From 064483035c01e7f34d4f7a735e225c4c72d1c3dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 9 Jun 2014 17:31:32 -0300 Subject: [PATCH 1/6] fix on TLSX_SNI_GetFromBuffer - set inOutSz value to zero when there is no SNI extension in the client hello buffer. --- src/tls.c | 2 ++ tests/api.c | 14 ++++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/src/tls.c b/src/tls.c index 420ea15ba..45de6a8ef 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1047,6 +1047,8 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, len16 -= min(2 * OPAQUE16_LEN + extLen, len16); } + *inOutSz = 0; + return len16 ? BUFFER_ERROR : SSL_SUCCESS; } diff --git a/tests/api.c b/tests/api.c index 200fca2e1..a0a6f781b 100644 --- a/tests/api.c +++ b/tests/api.c @@ -390,9 +390,15 @@ static void test_CyaSSL_SNI_GetFromBuffer(void) AssertIntEQ(SSL_SUCCESS, CyaSSL_SNI_GetFromBuffer(buffer3, sizeof(buffer3), 0, result, &length)); + AssertIntEQ(XSTRLEN(""), length); + + length = 32; AssertIntEQ(SSL_SUCCESS, CyaSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), 1, result, &length)); + AssertIntEQ(XSTRLEN(""), length); + + length = 32; AssertIntEQ(-228, CyaSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), 0, result, &length)); @@ -410,15 +416,15 @@ static void test_CyaSSL_SNI_GetFromBuffer(void) result, &length)); buffer[4] = 0x64; - AssertIntEQ(1, CyaSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), 0, - result, &length)); + AssertIntEQ(SSL_SUCCESS, CyaSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), + 0, result, &length)); result[length] = 0; AssertStrEQ("www.paypal.com", (const char*) result); length = 32; - AssertIntEQ(1, CyaSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), 0, - result, &length)); + AssertIntEQ(SSL_SUCCESS, CyaSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), + 0, result, &length)); result[length] = 0; AssertStrEQ("api.textmate.org", (const char*) result); } From ba36c24fc1986806d839e4cc5eba988c40bc18c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Tue, 10 Jun 2014 15:25:49 -0300 Subject: [PATCH 2/6] fix on TLSX_SNI_GetFromBuffer - undo last fix and return 0 when there is no SNI extension. Now the return is the same when there is no extensions at all. --- src/tls.c | 4 +--- tests/api.c | 10 ++-------- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/src/tls.c b/src/tls.c index 45de6a8ef..7fe94ac2b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1047,9 +1047,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, len16 -= min(2 * OPAQUE16_LEN + extLen, len16); } - *inOutSz = 0; - - return len16 ? BUFFER_ERROR : SSL_SUCCESS; + return len16 ? BUFFER_ERROR : 0; } #endif diff --git a/tests/api.c b/tests/api.c index a0a6f781b..a5acfeaa3 100644 --- a/tests/api.c +++ b/tests/api.c @@ -388,17 +388,11 @@ static void test_CyaSSL_SNI_GetFromBuffer(void) byte result[32] = {0}; word32 length = 32; - AssertIntEQ(SSL_SUCCESS, CyaSSL_SNI_GetFromBuffer(buffer3, sizeof(buffer3), + AssertIntEQ(0, CyaSSL_SNI_GetFromBuffer(buffer3, sizeof(buffer3), 0, result, &length)); - AssertIntEQ(XSTRLEN(""), length); - length = 32; - - AssertIntEQ(SSL_SUCCESS, CyaSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), + AssertIntEQ(0, CyaSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), 1, result, &length)); - AssertIntEQ(XSTRLEN(""), length); - - length = 32; AssertIntEQ(-228, CyaSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), 0, result, &length)); From 9c905b6519a0dcbb5bfdb4e083f1220c19d818aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Tue, 10 Jun 2014 16:56:45 -0300 Subject: [PATCH 3/6] fix on TLSX_SNI_GetFromBuffer - > should be >= so extensions of length 0 get inside the while. added test to cover