Merge branch 'master' of github.com:cyassl/cyassl

This commit is contained in:
John Safranek 2012-08-09 11:02:27 -07:00
commit 93c89ccc35
15 changed files with 626 additions and 67 deletions

View File

@ -16,6 +16,7 @@ EXTRA_DIST += \
certs/dh2048.pem \
certs/server-cert.pem \
certs/server-ecc.pem \
certs/server-ecc-rsa.pem \
certs/server-keyEnc.pem \
certs/server-key.pem \
certs/server-keyPkcs8Enc12.pem \

54
certs/server-ecc-rsa.pem Normal file
View File

@ -0,0 +1,54 @@
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 9 (0x9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.yassl.com/emailAddress=info@yassl.com
Validity
Not Before: Aug 8 21:58:29 2012 GMT
Not After : May 5 21:58:29 2015 GMT
Subject: C=US, ST=Washington, L=Seattle, O=Elliptic - RSAsig, OU=ECC-RSAsig, CN=www.yassl.com/emailAddress=info@yassl.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
04:bb:33:ac:4c:27:50:4a:c6:4a:a5:04:c3:3c:de:
9f:36:db:72:2d:ce:94:ea:2b:fa:cb:20:09:39:2c:
16:e8:61:02:e9:af:4d:d3:02:93:9a:31:5b:97:92:
21:7f:f0:cf:18:da:91:11:02:34:86:e8:20:58:33:
0b:80:34:89:d8
ASN1 OID: prime256v1
Signature Algorithm: sha1WithRSAEncryption
a0:1c:de:98:e8:61:c8:fb:0a:0e:af:ea:99:4b:c0:49:e6:66:
68:5e:7a:18:b8:0c:e3:0f:16:86:bc:b5:86:79:02:69:1c:b7:
e7:ff:53:d9:05:5d:27:39:24:54:67:14:de:ef:8e:c2:a0:11:
ca:c8:27:99:b9:d6:e9:71:1f:86:c9:8f:b1:74:a2:9f:93:6a:
0c:74:cf:17:77:8c:26:08:6e:a8:ac:69:d4:55:15:a2:95:87:
43:7a:ab:72:93:73:40:58:c2:bb:9c:89:f2:73:20:69:df:f1:
f3:65:08:9c:00:67:97:a6:71:00:2b:31:84:10:ac:bd:54:ac:
fd:b3:eb:12:36:77:f6:0a:e3:9a:96:d2:a6:22:bc:1d:6b:ce:
3c:0d:7b:d9:1c:1d:f1:ee:ec:ce:83:c8:98:c9:65:3e:06:31:
c3:b2:87:da:09:b4:90:0b:e2:6b:29:0e:d6:ae:53:1d:10:98:
e2:dc:f9:63:38:a1:a2:af:46:23:a4:4c:ab:0c:0b:08:be:cd:
a4:a6:6d:46:f0:f8:e0:31:99:85:39:10:4a:a0:04:54:3b:21:
e1:e9:b4:f3:a5:06:cd:37:ae:2c:ca:5d:ac:90:b5:ab:92:81:
aa:bf:2d:3f:8e:ee:4d:12:81:0a:8e:a4:ca:87:93:af:b0:25:
7e:e2:07:f7
-----BEGIN CERTIFICATE-----
MIIC1zCCAb8CAQkwDQYJKoZIhvcNAQEFBQAwgZAxCzAJBgNVBAYTAlVTMRAwDgYD
VQQIEwdNb250YW5hMRAwDgYDVQQHEwdCb3plbWFuMREwDwYDVQQKEwhTYXd0b290
aDETMBEGA1UECxMKQ29uc3VsdGluZzEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEd
MBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb20wHhcNMTIwODA4MjE1ODI5WhcN
MTUwNTA1MjE1ODI5WjCBnDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
b24xEDAOBgNVBAcTB1NlYXR0bGUxGjAYBgNVBAoTEUVsbGlwdGljIC0gUlNBc2ln
MRMwEQYDVQQLEwpFQ0MtUlNBc2lnMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0w
GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABLszrEwnUErGSqUEwzzenzbbci3OlOor+ssgCTksFuhhAumvTdMCk5ox
W5eSIX/wzxjakRECNIboIFgzC4A0idgwDQYJKoZIhvcNAQEFBQADggEBAKAc3pjo
Ycj7Cg6v6plLwEnmZmheehi4DOMPFoa8tYZ5Amkct+f/U9kFXSc5JFRnFN7vjsKg
EcrIJ5m51ulxH4bJj7F0op+Tagx0zxd3jCYIbqisadRVFaKVh0N6q3KTc0BYwruc
ifJzIGnf8fNlCJwAZ5emcQArMYQQrL1UrP2z6xI2d/YK45qW0qYivB1rzjwNe9kc
HfHu7M6DyJjJZT4GMcOyh9oJtJAL4mspDtauUx0QmOLc+WM4oaKvRiOkTKsMCwi+
zaSmbUbw+OAxmYU5EEqgBFQ7IeHptPOlBs03rizKXayQtauSgaq/LT+O7k0SgQqO
pMqHk6+wJX7iB/c=
-----END CERTIFICATE-----

