Make various improvements, mostly around supporting OpenSSH.

- Add an --enable-openssh configure option. This will cause the RSA, DH, and ECC
code to all use the global RNG. This is necessary because OpenSSH's sshd
launches unprivileged processes to handle incoming ssh connections, and these
processes aren't allowed to open /dev/urandom to create new RNGs. Add a new
macro, WE_DH_USE_GLOBAL_RNG, to handle this in the DH code.
- Make some minor improvements to openssh-tests.sh.
- Clean up we_aes_ctr.c.
- Clean up we_aes_gcm.c.
- Fix some incorrect log lines (erroneous WE_LOG_CIPHER usage).
- Modify test_rsa.c to use RSA_MIN_SIZE and RSA_MAX_SIZE to determine what
constitutes an invalid key size. This makes the RSA key generations tests
work with wolfSSL installations configured with larger FP_MAX_BITS than the
default.

Author: haydenroche5

configure.ac

@@ -112,6 +112,18 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWE_ALIGNMENT_SAFETY"
 fi
 
+# Adds the necessary flags to support using wolfEngine with OpenSSH.
+AC_ARG_ENABLE([openssh],
+    [AS_HELP_STRING([--enable-openssh],[Support using wolfEngine with OpenSSH. (default: disabled).])],
+    [ ENABLED_OPENSSH=$enableval ],
+    [ ENABLED_OPENSSH=no ]
+    )
+
+if test "$ENABLED_OPENSSH" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWE_RSA_USE_GLOBAL_RNG -DWE_ECC_USE_GLOBAL_RNG -DWE_DH_USE_GLOBAL_RNG"
+fi
+
 # Single threaded
 AC_ARG_ENABLE([singlethreaded],
     [AS_HELP_STRING([--enable-singlethreaded],[Enable wolfEngine single threaded (default: disabled).])],
@@ -704,6 +716,7 @@ echo "   Features "
 echo "   * User settings:              $ENABLED_USERSETTINGS"
 echo "   * Dynamic engine:             $ENABLED_DYNAMIC_ENGINE"
 echo "   * Alignment safety:           $ENABLED_ALIGNMENT_SAFETY"
+echo "   * OpenSSH support:            $ENABLED_OPENSSH"
 echo "   * Digest:"
 echo "   *  - SHA-1:                   $ENABLED_SHA1"
 echo "   *  - SHA-224:                 $ENABLED_SHA224"

scripts/build-openssl-wolfengine.sh

@@ -326,16 +326,17 @@ build_wolfengine() {
     if [ -n "${OPENSSL_INSTALL}" ]; then
         ./configure $OPENSSL_CPPFLAGS $OPENSSL_LDFLAGS \
                     --with-openssl=$OPENSSL_INSTALL \
-                    --enable-debug >> $LOGFILE 2>&1
+                    --enable-debug \
+                    $WOLFENGINE_EXTRA_OPTS >> $LOGFILE 2>&1
     else
         # Tests have been patched to use debug logging - must enable debug.
         # User can set WOLFENGINE_EXTRA_LDFLAGS to provide extra LDFLAGS and
         # WOLFENGINE_EXTRA_CPPFLAGS to provide extra CPPFLAGS.
         ./configure LDFLAGS="-L$OPENSSL_SOURCE $WOLFENGINE_EXTRA_LDFLAGS" \
                     CPPFLAGS="$WOLFENGINE_EXTRA_CPPFLAGS" \
                     --with-openssl=$OPENSSL_SOURCE \
-                    $WOLFENGINE_EXTRA_OPTS \
-                    --enable-debug >> $LOGFILE 2>&1
+                    --enable-debug \
+                    $WOLFENGINE_EXTRA_OPTS >> $LOGFILE 2>&1
     fi
     if [ "$?" != 0 ]; then
         printf "failed\n"

scripts/openssh-tests.sh

@@ -7,16 +7,18 @@
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 WOLFENGINE_ROOT="${SCRIPT_DIR}/.."
 
-OPENSSL_INSTALL_DIR=${SCRIPT_DIR}/openssl
-OPENSSH_DIR=${SCRIPT_DIR}/openssh-portable
+if [ -z "${OPENSSL_INSTALL_DIR}" ]; then
+    OPENSSL_INSTALL_DIR=${SCRIPT_DIR}/openssl
+fi
+OPENSSH_DIR=${SCRIPT_DIR}/openssh
 
 source ${SCRIPT_DIR}/build-openssl-wolfengine.sh
 
 do_cleanup() {
     printf "Cleaning up.\n"
 
