AES CCM: tag length set to full length when unset (0)

SparkiDev · SparkiDev · commit c09d22813a1e · 2021-10-13T09:53:30.000+10:00
TLS 1.2 cipher suites working
diff --git a/configure.ac b/configure.ac
@@ -12,6 +12,7 @@ AC_CONFIG_HEADERS([include/config.h])
 AC_CONFIG_MACRO_DIR([m4])
 
 dnl m4_include([m4/ax_check_openssl.m4])
+dnl m4_include([m4/ax_check_wolfssl.m4])
 
 AM_INIT_AUTOMAKE([1.11  -Wall -Werror -Wno-portability foreign tar-ustar subdir-objects no-define color-tests])
 LT_INIT([disable-static pic-only])
@@ -41,6 +42,7 @@ AC_SUBST([WOLFENGINE_LIBRARY_VERSION])
 
 LIBS="$LIBS -ldl"
 
+# OpenSSL
 AC_CHECK_HEADERS([openssl/engine.h])
 
 AX_CHECK_OPENSSL(
@@ -54,6 +56,18 @@ if test "x$have_openssl" = "xyes"; then
     LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
 fi
 
+# wolfSSL
+AX_CHECK_WOLFSSL(
+    [have_wolfssl=yes],
+    AC_MSG_FAILURE([could not locate wolfSSL])
+)
+
+if test "x$have_wolfssl" = "xyes"; then
+    LIBS="$LIBS $WOLFSSL_LIBS"
+    CFLAGS="$CFLAGS $WOLFSSL_INCLUDES"
+    LDFLAGS="$LDFLAGS $WOLFSSL_LDFLAGS"
+fi
+
 # DEBUG
 DEBUG_CFLAGS="-g -O0 -DWOLFENGINE_DEBUG"
 AX_DEBUG
@@ -653,7 +667,7 @@ AX_HARDEN_CC_COMPILER_FLAGS
 
 OPTION_FLAGS="$CFLAGS $CPPFLAGS $AM_CFLAGS"
 
-LIBS="$LIBS -lwolfssl -ldl -lm"
+LIBS="$LIBS -ldl -lm"
 