View File

@ -101,11 +101,12 @@ enum CyaSSL_ErrorCodes {
OCSP_CERT_UNKNOWN = -266, /* OCSP responder doesn't know */
OCSP_LOOKUP_FAIL = -267, /* OCSP lookup not successful */
MAX_CHAIN_ERROR = -268, /* max chain depth exceeded */
COOKIE_ERROR = -269, /* dtls cookie error */
/* add strings to SetErrorString !!!!! */
/* begin negotiation parameter errors */
UNSUPPORTED_SUITE = -270, /* unsupported cipher suite */
MATCH_SUITE_ERROR = -271 /* can't match cipher suite */
UNSUPPORTED_SUITE = -290, /* unsupported cipher suite */
MATCH_SUITE_ERROR = -291 /* can't match cipher suite */
/* end negotiation parameter errors only 10 for now */
/* add strings to SetErrorString !!!!! */
};

View File

@ -784,7 +784,7 @@ struct CYASSL_CTX {
byte sendVerify; /* for client side */
byte haveDH; /* server DH parms set by user */
byte haveNTRU; /* server private NTRU key loaded */
byte haveECDSA; /* server cert signed w/ ECDSA loaded */
byte haveECDSAsig; /* server cert signed w/ ECDSA */
byte haveStaticECC; /* static server ECC private key */
byte partialWrite; /* only one msg per write call */
byte quietShutdown; /* don't send close notify */
@ -1104,7 +1104,7 @@ typedef struct Options {
byte usingCompression; /* are we using compression */
byte haveDH; /* server DH parms set by user */
byte haveNTRU; /* server NTRU private key loaded */
byte haveECDSA; /* server ECDSA signed cert */
byte haveECDSAsig; /* server ECDSA signed cert */
byte haveStaticECC; /* static server ECC private key */
byte havePeerCert; /* do we have peer's cert */
byte usingPSK_cipher; /* whether we're using psk as cipher */