-    # Use the environment variable KEEP_OPENSSH to prevent OpenSSH directories
-    # from being deleted at the end of the run.
+    # Use the environment variable KEEP_OPENSSH to prevent OpenSSH and OpenSSL
+    # directories from being deleted at the end of the run.
     if [ -z "${KEEP_OPENSSH}" ]; then
         printf "\tDeleting OpenSSH directory.\n"
         rm -rf ${OPENSSH_DIR}
@@ -27,8 +29,8 @@ do_cleanup() {
 }
 
 do_failure() {
-    # Keep the logs around to help debug the failure.
-    KEEP_LOGS=1
+    # Keep the OpenSSH and OpenSSL directories around to help debug the failure.
+    KEEP_OPENSSH=1
     do_cleanup
     exit 1
 }
@@ -37,7 +39,7 @@ do_failure() {
 trap do_failure INT TERM
 
 download_openssh() {
-    printf "Setting up OpenSSH.\n"
+    printf "Downloading OpenSSH..."
     if [ -n "${OPENSSH_NO_DOWNLOAD}" -o -n "${OPENSSH_NO_BUILD}" ]; then
         return
     fi
@@ -46,8 +48,7 @@ download_openssh() {
 
     cd ${SCRIPT_DIR}
 
-    printf "\tDownloading..."
-    git clone https://github.com/openssh/openssh-portable.git >> $LOGFILE 2>&1
+    git clone https://github.com/openssh/openssh-portable.git $OPENSSH_DIR >> $LOGFILE 2>&1
     if [ $? != 0 ]; then
         printf "failed\n"
         do_failure
@@ -65,7 +66,7 @@ build_openssh() {
     cd ${OPENSSH_DIR}
 
     printf "Building OpenSSH.\n"
-    printf "\tAutoreconf..."
+    printf "\tRunning autoreconf..."
     autoreconf >> $LOGFILE 2>&1
     if [ $? != 0 ]; then
         printf "failed.\n"
@@ -98,81 +99,81 @@ test_openssh_separate() {
 
     printf "Running OpenSSH tests with wolfEngine\n"
     for T in connect \
-                proxy-connect \
-                connect-privsep \
-                connect-uri \
-                proto-version \
-                proto-mismatch \
-                exit-status \
-                envpass \
-                transfer \
-                banner \
-                rekey \
-                dhgex \
-                stderr-data \
-                stderr-after-eof \
-                broken-pipe \
-                try-ciphers \
-                yes-head \
-                login-timeout \
-                agent \
-                agent-getpeereid \
-                agent-timeout \
-                agent-ptrace \
-                agent-subprocess \
-                keyscan \
-                keygen-change \
-                keygen-convert \
-                keygen-moduli \
-                key-options \
-                scp \
-                scp-uri \
-                sftp \
-                sftp-chroot \
-                sftp-cmds \
-                sftp-badcmds \
-                sftp-batch \
-                sftp-glob \
-                sftp-perm \
-                sftp-uri \
-                reconfigure \
-                dynamic-forward \
-                forwarding \
-                multiplex \
-                reexec \
-                brokenkeys \
-                sshcfgparse \
-                cfgparse \
-                cfgmatch \
-                cfgmatchlisten \
-                percent \
-                addrmatch \
-                localcommand \
-                forcecommand \
-                portnum \
-                keytype \
-                kextype \
-                cert-hostkey \
-                cert-userkey \
-                host-expand \
-                keys-command \
-                forward-control \
-                integrity \
-                krl \
-                multipubkey \
-                limit-keytype \
-                hostkey-agent \
-                keygen-knownhosts \
-                hostkey-rotate \
-                principals-command \
-                cert-file \
-                cfginclude \
-                servcfginclude \
-                allow-deny-users \
-                authinfo \
-                sshsig \
-                keygen-comment \
-                knownhosts-command
+             proxy-connect \
+             agent \
+             connect-privsep \
+             connect-uri \
+             proto-version \
+             proto-mismatch \
+             exit-status \
+             envpass \
+             transfer \
+             banner \
+             rekey \
+             dhgex \
+             stderr-data \
+             stderr-after-eof \
+             broken-pipe \
+             try-ciphers \
+             yes-head \
+             login-timeout \
+             agent-getpeereid \
+             agent-timeout \
+             agent-ptrace \
+             agent-subprocess \
+             keyscan \
+             keygen-change \
+             keygen-convert \
+             keygen-moduli \
+             key-options \
+             scp \
+             scp-uri \
+             sftp \
+             sftp-chroot \
+             sftp-cmds \
+             sftp-badcmds \
+             sftp-batch \
+             sftp-glob \
+             sftp-perm \
+             sftp-uri \
+             reconfigure \
+             dynamic-forward \
+             forwarding \
+             multiplex \
+             reexec \
+             brokenkeys \
+             sshcfgparse \
+             cfgparse \
+             cfgmatch \
+             cfgmatchlisten \
+             percent \
+             addrmatch \
+             localcommand \
+             forcecommand \
+             portnum \
+             keytype \
+             kextype \
+             cert-hostkey \
+             cert-userkey \
+             host-expand \
+             keys-command \
+             forward-control \
+             integrity \
+             krl \
+             multipubkey \
+             limit-keytype \
+             hostkey-agent \
+             keygen-knownhosts \
+             hostkey-rotate \
+             principals-command \
+             cert-file \
+             cfginclude \
+             servcfginclude \
+             allow-deny-users \
+             authinfo \
+             sshsig \
+             keygen-comment \
+             knownhosts-command
     do
         printf "\t$T..."
         make t-exec LTESTS=$T >> $LOGFILE 2>&1
@@ -256,14 +257,17 @@ do
     OPENSSL_INSTALL=${OPENSSL_INSTALL_DIR}
     setup_openssl_install
 