case. --- src/tls.c | 2 +- tests/api.c | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/src/tls.c b/src/tls.c index 7fe94ac2b..c734125bc 100644 --- a/src/tls.c +++ b/src/tls.c @@ -997,7 +997,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, if (helloSz < offset + len16) return BUFFER_ERROR; - while (len16 > OPAQUE16_LEN + OPAQUE16_LEN) { + while (len16 >= OPAQUE16_LEN + OPAQUE16_LEN) { word16 extType; word16 extLen; diff --git a/tests/api.c b/tests/api.c index a5acfeaa3..4b624adde 100644 --- a/tests/api.c +++ b/tests/api.c @@ -385,9 +385,32 @@ static void test_CyaSSL_SNI_GetFromBuffer(void) 0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01 }; + byte buffer4[] = { /* last extension has zero size */ + 0x16, 0x03, 0x01, 0x00, 0xba, 0x01, 0x00, 0x00, + 0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45, + 0x15, 0xbd, 0x64, 0xa9, 0xb6, 0x07, 0xb4, 0x50, 0xc6, 0xdd, 0xff, 0xc2, + 0xd3, 0x0d, 0x4f, 0x36, 0xb4, 0x41, 0x51, 0x61, 0xc1, 0xa5, 0x9e, 0x00, + 0x00, 0x28, 0xcc, 0x14, 0xcc, 0x13, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e, + 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0xc0, 0x07, 0xc0, 0x11, + 0x00, 0x33, 0x00, 0x32, 0x00, 0x39, 0x00, 0x9c, 0x00, 0x2f, 0x00, 0x35, + 0x00, 0x0a, 0x00, 0x05, 0x00, 0x04, 0x01, 0x00, 0x00, 0x65, 0xff, 0x01, + 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x17, 0x00, + 0x18, 0x00, 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, + 0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, 0x1b, 0x00, 0x19, 0x06, + 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, + 0x33, 0x2e, 0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31, + 0x75, 0x50, 0x00, 0x00, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0d, 0x00, 0x12, 0x00, 0x10, 0x04, 0x01, 0x05, 0x01, 0x02, + 0x01, 0x04, 0x03, 0x05, 0x03, 0x02, 0x03, 0x04, 0x02, 0x02, 0x02, 0x00, + 0x12, 0x00, 0x00 + }; + byte result[32] = {0}; word32 length = 32; + AssertIntEQ(0, CyaSSL_SNI_GetFromBuffer(buffer4, sizeof(buffer4), + 0, result, &length)); + AssertIntEQ(0, CyaSSL_SNI_GetFromBuffer(buffer3, sizeof(buffer3), 0, result, &length)); From aad204428fbb325c53de92758edf186ab6c8354c Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 11 Jun 2014 11:43:17 -0700 Subject: [PATCH 4/6] fips mode hmac min key length for 2014 requirements --- ctaocrypt/src/hmac.c | 5 +++++ ctaocrypt/test/test.c | 32 ++++++++++++++++++++++++-------- cyassl/ctaocrypt/hmac.h | 2 ++ tests/hash.c | 16 ++++++++++++++++ 4 files changed, 47 insertions(+), 8 deletions(-) diff --git a/ctaocrypt/src/hmac.c b/ctaocrypt/src/hmac.c index 0bd1c41d1..cadbd18fc 100644 --- a/ctaocrypt/src/hmac.c +++ b/ctaocrypt/src/hmac.c @@ -131,6 +131,11 @@ int HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) if (ret != 0) return ret; +#ifdef HAVE_FIPS + if (length < HMAC_FIPS_MIN_KEY) + return -1; /* TODO: next, fix wolfCrypt error range */ +#endif + switch (hmac->macType) { #ifndef NO_MD5 case MD5: diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index c2c5d7f4e..e6684d011 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -1149,9 +1149,11 @@ int hmac_md5_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { -#ifdef HAVE_CAVIUM +#if defined(HAVE_FIPS) || defined(HAVE_CAVIUM) if (i == 1) - continue; /* driver can't handle keys <= bytes */ + continue; /* cavium can't handle short keys, fips not allowed */ +#endif +#ifdef HAVE_CAVIUM if (HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0) return -20009; #endif @@ -1224,9 +1226,11 @@ int hmac_sha_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { -#ifdef HAVE_CAVIUM +#if defined(HAVE_FIPS) || defined(HAVE_CAVIUM) if (i == 1) - continue; /* driver can't handle keys <= bytes */ + continue; /* cavium can't