View File

@ -321,7 +321,7 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method)
ctx->serverDH_G.buffer = 0;
ctx->haveDH = 0;
ctx->haveNTRU = 0; /* start off */
ctx->haveECDSA = 0; /* start off */
ctx->haveECDSAsig = 0; /* start off */
ctx->haveStaticECC = 0; /* start off */
ctx->heap = ctx; /* defaults to self */
#ifndef NO_PSK
@ -360,14 +360,14 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method)
#endif
#ifdef HAVE_ECC
if (method->side == CLIENT_END) {
ctx->haveECDSA = 1; /* always on cliet side */
ctx->haveECDSAsig = 1; /* always on cliet side */
ctx->haveStaticECC = 1; /* server can turn on by loading key */
}
#endif
ctx->suites.setSuites = 0; /* user hasn't set yet */
/* remove DH later if server didn't set, add psk later */
InitSuites(&ctx->suites, method->version, TRUE, FALSE, ctx->haveNTRU,
ctx->haveECDSA, ctx->haveStaticECC, method->side);
ctx->haveECDSAsig, ctx->haveStaticECC, method->side);
ctx->verifyPeer = 0;
ctx->verifyNone = 0;
ctx->failNoCert = 0;
@ -436,12 +436,13 @@ void FreeSSL_Ctx(CYASSL_CTX* ctx)
void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
byte haveNTRU, byte haveStaticECC, byte haveECDSA, int side)
byte haveNTRU, byte haveECDSAsig, byte haveStaticECC, int side)
{
word16 idx = 0;
int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
int tls1_2 = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_2_MINOR;
int haveRSA = 1;
int haveRSAsig = 1;
(void)tls; /* shut up compiler */
(void)haveDH;
@ -452,8 +453,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
if (suites->setSuites)
return; /* trust user settings, don't override */
if (side == SERVER_END && haveECDSA)
haveRSA = 0; /* can't do RSA with ECDSA cert */
if (side == SERVER_END && haveStaticECC)
haveRSA = 0; /* can't do RSA with ECDSA key */
if (side == SERVER_END && haveECDSAsig)
haveRSAsig = 0; /* can't have RSA sig if signed by ECDSA */
#ifdef CYASSL_DTLS
if (pv.major == DTLS_MAJOR && pv.minor == DTLS_MINOR)
@ -489,84 +493,84 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
#endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
if (tls1_2 && haveECDSA) {
if (tls1_2 && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
}
#endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
if (tls && haveECDSA) {
if (tls && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
if (tls1_2 && haveECDSA && haveStaticECC) {
if (tls1_2 && haveECDSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384;
}
#endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
if (tls && haveECDSA && haveStaticECC) {
if (tls && haveECDSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
if (tls1_2 && haveECDSA) {
if (tls1_2 && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
}
#endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
if (tls && haveECDSA) {
if (tls && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
if (tls1_2 && haveECDSA && haveStaticECC) {
if (tls1_2 && haveECDSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256;
}
#endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
if (tls && haveECDSA && haveStaticECC) {
if (tls && haveECDSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
if (tls && haveECDSA) {
if (tls && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA;
}
#endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
if (tls && haveECDSA && haveStaticECC) {
if (tls && haveECDSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA;
}
#endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
if (tls && haveECDSA) {
if (tls && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
if (tls && haveECDSA && haveStaticECC) {
if (tls && haveECDSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA;
}
@ -587,14 +591,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
#endif
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
if (tls1_2 && haveRSA && haveStaticECC) {
if (tls1_2 && haveRSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384;
