
diff --git a/src/internal.c b/src/internal.c
index b99309a17..ae5169e19 100644
--- a/src/internal.c
+++ b/src/internal.c
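Review bot: `strcpy(argv0[1], "tests/test-aesgcm.conf");` copies an unbounded path into `argv0[1]`, whose size is declared outside the hunk, and the two later blocks in this series (-302 for the openssl conf and -313 for the ecc conf in tests/suites.c) repeat the same unbounded copy; all three blocks are the same eight lines differing only in the path and the printed label. A small static helper taking the conf path and the label, doing a bounded copy (`snprintf(argv0[1], sizeof_of_that_slot, "%s", conf)` with the real bound), calling `test_harness(&args)` and handling the non-zero return once, would remove both the duplication and the size assumption. `exit(EXIT_FAILURE)` from inside SuiteTest also prevents the remaining suite files from running; returning the code to the caller would let one failing conf be reported without aborting the rest, if that is acceptable for this harness. SuiteTest's declarations are outside the hunk.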
@@ -5921,44 +5921,44 @@ int SetCipherList(Suites* s, const char* list) break; case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : - if (requirement == ecc_dsa_sa_algo) + if (requirement == REQUIRES_ECC_DSA) return 1; break; case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : - if (requirement == ecc_dsa_sa_algo) + if (requirement == REQUIRES_ECC_DSA) return 1; break; case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : - if (requirement == ecc_static_diffie_hellman_kea) + if (requirement == REQUIRES_ECC_STATIC) return 1; break; case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : - if (requirement == ecc_static_diffie_hellman_kea) + if (requirement == REQUIRES_ECC_STATIC) return 1; break; case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : - if (requirement == rsa_kea) + if (requirement == REQUIRES_RSA) return 1; break; case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == rsa_kea) + if (requirement == REQUIRES_RSA) return 1; break; case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : - if (requirement == ecc_static_diffie_hellman_kea) + if (requirement == REQUIRES_ECC_STATIC) return 1; if (requirement == REQUIRES_RSA_SIG) return 1; break; case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == ecc_static_diffie_hellman_kea) + if (requirement == REQUIRES_ECC_STATIC) return 1; if (requirement == REQUIRES_RSA_SIG) return 1; @@ -6082,15 +6082,15 @@ int SetCipherList(Suites* s, const char* list) case TLS_RSA_WITH_AES_128_GCM_SHA256 : case TLS_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == rsa_kea) + if (requirement == REQUIRES_RSA) return 1; break; case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : - if (requirement == rsa_kea) + if (requirement == REQUIRES_RSA) return 1; - if (requirement == diffie_hellman_kea) + if (requirement == REQUIRES_DHE) return 1; break; diff --git a/tests/include.am b/tests/include.am index 52813189a..6ce2bf6e5 100644 --- a/tests/include.am +++ b/tests/include.am 
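Review bot: The replaced comparisons (`ecc_dsa_sa_algo`, `ecc_static_diffie_hellman_kea`, `rsa_kea`, `diffie_hellman_kea`) came from a different enumeration than the `REQUIRES_*` values the function is called with, and the mismatch compiled silently because both are plain integer constants; the fix is right, but nothing prevents it from recurring. Giving the `REQUIRES_*` enumeration a tag and declaring `requirement` with that enum type would let `-Wenum-compare` flag the next mix-up, provided the enum is not purely local to the function (its definition is outside this hunk). The GCM ECDHE_RSA cases now answer `REQUIRES_RSA`; that is consistent only if the non-GCM ECDHE_RSA cases, which are outside the hunk, answer the same requirement, so worth a quick check. CipherRequires starts and ends outside the hunk.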
@@ -22,4 +22,5 @@ EXTRA_DIST += tests/test.conf \
 tests/test-psk.conf \
 tests/test-ntru.conf \
 tests/test-ecc.conf \
- tests/test-aesgcm.conf
+ tests/test-aesgcm.conf \
+ tests/test-aesgcm-openssl.conf
diff --git a/tests/suites.c b/tests/suites.c
index d42c82d2e..5a3c672c9 100644
--- a/tests/suites.c
+++ b/tests/suites.c
@@ -292,7 +292,7 @@ int SuiteTest(void)
 #endif
 #ifdef HAVE_AESGCM
- /* add ecc extra suites */
+ /* add aesgcm extra suites */
 strcpy(argv0[1], "tests/test-aesgcm.conf");
 printf("starting aesgcm extra cipher suite tests\n");
 test_harness(&args);
@@ -302,6 +302,17 @@ int SuiteTest(void)
 }
 #endif
+#if defined(HAVE_AESGCM) && defined(OPENSSL_EXTRA)
+ /* add aesgcm openssl extra suites */
+ strcpy(argv0[1], "tests/test-aesgcm-openssl.conf");
+ printf("starting aesgcm openssl extra cipher suite tests\n");
+ test_harness(&args);
+ if (args.return_code != 0) {
+ printf("error from script %d\n", args.return_code);
+ exit(EXIT_FAILURE);
+ }
+#endif
+
 printf(" End Cipher Suite Tests\n");
 return args.return_code;
diff --git a/tests/test-aesgcm-openssl.conf b/tests/test-aesgcm-openssl.conf
new file mode 100644
index 000000000..006e27216
--- /dev/null
+++ b/tests/test-aesgcm-openssl.conf
@@ -0,0 +1,16 @@
+# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256
+-v 3
+-l DHE-RSA-AES128-GCM-SHA256
+
+# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256
+-v 3
+-l DHE-RSA-AES128-GCM-SHA256
+
+# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
+-v 3
+-l DHE-RSA-AES256-GCM-SHA384
+
From 16ac91e6de00eb7829dc6f233a20f6deb0678f3e Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 8 Aug 2012 15:57:18 -0700 Subject: [PATCH 4/7] add aesgcm ecc cipher suite tests --- tests/include.am | 1 + tests/suites.c | 11 ++++++ tests/test-aesgcm-ecc.conf | 80 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 92 insertions(+) create mode 100644 tests/test-aesgcm-ecc.conf
diff --git a/tests/include.am b/tests/include.am
index 6ce2bf6e5..bb36546cc 100644
--- a/tests/include.am
+++ b/tests/include.am
@@ -23,4 +23,5 @@ EXTRA_DIST += tests/test.conf \
 tests/test-ntru.conf \
 tests/test-ecc.conf \
 tests/test-aesgcm.conf \
+ tests/test-aesgcm-ecc.conf \
 tests/test-aesgcm-openssl.conf
diff --git a/tests/suites.c b/tests/suites.c
index 5a3c672c9..0d3fb361c 100644
--- a/tests/suites.c
+++ b/tests/suites.c
@@ -313,6 +313,17 @@ int SuiteTest(void)
 }
 #endif
+#if defined(HAVE_AESGCM) && defined(HAVE_ECC)
+ /* add aesgcm ecc extra suites */
+ strcpy(argv0[1], "tests/test-aesgcm-ecc.conf");
+ printf("starting aesgcm ecc extra cipher suite tests\n");
+ test_harness(&args);
+ if (args.return_code != 0) {
+ printf("error from script %d\n", args.return_code);
+ exit(EXIT_FAILURE);
+ }
+#endif
+
 printf(" End Cipher Suite Tests\n");
 return args.return_code;
diff --git a/tests/test-aesgcm-ecc.conf b/tests/test-aesgcm-ecc.conf
new file mode 100644
index 000000000..7aff47f9a
--- /dev/null
+++ b/tests/test-aesgcm-ecc.conf
@@ -0,0 +1,80 @@
+# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-ECDSA-AES128-GCM-SHA256
+-A ./certs/server-ecc.pem
+
+# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-ECDSA-AES256-GCM-SHA384
+-A ./certs/server-ecc.pem
+
+# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
+-v 3
+-l ECDH-ECDSA-AES128-GCM-SHA256
+-A ./certs/server-ecc.pem
+
+# server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDH-ECDSA-AES256-GCM-SHA384
+-c ./certs/server-ecc.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
+-v 3
+-l ECDH-ECDSA-AES256-GCM-SHA384
+-A ./certs/server-ecc.pem
+
+# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+
+# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDHE-RSA-AES256-GCM-SHA384
+
+# server TLSv1.2 ECDH-RSA-AES128-GCM-SHA256
+-v 3
+-l ECDH-RSA-AES128-GCM-SHA256
+-c ./certs/server-ecc-rsa.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDH-RSA-AES128-GCM-SHA256
+-v 3
+-l ECDH-RSA-AES128-GCM-SHA256
+
+# server TLSv1.2 ECDH-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDH-RSA-AES256-GCM-SHA384
+-c ./certs/server-ecc-rsa.pem
+-k ./certs/ecc-key.pem
+
+# client TLSv1.2 ECDH-RSA-AES256-GCM-SHA384
+-v 3
+-l ECDH-RSA-AES256-GCM-SHA384
+
From 18c36794440c219ddcf4f9bc6f4dd7188a95234d Mon Sep 17 00:00:00 2001
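Review bot: The file has no header comment, and its entries are not self-explaining: the ECDH-ECDSA clients pass `-A ./certs/server-ecc.pem`, while the ECDH-RSA clients pass no `-A` even though their server is started with `-c ./certs/server-ecc-rsa.pem`, so those cases rely on the client's default CA set already trusting whoever signed that certificate. A top-of-file comment along the lines of `# TLSv1.2-only (-v 3) AES-GCM suites over ECC; the ECDH-RSA servers use certs/server-ecc-rsa.pem (ECC key, RSA-signed by the default test CA, hence no -A on the client)` would record that dependency. Every entry is a positive case; one deliberately mismatched pair, such as an ECDH-RSA server handed server-ecc.pem, that is expected to fail would also cover the certificate-signature check these static suites depend on, if the harness supports expected failures.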
From: toddouska
Date: Wed, 8 Aug 2012 16:56:19 -0700
Subject: [PATCH 5/7] fix DLTS cookieSz init problem
---
 cyassl/error.h | 5 +++--
 src/internal.c | 7 ++++++-
 tests/api.c | 2 --
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/cyassl/error.h b/cyassl/error.h
index c3b79d0ce..ed96361ec 100644
--- a/cyassl/error.h
+++ b/cyassl/error.h
@@ -101,11 +101,12 @@ enum CyaSSL_ErrorCodes {
 OCSP_CERT_UNKNOWN = -266, /* OCSP responder doesn't know */
 OCSP_LOOKUP_FAIL = -267, /* OCSP lookup not successful */
 MAX_CHAIN_ERROR = -268, /* max chain depth exceeded */
+ COOKIE_ERROR = -269, /* dtls cookie error */
 /* add strings to SetErrorString !!!!! */
 /* begin negotiation parameter errors */
- UNSUPPORTED_SUITE = -270, /* unsupported cipher suite */
- MATCH_SUITE_ERROR = -271 /* can't match cipher suite */
+ UNSUPPORTED_SUITE = -290, /* unsupported cipher suite */
+ MATCH_SUITE_ERROR = -291 /* can't match cipher suite */
 /* end negotiation parameter errors only 10 for now */
 /* add strings to SetErrorString !!!!! */
 };
diff --git a/src/internal.c b/src/internal.c
index ae5169e19..ff73e0bfd 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -919,6 +919,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
 ssl->keys.dtls_handshake_number = 0;
 ssl->keys.dtls_epoch = 0;
 ssl->keys.dtls_peer_epoch = 0;
+ ssl->arrays.cookieSz = 0;
 #endif
 ssl->keys.encryptionOn = 0; /* initially off */
 ssl->options.sessionCacheOff = ctx->sessionCacheOff;
@@ -3769,6 +3770,10 @@ void SetErrorString(int error, char* str)
 XSTRNCPY(str, "Maximum Chain Depth Exceeded", max);
 break;
+ case COOKIE_ERROR:
+ XSTRNCPY(str, "DTLS Cookie Error", max);
+ break;
+
 default :
 XSTRNCPY(str, "unknown error number", max);
 }
@@ -6453,7 +6458,7 @@ int SetCipherList(Suites* s, const char* list)
 return INCOMPLETE_DATA;
 cookieSz = EmbedGenerateCookie(cookie, COOKIE_SZ, ssl);
 if ((b != cookieSz) || XMEMCMP(cookie, input + i, b) != 0)
- return PARSE_ERROR;
+ return COOKIE_ERROR;
 i += b;
 }
 }
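Review bot: Renumbering `UNSUPPORTED_SUITE` from -270 to -290 and `MATCH_SUITE_ERROR` from -271 to -291 changes the value of two public codes in cyassl/error.h, which breaks anything that compares against the old numbers, and nothing in the patch says why the gap -270..-289 is opened. If the intent is to reserve room for general errors ahead of the negotiation range, record it in the comment, e.g. `/* -270..-289 reserved for general errors; negotiation parameter errors start at -290 */`, and check any range test built on the old -270 boundary, since a `<= UNSUPPORTED_SUITE` style check now admits twenty more values. Only COOKIE_ERROR itself needed a new slot, so the renumbering could also be split into its own commit with a changelog entry.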
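Review bot: The result of `EmbedGenerateCookie` on the line above the changed return is still not checked before it is used: the comment on that function in src/io.c later in this page says it returns either a byte count or an error, and a negative `cookieSz` compared with the byte `b` just falls into `COOKIE_ERROR`, hiding the real failure. Add `if (cookieSz < 0) return cookieSz;` between the call and the `if`. `XMEMCMP` is a variable-time compare; for a stateless anti-spoofing cookie that is acceptable, but a one-line comment saying so would save the next reviewer the question. The enclosing function starts and ends outside the hunk; the `@@` label names SetCipherList, the nearest preceding definition, not the function this code is in.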
diff --git a/tests/api.c b/tests/api.c
index ef898cd08..102dc09a5 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -602,9 +602,7 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args)
 }
 ssl = CyaSSL_new(ctx);
 tcp_accept(&sockfd, &clientfd, (func_args*)args, yasslPort, 0, 0);
-#ifndef CYASSL_DTLS
 CloseSocket(sockfd);
-#endif
 CyaSSL_set_fd(ssl, clientfd);
From 73349ec0d3347520e19f4cd75c5a9961ddb294a0 Mon Sep 17 00:00:00 2001
From: toddouska
Date: Wed, 8 Aug 2012 17:09:09 -0700
Subject: [PATCH 6/7] add DTLS basic cipher suite tests
---
 tests/include.am | 3 ++-
 tests/suites.c | 11 ++++++
 tests/test-dtls.conf | 64 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 tests/test-dtls.conf
diff --git a/tests/include.am b/tests/include.am
index bb36546cc..d62e3f98a 100644
--- a/tests/include.am
+++ b/tests/include.am
@@ -24,4 +24,5 @@ EXTRA_DIST += tests/test.conf \
 tests/test-ecc.conf \
 tests/test-aesgcm.conf \
 tests/test-aesgcm-ecc.conf \
- tests/test-aesgcm-openssl.conf
+ tests/test-aesgcm-openssl.conf \
+ tests/test-dtls.conf
diff --git a/tests/suites.c b/tests/suites.c
index 0d3fb361c..6e59ed8af 100644
--- a/tests/suites.c
+++ b/tests/suites.c
@@ -324,6 +324,17 @@ int SuiteTest(void)
 }
 #endif
+#ifdef CYASSL_DTLS
+ /* add dtls extra suites */
+ strcpy(argv0[1], "tests/test-dtls.conf");
+ printf("starting dtls extra cipher suite tests\n");
+ test_harness(&args);
+ if (args.return_code != 0) {
+ printf("error from script %d\n", args.return_code);
+ exit(EXIT_FAILURE);
+ }
+#endif
+
 printf(" End Cipher Suite Tests\n");
 return args.return_code;
diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf
new file mode 100644
index 000000000..7cffa9660
--- /dev/null
+++ b/tests/test-dtls.conf
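Review bot: Dropping the `#ifndef CYASSL_DTLS` guard makes test_server_nofail close `sockfd` under DTLS as well, and a UDP server has no accepted socket distinct from the listening one; if `tcp_accept` hands back `sockfd` itself as `clientfd` in the DTLS build (its body is not in the hunk, so this is unverified), the next line then calls `CyaSSL_set_fd(ssl, clientfd)` on a closed descriptor. Either keep the guard or make the close conditional on the two descriptors differing: `if (clientfd != sockfd) CloseSocket(sockfd);`. The commit message does not mention this file, so a one-line note on why the guard was safe to remove would help. The enclosing function starts and ends outside the hunk.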
@@ -0,0 +1,64 @@
+# server DTLSv1 RC4-SHA
+-u
+-l RC4-SHA
+
+# client DTLSv1 RC4-SHA
+-u
+-l RC4-SHA
+
+# server DTLSv1 RC4-MD5
+-u
+-l RC4-MD5
+
+# client DTLSv1 RC4-MD5
+-u
+-l RC4-MD5
+
+# server DTLSv1 DES-CBC3-SHA
+-u
+-l DES-CBC3-SHA
+
+# client DTLSv1 DES-CBC3-SHA
+-u
+-l DES-CBC3-SHA
+
+# server DTLSv1 AES128-SHA
+-u
+-l AES128-SHA
+
+# client DTLSv1 AES128-SHA
+-u
+-l AES128-SHA
+
+# server DTLSv1 AES256-SHA
+-u
+-l AES256-SHA
+
+# client DTLSv1 AES256-SHA
+-u
+-l AES256-SHA
+
+# server DTLSv1 AES128-SHA256
+-u
+-l AES128-SHA256
+
+# client DTLSv1 AES128-SHA256
+-u
+-l AES128-SHA256
+
+# server DTLSv1 AES256-SHA256
+-u
+-l AES256-SHA256
+
+# client DTLSv1 AES256-SHA256
+-u
+-l AES256-SHA256
+
+# server DTLSv1 RABBIT-SHA
+-u
+-l RABBIT-SHA
+
+# client DTLSv1 RABBIT-SHA
+-u
+-l RABBIT-SHA
+
From 80326fa1fa7aa5298b1a4e38e2022238793167fd Mon Sep 17 00:00:00 2001
From: toddouska
Date: Wed, 8 Aug 2012 17:21:03 -0700
Subject: [PATCH 7/7] pub EmbedGenerateCookie around dtls for now
---
 src/io.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/io.c b/src/io.c
index cf38c8a66..9316defb5 100644
--- a/src/io.c
+++ b/src/io.c
@@ -29,7 +29,6 @@
 #endif
 #include
-#include
 /* if user writes own I/O callbacks they can define CYASSL_USER_IO to remove automatic setting of default I/O functions EmbedSend() and EmbedReceive()
@@ -201,6 +200,10 @@ int EmbedSend(char *buf, int sz, void *ctx)
 }
+#ifdef CYASSL_DTLS
+
+#include
+
 /* The DTLS Generate Cookie callback
 * return : number of bytes copied into buf, or error
 */
@@ -240,6 +243,8 @@ int EmbedGenerateCookie(byte *buf, int sz, void *ctx)
 return SHA_DIGEST_SIZE;
 }
+#endif /* CYASSL_DTLS */
+
 #endif /* CYASSL_USER_IO */
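Review bot: Six of the sixteen entries run stream ciphers under DTLS (`-u` with `-l RC4-SHA`, `-l RC4-MD5` and `-l RABBIT-SHA`), but DTLS cannot use stream ciphers, because records may be lost or reordered and a stream keystream cannot be resynchronised per record; RFC 6347 §4.1.2.2, like RFC 4347 before it, says RC4 MUST NOT be used with DTLS. If these cases pass, the library is negotiating non-compliant suites over UDP, so they should either be removed from this file or turned into negative tests that expect the handshake to fail. A header comment such as `# DTLSv1 (-u) block-cipher suites only; stream ciphers (RC4, RABBIT) are not valid for DTLS` would keep them from being re-added.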
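Review bot: `EmbedGenerateCookie` is now compiled only when `CYASSL_DTLS` is defined, but it still sits inside the enclosing `#ifndef CYASSL_USER_IO` (the `#endif /* CYASSL_USER_IO */` that closes it is the last line of the hunk), while the cookie check in src/internal.c earlier on this page calls `EmbedGenerateCookie` directly rather than through a callback. A DTLS build with user I/O callbacks therefore has no definition of that symbol and should fail to link; either move the new `#ifdef CYASSL_DTLS` block outside the `CYASSL_USER_IO` guard, or have internal.c reach it through a registered callback. The subject says "for now", so at least a `/* TODO: internal.c calls this directly; must not depend on CYASSL_USER_IO */` next to the new `#ifdef CYASSL_DTLS` would record the gap. The moved `#include` line lost its header name in this rendering, so which header was relocated cannot be confirmed here.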