-    WE_OPENSSL_CONF=${SCRIPT_DIR}/wolfengine.conf
-    WE_DEBUG=0
-
+    WOLFENGINE_EXTRA_OPTS="--enable-openssh"
     build_wolfengine
+
+    # We don't want to print debug messages as that will trigger false failures
+    # in the OpenSSH tests.
+    WE_DEBUG=0
+    WE_OPENSSL_CONF=${SCRIPT_DIR}/wolfengine.conf
     write_conf_file
 
     build_openssh
-    test_openssh
+    test_openssh_separate
 done
 
 

src/we_aes_block.c

@@ -34,8 +34,6 @@ typedef struct we_AesBlock
     unsigned char  lastBlock[AES_BLOCK_SIZE];
     /** Number of buffered bytes.  */
     unsigned int   over;
-    /** Flag to indicate whether wolfSSL AES object initialized. */
-    unsigned int   init:1;
     /** Flag to indicate whether we are doing encrypt (1) or decrpyt (0). */
     unsigned int   enc:1;
 } we_AesBlock;
@@ -86,25 +84,23 @@ static int we_aes_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
             WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesInit", rc);
             ret = 0;
         }
-        aes->init = (ret == 1);
+        if (ret == 1) {
+            WOLFENGINE_MSG(WE_LOG_CIPHER, "Setting AES key (%d bytes)",
+                           EVP_CIPHER_CTX_key_length(ctx));
+            rc = wc_AesSetKey(&aes->aes, key, EVP_CIPHER_CTX_key_length(ctx),
+                              iv, enc ? AES_ENCRYPTION : AES_DECRYPTION);
+            if (rc != 0) {
+                WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesSetKey", rc);
+                ret = 0;
+            }
+        }
     }
 
     if (ret == 1) {
         /* Store whether encrypting. */
         aes->enc = enc;
     }
 
-    if ((ret == 1) && (key != NULL)) {
-        WOLFENGINE_MSG(WE_LOG_CIPHER, "Setting AES key (%d bytes)",
-                       EVP_CIPHER_CTX_key_length(ctx));
-        rc = wc_AesSetKey(&aes->aes, key, EVP_CIPHER_CTX_key_length(ctx), iv,
-                          enc ? AES_ENCRYPTION : AES_DECRYPTION);
-        if (rc != 0) {
-            WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesSetKey", rc);
-            ret = 0;
-        }
-    }
-
     WOLFENGINE_LEAVE(WE_LOG_CIPHER, "we_aes_cbc_init", ret);
 
     return ret;
@@ -440,9 +436,6 @@ static int we_aes_ecb_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
             WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesInit", rc);
             ret = 0;
         }
-        else {
-            aes->init = 1;
-        }
     }
 
     if (ret == 1) {

src/we_aes_ctr.c

@@ -52,7 +52,6 @@ static int we_aes_ctr_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     int ret = 1;
     int rc;
     we_AesCtr *aes;
-    const unsigned char *tmpIv;
 
     WOLFENGINE_ENTER(WE_LOG_CIPHER, "we_aes_ctr_init");
     WOLFENGINE_MSG_VERBOSE(WE_LOG_CIPHER, "ARGS [ctx = %p, key = %p, iv = %p, "
@@ -100,7 +99,7 @@ static int we_aes_ctr_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  * @param  in   [in]      Data to encrypt/decrypt.
  * @param  len  [in]      Length of data to encrypt/decrypt.
  * @return  -1 on failure.
- * @return  Number of bytes put in out on success.
+ * @return  1 on success.
  */
 static int we_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len)
@@ -125,7 +124,7 @@ static int we_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         rc = wc_AesSetIV(&aes->aes, EVP_CIPHER_CTX_iv_noconst(ctx));
         if (rc != 0) {
             WOLFENGINE_ERROR_FUNC(WE_LOG_CIPHER, "wc_AesSetIV", rc);
-            ret = 0;
+            ret = -1;
         }
     }
     if (ret == 1) {
@@ -207,7 +206,6 @@ EVP_CIPHER* we_aes192_ctr_ciph = NULL;
 /** AES256-CTR EVP cipher method. */
 EVP_CIPHER* we_aes256_ctr_ciph = NULL;
 
-
 /**
  * Initialize an AES-CTR method.
  *
@@ -315,4 +313,3 @@ int we_init_aesctr_meths()
 }
 
 #endif /* WE_HAVE_AESCTR */
-