}
#endif
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
if (tls && haveRSA && haveStaticECC) {
if (tls && haveRSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA;
}
@ -615,14 +619,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
#endif
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
if (tls1_2 && haveRSA && haveStaticECC) {
if (tls1_2 && haveRSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256;
}
#endif
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
if (tls && haveRSA && haveStaticECC) {
if (tls && haveRSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA;
}
@ -636,7 +640,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
#endif
#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
if (tls && haveRSA && haveStaticECC) {
if (tls && haveRSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA;
}
@ -650,7 +654,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK,
#endif
#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
if (tls && haveRSA && haveStaticECC) {
if (tls && haveRSAsig && haveStaticECC) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA;
}
@ -890,7 +894,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
else
ssl->options.haveDH = 0;
ssl->options.haveNTRU = ctx->haveNTRU;
ssl->options.haveECDSA = ctx->haveECDSA;
ssl->options.haveECDSAsig = ctx->haveECDSAsig;
ssl->options.haveStaticECC = ctx->haveStaticECC;
ssl->options.havePeerCert = 0;
ssl->options.usingPSK_cipher = 0;
@ -915,6 +919,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
ssl->keys.dtls_handshake_number = 0;
ssl->keys.dtls_epoch = 0;
ssl->keys.dtls_peer_epoch = 0;
ssl->arrays.cookieSz = 0;
#endif
ssl->keys.encryptionOn = 0; /* initially off */
ssl->options.sessionCacheOff = ctx->sessionCacheOff;
@ -1004,11 +1009,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
/* make sure server has DH parms, and add PSK if there, add NTRU too */
if (ssl->options.side == SERVER_END)
InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
else
InitSuites(&ssl->suites, ssl->version, TRUE, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
return 0;
@ -3832,6 +3837,10 @@ void SetErrorString(int error, char* str)
XSTRNCPY(str, "Maximum Chain Depth Exceeded", max);
break;
case COOKIE_ERROR:
XSTRNCPY(str, "DTLS Cookie Error", max);
break;
default :
XSTRNCPY(str, "unknown error number", max);
}
@ -5879,7 +5888,8 @@ int SetCipherList(Suites* s, const char* list)
REQUIRES_ECC_DSA,
REQUIRES_ECC_STATIC,
REQUIRES_PSK,
REQUIRES_NTRU
REQUIRES_NTRU,
REQUIRES_RSA_SIG
};
@ -5902,6 +5912,8 @@ int SetCipherList(Suites* s, const char* list)
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA :
if (requirement == REQUIRES_ECC_STATIC)
return 1;
if (requirement == REQUIRES_RSA_SIG)
return 1;
break;
case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA :
@ -5912,6 +5924,8 @@ int SetCipherList(Suites* s, const char* list)
case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == REQUIRES_ECC_STATIC)
return 1;
if (requirement == REQUIRES_RSA_SIG)
return 1;
break;
case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
@ -5922,6 +5936,8 @@ int SetCipherList(Suites* s, const char* list)
case TLS_ECDH_RSA_WITH_RC4_128_SHA :
if (requirement == REQUIRES_ECC_STATIC)
return 1;
if (requirement == REQUIRES_RSA_SIG)
return 1;
break;
case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA :
@ -5952,6 +5968,8 @@ int SetCipherList(Suites* s, const char* list)
case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA :
if (requirement == REQUIRES_ECC_STATIC)
return 1;
if (requirement == REQUIRES_RSA_SIG)
return 1;
break;
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA :
@ -5975,42 +5993,46 @@ int SetCipherList(Suites* s, const char* list)
break;
case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 :
if (requirement == ecc_dsa_sa_algo)
if (requirement == REQUIRES_ECC_DSA)
return 1;
break;