handle short keys, fips not allowed */ +#endif +#ifdef HAVE_CAVIUM if (HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0) return -20010; #endif @@ -1303,9 +1307,11 @@ int hmac_sha256_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { -#ifdef HAVE_CAVIUM +#if defined(HAVE_FIPS) || defined(HAVE_CAVIUM) if (i == 1) - continue; /* driver can't handle keys <= bytes */ + continue; /* cavium can't handle short keys, fips not allowed */ +#endif +#ifdef HAVE_CAVIUM if (HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0) return -20011; #endif @@ -1382,9 +1388,11 @@ int hmac_blake2b_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { -#ifdef HAVE_CAVIUM +#if defined(HAVE_FIPS) || defined(HAVE_CAVIUM) if (i == 1) - continue; /* driver can't handle keys <= bytes */ + continue; /* cavium can't handle short keys, fips not allowed */ +#endif +#ifdef HAVE_CAVIUM if (HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0) return -20011; #endif @@ -1465,6 +1473,10 @@ int hmac_sha384_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac, SHA384, (byte*)keys[i],(word32)strlen(keys[i])); if (ret != 0) return -4027; @@ -1541,6 +1553,10 @@ int hmac_sha512_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac, SHA512, (byte*)keys[i],(word32)strlen(keys[i])); if (ret != 0) return -4030; diff --git a/cyassl/ctaocrypt/hmac.h b/cyassl/ctaocrypt/hmac.h index 68627efcd..78cc9556c 100644 --- a/cyassl/ctaocrypt/hmac.h +++ b/cyassl/ctaocrypt/hmac.h @@ -60,6 +60,8 @@ #define CYASSL_HMAC_CAVIUM_MAGIC 0xBEEF0005 enum { + HMAC_FIPS_MIN_KEY = 14, /* 112 bit key length minimum */ + IPAD = 0x36, OPAD = 0x5C, diff --git a/tests/hash.c b/tests/hash.c index 03bf4bcb0..e8a7e6df5 100644 --- a/tests/hash.c +++ b/tests/hash.c @@ -608,6 +608,10 @@ int hmac_md5_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac, MD5, (byte*)keys[i], (word32)strlen(keys[i])); if (ret != 0) return -4014; @@ -674,6 +678,10 @@ int hmac_sha_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac, SHA, (byte*)keys[i], (word32)strlen(keys[i])); if (ret != 0) return -4017; @@ -743,6 +751,10 @@ int hmac_sha256_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac,SHA256, (byte*)keys[i], (word32)strlen(keys[i])); if (ret != 0) return -4020; @@ -816,6 +828,10 @@ int hmac_sha384_test(void) test_hmac[2] = c; for (i = 0; i < times; ++i) { +#if defined(HAVE_FIPS) + if (i == 1) + continue; /* fips not allowed */ +#endif ret = HmacSetKey(&hmac,SHA384, (byte*)keys[i], (word32)strlen(keys[i])); if (ret != 0) return -4023; From b3abbbb0ce4411bbe151844efbf901fd53791053 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 11 Jun 2014 11:50:14 -0700 Subject: [PATCH 5/6] make more room for wolfCrypt error range --- cyassl/ctaocrypt/error-crypt.h | 2 +- cyassl/error-ssl.h | 174 ++++++++++++++++----------------- 2 files changed, 88 insertions(+), 88 deletions(-) diff --git a/cyassl/ctaocrypt/error-crypt.h b/cyassl/ctaocrypt/error-crypt.h index ced5a4748..d2c8266c7 100644 --- a/cyassl/ctaocrypt/error-crypt.h +++ b/cyassl/ctaocrypt/error-crypt.h @@ -127,7 +127,7 @@ enum { RNG_FAILURE_E = -199, /* RNG Failed, Reinitialize */ - MIN_CODE_E = -200 /* errors -101 - -199 */ + MIN_CODE_E = -300 /* errors -101 - -299 */ }; diff --git a/cyassl/error-ssl.h b/cyassl/error-ssl.h index 1cfb2cca3..71778ec15 100644 --- a/cyassl/error-ssl.h +++ b/cyassl/error-ssl.h @@ -30,99 +30,99 @@ #endif enum CyaSSL_ErrorCodes { - INPUT_CASE_ERROR = -201, /* process input state error */ - PREFIX_ERROR = -202, /* bad index to key rounds */ - MEMORY_ERROR = -203, /* out of memory */ - VERIFY_FINISHED_ERROR = -204, /* verify problem on finished */ - VERIFY_MAC_ERROR = -205, /* verify mac problem */ - PARSE_ERROR = -206, /* parse error on