mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update OpenSSL interopability testing

Browse Source 
Added TLS 1.3 testing.
Added Ed25519 and Ed448 testing.
Added tesitng of OpenSSL client against wolfSSL server.
Fixed builds of Curve25519/Curve448/Ed25519/Ed448 in different
configurations.
This commit is contained in:
Sean Parkinson 2020-07-07 22:47:28 +10:00
parent 132adeac14
commit 93cdfd7132
9 changed files with 990 additions and 172 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
configure.ac
View File

@ -3131,7 +3131,7 @@ AC_ARG_ENABLE([supportedcurves],
if test "x$ENABLED_SUPPORTED_CURVES" = "xyes"
then
AS_IF([test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno"],
AS_IF([test "x$ENABLED_ECC" = "xno" && test "x$ENABLED_CURVE25519" = "xno" && test "x$ENABLED_CURVE448" = "xno"],
[ENABLED_SUPPORTED_CURVES=no],
[AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES"])
fi
@ -3231,7 +3231,7 @@ then
ENABLED_ENCRYPT_THEN_MAC=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA"
# Check the ECC supported curves prereq
AS_IF([test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_CURVE25519" = "xyes" || test "x$ENABLED_TLS13" = "xyes"],
AS_IF([test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_CURVE25519" = "xyes" || test "x$ENABLED_CURVE448" = "xyes" || test "x$ENABLED_TLS13" = "xyes"],
[ENABLED_SUPPORTED_CURVES=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_SUPPORTED_CURVES"])
fi

1076
scripts/openssl.test
View File

File diff suppressed because it is too large Load Diff

32
src/internal.c
View File

@ -20980,14 +20980,14 @@ exit_dpk:
/* Persistable DoServerKeyExchange arguments */
typedef struct DskeArgs {
byte* output; /* not allocated */
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448)
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448)
byte* verifySig;
#endif
word32 idx;
word32 begin;
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448)
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448)
word16 verifySigSz;
#endif
word16 sigSz;
@ -21005,8 +21005,8 @@ static void FreeDskeArgs(WOLFSSL* ssl, void* pArgs)
(void)ssl;
(void)args;
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448)
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448)
if (args->verifySig) {
XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
args->verifySig = NULL;
@ -21643,8 +21643,8 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
case diffie_hellman_kea:
case ecc_diffie_hellman_kea:
{
#if defined(NO_DH) && !defined(HAVE_ECC) && !defined(HAVE_ED25519) \
&& !defined(HAVE_ED448)
#if defined(NO_DH) && !defined(HAVE_ECC) && \
!defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
ERROR_OUT(NOT_COMPILED_IN, exit_dske);
#else
enum wc_HashType hashType;
@ -21816,8 +21816,8 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
case diffie_hellman_kea:
case ecc_diffie_hellman_kea:
{
#if defined(NO_DH) && !defined(HAVE_ECC) && !defined(HAVE_ED25519) \
&& !defined(HAVE_ED448)
#if defined(NO_DH) && !defined(HAVE_ECC) && \
!defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
ERROR_OUT(NOT_COMPILED_IN, exit_dske);
#else
if (ssl->options.usingAnon_cipher) {
@ -21990,8 +21990,8 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
case diffie_hellman_kea:
case ecc_diffie_hellman_kea:
{
#if defined(NO_DH) && !defined(HAVE_ECC) && !defined(HAVE_ED25519) \
&& !defined(HAVE_ED448)
#if defined(NO_DH) && !defined(HAVE_ECC) && \
!defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
ERROR_OUT(NOT_COMPILED_IN, exit_dske);
#else
if (ssl->options.usingAnon_cipher) {
@ -24835,7 +24835,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
typedef struct SskeArgs {
byte* output; /* not allocated */
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
(!defined(NO_DH) && !defined(NO_RSA))
!defined(NO_RSA)
byte* sigDataBuf;
#endif
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
@ -24850,7 +24850,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
word32 length;
word32 sigSz;
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
(!defined(NO_DH) && !defined(NO_RSA))
!defined(NO_RSA)
word32 sigDataSz;
#endif
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
@ -25994,8 +25994,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
break;
}
#endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || \
defined(HAVE_ED448)
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
defined(HAVE_CURVE448)
case ecc_diffie_hellman_kea:
{
/* Sign hash to create signature */

2
src/ssl.c
View File

@ -52,7 +52,7 @@
#if !defined(WOLFSSL_ALLOW_NO_SUITES) && !defined(WOLFCRYPT_ONLY)
#if defined(NO_DH) && !defined(HAVE_ECC) && !defined(WOLFSSL_STATIC_RSA) \
&& !defined(WOLFSSL_STATIC_DH) && !defined(WOLFSSL_STATIC_PSK) \
&& !defined(HAVE_ED25519) && !defined(HAVE_ED448)
&& !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
#error "No cipher suites defined because DH disabled, ECC disabled, and no static suites defined. Please see top of README"
#endif
#ifdef WOLFSSL_CERT_GEN

