WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix TLS 1.3 with ECC disabled and CURVE25519 enabled. Resolves issue with using `./configure --disable-ecc --enable-curve25519 --enable-ed25519 --enable-tls13`. Refactor `TLSX_KeyShare_GenEccKey` to support either ECC or CURVE25519. Fix for `PemToDer` to handle ED25519 without ECC enabled.

pull/1485/head
David Garske 2018-04-09 10:10:08 -07:00
parent 2a460d3d05
commit 21833e245f
3 changed files with 45 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/ssl.c
View File

@ -4725,7 +4725,12 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
} else } else
#endif #endif
#ifdef HAVE_ED25519 #ifdef HAVE_ED25519
if (header == BEGIN_DSA_PRIV) { #ifdef HAVE_ECC
if (header == BEGIN_DSA_PRIV)
#else
if (header == BEGIN_ENC_PRIV_KEY)
#endif
{
header = BEGIN_EDDSA_PRIV; footer = END_EDDSA_PRIV; header = BEGIN_EDDSA_PRIV; footer = END_EDDSA_PRIV;
} else } else
#endif #endif
@ -5319,7 +5324,9 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
!= 0) { != 0) {
#ifdef HAVE_ECC #ifdef HAVE_ECC
/* could have DER ECC (or pkcs8 ecc), no easy way to tell */ /* could have DER ECC (or pkcs8 ecc), no easy way to tell */
eccKey = 1; /* so try it out */ eccKey = 1; /* try it next */
#elif defined(HAVE_ED25519)
ed25519Key = 1; /* try it next */
#else #else
WOLFSSL_MSG("RSA decode failed and ECC not enabled to try"); WOLFSSL_MSG("RSA decode failed and ECC not enabled to try");
ret = WOLFSSL_BAD_FILE; ret = WOLFSSL_BAD_FILE;