header */ - UNKNOWN_HANDSHAKE_TYPE = -207, /* weird handshake type */ - SOCKET_ERROR_E = -208, /* error state on socket */ - SOCKET_NODATA = -209, /* expected data, not there */ - INCOMPLETE_DATA = -210, /* don't have enough data to + INPUT_CASE_ERROR = -301, /* process input state error */ + PREFIX_ERROR = -302, /* bad index to key rounds */ + MEMORY_ERROR = -303, /* out of memory */ + VERIFY_FINISHED_ERROR = -304, /* verify problem on finished */ + VERIFY_MAC_ERROR = -305, /* verify mac problem */ + PARSE_ERROR = -306, /* parse error on header */ + UNKNOWN_HANDSHAKE_TYPE = -307, /* weird handshake type */ + SOCKET_ERROR_E = -308, /* error state on socket */ + SOCKET_NODATA = -309, /* expected data, not there */ + INCOMPLETE_DATA = -310, /* don't have enough data to complete task */ - UNKNOWN_RECORD_TYPE = -211, /* unknown type in record hdr */ - DECRYPT_ERROR = -212, /* error during decryption */ - FATAL_ERROR = -213, /* recvd alert fatal error */ - ENCRYPT_ERROR = -214, /* error during encryption */ - FREAD_ERROR = -215, /* fread problem */ - NO_PEER_KEY = -216, /* need peer's key */ - NO_PRIVATE_KEY = -217, /* need the private key */ - RSA_PRIVATE_ERROR = -218, /* error during rsa priv op */ - NO_DH_PARAMS = -219, /* server missing DH params */ - BUILD_MSG_ERROR = -220, /* build message failure */ + UNKNOWN_RECORD_TYPE = -311, /* unknown type in record hdr */ + DECRYPT_ERROR = -312, /* error during decryption */ + FATAL_ERROR = -313, /* recvd alert fatal error */ + ENCRYPT_ERROR = -314, /* error during encryption */ + FREAD_ERROR = -315, /* fread problem */ + NO_PEER_KEY = -316, /* need peer's key */ + NO_PRIVATE_KEY = -317, /* need the private key */ + RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */ + NO_DH_PARAMS = -319, /* server missing DH params */ + BUILD_MSG_ERROR = -320, /* build message failure */ - BAD_HELLO = -221, /* client hello malformed */ - DOMAIN_NAME_MISMATCH = -222, /* peer subject name mismatch */ - WANT_READ = -223, /* want read, call again */ - NOT_READY_ERROR = -224, /* handshake layer not ready */ - PMS_VERSION_ERROR = -225, /* pre m secret version error */ - VERSION_ERROR = -226, /* record layer version error */ - WANT_WRITE = -227, /* want write, call again */ - BUFFER_ERROR = -228, /* malformed buffer input */ - VERIFY_CERT_ERROR = -229, /* verify cert error */ - VERIFY_SIGN_ERROR = -230, /* verify sign error */ - CLIENT_ID_ERROR = -231, /* psk client identity error */ - SERVER_HINT_ERROR = -232, /* psk server hint error */ - PSK_KEY_ERROR = -233, /* psk key error */ - ZLIB_INIT_ERROR = -234, /* zlib init error */ - ZLIB_COMPRESS_ERROR = -235, /* zlib compression error */ - ZLIB_DECOMPRESS_ERROR = -236, /* zlib decompression error */ + BAD_HELLO = -321, /* client hello malformed */ + DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ + WANT_READ = -323, /* want read, call again */ + NOT_READY_ERROR = -324, /* handshake layer not ready */ + PMS_VERSION_ERROR = -325, /* pre m secret version error */ + VERSION_ERROR = -326, /* record layer version error */ + WANT_WRITE = -327, /* want write, call again */ + BUFFER_ERROR = -328, /* malformed buffer input */ + VERIFY_CERT_ERROR = -329, /* verify cert error */ + VERIFY_SIGN_ERROR = -330, /* verify sign error */ + CLIENT_ID_ERROR = -331, /* psk client identity error */ + SERVER_HINT_ERROR = -332, /* psk server hint error */ + PSK_KEY_ERROR = -333, /* psk key error */ + ZLIB_INIT_ERROR = -334, /* zlib init error */ + ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */ + ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */ - GETTIME_ERROR = -237, /* gettimeofday failed ??? */ - GETITIMER_ERROR = -238, /* getitimer failed ??? */ - SIGACT_ERROR = -239, /* sigaction