34
src/tls.c
View File

@ -4288,7 +4288,11 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
TLSX* extension = NULL;
SupportedCurve* curve = NULL;
word32 oid = 0;
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_ED25519) || \
defined(HAVE_CURVE448) || defined(HAVE_ED448) || \
(!defined(NO_RSA) && defined(WOLFSSL_STATIC_DH))
word32 pkOid = 0;
#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 || (!NO_RSA && STATIC_DH) */
word32 defOid = 0;
word32 defSz = 80; /* Maximum known curve size is 66. */
word32 nextOid = 0;
@ -4300,7 +4304,21 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
int key = 0; /* validate key */
(void)oid;
(void)pkOid;
if (first == CHACHA_BYTE) {
switch (second) {
case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256:
case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
return 1; /* no suite restriction */
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
break;
}
}
if (first == ECC_BYTE || first == CHACHA_BYTE)
extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
if (!extension)
@ -4379,7 +4397,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
#endif /* !NO_ECC_SECP */
#endif /* !NO_ECC256 || HAVE_ALL_CURVES */
#endif
#ifdef HAVE_CURVE25519
#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
case WOLFSSL_ECC_X25519:
oid = ECC_X25519_OID;
#ifdef HAVE_ED25519
@ -4406,7 +4424,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#endif
#ifdef HAVE_CURVE448
#if defined(HAVE_CURVE448) || defined(HAVE_ED448)
case WOLFSSL_ECC_X448:
oid = ECC_X448_OID;
#ifdef HAVE_ED448
@ -4482,6 +4500,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
if (first == ECC_BYTE) {
switch (second) {
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
/* ECDHE_ECDSA */
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
@ -4498,7 +4517,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
ephmSuite = 1;
break;
#ifdef WOLFSSL_STATIC_DH
#ifdef WOLFSSL_STATIC_DH
/* ECDH_ECDSA */
case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
@ -4519,7 +4538,8 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
sig |= ssl->pkCurveOID == pkOid;
key |= ssl->pkCurveOID == oid;
break;
#endif /* WOLFSSL_STATIC_DH */
#endif /* WOLFSSL_STATIC_DH */
#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
#ifndef NO_RSA
/* ECDHE_RSA */
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
@ -4535,7 +4555,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
ephmSuite = 1;
break;
#ifdef WOLFSSL_STATIC_DH
#ifdef WOLFSSL_STATIC_DH
/* ECDH_RSA */
case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
@ -4556,7 +4576,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
sig = 1;
key |= ssl->pkCurveOID == pkOid;
break;
#endif /* WOLFSSL_STATIC_DH */
#endif /* WOLFSSL_STATIC_DH */
#endif
default:
if (oid == ECC_X25519_OID && defOid == oid) {
@ -4578,6 +4598,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
/* ChaCha20-Poly1305 ECC cipher suites */
if (first == CHACHA_BYTE) {
switch (second) {
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
/* ECDHE_ECDSA */
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
@ -4585,6 +4606,7 @@ int TLSX_ValidateSupportedCurves(WOLFSSL* ssl, byte first, byte second) {
key |= ssl->ecdhCurveOID == oid;
ephmSuite = 1;
break;
#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
#ifndef NO_RSA
/* ECDHE_RSA */
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :

3
tests/test-ed25519.conf
View File

@ -3,6 +3,7 @@
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/ed25519/server-ed25519.pem
-k ./certs/ed25519/server-ed25519-key.pem
-d
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
@ -15,6 +16,7 @@
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/ed25519/server-ed25519.pem
-k ./certs/ed25519/server-ed25519-priv.pem
-d
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
@ -44,6 +46,7 @@
-l TLS13-AES128-GCM-SHA256
-c ./certs/ed25519/server-ed25519.pem
-k ./certs/ed25519/server-ed25519-key.pem
-d
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4

2
tests/test-ed448.conf
View File

@ -3,6 +3,7 @@
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/ed448/server-ed448.pem
-k ./certs/ed448/server-ed448-priv.pem
-d
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
@ -32,6 +33,7 @@
-l TLS13-AES128-GCM-SHA256
-c ./certs/ed448/server-ed448.pem
-k ./certs/ed448/server-ed448-priv.pem
-d
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4

5
wolfssl/internal.h
View File

@ -861,11 +861,13 @@
#if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \
defined(BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) || \
defined(BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) || \
defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \
defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) || \
defined(BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256) || \
defined(BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384) || \
defined(BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) || \
defined(BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) || \
defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) || \
defined(BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384) || \
defined(BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384) || \
@ -1168,7 +1170,8 @@ enum {
#ifndef MAX_PSK_ID_LEN
/* max psk identity/hint supported */
#if defined(WOLFSSL_TLS13)
#define MAX_PSK_ID_LEN 256
/* OpenSSL has a 1472 byte sessiont ticket */
#define MAX_PSK_ID_LEN 1536
#else
#define MAX_PSK_ID_LEN 128
#endif

4
wolfssl/test.h
View File

@ -1961,7 +1961,7 @@ static WC_INLINE int StackSizeCheck(func_args* args, thread_func tf)
int ret, i, used;
void* status;
unsigned char* myStack = NULL;
int stackSize = 1024*152;
int stackSize = 1024*176;
pthread_attr_t myAttr;
pthread_t threadId;
@ -2915,7 +2915,7 @@ static WC_INLINE int myEd448Verify(WOLFSSL* ssl, const byte* sig, word32 sigSz,
ret = wc_ed448_import_public(key, keySz, &myKey);
if (ret == 0) {
ret = wc_ed448_verify_msg(sig, sigSz, msg, msgSz, result, &myKey,
NULL, 0);
NULL, 0);
}
wc_ed448_free(&myKey);
}