From 4ec07bb5a83aaf4e6d4fe34454ac3c090e8b1342 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Tue, 9 Jul 2024 12:00:34 -0700 Subject: [PATCH 1/3] Changes needed for default TLS support in zephyr kernel --- src/internal.c | 2 +- src/ssl.c | 28 ++++++++++++++ tests/api.c | 72 +++++++++++++++++++++++++++--------- wolfcrypt/src/memory.c | 3 ++ wolfcrypt/src/wc_port.c | 23 ++++++++++++ wolfssl/ssl.h | 1 + wolfssl/wolfcrypt/settings.h | 1 + zephyr/CMakeLists.txt | 1 + zephyr/Kconfig | 23 ++++++++++++ zephyr/user_settings.h | 29 ++++++++++++++- 10 files changed, 163 insertions(+), 20 deletions(-) diff --git a/src/internal.c b/src/internal.c index 6bbd38fa8c..9ed04b4797 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9892,7 +9892,7 @@ ProtocolVersion MakeDTLSv1_3(void) word32 LowResTimer(void) { int64_t t; - #if defined(CONFIG_ARCH_POSIX) + #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX) k_cpu_idle(); #endif t = k_uptime_get(); /* returns current uptime in milliseconds */ diff --git a/src/ssl.c b/src/ssl.c index 9ba891d629..4667f71b9e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1641,6 +1641,34 @@ int wolfSSL_get_ciphers(char* buf, int len) return WOLFSSL_SUCCESS; } +#ifdef WOLFSSL_GET_CIPHER_BYTES +int wolfSSL_get_cipher_list_bytes(byte* buf, int *len) +{ + const CipherSuiteInfo* ciphers = GetCipherNames(); + int ciphersSz = GetCipherNamesSize(); + int i; + + if (len == NULL) + return BAD_FUNC_ARG; + + /* For NULL input buffer and non-NULL len, set len */ + if (buf == NULL) { + *len = (ciphersSz * 2); + return WOLFSSL_SUCCESS; + } + + if (*len < (ciphersSz * 2)) + return BUFFER_E; + + /* Add each member to the buffer */ + for (i = 0; i < ciphersSz; i++) { + *buf++ = ciphers->cipherSuite0; + *buf++ = ciphers->cipherSuite; + } + + return WOLFSSL_SUCCESS; +} +#endif #ifndef NO_ERROR_STRINGS /* places a list of all supported cipher suites in TLS_* format into "buf" diff --git a/tests/api.c b/tests/api.c index 2e23ea1fb1..1ee219d9b7 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1546,24 +1546,24 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void) const byte cipherList[] = { - /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ 0xC0, 0x16, - /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */ 0xC0, 0x39, - /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */ 0xC0, 0x33, - /* TLS_DH_anon_WITH_AES_128_CBC_SHA */ 0xC0, 0x34, - /* TLS_RSA_WITH_AES_256_CBC_SHA */ 0xC0, 0x35, - /* TLS_RSA_WITH_AES_128_CBC_SHA */ 0xC0, 0x2F, - /* TLS_RSA_WITH_NULL_MD5 */ 0xC0, 0x01, - /* TLS_RSA_WITH_NULL_SHA */ 0xC0, 0x02, - /* TLS_PSK_WITH_AES_256_CBC_SHA */ 0xC0, 0x8d, - /* TLS_PSK_WITH_AES_128_CBC_SHA256 */ 0xC0, 0xae, - /* TLS_PSK_WITH_AES_256_CBC_SHA384 */ 0xC0, 0xaf, - /* TLS_PSK_WITH_AES_128_CBC_SHA */ 0xC0, 0x8c, - /* TLS_PSK_WITH_NULL_SHA256 */ 0xC0, 0xb0, - /* TLS_PSK_WITH_NULL_SHA384 */ 0xC0, 0xb1, - /* TLS_PSK_WITH_NULL_SHA */ 0xC0, 0x2c, - /* SSL_RSA_WITH_RC4_128_SHA */ 0xC0, 0x05, - /* SSL_RSA_WITH_RC4_128_MD5 */ 0xC0, 0x04, - /* SSL_RSA_WITH_3DES_EDE_CBC_SHA */ 0xC0, 0x0A, + /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ 0x00, 0x16, + /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */ 0x00, 