failed ??? */ - SETITIMER_ERROR = -240, /* setitimer failed ??? */ - LENGTH_ERROR = -241, /* record layer length error */ - PEER_KEY_ERROR = -242, /* can't decode peer key */ - ZERO_RETURN = -243, /* peer sent close notify */ - SIDE_ERROR = -244, /* wrong client/server type */ - NO_PEER_CERT = -245, /* peer didn't send key */ - NTRU_KEY_ERROR = -246, /* NTRU key error */ - NTRU_DRBG_ERROR = -247, /* NTRU drbg error */ - NTRU_ENCRYPT_ERROR = -248, /* NTRU encrypt error */ - NTRU_DECRYPT_ERROR = -249, /* NTRU decrypt error */ - ECC_CURVETYPE_ERROR = -250, /* Bad ECC Curve Type */ - ECC_CURVE_ERROR = -251, /* Bad ECC Curve */ - ECC_PEERKEY_ERROR = -252, /* Bad Peer ECC Key */ - ECC_MAKEKEY_ERROR = -253, /* Bad Make ECC Key */ - ECC_EXPORT_ERROR = -254, /* Bad ECC Export Key */ - ECC_SHARED_ERROR = -255, /* Bad ECC Shared Secret */ - NOT_CA_ERROR = -257, /* Not a CA cert error */ - BAD_PATH_ERROR = -258, /* Bad path for opendir */ - BAD_CERT_MANAGER_ERROR = -259, /* Bad Cert Manager */ - OCSP_CERT_REVOKED = -260, /* OCSP Certificate revoked */ - CRL_CERT_REVOKED = -261, /* CRL Certificate revoked */ - CRL_MISSING = -262, /* CRL Not loaded */ - MONITOR_RUNNING_E = -263, /* CRL Monitor already running */ - THREAD_CREATE_E = -264, /* Thread Create Error */ - OCSP_NEED_URL = -265, /* OCSP need an URL for lookup */ - OCSP_CERT_UNKNOWN = -266, /* OCSP responder doesn't know */ - OCSP_LOOKUP_FAIL = -267, /* OCSP lookup not successful */ - MAX_CHAIN_ERROR = -268, /* max chain depth exceeded */ - COOKIE_ERROR = -269, /* dtls cookie error */ - SEQUENCE_ERROR = -270, /* dtls sequence error */ - SUITES_ERROR = -271, /* suites pointer error */ - SSL_NO_PEM_HEADER = -272, /* no PEM header found */ - OUT_OF_ORDER_E = -273, /* out of order message */ - BAD_KEA_TYPE_E = -274, /* bad KEA type found */ - SANITY_CIPHER_E = -275, /* sanity check on cipher error */ - RECV_OVERFLOW_E = -276, /* RXCB returned more than rqed */ - GEN_COOKIE_E = -277, /* Generate Cookie Error */ - NO_PEER_VERIFY = -278, /* Need peer cert verify Error */ - FWRITE_ERROR = -279, /* fwrite problem */ - CACHE_MATCH_ERROR = -280, /* chache hdr match error */ - UNKNOWN_SNI_HOST_NAME_E = -281, /* Unrecognized host name Error */ - UNKNOWN_MAX_FRAG_LEN_E = -282, /* Unrecognized max frag len Error */ - KEYUSE_SIGNATURE_E = -283, /* KeyUse digSignature error */ - KEYUSE_ENCIPHER_E = -285, /* KeyUse keyEncipher error */ - EXTKEYUSE_AUTH_E = -286, /* ExtKeyUse server|client_auth */ - SEND_OOB_READ_E = -287, /* Send Cb out of bounds read */ + GETTIME_ERROR = -337, /* gettimeofday failed ??? */ + GETITIMER_ERROR = -338, /* getitimer failed ??? */ + SIGACT_ERROR = -339, /* sigaction failed ??? */ + SETITIMER_ERROR = -340, /* setitimer failed ??? */ + LENGTH_ERROR = -341, /* record layer length error */ + PEER_KEY_ERROR = -342, /* can't decode peer key */ + ZERO_RETURN = -343, /* peer sent close notify */ + SIDE_ERROR = -344, /* wrong client/server type */ + NO_PEER_CERT = -345, /* peer didn't send key */ + NTRU_KEY_ERROR = -346, /* NTRU key error */ + NTRU_DRBG_ERROR = -347, /* NTRU drbg error */ + NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */ + NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */ + ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */ + ECC_CURVE_ERROR = -351, /* Bad ECC Curve */ + ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */ + ECC_MAKEKEY_ERROR = -353, /* Bad Make ECC Key */ + ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */ + ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */ + NOT_CA_ERROR = -357, /* Not a CA cert error */ + BAD_PATH_ERROR = -358, /* Bad path for opendir */ + BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */ + OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */ + CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */ + CRL_MISSING = -362, /* CRL Not loaded */ + MONITOR_RUNNING_E = -363, /* CRL Monitor already running */ + THREAD_CREATE_E = -364, /* Thread Create Error */ + OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */ + OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */ + OCSP_LOOKUP_FAIL = -367, /* OCSP lookup not successful */ + MAX_CHAIN_ERROR = -368, /* max chain depth exceeded */ + COOKIE_ERROR = -369, /* dtls cookie error */ + SEQUENCE_ERROR = -370, /* dtls sequence error */ + SUITES_ERROR = -371, /* suites pointer error */ + SSL_NO_PEM_HEADER = -372, /* no PEM header found */ + OUT_OF_ORDER_E = -373, /* out of order message */ + BAD_KEA_TYPE_E = -374, /* bad KEA type found */ + SANITY_CIPHER_E = -375, /* sanity check on cipher error */ + RECV_OVERFLOW_E = -376, /* RXCB returned more than rqed */ + GEN_COOKIE_E = -377, /* Generate Cookie Error */ + NO_PEER_VERIFY = -378, /* Need peer cert verify Error */ + FWRITE_ERROR = -379, /* fwrite problem */ + CACHE_MATCH_ERROR = -380, /* chache hdr match error */ + UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */ + UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */ + KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */ + KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */ + EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */ + SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */ /* add strings to SetErrorString !!!!! */ /* begin negotiation parameter errors */ - UNSUPPORTED_SUITE = -290, /* unsupported cipher suite */ - MATCH_SUITE_ERROR = -291 /* can't match cipher suite */ + UNSUPPORTED_SUITE = -390, /* unsupported cipher suite */ + MATCH_SUITE_ERROR = -391 /* can't match cipher suite */ /* end negotiation parameter errors only 10 for now */ /* add strings to SetErrorString !!!!! */ }; From ddf5924b3b3dfbb7aa709ec16d198ba46dcabee4 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 11 Jun 2014 11:56:17 -0700 Subject: [PATCH 6/6] add error code for hmac min key len in new error range --- ctaocrypt/src/error.c | 3 +++ ctaocrypt/src/hmac.c | 2 +- cyassl/ctaocrypt/error-crypt.h | 4 +++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ctaocrypt/src/error.c b/ctaocrypt/src/error.c index ce9d1d046..00bfe309b 100644 --- a/ctaocrypt/src/error.c +++ b/ctaocrypt/src/error.c @@ -277,6 +277,9 @@ const char* CTaoCryptGetErrorString(int error) case RNG_FAILURE_E: return "Random Number Generator failed"; + case HMAC_MIN_KEYLEN_E: + return "FIPS Mode HMAC Minimum Key Length error"; + default: return "unknown error number"; diff --git a/ctaocrypt/src/hmac.c b/ctaocrypt/src/hmac.c index cadbd18fc..c5362db55 100644 --- a/ctaocrypt/src/hmac.c +++ b/ctaocrypt/src/hmac.c @@ -133,7 +133,7 @@ int HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) #ifdef HAVE_FIPS if (length < HMAC_FIPS_MIN_KEY) - return -1; /* TODO: next, fix wolfCrypt error range */ + return HMAC_MIN_KEYLEN_E; #endif switch (hmac->macType) { diff --git a/cyassl/ctaocrypt/error-crypt.h b/cyassl/ctaocrypt/error-crypt.h index d2c8266c7..c75d37ceb 100644 --- a/cyassl/ctaocrypt/error-crypt.h +++ b/cyassl/ctaocrypt/error-crypt.h @@ -33,7 +33,7 @@ /* error codes */ enum { - MAX_CODE_E = -100, /* errors -101 - -199 */ + MAX_CODE_E = -100, /* errors -101 - -299 */ OPEN_RAN_E = -101, /* opening random device error */ READ_RAN_E = -102, /* reading random device error */ WINCRYPT_E = -103, /* windows crypt init error */ @@ -127,6 +127,8 @@ enum { RNG_FAILURE_E = -199, /* RNG Failed, Reinitialize */ + HMAC_MIN_KEYLEN_E = -200, /* FIPS Mode HMAC Minimum Key Length error */ + MIN_CODE_E = -300 /* errors -101 - -299 */ };