case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 :
if (requirement == ecc_dsa_sa_algo)
if (requirement == REQUIRES_ECC_DSA)
return 1;
break;
case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 :
if (requirement == ecc_static_diffie_hellman_kea)
if (requirement == REQUIRES_ECC_STATIC)
return 1;
break;
case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 :
if (requirement == ecc_static_diffie_hellman_kea)
if (requirement == REQUIRES_ECC_STATIC)
return 1;
break;
case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 :
if (requirement == rsa_kea)
if (requirement == REQUIRES_RSA)
return 1;
break;
case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 :
if (requirement == rsa_kea)
if (requirement == REQUIRES_RSA)
return 1;
break;
case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 :
if (requirement == ecc_static_diffie_hellman_kea)
if (requirement == REQUIRES_ECC_STATIC)
return 1;
if (requirement == REQUIRES_RSA_SIG)
return 1;
break;
case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 :
if (requirement == ecc_static_diffie_hellman_kea)
if (requirement == REQUIRES_ECC_STATIC)
return 1;
if (requirement == REQUIRES_RSA_SIG)
return 1;
break;
@ -6132,15 +6154,15 @@ int SetCipherList(Suites* s, const char* list)
case TLS_RSA_WITH_AES_128_GCM_SHA256 :
case TLS_RSA_WITH_AES_256_GCM_SHA384 :
if (requirement == rsa_kea)
if (requirement == REQUIRES_RSA)
return 1;
break;
case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 :
case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 :
if (requirement == rsa_kea)
if (requirement == REQUIRES_RSA)
return 1;
if (requirement == diffie_hellman_kea)
if (requirement == REQUIRES_DHE)
return 1;
break;
@ -6160,7 +6182,7 @@ int SetCipherList(Suites* s, const char* list)
/* Make sure cert/key are valid for this suite, true on success */
static int VerifySuite(CYASSL* ssl, word16 idx)
{
int haveRSA = !ssl->options.haveECDSA;
int haveRSA = !ssl->options.haveStaticECC;
int havePSK = 0;
byte first = ssl->suites.suites[idx];
byte second = ssl->suites.suites[idx+1];
@ -6180,7 +6202,6 @@ int SetCipherList(Suites* s, const char* list)
CYASSL_MSG("Don't have RSA");
return 0;
}
return 1;
}
if (CipherRequires(first, second, REQUIRES_DHE)) {
@ -6189,16 +6210,14 @@ int SetCipherList(Suites* s, const char* list)
CYASSL_MSG("Don't have DHE");
return 0;
}
return 1;
}
if (CipherRequires(first, second, REQUIRES_ECC_DSA)) {
CYASSL_MSG("Requires ECCDSA");
if (ssl->options.haveECDSA == 0) {
if (ssl->options.haveECDSAsig == 0) {
CYASSL_MSG("Don't have ECCDSA");
return 0;
}
return 1;
}
if (CipherRequires(first, second, REQUIRES_ECC_STATIC)) {
@ -6207,7 +6226,6 @@ int SetCipherList(Suites* s, const char* list)
CYASSL_MSG("Don't have static ECC");
return 0;
}
return 1;
}
if (CipherRequires(first, second, REQUIRES_PSK)) {
@ -6216,7 +6234,6 @@ int SetCipherList(Suites* s, const char* list)
CYASSL_MSG("Don't have PSK");
return 0;
}
return 1;
}
if (CipherRequires(first, second, REQUIRES_NTRU)) {
@ -6225,7 +6242,14 @@ int SetCipherList(Suites* s, const char* list)
CYASSL_MSG("Don't have NTRU");
return 0;
}
return 1;
}
if (CipherRequires(first, second, REQUIRES_RSA_SIG)) {
CYASSL_MSG("Requires RSA Signature");
if (ssl->options.side == SERVER_END && ssl->options.haveECDSAsig == 1) {
CYASSL_MSG("Don't have RSA Signature");
return 0;
}
}
/* ECCDHE is always supported if ECC on */
@ -6329,7 +6353,7 @@ int SetCipherList(Suites* s, const char* list)
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
}
@ -6460,7 +6484,7 @@ int SetCipherList(Suites* s, const char* list)
havePSK = ssl->options.havePSK;
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
}
/* random */
@ -6501,7 +6525,7 @@ int SetCipherList(Suites* s, const char* list)
return INCOMPLETE_DATA;
cookieSz = EmbedGenerateCookie(cookie, COOKIE_SZ, ssl);
if ((b != cookieSz) || XMEMCMP(cookie, input + i, b) != 0)
return PARSE_ERROR;
return COOKIE_ERROR;
i += b;
}
}