 if test "$GCC" = "yes"
 then
diff --git a/m4/m4_ax_check_wolfssl.m4 b/m4/m4_ax_check_wolfssl.m4
@@ -0,0 +1,125 @@
+# SYNOPSIS
+#
+#   AX_CHECK_WOLFSSL([action-if-found[, action-if-not-found]])
+#
+# DESCRIPTION
+#
+#   Look for wolfSSL in a number of default spots, or in a user-selected
+#   spot (via --with-wolfssl).  Sets
+#
+#     WOLFSSL_INCLUDES to the include directives required
+#     WOLFSSL_LIBS to the -l directives required
+#     WOLFSSL_LDFLAGS to the -L or -R flags required
+#
+#   and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
+#
+#   This macro sets WOLFSSL_INCLUDES such that source files should use the
+#   wolfssl/ directory in include directives:
+#
+#     #include <wolfssl/wolfcrypt/hmac.h>
+#
+# LICENSE
+#
+#   Copyright (c) 2021 wolfSSL <http://www.wolfssl.com/>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 1
+
+AU_ALIAS([CHECK_SSL], [AX_CHECK_WOLFSSL])
+AC_DEFUN([AX_CHECK_WOLFSSL], [
+    found=false
+    AC_ARG_WITH([wolfssl],
+        [AS_HELP_STRING([--with-wolfssl=DIR],
+            [root of the wolfSSL directory])],
+        [
+            case "$withval" in
+            "" | y | ye | yes | n | no)
+            AC_MSG_ERROR([Invalid --with-wolfssl value])
+              ;;
+            *) wolfssldirs="$withval"
+              ;;
+            esac
+        ], [
+            # if pkg-config is installed and wolfssl has installed a .pc file,
+            # then use that information and don't search wolfssldirs
+            AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+            if test x"$PKG_CONFIG" != x""; then
+                WOLFSSL_LDFLAGS=`$PKG_CONFIG wolfssl --libs-only-L 2>/dev/null`
+                if test $? = 0; then
+                    WOLFSSL_LIBS=`$PKG_CONFIG wolfssl --libs-only-l 2>/dev/null`
+                    WOLFSSL_INCLUDES=`$PKG_CONFIG wolfssl --cflags-only-I 2>/dev/null`
+                    found=true
+                fi
+            fi
+
+            # no such luck; use some default wolfssldirs
+            if ! $found; then
+                wolfssldirs="/usr/local /usr/lib /usr"
+            fi
+        ]
+        )
+
+
+    # note that we #include <wolfssl/foo.h>, so the wolfSSL headers have to be
+    # in an 'wolfssl' subdirectory
+
+    if ! $found; then
+        WOLFSSL_INCLUDES=
+        for wolfssldir in $wolfssldirs; do
+            AC_MSG_CHECKING([for include/wolfssl/ssl.h in $wolfssldir])
+            if test -f "$wolfssldir/include/wolfssl/ssl.h"; then
+                WOLFSSL_INCLUDES="-I$wolfssldir/include"
+                WOLFSSL_LDFLAGS="-L$wolfssldir/lib"
+                WOLFSSL_LIBS="-lwolfssl"
+
+                WOLFSSL_VERSION=$(grep -oP "(?<=define LIBWOLFSSL_VERSION_HEX)\s+0x[[0-9a-fA-F]]+" $wolfssldir/include/wolfssl/version.h)
+                WOLFSSL_VERSION_DEC=$(printf "%d" $WOLFSSL_VERSION)
+
+                found=true
+                AC_MSG_RESULT([yes])
+                break
+            else
+                AC_MSG_RESULT([no])
+            fi
+        done
+
+        # if the file wasn't found, well, go ahead and try the link anyway --
+        # maybe it will just work!
+    fi
+
+    # try the preprocessor and linker with our new flags,
+    # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
+
+    AC_MSG_CHECKING([whether compiling and linking against wolfSSL works])
+    echo "Trying link with WOLFSSL_LDFLAGS=$WOLFSSL_LDFLAGS;" \
+        "WOLFSSL_LIBS=$WOLFSSL_LIBS; WOLFSSL_INCLUDES=$WOLFSSL_INCLUDES" >&AS_MESSAGE_LOG_FD
+
+    save_LIBS="$LIBS"
+    save_LDFLAGS="$LDFLAGS"
+    save_CPPFLAGS="$CPPFLAGS"
+    LDFLAGS="$LDFLAGS $WOLFSSL_LDFLAGS"
+    LIBS="$WOLFSSL_LIBS $LIBS"
+    CPPFLAGS="$WOLFSSL_INCLUDES $CPPFLAGS"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM([
+#include <wolfssl/options.h>
+#include <wolfssl/ssl.h>], [wolfSSL_new(NULL)])],
+        [
+            AC_MSG_RESULT([yes])
+            $1
+        ], [
+            AC_MSG_RESULT([no])
+            $2
+        ])
+    CPPFLAGS="$save_CPPFLAGS"
+    LDFLAGS="$save_LDFLAGS"
+    LIBS="$save_LIBS"
+
+    AC_SUBST([WOLFSSL_INCLUDES])
+    AC_SUBST([WOLFSSL_LIBS])
+    AC_SUBST([WOLFSSL_LDFLAGS])
+])
diff --git a/scripts/we-cs-test.sh b/scripts/we-cs-test.sh
@@ -42,9 +42,13 @@ do_trap() {
 
 trap do_trap INT TERM
 
+TLS13_ALL_CIPHERS="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256"
+
 TLS13_CIPHERS=(
     TLS_AES_256_GCM_SHA384
     TLS_AES_128_GCM_SHA256
+    TLS_AES_128_CCM_SHA256
+    TLS_AES_128_CCM_8_SHA256
 )
 TLS12_CIPHERS=(
     ECDHE-ECDSA-AES256-GCM-SHA384
@@ -53,6 +57,14 @@ TLS12_CIPHERS=(
     ECDHE-ECDSA-AES128-GCM-SHA256
     ECDHE-RSA-AES128-GCM-SHA256
     DHE-RSA-AES128-GCM-SHA256
+    ECDHE-ECDSA-AES256-CCM8
+    ECDHE-ECDSA-AES256-CCM
+    DHE-RSA-AES256-CCM8
+    DHE-RSA-AES256-CCM
+    ECDHE-ECDSA-AES128-CCM8
+    ECDHE-ECDSA-AES128-CCM
+    DHE-RSA-AES128-CCM8
+    DHE-RSA-AES128-CCM
     ECDHE-ECDSA-AES256-SHA384
     ECDHE-RSA-AES256-SHA384
     DHE-RSA-AES256-SHA256
@@ -67,6 +79,10 @@ TLS12_CIPHERS=(
     DHE-RSA-AES128-SHA
     AES256-GCM-SHA384
     AES128-GCM-SHA256
+    AES256-CCM8
+    AES256-CCM
+    AES128-CCM8
+    AES128-CCM
     AES256-SHA256
     AES128-SHA256
     AES256-SHA
@@ -269,22 +285,32 @@ check_log() {
     # Check wolfEngine's cipher code was used.
     grep we_aes_gcm_cipher $TMP_LOG >/dev/null 2>&1
     GCM_GREP=$?
+    grep we_aes_ccm_cipher $TMP_LOG >/dev/null 2>&1
+    CCM_GREP=$?
     grep we_aes_cbc_cipher $TMP_LOG >/dev/null 2>&1
     CBC_GREP=$?
     grep we_des3_cbc_cipher $TMP_LOG >/dev/null 2>&1
     DES3CBC_GREP=$?
-    if [ $GCM_GREP != 0 -a $CBC_GREP != 0 -a $DES3CBC_GREP != 0 ]; then
-        printf "\t\tCipher not wolfEngine...failed\n"
-        FAIL=$((FAIL+1))
-    fi
+    CIPHER_WOLFENGINE=0
     if [ $GCM_GREP = 0 ]; then
         WE_ALGS="$WE_ALGS AES-GCM"
+        CIPHER_WOLFENGINE=1
+    fi
+    if [ $CCM_GREP = 0 ]; then
+        WE_ALGS="$WE_ALGS AES-CCM"
+        CIPHER_WOLFENGINE=1
     fi
     if [ $CBC_GREP = 0 ]; then
         WE_ALGS="$WE_ALGS AES-CBC"
+        CIPHER_WOLFENGINE=1
     fi
     if [ $DES3CBC_GREP = 0 ]; then
         WE_ALGS="$WE_ALGS DES3-CBC"
+        CIPHER_WOLFENGINE=1
+    fi
+    if [ "$CIPHER_WOLFENGINE" = "0" ]; then
+        printf "\t\tCipher not wolfEngine...failed\n"
+        FAIL=$((FAIL+1))
     fi
 
