From 33cb8231481d5beb46b57511c2630aba36028256 Mon Sep 17 00:00:00 2001 
From: Anthony Hu Date: Thu, 23 Sep 2021 18:37:53 -0400 Subject: [PATCH] Remove legacy NTRU and OQS (#4418) * Remove NTRU and OQS * Keep the DTLS serialization format backwards compatible. * Remove n from mygetopt_long() call. * Fix over-zealous deletion. * Resolve problems found by @SparkiDev --- CMakeLists.txt | 2 - .../MDK-ARM/wolfSSL/config-BARE-METAL.h | 6 - IDE/MDK-ARM/MDK-ARM/wolfSSL/config-FS.h | 6 - .../MDK-ARM/wolfSSL/config-RTX-TCP-FS.h | 6 - IDE/MDK5-ARM/Conf/user_settings.h | 7 - .../RTE/wolfSSL/user_settings.h | 7 - .../CryptTest/RTE/wolfSSL/user_settings.h | 7 - .../EchoClient/RTE/wolfSSL/user_settings.h | 7 - .../EchoServer/RTE/wolfSSL/user_settings.h | 7 - .../SimpleClient/RTE/wolfSSL/user_settings.h | 7 - .../SimpleServer/RTE/wolfSSL/user_settings.h | 7 - .../wolfSSL-Lib/RTE/wolfSSL/user_settings.h | 7 - IDE/STM32Cube/wolfssl_example.c | 5 - Makefile.am | 5 - README | 6 +- README.md | 8 +- certs/include.am | 3 - certs/ntru-cert.pem | 29 - certs/ntru-key.raw | Bin 607 -> 0 bytes certs/renewcerts.sh | 116 +- cmake/functions.cmake | 1 - configure.ac | 63 - cyassl/ctaocrypt/asn_public.h | 4 - cyassl/ctaocrypt/settings_comp.h | 3 - cyassl/ssl.h | 1 - doc/dox_comments/header_files/asn_public.h | 104 - doc/dox_comments/header_files/pkcs7.h | 2 - doc/dox_comments/header_files/ssl.h | 152 -- examples/client/client-ntru.vcproj | 199 -- examples/client/client.c | 5 - examples/client/include.am | 1 - examples/echoclient/echoclient-ntru.vcproj | 199 -- examples/echoclient/include.am | 1 - examples/echoserver/echoserver-ntru.vcproj | 199 -- examples/echoserver/echoserver.c | 16 +- examples/echoserver/include.am | 1 - examples/server/include.am | 1 - examples/server/server-ntru.vcproj | 199 -- examples/server/server.c | 30 +- linuxkm/module_exports.c.template | 4 - src/internal.c | 992 +-------- src/keys.c | 111 - src/ssl.c | 151 +- src/tls.c | 932 +-------- src/tls13.c | 25 +- tests/api.c | 8 +- tests/include.am | 2 - tests/suites.c | 30 - 
tests/test-qsh-sha2.conf | 303 --- tests/test-qsh.conf | 1836 ----------------- tests/test.conf | 121 -- testsuite/include.am | 1 - testsuite/testsuite-ntru.vcproj | 219 -- wolfcrypt/benchmark/benchmark.c | 234 +-- wolfcrypt/benchmark/benchmark.h | 2 - wolfcrypt/src/asn.c | 234 +-- wolfcrypt/src/error.c | 3 - wolfcrypt/test/test.c | 260 +-- wolfssl-ntru.sln | 65 - wolfssl-ntru.vcproj | 353 ---- wolfssl/error-ssl.h | 4 - wolfssl/internal.h | 110 +- wolfssl/ssl.h | 34 +- wolfssl/test.h | 11 +- wolfssl/wolfcrypt/asn.h | 7 +- wolfssl/wolfcrypt/asn_public.h | 12 - wolfssl/wolfcrypt/error-crypt.h | 1 - wolfssl/wolfcrypt/types.h | 1 - 68 files changed, 106 insertions(+), 7389 deletions(-) delete mode 100644 certs/ntru-cert.pem delete mode 100644 certs/ntru-key.raw delete mode 100755 examples/client/client-ntru.vcproj delete mode 100755 examples/echoclient/echoclient-ntru.vcproj delete mode 100755 examples/echoserver/echoserver-ntru.vcproj delete mode 100755 examples/server/server-ntru.vcproj delete mode 100644 tests/test-qsh-sha2.conf delete mode 100644 tests/test-qsh.conf delete mode 100755 testsuite/testsuite-ntru.vcproj delete mode 100755 wolfssl-ntru.sln delete mode 100755 wolfssl-ntru.vcproj diff --git a/CMakeLists.txt b/CMakeLists.txt index 5607ab702..811ad0947 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1015,8 +1015,6 @@ endif() # - CRL # - CRL monitor # - User crypto -# - NTRU -# - QSH # - Whitewood netRandom client library # - SNI # - Max fragment length diff --git a/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-BARE-METAL.h b/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-BARE-METAL.h index 4a1e452fc..745b78399 100644 --- a/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-BARE-METAL.h +++ b/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-BARE-METAL.h @@ -215,12 +215,6 @@ #define BUILD_AESGCM #endif // -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Others 
diff --git a/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-FS.h b/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-FS.h index b77821155..6275972fb 100644 --- a/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-FS.h +++ b/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-FS.h @@ -252,12 +252,6 @@ #define BUILD_AESGCM #endif // -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Others diff --git a/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-RTX-TCP-FS.h b/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-RTX-TCP-FS.h index 626a1c348..7e31d13a1 100644 --- a/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-RTX-TCP-FS.h +++ b/IDE/MDK-ARM/MDK-ARM/wolfSSL/config-RTX-TCP-FS.h @@ -274,12 +274,6 @@ #define BUILD_AESGCM #endif // -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Others diff --git a/IDE/MDK5-ARM/Conf/user_settings.h b/IDE/MDK5-ARM/Conf/user_settings.h index 98f168809..5b83f556d 100644 --- a/IDE/MDK5-ARM/Conf/user_settings.h +++ b/IDE/MDK5-ARM/Conf/user_settings.h @@ -360,13 +360,6 @@ #define HAVE_PKCS7 #endif // - -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Random Seed, for TEST Only diff --git a/IDE/MDK5-ARM/Projects/CryptBenchmark/RTE/wolfSSL/user_settings.h b/IDE/MDK5-ARM/Projects/CryptBenchmark/RTE/wolfSSL/user_settings.h index 639e0fc50..c0dbb1894 100644 --- a/IDE/MDK5-ARM/Projects/CryptBenchmark/RTE/wolfSSL/user_settings.h +++ b/IDE/MDK5-ARM/Projects/CryptBenchmark/RTE/wolfSSL/user_settings.h @@ -360,13 +360,6 @@ #define HAVE_PKCS7 #endif // - -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Random Seed, for TEST Only diff --git a/IDE/MDK5-ARM/Projects/CryptTest/RTE/wolfSSL/user_settings.h b/IDE/MDK5-ARM/Projects/CryptTest/RTE/wolfSSL/user_settings.h index 96106ffc1..5c77fe125 100644 
--- a/IDE/MDK5-ARM/Projects/CryptTest/RTE/wolfSSL/user_settings.h +++ b/IDE/MDK5-ARM/Projects/CryptTest/RTE/wolfSSL/user_settings.h @@ -360,13 +360,6 @@ #define HAVE_PKCS7 #endif // - -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Random Seed, for TEST Only diff --git a/IDE/MDK5-ARM/Projects/EchoClient/RTE/wolfSSL/user_settings.h b/IDE/MDK5-ARM/Projects/EchoClient/RTE/wolfSSL/user_settings.h index 4ddba7092..1706c1b82 100644 --- a/IDE/MDK5-ARM/Projects/EchoClient/RTE/wolfSSL/user_settings.h +++ b/IDE/MDK5-ARM/Projects/EchoClient/RTE/wolfSSL/user_settings.h @@ -358,13 +358,6 @@ #define HAVE_PKCS7 #endif // - -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Random Seed, for TEST Only diff --git a/IDE/MDK5-ARM/Projects/EchoServer/RTE/wolfSSL/user_settings.h b/IDE/MDK5-ARM/Projects/EchoServer/RTE/wolfSSL/user_settings.h index 36806c07e..a47879058 100644 --- a/IDE/MDK5-ARM/Projects/EchoServer/RTE/wolfSSL/user_settings.h +++ b/IDE/MDK5-ARM/Projects/EchoServer/RTE/wolfSSL/user_settings.h @@ -360,13 +360,6 @@ #define HAVE_PKCS7 #endif // - -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Random Seed, for TEST Only diff --git a/IDE/MDK5-ARM/Projects/SimpleClient/RTE/wolfSSL/user_settings.h b/IDE/MDK5-ARM/Projects/SimpleClient/RTE/wolfSSL/user_settings.h index 5f47c6c93..f4519b1d6 100644 --- a/IDE/MDK5-ARM/Projects/SimpleClient/RTE/wolfSSL/user_settings.h +++ b/IDE/MDK5-ARM/Projects/SimpleClient/RTE/wolfSSL/user_settings.h @@ -360,13 +360,6 @@ #define HAVE_PKCS7 #endif // - -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Random Seed, for TEST Only 
diff --git a/IDE/MDK5-ARM/Projects/SimpleServer/RTE/wolfSSL/user_settings.h b/IDE/MDK5-ARM/Projects/SimpleServer/RTE/wolfSSL/user_settings.h index 5f47c6c93..f4519b1d6 100644 --- a/IDE/MDK5-ARM/Projects/SimpleServer/RTE/wolfSSL/user_settings.h +++ b/IDE/MDK5-ARM/Projects/SimpleServer/RTE/wolfSSL/user_settings.h @@ -360,13 +360,6 @@ #define HAVE_PKCS7 #endif // - -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Random Seed, for TEST Only diff --git a/IDE/MDK5-ARM/Projects/wolfSSL-Lib/RTE/wolfSSL/user_settings.h b/IDE/MDK5-ARM/Projects/wolfSSL-Lib/RTE/wolfSSL/user_settings.h index 5f47c6c93..f4519b1d6 100644 --- a/IDE/MDK5-ARM/Projects/wolfSSL-Lib/RTE/wolfSSL/user_settings.h +++ b/IDE/MDK5-ARM/Projects/wolfSSL-Lib/RTE/wolfSSL/user_settings.h @@ -360,13 +360,6 @@ #define HAVE_PKCS7 #endif // - -// NTRU (need License, "crypto_ntru.h") -#define MDK_CONF_NTRU 0 -#if MDK_CONF_NTRU == 1 -#define HAVE_NTRU -#endif -// // // Random Seed, for TEST Only diff --git a/IDE/STM32Cube/wolfssl_example.c b/IDE/STM32Cube/wolfssl_example.c index c359d53eb..724e79770 100644 --- a/IDE/STM32Cube/wolfssl_example.c +++ b/IDE/STM32Cube/wolfssl_example.c @@ -463,12 +463,7 @@ static void ShowPeer(WOLFSSL* ssl) printf("%s %s\n", words[0], wolfSSL_get_version(ssl)); cipher = wolfSSL_get_current_cipher(ssl); -#ifdef HAVE_QSH - printf("%s %s%s\n", words[1], (wolfSSL_isQSH(ssl))? "QSH:": "", - wolfSSL_CIPHER_get_name(cipher)); -#else printf("%s %s\n", words[1], wolfSSL_CIPHER_get_name(cipher)); -#endif #if defined(HAVE_ECC) || !defined(NO_DH) if ((name = wolfSSL_get_curve_name(ssl)) != NULL) printf("%s %s\n", words[2], name); diff --git a/Makefile.am b/Makefile.am index 2d24f82d5..6a514406b 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -38,10 +38,7 @@ CLEANFILES+= ecc-key.der \ certreq.pem \ key.der \ key.pem \ - ntru-cert.der \ ecc-key-pkcs8.der \ - ntru-cert.pem \ - ntru-key.raw \ othercert.der \ othercert.pem \ pkcs7cert.der \ @@ -135,10 +132,8 @@ ACLOCAL_AMFLAGS= -I m4 EXTRA_DIST+= lib/dummy -EXTRA_DIST+= wolfssl-ntru.vcproj EXTRA_DIST+= wolfssl.vcproj EXTRA_DIST+= wolfssl.vcxproj -EXTRA_DIST+= wolfssl-ntru.sln EXTRA_DIST+= wolfssl.sln EXTRA_DIST+= wolfssl64.sln EXTRA_DIST+= valgrind-error.sh diff --git a/README b/README index 85bc92f23..a334ab543 100644 --- a/README +++ b/README @@ -7,7 +7,7 @@ and feature set. It is commonly used in standard operating environments as well because of its royalty-free pricing and excellent cross platform support. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.2 levels, is up to 20 times smaller than OpenSSL, and offers progressive ciphers -such as ChaCha20, Curve25519, NTRU, and Blake2b. User benchmarking and feedback +such as ChaCha20, Curve25519, and Blake2b. User benchmarking and feedback reports dramatically better performance when using wolfSSL over OpenSSL. wolfSSL is powered by the wolfCrypt library. Two versions of the wolfCrypt @@ -41,9 +41,7 @@ with WOLFSSL_STATIC_PSK though static key cipher suites are deprecated and will be removed from future -versions of TLS. They also lower your security by removing PFS. Since current -NTRU suites available do not use ephemeral keys, WOLFSSL_STATIC_RSA needs to be -used in order to build with NTRU suites. +versions of TLS. They also lower your security by removing PFS. When compiling ssl.c, wolfSSL will now issue a compiler error if no cipher suites are available. You can remove this error by defining diff --git a/README.md b/README.md index 6f8dada07..86e0166a3 100644 --- a/README.md +++ b/README.md 
@@ -12,8 +12,8 @@ standard operating environments as well because of its royalty-free pricing and excellent cross platform support. wolfSSL supports industry standards up to the current [TLS 1.3](https://www.wolfssl.com/tls13) and DTLS 1.2, is up to 20 times smaller than OpenSSL, and offers progressive ciphers such as ChaCha20, -Curve25519, NTRU, and Blake2b. User benchmarking and feedback reports -dramatically better performance when using wolfSSL over OpenSSL. +Curve25519, Blake2b and OQS TLS 1.3 groups. User benchmarking and feedback +reports dramatically better performance when using wolfSSL over OpenSSL. wolfSSL is powered by the wolfCrypt cryptography library. Two versions of wolfCrypt have been FIPS 140-2 validated (Certificate #2425 and @@ -47,9 +47,7 @@ with one or more of the following defines: WOLFSSL_STATIC_PSK Though static key cipher suites are deprecated and will be removed from future -versions of TLS. They also lower your security by removing PFS. Since current -NTRU suites available do not use ephemeral keys, ```WOLFSSL_STATIC_RSA``` needs -to be used in order to build with NTRU suites. +versions of TLS. They also lower your security by removing PFS. When compiling ssl.c, wolfSSL will now issue a compiler error if no cipher suites are available. You can remove this error by defining diff --git a/certs/include.am b/certs/include.am index dccd84fa7..9625b5d32 100644 --- a/certs/include.am +++ b/certs/include.am @@ -24,7 +24,6 @@ EXTRA_DIST += \ certs/ecc-client-keyPub.pem \ certs/client-ecc-cert.pem \ certs/client-ca.pem \ - certs/ntru-cert.pem \ certs/dh2048.pem \ certs/server-cert.pem \ certs/server-ecc.pem \ @@ -108,8 +107,6 @@ EXTRA_DIST += \ dist_doc_DATA+= certs/taoCert.txt -EXTRA_DIST+= certs/ntru-key.raw - include certs/1024/include.am include certs/3072/include.am include certs/4096/include.am diff --git a/certs/ntru-cert.pem b/certs/ntru-cert.pem deleted file mode 100644 index 9ac81cc6d..000000000 --- a/certs/ntru-cert.pem +++ /dev/null 
@@ -1,29 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFBzCCA++gAwIBAgIQMR8ILKCzOEvwC/AXGSWKWDANBgkqhkiG9w0BAQUFADCB -lDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVt -YW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYD -VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz -bC5jb20wIhgPMjAyMTAyMDkxOTUwMzBaGA8yMDIzMTEwNzE5NTAzMFowgboxCzAJ -BgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAPBgNVBAcMCFBvcnRsYW5kMQ0w -CwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9w -bWVudDEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMRUwEwYDVQQFEwx3b2xmU1NM -MTIzNDUxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggJNMBoGCysG -AQQBwRYBAQEBBgsrBgEEAcEWAQECLgOCAi0ABIICKJXoRX/LkS71JEpP72eR3NN2 -FnLtLhBsM19zkQaNzr+HF88KgALHnkM1ufiPBu5BC3Qplb/Zk2UAK9oSbdSb9nr5 -cPCVie0MIUkYX3Dd6fICzVulmwUWeokFs9i82Li69tdtBVwlfzCihieZ+eafE27H -wlnm1UIIWiTrYu3hs0GPepgJqc1Umj8gjm61k0KdeiYKjmFHFa+wuU+kUji6nljE -yLA8iEbW7kefeQj01A4AMCAet74TuBm5r1Mly1/GT8cFyAj5Kn/mufgfaFNVrdvW -q62pTFxJEFeLra/ShUulIx7f58SaaxMGk90bFSo1Q/HlNW1ijXulkO+XZkIsAyqU -wfuh0HdIgQw+pHOn3UNrSWs4klsdm6lR/Vke4xoNedcyW7B6i1zd8QzeG57N4IZF -1ZBdU2OBMcCBEvhL9TYdDRo5FZF7QUMv1d4C5R2nG176RBho65yFJoJT8VreyTDO -MUlD5n0BQMdZzTIdFMaepB6LHKBKqI5uJh5PYaKdajM/WkJnBCIv9eHpBoNP9YBZ -r/C9/5WcQAd37f5yk2AxxFdOve9jgXWI9X/E3QglVbwK84t2yIVRjq0ojEu1ln50 -dwWIpzbvmkPS2dD0/YhJQ22J1qfT8LosOKkB7t98m5E4MwgQVHUUWmR69VfPzggP -AXRV3TXZkL0mSA/ml5P4rBuYmBFTogYIRZY80Gmmlx/Cz3nzvm/AHhH5+5zH279V -Pzu/V7m2ADANBgkqhkiG9w0BAQUFAAOCAQEAawKWRypsPE0AvIWPiR6K7qgMWRe0 -vq+l9BqkkapQT5H5kIKAEsgFZTXYpZb4WLp5MOhZZVH16Q29p9KP84UuU3F3coHl -UDQYEBwIfb8XJERcHftZluODYLKNm7nRyeEgQKAYyjTRt/2ShKBUqlt/2fTyvKi9 -IBR//pCoMY3o+jIg7Kiq6ro/GKZ7JHDayoahqlXJ08ZsbOU5A5GVYon9dGAGHoNE -bkimZ3N4eDIHpxE/qCKp3GdYifQFxpUIemN3BdzToikg1CRRCcC65Qg7rRwJt91T -wbzuhM1flJmm7nZMTyEVTpVrIud96clU5qdQ+qmbKwJzGxrS1eTs4QHcHg== ------END CERTIFICATE----- 
diff --git a/certs/ntru-key.raw b/certs/ntru-key.raw deleted file mode 100644 index 07fe2d19cfe9d9d4e15874afc4d9431f468de969..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 607 zcmV-l0-*f@0{{XLmFPu(%aJbiBuY>3XOY~~b{2B&E)Z-pUvrTLjn2P^7tacS0>_?1 zHM#hY2JS%%bSag;*^^}eE7}rm)SLEt`Ec-+iR}y_Nf=*n-RbfI&0D3L1r~aV1+&<^ z*toj(*KGw{C4VrYh9{Z%=ARR8$HH0W)j|kbB*ze?_+^=i1mNO-3TRBybAM+cF2WMj;$z+OSP7Mbaw@ar#A1J zL(ey(UNx z=9iQBtQ(k^5mTZD2t}4W&}pWZAHvUh^S*Du9ufKboX6Y0RX;nwSGl$TsvN^g*+Q{E txn?ZTFm#ycJseu&=x}!9@l$ diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index 6a2b2ab4e..1d60d0404 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -35,9 +35,6 @@ # # pkcs7: # test-degenerate.p7b -# if HAVE_NTRU -# ntru-cert.pem -# ntru-key.raw ############################################################################### ######################## FUNCTIONS SECTION #################################### ############################################################################### @@ -53,10 +50,6 @@ restore_config(){ check_result(){ if [ $1 -ne 0 ]; then echo "Failed at \"$2\", Abort" - if [ "$2" = "configure for ntru" ] || \ - [ "$2" = "make check with ntru" ]; then - restore_config - fi exit 1 else echo "Step Succeeded!" 
@@ -730,62 +723,19 @@ run_renewcerts(){ echo "---------------------------------------------------------------------" } -#function for copy and pasting ntru updates -move_ntru(){ - cp ntru-cert.pem certs/ntru-cert.pem || exit 1 - cp ntru-key.raw certs/ntru-key.raw || exit 1 - cp ntru-cert.der certs/ntru-cert.der || exit 1 -} - ############################################################################### ##################### THE EXECUTABLE BODY ##################################### ############################################################################### #start in root. cd ../ || exit 1 -#if HAVE_NTRU already defined && there is no argument -if grep HAVE_NTRU "wolfssl/options.h" && [ -z "$1" ] -then - #run the function to renew the certs - run_renewcerts - CURRDIR=${PWD##*/} - if [ "$CURRDIR" = "certs" ]; then - cd ../ || exit 1 - else - echo "We are not in the right directory! Abort." - exit 1 - fi - echo "changed directory to wolfssl root directory." - echo "" - - ############################################################ - ########## update ntru if already installed ################ - ############################################################ - - # We cannot assume that user has certgen and keygen enabled - CFLAG_TMP="-DWOLFSSL_STATIC_RSA" - export CFLAGS=${CFLAG_TMP} - ./configure --with-ntru --enable-certgen --enable-keygen - check_result $? "configure for ntru" - make check - check_result $? "make check with ntru" - export CFLAGS="" - - #copy/paste ntru-certs and key to certs/ - move_ntru - -#else if there was an argument given, check it for validity or print out error -elif [ ! -z "$1" ]; then - #valid argument then renew certs without ntru - if [ "$1" == "--override-ntru" ]; then - echo "overriding ntru, update all certs except ntru." - run_renewcerts +#if there was an argument given, check it for validity or print out error +if [ ! 
-z "$1" ]; then #valid argument print out other valid arguments - elif [ "$1" == "-h" ] || [ "$1" == "-help" ]; then + if [ "$1" == "-h" ] || [ "$1" == "-help" ]; then echo "" echo "\"no argument\" will attempt to update all certificates" - echo "--override-ntru updates all certificates except ntru" echo "-h or -help display this menu" echo "" echo "" @@ -797,7 +747,6 @@ elif [ ! -z "$1" ]; then echo "use -h or -help for a list of available options." echo "" fi -#else HAVE_NTRU not already defined else echo "Saving the configure state" echo "" 
@@ -809,63 +758,10 @@ else make clean check_result $? "make clean" - #attempt to define ntru by configuring with ntru - echo "Configuring with ntru, enabling certgen and keygen" - echo "" - CFLAG_TMP="-DWOLFSSL_STATIC_RSA" - export CFLAGS=${CFLAG_TMP} - ./configure --with-ntru --enable-certgen --enable-keygen - check_result $? "configure for ntru" - make check - check_result $? "make check with ntru" - export CFLAGS="" + # restore previous configure state + restore_config + check_result $? "restoring old configuration" - # check options.h a second time, if the user had - # ntru installed on their system and in the default - # path location, then it will now be defined, if the - # user does not have ntru on their system this will fail - # again and we will not update any certs until user installs - # ntru in the default location - - # if now defined - if grep HAVE_NTRU "wolfssl/options.h"; then - run_renewcerts - CURRDIR=${PWD##*/} - if [ "$CURRDIR" = "certs" ]; then - cd ../ || exit 1 - else - echo "We are not in the right directory! Abort." - exit 1 - fi - echo "changed directory to wolfssl root directory." - echo "" - - move_ntru - - echo "ntru-certs, and ntru-key.raw have been updated" - echo "" - - # restore previous configure state - restore_config - check_result $? "restoring old configuration" - else - - # restore previous configure state - restore_config - check_result $? "restoring old configuration" - - echo "" - echo "ntru is not installed at the default location," - echo "or ntru not installed, none of the certs were updated." - echo "" - echo "clone the ntru repository into your \"cd ~\" directory then," - echo "\"cd NTRUEncrypt\" and run \"make\" then \"make install\"" - echo "once complete run this script again to update all the certs." - echo "" - echo "To update all certs except ntru use \"./renewcerts.sh --override-ntru\"" - echo "" - - fi #END now defined fi #END already defined exit 0 
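Review bot: After this hunk the no-argument branch saves the configure state, runs `make clean` and restores the configuration, but no visible line calls `run_renewcerts` any more, so the script appears to exit 0 without renewing any certificate, even though its help text still says that no argument "will attempt to update all certificates". The only calls were in the NTRU-conditional blocks removed here and in the `-730,62` hunk; the five unchanged lines between the `-797,7` hunk and this one are not shown, so confirm this against the full file. If confirmed, add `run_renewcerts` followed by `cd ../ || exit 1` before `restore_config` (the removed code indicates the function leaves the shell in `certs/`), and drop the stale `#END already defined` comment on the closing `fi`. A silent no-op matters here because the test certificates would expire unnoticed while the script still reports success.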
diff --git a/cmake/functions.cmake b/cmake/functions.cmake index 2ce819b0f..2e96fcf50 100644 --- a/cmake/functions.cmake +++ b/cmake/functions.cmake @@ -195,7 +195,6 @@ function(generate_build_flags) endif() set(BUILD_USER_RSA ${WOLFSSL_USER_RSA} PARENT_SCOPE) set(BUILD_USER_CRYPTO ${WOLFSSL_USER_CRYPTO} PARENT_SCOPE) - set(BUILD_NTRU ${WOLFSSL_NTRU} PARENT_SCOPE) set(BUILD_WNR ${WOLFSSL_WNR} PARENT_SCOPE) if(WOLFSSL_SRP OR WOLFSSL_USER_SETTINGS) set(BUILD_SRP "yes" PARENT_SCOPE) diff --git a/configure.ac b/configure.ac index 363e23e65..b417a3b43 100644 --- a/configure.ac +++ b/configure.ac 
@@ -3623,66 +3623,6 @@ then AC_MSG_ERROR([cannot enable user crypto and fips, user crypto posibility of using code in fips boundary.]) fi - -# NTRU -ENABLED_NTRU="no" -tryntrudir="" -AC_ARG_WITH([ntru], - [AS_HELP_STRING([--with-ntru=PATH],[Path to NTRU install (default /usr/)])], - [ - AC_MSG_CHECKING([for NTRU]) - CPPFLAGS="$CPPFLAGS -DHAVE_NTRU -DHAVE_TLS_EXTENSIONS" - LIBS="$LIBS -lntruencrypt" - - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ ntru_crypto_drbg_instantiate(0, 0, 0, 0, 0); ]])], [ ntru_linked=yes ],[ ntru_linked=no ]) - - if test "x$ntru_linked" = "xno" ; then - if test "x$withval" != "xno" ; then - tryntrudir=$withval - fi - if test "x$withval" = "xyes" ; then - tryntrudir="/usr" - fi - - LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$tryntrudir/lib" - CPPFLAGS="$CPPFLAGS -I$tryntrudir/include" - - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ ntru_crypto_drbg_instantiate(0, 0, 0, 0, 0); ]])], [ ntru_linked=yes ],[ ntru_linked=no ]) - - if test "x$ntru_linked" = "xno" ; then - AC_MSG_ERROR([NTRU isn't found. - If it's already installed, specify its path using --with-ntru=/dir/]) - fi - AC_MSG_RESULT([yes]) - AM_LDFLAGS="$AM_LDFLAGS -L$tryntrudir/lib" - else - AC_MSG_RESULT([yes]) - fi - - AM_CFLAGS="$AM_CFLAGS -DHAVE_NTRU -DHAVE_TLS_EXTENSIONS -DWOLFSSL_STATIC_RSA" - ENABLED_NTRU="yes" - ] -) - - -# QSH -AC_ARG_ENABLE([qsh], - [AS_HELP_STRING([--enable-qsh],[Enable QSH (default: disabled)])], - [ ENABLED_QSH=$enableval ], - [ ENABLED_QSH=no ] - ) - -if test "x$ENABLED_QSH" = "xyes" -then - if test "x$ENABLED_NTRU" = "xno" - then - AC_MSG_ERROR([cannot enable qsh without NTRU]) - fi - - AM_CFLAGS="$AM_CFLAGS -DHAVE_QSH -DWOLFSSL_STATIC_DH -DWOLFSSL_STATIC_PSK" -fi - - # liboqs ENABLED_LIBOQS="no" tryliboqsdir="" 
@@ -6934,7 +6874,6 @@ AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USE AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"]) AM_CONDITIONAL([BUILD_USER_RSA],[test "x$ENABLED_USER_RSA" = "xyes"] ) AM_CONDITIONAL([BUILD_USER_CRYPTO],[test "x$ENABLED_USER_CRYPTO" = "xyes"]) -AM_CONDITIONAL([BUILD_NTRU],[test "x$ENABLED_NTRU" = "xyes"]) AM_CONDITIONAL([BUILD_LIBOQS],[test "x$ENABLED_LIBOQS" = "xyes"]) AM_CONDITIONAL([BUILD_WNR],[test "x$ENABLED_WNR" = "xyes"]) AM_CONDITIONAL([BUILD_SRP],[test "x$ENABLED_SRP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) @@ -7296,8 +7235,6 @@ echo " * Persistent session cache: $ENABLED_SAVESESSION" echo " * Persistent cert cache: $ENABLED_SAVECERT" echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER" echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS" -echo " * NTRU: $ENABLED_NTRU" -echo " * QSH: $ENABLED_QSH" echo " * liboqs: $ENABLED_LIBOQS" echo " * Whitewood netRandom: $ENABLED_WNR" echo " * Server Name Indication: $ENABLED_SNI" diff --git a/cyassl/ctaocrypt/asn_public.h b/cyassl/ctaocrypt/asn_public.h index b4dc6da66..824c560e8 100644 --- a/cyassl/ctaocrypt/asn_public.h +++ b/cyassl/ctaocrypt/asn_public.h @@ -55,10 +55,6 @@ #define SetAltNamesBuffer wc_SetAltNamesBuffer #define SetDatesBuffer wc_SetDatesBuffer - #ifdef HAVE_NTRU - #define MakeNtruCert wc_MakeNtruCert - #endif - #endif /* WOLFSSL_CERT_GEN */ #if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) diff --git a/cyassl/ctaocrypt/settings_comp.h b/cyassl/ctaocrypt/settings_comp.h index 8565e1aa2..4270a57e4 100644 --- a/cyassl/ctaocrypt/settings_comp.h +++ b/cyassl/ctaocrypt/settings_comp.h @@ -36,9 +36,6 @@ #endif /* have rsa and HAVE_FIPS */ /* Macro redefinitions for compatibility */ -#ifdef HAVE_NTRU - #define MakeNtruCert wc_MakeNtruCert -#endif #if defined(WOLFSSL_SHA512) && !defined(CYASSL_SHA512) #define CYASSL_SHA512 #endif 
diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 8599de128..f907cbdec 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -448,7 +448,6 @@ #define CyaSSL_CTX_use_certificate_file wolfSSL_CTX_use_certificate_file #define CyaSSL_CTX_use_PrivateKey_buffer wolfSSL_CTX_use_PrivateKey_buffer #define CyaSSL_CTX_use_certificate_buffer wolfSSL_CTX_use_certificate_buffer -#define CyaSSL_CTX_use_NTRUPrivateKey_file wolfSSL_CTX_use_NTRUPrivateKey_file #define CyaSSL_use_certificate_chain_buffer wolfSSL_use_certificate_chain_buffer #define CyaSSL_CTX_der_load_verify_locations \ wolfSSL_CTX_der_load_verify_locations diff --git a/doc/dox_comments/header_files/asn_public.h b/doc/dox_comments/header_files/asn_public.h index d118f9908..98885d0cd 100644 --- a/doc/dox_comments/header_files/asn_public.h +++ b/doc/dox_comments/header_files/asn_public.h @@ -237,8 +237,6 @@ WOLFSSL_API int wc_MakeSelfCert(Cert*, byte* derBuffer, word32 derSz, RsaKey*, expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU key - from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown @@ -297,8 +295,6 @@ WOLFSSL_API int wc_SetIssuer(Cert*, const char*); expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU key - from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown 
@@ -358,8 +354,6 @@ WOLFSSL_API int wc_SetSubject(Cert*, const char*); expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU key - from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown @@ -453,8 +447,6 @@ WOLFSSL_API int wc_GetSubjectRaw(byte **subjectRaw, Cert *cert); expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU key - from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown @@ -513,8 +505,6 @@ WOLFSSL_API int wc_SetAltNames(Cert*, const char*); expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU - key from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown @@ -579,8 +569,6 @@ WOLFSSL_API int wc_SetIssuerBuffer(Cert*, const byte*, int); expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU key - from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown 
@@ -644,8 +632,6 @@ WOLFSSL_API int wc_SetIssuerRaw(Cert* cert, const byte* der, int derSz); expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU key - from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown @@ -712,8 +698,6 @@ WOLFSSL_API int wc_SetSubjectBuffer(Cert*, const byte*, int); expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU key - from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown @@ -778,8 +762,6 @@ WOLFSSL_API int wc_SetAltNamesBuffer(Cert*, const byte*, int); expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU key - from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown @@ -943,7 +925,6 @@ WOLFSSL_API int wc_SetAuthKeyId(Cert *cert, const char* file); \endcode \sa wc_SetSubjectKeyId - \sa wc_SetSubjectKeyIdFromNtruPublicKey */ WOLFSSL_API int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey); 
@@ -974,44 +955,10 @@ WOLFSSL_API int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, } \endcode - \sa wc_SetSubjectKeyIdFromNtruPublicKey \sa wc_SetSubjectKeyIdFromPublicKey */ WOLFSSL_API int wc_SetSubjectKeyId(Cert *cert, const char* file); -/*! - \ingroup ASN - - \brief Set SKID from NTRU public key. - - \return 0 Success - \return BAD_FUNC_ARG Returned if cert or ntruKey is null. - \return MEMORY_E Returned if there is an error allocating memory. - \return PUBLIC_KEY_E Returned if there is an error getting the public key. - - \param cert Pointer to a Cert structure to be used. - \param ntruKey Pointer to the NTRU public key in a byte array. - \param ntruKeySz Size of the NTRU byte array. - - _Example_ - \code - Cert some_cert; - wc_InitCert(&some_cert); - byte some_ntru_key[] = { // Load an NTRU key }; - word32 ntru_size = sizeof(some_ntru_key); - - if(wc_SetSubjectKeyIdFromNtruPublicKey(&some_cert, - some_ntru_key, ntru_size) != 0) - { - // Handle error - } - \endcode - - \sa SetKeyIdFromPublicKey -*/ -WOLFSSL_API int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert, byte *ntruKey, - word16 ntruKeySz); - /*! \ingroup RSA 
@@ -1046,57 +993,6 @@ WOLFSSL_API int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert, byte *ntruKey, */ WOLFSSL_API int wc_SetKeyUsage(Cert *cert, const char *value); -/*! - \ingroup ASN - - \brief Used to make CA signed certs. Called after the subject information - has been entered. This function makes an NTRU Certificate from a cert - input. It then writes this cert to derBuffer. It takes in an ntruKey and - a rng to generate the certificate. The certificate must be initialized - with wc_InitCert before this method is called. - - \return Success On successfully making a NTRU certificate from the - specified input cert, returns the size of the cert generated. - \return MEMORY_E Returned if there is an error allocating memory - with XMALLOC - \return BUFFER_E Returned if the provided derBuffer is too small to - store the generated certificate - \return Other Additional error messages may be returned if the cert - generation is not successful. - - \param cert pointer to an initialized cert structure - \param derBuffer pointer to the buffer in which to store - the generated certificate - \param derSz size of the buffer in which to store the generated - certificate - \param ntruKey pointer to the key to be used to generate the NTRU - certificate - \param keySz size of the key used to generate the NTRU certificate - \param rng pointer to the random number generator used to generate - the NTRU certificate - - _Example_ - \code - Cert myCert; - // initialize myCert - WC_RNG rng; - //initialize rng; - byte ntruPublicKey[NTRU_KEY_SIZE]; - //initialize ntruPublicKey; - byte * derCert = malloc(FOURK_BUF); - - word32 certSz; - certSz = wc_MakeNtruCert(&myCert, derCert, FOURK_BUF, &ntruPublicKey, - NTRU_KEY_SIZE, &rng); - \endcode - - \sa wc_InitCert - \sa wc_MakeCert -*/ -WOLFSSL_API int wc_MakeNtruCert(Cert*, byte* derBuffer, word32 derSz, - const byte* ntruKey, word16 keySz, - WC_RNG*); - /*! \ingroup ASN 
diff --git a/doc/dox_comments/header_files/pkcs7.h b/doc/dox_comments/header_files/pkcs7.h index d68598724..e7bbe8e87 100644 --- a/doc/dox_comments/header_files/pkcs7.h +++ b/doc/dox_comments/header_files/pkcs7.h @@ -19,8 +19,6 @@ expiration date \return ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate - \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU - key from the certificate \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown diff --git a/doc/dox_comments/header_files/ssl.h b/doc/dox_comments/header_files/ssl.h index ef87249cb..d49fba1d5 100644 --- a/doc/dox_comments/header_files/ssl.h +++ b/doc/dox_comments/header_files/ssl.h @@ -948,7 +948,6 @@ WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int); \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_file \sa wolfSSL_CTX_use_PrivateKey_file - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_file \sa wolfSSL_use_certificate_file \sa wolfSSL_use_PrivateKey_file @@ -1014,7 +1013,6 @@ WOLFSSL_API int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*, \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_file \sa wolfSSL_CTX_use_PrivateKey_file - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_file \sa wolfSSL_use_certificate_file \sa wolfSSL_use_PrivateKey_file @@ -1064,7 +1062,6 @@ WOLFSSL_API int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX*, const char*, \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_file \sa wolfSSL_CTX_use_PrivateKey_file - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_file \sa wolfSSL_CTX_trust_peer_buffer \sa wolfSSL_CTX_Unload_trust_peers 
@@ -1436,52 +1433,6 @@ WOLFSSL_API int wolfSSL_use_RSAPrivateKey_file(WOLFSSL*, const char*, int); WOLFSSL_API int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX*, const char*, int); -/*! - \ingroup CertsKeys - - \brief This function loads an NTRU private key file into the WOLFSSL - Context. It behaves like the normal version, only differing in its - ability to accept an NTRU raw key file. This function is needed since - the format of the file is different than the normal key file (buffer) - functions. Please see the examples for proper usage. - - \return SSL_SUCCES upon success. - \return SSL_BAD_FILE will be returned if the file doesn’t exist, can’t - be read, or is corrupted. - \return MEMORY_E will be returned if an out of memory condition occurs. - \return ASN_INPUT_E will be returned if Base16 decoding fails on the file. - \return BUFFER_E will be returned if a chain buffer is bigger than the - receiving buffer. - \return NO_PASSWORD will be returned if the key file is encrypted but - no password is provided. - - \param ctx a pointer to a WOLFSSL_CTX structure, created using - wolfSSL_CTX_new() - \param file a pointer to the name of the file containing the NTRU - private key to be loaded into the wolfSSL SSL context. - - _Example_ - \code - int ret = 0; - WOLFSSL_CTX* ctx; - ... - ret = wolfSSL_CTX_use_NTRUPrivateKey_file(ctx, “./ntru-key.raw”); - if (ret != SSL_SUCCESS) { - // error loading NTRU private key - } - ... - \endcode - - \sa wolfSSL_CTX_load_verify_buffer - \sa wolfSSL_CTX_use_certificate_buffer - \sa wolfSSL_CTX_use_PrivateKey_buffer - \sa wolfSSL_CTX_use_certificate_chain_buffer - \sa wolfSSL_use_certificate_buffer - \sa wolfSSL_use_PrivateKey_buffer - \sa wolfSSL_use_certificate_chain_buffer -*/ -WOLFSSL_API int wolfSSL_CTX_use_NTRUPrivateKey_file(WOLFSSL_CTX*, const char*); - /*! \ingroup Setup 
@@ -7212,7 +7163,6 @@ WOLFSSL_API int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX*); \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_file \sa wolfSSL_CTX_use_PrivateKey_file - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_file \sa wolfSSL_CTX_trust_peer_cert \sa wolfSSL_CTX_Unload_trust_peers @@ -7267,7 +7217,6 @@ WOLFSSL_API int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX*, \sa wolfSSL_CTX_load_verify_locations \sa wolfSSL_CTX_use_certificate_buffer \sa wolfSSL_CTX_use_PrivateKey_buffer - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_buffer \sa wolfSSL_use_certificate_buffer \sa wolfSSL_use_PrivateKey_buffer @@ -7328,7 +7277,6 @@ WOLFSSL_API int wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX*, \sa wolfSSL_CTX_load_verify_locations \sa wolfSSL_CTX_use_certificate_buffer \sa wolfSSL_CTX_use_PrivateKey_buffer - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_buffer \sa wolfSSL_use_certificate_buffer \sa wolfSSL_use_PrivateKey_buffer @@ -7383,7 +7331,6 @@ WOLFSSL_API int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX*, \sa wolfSSL_CTX_load_verify_locations \sa wolfSSL_CTX_use_certificate_buffer \sa wolfSSL_CTX_use_PrivateKey_buffer - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_buffer \sa wolfSSL_use_certificate_buffer \sa wolfSSL_use_PrivateKey_buffer @@ -7431,7 +7378,6 @@ WOLFSSL_API int wolfSSL_CTX_load_verify_chain_buffer_format(WOLFSSL_CTX*, \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_PrivateKey_buffer - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_buffer \sa wolfSSL_use_certificate_buffer \sa wolfSSL_use_PrivateKey_buffer 
@@ -7481,7 +7427,6 @@ WOLFSSL_API int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX*, \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_buffer - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_buffer \sa wolfSSL_use_certificate_buffer \sa wolfSSL_use_PrivateKey_buffer @@ -7531,7 +7476,6 @@ WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX*, \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_buffer \sa wolfSSL_CTX_use_PrivateKey_buffer - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_use_certificate_buffer \sa wolfSSL_use_PrivateKey_buffer \sa wolfSSL_use_certificate_chain_buffer @@ -7579,7 +7523,6 @@ WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX*, \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_buffer \sa wolfSSL_CTX_use_PrivateKey_buffer - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_buffer \sa wolfSSL_use_PrivateKey_buffer \sa wolfSSL_use_certificate_chain_buffer @@ -7629,7 +7572,6 @@ WOLFSSL_API int wolfSSL_use_certificate_buffer(WOLFSSL*, const unsigned char*, \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_buffer \sa wolfSSL_CTX_use_PrivateKey_buffer - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_buffer \sa wolfSSL_use_certificate_buffer \sa wolfSSL_use_certificate_chain_buffer @@ -7676,7 +7618,6 @@ WOLFSSL_API int wolfSSL_use_PrivateKey_buffer(WOLFSSL*, const unsigned char*, \sa wolfSSL_CTX_load_verify_buffer \sa wolfSSL_CTX_use_certificate_buffer \sa wolfSSL_CTX_use_PrivateKey_buffer - \sa wolfSSL_CTX_use_NTRUPrivateKey_file \sa wolfSSL_CTX_use_certificate_chain_buffer \sa wolfSSL_use_certificate_buffer \sa wolfSSL_use_PrivateKey_buffer 
@@ -11336,99 +11277,6 @@ WOLFSSL_API int wolfSSL_CTX_set_TicketEncCtx(WOLFSSL_CTX* ctx, void*); */ WOLFSSL_API void* wolfSSL_CTX_get_TicketEncCtx(WOLFSSL_CTX* ctx); -/*! - \ingroup IO - - \brief Checks if QSH is used in the supplied SSL session. - - \return 0 Not used - \return 1 Is used - - \param ssl Pointer to the SSL session to check. - - _Example_ - \code - wolfSSL_Init(); - WOLFSSL_CTX* ctx; - WOLFSSL* ssl; - WOLFSSL_METHOD method = // Some wolfSSL method - ctx = wolfSSL_CTX_new(method); - ssl = wolfSSL_new(ctx); - - if(wolfSSL_isQSH(ssl) == 1) - { - // SSL is using QSH. - } - \endcode - - \sa wolfSSL_UseSupportedQSH -*/ -WOLFSSL_API int wolfSSL_isQSH(WOLFSSL* ssl); - -/*! - \ingroup Setup - - \brief This function sets the ssl session to use supported QSH provided by - name. - - \return SSL_SUCCESS Successfully set supported QSH. - \return BAD_FUNC_ARG ssl is null or name is invalid. - \return MEMORY_E Error allocating memory for operation. - - \param ssl Pointer to ssl session to use. - \param name Name of a supported QSH. Valid names are WOLFSSL_NTRU_EESS439, - WOLFSSL_NTRU_EESS593, or WOLFSSL_NTRU_EESS743. - - _Example_ - \code - wolfSSL_Init(); - WOLFSSL_CTX* ctx; - WOLFSSL* ssl; - WOLFSSL_METHOD method = // Some wolfSSL method ; - ctx = wolfSSL_CTX_new(method); - ssl = wolfSSL_new(ctx); - - word16 qsh_name = WOLFSSL_NTRU_EESS439; - - if(wolfSSL_UseSupportedQSH(ssl,qsh_name) != SSL_SUCCESS) - { - // Error setting QSH - } - \endcode - - \sa TLSX_UseQSHScheme -*/ -WOLFSSL_API int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, unsigned short name); - -/*! - \ingroup CertsKeys - - \brief If the flag is 1 keys will be sent in hello. If flag is 0 then the - keys will not be sent during hello. - - \return 0 on success. - \return BAD_FUNC_ARG if the WOLFSSL structure is NULL. - - \param ssl a pointer to a WOLFSSL structure, created using wolfSSL_new(). - \param flag an unsigned char input to determine if the keys will be sent - during hello. 
- - _Example_ - \code - WOLFSSL* ssl; - unsigned char flag = 1; // send keys - ... - if(!wolfSSL_UseClientQSHKeys(ssl, flag)){ - // The keys will be sent during hello. - } - \endcode - - \sa wolfSSL_UseALPN - \sa wolfSSL_UseSupportedQSH - \sa wolfSSL_isQSH -*/ -WOLFSSL_API int wolfSSL_UseClientQSHKeys(WOLFSSL* ssl, unsigned char flag); - /*! \brief This function sets the handshake done callback. The hsDoneCb and hsDoneCtx members of the WOLFSSL structure are set in this function. diff --git a/examples/client/client-ntru.vcproj b/examples/client/client-ntru.vcproj deleted file mode 100755 index b3eccc06a..000000000 --- a/examples/client/client-ntru.vcproj +++ /dev/null @@ -1,199 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/examples/client/client.c b/examples/client/client.c index 01cad65a8..0e9cc54d6 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -2589,11 +2589,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) done += 1; #endif - #if defined(HAVE_QSH) - /*currently google server rejects client hello with QSH extension.*/ - done += 1; - #endif - /* For the external test, if we disable AES, GoDaddy will reject the * connection. They only currently support AES suites, RC4 and 3DES * suites. With AES disabled we only offer PolyChacha suites. */ diff --git a/examples/client/include.am b/examples/client/include.am index e44831b82..a4fb59a11 100644 --- a/examples/client/include.am +++ b/examples/client/include.am @@ -10,7 +10,6 @@ examples_client_client_DEPENDENCIES = src/libwolfssl.la examples_client_client_CFLAGS = $(WOLFSENTRY_INCLUDE) $(AM_CFLAGS) endif EXTRA_DIST += examples/client/client.sln -EXTRA_DIST += examples/client/client-ntru.vcproj EXTRA_DIST += examples/client/client.vcproj EXTRA_DIST += examples/client/client.vcxproj 
diff --git a/examples/echoclient/echoclient-ntru.vcproj b/examples/echoclient/echoclient-ntru.vcproj deleted file mode 100755 index 9a4ebb661..000000000 --- a/examples/echoclient/echoclient-ntru.vcproj +++ /dev/null @@ -1,199 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/examples/echoclient/include.am b/examples/echoclient/include.am index 7f0bc47d1..aab6312e3 100644 --- a/examples/echoclient/include.am +++ b/examples/echoclient/include.am @@ -11,7 +11,6 @@ examples_echoclient_echoclient_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD examples_echoclient_echoclient_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += examples/echoclient/echoclient.sln -EXTRA_DIST += examples/echoclient/echoclient-ntru.vcproj EXTRA_DIST += examples/echoclient/echoclient.vcproj EXTRA_DIST += examples/echoclient/echoclient.vcxproj diff --git a/examples/echoserver/echoserver-ntru.vcproj b/examples/echoserver/echoserver-ntru.vcproj deleted file mode 100755 index 924fdd849..000000000 --- a/examples/echoserver/echoserver-ntru.vcproj +++ /dev/null @@ -1,199 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index fc36a26be..a133a7e78 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -147,8 +147,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) #if defined(CYASSL_DTLS) method = CyaDTLSv1_2_server_method(); #elif !defined(NO_TLS) - #if (defined(WOLFSSL_TLS13) && defined(WOLFSSL_SNIFFER)) || \ - defined(HAVE_NTRU) + #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SNIFFER) method = CyaTLSv1_2_server_method(); #else method = CyaSSLv23_server_method(); 
@@ -174,18 +173,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) #ifndef NO_FILESYSTEM if (doPSK == 0) { - #if defined(HAVE_NTRU) && defined(WOLFSSL_STATIC_RSA) - /* ntru */ - if (CyaSSL_CTX_use_certificate_file(ctx, ntruCertFile, WOLFSSL_FILETYPE_PEM) - != WOLFSSL_SUCCESS) - err_sys("can't load ntru cert file, " - "Please run from wolfSSL home dir"); - - if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ntruKeyFile) - != WOLFSSL_SUCCESS) - err_sys("can't load ntru key file, " - "Please run from wolfSSL home dir"); - #elif defined(HAVE_ECC) && !defined(CYASSL_SNIFFER) + #if defined(HAVE_ECC) && !defined(CYASSL_SNIFFER) /* ecc */ if (CyaSSL_CTX_use_certificate_file(ctx, eccCertFile, WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) diff --git a/examples/echoserver/include.am b/examples/echoserver/include.am index 516c40441..7b754b25c 100644 --- a/examples/echoserver/include.am +++ b/examples/echoserver/include.am @@ -11,7 +11,6 @@ examples_echoserver_echoserver_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD examples_echoserver_echoserver_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += examples/echoserver/echoserver.sln -EXTRA_DIST += examples/echoserver/echoserver-ntru.vcproj EXTRA_DIST += examples/echoserver/echoserver.vcproj EXTRA_DIST += examples/echoserver/echoserver.vcxproj diff --git a/examples/server/include.am b/examples/server/include.am index 9f6fdd8d9..b7676016b 100644 --- a/examples/server/include.am +++ b/examples/server/include.am @@ -12,7 +12,6 @@ examples_server_server_DEPENDENCIES = src/libwolfssl.la examples_server_server_CFLAGS = $(WOLFSENTRY_INCLUDE) $(AM_CFLAGS) endif EXTRA_DIST += examples/server/server.sln -EXTRA_DIST += examples/server/server-ntru.vcproj EXTRA_DIST += examples/server/server.vcproj EXTRA_DIST += examples/server/server.vcxproj diff --git a/examples/server/server-ntru.vcproj b/examples/server/server-ntru.vcproj deleted file mode 100755 index 8e45e1686..000000000 --- a/examples/server/server-ntru.vcproj +++ /dev/null 
@@ -1,199 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/examples/server/server.c b/examples/server/server.c index 3bd37116e..2e4d5e577 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -859,9 +859,6 @@ static const char* server_usage_msg[][60] = { "-x Print server errors but do not close connection\n",/* 27 */ "-i Loop indefinitely (allow repeated connections)\n", /* 28 */ "-e Echo data mode (return raw bytes received)\n", /* 29 */ -#ifdef HAVE_NTRU - "-n Use NTRU key (needed for NTRU suites)\n", /* 30 */ -#endif "-B Benchmark throughput" " using bytes and print stats\n", /* 31 */ #ifdef HAVE_CRL @@ -1026,9 +1023,6 @@ static const char* server_usage_msg[][60] = { "-i 無期限にループする(繰り返し接続を許可)\n", /* 28 */ "-e エコー・データモード" "(受け取ったバイトデータを返す)\n", /* 29 */ -#ifdef HAVE_NTRU - "-n NTRU鍵を使用する(NTRUスイートに必要)\n", /* 30 */ -#endif "-B バイトを用いてのベンチマーク・スループット" "測定と結果を出力する\n", /* 31 */ #ifdef HAVE_CRL @@ -1190,9 +1184,6 @@ static void Usage(void) printf("%s", msg[++msgId]); /* -x */ printf("%s", msg[++msgId]); /* -i */ printf("%s", msg[++msgId]); /* -e */ -#ifdef HAVE_NTRU - printf("%s", msg[++msgId]); /* -n */ -#endif printf("%s", msg[++msgId]); /* -B */ #ifdef HAVE_CRL printf("%s", msg[++msgId]); /* -V */ @@ -1335,7 +1326,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) WOLFSSL_TEST_DTLS_CTX dtlsCtx; #endif int needDH = 0; - int useNtruKey = 0; int nonBlocking = 0; int simulateWantWrite = 0; int fewerPackets = 0; @@ -1492,7 +1482,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) (void)ourCert; (void)ourDhParam; (void)verifyCert; - (void)useNtruKey; (void)doCliCertCheck; (void)minDhKeyBits; (void)minRsaKeyBits; 
@@ -1525,7 +1514,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) /* Not Used: h, z, W, X, 7 */ while ((ch = mygetopt_long(argc, argv, "?:" - "abc:defgijk:l:mnop:q:rstu;v:wxy" + "abc:defgijk:l:mop:q:rstu;v:wxy" "A:B:C:D:E:FGH:IJKL:MNO:PQR:S:T;UVYZ:" "01:23:4:5689" "@#", long_options, 0)) != -1) { @@ -1576,10 +1565,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) usePskPlus = 1; break; - case 'n' : - useNtruKey = 1; - break; - case 'u' : doDTLS = 1; dtlsUDP = 1; @@ -2330,19 +2315,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } #endif -#ifdef HAVE_NTRU - if (useNtruKey) { - if (wolfSSL_CTX_use_NTRUPrivateKey_file(ctx, ourKey) - != WOLFSSL_SUCCESS) - err_sys_ex(catastrophic, "can't load ntru key file, " - "Please run from wolfSSL home dir"); - } -#endif #if !defined(NO_CERTS) #ifdef HAVE_PK_CALLBACKS pkCbInfo.ourKey = ourKey; #endif - if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon + if ((!usePsk || usePskPlus) && !useAnon && !(loadCertKeyIntoSSLObj == 1) #if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PRIVKEY) && !pkCallbacks @@ -2613,7 +2590,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif } - if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon && + if ((!usePsk || usePskPlus) && !useAnon && loadCertKeyIntoSSLObj #if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PRIVKEY) && !pkCallbacks @@ -3298,7 +3275,6 @@ exit: (void) ourKey; (void) verifyCert; (void) doCliCertCheck; - (void) useNtruKey; (void) ourDhParam; (void) ourCert; (void) useX25519; diff --git a/linuxkm/module_exports.c.template b/linuxkm/module_exports.c.template index aaa2f536a..677f1cb70 100644 --- a/linuxkm/module_exports.c.template +++ b/linuxkm/module_exports.c.template @@ -158,10 +158,6 @@ #include -#ifdef HAVE_NTRU - #include "libntruencrypt/ntru_crypto.h" -#endif - #include #include #include diff --git a/src/internal.c b/src/internal.c index 5e9b43e83..f8adda15f 100644 --- a/src/internal.c +++ b/src/internal.c 
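Review bot: The context comment `/* Not Used: h, z, W, X, 7 */` directly above the option string in server_test is stale now that this hunk drops `n` from `"abc:defgijk:l:mop:q:rstu;v:wxy"`. It should read `/* Not Used: h, n, z, W, X, 7 */` so the next person adding a flag can see the letter is free. With the `case 'n'` arm removed in the following hunk, `-n` presumably falls through to whatever the switch does for unrecognised options, which is outside these hunks, so any test scripts that still pass `-n` are worth checking. server_test starts and ends outside the hunk.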
@@ -96,9 +96,6 @@ #include "zlib.h" #endif -#ifdef HAVE_NTRU - #include "libntruencrypt/ntru_crypto.h" -#endif #ifdef WOLFSSL_QNX_CAAM /* included to get CAAM devId value */ #include @@ -223,10 +220,6 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, #endif /* !WOLFSSL_NO_TLS12 */ -#ifdef HAVE_QSH - int QSH_Init(WOLFSSL* ssl); -#endif - #ifdef WOLFSSL_RENESAS_TSIP_TLS int tsip_useable(const WOLFSSL *ssl); int tsip_generatePremasterSecret(); 
@@ -505,122 +498,6 @@ static WC_INLINE int IsDtlsNotSctpMode(WOLFSSL* ssl) } #endif /* DTLS || !WOLFSSL_NO_TLS12 */ - -#ifdef HAVE_QSH -/* free all structs that where used with QSH */ -static int QSH_FreeAll(WOLFSSL* ssl) -{ - QSHKey* key = ssl->QSH_Key; - QSHKey* preKey = NULL; - QSHSecret* secret = ssl->QSH_secret; - QSHScheme* list = NULL; - QSHScheme* preList = NULL; - - /* free elements in struct */ - while (key) { - preKey = key; - if (key->pri.buffer) { - ForceZero(key->pri.buffer, key->pri.length); - XFREE(key->pri.buffer, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); - } - if (key->pub.buffer) - XFREE(key->pub.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - key = (QSHKey*)key->next; - - /* free struct */ - XFREE(preKey, ssl->heap, DYNAMIC_TYPE_QSH); - } - - - /* free all of peers QSH keys */ - key = ssl->peerQSHKey; - while (key) { - preKey = key; - if (key->pri.buffer) { - ForceZero(key->pri.buffer, key->pri.length); - XFREE(key->pri.buffer, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); - } - if (key->pub.buffer) - XFREE(key->pub.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - key = (QSHKey*)key->next; - - /* free struct */ - XFREE(preKey, ssl->heap, DYNAMIC_TYPE_QSH); - } - key = NULL; - - /* free secret information */ - if (secret) { - /* free up the QSHScheme list in QSHSecret */ - if (secret->list) - list = secret->list; - while (list) { - preList = list; - if (list->PK) - XFREE(list->PK, ssl->heap, DYNAMIC_TYPE_SECRET); - list = (QSHScheme*)list->next; - XFREE(preList, ssl->heap, DYNAMIC_TYPE_QSH); - } - - /* free secret buffers */ - if (secret->SerSi) { - if (secret->SerSi->buffer) { - /* clear extra secret material that supplemented Master Secret*/ - ForceZero(secret->SerSi->buffer, secret->SerSi->length); - XFREE(secret->SerSi->buffer, ssl->heap, DYNAMIC_TYPE_SECRET); - } - XFREE(secret->SerSi, ssl->heap, DYNAMIC_TYPE_SECRET); - } - if (secret->CliSi) { - if (secret->CliSi->buffer) { - /* clear extra secret material that supplemented Master Secret*/ - 
ForceZero(secret->CliSi->buffer, secret->CliSi->length); - XFREE(secret->CliSi->buffer, ssl->heap, DYNAMIC_TYPE_SECRET); - } - XFREE(secret->CliSi, ssl->heap, DYNAMIC_TYPE_SECRET); - } - } - XFREE(secret, ssl->heap, DYNAMIC_TYPE_QSH); - secret = NULL; - - return 0; -} -#endif - - -#ifdef HAVE_NTRU -static WOLFSSL_GLOBAL WC_RNG* rng; -static WOLFSSL_GLOBAL wolfSSL_Mutex* rngMutex; - -static word32 GetEntropy(unsigned char* out, word32 num_bytes) -{ - int ret = 0; - - if (rng == NULL) { - if ((rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), 0, - DYNAMIC_TYPE_RNG)) == NULL) - return DRBG_OUT_OF_MEMORY; - wc_InitRng(rng); - } - - if (rngMutex == NULL) { - if ((rngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), 0, - DYNAMIC_TYPE_MUTEX)) == NULL) - return DRBG_OUT_OF_MEMORY; - wc_InitMutex(rngMutex); - } - - ret |= wc_LockMutex(rngMutex); - ret |= wc_RNG_GenerateBlock(rng, out, num_bytes); - ret |= wc_UnLockMutex(rngMutex); - - if (ret != 0) - return DRBG_ENTROPY_FAIL; - - return DRBG_OK; -} -#endif /* HAVE_NTRU */ - #ifdef HAVE_LIBZ /* alloc user allocs to work with zlib */ @@ -1151,8 +1028,8 @@ static int dtls_export_new(WOLFSSL* ssl, byte* exp, word32 len, byte ver) exp[idx++] = options->haveRSA; exp[idx++] = options->haveECC; exp[idx++] = options->haveDH; - exp[idx++] = options->haveNTRU; - exp[idx++] = options->haveQSH; + exp[idx++] = 0; /* Historical: haveNTRU */ + exp[idx++] = 0; /* Historical: haveQSH */ exp[idx++] = options->haveECDSAsig; exp[idx++] = options->haveStaticECC; exp[idx++] = options->havePeerVerify; @@ -1318,8 +1195,8 @@ static int dtls_export_load(WOLFSSL* ssl, const byte* exp, word32 len, byte ver) options->haveRSA = exp[idx++]; options->haveECC = exp[idx++]; options->haveDH = exp[idx++]; - options->haveNTRU = exp[idx++]; - options->haveQSH = exp[idx++]; + idx++; /* Historical: haveNTRU */ + idx++; /* Historical: haveQSH */ options->haveECDSAsig = exp[idx++]; options->haveStaticECC = exp[idx++]; options->havePeerVerify = exp[idx++]; 
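Review bot: In dtls_export_load the two historical bytes are skipped with a bare `idx++;`, so a serialized session from an older build that had haveNTRU or haveQSH set is accepted and the flags are silently dropped. This build can no longer honour either option, so it would be safer to read each byte and refuse the import when it is non-zero, e.g. `if (exp[idx++] != 0) { /* reject: NTRU/QSH state no longer supported */ }`, using whatever error path the function already has (not visible in this hunk). At minimum, the comments in both dtls_export_new and dtls_export_load could say the slot is reserved, e.g. `/* reserved (was haveNTRU); always 0, kept for format compatibility */`. Both functions start and end outside their hunks.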
@@ -1864,12 +1741,6 @@ int InitSSL_Side(WOLFSSL* ssl, word16 side) ssl->options.side = side; /* reset options that are side specific */ -#ifdef HAVE_NTRU - if (ssl->options.side == WOLFSSL_CLIENT_END) { - ssl->options.haveNTRU = 1; /* always on client side */ - /* server can turn on by loading key */ - } -#endif #ifdef HAVE_ECC if (ssl->options.side == WOLFSSL_CLIENT_END) { ssl->options.haveECDSAsig = 1; /* always on client side */ @@ -1999,11 +1870,6 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) ctx->CBIOSend = GNRC_SendTo; #endif -#ifdef HAVE_NTRU - if (method->side == WOLFSSL_CLIENT_END) - ctx->haveNTRU = 1; /* always on client side */ - /* server can turn on by loading key */ -#endif #ifdef HAVE_ECC if (method->side == WOLFSSL_CLIENT_END) { ctx->haveECDSAsig = 1; /* always on client side */ @@ -2625,9 +2491,9 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, } void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, - word16 havePSK, word16 haveDH, word16 haveNTRU, - word16 haveECDSAsig, word16 haveECC, - word16 haveStaticECC, word16 haveAnon, int side) + word16 havePSK, word16 haveDH, word16 haveECDSAsig, + word16 haveECC, word16 haveStaticECC, word16 haveAnon, + int side) { word16 idx = 0; int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR; @@ -2643,7 +2509,6 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, (void)dtls; (void)haveDH; (void)havePSK; - (void)haveNTRU; (void)haveStaticECC; (void)haveECC; (void)side; 
@@ -2742,41 +2607,6 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, } #endif -#ifdef BUILD_TLS_QSH - if (tls) { - suites->suites[idx++] = QSH_BYTE; - suites->suites[idx++] = TLS_QSH; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - if (tls && haveNTRU && haveRSA) { - suites->suites[idx++] = CIPHER_BYTE; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_256_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - if (tls && haveNTRU && haveRSA) { - suites->suites[idx++] = CIPHER_BYTE; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_AES_128_CBC_SHA; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - if (!dtls && tls && haveNTRU && haveRSA) { - suites->suites[idx++] = CIPHER_BYTE; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_RC4_128_SHA; - } -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveNTRU && haveRSA) { - suites->suites[idx++] = CIPHER_BYTE; - suites->suites[idx++] = TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA; - } -#endif - #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; 
@@ -5562,17 +5392,15 @@ int InitSSL_Suites(WOLFSSL* ssl) keySz = ssl->buffers.keySz; #endif - /* make sure server has DH parms, and add PSK if there, add NTRU too */ + /* make sure server has DH parms, and add PSK if there */ if (ssl->options.side == WOLFSSL_SERVER_END) { InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.haveAnon, - ssl->options.side); + ssl->options.haveDH, ssl->options.haveECDSAsig, + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.haveAnon, ssl->options.side); } else { - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - TRUE, ssl->options.haveNTRU, + InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, TRUE, ssl->options.haveECDSAsig, ssl->options.haveECC, ssl->options.haveStaticECC, ssl->options.haveAnon, ssl->options.side); @@ -5758,7 +5586,6 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->options.minDowngrade = ctx->minDowngrade; ssl->options.haveDH = ctx->haveDH; - ssl->options.haveNTRU = ctx->haveNTRU; ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveECC = ctx->haveECC; ssl->options.haveStaticECC = ctx->haveStaticECC; @@ -7249,10 +7076,6 @@ void FreeHandshakeResources(WOLFSSL* ssl) } #endif /* HAVE_PK_CALLBACKS */ -#ifdef HAVE_QSH - QSH_FreeAll(ssl); -#endif - #ifdef HAVE_SESSION_TICKET if (ssl->session.isDynamic) { XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); @@ -9445,7 +9268,6 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) REQUIRES_ECC, REQUIRES_ECC_STATIC, REQUIRES_PSK, - REQUIRES_NTRU, REQUIRES_RSA_SIG, REQUIRES_AEAD }; 
@@ -9841,13 +9663,6 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; break; - #ifdef HAVE_NTRU - case TLS_NTRU_RSA_WITH_RC4_128_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - #endif /* HAVE_NTRU */ - case TLS_RSA_WITH_AES_128_CBC_SHA : if (requirement == REQUIRES_RSA) return 1; @@ -9858,25 +9673,11 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; break; - #ifdef HAVE_NTRU - case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - #endif /* HAVE_NTRU */ - case TLS_RSA_WITH_AES_256_CBC_SHA : if (requirement == REQUIRES_RSA) return 1; break; - #ifdef HAVE_NTRU - case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - #endif /* HAVE_NTRU */ - case TLS_RSA_WITH_AES_256_CBC_SHA256 : if (requirement == REQUIRES_RSA) return 1; @@ -9889,13 +9690,6 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; break; - #ifdef HAVE_NTRU - case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : - if (requirement == REQUIRES_NTRU) - return 1; - break; - #endif /* HAVE_NTRU */ - #ifdef HAVE_IDEA case SSL_RSA_WITH_IDEA_CBC_SHA : if (requirement == REQUIRES_RSA) @@ -12580,22 +12374,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, break; } #endif /* NO_RSA */ - #ifdef HAVE_NTRU - case NTRUk: - { - if (args->dCert->pubKeySize > sizeof(ssl->peerNtruKey)) { - ret = PEER_KEY_ERROR; - } - else { - XMEMCPY(ssl->peerNtruKey, args->dCert->publicKey, - args->dCert->pubKeySize); - ssl->peerNtruKeyLen = - (word16)args->dCert->pubKeySize; - ssl->peerNtruKeyPresent = 1; - } - break; - } - #endif /* HAVE_NTRU */ #ifdef HAVE_ECC case ECDSAk: { 
@@ -13474,7 +13252,6 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) #endif if (ssl->specs.static_ecdh == 1 || ssl->specs.kea == rsa_kea || - ssl->specs.kea == ntru_kea || pskNoServerHint) { WOLFSSL_MSG("No KeyExchange required"); } else { @@ -19825,18 +19602,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case PSK_KEY_ERROR: return "psk key callback error"; - case NTRU_KEY_ERROR: - return "NTRU key error"; - - case NTRU_DRBG_ERROR: - return "NTRU drbg error"; - - case NTRU_ENCRYPT_ERROR: - return "NTRU encrypt error"; - - case NTRU_DECRYPT_ERROR: - return "NTRU decrypt error"; - case GETTIME_ERROR: return "gettimeofday() error"; @@ -20416,22 +20181,6 @@ static const CipherSuiteInfo cipher_names[] = SUITE_INFO("RABBIT-SHA","TLS_RSA_WITH_RABBIT_SHA",CIPHER_BYTE,TLS_RSA_WITH_RABBIT_SHA,TLSv1_MINOR,SSLv3_MAJOR), #endif -#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - SUITE_INFO("NTRU-RC4-SHA","TLS_NTRU_RSA_WITH_RC4_128_SHA",CIPHER_BYTE,TLS_NTRU_RSA_WITH_RC4_128_SHA, TLSv1_MINOR, SSLv3_MAJOR), -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - SUITE_INFO("NTRU-DES-CBC3-SHA","TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA",CIPHER_BYTE,TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR), -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - SUITE_INFO("NTRU-AES128-SHA","TLS_NTRU_RSA_WITH_AES_128_CBC_SHA",CIPHER_BYTE,TLS_NTRU_RSA_WITH_AES_128_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR), -#endif - -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - SUITE_INFO("NTRU-AES256-SHA","TLS_NTRU_RSA_WITH_AES_256_CBC_SHA",CIPHER_BYTE,TLS_NTRU_RSA_WITH_AES_256_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR), -#endif - #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 SUITE_INFO("AES128-CCM-8","TLS_RSA_WITH_AES_128_CCM_8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR), SUITE_ALIAS("AES128-CCM8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR) 
@@ -20680,10 +20429,6 @@ static const CipherSuiteInfo cipher_names[] = SUITE_INFO("ADH-AES256-GCM-SHA384","TLS_DH_anon_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR), #endif -#ifdef BUILD_TLS_QSH - SUITE_INFO("QSH","TLS_QSH",QSH_BYTE,TLS_QSH, TLSv1_MINOR, SSLv3_MAJOR), -#endif - #ifdef HAVE_RENEGOTIATION_INDICATION SUITE_INFO("RENEGOTIATION-INFO","TLS_EMPTY_RENEGOTIATION_INFO_SCSV",CIPHER_BYTE,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSLv3_MINOR,SSLv3_MAJOR), #endif @@ -20826,11 +20571,6 @@ const char* GetCipherKeaStr(char n[][MAX_SEGMENT_SZ]) { n3 = n[3]; n4 = n[4]; -#ifdef HAVE_NTRU - if (XSTRNCMP(n0,"NTRU",4) == 0) - return "NTRU"; -#endif - if (XSTRNCMP(n0,"ECDHE",5) == 0 && XSTRNCMP(n1,"PSK",3) == 0) keaStr = "ECDHEPSK"; else if (XSTRNCMP(n0,"ECDH",4) == 0) @@ -20866,11 +20606,6 @@ const char* GetCipherAuthStr(char n[][MAX_SEGMENT_SZ]) { n1 = n[1]; n2 = n[2]; -#ifdef HAVE_NTRU - if (XSTRNCMP(n0,"NTRU",4) == 0) - return "NTRU"; -#endif - if ((XSTRNCMP(n0,"AES128",6) == 0) || (XSTRNCMP(n0,"AES256",6) == 0) || ((XSTRNCMP(n0,"TLS13",5) == 0) && ((XSTRNCMP(n1,"AES128",6) == 0) || (XSTRNCMP(n1,"AES256",6) == 0) || (XSTRNCMP(n1,"CHACHA20",8) == 0))) || @@ -22240,10 +21975,6 @@ exit_dpk: /* auto populate extensions supported unless user defined */ if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0) return ret; - #ifdef HAVE_QSH - if (QSH_Init(ssl) != 0) - return MEMORY_E; - #endif extSz = 0; ret = TLSX_GetRequestSize(ssl, client_hello, &extSz); if (ret != 0) 
@@ -24441,32 +24172,6 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, #endif } - /* QSH extensions */ - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - word16 name; - int qshSz; - - /* extension name */ - ato16(input + args->idx, &name); - args->idx += OPAQUE16_LEN; - - if (name == TLSX_QUANTUM_SAFE_HYBRID) { - /* if qshSz is larger than 0 it is the length of - buffer used */ - if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + args->idx, - size, 0)) < 0) { - ERROR_OUT(qshSz, exit_dske); - } - args->idx += qshSz; - } - else { - /* unknown extension sent server ignored handshake */ - ERROR_OUT(BUFFER_ERROR, exit_dske); - } - } - #endif - /* Advance state and proceed */ ssl->options.asyncState = TLS_ASYNC_END; } /* case TLS_ASYNC_FINALIZE */ 
@@ -24506,391 +24211,6 @@ exit_dske: return ret; } - -#ifdef HAVE_QSH - -#ifdef HAVE_NTRU -/* Encrypt a byte array using ntru - key a struct containing the public key to use - bufIn array to be encrypted - inSz size of bufIn array - bufOut cipher text out - outSz will be set to the new size of cipher text - */ -static int NtruSecretEncrypt(QSHKey* key, byte* bufIn, word32 inSz, - byte* bufOut, word16* outSz) -{ - int ret; - DRBG_HANDLE drbg; - - /* sanity checks on input arguments */ - if (key == NULL || bufIn == NULL || bufOut == NULL || outSz == NULL) - return BAD_FUNC_ARG; - - if (key->pub.buffer == NULL) - return BAD_FUNC_ARG; - - switch (key->name) { - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - break; - default: - WOLFSSL_MSG("Unknown QSH encryption key!"); - return -1; - } - - /* set up ntru drbg */ - ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) - return NTRU_DRBG_ERROR; - - /* encrypt the byte array */ - ret = ntru_crypto_ntru_encrypt(drbg, key->pub.length, key->pub.buffer, - inSz, bufIn, outSz, bufOut); - ntru_crypto_drbg_uninstantiate(drbg); - if (ret != NTRU_OK) - return NTRU_ENCRYPT_ERROR; - - return ret; -} - -/* Decrypt a byte array using ntru - key a struct containing the private key to use - bufIn array to be decrypted - inSz size of bufIn array - bufOut plain text out - outSz will be set to the new size of plain text - */ - -static int NtruSecretDecrypt(QSHKey* key, byte* bufIn, word32 inSz, - byte* bufOut, word16* outSz) -{ - int ret; - DRBG_HANDLE drbg; - - /* sanity checks on input arguments */ - if (key == NULL || bufIn == NULL || bufOut == NULL || outSz == NULL) - return BAD_FUNC_ARG; - - if (key->pri.buffer == NULL) - return BAD_FUNC_ARG; - - switch (key->name) { - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - break; - default: - WOLFSSL_MSG("Unknown QSH decryption key!"); - return -1; - } - - - /* set up drbg */ - ret 
= ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) - return NTRU_DRBG_ERROR; - - /* decrypt cipher text */ - ret = ntru_crypto_ntru_decrypt(key->pri.length, key->pri.buffer, - inSz, bufIn, outSz, bufOut); - ntru_crypto_drbg_uninstantiate(drbg); - if (ret != NTRU_OK) - return NTRU_ENCRYPT_ERROR; - - return ret; -} -#endif /* HAVE_NTRU */ - -int QSH_Init(WOLFSSL* ssl) -{ - /* check so not initializing twice when running DTLS */ - if (ssl->QSH_secret != NULL) - return 0; - - /* malloc memory for holding generated secret information */ - if ((ssl->QSH_secret = (QSHSecret*)XMALLOC(sizeof(QSHSecret), ssl->heap, - DYNAMIC_TYPE_QSH)) == NULL) - return MEMORY_E; - - ssl->QSH_secret->CliSi = (buffer*)XMALLOC(sizeof(buffer), ssl->heap, - DYNAMIC_TYPE_SECRET); - if (ssl->QSH_secret->CliSi == NULL) - return MEMORY_E; - - ssl->QSH_secret->SerSi = (buffer*)XMALLOC(sizeof(buffer), ssl->heap, - DYNAMIC_TYPE_SECRET); - if (ssl->QSH_secret->SerSi == NULL) - return MEMORY_E; - - /* initialize variables */ - ssl->QSH_secret->list = NULL; - ssl->QSH_secret->CliSi->length = 0; - ssl->QSH_secret->CliSi->buffer = NULL; - ssl->QSH_secret->SerSi->length = 0; - ssl->QSH_secret->SerSi->buffer = NULL; - - return 0; -} - - -static int QSH_Encrypt(QSHKey* key, byte* in, word32 szIn, - byte* out, word32* szOut) -{ - int ret = 0; - word16 size = *szOut; - - (void)in; - (void)szIn; - (void)out; - (void)szOut; - - WOLFSSL_MSG("Encrypting QSH key material"); - - switch (key->name) { - #ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - ret = NtruSecretEncrypt(key, in, szIn, out, &size); - break; - #endif - default: - WOLFSSL_MSG("Unknown QSH encryption key!"); - return -1; - } - - *szOut = size; - - return ret; -} - - -/* Decrypt using Quantum Safe Handshake algorithms */ -int QSH_Decrypt(QSHKey* key, byte* in, word32 szIn, byte* out, word16* szOut) -{ - int ret = 0; - word16 size = *szOut; - - (void)in; - (void)szIn; 
- (void)out; - (void)szOut; - - WOLFSSL_MSG("Decrypting QSH key material"); - - switch (key->name) { - #ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - ret = NtruSecretDecrypt(key, in, szIn, out, &size); - break; - #endif - default: - WOLFSSL_MSG("Unknown QSH decryption key!"); - return -1; - } - - *szOut = size; - - return ret; -} - - -/* Get the max cipher text for corresponding encryption scheme - (encrypting 48 or max plain text whichever is smaller) - */ -static word32 QSH_MaxSecret(QSHKey* key) -{ - int ret = 0; -#ifdef HAVE_NTRU - byte isNtru = 0; - word16 inSz = 48; - word16 outSz; - DRBG_HANDLE drbg = 0; - byte bufIn[48]; -#endif - - if (key == NULL || key->pub.length == 0) - return 0; - - switch(key->name) { -#ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - isNtru = 1; - break; - case WOLFSSL_NTRU_EESS593: - isNtru = 1; - break; - case WOLFSSL_NTRU_EESS743: - isNtru = 1; - break; -#endif - default: - WOLFSSL_MSG("Unknown QSH encryption scheme size!"); - return 0; - } - -#ifdef HAVE_NTRU - if (isNtru) { - ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) - return NTRU_DRBG_ERROR; - ret = ntru_crypto_ntru_encrypt(drbg, key->pub.length, - key->pub.buffer, inSz, bufIn, &outSz, NULL); - if (ret != NTRU_OK) { - return NTRU_ENCRYPT_ERROR; - } - ntru_crypto_drbg_uninstantiate(drbg); - ret = outSz; - } -#endif - - return ret; -} - -/* Generate the secret byte material for pms - returns length on success and -1 on fail - */ -static int QSH_GenerateSerCliSecret(WOLFSSL* ssl, byte isServer) -{ - int sz = 0; - int plainSz = 48; /* lesser of 48 and max plain text able to encrypt */ - int offset = 0; - word32 tmpSz = 0; - buffer* buf; - QSHKey* current; - QSHScheme* schmPre = NULL; - QSHScheme* schm = NULL; - - if (ssl == NULL) - return -1; - - WOLFSSL_MSG("Generating QSH secret key material"); - - current = ssl->peerQSHKey; - /* get size of buffer needed */ - while (current) { - 
if (current->pub.length != 0) { - sz += plainSz; - } - current = (QSHKey*)current->next; - } - - /* allocate memory for buffer */ - if (isServer) { - buf = ssl->QSH_secret->SerSi; - } - else { - buf = ssl->QSH_secret->CliSi; - } - buf->length = sz; - buf->buffer = (byte*)XMALLOC(sz, ssl->heap, DYNAMIC_TYPE_SECRET); - if (buf->buffer == NULL) { - WOLFSSL_ERROR(MEMORY_E); - } - - /* create secret information */ - sz = 0; - current = ssl->peerQSHKey; - while (current) { - schm = (QSHScheme*)XMALLOC(sizeof(QSHScheme), ssl->heap, - DYNAMIC_TYPE_QSH); - if (schm == NULL) - return MEMORY_E; - - /* initialize variables */ - schm->name = 0; - schm->PK = NULL; - schm->PKLen = 0; - schm->next = NULL; - if (ssl->QSH_secret->list == NULL) { - ssl->QSH_secret->list = schm; - } - else { - if (schmPre) - schmPre->next = schm; - } - - tmpSz = QSH_MaxSecret(current); - - if ((schm->PK = (byte*)XMALLOC(tmpSz, ssl->heap, - DYNAMIC_TYPE_SECRET)) == NULL) - return -1; - - /* store info for writing extension */ - schm->name = current->name; - - /* no key to use for encryption */ - if (tmpSz == 0) { - current = (QSHKey*)current->next; - continue; - } - - if (wc_RNG_GenerateBlock(ssl->rng, buf->buffer + offset, plainSz) - != 0) { - return -1; - } - if (QSH_Encrypt(current, buf->buffer + offset, plainSz, schm->PK, - &tmpSz) != 0) { - return -1; - } - schm->PKLen = tmpSz; - - sz += tmpSz; - offset += plainSz; - schmPre = schm; - current = (QSHKey*)current->next; - } - - return sz; -} - - -static word32 QSH_KeyGetSize(WOLFSSL* ssl) -{ - word32 sz = 0; - QSHKey* current; - - if (ssl == NULL) - return -1; - - current = ssl->peerQSHKey; - sz += OPAQUE16_LEN; /* type of extension ie 0x00 0x18 */ - sz += OPAQUE24_LEN; - /* get size of buffer needed */ - while (current) { - sz += OPAQUE16_LEN; /* scheme id */ - sz += OPAQUE16_LEN; /* encrypted key len*/ - sz += QSH_MaxSecret(current); - current = (QSHKey*)current->next; - } - - return sz; -} - - -/* handle QSH key Exchange - return 0 on success - 
*/ -static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) -{ - int ret = 0; - - WOLFSSL_ENTER("QSH KeyExchange"); - - ret = QSH_GenerateSerCliSecret(ssl, isServer); - if (ret < 0) - return MEMORY_E; - - return 0; -} - -#endif /* HAVE_QSH */ - - typedef struct SckeArgs { byte* output; /* not allocated */ byte* encSecret; @@ -25089,13 +24409,6 @@ int SendClientKeyExchange(WOLFSSL* ssl) break; #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - if (ssl->peerNtruKeyPresent == 0) { - ERROR_OUT(NO_PEER_KEY, exit_scke); - } - break; - #endif /* HAVE_NTRU */ #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) case ecc_diffie_hellman_kea: @@ -25521,20 +24834,6 @@ int SendClientKeyExchange(WOLFSSL* ssl) break; } #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - ret = wc_RNG_GenerateBlock(ssl->rng, - ssl->arrays->preMasterSecret, SECRET_LEN); - if (ret != 0) { - goto exit_scke; - } - - ssl->arrays->preMasterSz = SECRET_LEN; - args->encSz = MAX_ENCRYPT_SZ; - break; - } - #endif /* HAVE_NTRU */ #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) case ecc_diffie_hellman_kea: 
@@ -25743,32 +25042,6 @@ int SendClientKeyExchange(WOLFSSL* ssl) break; } #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - word32 rc; - word16 tmpEncSz = (word16)args->encSz; - DRBG_HANDLE drbg; - - rc = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (rc != DRBG_OK) { - ERROR_OUT(NTRU_DRBG_ERROR, exit_scke); - } - rc = ntru_crypto_ntru_encrypt(drbg, ssl->peerNtruKeyLen, - ssl->peerNtruKey, - ssl->arrays->preMasterSz, - ssl->arrays->preMasterSecret, - &tmpEncSz, - args->encSecret); - args->encSz = tmpEncSz; - ntru_crypto_drbg_uninstantiate(drbg); - if (rc != NTRU_OK) { - ERROR_OUT(NTRU_ENCRYPT_ERROR, exit_scke); - } - ret = 0; - break; - } - #endif /* HAVE_NTRU */ #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) case ecc_diffie_hellman_kea: @@ -25941,12 +25214,6 @@ int SendClientKeyExchange(WOLFSSL* ssl) break; } #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - break; - } - #endif /* HAVE_NTRU */ #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) case ecc_diffie_hellman_kea: @@ -25977,13 +25244,6 @@ int SendClientKeyExchange(WOLFSSL* ssl) word32 tlsSz = 0; word32 idx = 0; - #ifdef HAVE_QSH - word32 qshSz = 0; - if (ssl->peerQSHKeyPresent) { - qshSz = QSH_KeyGetSize(ssl); - } - #endif - if (ssl->options.tls || ssl->specs.kea == diffie_hellman_kea) { tlsSz = 2; } @@ -26008,11 +25268,6 @@ int SendClientKeyExchange(WOLFSSL* ssl) args->sendSz += MAX_MSG_EXTRA; } - #ifdef HAVE_QSH - args->encSz += qshSz; - args->sendSz += qshSz; - #endif - /* check for available size */ if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { goto exit_scke; 
@@ -26022,36 +25277,8 @@ int SendClientKeyExchange(WOLFSSL* ssl) args->output = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length; - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - byte idxSave = idx; - idx = args->sendSz - qshSz; - - if (QSH_KeyExchangeWrite(ssl, 0) != 0) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - /* extension type */ - c16toa(TLSX_QUANTUM_SAFE_HYBRID, args->output + idx); - idx += OPAQUE16_LEN; - - /* write to output and check amount written */ - if (TLSX_QSHPK_Write(ssl->QSH_secret->list, - args->output + idx) > qshSz - OPAQUE16_LEN) { - ERROR_OUT(MEMORY_E, exit_scke); - } - - idx = idxSave; - } - #endif - AddHeaders(args->output, args->encSz + tlsSz, client_key_exchange, ssl); - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - args->encSz -= qshSz; - } - #endif if (tlsSz) { c16toa((word16)args->encSz, &args->output[idx]); idx += OPAQUE16_LEN; @@ -27142,9 +26369,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) word32 exportSz; - #endif - #ifdef HAVE_QSH - word32 qshSz; #endif int sendSz; int inputSz; @@ -27216,12 +26440,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, { case TLS_ASYNC_BEGIN: { - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent && ssl->options.haveQSH) { - args->qshSz = QSH_KeyGetSize(ssl); - } - #endif - /* Do some checks / debug msgs */ switch(ssl->specs.kea) { @@ -27482,11 +26700,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif - #ifdef WOLFSSL_DTLS if (ssl->options.dtls) { args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; 
@@ -27509,13 +26722,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, server_key_exchange, ssl); /* key data */ - #ifdef HAVE_QSH - c16toa((word16)(args->length - args->qshSz - - HINT_LEN_SZ), args->output + args->idx); - #else c16toa((word16)(args->length - HINT_LEN_SZ), args->output + args->idx); - #endif args->idx += HINT_LEN_SZ; XMEMCPY(args->output + args->idx, @@ -27544,10 +26752,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif #ifdef WOLFSSL_DTLS if (ssl->options.dtls) { args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; @@ -27660,10 +26864,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, args->length += hintLen + HINT_LEN_SZ; args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif #ifdef WOLFSSL_DTLS if (ssl->options.dtls) { args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; @@ -27863,10 +27063,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif #ifdef WOLFSSL_DTLS if (ssl->options.dtls) { args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; @@ -28106,10 +27302,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; - #ifdef HAVE_QSH - args->length += args->qshSz; - args->sendSz += args->qshSz; - #endif #ifdef WOLFSSL_DTLS if (ssl->options.dtls) { args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; 
@@ -28598,29 +27790,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, case TLS_ASYNC_FINALIZE: { - #ifdef HAVE_QSH - if (ssl->peerQSHKeyPresent) { - if (args->qshSz > 0) { - args->idx = args->sendSz - args->qshSz; - if (QSH_KeyExchangeWrite(ssl, 1) != 0) { - ERROR_OUT(MEMORY_E, exit_sske); - } - - /* extension type */ - c16toa(TLSX_QUANTUM_SAFE_HYBRID, - args->output + args->idx); - args->idx += OPAQUE16_LEN; - - /* write to output and check amount written */ - if (TLSX_QSHPK_Write(ssl->QSH_secret->list, - args->output + args->idx) > - args->qshSz - OPAQUE16_LEN) { - ERROR_OUT(MEMORY_E, exit_sske); - } - } - } - #endif - #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) if (ssl->specs.kea == ecdhe_psk_kea || @@ -28726,9 +27895,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, first = ssl->suites->suites[idx]; second = ssl->suites->suites[idx+1]; - if (ssl->options.haveNTRU) - haveRSA = 0; - if (CipherRequires(first, second, REQUIRES_RSA)) { WOLFSSL_MSG("Requires RSA"); if (haveRSA == 0) { @@ -28772,14 +27938,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } } - if (CipherRequires(first, second, REQUIRES_NTRU)) { - WOLFSSL_MSG("Requires NTRU"); - if (ssl->options.haveNTRU == 0) { - WOLFSSL_MSG("Don't have NTRU"); - return 0; - } - } - if (CipherRequires(first, second, REQUIRES_RSA_SIG)) { WOLFSSL_MSG("Requires RSA Signature"); if (ssl->options.side == WOLFSSL_SERVER_END && 
@@ -28809,22 +27967,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } #endif - /* ECCDHE is always supported if ECC on */ - -#ifdef HAVE_QSH - /* need to negotiate a classic suite in addition to TLS_QSH */ - if (first == QSH_BYTE && second == TLS_QSH) { - if (TLSX_SupportExtensions(ssl)) { - ssl->options.haveQSH = 1; /* matched TLS_QSH */ - } - else { - WOLFSSL_MSG("Version of SSL connection does not support " - "TLS_QSH"); - } - return 0; - } -#endif - #ifdef WOLFSSL_TLS13 if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.side == WOLFSSL_SERVER_END) { @@ -29019,10 +28161,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.haveAnon, - ssl->options.side); + ssl->options.haveDH, ssl->options.haveECDSAsig, + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.haveAnon, ssl->options.side); } /* suite size */ @@ -29373,10 +28514,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, keySz = ssl->buffers.keySz; #endif InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.haveAnon, - ssl->options.side); + ssl->options.haveDH, ssl->options.haveECDSAsig, + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.haveAnon, ssl->options.side); } #ifdef OPENSSL_EXTRA 
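Review bot: The InitSuites call in the -29019 hunk passes its have* flags purely by position, so dropping `ssl->options.haveNTRU` moves every later argument up one slot. The compiler checks the argument count against the prototype, but not that each flag lands in the intended parameter. The prototype is not part of this hunk, so confirm that the parameter removed there is the one that followed haveDH; a mismatch would silently change which cipher suites get enabled. The same edit repeats in the hunks at -29373 and -29436 and at the src/ssl.c call sites (wolfSSL_SetTmpDH, wolfSSL_SetVersion, ProcessBuffer, the two hunks labelled wolfSSL_set_compression, wolfSSL_set_options). A comment on the prototype such as `/* flag order: haveRSA, havePSK, haveDH, haveECDSAsig, haveECC, haveStaticECC, haveAnon, side */` would make each call site checkable by eye.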
@@ -29436,10 +28576,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* reset cipher suites to account for TLS version change */ InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.haveAnon, - ssl->options.side); + ssl->options.haveDH, ssl->options.haveECDSAsig, + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.haveAnon, ssl->options.side); } } #endif @@ -29695,9 +28834,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* tls extensions */ if ((i - begin) < helloSz) { #ifdef HAVE_TLS_EXTENSIONS - #ifdef HAVE_QSH - QSH_Init(ssl); - #endif if (TLSX_SupportExtensions(ssl)) #else if (IsAtLeastTLSv1_2(ssl)) @@ -31452,17 +30588,6 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], break; } #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - /* make sure private key exists */ - if (ssl->buffers.key == NULL || - ssl->buffers.key->buffer == NULL) { - ERROR_OUT(NO_PRIVATE_KEY, exit_dcke); - } - break; - } - #endif /* HAVE_NTRU */ #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) case ecc_diffie_hellman_kea: 
@@ -31623,44 +30748,6 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], break; } #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - word16 cipherLen; - word16 plainLen = ENCRYPT_LEN; - - if ((args->idx - args->begin) + OPAQUE16_LEN > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - ato16(input + args->idx, &cipherLen); - args->idx += OPAQUE16_LEN; - - if (cipherLen > MAX_NTRU_ENCRYPT_SZ) { - ERROR_OUT(NTRU_KEY_ERROR, exit_dcke); - } - - if ((args->idx - args->begin) + cipherLen > size) { - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - - if (NTRU_OK != ntru_crypto_ntru_decrypt( - (word16) ssl->buffers.key->length, - ssl->buffers.key->buffer, cipherLen, - input + args->idx, &plainLen, - ssl->arrays->preMasterSecret)) { - ERROR_OUT(NTRU_DECRYPT_ERROR, exit_dcke); - } - - if (plainLen != SECRET_LEN) { - ERROR_OUT(NTRU_DECRYPT_ERROR, exit_dcke); - } - - args->idx += cipherLen; - ssl->arrays->preMasterSz = plainLen; - break; - } - #endif /* HAVE_NTRU */ #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) case ecc_diffie_hellman_kea: @@ -32211,12 +31298,6 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], break; } #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - break; - } - #endif /* HAVE_NTRU */ #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) case ecc_diffie_hellman_kea: @@ -32446,12 +31527,6 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], break; } #endif /* !NO_PSK */ - #ifdef HAVE_NTRU - case ntru_kea: - { - break; - } - #endif /* HAVE_NTRU */ #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) case ecc_diffie_hellman_kea: 
@@ -32564,31 +31639,6 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], #endif } - #ifdef HAVE_QSH - word16 name; - - if (ssl->options.haveQSH) { - /* extension name */ - ato16(input + args->idx, &name); - args->idx += OPAQUE16_LEN; - - if (name == TLSX_QUANTUM_SAFE_HYBRID) { - int qshSz; - /* if qshSz is larger than 0 it is the - length of buffer used */ - if ((qshSz = TLSX_QSHCipher_Parse(ssl, - input + args->idx, - size - args->idx + args->begin, 1)) < 0) { - ERROR_OUT(qshSz, exit_dcke); - } - args->idx += qshSz; - } - else { - /* unknown extension sent client ignored handshake */ - ERROR_OUT(BUFFER_ERROR, exit_dcke); - } - } - #endif /* HAVE_QSH */ ret = MakeMasterSecret(ssl); /* Check for error */ diff --git a/src/keys.c b/src/keys.c index 5bae0a5e5..cd8b3c008 100644 --- a/src/keys.c +++ b/src/keys.c @@ -1248,23 +1248,6 @@ int SetCipherSpecs(WOLFSSL* ssl) break; #endif -#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - case TLS_NTRU_RSA_WITH_RC4_128_SHA : - ssl->specs.bulk_cipher_algorithm = wolfssl_rc4; - ssl->specs.cipher_type = stream; - ssl->specs.mac_algorithm = sha_mac; - ssl->specs.kea = ntru_kea; - ssl->specs.sig_algo = rsa_sa_algo; - ssl->specs.hash_size = WC_SHA_DIGEST_SIZE; - ssl->specs.pad_size = PAD_SHA; - ssl->specs.static_ecdh = 0; - ssl->specs.key_size = RC4_KEY_SIZE; - ssl->specs.iv_size = 0; - ssl->specs.block_size = 0; - - break; -#endif - #ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5 case SSL_RSA_WITH_RC4_128_MD5 : ssl->specs.bulk_cipher_algorithm = wolfssl_rc4; 
@@ -1303,23 +1286,6 @@ int SetCipherSpecs(WOLFSSL* ssl) break; #endif -#ifdef BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : - ssl->specs.bulk_cipher_algorithm = wolfssl_triple_des; - ssl->specs.cipher_type = block; - ssl->specs.mac_algorithm = sha_mac; - ssl->specs.kea = ntru_kea; - ssl->specs.sig_algo = rsa_sa_algo; - ssl->specs.hash_size = WC_SHA_DIGEST_SIZE; - ssl->specs.pad_size = PAD_SHA; - ssl->specs.static_ecdh = 0; - ssl->specs.key_size = DES3_KEY_SIZE; - ssl->specs.block_size = DES_BLOCK_SIZE; - ssl->specs.iv_size = DES_IV_SIZE; - - break; -#endif - #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA case TLS_RSA_WITH_AES_128_CBC_SHA : ssl->specs.bulk_cipher_algorithm = wolfssl_aes; @@ -1405,23 +1371,6 @@ int SetCipherSpecs(WOLFSSL* ssl) break; #endif -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : - ssl->specs.bulk_cipher_algorithm = wolfssl_aes; - ssl->specs.cipher_type = block; - ssl->specs.mac_algorithm = sha_mac; - ssl->specs.kea = ntru_kea; - ssl->specs.sig_algo = rsa_sa_algo; - ssl->specs.hash_size = WC_SHA_DIGEST_SIZE; - ssl->specs.pad_size = PAD_SHA; - ssl->specs.static_ecdh = 0; - ssl->specs.key_size = AES_128_KEY_SIZE; - ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AES_IV_SIZE; - - break; -#endif - #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA case TLS_RSA_WITH_AES_256_CBC_SHA : ssl->specs.bulk_cipher_algorithm = wolfssl_aes; 
@@ -1456,23 +1405,6 @@ int SetCipherSpecs(WOLFSSL* ssl) break; #endif -#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : - ssl->specs.bulk_cipher_algorithm = wolfssl_aes; - ssl->specs.cipher_type = block; - ssl->specs.mac_algorithm = sha_mac; - ssl->specs.kea = ntru_kea; - ssl->specs.sig_algo = rsa_sa_algo; - ssl->specs.hash_size = WC_SHA_DIGEST_SIZE; - ssl->specs.pad_size = PAD_SHA; - ssl->specs.static_ecdh = 0; - ssl->specs.key_size = AES_256_KEY_SIZE; - ssl->specs.block_size = AES_BLOCK_SIZE; - ssl->specs.iv_size = AES_IV_SIZE; - - break; -#endif - #ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 case TLS_PSK_WITH_AES_128_GCM_SHA256 : ssl->specs.bulk_cipher_algorithm = wolfssl_aes_gcm; 
@@ -3683,49 +3615,6 @@ static int MakeSslMasterSecret(WOLFSSL* ssl) int MakeMasterSecret(WOLFSSL* ssl) { /* append secret to premaster : premaster | SerSi | CliSi */ -#ifdef HAVE_QSH - word32 offset = 0; - - if (ssl->peerQSHKeyPresent) { - offset += ssl->arrays->preMasterSz; - ssl->arrays->preMasterSz += ssl->QSH_secret->CliSi->length + - ssl->QSH_secret->SerSi->length; - /* test and set flag if QSH has been used */ - if (ssl->QSH_secret->CliSi->length > 0 || - ssl->QSH_secret->SerSi->length > 0) - ssl->isQSH = 1; - - /* append secrets to the premaster */ - if (ssl->QSH_secret->SerSi != NULL) { - XMEMCPY(ssl->arrays->preMasterSecret + offset, - ssl->QSH_secret->SerSi->buffer, ssl->QSH_secret->SerSi->length); - } - offset += ssl->QSH_secret->SerSi->length; - if (ssl->QSH_secret->CliSi != NULL) { - XMEMCPY(ssl->arrays->preMasterSecret + offset, - ssl->QSH_secret->CliSi->buffer, ssl->QSH_secret->CliSi->length); - } - - /* show secret SerSi and CliSi */ - #ifdef SHOW_SECRETS - { - word32 j; - printf("QSH generated secret material\n"); - printf("SerSi : "); - for (j = 0; j < ssl->QSH_secret->SerSi->length; j++) { - printf("%02x", ssl->QSH_secret->SerSi->buffer[j]); - } - printf("\n"); - printf("CliSi : "); - for (j = 0; j < ssl->QSH_secret->CliSi->length; j++) { - printf("%02x", ssl->QSH_secret->CliSi->buffer[j]); - } - printf("\n"); - } - #endif - } -#endif - #ifndef NO_OLD_TLS if (ssl->options.tls) return MakeTlsMasterSecret(ssl); return MakeSslMasterSecret(ssl); diff --git a/src/ssl.c b/src/ssl.c index f3f4414fb..688fc41fe 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -1910,10 +1910,9 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, keySz = ssl->buffers.keySz; #endif InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.haveAnon, - ssl->options.side); + ssl->options.haveDH, ssl->options.haveECDSAsig, + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.haveAnon, ssl->options.side); } WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); @@ -2684,58 +2683,6 @@ int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count) #endif /* OPENSSL_EXTRA && WOLFSSL_TLS13 */ #endif /* HAVE_SUPPORTED_CURVES */ -/* QSH quantum safe handshake */ -#ifdef HAVE_QSH -/* returns 1 if QSH has been used 0 otherwise */ -int wolfSSL_isQSH(WOLFSSL* ssl) -{ - /* if no ssl struct than QSH was not used */ - if (ssl == NULL) - return 0; - - return ssl->isQSH; -} - - -int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - switch (name) { - #ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - break; - #endif - default: - return BAD_FUNC_ARG; - } - - ssl->user_set_QSHSchemes = 1; - - return TLSX_UseQSHScheme(&ssl->extensions, name, NULL, 0, ssl->heap); -} - -#ifndef NO_WOLFSSL_CLIENT - /* user control over sending client public key in hello - when flag = 1 will send keys if flag is 0 or function is not called - then will not send keys in the hello extension - return 0 on success - */ - int wolfSSL_UseClientQSHKeys(WOLFSSL* ssl, unsigned char flag) - { - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->sendQSHKeys = flag; - - return 0; - } -#endif /* NO_WOLFSSL_CLIENT */ -#endif /* HAVE_QSH */ - /* Application-Layer Protocol Negotiation */ #ifdef HAVE_ALPN 
@@ -4405,10 +4352,9 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version) #endif InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.haveAnon, - ssl->options.side); + ssl->options.haveDH, ssl->options.haveECDSAsig, + ssl->options.haveECC, ssl->options.haveStaticECC, + ssl->options.haveAnon, ssl->options.side); return WOLFSSL_SUCCESS; } @@ -5591,7 +5537,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, int format, int type, WOLFSSL* ssl, long* used, int userChain, int verify) { - DerBuffer* der = NULL; /* holds DER or RAW (for NTRU) */ + DerBuffer* der = NULL; int ret = 0; int done = 0; int keyFormat = 0; @@ -5618,8 +5564,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, *used = sz; /* used bytes default to sz, PEM chain may shorten*/ /* check args */ - if (format != WOLFSSL_FILETYPE_ASN1 && format != WOLFSSL_FILETYPE_PEM - && format != WOLFSSL_FILETYPE_RAW) + if (format != WOLFSSL_FILETYPE_ASN1 && format != WOLFSSL_FILETYPE_PEM) return WOLFSSL_BAD_FILETYPE; if (ctx == NULL && ssl == NULL) @@ -5648,7 +5593,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #endif } else { - /* ASN1 (DER) or RAW (NTRU) */ + /* ASN1 (DER) */ int length = (int)sz; if (format == WOLFSSL_FILETYPE_ASN1) { /* get length of der (read sequence or octet string) */ @@ -5707,7 +5652,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, } /* info is only used for private key with DER or PEM, so free now */ - if (ret < 0 || type != PRIVATEKEY_TYPE || format == WOLFSSL_FILETYPE_RAW) { + if (ret < 0 || type != PRIVATEKEY_TYPE) { #ifdef WOLFSSL_SMALL_STACK XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO); #endif 
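Review bot: The narrowed check `format != WOLFSSL_FILETYPE_ASN1 && format != WOLFSSL_FILETYPE_PEM` in the -5618 hunk makes ProcessBuffer return WOLFSSL_BAD_FILETYPE for WOLFSSL_FILETYPE_RAW, a caller-visible change that nothing in the code explains. I would add `/* RAW was accepted for NTRU keys only; DER and PEM are the supported formats */` above the check. With RAW rejected up front, the `if (format == WOLFSSL_FILETYPE_ASN1)` kept as context in the following `/* ASN1 (DER) */` hunk looks always true, assuming the branch before that else handles PEM, which is not visible here. That test could be dropped or replaced by a comment. ProcessBuffer starts and ends outside these hunks.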
@@ -5798,7 +5743,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 if (done == 1) {
 /* No operation, just skip the next section */
 }
- else if (type == PRIVATEKEY_TYPE && format != WOLFSSL_FILETYPE_RAW) {
+ else if (type == PRIVATEKEY_TYPE) {
 ret = ProcessBufferTryDecode(ctx, ssl, der, &keySz, &idx, &resetSuites, &keyFormat, heap, devId);
@@ -6134,10 +6079,9 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 /* let's reset suites */
 InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
- havePSK, ssl->options.haveDH, ssl->options.haveNTRU,
- ssl->options.haveECDSAsig, ssl->options.haveECC,
- ssl->options.haveStaticECC, ssl->options.haveAnon,
- ssl->options.side);
+ havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
+ ssl->options.haveECC, ssl->options.haveStaticECC,
+ ssl->options.haveAnon, ssl->options.side);
 }
 return WOLFSSL_SUCCESS;
@@ -11447,31 +11391,6 @@ int wolfSSL_SESSION_get_master_key_length(const WOLFSSL_SESSION* ses)
 #endif /* OPENSSL_EXTRA */
-#ifndef NO_FILESYSTEM
-#ifdef HAVE_NTRU
-
-int wolfSSL_CTX_use_NTRUPrivateKey_file(WOLFSSL_CTX* ctx, const char* file)
-{
- WOLFSSL_ENTER("wolfSSL_CTX_use_NTRUPrivateKey_file");
-
- if (ctx == NULL)
- return WOLFSSL_FAILURE;
-
- if (ProcessFile(ctx, file, WOLFSSL_FILETYPE_RAW, PRIVATEKEY_TYPE, NULL, 0,
- NULL, GET_VERIFY_SETTING_CTX(ctx)) == WOLFSSL_SUCCESS) {
- ctx->haveNTRU = 1;
- return WOLFSSL_SUCCESS;
- }
-
- return WOLFSSL_FAILURE;
-}
-
-#endif /* HAVE_NTRU */
-
-
-#endif /* NO_FILESYSTEM */
-
-
 WOLFSSL_ABI
 void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
 {
@@ -15684,10 +15603,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 keySz = ssl->buffers.keySz;
 #endif
 InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
- ssl->options.haveDH, ssl->options.haveNTRU,
- ssl->options.haveECDSAsig, ssl->options.haveECC,
- ssl->options.haveStaticECC, ssl->options.haveAnon,
- ssl->options.side);
+ ssl->options.haveDH, ssl->options.haveECDSAsig,
+ ssl->options.haveECC, ssl->options.haveStaticECC,
+ ssl->options.haveAnon, ssl->options.side);
 }
 #ifdef OPENSSL_EXTRA
 /**
@@ -15737,10 +15655,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 keySz = ssl->buffers.keySz;
 #endif
 InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
- ssl->options.haveDH, ssl->options.haveNTRU,
- ssl->options.haveECDSAsig, ssl->options.haveECC,
- ssl->options.haveStaticECC, ssl->options.haveAnon,
- ssl->options.side);
+ ssl->options.haveDH, ssl->options.haveECDSAsig,
+ ssl->options.haveECC, ssl->options.haveStaticECC,
+ ssl->options.haveAnon, ssl->options.side);
 }
 const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl)
@@ -24571,11 +24488,6 @@ static WC_INLINE const char* wolfssl_kea_to_string(int kea)
 break;
 #endif
 #endif
-#ifdef HAVE_NTRU
- case ntru_kea:
- keaStr = "NTRU";
- break;
-#endif
 #ifdef HAVE_ECC
 case ecc_diffie_hellman_kea:
 keaStr = "ECDHE";
@@ -27547,10 +27459,9 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
 if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END)
 InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
- ssl->options.haveDH, ssl->options.haveNTRU,
- ssl->options.haveECDSAsig, ssl->options.haveECC,
- ssl->options.haveStaticECC, ssl->options.haveAnon,
- ssl->options.side);
+ ssl->options.haveDH, ssl->options.haveECDSAsig,
+ ssl->options.haveECC, ssl->options.haveStaticECC,
+ ssl->options.haveAnon, ssl->options.side);
 return ssl->options.mask;
 }
@@ -30680,9 +30591,6 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
 { RSAk, RSAk, oidKeyType, "rsaEncryption", "rsaEncryption"},
 { NID_rsaEncryption, RSAk, oidKeyType, "rsaEncryption", "rsaEncryption"},
 #endif /* NO_RSA */
- #ifdef HAVE_NTRU
- { NTRUk, NTRUk, oidKeyType, "NTRU", "ntruEncryption"},
- #endif /* HAVE_NTRU */
 #ifdef HAVE_ECC
 { ECDSAk, ECDSAk, oidKeyType, "ECDSA", "ecdsaEncryption"},
 { NID_X9_62_id_ecPublicKey, ECDSAk, oidKeyType, "id-ecPublicKey",
@@ -47897,11 +47805,6 @@ static WC_INLINE int SCSV_Check(byte suite0, byte suite)
 #ifdef HAVE_RENEGOTIATION_INDICATION
 if (suite0 == CIPHER_BYTE && suite == TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
 return 1;
-#endif
-#ifdef BUILD_TLS_QSH
- /* This isn't defined as a SCSV, but it acts like one. */
- if (suite0 == QSH_BYTE && suite == TLS_QSH)
- return 1;
 #endif
 return 0;
 }
@@ -49678,10 +49581,6 @@ word32 nid2oid(int nid, int grp)
 case RSAk:
 return RSAk;
 #endif /* NO_RSA */
- #ifdef HAVE_NTRU
- case NTRUk:
- return NTRUk;
- #endif /* HAVE_NTRU */
 #ifdef HAVE_ECC
 case ECDSAk:
 return ECDSAk;
@@ -50034,10 +49933,6 @@ int oid2nid(word32 oid, int grp)
 case RSAk:
 return RSAk;
 #endif /* NO_RSA */
- #ifdef HAVE_NTRU
- case NTRUk:
- return NTRUk;
- #endif /* HAVE_NTRU */
 #ifdef HAVE_ECC
 case ECDSAk:
 return ECDSAk;
diff --git a/src/tls.c b/src/tls.c
index 43945a4db..5dde7dfa3 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -46,22 +46,10 @@
 #ifdef HAVE_CURVE448
 #include
 #endif
-#ifdef HAVE_NTRU
- #include "libntruencrypt/ntru_crypto.h"
- #include
-#endif
 #ifdef HAVE_LIBOQS
 #include
 #endif
-#ifdef HAVE_QSH
- static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key);
- static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name);
-#if defined(HAVE_NTRU)
- static int TLSX_CreateNtruKey(WOLFSSL* ssl, int type);
-#endif
-#endif /* HAVE_QSH */
-
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
 static int TLSX_KeyShare_IsSupported(int namedGroup);
 static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap);
@@ -5195,607 +5183,6 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap) #endif /* HAVE_SESSION_TICKET */ -/******************************************************************************/ -/* Quantum-Safe-Hybrid */ -/******************************************************************************/ - -#ifdef HAVE_QSH -#if defined(HAVE_NTRU) -static WC_RNG* gRng; -static wolfSSL_Mutex* gRngMutex; -#endif - -static void TLSX_QSH_FreeAll(QSHScheme* list, void* heap) -{ - QSHScheme* current; - - while ((current = list)) { - list = current->next; - XFREE(current, heap, DYNAMIC_TYPE_TLSX); - } - - (void)heap; -} - -static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub, - word16 pubLen) -{ - QSHScheme* temp; - - if (list == NULL) - return BAD_FUNC_ARG; - - if ((temp = (QSHScheme*)XMALLOC(sizeof(QSHScheme), NULL, - DYNAMIC_TYPE_TLSX)) == NULL) - return MEMORY_E; - - temp->name = name; - temp->PK = pub; - temp->PKLen = pubLen; - temp->next = *list; - - *list = temp; - - return 0; -} - - -/* request for server's public key : 02 indicates 0-2 requested */ -static byte TLSX_QSH_SerPKReq(byte* output, byte isRequest) -{ - if (isRequest) { - /* only request one public key from the server */ - output[0] = 0x01; - - return OPAQUE8_LEN; - } - else { - return 0; - } -} - -#ifndef NO_WOLFSSL_CLIENT - -/* check for TLS_QSH suite */ -static void TLSX_QSH_ValidateRequest(WOLFSSL* ssl, byte* semaphore) -{ - int i; - - for (i = 0; i < ssl->suites->suiteSz; i += 2) - if (ssl->suites->suites[i] == QSH_BYTE) - return; - - /* No QSH suite found */ - TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_QUANTUM_SAFE_HYBRID)); -} - - -/* return the size of the QSH hello extension - list the list of QSHScheme structs containing id and key - isRequest if 1 then is being sent to the server - */ -word16 TLSX_QSH_GetSize(QSHScheme* list, byte isRequest) -{ - QSHScheme* temp = list; - word16 length = 0; - - /* account for size of scheme list and public key list */ - if 
(isRequest) - length = OPAQUE16_LEN; - length += OPAQUE24_LEN; - - /* for each non null element in list add size */ - while ((temp)) { - /* add public key info Scheme | Key Length | Key */ - length += OPAQUE16_LEN; - length += OPAQUE16_LEN; - length += temp->PKLen; - - /* if client add name size for scheme list - advance to next QSHScheme struct in list */ - if (isRequest) - length += OPAQUE16_LEN; - temp = temp->next; - } - - /* add length for request server public keys */ - if (isRequest) - length += OPAQUE8_LEN; - - return length; -} - - -/* write out a list of QSHScheme IDs */ -static word16 TLSX_QSH_Write(QSHScheme* list, byte* output) -{ - QSHScheme* current = list; - word16 length = 0; - - length += OPAQUE16_LEN; - - while (current) { - c16toa(current->name, output + length); - length += OPAQUE16_LEN; - current = (QSHScheme*)current->next; - } - - c16toa(length - OPAQUE16_LEN, output); /* writing list length */ - - return length; -} - - -/* write public key list in extension */ -static word16 TLSX_QSHPK_WriteR(QSHScheme* format, byte* output) -{ - word32 offset = 0; - word16 public_len = 0; - - if (!format) - return offset; - - /* write scheme ID */ - c16toa(format->name, output + offset); - offset += OPAQUE16_LEN; - - /* write public key matching scheme */ - public_len = format->PKLen; - c16toa(public_len, output + offset); - offset += OPAQUE16_LEN; - if (format->PK) { - XMEMCPY(output+offset, format->PK, public_len); - } - - return public_len + offset; -} - -word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output) -{ - QSHScheme* current = list; - word32 length = 0; - word24 toWire; - - length += OPAQUE24_LEN; - - while (current) { - length += TLSX_QSHPK_WriteR(current, output + length); - current = (QSHScheme*)current->next; - } - /* length of public keys sent */ - c32to24(length - OPAQUE24_LEN, toWire); - output[0] = toWire[0]; - output[1] = toWire[1]; - output[2] = toWire[2]; - - return length; -} - -#endif /* NO_WOLFSSL_CLIENT */ -#ifndef 
NO_WOLFSSL_SERVER - -static void TLSX_QSHAgreement(TLSX** extensions, void* heap) -{ - TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); - QSHScheme* format = NULL; - QSHScheme* del = NULL; - QSHScheme* prev = NULL; - - if (extension == NULL) - return; - - format = (QSHScheme*)extension->data; - while (format) { - if (format->PKLen == 0) { - /* case of head */ - if (format == extension->data) { - extension->data = format->next; - } - if (prev) - prev->next = format->next; - del = format; - format = format->next; - XFREE(del, heap, DYNAMIC_TYPE_TMP_BUFFER); - del = NULL; - } else { - prev = format; - format = format->next; - } - } - - (void)heap; -} - - -/* Parse in hello extension - input the byte stream to process - length length of total extension found - isRequest set to 1 if being sent to the server - */ -static int TLSX_QSH_Parse(WOLFSSL* ssl, const byte* input, word16 length, - byte isRequest) -{ - byte numKeys = 0; - word16 offset = 0; - word16 schemSz = 0; - word16 offset_len = 0; - word32 offset_pk = 0; - word16 name = 0; - word16 PKLen = 0; - byte* PK = NULL; - int r; - - - if (OPAQUE16_LEN > length) - return BUFFER_ERROR; - - if (isRequest) { - ato16(input, &schemSz); - - /* list of public keys available for QSH schemes */ - offset_len = schemSz + OPAQUE16_LEN; - } - - offset_pk = ((input[offset_len] << 16) & 0xFF00000) | - (((input[offset_len + 1]) << 8) & 0xFF00) | - (input[offset_len + 2] & 0xFF); - offset_len += OPAQUE24_LEN; - - /* check buffer size */ - if (offset_pk > length) - return BUFFER_ERROR; - - /* set maximum number of keys the client will accept */ - if (!isRequest) - numKeys = (ssl->maxRequest < 1)? 
1 : ssl->maxRequest; - - /* hello extension read list of scheme ids */ - if (isRequest) { - - /* read in request for public keys */ - ssl->minRequest = (input[length -1] >> 4) & 0xFF; - ssl->maxRequest = input[length -1] & 0x0F; - - /* choose the min between min requested by client and 1 */ - numKeys = (ssl->minRequest > 1) ? ssl->minRequest : 1; - - if (ssl->minRequest > ssl->maxRequest) - return BAD_FUNC_ARG; - - offset += OPAQUE16_LEN; - schemSz += offset; - - /* check buffer size */ - if (schemSz > length) - return BUFFER_ERROR; - - while ((offset < schemSz) && numKeys) { - /* Scheme ID list */ - ato16(input + offset, &name); - offset += OPAQUE16_LEN; - - /* validate we have scheme id */ - if (ssl->user_set_QSHSchemes && - !TLSX_ValidateQSHScheme(&ssl->extensions, name)) { - continue; - } - - /* server create keys on demand */ - if ((r = TLSX_CreateNtruKey(ssl, name)) != 0) { - WOLFSSL_MSG("Error creating ntru keys"); - return r; - } - - /* peer sent an agreed upon scheme */ - r = TLSX_UseQSHScheme(&ssl->extensions, name, NULL, 0, ssl->heap); - - if (r != WOLFSSL_SUCCESS) return r; /* throw error */ - - numKeys--; - } - - /* choose the min between min requested by client and 1 */ - numKeys = (ssl->minRequest > 1) ? 
ssl->minRequest : 1; - } - - /* QSHPK struct */ - offset_pk += offset_len; - while ((offset_len < offset_pk) && numKeys) { - QSHKey * temp; - - if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), ssl->heap, - DYNAMIC_TYPE_TLSX)) == NULL) - return MEMORY_E; - - /* initialize */ - temp->next = NULL; - temp->pub.buffer = NULL; - temp->pub.length = 0; - temp->pri.buffer = NULL; - temp->pri.length = 0; - - /* scheme id */ - ato16(input + offset_len, &(temp->name)); - offset_len += OPAQUE16_LEN; - - /* public key length */ - ato16(input + offset_len, &PKLen); - temp->pub.length = PKLen; - offset_len += OPAQUE16_LEN; - - - if (isRequest) { - /* validate we have scheme id */ - if (ssl->user_set_QSHSchemes && - (!TLSX_ValidateQSHScheme(&ssl->extensions, temp->name))) { - offset_len += PKLen; - XFREE(temp, ssl->heap, DYNAMIC_TYPE_TLSX); - continue; - } - } - - /* read in public key */ - if (PKLen > 0) { - temp->pub.buffer = (byte*)XMALLOC(temp->pub.length, - ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - XMEMCPY(temp->pub.buffer, input + offset_len, temp->pub.length); - offset_len += PKLen; - } - else { - PK = NULL; - } - - /* use own key when adding to extensions list for sending reply */ - PKLen = 0; - PK = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, &PKLen, temp->name); - r = TLSX_UseQSHScheme(&ssl->extensions, temp->name, PK, PKLen, - ssl->heap); - - /* store peers key */ - ssl->peerQSHKeyPresent = 1; - if (TLSX_AddQSHKey(&ssl->peerQSHKey, temp) != 0) - return MEMORY_E; - - if (temp->pub.length == 0) { - XFREE(temp, ssl->heap, DYNAMIC_TYPE_TLSX); - } - - if (r != WOLFSSL_SUCCESS) {return r;} /* throw error */ - - numKeys--; - } - - /* reply to a QSH extension sent from client */ - if (isRequest) { - TLSX_SetResponse(ssl, TLSX_QUANTUM_SAFE_HYBRID); - /* only use schemes we have key generated for -- free the rest */ - TLSX_QSHAgreement(&ssl->extensions, ssl->heap); - } - - return 0; -} - - -/* Used for parsing in QSHCipher structs on Key Exchange */ -int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const 
byte* input, word16 length, - byte isServer) -{ - QSHKey* key; - word16 Max_Secret_Len = 48; - word16 offset = 0; - word16 offset_len = 0; - word32 offset_pk = 0; - word16 name = 0; - word16 secretLen = 0; - byte* secret = NULL; - word16 buffLen = 0; - byte buff[145]; /* size enough for 3 secrets */ - buffer* buf; - - if (offset_len + OPAQUE24_LEN > length) - return BUFFER_ERROR; - - /* pointer to location where secret should be stored */ - if (isServer) { - buf = ssl->QSH_secret->CliSi; - } - else { - buf = ssl->QSH_secret->SerSi; - } - - offset_pk = ((input[offset_len] << 16) & 0xFF0000) | - (((input[offset_len + 1]) << 8) & 0xFF00) | - (input[offset_len + 2] & 0xFF); - offset_len += OPAQUE24_LEN; - - /* validating extension list length -- check if trying to read over edge - of buffer */ - if (length < (offset_pk + OPAQUE24_LEN)) { - return BUFFER_ERROR; - } - - /* QSHCipherList struct */ - offset_pk += offset_len; - while (offset_len < offset_pk) { - - /* scheme id */ - ato16(input + offset_len, &name); - offset_len += OPAQUE16_LEN; - - /* public key length */ - ato16(input + offset_len, &secretLen); - offset_len += OPAQUE16_LEN; - - /* read in public key */ - if (secretLen > 0) { - secret = (byte*)(input + offset_len); - offset_len += secretLen; - } - else { - secret = NULL; - } - - /* no secret sent */ - if (secret == NULL) - continue; - - /* find corresponding key */ - key = ssl->QSH_Key; - while (key) { - if (key->name == name) - break; - else - key = (QSHKey*)key->next; - } - - /* if we do not have the key than there was a big issue negotiation */ - if (key == NULL) { - WOLFSSL_MSG("key was null for decryption!!!\n"); - return MEMORY_E; - } - - /* Decrypt sent secret */ - buffLen = Max_Secret_Len; - QSH_Decrypt(key, secret, secretLen, buff + offset, &buffLen); - offset += buffLen; - } - - /* allocate memory for buffer */ - buf->length = offset; - buf->buffer = (byte*)XMALLOC(offset, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (buf->buffer == NULL) - return 
MEMORY_E; - - /* store secrets */ - XMEMCPY(buf->buffer, buff, offset); - ForceZero(buff, offset); - - return offset_len; -} - - -/* return 1 on success */ -int TLSX_ValidateQSHScheme(TLSX** extensions, word16 theirs) { - TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); - QSHScheme* format = NULL; - - /* if no extension is sent then do not use QSH */ - if (!extension) { - WOLFSSL_MSG("No QSH Extension"); - return 0; - } - - for (format = (QSHScheme*)extension->data; format; format = format->next) { - if (format->name == theirs) { - WOLFSSL_MSG("Found Matching QSH Scheme"); - return 1; /* have QSH */ - } - } - - return 0; -} -#endif /* NO_WOLFSSL_SERVER */ - -/* test if the QSH Scheme is implemented - return 1 if yes 0 if no */ -static int TLSX_HaveQSHScheme(word16 name) -{ - switch(name) { - #ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - return 1; - #endif - case WOLFSSL_LWE_XXX: - case WOLFSSL_HFE_XXX: - return 0; /* not supported yet */ - - default: - return 0; - } -} - - -/* Add a QSHScheme struct to list of usable ones */ -int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz, - void* heap) -{ - TLSX* extension = NULL; - QSHScheme* format = NULL; - int ret = 0; - - /* sanity check */ - if (extensions == NULL || (pKey == NULL && pkeySz != 0)) - return BAD_FUNC_ARG; - - extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); - - /* if scheme is implemented than add */ - if (TLSX_HaveQSHScheme(name)) { - if ((ret = TLSX_QSH_Append(&format, name, pKey, pkeySz)) != 0) - return ret; - - extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); - if (!extension) { - if ((ret = TLSX_Push(extensions, TLSX_QUANTUM_SAFE_HYBRID, format, - heap)) != 0) { - XFREE(format, 0, DYNAMIC_TYPE_TLSX); - return ret; - } - } - else { - /* push new QSH object to extension data. 
*/ - format->next = (QSHScheme*)extension->data; - extension->data = (void*)format; - - /* look for another format of the same name to remove (replacement) */ - do { - if (format->next && (format->next->name == name)) { - QSHScheme* next = format->next; - - format->next = next->next; - XFREE(next, 0, DYNAMIC_TYPE_TLSX); - - break; - } - } while ((format = format->next)); - } - } - return WOLFSSL_SUCCESS; -} - -#define QSH_FREE_ALL TLSX_QSH_FreeAll -#define QSH_VALIDATE_REQUEST TLSX_QSH_ValidateRequest - -#ifndef NO_WOLFSSL_CLIENT -#define QSH_GET_SIZE TLSX_QSH_GetSize -#define QSH_WRITE TLSX_QSH_Write -#else -#define QSH_GET_SIZE(list, a) 0 -#define QSH_WRITE(a, b) 0 -#endif - -#ifndef NO_WOLFSSL_SERVER -#define QSH_PARSE TLSX_QSH_Parse -#else -#define QSH_PARSE(a, b, c, d) 0 -#endif - -#define QSHPK_WRITE TLSX_QSHPK_Write -#define QSH_SERREQ TLSX_QSH_SerPKReq -#else - -#define QSH_FREE_ALL(list, heap) -#define QSH_GET_SIZE(list, a) 0 -#define QSH_WRITE(a, b) 0 -#define QSH_PARSE(a, b, c, d) 0 -#define QSHPK_WRITE(a, b) 0 -#define QSH_SERREQ(a, b) 0 -#define QSH_VALIDATE_REQUEST(a, b) - -#endif /* HAVE_QSH */ - #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) /******************************************************************************/ /* Encrypt-then-MAC */ @@ -10089,10 +9476,6 @@ void TLSX_FreeAll(TLSX* list, void* heap) WOLF_STK_FREE(extension->data, heap); break; - case TLSX_QUANTUM_SAFE_HYBRID: - QSH_FREE_ALL((QSHScheme*)extension->data, heap); - break; - case TLSX_APPLICATION_LAYER_PROTOCOL: ALPN_FREE_ALL((ALPN*)extension->data, heap); break; @@ -10236,10 +9619,6 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType, isRequest); break; - case TLSX_QUANTUM_SAFE_HYBRID: - length += QSH_GET_SIZE((QSHScheme*)extension->data, isRequest); - break; - case TLSX_APPLICATION_LAYER_PROTOCOL: length += ALPN_GET_SIZE((ALPN*)extension->data); break; 
@@ -10408,15 +9787,6 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore,
 output + offset, isRequest);
 break;
- case TLSX_QUANTUM_SAFE_HYBRID:
- WOLFSSL_MSG("Quantum-Safe-Hybrid extension to write");
- if (isRequest) {
- offset += QSH_WRITE((QSHScheme*)extension->data, output + offset);
- }
- offset += QSHPK_WRITE((QSHScheme*)extension->data, output + offset);
- offset += QSH_SERREQ(output + offset, isRequest);
- break;
-
 case TLSX_APPLICATION_LAYER_PROTOCOL:
 WOLFSSL_MSG("ALPN extension to write");
 offset += ALPN_WRITE((ALPN*)extension->data, output + offset);
@@ -10506,197 +9876,6 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore, return ret; } - -#if defined(HAVE_NTRU) && defined(HAVE_QSH) - -static word32 GetEntropy(unsigned char* out, word32 num_bytes) -{ - int ret = 0; - - if (gRng == NULL) { - if ((gRng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, - DYNAMIC_TYPE_TLSX)) == NULL) - return DRBG_OUT_OF_MEMORY; - wc_InitRng(gRng); - } - - if (gRngMutex == NULL) { - if ((gRngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), NULL, - DYNAMIC_TYPE_TLSX)) == NULL) - return DRBG_OUT_OF_MEMORY; - wc_InitMutex(gRngMutex); - } - - ret |= wc_LockMutex(gRngMutex); - ret |= wc_RNG_GenerateBlock(gRng, out, num_bytes); - ret |= wc_UnLockMutex(gRngMutex); - - if (ret != 0) - return DRBG_ENTROPY_FAIL; - - return DRBG_OK; -} -#endif - - -#ifdef HAVE_QSH -static int TLSX_CreateQSHKey(WOLFSSL* ssl, int type) -{ - int ret = -1; - - (void)ssl; - - switch (type) { -#ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - ret = TLSX_CreateNtruKey(ssl, type); - break; -#endif - default: - WOLFSSL_MSG("Unknown type for creating NTRU key"); - break; - } - - return ret; -} - - -static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key) -{ - QSHKey* current; - - if (key == NULL) - return BAD_FUNC_ARG; - - /* if no public key stored in key then do not add */ - if (key->pub.length == 0 || key->pub.buffer == NULL) - return 0; - - /* first element to be added to the list */ - current = *list; - if (current == NULL) { - *list = key; - return 0; - } - - while (current->next) { - /* can only have one of the key in the list */ - if (current->name == key->name) - return -1; - current = (QSHKey*)current->next; - } - - current->next = (struct QSHKey*)key; - - return 0; -} - - -#if defined(HAVE_NTRU) -int TLSX_CreateNtruKey(WOLFSSL* ssl, int type) -{ - int ret = -1; - int ntruType; - - /* variable declarations for NTRU*/ - QSHKey* temp = NULL; - byte public_key[1027]; - word16 public_key_len = 
sizeof(public_key); - byte private_key[1120]; - word16 private_key_len = sizeof(private_key); - DRBG_HANDLE drbg; - - if (ssl == NULL) - return BAD_FUNC_ARG; - - switch (type) { - case WOLFSSL_NTRU_EESS439: - ntruType = NTRU_EES439EP1; - break; - case WOLFSSL_NTRU_EESS593: - ntruType = NTRU_EES593EP1; - break; - case WOLFSSL_NTRU_EESS743: - ntruType = NTRU_EES743EP1; - break; - default: - WOLFSSL_MSG("Unknown type for creating NTRU key"); - return -1; - } - ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg); - if (ret != DRBG_OK) { - WOLFSSL_MSG("NTRU drbg instantiate failed\n"); - return ret; - } - - if ((ret = ntru_crypto_ntru_encrypt_keygen(drbg, ntruType, - &public_key_len, NULL, &private_key_len, NULL)) != NTRU_OK) - return ret; - - if ((ret = ntru_crypto_ntru_encrypt_keygen(drbg, ntruType, - &public_key_len, public_key, &private_key_len, private_key)) != NTRU_OK) - return ret; - - ret = ntru_crypto_drbg_uninstantiate(drbg); - if (ret != NTRU_OK) { - WOLFSSL_MSG("NTRU drbg uninstantiate failed\n"); - return ret; - } - - if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), ssl->heap, - DYNAMIC_TYPE_TLSX)) == NULL) - return MEMORY_E; - temp->name = type; - temp->pub.length = public_key_len; - temp->pub.buffer = (byte*)XMALLOC(public_key_len, ssl->heap, - DYNAMIC_TYPE_PUBLIC_KEY); - XMEMCPY(temp->pub.buffer, public_key, public_key_len); - temp->pri.length = private_key_len; - temp->pri.buffer = (byte*)XMALLOC(private_key_len, ssl->heap, - DYNAMIC_TYPE_ARRAYS); - XMEMCPY(temp->pri.buffer, private_key, private_key_len); - temp->next = NULL; - - TLSX_AddQSHKey(&ssl->QSH_Key, temp); - - (void)ssl; - (void)type; - - return ret; -} -#endif - - -/* - Used to find a public key from the list of keys - pubLen length of array - name input the name of the scheme looking for ie WOLFSSL_NTRU_ESSXXX - - returns a pointer to public key byte* or NULL if not found - */ -static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name) -{ - QSHKey* current = qsh; - - 
if (qsh == NULL || pubLen == NULL) - return NULL; - - *pubLen = 0; - - while(current) { - if (current->name == name) { - *pubLen = current->pub.length; - return current->pub.buffer; - } - current = (QSHKey*)current->next; - } - - return NULL; -} -#endif /* HAVE_QSH */ - #ifdef HAVE_SUPPORTED_CURVES /* Populates the default supported groups / curves */ 
@@ -11021,98 +10200,13 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) int usingPSK = 0; #endif -#if (defined(HAVE_SUPPORTED_CURVES) && defined(WOLFSSL_TLS13)) || \ - defined(HAVE_QSH) - TLSX* extension = NULL; -#endif #if defined(HAVE_SUPPORTED_CURVES) && defined(WOLFSSL_TLS13) + TLSX* extension = NULL; word16 namedGroup = 0; #endif -#ifdef HAVE_QSH - QSHScheme* qsh; - QSHScheme* next; - - /* add supported QSHSchemes */ - WOLFSSL_MSG("Adding supported QSH Schemes"); -#endif /* server will add extension depending on what is parsed from client */ if (!isServer) { -#ifdef HAVE_QSH - /* test if user has set a specific scheme already */ - if (!ssl->user_set_QSHSchemes) { - if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) { - if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS743)) != 0) { - WOLFSSL_MSG("Error creating ntru keys"); - return ret; - } - if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS593)) != 0) { - WOLFSSL_MSG("Error creating ntru keys"); - return ret; - } - if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS439)) != 0) { - WOLFSSL_MSG("Error creating ntru keys"); - return ret; - } - - /* add NTRU 256 */ - public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, - &public_key_len, WOLFSSL_NTRU_EESS743); - } - if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS743, - public_key, public_key_len, ssl->heap) - != WOLFSSL_SUCCESS) - ret = -1; - - /* add NTRU 196 */ - if (ssl->sendQSHKeys) { - public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, - &public_key_len, WOLFSSL_NTRU_EESS593); - } - if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS593, - public_key, public_key_len, ssl->heap) - != WOLFSSL_SUCCESS) - ret = -1; - - /* add NTRU 128 */ - if (ssl->sendQSHKeys) { - public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, - &public_key_len, WOLFSSL_NTRU_EESS439); - } - if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS439, - public_key, public_key_len, ssl->heap) - != 
WOLFSSL_SUCCESS) - ret = -1; - } - else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) { - /* for each scheme make a client key */ - extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); - if (extension) { - qsh = (QSHScheme*)extension->data; - - while (qsh) { - if ((ret = TLSX_CreateQSHKey(ssl, qsh->name)) != 0) - return ret; - - /* get next now because qsh could be freed */ - next = qsh->next; - - /* find the public key created and add to extension*/ - public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, - &public_key_len, qsh->name); - if (TLSX_UseQSHScheme(&ssl->extensions, qsh->name, - public_key, public_key_len, - ssl->heap) != WOLFSSL_SUCCESS) - ret = -1; - qsh = next; - } - } - } - if (ret != 0) { - return ret; - } -#endif - #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) if (!ssl->options.disallowEncThenMac) { ret = TLSX_EncryptThenMac_Use(ssl); @@ -11420,7 +10514,6 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength) if (msgType == client_hello) { EC_VALIDATE_REQUEST(ssl, semaphore); PF_VALIDATE_REQUEST(ssl, semaphore); - QSH_VALIDATE_REQUEST(ssl, semaphore); WOLF_STK_VALIDATE_REQUEST(ssl); #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) if (ssl->suites->hashSigAlgoSz == 0) @@ -11515,7 +10608,6 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset) EC_VALIDATE_REQUEST(ssl, semaphore); PF_VALIDATE_REQUEST(ssl, semaphore); WOLF_STK_VALIDATE_REQUEST(ssl); - QSH_VALIDATE_REQUEST(ssl, semaphore); #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) if (ssl->suites->hashSigAlgoSz == 0) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); 
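Review bot: The `@@ -11021,98 +10200,13 @@` hunk of TLSX_PopulateExtensions deletes every visible assignment and read of `public_key` and `public_key_len`, but their declarations sit above the hunk and are not touched here. If they are still declared, they are now dead locals and will raise unused-variable warnings unless a void cast silences them; I would remove the declarations (and any `(void)public_key;` / `(void)public_key_len;` casts) in the same commit rather than leave QSH residue in the function. The function starts and ends outside the hunk, so this needs checking against the full file.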
@@ -11724,15 +10816,6 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
 #endif
 }
- #ifdef HAVE_QSH
- /* change response if not using TLS_QSH */
- if (!ssl->options.haveQSH) {
- TLSX* ext = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
- if (ext)
- ext->resp = 0;
- }
- #endif
-
 #ifdef HAVE_EXTENDED_MASTER
 if (ssl->options.haveEMS && msgType == server_hello && !IsAtLeastTLSv1_3(ssl->version)) {
@@ -12179,19 +11262,6 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType,
 ret = WOLF_STK_PARSE(ssl, input + offset, size, isRequest);
 break;
- case TLSX_QUANTUM_SAFE_HYBRID:
- WOLFSSL_MSG("Quantum-Safe-Hybrid extension received");
- #ifdef WOLFSSL_DEBUG_TLS
- WOLFSSL_BUFFER(input + offset, size);
- #endif
-
-#if defined(WOLFSSL_TLS13) && defined(HAVE_QSH)
- if (IsAtLeastTLSv1_3(ssl->version))
- break;
-#endif
- ret = QSH_PARSE(ssl, input + offset, size, isRequest);
- break;
-
 case TLSX_APPLICATION_LAYER_PROTOCOL:
 WOLFSSL_MSG("ALPN extension received");
diff --git a/src/tls13.c b/src/tls13.c
index 2e5980e60..3963cb18a 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -106,10 +106,6 @@
 #include
 #endif
-#ifdef HAVE_NTRU
- #include "libntruencrypt/ntru_crypto.h"
-#endif
-
 #ifdef __sun
 #include
 #endif
@@ -9082,10 +9078,9 @@ void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl,
 keySz = ssl->buffers.keySz;
 #endif
 InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
- ssl->options.haveDH, ssl->options.haveNTRU,
- ssl->options.haveECDSAsig, ssl->options.haveECC,
- ssl->options.haveStaticECC, ssl->options.haveAnon,
- ssl->options.side);
+ ssl->options.haveDH, ssl->options.haveECDSAsig,
+ ssl->options.haveECC, ssl->options.haveStaticECC,
+ ssl->options.haveAnon, ssl->options.side);
 }
 /* Set the PSK callback that returns the cipher suite for a client to use
@@ -9133,10 +9128,9 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
 keySz = ssl->buffers.keySz;
 #endif
 InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
- ssl->options.haveDH, ssl->options.haveNTRU,
- ssl->options.haveECDSAsig, ssl->options.haveECC,
- ssl->options.haveStaticECC, ssl->options.haveAnon,
- ssl->options.side);
+ ssl->options.haveDH, ssl->options.haveECDSAsig,
+ ssl->options.haveECC, ssl->options.haveStaticECC,
+ ssl->options.haveAnon, ssl->options.side);
 }
 /* Set the PSK callback that returns the cipher suite for a server to use
@@ -9181,10 +9175,9 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
 keySz = ssl->buffers.keySz;
 #endif
 InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
- ssl->options.haveDH, ssl->options.haveNTRU,
- ssl->options.haveECDSAsig, ssl->options.haveECC,
- ssl->options.haveStaticECC, ssl->options.haveAnon,
- ssl->options.side);
+ ssl->options.haveDH, ssl->options.haveECDSAsig,
+ ssl->options.haveECC, ssl->options.haveStaticECC,
+ ssl->options.haveAnon, ssl->options.side);
 }
 /* Get name of first supported cipher suite that uses the hash indicated.
diff --git a/tests/api.c b/tests/api.c
index e37eb27fd..352b7cbfc 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -490,7 +490,7 @@ static int test_wolfCrypt_Init(void)
 svrCertFile, svrKeyFile, caCertFile, eccCertFile, eccKeyFile, eccRsaCertFile, cliCertFile, cliCertDerFile, cliKeyFile,
- ntruCertFile, ntruKeyFile, dhParamFile,
+ dhParamFile,
 cliEccKeyFile, cliEccCertFile, caEccCertFile, edCertFile, edKeyFile, cliEdCertFile, cliEdKeyFile, caEdCertFile, NULL
@@ -39536,10 +39536,6 @@ static void test_wolfSSL_X509_check_ca(void){
 AssertIntEQ(wolfSSL_X509_check_ca(x509), 1);
 wolfSSL_X509_free(x509);
- x509 = wolfSSL_X509_load_certificate_file(ntruCertFile, WOLFSSL_FILETYPE_PEM);
- AssertIntEQ(wolfSSL_X509_check_ca(x509), 0);
- wolfSSL_X509_free(x509);
-
 printf(resultFmt, passed);
 #endif
 }
@@ -47225,7 +47221,6 @@ static void test_wolfSSL_CTX_LoadCRL(void) const char* badPath = "dummypath"; const char* validPath = "./certs/crl"; int derType = WOLFSSL_FILETYPE_ASN1; - int rawType = WOLFSSL_FILETYPE_RAW; int pemType = WOLFSSL_FILETYPE_PEM; int monitor = WOLFSSL_CRL_MONITOR; @@ -47247,7 +47242,6 @@ static void test_wolfSSL_CTX_LoadCRL(void) SUCC_T (wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, monitor); SUCC_T (wolfSSL_CTX_LoadCRL, ctx, badPath, pemType, monitor); SUCC_T (wolfSSL_CTX_LoadCRL, ctx, badPath, derType, monitor); - SUCC_T (wolfSSL_CTX_LoadCRL, ctx, badPath, rawType, monitor); wolfSSL_CTX_free(ctx); ctx = NULL; diff --git a/tests/include.am b/tests/include.am index aade835f0..4e704c896 100644 --- a/tests/include.am +++ b/tests/include.am @@ -24,8 +24,6 @@ EXTRA_DIST += tests/test.conf \ tests/test-tls13-down.conf \ tests/test-tls13-ecc.conf \ tests/test-tls13-psk.conf \ - tests/test-qsh.conf \ - tests/test-qsh-sha2.conf \ tests/test-psk.conf \ tests/test-psk-no-id.conf \ tests/test-psk-no-id-sha2.conf \ diff --git a/tests/suites.c b/tests/suites.c index dc5ab94c4..453a4ec0e 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -155,15 +155,6 @@ static int IsValidCipherSuite(const char* line, char *suite, size_t suite_spc) found = 1; } - /* if QSH not enabled then do not use QSH suite */ - #ifdef HAVE_QSH - if (suite[0] && (XSTRNCMP(suite, "QSH", 3) == 0)) { - if (wolfSSL_CTX_set_cipher_list(cipherSuiteCtx, suite + 4) - != WOLFSSL_SUCCESS) - return 0; - } - #endif - if (found) { if (wolfSSL_CTX_set_cipher_list(cipherSuiteCtx, suite) == WOLFSSL_SUCCESS) valid = 1; 
@@ -1072,27 +1063,6 @@ int SuiteTest(int argc, char** argv) } #endif /* HAVE_RSA and HAVE_ECC */ #endif /* !WC_STRICT_SIG */ -#ifdef HAVE_QSH - /* add QSH extra suites */ - strcpy(argv0[1], "tests/test-qsh.conf"); - printf("starting qsh extra cipher suite tests\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - args.return_code = EXIT_FAILURE; - goto exit; - } -#ifdef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES - strcpy(argv0[1], "tests/test-qsh-sha2.conf"); - printf("starting qsh extra cipher suite tests - old TLS sha-2 cs\n"); - test_harness(&args); - if (args.return_code != 0) { - printf("error from script %d\n", args.return_code); - args.return_code = EXIT_FAILURE; - goto exit; - } -#endif -#endif #ifndef NO_PSK #ifndef WOLFSSL_NO_TLS12 #if !defined(NO_RSA) || defined(HAVE_ECC) diff --git a/tests/test-qsh-sha2.conf b/tests/test-qsh-sha2.conf deleted file mode 100644 index 921f098be..000000000 --- a/tests/test-qsh-sha2.conf +++ /dev/null 
@@ -1,303 +0,0 @@ -# server TLSv1 AES128-SHA256 --v 1 --l QSH:AES128-SHA256 - -# client TLSv1 AES128-SHA256 --v 1 --l QSH:AES128-SHA256 - -# server TLSv1 AES256-SHA256 --v 1 --l QSH:AES256-SHA256 - -# client TLSv1 AES256-SHA256 --v 1 --l QSH:AES256-SHA256 - -# server TLSv1.1 AES128-SHA256 --v 2 --l QSH:AES128-SHA256 - -# client TLSv1.1 AES128-SHA256 --v 2 --l QSH:AES128-SHA256 - -# server TLSv1.1 AES256-SHA256 --v 2 --l QSH:AES256-SHA256 - -# client TLSv1.1 AES256-SHA256 --v 2 --l QSH:AES256-SHA256 - -# server TLSv1 DHE AES128-SHA256 --v 1 --l QSH:DHE-RSA-AES128-SHA256 - -# client TLSv1 DHE AES128-SHA256 --v 1 --l QSH:DHE-RSA-AES128-SHA256 - -# server TLSv1 DHE AES256-SHA256 --v 1 --l QSH:DHE-RSA-AES256-SHA256 - -# client TLSv1 DHE AES256-SHA256 --v 1 --l QSH:DHE-RSA-AES256-SHA256 - -# server TLSv1.1 DHE AES128-SHA256 --v 2 --l QSH:DHE-RSA-AES128-SHA256 - -# client TLSv1.1 DHE AES128-SHA256 --v 2 --l QSH:DHE-RSA-AES128-SHA256 - -# server TLSv1.1 DHE AES256-SHA256 --v 2 --l QSH:DHE-RSA-AES256-SHA256 - -# client TLSv1.1 DHE AES256-SHA256 --v 2 --l QSH:DHE-RSA-AES256-SHA256 - -# server TLSv1 ECDHE-PSK-AES128-SHA256 --s --v 1 --l QSH:ECDHE-PSK-AES128-SHA256 - -# client TLSv1 ECDHE-PSK-AES128-SHA256 --s --v 1 --l QSH:ECDHE-PSK-AES128-SHA256 - -# server TLSv1.1 ECDHE-PSK-AES128-SHA256 --s --v 2 --l QSH:ECDHE-PSK-AES128-SHA256 - -# client TLSv1.1 ECDHE-PSK-AES128-SHA256 --s --v 2 --l QSH:ECDHE-PSK-AES128-SHA256 - -# server TLSv1 ECDHE-PSK-NULL-SHA256 --s --v 1 --l QSH:ECDHE-PSK-NULL-SHA256 - -# client TLSv1 ECDHE-PSK-NULL-SHA256 --s --v 1 --l QSH:ECDHE-PSK-NULL-SHA256 - -# server TLSv1.1 ECDHE-PSK-NULL-SHA256 --s --v 2 --l QSH:ECDHE-PSK-NULL-SHA256 - -# client TLSv1.1 ECDHE-PSK-NULL-SHA256 --s --v 2 --l QSH:ECDHE-PSK-NULL-SHA256 - -# server TLSv1.0 PSK-AES128-SHA256 --s --v 1 --l QSH:PSK-AES128-CBC-SHA256 - -# client TLSv1.0 PSK-AES128-SHA256 --s --v 1 --l QSH:PSK-AES128-CBC-SHA256 - -# server TLSv1.1 PSK-AES128-SHA256 --s --v 2 --l QSH:PSK-AES128-CBC-SHA256 - -# client 
TLSv1.1 PSK-AES128-SHA256 --s --v 2 --l QSH:PSK-AES128-CBC-SHA256 - -# server TLSv1.0 PSK-AES256-SHA384 --s --v 1 --l QSH:PSK-AES256-CBC-SHA384 - -# client TLSv1.0 PSK-AES256-SHA384 --s --v 1 --l QSH:PSK-AES256-CBC-SHA384 - -# server TLSv1.1 PSK-AES256-SHA384 --s --v 2 --l QSH:PSK-AES256-CBC-SHA384 - -# client TLSv1.1 PSK-AES256-SHA384 --s --v 2 --l QSH:PSK-AES256-CBC-SHA384 - -# server TLSv1.0 RSA-NULL-SHA256 --v 1 --l QSH:NULL-SHA256 - -# client TLSv1.0 RSA-NULL-SHA256 --v 1 --l QSH:NULL-SHA256 - -# server TLSv1.1 RSA-NULL-SHA256 --v 2 --l QSH:NULL-SHA256 - -# client TLSv1.1 RSA-NULL-SHA256 --v 2 --l QSH:NULL-SHA256 - -# server TLSv1 CAMELLIA128-SHA256 --v 1 --l QSH:CAMELLIA128-SHA256 - -# client TLSv1 CAMELLIA128-SHA256 --v 1 --l QSH:CAMELLIA128-SHA256 - -# server TLSv1 CAMELLIA256-SHA256 --v 1 --l QSH:CAMELLIA256-SHA256 - -# client TLSv1 CAMELLIA256-SHA256 --v 1 --l QSH:CAMELLIA256-SHA256 - -# server TLSv1.1 CAMELLIA128-SHA256 --v 2 --l QSH:CAMELLIA128-SHA256 - -# client TLSv1.1 CAMELLIA128-SHA256 --v 2 --l QSH:CAMELLIA128-SHA256 - -# server TLSv1.1 CAMELLIA256-SHA256 --v 2 --l QSH:CAMELLIA256-SHA256 - -# client TLSv1.1 CAMELLIA256-SHA256 --v 2 --l QSH:CAMELLIA256-SHA256 - -# server TLSv1 DHE-RSA-CAMELLIA128-SHA256 --v 1 --l QSH:DHE-RSA-CAMELLIA128-SHA256 - -# client TLSv1 DHE-RSA-CAMELLIA128-SHA256 --v 1 --l QSH:DHE-RSA-CAMELLIA128-SHA256 - -# server TLSv1 DHE-RSA-CAMELLIA256-SHA256 --v 1 --l QSH:DHE-RSA-CAMELLIA256-SHA256 - -# client TLSv1 DHE-RSA-CAMELLIA256-SHA256 --v 1 --l QSH:DHE-RSA-CAMELLIA256-SHA256 - -# server TLSv1.1 DHE-RSA-CAMELLIA128-SHA256 --v 2 --l QSH:DHE-RSA-CAMELLIA128-SHA256 - -# client TLSv1.1 DHE-RSA-CAMELLIA128-SHA256 --v 2 --l QSH:DHE-RSA-CAMELLIA128-SHA256 - -# server TLSv1.1 DHE-RSA-CAMELLIA256-SHA256 --v 2 --l QSH:DHE-RSA-CAMELLIA256-SHA256 - -# client TLSv1.1 DHE-RSA-CAMELLIA256-SHA256 --v 2 --l QSH:DHE-RSA-CAMELLIA256-SHA256 - -# server TLSv1.0 DHE-PSK-AES128-CBC-SHA256 --s --v 1 --l QSH:DHE-PSK-AES128-CBC-SHA256 - -# client TLSv1.0 
DHE-PSK-AES128-CBC-SHA256 --s --v 1 --l QSH:DHE-PSK-AES128-CBC-SHA256 - -# server TLSv1.1 DHE-PSK-AES128-CBC-SHA256 --s --v 2 --l QSH:DHE-PSK-AES128-CBC-SHA256 - -# client TLSv1.1 DHE-PSK-AES128-CBC-SHA256 --s --v 2 --l QSH:DHE-PSK-AES128-CBC-SHA256 - -# server TLSv1.0 DHE-PSK-AES256-CBC-SHA384 --s --v 1 --l QSH:DHE-PSK-AES256-CBC-SHA384 - -# client TLSv1.0 DHE-PSK-AES256-CBC-SHA384 --s --v 1 --l QSH:DHE-PSK-AES256-CBC-SHA384 - -# server TLSv1.1 DHE-PSK-AES256-CBC-SHA384 --s --v 2 --l QSH:DHE-PSK-AES256-CBC-SHA384 - -# client TLSv1.1 DHE-PSK-AES256-CBC-SHA384 --s --v 2 --l QSH:DHE-PSK-AES256-CBC-SHA384 - -# server TLSv1.0 DHE-PSK-NULL-SHA256 --s --v 1 --l QSH:DHE-PSK-NULL-SHA256 - -# client TLSv1.0 DHE-PSK-NULL-SHA256 --s --v 1 --l QSH:DHE-PSK-NULL-SHA256 - -# server TLSv1.1 DHE-PSK-NULL-SHA256 --s --v 2 --l QSH:DHE-PSK-NULL-SHA256 - -# client TLSv1.1 DHE-PSK-NULL-SHA256 --s --v 2 --l QSH:DHE-PSK-NULL-SHA256 - -# server TLSv1.0 DHE-PSK-NULL-SHA384 --s --v 1 --l QSH:DHE-PSK-NULL-SHA384 - -# client TLSv1.0 DHE-PSK-NULL-SHA384 --s --v 1 --l QSH:DHE-PSK-NULL-SHA384 - -# server TLSv1.1 DHE-PSK-NULL-SHA384 --s --v 2 --l QSH:DHE-PSK-NULL-SHA384 - -# client TLSv1.1 DHE-PSK-NULL-SHA384 --s --v 2 --l QSH:DHE-PSK-NULL-SHA384 diff --git a/tests/test-qsh.conf b/tests/test-qsh.conf deleted file mode 100644 index 5093e1786..000000000 --- a/tests/test-qsh.conf +++ /dev/null 
@@ -1,1836 +0,0 @@ -# server TLSv1.2 DHE-PSK-CHACHA20-POLY1305 --v 3 --s --l QSH:DHE-PSK-CHACHA20-POLY1305 - -# client TLSv1.2 DHE-PSK-CHACHA20-POLY1305 --v 3 --s --l QSH:DHE-PSK-CHACHA20-POLY1305 - -# server TLSv1.2 ECDHE-PSK-CHACHA20-POLY1305 --v 3 --s --l QSH:ECDHE-PSK-CHACHA20-POLY1305 - -# client TLSv1.2 ECDHE-PSK-CHACHA20-POLY1305 --v 3 --s --l QSH:ECDHE-PSK-CHACHA20-POLY1305 - -# server TLSv1.2 PSK-CHACHA20-POLY1305 --v 3 --s --l QSH:PSK-CHACHA20-POLY1305 - -# client TLSv1.2 PSK-CHACHA20-POLY1305 --v 3 --s --l QSH:PSK-CHACHA20-POLY1305 - -# server TLSv1.2 DHE-RSA-CHACHA20-POLY1305-OLD --v 3 --l QSH:DHE-RSA-CHACHA20-POLY1305-OLD - -# client TLSv1.2 DHE-RSA-CHACHA20-POLY1305-OLD --v 3 --l QSH:DHE-RSA-CHACHA20-POLY1305-OLD - -# server TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-OLD --v 3 --l QSH:ECDHE-RSA-CHACHA20-POLY1305-OLD - -# client TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305-OLD --v 3 --l QSH:ECDHE-RSA-CHACHA20-POLY1305-OLD - -# server TLSv1.2 ECDHE-EDCSA-CHACHA20-POLY1305-OLD --v 3 --l QSH:ECDHE-ECDSA-CHACHA20-POLY1305-OLD --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305-OLD --v 3 --l QSH:ECDHE-ECDSA-CHACHA20-POLY1305-OLD --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 DHE-RSA-CHACHA20-POLY1305 --v 3 --l QSH:DHE-RSA-CHACHA20-POLY1305 - -# client TLSv1.2 DHE-RSA-CHACHA20-POLY1305 --v 3 --l QSH:DHE-RSA-CHACHA20-POLY1305 - -# server TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 --v 3 --l QSH:ECDHE-RSA-CHACHA20-POLY1305 - -# client TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 --v 3 --l QSH:ECDHE-RSA-CHACHA20-POLY1305 - -# server TLSv1.2 ECDHE-EDCSA-CHACHA20-POLY1305 --v 3 --l QSH:ECDHE-ECDSA-CHACHA20-POLY1305 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 --v 3 --l QSH:ECDHE-ECDSA-CHACHA20-POLY1305 --A ./certs/ca-ecc-cert.pem - -# server SSLv3 RC4-SHA --v 0 --l QSH:RC4-SHA - -# client SSLv3 RC4-SHA --v 0 --l QSH:RC4-SHA - -# server SSLv3 RC4-MD5 --v 0 --l QSH:RC4-MD5 - -# client SSLv3 
RC4-MD5 --v 0 --l QSH:RC4-MD5 - -# server SSLv3 DES-CBC3-SHA --v 0 --l QSH:DES-CBC3-SHA - -# client SSLv3 DES-CBC3-SHA --v 0 --l QSH:DES-CBC3-SHA - -# server SSLv3 IDEA-CBC-SHA --v 0 --l QSH:IDEA-CBC-SHA - -# client SSLv3 IDEA-CBC-SHA --v 0 --l QSH:IDEA-CBC-SHA - -# server TLSv1 RC4-SHA --v 1 --l QSH:RC4-SHA - -# client TLSv1 RC4-SHA --v 1 --l QSH:RC4-SHA - -# server TLSv1 RC4-MD5 --v 1 --l QSH:RC4-MD5 - -# client TLSv1 RC4-MD5 --v 1 --l QSH:RC4-MD5 - -# server TLSv1 DES-CBC3-SHA --v 1 --l QSH:DES-CBC3-SHA - -# client TLSv1 DES-CBC3-SHA --v 1 --l QSH:DES-CBC3-SHA - -# server TLSv1 IDEA-CBC-SHA --v 1 --l QSH:IDEA-CBC-SHA - -# client TLSv1 IDEA-CBC-SHA --v 1 --l QSH:IDEA-CBC-SHA - -# server TLSv1 AES128-SHA --v 1 --l QSH:AES128-SHA - -# client TLSv1 AES128-SHA --v 1 --l QSH:AES128-SHA - -# server TLSv1 AES256-SHA --v 1 --l QSH:AES256-SHA - -# client TLSv1 AES256-SHA --v 1 --l QSH:AES256-SHA - -# server TLSv1.1 RC4-SHA --v 2 --l QSH:RC4-SHA - -# client TLSv1.1 RC4-SHA --v 2 --l QSH:RC4-SHA - -# server TLSv1.1 RC4-MD5 --v 2 --l QSH:RC4-MD5 - -# client TLSv1.1 RC4-MD5 --v 2 --l QSH:RC4-MD5 - -# server TLSv1.1 IDEA-CBC-SHA --v 2 --l QSH:IDEA-CBC-SHA - -# client TLSv1.1 IDEA-CBC-SHA --v 2 --l QSH:IDEA-CBC-SHA - -# server TLSv1.1 DES-CBC3-SHA --v 2 --l QSH:DES-CBC3-SHA - -# client TLSv1.1 DES-CBC3-SHA --v 2 --l QSH:DES-CBC3-SHA - -# server TLSv1.1 AES128-SHA --v 2 --l QSH:AES128-SHA - -# client TLSv1.1 AES128-SHA --v 2 --l QSH:AES128-SHA - -# server TLSv1.1 AES256-SHA --v 2 --l QSH:AES256-SHA - -# client TLSv1.1 AES256-SHA --v 2 --l QSH:AES256-SHA - -# server TLSv1.2 RC4-SHA --v 3 --l QSH:RC4-SHA - -# client TLSv1.2 RC4-SHA --v 3 --l QSH:RC4-SHA - -# server TLSv1.2 RC4-MD5 --v 3 --l QSH:RC4-MD5 - -# client TLSv1.2 RC4-MD5 --v 3 --l QSH:RC4-MD5 - -# server TLSv1.2 DES-CBC3-SHA --v 3 --l QSH:DES-CBC3-SHA - -# client TLSv1.2 DES-CBC3-SHA --v 3 --l QSH:DES-CBC3-SHA - -# server TLSv1.2 AES128-SHA --v 3 --l QSH:AES128-SHA - -# client TLSv1.2 AES128-SHA --v 3 --l QSH:AES128-SHA - 
-# server TLSv1.2 AES256-SHA --v 3 --l QSH:AES256-SHA - -# client TLSv1.2 AES256-SHA --v 3 --l QSH:AES256-SHA - -# server TLSv1.2 AES128-SHA256 --v 3 --l QSH:AES128-SHA256 - -# client TLSv1.2 AES128-SHA256 --v 3 --l QSH:AES128-SHA256 - -# server TLSv1.2 AES256-SHA256 --v 3 --l QSH:AES256-SHA256 - -# client TLSv1.2 AES256-SHA256 --v 3 --l QSH:AES256-SHA256 - -# server TLSv1 ECDHE-RSA-RC4 --v 1 --l QSH:ECDHE-RSA-RC4-SHA - -# client TLSv1 ECDHE-RSA-RC4 --v 1 --l QSH:ECDHE-RSA-RC4-SHA - -# server TLSv1 ECDHE-RSA-DES3 --v 1 --l QSH:ECDHE-RSA-DES-CBC3-SHA - -# client TLSv1 ECDHE-RSA-DES3 --v 1 --l QSH:ECDHE-RSA-DES-CBC3-SHA - -# server TLSv1 ECDHE-RSA-AES128 --v 1 --l QSH:ECDHE-RSA-AES128-SHA - -# client TLSv1 ECDHE-RSA-AES128 --v 1 --l QSH:ECDHE-RSA-AES128-SHA - -# server TLSv1 ECDHE-RSA-AES256 --v 1 --l QSH:ECDHE-RSA-AES256-SHA - -# client TLSv1 ECDHE-RSA-AES256 --v 1 --l QSH:ECDHE-RSA-AES256-SHA - -# server TLSv1 ECDHE-ECDSA-NULL-SHA --v 1 --l QSH:ECDHE-ECDSA-NULL-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDHE-ECDSA-NULL-SHA --v 1 --l QSH:ECDHE-ECDSA-NULL-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDHE-ECDSA-NULL-SHA --v 2 --l QSH:ECDHE-ECDSA-NULL-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDHE-ECDSA-NULL-SHA --v 2 --l QSH:ECDHE-ECDSA-NULL-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-NULL-SHA --v 3 --l QSH:ECDHE-ECDSA-NULL-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-NULL-SHA --v 3 --l QSH:ECDHE-ECDSA-NULL-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDHE-RSA-RC4 --v 2 --l QSH:ECDHE-RSA-RC4-SHA - -# client TLSv1.1 ECDHE-RSA-RC4 --v 2 --l QSH:ECDHE-RSA-RC4-SHA - -# server TLSv1.1 ECDHE-RSA-DES3 --v 2 --l QSH:ECDHE-RSA-DES-CBC3-SHA - -# client TLSv1.1 ECDHE-RSA-DES3 --v 2 --l QSH:ECDHE-RSA-DES-CBC3-SHA - -# server TLSv1.1 ECDHE-RSA-AES128 --v 2 --l QSH:ECDHE-RSA-AES128-SHA - -# client TLSv1.1 ECDHE-RSA-AES128 --v 2 --l 
QSH:ECDHE-RSA-AES128-SHA - -# server TLSv1.1 ECDHE-RSA-AES256 --v 2 --l QSH:ECDHE-RSA-AES256-SHA - -# client TLSv1.1 ECDHE-RSA-AES256 --v 2 --l QSH:ECDHE-RSA-AES256-SHA - -# server TLSv1.2 ECDHE-RSA-RC4 --v 3 --l QSH:ECDHE-RSA-RC4-SHA - -# client TLSv1.2 ECDHE-RSA-RC4 --v 3 --l QSH:ECDHE-RSA-RC4-SHA - -# server TLSv1.2 ECDHE-RSA-DES3 --v 3 --l QSH:ECDHE-RSA-DES-CBC3-SHA - -# client TLSv1.2 ECDHE-RSA-DES3 --v 3 --l QSH:ECDHE-RSA-DES-CBC3-SHA - -# server TLSv1.2 ECDHE-RSA-AES128 --v 3 --l QSH:ECDHE-RSA-AES128-SHA - -# client TLSv1.2 ECDHE-RSA-AES128 --v 3 --l QSH:ECDHE-RSA-AES128-SHA - -# server TLSv1.2 ECDHE-RSA-AES128-SHA256 --v 3 --l QSH:ECDHE-RSA-AES128-SHA256 - -# client TLSv1.2 ECDHE-RSA-AES128-SHA256 --v 3 --l QSH:ECDHE-RSA-AES128-SHA256 - -# server TLSv1.2 ECDHE-RSA-AES256 --v 3 --l QSH:ECDHE-RSA-AES256-SHA - -# client TLSv1.2 ECDHE-RSA-AES256 --v 3 --l QSH:ECDHE-RSA-AES256-SHA - -# server TLSv1 ECDHE-ECDSA-RC4 --v 1 --l QSH:ECDHE-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDHE-ECDSA-RC4 --v 1 --l QSH:ECDHE-ECDSA-RC4-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1 ECDHE-ECDSA-DES3 --v 1 --l QSH:ECDHE-ECDSA-DES-CBC3-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDHE-ECDSA-DES3 --v 1 --l QSH:ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1 ECDHE-ECDSA-AES128 --v 1 --l QSH:ECDHE-ECDSA-AES128-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDHE-ECDSA-AES128 --v 1 --l QSH:ECDHE-ECDSA-AES128-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1 ECDHE-ECDSA-AES256 --v 1 --l QSH:ECDHE-ECDSA-AES256-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDHE-ECDSA-AES256 --v 1 --l QSH:ECDHE-ECDSA-AES256-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDHE-EDCSA-RC4 --v 2 --l QSH:ECDHE-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDHE-ECDSA-RC4 --v 2 --l QSH:ECDHE-ECDSA-RC4-SHA --A 
./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDHE-ECDSA-DES3 --v 2 --l QSH:ECDHE-ECDSA-DES-CBC3-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDHE-ECDSA-DES3 --v 2 --l QSH:ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDHE-ECDSA-AES128 --v 2 --l QSH:ECDHE-ECDSA-AES128-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDHE-ECDSA-AES128 --v 2 --l QSH:ECDHE-ECDSA-AES128-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDHE-ECDSA-AES256 --v 2 --l QSH:ECDHE-ECDSA-AES256-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDHE-ECDSA-AES256 --v 2 --l QSH:ECDHE-ECDSA-AES256-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-RC4 --v 3 --l QSH:ECDHE-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-RC4 --v 3 --l QSH:ECDHE-ECDSA-RC4-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-DES3 --v 3 --l QSH:ECDHE-ECDSA-DES-CBC3-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-DES3 --v 3 --l QSH:ECDHE-ECDSA-DES-CBC3-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-AES128 --v 3 --l QSH:ECDHE-ECDSA-AES128-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES128 --v 3 --l QSH:ECDHE-ECDSA-AES128-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-AES128-SHA256 --v 3 --l QSH:ECDHE-ECDSA-AES128-SHA256 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES128-SHA256 --v 3 --l QSH:ECDHE-ECDSA-AES128-SHA256 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-AES256 --v 3 --l QSH:ECDHE-ECDSA-AES256-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES256 --v 3 --l QSH:ECDHE-ECDSA-AES256-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1 ECDH-RSA-RC4 --v 1 --l QSH:ECDH-RSA-RC4-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - 
-# client TLSv1 ECDH-RSA-RC4 --v 1 --l QSH:ECDH-RSA-RC4-SHA - -# server TLSv1 ECDH-RSA-DES3 --v 1 --l QSH:ECDH-RSA-DES-CBC3-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDH-RSA-DES3 --v 1 --l QSH:ECDH-RSA-DES-CBC3-SHA - -# server TLSv1 ECDH-RSA-AES128 --v 1 --l QSH:ECDH-RSA-AES128-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDH-RSA-AES128 --v 1 --l QSH:ECDH-RSA-AES128-SHA - -# server TLSv1 ECDH-RSA-AES256 --v 1 --l QSH:ECDH-RSA-AES256-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDH-RSA-AES256 --v 1 --l QSH:ECDH-RSA-AES256-SHA - -# server TLSv1.1 ECDH-RSA-RC4 --v 2 --l QSH:ECDH-RSA-RC4-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDH-RSA-RC4 --v 2 --l QSH:ECDH-RSA-RC4-SHA - -# server TLSv1.1 ECDH-RSA-DES3 --v 2 --l QSH:ECDH-RSA-DES-CBC3-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDH-RSA-DES3 --v 2 --l QSH:ECDH-RSA-DES-CBC3-SHA - -# server TLSv1.1 ECDH-RSA-AES128 --v 2 --l QSH:ECDH-RSA-AES128-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDH-RSA-AES128 --v 2 --l QSH:ECDH-RSA-AES128-SHA - -# server TLSv1.1 ECDH-RSA-AES256 --v 2 --l QSH:ECDH-RSA-AES256-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDH-RSA-AES256 --v 2 --l QSH:ECDH-RSA-AES256-SHA - -# server TLSv1.2 ECDH-RSA-RC4 --v 3 --l QSH:ECDH-RSA-RC4-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-RC4 --v 3 --l QSH:ECDH-RSA-RC4-SHA - -# server TLSv1.2 ECDH-RSA-DES3 --v 3 --l QSH:ECDH-RSA-DES-CBC3-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-DES3 --v 3 --l QSH:ECDH-RSA-DES-CBC3-SHA - -# server TLSv1.2 ECDH-RSA-AES128 --v 3 --l QSH:ECDH-RSA-AES128-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-AES128 --v 3 --l QSH:ECDH-RSA-AES128-SHA - -# server TLSv1.2 
ECDH-RSA-AES128-SHA256 --v 3 --l QSH:ECDH-RSA-AES128-SHA256 --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-AES128-SHA256 --v 3 --l QSH:ECDH-RSA-AES128-SHA256 - -# server TLSv1.2 ECDH-RSA-AES256 --v 3 --l QSH:ECDH-RSA-AES256-SHA --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-AES256 --v 3 --l QSH:ECDH-RSA-AES256-SHA - -# server TLSv1 ECDH-ECDSA-RC4 --v 1 --l QSH:ECDH-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDH-ECDSA-RC4 --v 1 --l QSH:ECDH-ECDSA-RC4-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1 ECDH-ECDSA-DES3 --v 1 --l QSH:ECDH-ECDSA-DES-CBC3-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDH-ECDSA-DES3 --v 1 --l QSH:ECDH-ECDSA-DES-CBC3-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1 ECDH-ECDSA-AES128 --v 1 --l QSH:ECDH-ECDSA-AES128-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDH-ECDSA-AES128 --v 1 --l QSH:ECDH-ECDSA-AES128-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1 ECDH-ECDSA-AES256 --v 1 --l QSH:ECDH-ECDSA-AES256-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1 ECDH-ECDSA-AES256 --v 1 --l QSH:ECDH-ECDSA-AES256-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDH-EDCSA-RC4 --v 2 --l QSH:ECDH-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDH-ECDSA-RC4 --v 2 --l QSH:ECDH-ECDSA-RC4-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDH-ECDSA-DES3 --v 2 --l QSH:ECDH-ECDSA-DES-CBC3-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDH-ECDSA-DES3 --v 2 --l QSH:ECDH-ECDSA-DES-CBC3-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDH-ECDSA-AES128 --v 2 --l QSH:ECDH-ECDSA-AES128-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDH-ECDSA-AES128 --v 2 --l QSH:ECDH-ECDSA-AES128-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.1 ECDH-ECDSA-AES256 --v 2 --l 
QSH:ECDH-ECDSA-AES256-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.1 ECDH-ECDSA-AES256 --v 2 --l QSH:ECDH-ECDSA-AES256-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-RC4 --v 3 --l QSH:ECDH-ECDSA-RC4-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-RC4 --v 3 --l QSH:ECDH-ECDSA-RC4-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDH-ECDSA-DES3 --v 3 --l QSH:ECDH-ECDSA-DES-CBC3-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-DES3 --v 3 --l QSH:ECDH-ECDSA-DES-CBC3-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDH-ECDSA-AES128 --v 3 --l QSH:ECDH-ECDSA-AES128-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-AES128 --v 3 --l QSH:ECDH-ECDSA-AES128-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDH-ECDSA-AES128-SHA256 --v 3 --l QSH:ECDH-ECDSA-AES128-SHA256 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-AES128-SHA256 --v 3 --l QSH:ECDH-ECDSA-AES128-SHA256 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDH-ECDSA-AES256 --v 3 --l QSH:ECDH-ECDSA-AES256-SHA --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-AES256 --v 3 --l QSH:ECDH-ECDSA-AES256-SHA --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-RSA-AES256-SHA384 --v 3 --l QSH:ECDHE-RSA-AES256-SHA384 - -# client TLSv1.2 ECDHE-RSA-AES256-SHA384 --v 3 --l QSH:ECDHE-RSA-AES256-SHA384 - -# server TLSv1.2 ECDHE-ECDSA-AES256-SHA384 --v 3 --l QSH:ECDHE-ECDSA-AES256-SHA384 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES256-SHA384 --v 3 --l QSH:ECDHE-ECDSA-AES256-SHA384 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDH-RSA-AES256-SHA384 --v 3 --l QSH:ECDH-RSA-AES256-SHA384 --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-AES256-SHA384 --v 3 --l QSH:ECDH-RSA-AES256-SHA384 - -# server TLSv1.2 ECDH-ECDSA-AES256-SHA384 
--v 3 --l QSH:ECDH-ECDSA-AES256-SHA384 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-AES256-SHA384 --v 3 --l QSH:ECDH-ECDSA-AES256-SHA384 --A ./certs/ca-ecc-cert.pem - -# server TLSv1 HC128-SHA --v 1 --l QSH:HC128-SHA - -# client TLSv1 HC128-SHA --v 1 --l QSH:HC128-SHA - -# server TLSv1 HC128-MD5 --v 1 --l QSH:HC128-MD5 - -# client TLSv1 HC128-MD5 --v 1 --l QSH:HC128-MD5 - -# server TLSv1.1 HC128-SHA --v 2 --l QSH:HC128-SHA - -# client TLSv1.1 HC128-SHA --v 2 --l QSH:HC128-SHA - -# server TLSv1.1 HC128-MD5 --v 2 --l QSH:HC128-MD5 - -# client TLSv1.1 HC128-MD5 --v 2 --l QSH:HC128-MD5 - -# server TLSv1.2 HC128-SHA --v 3 --l QSH:HC128-SHA - -# client TLSv1.2 HC128-SHA --v 3 --l QSH:HC128-SHA - -# server TLSv1.2 HC128-MD5 --v 3 --l QSH:HC128-MD5 - -# client TLSv1.2 HC128-MD5 --v 3 --l QSH:HC128-MD5 - -# server TLSv1 RABBIT-SHA --v 1 --l QSH:RABBIT-SHA - -# client TLSv1 RABBIT-SHA --v 1 --l QSH:RABBIT-SHA - -# server TLSv1.1 RABBIT-SHA --v 2 --l QSH:RABBIT-SHA - -# client TLSv1.1 RABBIT-SHA --v 2 --l QSH:RABBIT-SHA - -# server TLSv1.2 RABBIT-SHA --v 3 --l QSH:RABBIT-SHA - -# client TLSv1.2 RABBIT-SHA --v 3 --l QSH:RABBIT-SHA - -# server TLSv1 DHE AES128 --v 1 --l QSH:DHE-RSA-AES128-SHA - -# client TLSv1 DHE AES128 --v 1 --l QSH:DHE-RSA-AES128-SHA - -# server TLSv1 DHE AES256 --v 1 --l QSH:DHE-RSA-AES256-SHA - -# client TLSv1 DHE AES256 --v 1 --l QSH:DHE-RSA-AES256-SHA - -# server TLSv1.1 DHE AES128 --v 2 --l QSH:DHE-RSA-AES128-SHA - -# client TLSv1.1 DHE AES128 --v 2 --l QSH:DHE-RSA-AES128-SHA - -# server TLSv1.1 DHE AES256 --v 2 --l QSH:DHE-RSA-AES256-SHA - -# client TLSv1.1 DHE AES256 --v 2 --l QSH:DHE-RSA-AES256-SHA - -# server TLSv1.2 DHE AES128 --v 3 --l QSH:DHE-RSA-AES128-SHA - -# client TLSv1.2 DHE AES128 --v 3 --l QSH:DHE-RSA-AES128-SHA - -# server TLSv1.2 DHE AES256 --v 3 --l QSH:DHE-RSA-AES256-SHA - -# client TLSv1.2 DHE AES256 --v 3 --l QSH:DHE-RSA-AES256-SHA - -# server TLSv1.2 DHE AES128-SHA256 --v 3 --l 
QSH:DHE-RSA-AES128-SHA256 - -# client TLSv1.2 DHE AES128-SHA256 --v 3 --l QSH:DHE-RSA-AES128-SHA256 - -# server TLSv1.2 DHE AES256-SHA256 --v 3 --l QSH:DHE-RSA-AES256-SHA256 - -# client TLSv1.2 DHE AES256-SHA256 --v 3 --l QSH:DHE-RSA-AES256-SHA256 - -# server TLSv1.2 ECDHE-PSK-AES128-SHA256 --s --v 3 --l QSH:ECDHE-PSK-AES128-SHA256 - -# client TLSv1.2 ECDHE-PSK-AES128-SHA256 --s --v 3 --l QSH:ECDHE-PSK-AES128-SHA256 - -# server TLSv1.2 ECDHE-PSK-NULL-SHA256 --s --v 3 --l QSH:ECDHE-PSK-NULL-SHA256 - -# client TLSv1.2 ECDHE-PSK-NULL-SHA256 --s --v 3 --l QSH:ECDHE-PSK-NULL-SHA256 - -# server TLSv1 PSK-AES128 --s --v 1 --l QSH:PSK-AES128-CBC-SHA - -# client TLSv1 PSK-AES128 --s --v 1 --l QSH:PSK-AES128-CBC-SHA - -# server TLSv1 PSK-AES256 --s --v 1 --l QSH:PSK-AES256-CBC-SHA - -# client TLSv1 PSK-AES256 --s --v 1 --l QSH:PSK-AES256-CBC-SHA - -# server TLSv1.1 PSK-AES128 --s --v 2 --l QSH:PSK-AES128-CBC-SHA - -# client TLSv1.1 PSK-AES128 --s --v 2 --l QSH:PSK-AES128-CBC-SHA - -# server TLSv1.1 PSK-AES256 --s --v 2 --l QSH:PSK-AES256-CBC-SHA - -# client TLSv1.1 PSK-AES256 --s --v 2 --l QSH:PSK-AES256-CBC-SHA - -# server TLSv1.2 PSK-AES128 --s --v 3 --l QSH:PSK-AES128-CBC-SHA - -# client TLSv1.2 PSK-AES128 --s --v 3 --l QSH:PSK-AES128-CBC-SHA - -# server TLSv1.2 PSK-AES256 --s --v 3 --l QSH:PSK-AES256-CBC-SHA - -# client TLSv1.2 PSK-AES256 --s --v 3 --l QSH:PSK-AES256-CBC-SHA - -# server TLSv1.2 PSK-AES128-SHA256 --s --v 3 --l QSH:PSK-AES128-CBC-SHA256 - -# client TLSv1.2 PSK-AES128-SHA256 --s --v 3 --l QSH:PSK-AES128-CBC-SHA256 - -# server TLSv1.2 PSK-AES256-SHA384 --s --v 3 --l QSH:PSK-AES256-CBC-SHA384 - -# client TLSv1.2 PSK-AES256-SHA384 --s --v 3 --l QSH:PSK-AES256-CBC-SHA384 - -# server TLSv1.0 PSK-NULL --s --v 1 --l QSH:PSK-NULL-SHA - -# client TLSv1.0 PSK-NULL --s --v 1 --l QSH:PSK-NULL-SHA - -# server TLSv1.1 PSK-NULL --s --v 2 --l QSH:PSK-NULL-SHA - -# client TLSv1.1 PSK-NULL --s --v 2 --l QSH:PSK-NULL-SHA - -# server TLSv1.2 PSK-NULL --s --v 3 --l 
QSH:PSK-NULL-SHA - -# client TLSv1.2 PSK-NULL --s --v 3 --l QSH:PSK-NULL-SHA - -# server TLSv1.2 PSK-NULL-SHA256 --s --v 3 --l QSH:PSK-NULL-SHA256 - -# client TLSv1.2 PSK-NULL-SHA256 --s --v 3 --l QSH:PSK-NULL-SHA256 - -# server TLSv1.2 PSK-NULL-SHA384 --s --v 3 --l QSH:PSK-NULL-SHA384 - -# client TLSv1.2 PSK-NULL-SHA384 --s --v 3 --l QSH:PSK-NULL-SHA384 - -# server TLSv1.2 PSK-NULL --s --v 3 --l QSH:PSK-NULL-SHA - -# client TLSv1.2 PSK-NULL --s --v 3 --l QSH:PSK-NULL-SHA - -# server TLSv1.2 PSK-NULL-SHA256 --s --v 3 --l QSH:PSK-NULL-SHA256 - -# client TLSv1.2 PSK-NULL-SHA256 --s --v 3 --l QSH:PSK-NULL-SHA256 - -# server TLSv1.0 RSA-NULL-SHA --v 1 --l QSH:NULL-SHA - -# client TLSv1.0 RSA-NULL-SHA --v 1 --l QSH:NULL-SHA - -# server TLSv1.1 RSA-NULL-SHA --v 2 --l QSH:NULL-SHA - -# client TLSv1.1 RSA-NULL-SHA --v 2 --l QSH:NULL-SHA - -# server TLSv1.2 RSA-NULL-SHA --v 3 --l QSH:NULL-SHA - -# client TLSv1.2 RSA-NULL-SHA --v 3 --l QSH:NULL-SHA - -# server TLSv1.2 RSA-NULL-SHA256 --v 3 --l QSH:NULL-SHA256 - -# client TLSv1.2 RSA-NULL-SHA256 --v 3 --l QSH:NULL-SHA256 - -# server TLSv1 CAMELLIA128-SHA --v 1 --l QSH:CAMELLIA128-SHA - -# client TLSv1 CAMELLIA128-SHA --v 1 --l QSH:CAMELLIA128-SHA - -# server TLSv1 CAMELLIA256-SHA --v 1 --l QSH:CAMELLIA256-SHA - -# client TLSv1 CAMELLIA256-SHA --v 1 --l QSH:CAMELLIA256-SHA - -# server TLSv1.1 CAMELLIA128-SHA --v 2 --l QSH:CAMELLIA128-SHA - -# client TLSv1.1 CAMELLIA128-SHA --v 2 --l QSH:CAMELLIA128-SHA - -# server TLSv1.1 CAMELLIA256-SHA --v 2 --l QSH:CAMELLIA256-SHA - -# client TLSv1.1 CAMELLIA256-SHA --v 2 --l QSH:CAMELLIA256-SHA - -# server TLSv1.2 CAMELLIA128-SHA --v 3 --l QSH:CAMELLIA128-SHA - -# client TLSv1.2 CAMELLIA128-SHA --v 3 --l QSH:CAMELLIA128-SHA - -# server TLSv1.2 CAMELLIA256-SHA --v 3 --l QSH:CAMELLIA256-SHA - -# client TLSv1.2 CAMELLIA256-SHA --v 3 --l QSH:CAMELLIA256-SHA - -# server TLSv1.2 CAMELLIA128-SHA256 --v 3 --l QSH:CAMELLIA128-SHA256 - -# client TLSv1.2 CAMELLIA128-SHA256 --v 3 --l 
QSH:CAMELLIA128-SHA256 - -# server TLSv1.2 CAMELLIA256-SHA256 --v 3 --l QSH:CAMELLIA256-SHA256 - -# client TLSv1.2 CAMELLIA256-SHA256 --v 3 --l QSH:CAMELLIA256-SHA256 - -# server TLSv1 DHE-RSA-CAMELLIA128-SHA --v 1 --l QSH:DHE-RSA-CAMELLIA128-SHA - -# client TLSv1 DHE-RSA-CAMELLIA128-SHA --v 1 --l QSH:DHE-RSA-CAMELLIA128-SHA - -# server TLSv1 DHE-RSA-CAMELLIA256-SHA --v 1 --l QSH:DHE-RSA-CAMELLIA256-SHA - -# client TLSv1 DHE-RSA-CAMELLIA256-SHA --v 1 --l QSH:DHE-RSA-CAMELLIA256-SHA - -# server TLSv1.1 DHE-RSA-CAMELLIA128-SHA --v 2 --l QSH:DHE-RSA-CAMELLIA128-SHA - -# client TLSv1.1 DHE-RSA-CAMELLIA128-SHA --v 2 --l QSH:DHE-RSA-CAMELLIA128-SHA - -# server TLSv1.1 DHE-RSA-CAMELLIA256-SHA --v 2 --l QSH:DHE-RSA-CAMELLIA256-SHA - -# client TLSv1.1 DHE-RSA-CAMELLIA256-SHA --v 2 --l QSH:DHE-RSA-CAMELLIA256-SHA - -# server TLSv1.2 DHE-RSA-CAMELLIA128-SHA --v 3 --l QSH:DHE-RSA-CAMELLIA128-SHA - -# client TLSv1.2 DHE-RSA-CAMELLIA128-SHA --v 3 --l QSH:DHE-RSA-CAMELLIA128-SHA - -# server TLSv1.2 DHE-RSA-CAMELLIA256-SHA --v 3 --l QSH:DHE-RSA-CAMELLIA256-SHA - -# client TLSv1.2 DHE-RSA-CAMELLIA256-SHA --v 3 --l QSH:DHE-RSA-CAMELLIA256-SHA - -# server TLSv1.2 DHE-RSA-CAMELLIA128-SHA256 --v 3 --l QSH:DHE-RSA-CAMELLIA128-SHA256 - -# client TLSv1.2 DHE-RSA-CAMELLIA128-SHA256 --v 3 --l QSH:DHE-RSA-CAMELLIA128-SHA256 - -# server TLSv1.2 DHE-RSA-CAMELLIA256-SHA256 --v 3 --l QSH:DHE-RSA-CAMELLIA256-SHA256 - -# client TLSv1.2 DHE-RSA-CAMELLIA256-SHA256 --v 3 --l QSH:DHE-RSA-CAMELLIA256-SHA256 - -# server TLSv1.2 RSA-AES128-GCM-SHA256 --v 3 --l QSH:AES128-GCM-SHA256 - -# client TLSv1.2 RSA-AES128-GCM-SHA256 --v 3 --l QSH:AES128-GCM-SHA256 - -# server TLSv1.2 RSA-AES256-GCM-SHA384 --v 3 --l QSH:AES256-GCM-SHA384 - -# client TLSv1.2 RSA-AES256-GCM-SHA384 --v 3 --l QSH:AES256-GCM-SHA384 - -# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 --v 3 --l QSH:ECDHE-ECDSA-AES128-GCM-SHA256 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 --v 3 --l 
QSH:ECDHE-ECDSA-AES128-GCM-SHA256 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 --v 3 --l QSH:ECDHE-ECDSA-AES256-GCM-SHA384 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 --v 3 --l QSH:ECDHE-ECDSA-AES256-GCM-SHA384 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 --v 3 --l QSH:ECDH-ECDSA-AES128-GCM-SHA256 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256 --v 3 --l QSH:ECDH-ECDSA-AES128-GCM-SHA256 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 --v 3 --l QSH:ECDH-ECDSA-AES256-GCM-SHA384 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-ECDSA-AES256-GCM-SHA384 --v 3 --l QSH:ECDH-ECDSA-AES256-GCM-SHA384 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 --v 3 --l QSH:ECDHE-RSA-AES128-GCM-SHA256 - -# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 --v 3 --l QSH:ECDHE-RSA-AES128-GCM-SHA256 - -# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 --v 3 --l QSH:ECDHE-RSA-AES256-GCM-SHA384 - -# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 --v 3 --l QSH:ECDHE-RSA-AES256-GCM-SHA384 - -# server TLSv1.2 ECDH-RSA-AES128-GCM-SHA256 --v 3 --l QSH:ECDH-RSA-AES128-GCM-SHA256 --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-AES128-GCM-SHA256 --v 3 --l QSH:ECDH-RSA-AES128-GCM-SHA256 - -# server TLSv1.2 ECDH-RSA-AES256-GCM-SHA384 --v 3 --l QSH:ECDH-RSA-AES256-GCM-SHA384 --c ./certs/server-ecc-rsa.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDH-RSA-AES256-GCM-SHA384 --v 3 --l QSH:ECDH-RSA-AES256-GCM-SHA384 - -# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 --v 3 --l QSH:DHE-RSA-AES128-GCM-SHA256 - -# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 --v 3 --l QSH:DHE-RSA-AES128-GCM-SHA256 - -# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384 --v 3 --l QSH:DHE-RSA-AES256-GCM-SHA384 - -# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384 --v 3 --l 
QSH:DHE-RSA-AES256-GCM-SHA384 - -# server TLSv1.2 PSK-AES128-GCM-SHA256 --s --v 3 --l QSH:PSK-AES128-GCM-SHA256 - -# client TLSv1.2 PSK-AES128-GCM-SHA256 --s --v 3 --l QSH:PSK-AES128-GCM-SHA256 - -# server TLSv1.2 PSK-AES256-GCM-SHA384 --s --v 3 --l QSH:PSK-AES256-GCM-SHA384 - -# client TLSv1.2 PSK-AES256-GCM-SHA384 --s --v 3 --l QSH:PSK-AES256-GCM-SHA384 - -# server TLSv1.2 AES128-CCM-8 --v 3 --l QSH:AES128-CCM-8 - -# client TLSv1.2 AES128-CCM-8 --v 3 --l QSH:AES128-CCM-8 - -# server TLSv1.2 AES256-CCM-8 --v 3 --l QSH:AES256-CCM-8 - -# client TLSv1.2 AES256-CCM-8 --v 3 --l QSH:AES256-CCM-8 - -# server TLSv1.2 AES128-CCM8 (OpenSSL-compat alias) --v 3 --l QSH:AES128-CCM8 - -# client TLSv1.2 AES128-CCM8 (OpenSSL-compat alias) --v 3 --l QSH:AES128-CCM8 - -# server TLSv1.2 AES256-CCM8 (OpenSSL-compat alias) --v 3 --l QSH:AES256-CCM8 - -# client TLSv1.2 AES256-CCM8 (OpenSSL-compat alias) --v 3 --l QSH:AES256-CCM8 - -# server TLSv1.2 ECDHE-ECDSA-AES128-CCM --v 3 --l QSH:ECDHE-ECDSA-AES128-CCM --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES128-CCM --v 3 --l QSH:ECDHE-ECDSA-AES128-CCM --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 --v 3 --l QSH:ECDHE-ECDSA-AES128-CCM-8 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 --v 3 --l QSH:ECDHE-ECDSA-AES128-CCM-8 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8 --v 3 --l QSH:ECDHE-ECDSA-AES256-CCM-8 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8 --v 3 --l QSH:ECDHE-ECDSA-AES256-CCM-8 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) --v 3 --l QSH:ECDHE-ECDSA-AES128-CCM8 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES128-CCM8 (OpenSSL-compat alias) --v 3 --l QSH:ECDHE-ECDSA-AES128-CCM8 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 ECDHE-ECDSA-AES256-CCM8 
(OpenSSL-compat alias) --v 3 --l QSH:ECDHE-ECDSA-AES256-CCM8 --c ./certs/server-ecc.pem --k ./certs/ecc-key.pem - -# client TLSv1.2 ECDHE-ECDSA-AES256-CCM8 (OpenSSL-compat alias) --v 3 --l QSH:ECDHE-ECDSA-AES256-CCM8 --A ./certs/ca-ecc-cert.pem - -# server TLSv1.2 PSK-AES128-CCM --s --v 3 --l QSH:PSK-AES128-CCM - -# client TLSv1.2 PSK-AES128-CCM --s --v 3 --l QSH:PSK-AES128-CCM - -# server TLSv1.2 PSK-AES256-CCM --s --v 3 --l QSH:PSK-AES256-CCM - -# client TLSv1.2 PSK-AES256-CCM --s --v 3 --l QSH:PSK-AES256-CCM - -# server TLSv1.2 PSK-AES128-CCM-8 --s --v 3 --l QSH:PSK-AES128-CCM-8 - -# client TLSv1.2 PSK-AES128-CCM-8 --s --v 3 --l QSH:PSK-AES128-CCM-8 - -# server TLSv1.2 PSK-AES256-CCM-8 --s --v 3 --l QSH:PSK-AES256-CCM-8 - -# client TLSv1.2 PSK-AES256-CCM-8 --s --v 3 --l QSH:PSK-AES256-CCM-8 - -# server TLSv1.2 PSK-AES128-CCM8 (OpenSSL-compat alias) --s --v 3 --l QSH:PSK-AES128-CCM8 - -# client TLSv1.2 PSK-AES128-CCM8 (OpenSSL-compat alias) --s --v 3 --l QSH:PSK-AES128-CCM8 - -# server TLSv1.2 PSK-AES256-CCM8 (OpenSSL-compat alias) --s --v 3 --l QSH:PSK-AES256-CCM8 - -# client TLSv1.2 PSK-AES256-CCM8 (OpenSSL-compat alias) --s --v 3 --l QSH:PSK-AES256-CCM8 - -# server TLSv1.2 DHE-PSK-AES128-CBC-SHA256 --s --v 3 --l QSH:DHE-PSK-AES128-CBC-SHA256 - -# client TLSv1.2 DHE-PSK-AES128-CBC-SHA256 --s --v 3 --l QSH:DHE-PSK-AES128-CBC-SHA256 - -# server TLSv1.2 DHE-PSK-AES256-CBC-SHA384 --s --v 3 --l QSH:DHE-PSK-AES256-CBC-SHA384 - -# client TLSv1.2 DHE-PSK-AES256-CBC-SHA384 --s --v 3 --l QSH:DHE-PSK-AES256-CBC-SHA384 - -# server TLSv1.2 DHE-PSK-NULL-SHA256 --s --v 3 --l QSH:DHE-PSK-NULL-SHA256 - -# client TLSv1.2 DHE-PSK-NULL-SHA256 --s --v 3 --l QSH:DHE-PSK-NULL-SHA256 - -# server TLSv1.2 DHE-PSK-NULL-SHA384 --s --v 3 --l QSH:DHE-PSK-NULL-SHA384 - -# client TLSv1.2 DHE-PSK-NULL-SHA384 --s --v 3 --l QSH:DHE-PSK-NULL-SHA384 - -# server TLSv1.2 DHE-PSK-AES128-GCM-SHA256 --s --v 3 --l QSH:DHE-PSK-AES128-GCM-SHA256 - -# client TLSv1.2 DHE-PSK-AES128-GCM-SHA256 --s --v 3 --l 
QSH:DHE-PSK-AES128-GCM-SHA256 - -# server TLSv1.2 DHE-PSK-AES256-GCM-SHA384 --s --v 3 --l QSH:DHE-PSK-AES256-GCM-SHA384 - -# client TLSv1.2 DHE-PSK-AES256-GCM-SHA384 --s --v 3 --l QSH:DHE-PSK-AES256-GCM-SHA384 - -# server TLSv1.2 DHE-PSK-AES128-CCM --s --v 3 --l QSH:DHE-PSK-AES128-CCM - -# client TLSv1.2 DHE-PSK-AES128-CCM --s --v 3 --l QSH:DHE-PSK-AES128-CCM - -# server TLSv1.2 DHE-PSK-AES256-CCM --s --v 3 --l QSH:DHE-PSK-AES256-CCM - -# client TLSv1.2 DHE-PSK-AES256-CCM --s --v 3 --l QSH:DHE-PSK-AES256-CCM - -# server TLSv1.2 ADH-AES128-SHA --a --v 3 --l QSH:ADH-AES128-SHA - -# client TLSv1.2 ADH-AES128-SHA --a --v 3 --l QSH:ADH-AES128-SHA - -# server TLSv1.1 ADH-AES128-SHA --a --v 2 --l QSH:ADH-AES128-SHA - -# client TLSv1.1 ADH-AES128-SHA --a --v 2 --l QSH:ADH-AES128-SHA - -# server TLSv1.0 ADH-AES128-SHA --a --v 1 --l QSH:ADH-AES128-SHA - -# client TLSv1.0 ADH-AES128-SHA --a --v 1 --l QSH:ADH-AES128-SHA - -# server TLSv1 NTRU_RC4 --v 1 --l QSH:NTRU-RC4-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1 NTRU_RC4 --v 1 --l QSH:NTRU-RC4-SHA - -# server TLSv1 NTRU_DES3 --v 1 --l QSH:NTRU-DES-CBC3-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1 NTRU_DES3 --v 1 --l QSH:NTRU-DES-CBC3-SHA - -# server TLSv1 NTRU_AES128 --v 1 --l QSH:NTRU-AES128-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1 NTRU_AES128 --v 1 --l QSH:NTRU-AES128-SHA - -# server TLSv1 NTRU_AES256 --v 1 --l QSH:NTRU-AES256-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1 NTRU_AES256 --v 1 --l QSH:NTRU-AES256-SHA - -# server TLSv1.1 NTRU_RC4 --v 2 --l QSH:NTRU-RC4-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.1 NTRU_RC4 --v 2 --l QSH:NTRU-RC4-SHA - -# server TLSv1.1 NTRU_DES3 --v 2 --l QSH:NTRU-DES-CBC3-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.1 NTRU_DES3 --v 2 --l QSH:NTRU-DES-CBC3-SHA - -# server TLSv1.1 NTRU_AES128 --v 2 --l 
QSH:NTRU-AES128-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.1 NTRU_AES128 --v 2 --l QSH:NTRU-AES128-SHA - -# server TLSv1.1 NTRU_AES256 --v 2 --l QSH:NTRU-AES256-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.1 NTRU_AES256 --v 2 --l QSH:NTRU-AES256-SHA - -# server TLSv1.2 NTRU_RC4 --v 3 --l QSH:NTRU-RC4-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.2 NTRU_RC4 --v 3 --l QSH:NTRU-RC4-SHA - -# server TLSv1.2 NTRU_DES3 --v 3 --l QSH:NTRU-DES-CBC3-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.2 NTRU_DES3 --v 3 --l QSH:NTRU-DES-CBC3-SHA - -# server TLSv1.2 NTRU_AES128 --v 3 --l QSH:NTRU-AES128-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.2 NTRU_AES128 --v 3 --l QSH:NTRU-AES128-SHA diff --git a/tests/test.conf b/tests/test.conf index d4b8a8714..42d6d6026 100644 --- a/tests/test.conf +++ b/tests/test.conf 
@@ -1821,127 +1821,6 @@ -v 2 -l DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA -# server TLSv1 NTRU_RC4 --v 1 --l NTRU-RC4-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1 NTRU_RC4 --v 1 --l NTRU-RC4-SHA - -# server TLSv1 NTRU_DES3 --v 1 --l NTRU-DES-CBC3-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1 NTRU_DES3 --v 1 --l NTRU-DES-CBC3-SHA - -# server TLSv1 NTRU_AES128 --v 1 --l NTRU-AES128-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1 NTRU_AES128 --v 1 --l NTRU-AES128-SHA - -# server TLSv1 NTRU_AES256 --v 1 --l NTRU-AES256-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1 NTRU_AES256 --v 1 --l NTRU-AES256-SHA - -# server TLSv1.1 NTRU_RC4 --v 2 --l NTRU-RC4-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.1 NTRU_RC4 --v 2 --l NTRU-RC4-SHA - -# server TLSv1.1 NTRU_DES3 --v 2 --l NTRU-DES-CBC3-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.1 NTRU_DES3 --v 2 --l NTRU-DES-CBC3-SHA - -# server TLSv1.1 NTRU_AES128 --v 2 --l NTRU-AES128-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.1 NTRU_AES128 --v 2 --l NTRU-AES128-SHA - -# server TLSv1.1 NTRU_AES256 --v 2 --l NTRU-AES256-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.1 NTRU_AES256 --v 2 --l NTRU-AES256-SHA - -# server TLSv1.2 NTRU_RC4 --v 3 --l NTRU-RC4-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.2 NTRU_RC4 --v 3 --l NTRU-RC4-SHA - -# server TLSv1.2 NTRU_DES3 --v 3 --l NTRU-DES-CBC3-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.2 NTRU_DES3 --v 3 --l NTRU-DES-CBC3-SHA - -# server TLSv1.2 NTRU_AES128 --v 3 --l NTRU-AES128-SHA --n --c ./certs/ntru-cert.pem --k ./certs/ntru-key.raw - -# client TLSv1.2 NTRU_AES128 --v 3 --l NTRU-AES128-SHA - # error going into callback, return ok # server TLSv1.2 verify callback override -v 3 
diff --git a/testsuite/include.am b/testsuite/include.am index a3eea3978..e8788bb12 100644 --- a/testsuite/include.am +++ b/testsuite/include.am @@ -18,7 +18,6 @@ testsuite_testsuite_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WO testsuite_testsuite_test_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += testsuite/testsuite.sln -EXTRA_DIST += testsuite/testsuite-ntru.vcproj EXTRA_DIST += testsuite/testsuite.vcproj EXTRA_DIST += testsuite/testsuite.vcxproj EXTRA_DIST += input diff --git a/testsuite/testsuite-ntru.vcproj b/testsuite/testsuite-ntru.vcproj deleted file mode 100755 index a6fc7be67..000000000 --- a/testsuite/testsuite-ntru.vcproj +++ /dev/null @@ -1,219 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 07935e26d..5e684509b 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -197,9 +197,6 @@ #endif #include -#ifdef HAVE_NTRU - #include "libntruencrypt/ntru_crypto.h" -#endif #include #include #include @@ -298,8 +295,6 @@ #define BENCH_RSA 0x00000002 #define BENCH_RSA_SZ 0x00000004 #define BENCH_DH 0x00000010 -#define BENCH_NTRU 0x00000100 -#define BENCH_NTRU_KEYGEN 0x00000200 #define BENCH_ECC_MAKEKEY 0x00001000 #define BENCH_ECC 0x00002000 #define BENCH_ECC_ENCRYPT 0x00004000 @@ -510,10 +505,6 @@ static const bench_alg bench_asym_opt[] = { #ifndef NO_DH { "-dh", BENCH_DH }, #endif -#ifdef HAVE_NTRU - { "-ntru", BENCH_NTRU }, - { "-ntru-kg", BENCH_NTRU_KEYGEN }, -#endif #ifdef HAVE_ECC { "-ecc-kg", BENCH_ECC_MAKEKEY }, { "-ecc", BENCH_ECC }, 
@@ -639,7 +630,7 @@ static const char* bench_result_words1[][4] = { #endif }; -#if !defined(NO_RSA) || defined(HAVE_NTRU) || \ +#if !defined(NO_RSA) || \ defined(HAVE_ECC) || !defined(NO_DH) || defined(HAVE_ECC_ENCRYPT) || \ defined(HAVE_CURVE25519) || defined(HAVE_CURVE25519_SHARED_SECRET) || \ defined(HAVE_ED25519) || defined(HAVE_CURVE448) || \ @@ -780,7 +771,7 @@ static const char* bench_desc_words[][14] = { #if defined(HAVE_ED25519) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) || defined(HAVE_ED448) || \ - defined(HAVE_ECC) || defined(HAVE_NTRU) || !defined(NO_DH) || \ + defined(HAVE_ECC) || !defined(NO_DH) || \ !defined(NO_RSA) || defined(HAVE_SCRYPT) #define BENCH_ASYM #endif @@ -1872,13 +1863,6 @@ static void* benchmarks_do(void* args) } #endif -#ifdef HAVE_NTRU - if (bench_all || (bench_asym_algs & BENCH_NTRU)) - bench_ntru(); - if (bench_all || (bench_asym_algs & BENCH_NTRU_KEYGEN)) - bench_ntruKeyGen(); -#endif - #ifdef HAVE_ECC if (bench_all || (bench_asym_algs & BENCH_ECC_MAKEKEY) || (bench_asym_algs & BENCH_ECC) || 
@@ -5241,220 +5225,6 @@ exit: } #endif /* !NO_DH */ -#ifdef HAVE_NTRU -byte GetEntropy(ENTROPY_CMD cmd, byte* out); - -byte GetEntropy(ENTROPY_CMD cmd, byte* out) -{ - if (cmd == INIT) - return 1; /* using local rng */ - - if (out == NULL) - return 0; - - if (cmd == GET_BYTE_OF_ENTROPY) - return (wc_RNG_GenerateBlock(&gRng, out, 1) == 0) ? 1 : 0; - - if (cmd == GET_NUM_BYTES_PER_BYTE_OF_ENTROPY) { - *out = 1; - return 1; - } - - return 0; -} - -void bench_ntru(void) -{ - int i; - double start; - - byte public_key[1027]; - word16 public_key_len = sizeof(public_key); - byte private_key[1120]; - word16 private_key_len = sizeof(private_key); - word16 ntruBits = 128; - word16 type = 0; - word32 ret; - - byte ciphertext[1022]; - word16 ciphertext_len; - byte plaintext[16]; - word16 plaintext_len; - const char**desc = bench_desc_words[lng_index]; - - DRBG_HANDLE drbg; - static byte const aes_key[] = { - 0xf3, 0xe9, 0x87, 0xbb, 0x18, 0x08, 0x3c, 0xaa, - 0x7b, 0x12, 0x49, 0x88, 0xaf, 0xb3, 0x22, 0xd8 - }; - - static byte const wolfsslStr[] = { - 'w', 'o', 'l', 'f', 'S', 'S', 'L', ' ', 'N', 'T', 'R', 'U' - }; - - for (ntruBits = 128; ntruBits < 257; ntruBits += 64) { - switch (ntruBits) { - case 128: - type = NTRU_EES439EP1; - break; - case 192: - type = NTRU_EES593EP1; - break; - case 256: - type = NTRU_EES743EP1; - break; - } - - ret = ntru_crypto_drbg_instantiate(ntruBits, wolfsslStr, - sizeof(wolfsslStr), (ENTROPY_FN) GetEntropy, &drbg); - if(ret != DRBG_OK) { - printf("NTRU drbg instantiate failed\n"); - return; - } - - /* set key sizes */ - ret = ntru_crypto_ntru_encrypt_keygen(drbg, type, &public_key_len, - NULL, &private_key_len, NULL); - if (ret != NTRU_OK) { - ntru_crypto_drbg_uninstantiate(drbg); - printf("NTRU failed to get key lengths\n"); - return; - } - - ret = ntru_crypto_ntru_encrypt_keygen(drbg, type, &public_key_len, - public_key, &private_key_len, - private_key); - - ntru_crypto_drbg_uninstantiate(drbg); - - if (ret != NTRU_OK) { - printf("NTRU keygen 
failed\n"); - return; - } - - ret = ntru_crypto_drbg_instantiate(ntruBits, NULL, 0, - (ENTROPY_FN)GetEntropy, &drbg); - if (ret != DRBG_OK) { - printf("NTRU error occurred during DRBG instantiation\n"); - return; - } - - ret = ntru_crypto_ntru_encrypt(drbg, public_key_len, public_key, - sizeof(aes_key), aes_key, &ciphertext_len, NULL); - - if (ret != NTRU_OK) { - printf("NTRU error occurred requesting the buffer size needed\n"); - return; - } - - bench_stats_start(&i, &start); - for (i = 0; i < ntimes; i++) { - ret = ntru_crypto_ntru_encrypt(drbg, public_key_len, public_key, - sizeof(aes_key), aes_key, &ciphertext_len, ciphertext); - if (ret != NTRU_OK) { - printf("NTRU encrypt error\n"); - return; - } - } - bench_stats_asym_finish("NTRU", ntruBits, desc[6], 0, i, start, ret); - - ret = ntru_crypto_drbg_uninstantiate(drbg); - if (ret != DRBG_OK) { - printf("NTRU error occurred uninstantiating the DRBG\n"); - return; - } - - ret = ntru_crypto_ntru_decrypt(private_key_len, private_key, - ciphertext_len, ciphertext, &plaintext_len, NULL); - - if (ret != NTRU_OK) { - printf("NTRU decrypt error occurred getting the buffer size needed\n"); - return; - } - - plaintext_len = sizeof(plaintext); - - bench_stats_start(&i, &start); - for (i = 0; i < ntimes; i++) { - ret = ntru_crypto_ntru_decrypt(private_key_len, private_key, - ciphertext_len, ciphertext, - &plaintext_len, plaintext); - - if (ret != NTRU_OK) { - printf("NTRU error occurred decrypting the key\n"); - return; - } - } - bench_stats_asym_finish("NTRU", ntruBits, desc[7], 0, i, start, ret); - } - -} - -void bench_ntruKeyGen(void) -{ - double start; - int i; - - byte public_key[1027]; - word16 public_key_len = sizeof(public_key); - byte private_key[1120]; - word16 private_key_len = sizeof(private_key); - word16 ntruBits = 128; - word16 type = 0; - word32 ret; - const char**desc = bench_desc_words[lng_index]; - - DRBG_HANDLE drbg; - static uint8_t const pers_str[] = { - 'w', 'o', 'l', 'f', 'S', 'S', 'L', ' ', 't', 
'e', 's', 't' - }; - - for (ntruBits = 128; ntruBits < 257; ntruBits += 64) { - ret = ntru_crypto_drbg_instantiate(ntruBits, pers_str, - sizeof(pers_str), GetEntropy, &drbg); - if (ret != DRBG_OK) { - printf("NTRU drbg instantiate failed\n"); - return; - } - - switch (ntruBits) { - case 128: - type = NTRU_EES439EP1; - break; - case 192: - type = NTRU_EES593EP1; - break; - case 256: - type = NTRU_EES743EP1; - break; - } - - /* set key sizes */ - ret = ntru_crypto_ntru_encrypt_keygen(drbg, type, &public_key_len, - NULL, &private_key_len, NULL); - - bench_stats_start(&i, &start); - for (i = 0; i < genTimes; i++) { - ret = ntru_crypto_ntru_encrypt_keygen(drbg, type, &public_key_len, - public_key, &private_key_len, - private_key); - } - bench_stats_asym_finish("NTRU", ntruBits, desc[2], 0, i, start, ret); - - if (ret != NTRU_OK) { - return; - } - - ret = ntru_crypto_drbg_uninstantiate(drbg); - - if (ret != NTRU_OK) { - printf("NTRU drbg uninstantiate failed\n"); - return; - } - } -} -#endif - #ifdef HAVE_ECC /* +8 for 'ECDSA [%s]' and null terminator */ diff --git a/wolfcrypt/benchmark/benchmark.h b/wolfcrypt/benchmark/benchmark.h index e9b13a410..1981db98d 100644 --- a/wolfcrypt/benchmark/benchmark.h +++ b/wolfcrypt/benchmark/benchmark.h @@ -102,8 +102,6 @@ void bench_sakkeKeyGen(void); void bench_sakkeRskGen(void); void bench_sakkeValidate(void); void bench_sakke(void); -void bench_ntru(void); -void bench_ntruKeyGen(void); void bench_rng(void); void bench_blake2b(void); void bench_blake2s(void); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 58d5d5bec..191b85c1f 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -103,10 +103,6 @@ ASN Options: #include #endif -#ifdef HAVE_NTRU - #include "libntruencrypt/ntru_crypto.h" -#endif - #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384) #include #endif 
@@ -3810,9 +3806,6 @@ static word32 SetBitString16Bit(word16 val, byte* output) #ifndef NO_RSA static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1}; #endif /* NO_RSA */ -#ifdef HAVE_NTRU - static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1}; -#endif /* HAVE_NTRU */ #ifdef HAVE_ECC static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1}; #endif /* HAVE_ECC */ @@ -4260,12 +4253,6 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz) *oidSz = sizeof(keyRsaOid); break; #endif /* NO_RSA */ - #ifdef HAVE_NTRU - case NTRUk: - oid = keyNtruOid; - *oidSz = sizeof(keyNtruOid); - break; - #endif /* HAVE_NTRU */ #ifdef HAVE_ECC case ECDSAk: oid = keyEcdsaOid; 
@@ -9813,85 +9800,6 @@ static int ParseDsaKey(const byte* source, word32* srcIdx, word32 maxIdx, } #endif /* !NO_DSA */ -#ifdef HAVE_NTRU -/* Store NTRU key data and length in certificate object. - * - * @param [in, out] cert Certificate object. - * @param [in] source Buffer containing encoded key. - * @param [in, out] srcIdx On in, start of RSA key data. - * On out, start of element after RSA key data. - * @param [in] maxIdx Maximum index of key data. - * @param [in] pubIdx Index of into buffer of public key. - * @return 0 on success. - * @return MEMORY_E when dynamic memory allocation fails. - * @return ASN_NTRU_KEY_E when BER encoding is invalid. - */ -static int StoreNtruKey(DecodedCert* cert, const byte* source, word32* srcIdx, - word32 maxIdx, word32 pubIdx) -{ - const byte* key = &source[pubIdx]; - byte* next = (byte*)key; - word16 keyLen; - word32 rc; - word32 remaining = maxIdx - *srcIdx; - byte* publicKey; -#ifdef WOLFSSL_SMALL_STACK - byte* keyBlob = NULL; -#else - byte keyBlob[MAX_NTRU_KEY_SZ]; -#endif - rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, &keyLen, - NULL, &next, &remaining); - if (rc != NTRU_OK) - return ASN_NTRU_KEY_E; - if (keyLen > MAX_NTRU_KEY_SZ) - return ASN_NTRU_KEY_E; - -#ifdef WOLFSSL_SMALL_STACK - keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, cert->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (keyBlob == NULL) - return MEMORY_E; -#endif - - rc = ntru_crypto_ntru_encrypt_subjectPublicKeyInfo2PublicKey(key, &keyLen, - keyBlob, &next, &remaining); - if (rc != NTRU_OK) { -#ifdef WOLFSSL_SMALL_STACK - XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - return ASN_NTRU_KEY_E; - } - - if ( (next - key) < 0) { -#ifdef WOLFSSL_SMALL_STACK - XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - return ASN_NTRU_KEY_E; - } - - *srcIdx = pubIdx + (int)(next - key); - - publicKey = (byte*)XMALLOC(keyLen, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (publicKey == NULL) { -#ifdef WOLFSSL_SMALL_STACK - XFREE(keyBlob, 
cert->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - return MEMORY_E; - } - XMEMCPY(publicKey, keyBlob, keyLen); - cert->publicKey = publicKey; - cert->pubKeyStored = 1; - cert->pubKeySize = keyLen; - -#ifdef WOLFSSL_SMALL_STACK - XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return 0; -} -#endif /* HAVE_NTRU */ - /* Decode the SubjectPublicKeyInfo block in a certificate. * * Stores the public key in fields of the certificate object. @@ -9914,7 +9822,7 @@ static int GetCertKey(DecodedCert* cert, const byte* source, word32* inOutIdx, #if defined(HAVE_ECC) || !defined(NO_DSA) int pubLen; #endif -#if defined(HAVE_ECC) || defined(HAVE_NTRU) || !defined(NO_DSA) +#if defined(HAVE_ECC) || !defined(NO_DSA) int pubIdx = srcIdx; #endif int ret = 0; @@ -9950,11 +9858,6 @@ static int GetCertKey(DecodedCert* cert, const byte* source, word32* inOutIdx, break; #endif /* NO_RSA */ - #ifdef HAVE_NTRU - case NTRUk: - ret = StoreNtruKey(cert, source, &srcIdx, maxIdx, pubIdx); - break; - #endif /* HAVE_NTRU */ #ifdef HAVE_ECC case ECDSAk: ret = StoreEccKey(cert, source, &srcIdx, maxIdx, source + pubIdx, @@ -19888,7 +19791,7 @@ typedef struct DerCert { byte issuer[ASN_NAME_MAX]; /* issuer encoded */ byte subject[ASN_NAME_MAX]; /* subject encoded */ byte validity[MAX_DATE_SIZE*2 + MAX_SEQ_SZ*2]; /* before and after dates */ - byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */ + byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa public key encoded */ byte ca[MAX_CA_SZ]; /* basic constraint CA true size */ byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */ #ifdef WOLFSSL_CERT_EXT 
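Review bot: The rewritten comment on `publicKey` in `DerCert` (the `@@ -19888` hunk of asn.c) now reads `/* rsa public key encoded */`, which is narrower than what the field appears to hold. EncodeCert and MakeAnyCert elsewhere in this commit still accept ECC, DSA, Ed25519 and Ed448 keys, and the removed NTRU branch wrote its encoding into `der->publicKey`, so the buffer is presumably shared by every key type. I would word it as `byte publicKey[MAX_PUBLIC_KEY_SZ]; /* public key encoded, any key type */` so nobody sizes or audits the buffer against RSA alone. The struct definition continues outside the hunk.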
@@ -21884,13 +21787,9 @@ int SetName(byte* output, word32 outputSz, CertName* name) static int EncodePublicKey(int keyType, byte* output, int outLen, RsaKey* rsaKey, ecc_key* eccKey, ed25519_key* ed25519Key, ed448_key* ed448Key, - DsaKey* dsaKey, const byte* ntruKey, word16 ntruSz) + DsaKey* dsaKey) { int ret = 0; -#ifdef HAVE_NTRU - word32 rc; - word16 encodedSz; -#endif (void)outLen; (void)rsaKey; @@ -21898,8 +21797,6 @@ static int EncodePublicKey(int keyType, byte* output, int outLen, (void)ed25519Key; (void)ed448Key; (void)dsaKey; - (void)ntruKey; - (void)ntruSz; switch (keyType) { #ifndef NO_RSA @@ -21934,18 +21831,6 @@ static int EncodePublicKey(int keyType, byte* output, int outLen, } break; #endif - #ifdef HAVE_NTRU - case NTRU_KEY: - rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz, - ntruKey, &encodedSz, output); - if (rc != NTRU_OK) { - ret = PUBLIC_KEY_E; - } - if (ret == 0) { - ret = encodedSz; - } - break; - #endif /* HAVE_NTRU */ default: ret = PUBLIC_KEY_E; break; @@ -22308,8 +22193,8 @@ static int SetValidity(byte* before, byte* after, int daysValid) #ifndef WOLFSSL_ASN_TEMPLATE /* encode info from cert into DER encoded format */ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, - WC_RNG* rng, const byte* ntruKey, word16 ntruSz, DsaKey* dsaKey, - ed25519_key* ed25519Key, ed448_key* ed448Key) + WC_RNG* rng, DsaKey* dsaKey, ed25519_key* ed25519Key, + ed448_key* ed448Key) { int ret; @@ -22318,7 +22203,7 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, /* make sure at least one key type is provided */ if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL && - dsaKey == NULL && ed448Key == NULL && ntruKey == NULL) { + dsaKey == NULL && ed448Key == NULL) { return PUBLIC_KEY_E; } 
@@ -22394,32 +22279,6 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, } #endif -#ifdef HAVE_NTRU - if (cert->keyType == NTRU_KEY) { - word32 rc; - word16 encodedSz; - - if (ntruKey == NULL) - return PUBLIC_KEY_E; - - rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz, - ntruKey, &encodedSz, NULL); - if (rc != NTRU_OK) - return PUBLIC_KEY_E; - if (encodedSz > MAX_PUBLIC_KEY_SZ) - return PUBLIC_KEY_E; - - rc = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz, - ntruKey, &encodedSz, der->publicKey); - if (rc != NTRU_OK) - return PUBLIC_KEY_E; - - der->publicKeySz = encodedSz; - } -#else - (void)ntruSz; -#endif /* HAVE_NTRU */ - if (der->publicKeySz <= 0) return PUBLIC_KEY_E; @@ -22989,8 +22848,8 @@ int AddSignature(byte* buf, int bodySz, const byte* sig, int sigSz, /* Make an x509 Certificate v3 any key type from cert input, write to buffer */ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng, - DsaKey* dsaKey, const byte* ntruKey, word16 ntruSz, - ed25519_key* ed25519Key, ed448_key* ed448Key) + DsaKey* dsaKey, ed25519_key* ed25519Key, + ed448_key* ed448Key) { #ifndef WOLFSSL_ASN_TEMPLATE int ret; @@ -23013,8 +22872,6 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, cert->keyType = ED25519_KEY; else if (ed448Key) cert->keyType = ED448_KEY; - else if (ntruKey) - cert->keyType = NTRU_KEY; else return BAD_FUNC_ARG; @@ -23024,8 +22881,8 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, return MEMORY_E; #endif - ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz, dsaKey, - ed25519Key, ed448Key); + ret = EncodeCert(cert, der, rsaKey, eccKey, rng, dsaKey, ed25519Key, + ed448Key); if (ret == 0) { if (der->total + MAX_SEQ_SZ * 2 > (int)derSz) ret = BUFFER_E; 
@@ -23069,9 +22926,6 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, else if (ed448Key) { cert->keyType = ED448_KEY; } - else if (ntruKey) { - cert->keyType = NTRU_KEY; - } else { ret = BAD_FUNC_ARG; } @@ -23116,7 +22970,7 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, if (ret >= 0) { /* Calcuate public key encoding size. */ ret = publicKeySz = EncodePublicKey(cert->keyType, NULL, 0, rsaKey, - eccKey, ed25519Key, ed448Key, dsaKey, ntruKey, ntruSz); + eccKey, ed25519Key, ed448Key, dsaKey); } if (ret >= 0) { /* Calcuate extensions encoding size - may be 0. */ @@ -23251,7 +23105,7 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, /* Encode public key into buffer. */ ret = EncodePublicKey(cert->keyType, (byte*)dataASN[15].data.buffer.data, dataASN[15].data.buffer.length, - rsaKey, eccKey, ed25519Key, ed448Key, dsaKey, ntruKey, ntruSz); + rsaKey, eccKey, ed25519Key, ed448Key, dsaKey); } if ((ret >= 0) && (!dataASN[23].noOut)) { /* Encode extensions into buffer. */ @@ -23293,29 +23147,16 @@ int wc_MakeCert_ex(Cert* cert, byte* derBuffer, word32 derSz, int keyType, ed448Key = (ed448_key*)key; return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, dsaKey, - NULL, 0, ed25519Key, ed448Key); + ed25519Key, ed448Key); } /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */ int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng) { - return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, NULL, 0, - NULL, NULL); + return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, NULL, + NULL); } - -#ifdef HAVE_NTRU - -int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz, - const byte* ntruKey, word16 keySz, WC_RNG* rng) -{ - return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, NULL, - ntruKey, keySz, NULL, NULL); -} - -#endif /* HAVE_NTRU */ - - #ifdef WOLFSSL_CERT_REQ #ifndef WOLFSSL_ASN_TEMPLATE 
@@ -23815,7 +23656,7 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, if (ret >= 0) { /* Determine encode public key size. */ ret = publicKeySz = EncodePublicKey(cert->keyType, NULL, 0, rsaKey, - eccKey, ed25519Key, ed448Key, dsaKey, NULL, 0); + eccKey, ed25519Key, ed448Key, dsaKey); } if (ret >= 0) { /* Determine encode extensions size. */ @@ -23898,7 +23739,7 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, /* Encode public key into space in buffer. */ ret = EncodePublicKey(cert->keyType, (byte*)dataASN[3].data.buffer.data, dataASN[3].data.buffer.length, rsaKey, eccKey, ed25519Key, ed448Key, - dsaKey, NULL, 0); + dsaKey); } if ((ret >= 0) && (!dataASN[13].noOut)) { /* Encode extensions into space in buffer. */ @@ -24086,7 +23927,6 @@ int wc_GetSubjectRaw(byte **subjectRaw, Cert *cert) /* Set KID from public key */ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey, - byte *ntruKey, word16 ntruKeySz, ed25519_key* ed25519Key, ed448_key* ed448Key, int kid_type) { @@ -24094,8 +23934,8 @@ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey, int bufferSz, ret; if (cert == NULL || - (rsakey == NULL && eckey == NULL && ntruKey == NULL && - ed25519Key == NULL && ed448Key == NULL) || + (rsakey == NULL && eckey == NULL && ed25519Key == NULL && + ed448Key == NULL) || (kid_type != SKID_TYPE && kid_type != AKID_TYPE)) return BAD_FUNC_ARG; 
@@ -24116,18 +23956,6 @@ static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey, if (eckey != NULL) bufferSz = SetEccPublicKey(buf, eckey, MAX_PUBLIC_KEY_SZ, 0); #endif -#ifdef HAVE_NTRU - /* NTRU public key */ - if (ntruKey != NULL) { - bufferSz = MAX_PUBLIC_KEY_SZ; - ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( - ntruKeySz, ntruKey, (word16 *)(&bufferSz), buf); - if (ret != NTRU_OK) - bufferSz = -1; - } -#else - (void)ntruKeySz; -#endif #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_EXPORT) /* ED25519 public key */ if (ed25519Key != NULL) { @@ -24178,27 +24006,16 @@ int wc_SetSubjectKeyIdFromPublicKey_ex(Cert *cert, int keyType, void* key) else if (keyType == ED448_TYPE) ed448Key = (ed448_key*)key; - return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, NULL, 0, ed25519Key, - ed448Key, SKID_TYPE); + return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, ed25519Key, ed448Key, + SKID_TYPE); } /* Set SKID from RSA or ECC public key */ int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey) { - return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, NULL, NULL, - SKID_TYPE); + return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, NULL, SKID_TYPE); } -#ifdef HAVE_NTRU -/* Set SKID from NTRU public key */ -int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert, - byte *ntruKey, word16 ntruKeySz) -{ - return SetKeyIdFromPublicKey(cert, NULL,NULL,ntruKey, ntruKeySz, NULL, NULL, - SKID_TYPE); -} -#endif - int wc_SetAuthKeyIdFromPublicKey_ex(Cert *cert, int keyType, void* key) { RsaKey* rsaKey = NULL; 
@@ -24215,15 +24032,14 @@ int wc_SetAuthKeyIdFromPublicKey_ex(Cert *cert, int keyType, void* key) else if (keyType == ED448_TYPE) ed448Key = (ed448_key*)key; - return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, NULL, 0, ed25519Key, - ed448Key, AKID_TYPE); + return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, ed25519Key, ed448Key, + AKID_TYPE); } /* Set SKID from RSA or ECC public key */ int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey) { - return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, NULL, NULL, - AKID_TYPE); + return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, NULL, AKID_TYPE); } diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 000d4ca7f..4293bd941 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -194,9 +194,6 @@ const char* wc_GetErrorString(int error) case ASN_DH_KEY_E : return "ASN key init error, invalid input"; - case ASN_NTRU_KEY_E : - return "ASN NTRU key decode error, invalid input"; - case ASN_CRIT_EXT_E: return "X.509 Critical extension ignored or invalid"; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index a4ec1e240..0966ea9c0 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -334,10 +334,6 @@ _Pragma("GCC diagnostic ignored \"-Wunused-function\"") #include -#ifdef HAVE_NTRU - #include "libntruencrypt/ntru_crypto.h" -#endif - #ifdef DEVKITPRO #include #endif @@ -1639,9 +1635,8 @@ WOLFSSL_TEST_SUBROUTINE int error_test(void) int i; int j = 0; /* Values that are not or no longer error codes. */ - int missing[] = { -122, -123, -124, -127, -128, -129, - -163, -164, -165, -166, -167, -168, -169, - -233, + int missing[] = { -122, -123, -124, -127, -128, -129, -159, + -163, -164, -165, -166, -167, -168, -169, -233, 0 }; /* Check that all errors have a string and it's the same through the two 
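Review bot: The comment kept above `wc_SetAuthKeyIdFromPublicKey` in the `@@ -24215` hunk of asn.c says `/* Set SKID from RSA or ECC public key */`, but the rewritten call passes `AKID_TYPE`. Since the body is being touched anyway, the comment should read `/* Set AKID from RSA or ECC public key */` so it no longer duplicates the one on `wc_SetSubjectKeyIdFromPublicKey`. This is documentation only; the call itself matches the new six-argument `SetKeyIdFromPublicKey` signature.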
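Review bot: `-159` is added to `missing[]` in `error_test` (the `@@ -1639` hunk of test.c) as a bare number, with nothing recording why it became a gap. It appears to be the value freed by dropping `ASN_NTRU_KEY_E` from `wc_GetErrorString` in this commit; if that number is later reassigned, code and logs built against an older release would read the new meaning into an old failure. I would add a comment next to the array such as `/* -159 was ASN_NTRU_KEY_E (NTRU removed); keep it unassigned */`. `error_test` continues outside the hunk.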
@@ -11945,35 +11940,6 @@ WOLFSSL_TEST_SUBROUTINE int memory_test(void) return ret; } - -#ifdef HAVE_NTRU - -byte GetEntropy(ENTROPY_CMD cmd, byte* out); - -byte GetEntropy(ENTROPY_CMD cmd, byte* out) -{ - static WC_RNG rng; - - if (cmd == INIT) - return (wc_InitRng(&rng) == 0) ? 1 : 0; - - if (out == NULL) - return 0; - - if (cmd == GET_BYTE_OF_ENTROPY) - return (wc_RNG_GenerateBlock(&rng, out, 1) == 0) ? 1 : 0; - - if (cmd == GET_NUM_BYTES_PER_BYTE_OF_ENTROPY) { - *out = 1; - return 1; - } - - return 0; -} - -#endif /* HAVE_NTRU */ - - #ifndef NO_FILESYSTEM /* Cert Paths */ @@ -12219,7 +12185,7 @@ static const CertName certDefaultName = { WOLFSSL_SMALL_STACK_STATIC const char certKeyUsage[] = "digitalSignature,nonRepudiation"; #endif - #if (defined(WOLFSSL_CERT_REQ) || defined(HAVE_NTRU)) && !defined(NO_RSA) + #if defined(WOLFSSL_CERT_REQ) && !defined(NO_RSA) WOLFSSL_SMALL_STACK_STATIC const char certKeyUsage2[] = "digitalSignature,nonRepudiation,keyEncipherment,keyAgreement"; #endif 
@@ -14831,196 +14797,6 @@ exit_rsa: } #endif -#if defined(WOLFSSL_CERT_GEN) && defined(HAVE_NTRU) -static int rsa_ntru_test(RsaKey* caKey, WC_RNG* rng, byte* tmp) -{ - int ret; - - Cert myCert; -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - XFILE caFile; -#endif -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - XFILE ntruPrivFile; -#endif - int certSz; - word32 idx3 = 0; -#ifdef WOLFSSL_TEST_CERT - DecodedCert decode; -#endif - byte public_key[557]; /* sized for EES401EP2 */ - word16 public_key_len; /* no. of octets in public key */ - byte private_key[607]; /* sized for EES401EP2 */ - word16 private_key_len; /* no. of octets in private key */ - DRBG_HANDLE drbg; - static uint8_t const pers_str[] = { - 'C', 'y', 'a', 'S', 'S', 'L', ' ', 't', 'e', 's', 't' - }; - word32 rc = ntru_crypto_drbg_instantiate(112, pers_str, - sizeof(pers_str), GetEntropy, &drbg); - if (rc != DRBG_OK) { - ERROR_OUT(-7946, exit_rsa); - } - - rc = ntru_crypto_ntru_encrypt_keygen(drbg, NTRU_EES401EP2, - &public_key_len, NULL, - &private_key_len, NULL); - if (rc != NTRU_OK) { - ERROR_OUT(-7947, exit_rsa); - } - - rc = ntru_crypto_ntru_encrypt_keygen(drbg, NTRU_EES401EP2, - &public_key_len, public_key, - &private_key_len, private_key); - if (rc != NTRU_OK) { - ERROR_OUT(-7948, exit_rsa); - } - - rc = ntru_crypto_drbg_uninstantiate(drbg); - if (rc != NTRU_OK) { - ERROR_OUT(-7949, exit_rsa); - } - -#ifdef USE_CERT_BUFFERS_1024 - XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024); - bytes = sizeof_ca_key_der_1024; -#elif defined(USE_CERT_BUFFERS_2048) - XMEMCPY(tmp, ca_key_der_2048, sizeof_ca_key_der_2048); - bytes = sizeof_ca_key_der_2048; -#else - caFile = XFOPEN(rsaCaKeyFile, "rb"); - if (!caFile) { - ERROR_OUT(-7950, exit_rsa); - } - - bytes = XFREAD(tmp, 1, FOURK_BUF, caFile); - XFCLOSE(caFile); -#endif /* USE_CERT_BUFFERS */ - - ret = wc_InitRsaKey(caKey, HEAP_HINT); - if (ret != 0) { - ERROR_OUT(-7951, exit_rsa); - } - ret = 
wc_RsaPrivateKeyDecode(tmp, &idx3, caKey, (word32)bytes); - if (ret != 0) { - ERROR_OUT(-7952, exit_rsa); - } - - if (wc_InitCert_ex(&myCert, HEAP_HINT, devId)) { - ERROR_OUT(-7953, exit_rsa); - } - - XMEMCPY(&myCert.subject, &certDefaultName, sizeof(CertName)); - myCert.daysValid = 1000; - -#ifdef WOLFSSL_CERT_EXT - /* add SKID from the Public Key */ - if (wc_SetSubjectKeyIdFromNtruPublicKey(&myCert, public_key, - public_key_len) != 0) { - ERROR_OUT(-7954, exit_rsa); - } - - /* add AKID from the CA certificate */ -#if defined(USE_CERT_BUFFERS_2048) - ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_2048, - sizeof_ca_cert_der_2048); -#elif defined(USE_CERT_BUFFERS_1024) - ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_1024, - sizeof_ca_cert_der_1024); -#else - ret = wc_SetAuthKeyId(&myCert, rsaCaCertFile); -#endif - if (ret != 0) { - ERROR_OUT(-7955, exit_rsa); - } - - /* add Key Usage */ - if (wc_SetKeyUsage(&myCert, certKeyUsage2) != 0) { - ERROR_OUT(-7956, exit_rsa); - } -#endif /* WOLFSSL_CERT_EXT */ - -#if defined(USE_CERT_BUFFERS_2048) - ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_2048, - sizeof_ca_cert_der_2048); -#elif defined(USE_CERT_BUFFERS_1024) - ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_1024, - sizeof_ca_cert_der_1024); -#else - ret = wc_SetIssuer(&myCert, rsaCaCertFile); -#endif - if (ret < 0) { - ERROR_OUT(-7957, exit_rsa); - } - - der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (der == NULL) { - ERROR_OUT(-7958, exit_rsa); - } - - certSz = wc_MakeNtruCert(&myCert, der, FOURK_BUF, public_key, - public_key_len, rng); - if (certSz < 0) { - ERROR_OUT(-7959, exit_rsa); - } - - ret = 0; - do { - #if defined(WOLFSSL_ASYNC_CRYPT) - ret = wc_AsyncWait(ret, &caKey->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); - #endif - if (ret >= 0) { - ret = wc_SignCert(myCert.bodySz, myCert.sigType, der, FOURK_BUF, - caKey, NULL, rng); - } - } while (ret == WC_PENDING_E); - wc_FreeRsaKey(caKey); - if (ret < 0) { - ERROR_OUT(-7960, exit_rsa); 
- } - certSz = ret; - -#ifdef WOLFSSL_TEST_CERT - InitDecodedCert(&decode, der, certSz, HEAP_HINT); - ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0); - if (ret != 0) { - FreeDecodedCert(&decode); - ERROR_OUT(-7961, exit_rsa); - } - FreeDecodedCert(&decode); -#endif - - ret = SaveDerAndPem(der, certSz, "./ntru-cert.der", "./ntru-cert.pem", - CERT_TYPE, -5637); - if (ret != 0) { - goto exit_rsa; - } - -#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - ntruPrivFile = XFOPEN("./ntru-key.raw", "wb"); - if (!ntruPrivFile) { - ERROR_OUT(-7962, exit_rsa); - } - ret = (int)XFWRITE(private_key, 1, private_key_len, ntruPrivFile); - XFCLOSE(ntruPrivFile); - if (ret != private_key_len) { - ERROR_OUT(-7963, exit_rsa); - } -#endif - -exit_rsa: - if (der != NULL) { - XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - der = NULL; - } - - if (ret >= 0) - ret = 0; - else - return ret; -} -#endif - #ifndef WOLFSSL_RSA_VERIFY_ONLY #if !defined(WC_NO_RSA_OAEP) && !defined(WC_NO_RNG) && \ !defined(HAVE_FAST_RSA) && !defined(HAVE_USER_RSA) && \ @@ -15388,13 +15164,6 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) #else RsaKey keypub[1]; #endif -#endif -#if defined(HAVE_NTRU) -#ifdef WOLFSSL_SMALL_STACK - RsaKey *caKey = (RsaKey *)XMALLOC(sizeof *caKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); -#else - RsaKey caKey[1]; -#endif #endif word32 idx = 0; const char inStr[] = TEST_STRING; @@ -15445,10 +15214,6 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) if (keypub == NULL) ERROR_OUT(MEMORY_E, exit_rsa); #endif -#if defined(HAVE_NTRU) - if (caKey == NULL) - ERROR_OUT(MEMORY_E, exit_rsa); -#endif #ifdef WOLFSSL_TEST_CERT if (cert == NULL) ERROR_OUT(MEMORY_E, exit_rsa); @@ -15461,9 +15226,6 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN) XMEMSET(keypub, 0, sizeof *keypub); #endif -#if defined(HAVE_NTRU) - XMEMSET(caKey, 0, sizeof *caKey); -#endif #if !defined(HAVE_USER_RSA) && !defined(NO_ASN) ret = rsa_decode_test(key); 
@@ -15881,13 +15643,6 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void) goto exit_rsa; #endif -#ifdef HAVE_NTRU - ret = rsa_ntru_test(caKey, &rng, tmp); - if (ret != 0) - goto exit_rsa; - -#endif /* HAVE_NTRU */ - #ifdef WOLFSSL_CERT_REQ { Cert *req; @@ -16024,12 +15779,6 @@ exit_rsa: XFREE(keypub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); } #endif - #if defined(HAVE_NTRU) - if (caKey != NULL) { - wc_FreeRsaKey(caKey); - XFREE(caKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - } - #endif #ifdef WOLFSSL_TEST_CERT if (cert != NULL) XFREE(cert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -16039,9 +15788,6 @@ exit_rsa: #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN) wc_FreeRsaKey(keypub); #endif - #if defined(HAVE_NTRU) - wc_FreeRsaKey(caKey); - #endif #endif /* WOLFSSL_SMALL_STACK */ XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/wolfssl-ntru.sln b/wolfssl-ntru.sln deleted file mode 100755 index c43e1cf19..000000000 --- a/wolfssl-ntru.sln +++ /dev/null 
@@ -1,65 +0,0 @@ - -Microsoft Visual Studio Solution File, Format Version 10.00 -# Visual C++ Express 2008 -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wolfssl", "wolfssl-ntru.vcproj", "{73973223-5EE8-41CA-8E88-1D60E89A237B}" -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testsuite", "testsuite\testsuite-ntru.vcproj", "{611E8971-46E0-4D0A-B5A1-632C3B00CB80}" - ProjectSection(ProjectDependencies) = postProject - {73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B} - EndProjectSection -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoserver", "examples\echoserver\echoserver-ntru.vcproj", "{07D97C48-E08F-4E34-9F67-3064039FF2CB}" - ProjectSection(ProjectDependencies) = postProject - {73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B} - EndProjectSection -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoclient", "examples\echoclient\echoclient-ntru.vcproj", "{8362A816-C5DC-4E22-B5C5-9E6806387073}" - ProjectSection(ProjectDependencies) = postProject - {73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B} - EndProjectSection -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "client", "examples\client\client-ntru.vcproj", "{3ADE9549-582D-4D8E-9826-B172197A7959}" - ProjectSection(ProjectDependencies) = postProject - {73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B} - EndProjectSection -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "server", "examples\server\server-ntru.vcproj", "{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}" - ProjectSection(ProjectDependencies) = postProject - {73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B} - EndProjectSection -EndProject -Global - GlobalSection(SolutionConfigurationPlatforms) = preSolution - Debug|Win32 = Debug|Win32 - Release|Win32 = Release|Win32 - EndGlobalSection - 
GlobalSection(ProjectConfigurationPlatforms) = postSolution - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.ActiveCfg = Debug|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.Build.0 = Debug|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.ActiveCfg = Release|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.Build.0 = Release|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.ActiveCfg = Debug|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.Build.0 = Debug|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.ActiveCfg = Release|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.Build.0 = Release|Win32 - {07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.ActiveCfg = Debug|Win32 - {07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.Build.0 = Debug|Win32 - {07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.ActiveCfg = Release|Win32 - {07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.Build.0 = Release|Win32 - {8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.ActiveCfg = Debug|Win32 - {8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.Build.0 = Debug|Win32 - {8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.ActiveCfg = Release|Win32 - {8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.Build.0 = Release|Win32 - {3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.ActiveCfg = Debug|Win32 - {3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.Build.0 = Debug|Win32 - {3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.ActiveCfg = Release|Win32 - {3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.Build.0 = Release|Win32 - {E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.ActiveCfg = Debug|Win32 - {E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.Build.0 = Debug|Win32 - {E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.ActiveCfg = Release|Win32 - {E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.Build.0 = Release|Win32 - EndGlobalSection - GlobalSection(SolutionProperties) = 
preSolution - HideSolutionNode = FALSE - EndGlobalSection -EndGlobal diff --git a/wolfssl-ntru.vcproj b/wolfssl-ntru.vcproj deleted file mode 100755 index e6c6d66b0..000000000 --- a/wolfssl-ntru.vcproj +++ /dev/null @@ -1,353 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 019447493..84f1dcfd4 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -75,10 +75,6 @@ enum wolfSSL_ErrorCodes { ZERO_RETURN = -343, /* peer sent close notify */ SIDE_ERROR = -344, /* wrong client/server type */ NO_PEER_CERT = -345, /* peer didn't send key */ - NTRU_KEY_ERROR = -346, /* NTRU key error */ - NTRU_DRBG_ERROR = -347, /* NTRU drbg error */ - NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */ - NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */ ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */ ECC_CURVE_ERROR = -351, /* Bad ECC Curve */ ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 504dbb5b8..bc0fb41b2 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -288,11 +288,6 @@ #error "You are trying to build max strength with requirements disabled." #endif -/* Have QSH : Quantum-safe Handshake */ -#if defined(HAVE_QSH) - #define BUILD_TLS_QSH -#endif - #ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_MAX_STRENGTH @@ -312,10 +307,6 @@ #define BUILD_SSL_RSA_WITH_RC4_128_MD5 #endif #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) \ - && defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - #endif #endif #if !defined(NO_RSA) && !defined(NO_DES3) 
@@ -323,10 +314,6 @@ #if defined(WOLFSSL_STATIC_RSA) #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) \ - && defined(WOLFSSL_STATIC_RSA) - #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - #endif #endif #endif @@ -347,14 +334,6 @@ #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA #endif #endif - #if defined(HAVE_NTRU) && defined(WOLFSSL_STATIC_RSA) - #ifdef WOLFSSL_AES_128 - #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - #endif - #ifdef WOLFSSL_AES_256 - #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - #endif - #endif #endif #if defined(WOLFSSL_STATIC_RSA) #if !defined (NO_SHA256) && defined(HAVE_AES_CBC) @@ -1042,16 +1021,6 @@ enum { TLS_RSA_WITH_RABBIT_SHA = 0xFD, WDM_WITH_NULL_SHA256 = 0xFE, /* wolfSSL DTLS Multicast */ - /* wolfSSL extension - NTRU */ - TLS_NTRU_RSA_WITH_RC4_128_SHA = 0xe5, - TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA = 0xe6, - TLS_NTRU_RSA_WITH_AES_128_CBC_SHA = 0xe7, /* clashes w/official SHA-256 */ - TLS_NTRU_RSA_WITH_AES_256_CBC_SHA = 0xe8, - - /* wolfSSL extension - NTRU , Quantum-safe Handshake - first byte is 0xD0 (QSH_BYTE) */ - TLS_QSH = 0x01, - /* SHA256 */ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x6b, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x67, @@ -1236,7 +1205,6 @@ enum { enum Misc { CIPHER_BYTE = 0x00, /* Default ciphers */ ECC_BYTE = 0xC0, /* ECC first cipher suite byte */ - QSH_BYTE = 0xD0, /* Quantum-safe Handshake cipher suite */ CHACHA_BYTE = 0xCC, /* ChaCha first cipher suite */ TLS13_BYTE = 0x13, /* TLS v1.3 first byte of cipher suite */ @@ -1512,9 +1480,6 @@ enum Misc { #endif CERT_MIN_SIZE = 256, /* min PEM cert size with header/footer */ - MAX_NTRU_PUB_KEY_SZ = 1027, /* NTRU max for now */ - MAX_NTRU_ENCRYPT_SZ = 1027, /* NTRU max for now */ - MAX_NTRU_BITS = 256, /* max symmetric bit strength */ NO_SNIFF = 0, /* not sniffing */ SNIFF = 1, /* currently sniffing */ 
@@ -1645,13 +1610,7 @@ enum Misc { #endif #endif - -/* don't use extra 3/4k stack space unless need to */ -#ifdef HAVE_NTRU - #define MAX_ENCRYPT_SZ MAX_NTRU_ENCRYPT_SZ -#else - #define MAX_ENCRYPT_SZ ENCRYPT_LEN -#endif +#define MAX_ENCRYPT_SZ ENCRYPT_LEN /* states */ @@ -1913,7 +1872,7 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, int haveAnon, int tls1_2, int keySz); WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, int, word16, word16, - word16, word16, word16, word16, word16, word16, int); + word16, word16, word16, word16, word16, int); WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites); WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list); WOLFSSL_LOCAL int SetSuitesHashSigAlgo(Suites*, const char* list); @@ -2280,7 +2239,6 @@ typedef enum { TLSX_ENCRYPT_THEN_MAC = 0x0016, /* RFC 7366 */ #endif TLSX_EXTENDED_MASTER_SECRET = 0x0017, /* HELLO_EXT_EXTMS */ - TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ TLSX_SESSION_TICKET = 0x0023, #ifdef WOLFSSL_TLS13 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) @@ -2349,7 +2307,6 @@ WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \ || defined(HAVE_SUPPORTED_CURVES) \ || defined(HAVE_ALPN) \ - || defined(HAVE_QSH) \ || defined(HAVE_SESSION_TICKET) \ || defined(HAVE_SECURE_RENEGOTIATION) \ || defined(HAVE_SERVER_RENEGOTIATION_INFO) 
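Review bot: The `InitSuites` prototype still declares its flags as unnamed `word16` parameters, so going from eight flags to seven is checked by the compiler for count only, not for which flag each caller dropped. A call site that removed the wrong argument would compile cleanly and shift every later flag by one position, which changes the cipher suites offered. The callers are outside this chunk (the diffstat lists src/internal.c, src/ssl.c, src/tls.c and src/tls13.c), so each one should be checked against the definition. Naming the parameters in this declaration, as the definition does, would make those call sites reviewable by inspection.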
@@ -2591,48 +2548,6 @@ WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket, void* heap); #endif /* HAVE_SESSION_TICKET */ -/** Quantum-Safe-Hybrid - draft-whyte-qsh-tls12-00 */ -#ifdef HAVE_QSH - -typedef struct QSHScheme { - struct QSHScheme* next; /* List Behavior */ - byte* PK; - word16 name; /* QSHScheme Names */ - word16 PKLen; -} QSHScheme; - -typedef struct QSHkey { - struct QSHKey* next; - word16 name; - buffer pub; - buffer pri; -} QSHKey; - -typedef struct QSHSecret { - QSHScheme* list; - buffer* SerSi; - buffer* CliSi; -} QSHSecret; - -/* used in key exchange during handshake */ -WOLFSSL_LOCAL int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, - word16 length, byte isServer); -WOLFSSL_LOCAL word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output); -WOLFSSL_LOCAL word16 TLSX_QSH_GetSize(QSHScheme* list, byte isRequest); - -/* used by api for setting a specific QSH scheme */ -WOLFSSL_LOCAL int TLSX_UseQSHScheme(TLSX** extensions, word16 name, - byte* pKey, word16 pKeySz, void* heap); - -/* used when parsing in QSHCipher structs */ -WOLFSSL_LOCAL int QSH_Decrypt(QSHKey* key, byte* in, word32 szIn, - byte* out, word16* szOut); -#ifndef NO_WOLFSSL_SERVER -WOLFSSL_LOCAL int TLSX_ValidateQSHScheme(TLSX** extensions, word16 name); -#endif - -#endif /* HAVE_QSH */ - #ifdef WOLFSSL_TLS13 /* Cookie extension information - cookie data. */ typedef struct Cookie { @@ -2848,7 +2763,6 @@ struct WOLFSSL_CTX { byte haveRSA:1; /* RSA available */ byte haveECC:1; /* ECC available */ byte haveDH:1; /* server DH parms set by user */ - byte haveNTRU:1; /* server private NTRU key loaded */ byte haveECDSAsig:1; /* server cert signed w/ ECDSA */ byte haveStaticECC:1; /* static server ECC private key */ byte partialWrite:1; /* only one msg per write call */ @@ -3172,7 +3086,6 @@ enum KeyExchangeAlgorithm { psk_kea, dhe_psk_kea, ecdhe_psk_kea, - ntru_kea, ecc_diffie_hellman_kea, ecc_static_diffie_hellman_kea /* for verify suite only */ }; 
@@ -3636,8 +3549,6 @@ typedef struct Options { word16 haveRSA:1; /* RSA available */ word16 haveECC:1; /* ECC available */ word16 haveDH:1; /* server DH parms set by user */ - word16 haveNTRU:1; /* server NTRU private key loaded */ - word16 haveQSH:1; /* have QSH ability */ word16 haveECDSAsig:1; /* server ECDSA signed cert */ word16 haveStaticECC:1; /* static server ECC private key */ word16 havePeerCert:1; /* do we have peer's cert */ @@ -4262,18 +4173,6 @@ struct WOLFSSL { #endif byte peerRsaKeyPresent; #endif -#ifdef HAVE_QSH - QSHKey* QSH_Key; - QSHKey* peerQSHKey; - QSHSecret* QSH_secret; - byte isQSH; /* is the handshake a QSH? */ - byte sendQSHKeys; /* flag for if the client should sen - public keys */ - byte peerQSHKeyPresent; - byte minRequest; - byte maxRequest; - byte user_set_QSHSchemes; -#endif #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE) word16 namedGroup; #endif @@ -4287,11 +4186,6 @@ struct WOLFSSL { byte certHashSigAlgo[WOLFSSL_MAX_SIGALGO]; /* cert sig/algo to * offer */ #endif -#ifdef HAVE_NTRU - word16 peerNtruKeyLen; - byte peerNtruKey[MAX_NTRU_PUB_KEY_SZ]; - byte peerNtruKeyPresent; -#endif #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) int eccVerifyRes; #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 24582b027..c523c8b67 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -366,7 +366,7 @@ struct WOLFSSL_EVP_PKEY { #endif union { - char* ptr; /* der format of key / or raw for NTRU */ + char* ptr; /* der format of key */ } pkey; #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) #ifndef NO_RSA 
@@ -968,12 +968,6 @@ WOLFSSL_API int wolfSSL_use_RSAPrivateKey_file(WOLFSSL*, const char*, int); WOLFSSL_API int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX*, const char*, int); #endif - -#ifdef HAVE_NTRU - WOLFSSL_API int wolfSSL_CTX_use_NTRUPrivateKey_file(WOLFSSL_CTX*, const char*); - /* load NTRU private key blob */ -#endif - #endif /* !NO_FILESYSTEM && !NO_CERTS */ WOLFSSL_API WOLFSSL_CTX* wolfSSL_CTX_new_ex(WOLFSSL_METHOD* method, void* heap); @@ -2192,7 +2186,6 @@ WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio); #define SSL_FILETYPE_ASN1 WOLFSSL_FILETYPE_ASN1 #define SSL_FILETYPE_PEM WOLFSSL_FILETYPE_PEM #define SSL_FILETYPE_DEFAULT WOLFSSL_FILETYPE_DEFAULT - #define SSL_FILETYPE_RAW WOLFSSL_FILETYPE_RAW #define SSL_VERIFY_NONE WOLFSSL_VERIFY_NONE #define SSL_VERIFY_PEER WOLFSSL_VERIFY_PEER @@ -2263,7 +2256,6 @@ enum { /* ssl Constants */ WOLFSSL_FILETYPE_ASN1 = 2, WOLFSSL_FILETYPE_PEM = 1, WOLFSSL_FILETYPE_DEFAULT = 2, /* ASN1 */ - WOLFSSL_FILETYPE_RAW = 3, /* NTRU raw key blob */ WOLFSSL_VERIFY_NONE = 0, WOLFSSL_VERIFY_PEER = 1 << 0, 
@@ -3668,30 +3660,6 @@ WOLFSSL_API int wolfSSL_CTX_set_num_tickets(WOLFSSL_CTX* ctx, size_t mxTickets); #endif /* HAVE_SESSION_TICKET */ -#ifdef HAVE_QSH -/* Quantum-safe Crypto Schemes */ -enum { - WOLFSSL_NTRU_EESS439 = 0x0101, /* max plaintext length of 65 */ - WOLFSSL_NTRU_EESS593 = 0x0102, /* max plaintext length of 86 */ - WOLFSSL_NTRU_EESS743 = 0x0103, /* max plaintext length of 106 */ - WOLFSSL_LWE_XXX = 0x0201, /* Learning With Error encryption scheme */ - WOLFSSL_HFE_XXX = 0x0301, /* Hidden Field Equation scheme */ - WOLFSSL_NULL_QSH = 0xFFFF /* QSHScheme is not used */ -}; - - -/* test if the connection is using a QSH secure connection return 1 if so */ -WOLFSSL_API int wolfSSL_isQSH(WOLFSSL* ssl); -WOLFSSL_API int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, unsigned short name); -#ifndef NO_WOLFSSL_CLIENT - /* user control over sending client public key in hello - when flag = 1 will send keys if flag is 0 or function is not called - then will not send keys in the hello extension */ - WOLFSSL_API int wolfSSL_UseClientQSHKeys(WOLFSSL* ssl, unsigned char flag); -#endif - -#endif /* QSH */ - /* TLS Extended Master Secret Extension */ WOLFSSL_API int wolfSSL_DisableExtendedMasterSecret(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_CTX_DisableExtendedMasterSecret(WOLFSSL_CTX* ctx); diff --git a/wolfssl/test.h b/wolfssl/test.h index 5eee9202d..8a16bdb4e 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -343,8 +343,6 @@ #define cliCertFileExt "certs/client-cert-ext.pem" #define cliCertDerFileExt "certs/client-cert-ext.der" #define cliKeyFile "certs/client-key.pem" -#define ntruCertFile "certs/ntru-cert.pem" -#define ntruKeyFile "certs/ntru-key.raw" #define dhParamFile "certs/dh2048.pem" #define cliEccKeyFile "certs/ecc-client-key.pem" #define cliEccCertFile "certs/client-ecc-cert.pem" 
@@ -377,8 +375,6 @@ #define cliCertFileExt "./certs/client-cert-ext.pem" #define cliCertDerFileExt "./certs/client-cert-ext.der" #define cliKeyFile "./certs/client-key.pem" -#define ntruCertFile "./certs/ntru-cert.pem" -#define ntruKeyFile "./certs/ntru-key.raw" #define dhParamFile "./certs/dh2048.pem" #define cliEccKeyFile "./certs/ecc-client-key.pem" #define cliEccCertFile "./certs/client-ecc-cert.pem" @@ -983,12 +979,7 @@ static WC_INLINE void showPeerEx(WOLFSSL* ssl, int lng_index) printf("%s %s\n", words[0], wolfSSL_get_version(ssl)); cipher = wolfSSL_get_current_cipher(ssl); -#ifdef HAVE_QSH - printf("%s %s%s\n", words[1], (wolfSSL_isQSH(ssl))? "QSH:": "", - wolfSSL_CIPHER_get_name(cipher)); -#else printf("%s %s\n", words[1], wolfSSL_CIPHER_get_name(cipher)); -#endif #ifdef OPENSSL_EXTRA if (wolfSSL_get_signature_nid(ssl, &nid) == WOLFSSL_SUCCESS) { printf("%s %s\n", words[2], OBJ_nid2sn(nid)); @@ -2753,7 +2744,7 @@ static WC_INLINE void CaCb(unsigned char* der, int sz, int type) int depth, res; XFILE keyFile; for(depth = 0; depth <= MAX_WOLF_ROOT_DEPTH; depth++) { - keyFile = XFOPEN(ntruKeyFile, "rb"); + keyFile = XFOPEN(dhParamFile, "rb"); if (keyFile != NULL) { fclose(keyFile); return depth; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 8205188ce..606661303 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -820,8 +820,6 @@ enum Misc_ASN { MAX_DSA_PRIVKEY_SZ = (DSA_INTS * MAX_DSA_INT_SZ) + MAX_SEQ_SZ + MAX_VERSION_SZ, /* Maximum size of a DSA Private key taken from DsaKeyIntsToDer. */ - MAX_NTRU_KEY_SZ = 610, /* NTRU 112 bit public key */ - MAX_NTRU_ENC_SZ = 628, /* NTRU 112 bit DER public encoding */ MAX_RSA_E_SZ = 16, /* Max RSA public e size */ MAX_CA_SZ = 32, /* Max encoded CA basic constraint length */ MAX_SN_SZ = 35, /* Max encoded serial number (INT) length */ 
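Review bot: In the depth loop the probe now opens `dhParamFile`, but the handle is still named `keyFile` and nothing says the file is opened only to test for its existence. From `MAX_WOLF_ROOT_DEPTH` and `return depth` this looks like the search for the source root, so a comment on the new line would help, for example `/* dhParamFile is only a marker for the wolfSSL root; its contents are not read */`. Renaming the handle to something neutral such as `probeFile` would fit as well. The close on the next line is a bare `fclose(keyFile)` against an `XFOPEN`; `XFCLOSE(keyFile)` would keep the file abstraction consistent on ports that remap it. The enclosing function starts and ends outside the hunk.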
@@ -864,8 +862,7 @@ enum Misc_ASN { MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */ MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */ EIGHTK_BUF = 8192, /* Tmp buffer size */ - MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2, - /* use bigger NTRU size */ + MAX_PUBLIC_KEY_SZ = MAX_DSA_PUBKEY_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2, #ifdef WOLFSSL_ENCRYPTED_KEYS HEADER_ENCRYPTED_KEY_SIZE = 88,/* Extra header size for encrypted key */ #else @@ -971,7 +968,6 @@ enum Block_Sum { enum Key_Sum { DSAk = 515, RSAk = 645, - NTRUk = 274, ECDSAk = 518, ED25519k = 256, /* 1.3.101.112 */ X25519k = 254, /* 1.3.101.110 */ @@ -1880,7 +1876,6 @@ enum cert_enums { EMAIL_JOINT_LEN = 9, PILOT_JOINT_LEN = 10, RSA_KEY = 10, - NTRU_KEY = 11, ECC_KEY = 12, ED25519_KEY = 13, ED448_KEY = 14, diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index e8f0be466..f39272a8a 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -437,11 +437,6 @@ WOLFSSL_API int wc_GetSubjectRaw(byte **subjectRaw, Cert *cert); WOLFSSL_API int wc_SetSubjectRaw(Cert* cert, const byte* der, int derSz); WOLFSSL_API int wc_SetIssuerRaw(Cert* cert, const byte* der, int derSz); -#ifdef HAVE_NTRU -WOLFSSL_API int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert, byte *ntruKey, - word16 ntruKeySz); -#endif - /* Set the KeyUsage. * Value is a string separated tokens with ','. Accepted tokens are : * digitalSignature,nonRepudiation,contentCommitment,keyCertSign,cRLSign, @@ -466,13 +461,6 @@ WOLFSSL_API int wc_SetExtKeyUsageOID(Cert *cert, const char *oid, word32 sz, byte idx, void* heap); #endif /* WOLFSSL_EKU_OID */ #endif /* WOLFSSL_CERT_EXT */ - - #ifdef HAVE_NTRU - WOLFSSL_API int wc_MakeNtruCert(Cert*, byte* derBuffer, word32 derSz, - const byte* ntruKey, word16 keySz, - WC_RNG*); - #endif - #endif /* WOLFSSL_CERT_GEN */ WOLFSSL_API int wc_GetDateInfo(const byte* certDate, int certDateSz, 
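Review bot: `MAX_PUBLIC_KEY_SZ` is now derived from `MAX_DSA_PUBKEY_SZ` with no comment explaining why DSA is the bound; the removed line at least said "use bigger NTRU size". Earlier in this patch, `SetKeyIdFromPublicKey` passes the constant as the output length to `SetEccPublicKey` and so relies on it for every key type it encodes. The new value therefore needs to be at least as large as the old sum built on `MAX_NTRU_ENC_SZ = 628`, and large enough for the biggest RSA key the build allows. The definition of `MAX_DSA_PUBKEY_SZ` is outside this hunk, so please confirm both points, and also that the constant is still defined in builds without DSA. If the intent is "largest remaining public-key encoding", say so on the line, for example `/* sized from DSA, the largest public key encoding still supported */`.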
diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index f03c6d473..78851d3d4 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -103,7 +103,6 @@ enum { ASN_SIG_HASH_E = -156, /* ASN sig error, unsupported hash type */ ASN_SIG_KEY_E = -157, /* ASN sig error, unsupported key type */ ASN_DH_KEY_E = -158, /* ASN key init error, invalid input */ - ASN_NTRU_KEY_E = -159, /* ASN ntru key decode error, invalid input */ ASN_CRIT_EXT_E = -160, /* ASN unsupported critical extension */ ASN_ALT_NAME_E = -161, /* ASN alternate name error */ ASN_NO_PEM_HEADER = -162, /* ASN no PEM header found */ diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 5ecb1949b..9aefa7637 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -814,7 +814,6 @@ decouple library dependencies with standard string, memory and so on. DYNAMIC_TYPE_SEED = 83, DYNAMIC_TYPE_SYMMETRIC_KEY= 84, DYNAMIC_TYPE_ECC_BUFFER = 85, - DYNAMIC_TYPE_QSH = 86, DYNAMIC_TYPE_SALT = 87, DYNAMIC_TYPE_HASH_TMP = 88, DYNAMIC_TYPE_BLOB = 89,