View File

@ -29,7 +29,6 @@
#endif
#include <cyassl/internal.h>
#include <cyassl/ctaocrypt/sha.h>
/* if user writes own I/O callbacks they can define CYASSL_USER_IO to remove
automatic setting of default I/O functions EmbedSend() and EmbedReceive()
@ -201,6 +200,10 @@ int EmbedSend(char *buf, int sz, void *ctx)
}
#ifdef CYASSL_DTLS
#include <cyassl/ctaocrypt/sha.h>
/* The DTLS Generate Cookie callback
* return : number of bytes copied into buf, or error
*/
@ -240,6 +243,8 @@ int EmbedGenerateCookie(byte *buf, int sz, void *ctx)
return SHA_DIGEST_SIZE;
}
#endif /* CYASSL_DTLS */
#endif /* CYASSL_USER_IO */

View File

@ -245,7 +245,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
havePSK = ssl->options.havePSK;
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH,
havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA,
havePSK, ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
CYASSL_LEAVE("CyaSSL_SetTmpDH", 0);
@ -529,7 +529,7 @@ int CyaSSL_SetVersion(CYASSL* ssl, int version)
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
return SSL_SUCCESS;
@ -1148,9 +1148,9 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
case CTC_SHA384wECDSA:
case CTC_SHA512wECDSA:
CYASSL_MSG("ECDSA cert signature");
ctx->haveECDSA = 1;
ctx->haveECDSAsig = 1;
if (ssl)
ssl->options.haveECDSA = 1;
ssl->options.haveECDSAsig = 1;
break;
default:
CYASSL_MSG("Not ECDSA cert signature");
@ -2135,7 +2135,7 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list)
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
return SSL_SUCCESS;
@ -3159,7 +3159,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
ssl->options.client_psk_cb = cb;
InitSuites(&ssl->suites, ssl->version,TRUE,TRUE, ssl->options.haveNTRU,
ssl->options.haveECDSA, ssl->options.haveStaticECC,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
}
@ -3180,7 +3180,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
ssl->options.server_psk_cb = cb;
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE,
ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
}
@ -3405,7 +3405,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
havePSK = ssl->options.havePSK;
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
}

View File

@ -602,9 +602,7 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args)
}
ssl = CyaSSL_new(ctx);
tcp_accept(&sockfd, &clientfd, (func_args*)args, yasslPort, 0, 0);
#ifndef CYASSL_DTLS
CloseSocket(sockfd);
#endif
CyaSSL_set_fd(ssl, clientfd);

View File

@ -21,4 +21,8 @@ EXTRA_DIST += tests/test.conf \
tests/test-hc128.conf \
tests/test-psk.conf \
tests/test-ntru.conf \
tests/test-ecc.conf
tests/test-ecc.conf \
tests/test-aesgcm.conf \
tests/test-aesgcm-ecc.conf \
tests/test-aesgcm-openssl.conf \
tests/test-dtls.conf

View File

@ -291,6 +291,50 @@ int SuiteTest(void)
}
#endif
#ifdef HAVE_AESGCM
/* add aesgcm extra suites */
strcpy(argv0[1], "tests/test-aesgcm.conf");
printf("starting aesgcm extra cipher suite tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#endif
#if defined(HAVE_AESGCM) && defined(OPENSSL_EXTRA)
/* add aesgcm openssl extra suites */
strcpy(argv0[1], "tests/test-aesgcm-openssl.conf");
printf("starting aesgcm openssl extra cipher suite tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#endif
#if defined(HAVE_AESGCM) && defined(HAVE_ECC)
/* add aesgcm ecc extra suites */
strcpy(argv0[1], "tests/test-aesgcm-ecc.conf");
printf("starting aesgcm ecc extra cipher suite tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#endif
#ifdef CYASSL_DTLS
/* add dtls extra suites */
strcpy(argv0[1], "tests/test-dtls.conf");
printf("starting dtls extra cipher suite tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#endif
printf(" End Cipher Suite Tests\n");
return args.return_code;

View File

@ -0,0 +1,80 @@
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/server-ecc.pem
# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/server-ecc.pem
# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDH-ECDSA-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDH-ECDSA-AES128-GCM-SHA256
-A ./certs/server-ecc.pem
# server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDH-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDH-ECDSA-AES256-GCM-SHA384
-A ./certs/server-ecc.pem
# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
# server TLSv1.2 ECDH-RSA-AES128-GCM-SHA256
-v 3
-l ECDH-RSA-AES128-GCM-SHA256
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-RSA-AES128-GCM-SHA256
-v 3
-l ECDH-RSA-AES128-GCM-SHA256
# server TLSv1.2 ECDH-RSA-AES256-GCM-SHA384
-v 3
-l ECDH-RSA-AES256-GCM-SHA384
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-RSA-AES256-GCM-SHA384
-v 3
-l ECDH-RSA-AES256-GCM-SHA384