0x39, + /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */ 0x00, 0x33, + /* TLS_DH_anon_WITH_AES_128_CBC_SHA */ 0x00, 0x34, + /* TLS_RSA_WITH_AES_256_CBC_SHA */ 0x00, 0x35, + /* TLS_RSA_WITH_AES_128_CBC_SHA */ 0x00, 0x2F, + /* TLS_RSA_WITH_NULL_MD5 */ 0x00, 0x01, + /* TLS_RSA_WITH_NULL_SHA */ 0x00, 0x02, + /* TLS_PSK_WITH_AES_256_CBC_SHA */ 0x00, 0x8d, + /* TLS_PSK_WITH_AES_128_CBC_SHA256 */ 0x00, 0xae, + /* TLS_PSK_WITH_AES_256_CBC_SHA384 */ 0x00, 0xaf, + /* TLS_PSK_WITH_AES_128_CBC_SHA */ 0x00, 0x8c, + /* TLS_PSK_WITH_NULL_SHA256 */ 0x00, 0xb0, + /* TLS_PSK_WITH_NULL_SHA384 */ 0x00, 0xb1, + /* TLS_PSK_WITH_NULL_SHA */ 0x00, 0x2c, + /* SSL_RSA_WITH_RC4_128_SHA */ 0x00, 0x05, + /* SSL_RSA_WITH_RC4_128_MD5 */ 0x00, 0x04, + /* SSL_RSA_WITH_3DES_EDE_CBC_SHA */ 0x00, 0x0A, /* ECC suites, first byte is 0xC0 (ECC_BYTE) */ /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */ 0xC0, 0x14, @@ -1730,6 +1730,41 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void) return EXPECT_RESULT(); } +static int test_wolfSSL_get_cipher_list_bytes(void) +{ + EXPECT_DECLS; +#if (defined(WOLFSSL_GET_CIPHER_BYTES)&& \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))) + WOLFSSL_CTX* ctx = NULL; + byte *getCipherList = NULL; + word32 cipherListLen = 0; + +#ifndef NO_WOLFSSL_SERVER + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#endif + + ExpectTrue(wolfSSL_get_cipher_list_bytes(NULL, (int *)(&cipherListLen))); + ExpectIntGT((int)cipherListLen, 0); + ExpectNotNull(getCipherList = + (byte *)XMALLOC(cipherListLen, NULL, DYNAMIC_TYPE_TMP_BUFFER)); + ExpectTrue(wolfSSL_get_cipher_list_bytes( + getCipherList, (int *)(&cipherListLen))); + + /* Intentionally minimal verification here. Only way to verify would + * be a comprehensive list of all possible ciphersuites, which would + * break and need to be updated for every addition to the list. That + * is a lot of maintinence overhead for this little used function so + * call this good enough. */ + + XFREE(getCipherList, NULL, DYNAMIC_TYPE_TMP_BUFFER); + wolfSSL_CTX_free(ctx); +#endif /* (WOLFSSL_GET_CIPHER_BYTES && (!NO_WOLFSSL_CLIENT \ + * || !NO_WOLFSSL_SERVER) */ + + return EXPECT_RESULT(); +} static int test_wolfSSL_CTX_use_certificate_file(void) { @@ -83801,6 +83836,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_SSL_CIPHER_get_xxx), TEST_DECL(test_wolfSSL_ERR_strings), TEST_DECL(test_wolfSSL_CTX_set_cipher_list_bytes), + TEST_DECL(test_wolfSSL_get_cipher_list_bytes), TEST_DECL(test_wolfSSL_CTX_use_certificate_file), TEST_DECL(test_wolfSSL_CTX_use_certificate_buffer), TEST_DECL(test_wolfSSL_CTX_use_PrivateKey_file), diff --git a/wolfcrypt/src/memory.c b/wolfcrypt/src/memory.c index d9958a9e3a..588fdda487 100644 --- a/wolfcrypt/src/memory.c +++ b/wolfcrypt/src/memory.c @@ -1207,6 +1207,9 @@ void wolfSSL_Free(void *ptr, void* heap, int type) #else free(ptr); #endif + #ifdef WOLFSSL_DEBUG_MEMORY + fprintf(stderr, "Free: %p at %s:%d\n", ptr, func, line); + #endif #else WOLFSSL_MSG("Error trying to call free when turned off"); #endif /* WOLFSSL_NO_MALLOC */ diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 32ffb9ea36..4a435ad6bf 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -132,6 +132,13 @@ #include #endif +#if defined(WOLFSSL_ZEPHYR) +#if defined(CONFIG_BOARD_NATIVE_POSIX) +#include "native_rtc.h" +#define CONFIG_RTC +#endif +#endif + /* prevent multiple mutex initializations */ static volatile int initRefCount = 0; @@ -3173,6 +3180,21 @@ time_t z_time(time_t * timer) #if defined(CONFIG_RTC) && \ (defined(CONFIG_PICOLIBC) || defined(CONFIG_NEWLIB_LIBC)) + + #if defined(CONFIG_BOARD_NATIVE_POSIX) + + /* When using native sim, get time from simulator rtc */ + uint32_t nsec = 0; + uint64_t sec = 0; + native_rtc_gettime(RTC_CLOCK_PSEUDOHOSTREALTIME, &nsec, &sec); + + if (timer != NULL) + *timer = sec; + + return sec; + + #else + /* Try to obtain the actual time from an RTC */ static const struct device *rtc = DEVICE_DT_GET(DT_NODELABEL(rtc)); @@ -3191,6 +3213,7 @@ time_t z_time(time_t * timer) return epochTime; } } + #endif /* defined(CONFIG_BOARD_NATIVE_POSIX) */ #endif /* Fallback to uptime since boot. This works for relative times, but diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d1a88bd5df..51b90a706b 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1169,6 +1169,7 @@ WOLFSSL_API char* wolfSSL_get_cipher_list(int priority); WOLFSSL_API char* wolfSSL_get_cipher_list_ex(WOLFSSL* ssl, int priority); WOLFSSL_API int wolfSSL_get_ciphers(char* buf, int len); WOLFSSL_API int wolfSSL_get_ciphers_iana(char* buf, int len); +WOLFSSL_API int wolfSSL_get_cipher_list_bytes(byte* buf, int *len); WOLFSSL_API const char* wolfSSL_get_cipher_name(WOLFSSL* ssl); WOLFSSL_API const char* wolfSSL_get_cipher_name_from_suite( unsigned char cipherSuite0, unsigned char cipherSuite); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index a4302c700f..ab1f664447 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2112,6 +2112,7 @@ extern void uITRON4_free(void *p) ; void *z_realloc(void *ptr, size_t size); #define realloc z_realloc + #define max MAX #if !defined(CONFIG_NET_SOCKETS_POSIX_NAMES) && !defined(CONFIG_POSIX_API) #define CONFIG_NET_SOCKETS_POSIX_NAMES diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt index cf64215ca1..ed5900aaec 100644 --- a/zephyr/CMakeLists.txt +++ b/zephyr/CMakeLists.txt @@ -22,6 +22,7 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/zephyr/zephyr_init.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/crl.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/dtls.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/dtls13.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/internal.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/keys.c) diff --git a/zephyr/Kconfig b/zephyr/Kconfig index 5c6fa73ef1..1bf1f25bd9 100644 --- a/zephyr/Kconfig +++ b/zephyr/Kconfig @@ -70,6 +70,29 @@ config WOLFCRYPT_FIPS Enables FIPS support in wolfCrypt. Requires the wolfSSL FIPS ready download that includes fips.c/fips_test.c. +config WOLFSSL_DTLS + bool "wolfSSL DTLS support" + help + Enable DTLS support + +config WOLFSSL_ALPN + bool "wolfSSL ALPN support" + help + Enable ALPN support + +config WOLFSSL_PSK + bool "wolfSSL PSK support" + help + Enable PSK support + +config WOLFSSL_MAX_FRAGMENT_LEN + int + default 3 + range 1 6 + help + Sets the maximum fragment length wolfSSL will use, values 1-6 