52
src/tls.c
View File

@ -5256,7 +5256,7 @@ end:
} }
#endif #endif
#ifdef HAVE_ECC #if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
/* Create a key share entry using named elliptic curve parameters group. /* Create a key share entry using named elliptic curve parameters group.
* Generates a key pair. * Generates a key pair.
* *
@ -5269,13 +5269,17 @@ static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse)
int ret; int ret;
byte* keyData = NULL; byte* keyData = NULL;
word32 dataSize; word32 dataSize;
byte* keyPtr = NULL;
word32 keySize; word32 keySize;
ecc_key* eccKey = NULL; #ifdef HAVE_ECC
ecc_key* eccKey;
word16 curveId; word16 curveId;
#endif
/* TODO: [TLS13] The key sizes should come from wolfcrypt. */ /* TODO: [TLS13] The key sizes should come from wolfcrypt. */
/* Translate named group to a curve id. */ /* Translate named group to a curve id. */
switch (kse->group) { switch (kse->group) {
#ifdef HAVE_ECC
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP #ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP256R1: case WOLFSSL_ECC_SECP256R1:
@ -5303,52 +5307,49 @@ static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse)
break; break;
#endif /* !NO_ECC_SECP */ #endif /* !NO_ECC_SECP */
#endif #endif
#endif
#ifdef HAVE_CURVE25519 #ifdef HAVE_CURVE25519
case WOLFSSL_ECC_X25519: case WOLFSSL_ECC_X25519:
{ {
curve25519_key* key; curve25519_key* curve_key;
/* Allocate an ECC key to hold private key. */ /* Allocate an ECC key to hold private key. */
key = (curve25519_key*)XMALLOC(sizeof(curve25519_key), keyPtr = (byte*)XMALLOC(sizeof(curve25519_key),
ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
if (key == NULL) { if (keyPtr == NULL) {
WOLFSSL_MSG("EccTempKey Memory error"); WOLFSSL_MSG("EccTempKey Memory error");
return MEMORY_E; return MEMORY_E;
} }
curve_key = (curve25519_key*)keyPtr;
dataSize = keySize = 32; dataSize = keySize = 32;
/* Make an ECC key. */ /* Make an ECC key. */
ret = wc_curve25519_init(key); ret = wc_curve25519_init(curve_key);
if (ret != 0) { if (ret != 0)
eccKey = (ecc_key*)key; /* assign for freeing key */
goto end; goto end;
} ret = wc_curve25519_make_key(ssl->rng, keySize, curve_key);
ret = wc_curve25519_make_key(ssl->rng, keySize, key); if (ret != 0)
if (ret != 0) {
eccKey = (ecc_key*)key; /* assign for freeing key */
goto end; goto end;
}
/* Allocate space for the public key. */ /* Allocate space for the public key. */
keyData = (byte*)XMALLOC(dataSize, ssl->heap, keyData = (byte*)XMALLOC(dataSize, ssl->heap,
DYNAMIC_TYPE_PUBLIC_KEY); DYNAMIC_TYPE_PUBLIC_KEY);
if (keyData == NULL) { if (keyData == NULL) {
WOLFSSL_MSG("Key data Memory error"); WOLFSSL_MSG("Key data Memory error");
ret = MEMORY_E; ret = MEMORY_E;
eccKey = (ecc_key*)key; /* assign for freeing key */
goto end; goto end;
} }
/* Export public key. */ /* Export public key. */
if (wc_curve25519_export_public_ex(key, keyData, &dataSize, if (wc_curve25519_export_public_ex(curve_key, keyData, &dataSize,
EC25519_LITTLE_ENDIAN) != 0) { EC25519_LITTLE_ENDIAN) != 0) {
ret = ECC_EXPORT_ERROR; ret = ECC_EXPORT_ERROR;
eccKey = (ecc_key*)key; /* assign for freeing key */
goto end; goto end;
} }
kse->ke = keyData; kse->ke = keyData;
kse->keLen = dataSize; kse->keLen = dataSize;
kse->key = key; kse->key = keyPtr;
#ifdef WOLFSSL_DEBUG_TLS #ifdef WOLFSSL_DEBUG_TLS
WOLFSSL_MSG("Public Curve25519 Key"); WOLFSSL_MSG("Public Curve25519 Key");
@ -5368,13 +5369,15 @@ static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
#ifdef HAVE_ECC
/* Allocate an ECC key to hold private key. */ /* Allocate an ECC key to hold private key. */
eccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), ssl->heap, keyPtr = (byte*)XMALLOC(sizeof(ecc_key), ssl->heap,
DYNAMIC_TYPE_PRIVATE_KEY); DYNAMIC_TYPE_PRIVATE_KEY);
if (eccKey == NULL) { if (keyPtr == NULL) {
WOLFSSL_MSG("EccTempKey Memory error"); WOLFSSL_MSG("EccTempKey Memory error");
return MEMORY_E; return MEMORY_E;
} }
eccKey = (ecc_key*)keyPtr;
/* Make an ECC key. */ /* Make an ECC key. */
ret = wc_ecc_init_ex(eccKey, ssl->heap, ssl->devId); ret = wc_ecc_init_ex(eccKey, ssl->heap, ssl->devId);
@ -5406,20 +5409,21 @@ static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse)
kse->ke = keyData; kse->ke = keyData;
kse->keLen = dataSize; kse->keLen = dataSize;
kse->key = eccKey; kse->key = keyPtr;
#ifdef WOLFSSL_DEBUG_TLS #ifdef WOLFSSL_DEBUG_TLS
WOLFSSL_MSG("Public ECC Key"); WOLFSSL_MSG("Public ECC Key");
WOLFSSL_BUFFER(keyData, dataSize); WOLFSSL_BUFFER(keyData, dataSize);
#endif #endif
#endif /* HAVE_ECC */
end: end:
if (ret != 0) { if (ret != 0) {
/* Data owned by key share entry otherwise. */ /* Data owned by key share entry otherwise. */
if (eccKey != NULL) if (keyPtr != NULL)
XFREE(eccKey, ssl->heap, DYNAMIC_TYPE_TLSX); XFREE(keyPtr, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
if (keyData != NULL) if (keyData != NULL)
XFREE(keyData, ssl->heap, DYNAMIC_TYPE_TLSX); XFREE(keyData, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
} }
return ret; return ret;
} }
@ -5437,7 +5441,7 @@ static int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse)
if ((kse->group & NAMED_DH_MASK) == NAMED_DH_MASK) if ((kse->group & NAMED_DH_MASK) == NAMED_DH_MASK)
return TLSX_KeyShare_GenDhKey(ssl, kse); return TLSX_KeyShare_GenDhKey(ssl, kse);
#endif #endif
#ifdef HAVE_ECC #if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
return TLSX_KeyShare_GenEccKey(ssl, kse); return TLSX_KeyShare_GenEccKey(ssl, kse);
#else #else
return NOT_COMPILED_IN; return NOT_COMPILED_IN;

8
tests/api.c
View File

@ -18123,6 +18123,14 @@ static int test_tls13_apis(void)
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1), AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_SECP256R1),
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
#elif defined(HAVE_CURVE25519)
AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_X25519), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_X25519),
SIDE_ERROR);
AssertIntEQ(wolfSSL_UseKeyShare(clientTls12Ssl, WOLFSSL_ECC_X25519),
WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_UseKeyShare(clientSsl, WOLFSSL_ECC_X25519),
WOLFSSL_SUCCESS);
#else #else
AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG); AssertIntEQ(wolfSSL_UseKeyShare(NULL, WOLFSSL_ECC_SECP256R1), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_SECP256R1), AssertIntEQ(wolfSSL_UseKeyShare(serverSsl, WOLFSSL_ECC_SECP256R1),