View File

@ -0,0 +1,16 @@
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256
-v 3
-l DHE-RSA-AES128-GCM-SHA256
# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256
-v 3
-l DHE-RSA-AES128-GCM-SHA256
# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384

16
tests/test-aesgcm.conf Normal file
View File

@ -0,0 +1,16 @@
# server TLSv1.2 RSA-AES128-GCM-SHA256
-v 3
-l AES128-GCM-SHA256
# client TLSv1.2 RSA-AES128-GCM-SHA256
-v 3
-l AES128-GCM-SHA256
# server TLSv1.2 RSA-AES256-GCM-SHA384
-v 3
-l AES256-GCM-SHA384
# client TLSv1.2 RSA-AES256-GCM-SHA384
-v 3
-l AES256-GCM-SHA384

64
tests/test-dtls.conf Normal file
View File

@ -0,0 +1,64 @@
# server DTLSv1 RC4-SHA
-u
-l RC4-SHA
# client DTLSv1 RC4-SHA
-u
-l RC4-SHA
# server DTLSv1 RC4-MD5
-u
-l RC4-MD5
# client DTLSv1 RC4-MD5
-u
-l RC4-MD5
# server DTLSv1 DES-CBC3-SHA
-u
-l DES-CBC3-SHA
# client DTLSv1 DES-CBC3-SHA
-u
-l DES-CBC3-SHA
# server DTLSv1 AES128-SHA
-u
-l AES128-SHA
# client DTLSv1 AES128-SHA
-u
-l AES128-SHA
# server DTLSv1 AES256-SHA
-u
-l AES256-SHA
# client DTLSv1 AES256-SHA
-u
-l AES256-SHA
# server DTLSv1 AES128-SHA256
-u
-l AES128-SHA256
# client DTLSv1 AES128-SHA256
-u
-l AES128-SHA256
# server DTLSv1 AES256-SHA256
-u
-l AES256-SHA256
# client DTLSv1 AES256-SHA256
-u
-l AES256-SHA256
# server DTLSv1 RABBIT-SHA
-u
-l RABBIT-SHA
# client DTLSv1 RABBIT-SHA
-u
-l RABBIT-SHA