correspond to enum values + WOLFSSL_MFL_* in ssl.h + config WOLFCRYPT_ARMASM bool "wolfCrypt ARM Assembly support" depends on WOLFSSL_BUILTIN diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h index 7876c0baf2..b96e6c9690 100644 --- a/zephyr/user_settings.h +++ b/zephyr/user_settings.h @@ -133,9 +133,33 @@ extern "C" { #define NO_SESSION_CACHE /* disable session resumption */ #endif +/* DTLS */ +#if defined(CONFIG_WOLFSSL_DTLS) + #define WOLFSSL_DTLS + #define HAVE_SOCKADDR +#endif + /* PSK */ -#define NO_PSK /* disable pre-shared-key support */ +#if defined(CONFIG_WOLFSSL_PSK) + #undef NO_PSK + #define WOLFSSL_STATIC_PSK +#else + #define NO_PSK /* disable pre-shared-key support */ +#endif + +/* ALPN */ +#if defined(CONFIG_WOLFSSL_ALPN) + #define HAVE_ALPN +#endif +#if defined(CONFIG_WOLFSSL_MAX_FRAGMENT_LEN) + #define HAVE_MAX_FRAGMENT +#endif + +#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) + #define WOLFSSL_SET_CIPHER_BYTES + #define WOLFSSL_GET_CIPHER_BYTES +#endif /* ------------------------------------------------------------------------- */ /* Algorithms */ @@ -143,6 +167,9 @@ extern "C" { /* RNG */ #ifndef WC_NO_HASHDRBG #define HAVE_HASHDRBG /* Use DRBG SHA2-256 and seed */ + #ifdef CONFIG_CSPRNG_ENABLED + #define WC_RNG_SEED_CB + #endif #endif /* ECC */ From 7b089f548e882583699f1d27b6779af9dfeb2b71 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Thu, 11 Jul 2024 14:39:44 -0700 Subject: [PATCH 2/3] Remove get cipher list bytes --- src/ssl.c | 29 ----------------------------- tests/api.c | 37 ------------------------------------- zephyr/user_settings.h | 1 - 3 files changed, 67 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 4667f71b9e..d1d7189520 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1641,35 +1641,6 @@ int wolfSSL_get_ciphers(char* buf, int len) return WOLFSSL_SUCCESS; } -#ifdef WOLFSSL_GET_CIPHER_BYTES -int wolfSSL_get_cipher_list_bytes(byte* buf, int *len) -{ - const CipherSuiteInfo* ciphers = GetCipherNames(); - int ciphersSz = GetCipherNamesSize(); - int i; - - if (len == NULL) - return BAD_FUNC_ARG; - - /* For NULL input buffer and non-NULL len, set len */ - if (buf == NULL) { - *len = (ciphersSz * 2); - return WOLFSSL_SUCCESS; - } - - if (*len < (ciphersSz * 2)) - return BUFFER_E; - - /* Add each member to the buffer */ - for (i = 0; i < ciphersSz; i++) { - *buf++ = ciphers->cipherSuite0; - *buf++ = ciphers->cipherSuite; - } - - return WOLFSSL_SUCCESS; -} -#endif - #ifndef NO_ERROR_STRINGS /* places a list of all supported cipher suites in TLS_* format into "buf" * return WOLFSSL_SUCCESS on success */ diff --git a/tests/api.c b/tests/api.c index 1ee219d9b7..700293ba6c 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1730,42 +1730,6 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void) return EXPECT_RESULT(); } -static int test_wolfSSL_get_cipher_list_bytes(void) -{ - EXPECT_DECLS; -#if (defined(WOLFSSL_GET_CIPHER_BYTES)&& \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))) - WOLFSSL_CTX* ctx = NULL; - byte *getCipherList = NULL; - word32 cipherListLen = 0; - -#ifndef NO_WOLFSSL_SERVER - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#endif - - ExpectTrue(wolfSSL_get_cipher_list_bytes(NULL, (int *)(&cipherListLen))); - ExpectIntGT((int)cipherListLen, 0); - ExpectNotNull(getCipherList = - (byte *)XMALLOC(cipherListLen, NULL, DYNAMIC_TYPE_TMP_BUFFER)); - ExpectTrue(wolfSSL_get_cipher_list_bytes( - getCipherList, (int *)(&cipherListLen))); - - /* Intentionally minimal verification here. Only way to verify would - * be a comprehensive list of all possible ciphersuites, which would - * break and need to be updated for every addition to the list. That - * is a lot of maintinence overhead for this little used function so - * call this good enough. */ - - XFREE(getCipherList, NULL, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_CTX_free(ctx); -#endif /* (WOLFSSL_GET_CIPHER_BYTES && (!NO_WOLFSSL_CLIENT \ - * || !NO_WOLFSSL_SERVER) */ - - return EXPECT_RESULT(); -} - static int test_wolfSSL_CTX_use_certificate_file(void) { EXPECT_DECLS; @@ -83836,7 +83800,6 @@ TEST_CASE testCases[] = { TEST_DECL(test_SSL_CIPHER_get_xxx), TEST_DECL(test_wolfSSL_ERR_strings), TEST_DECL(test_wolfSSL_CTX_set_cipher_list_bytes), - TEST_DECL(test_wolfSSL_get_cipher_list_bytes), TEST_DECL(test_wolfSSL_CTX_use_certificate_file), TEST_DECL(test_wolfSSL_CTX_use_certificate_buffer), TEST_DECL(test_wolfSSL_CTX_use_PrivateKey_file), diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h index b96e6c9690..68266da5f0 100644 --- a/zephyr/user_settings.h +++ b/zephyr/user_settings.h @@ -158,7 +158,6 @@ extern "C" { #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) #define WOLFSSL_SET_CIPHER_BYTES - #define WOLFSSL_GET_CIPHER_BYTES #endif /* ------------------------------------------------------------------------- */ From 978456e39de8886bd57751f4b7fd954b264386a0 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Thu, 11 Jul 2024 14:51:38 -0700 Subject: [PATCH 3/3] Remove get cipher bytes from header --- src/ssl.c | 1 + tests/api.c | 1 + wolfssl/ssl.h | 1 - 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index d1d7189520..9ba891d629 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1641,6 +1641,7 @@ int wolfSSL_get_ciphers(char* buf, int len) return WOLFSSL_SUCCESS; } + #ifndef NO_ERROR_STRINGS /* places a list of all supported cipher suites in TLS_* format into "buf" * return WOLFSSL_SUCCESS on success */ diff --git a/tests/api.c b/tests/api.c index 700293ba6c..4a896533ac 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1730,6 +1730,7 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void) return EXPECT_RESULT(); } + static int test_wolfSSL_CTX_use_certificate_file(void) { EXPECT_DECLS; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 51b90a706b..d1a88bd5df 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1169,7 +1169,6 @@ WOLFSSL_API char* wolfSSL_get_cipher_list(int priority); WOLFSSL_API char* wolfSSL_get_cipher_list_ex(WOLFSSL* ssl, int priority); WOLFSSL_API int wolfSSL_get_ciphers(char* buf, int len); WOLFSSL_API int wolfSSL_get_ciphers_iana(char* buf, int len); -WOLFSSL_API int wolfSSL_get_cipher_list_bytes(byte* buf, int *len); WOLFSSL_API const char* wolfSSL_get_cipher_name(WOLFSSL* ssl); WOLFSSL_API const char* wolfSSL_get_cipher_name_from_suite( unsigned char cipherSuite0, unsigned char cipherSuite);