View File

@ -226,3 +226,255 @@
-l ECDHE-ECDSA-AES256-SHA
-A ./certs/server-ecc.pem
# server TLSv1 ECDH-RSA-RC4
-v 1
-l ECDH-RSA-RC4-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1 ECDH-RSA-RC4
-v 1
-l ECDH-RSA-RC4-SHA
# server TLSv1 ECDH-RSA-DES3
-v 1
-l ECDH-RSA-DES-CBC3-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1 ECDH-RSA-DES3
-v 1
-l ECDH-RSA-DES-CBC3-SHA
# server TLSv1 ECDH-RSA-AES128
-v 1
-l ECDH-RSA-AES128-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1 ECDH-RSA-AES128
-v 1
-l ECDH-RSA-AES128-SHA
# server TLSv1 ECDH-RSA-AES256
-v 1
-l ECDH-RSA-AES256-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1 ECDH-RSA-AES256
-v 1
-l ECDH-RSA-AES256-SHA
# server TLSv1.1 ECDH-RSA-RC4
-v 2
-l ECDH-RSA-RC4-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDH-RSA-RC4
-v 2
-l ECDH-RSA-RC4-SHA
# server TLSv1.1 ECDH-RSA-DES3
-v 2
-l ECDH-RSA-DES-CBC3-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDH-RSA-DES3
-v 2
-l ECDH-RSA-DES-CBC3-SHA
# server TLSv1.1 ECDH-RSA-AES128
-v 2
-l ECDH-RSA-AES128-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDH-RSA-AES128
-v 2
-l ECDH-RSA-AES128-SHA
# server TLSv1.1 ECDH-RSA-AES256
-v 2
-l ECDH-RSA-AES256-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDH-RSA-AES256
-v 2
-l ECDH-RSA-AES256-SHA
# server TLSv1.2 ECDH-RSA-RC4
-v 3
-l ECDH-RSA-RC4-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-RSA-RC4
-v 3
-l ECDH-RSA-RC4-SHA
# server TLSv1.2 ECDH-RSA-DES3
-v 3
-l ECDH-RSA-DES-CBC3-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-RSA-DES3
-v 3
-l ECDH-RSA-DES-CBC3-SHA
# server TLSv1.2 ECDH-RSA-AES128
-v 3
-l ECDH-RSA-AES128-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-RSA-AES128
-v 3
-l ECDH-RSA-AES128-SHA
# server TLSv1.2 ECDH-RSA-AES256
-v 3
-l ECDH-RSA-AES256-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-RSA-AES256
-v 3
-l ECDH-RSA-AES256-SHA
# server TLSv1 ECDH-ECDSA-RC4
-v 1
-l ECDH-ECDSA-RC4-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1 ECDH-ECDSA-RC4
-v 1
-l ECDH-ECDSA-RC4-SHA
-A ./certs/server-ecc.pem
# server TLSv1 ECDH-ECDSA-DES3
-v 1
-l ECDH-ECDSA-DES-CBC3-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1 ECDH-ECDSA-DES3
-v 1
-l ECDH-ECDSA-DES-CBC3-SHA
-A ./certs/server-ecc.pem
# server TLSv1 ECDH-ECDSA-AES128
-v 1
-l ECDH-ECDSA-AES128-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1 ECDH-ECDSA-AES128
-v 1
-l ECDH-ECDSA-AES128-SHA
-A ./certs/server-ecc.pem
# server TLSv1 ECDH-ECDSA-AES256
-v 1
-l ECDH-ECDSA-AES256-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1 ECDH-ECDSA-AES256
-v 1
-l ECDH-ECDSA-AES256-SHA
-A ./certs/server-ecc.pem
# server TLSv1.1 ECDH-EDCSA-RC4
-v 2
-l ECDH-ECDSA-RC4-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDH-ECDSA-RC4
-v 2
-l ECDH-ECDSA-RC4-SHA
-A ./certs/server-ecc.pem
# server TLSv1.1 ECDH-ECDSA-DES3
-v 2
-l ECDH-ECDSA-DES-CBC3-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDH-ECDSA-DES3
-v 2
-l ECDH-ECDSA-DES-CBC3-SHA
-A ./certs/server-ecc.pem
# server TLSv1.1 ECDH-ECDSA-AES128
-v 2
-l ECDH-ECDSA-AES128-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDH-ECDSA-AES128
-v 2
-l ECDH-ECDSA-AES128-SHA
-A ./certs/server-ecc.pem
# server TLSv1.1 ECDH-ECDSA-AES256
-v 2
-l ECDH-ECDSA-AES256-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDH-ECDSA-AES256
-v 2
-l ECDH-ECDSA-AES256-SHA
-A ./certs/server-ecc.pem
# server TLSv1.2 ECDHE-ECDSA-RC4
-v 3
-l ECDH-ECDSA-RC4-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-ECDSA-RC4
-v 3
-l ECDH-ECDSA-RC4-SHA
-A ./certs/server-ecc.pem
# server TLSv1.2 ECDH-ECDSA-DES3
-v 3
-l ECDH-ECDSA-DES-CBC3-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-ECDSA-DES3
-v 3
-l ECDH-ECDSA-DES-CBC3-SHA
-A ./certs/server-ecc.pem
# server TLSv1.2 ECDH-ECDSA-AES128
-v 3
-l ECDH-ECDSA-AES128-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-ECDSA-AES128
-v 3
-l ECDH-ECDSA-AES128-SHA
-A ./certs/server-ecc.pem
# server TLSv1.2 ECDH-ECDSA-AES256
-v 3
-l ECDH-ECDSA-AES256-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.2 ECDH-ECDSA-AES256
-v 3
-l ECDH-ECDSA-AES256-SHA
-A ./certs/server-ecc.pem