     printf "$WE_ALGS\n"
@@ -297,7 +323,7 @@ start_openssl_server() {
     ($OPENSSL_DIR/apps/openssl s_server -www \
          -cert $CERT_DIR/server-cert.pem -key $CERT_DIR/server-key.pem \
          -dcert $CERT_DIR/server-ecc.pem -dkey $CERT_DIR/ecc-key.pem \
-         -accept $OPENSSL_PORT \
+         -accept $OPENSSL_PORT $OPENSSL_ALL_CIPHERS \
          >$LOG_SERVER 2>&1
     ) &
     OPENSSL_SERVER_PID=$!
@@ -318,10 +344,10 @@ start_we_openssl_server() {
 
     (OPENSSL_CONF=engine.conf \
      $OPENSSL_DIR/apps/openssl s_server -www \
-         -engine wolfSSL \
+         -engine $WOLFENGINE_NAME \
          -cert $CERT_DIR/server-cert.pem -key $CERT_DIR/server-key.pem \
          -dcert $CERT_DIR/server-ecc.pem -dkey $CERT_DIR/ecc-key.pem \
-         -accept $WE_OPENSSL_PORT \
+         -accept $WE_OPENSSL_PORT $OPENSSL_ALL_CIPHERS \
          >$LOG_WE_SERVER 2>&1
     ) &
     WE_OPENSSL_SERVER_PID=$!
@@ -344,7 +370,7 @@ do_we_client() {
          OPENSSL_CONF=engine.conf \
          LD_LIBRARY_PATH="./.libs:$LD_LIBRARY_PATH" \
          $OPENSSL_DIR/apps/openssl s_client \
-             -engine wolfSSL \
+             -engine $WOLFENGINE_NAME \
              -cipher $CIPHER $TLS_VERSION \
              -curves $CURVES \
              -connect localhost:$OPENSSL_PORT \
@@ -355,7 +381,7 @@ do_we_client() {
          OPENSSL_CONF=engine.conf \
          LD_LIBRARY_PATH="./.libs:$LD_LIBRARY_PATH" \
          $OPENSSL_DIR/apps/openssl s_client \
-             -engine wolfSSL \
+             -engine $WOLFENGINE_NAME \
              -ciphersuites $CIPHER $TLS_VERSION \
              -curves $CURVES \
              -connect localhost:$OPENSSL_PORT \
@@ -504,7 +530,7 @@ do_configure() {
         printf "Setting up wolfEngine\n"
         printf "\tConfigure ... "
         ./configure LDFLAGS="-L$OPENSSL_DIR" --with-openssl=$OPENSSL_DIR \
-            --enable-debug &>$LOG_FILE
+           $WITH_WOLFSSL --enable-debug &>$LOG_FILE
         if [ "$?" = "0" ]; then
             printf "done\n"
         else
@@ -668,6 +694,16 @@ else
     VERSIONS="1.0.2 1.1.1"
 fi
 
+if [ "$WOLFSSL_DIR" != "" ]; then
+    WITH_WOLFSSL="--with-wolfssl=$WOLFSSL_DIR"
+    if [ -d "$WOLFSSL_DIR/lib" ]; then
+        WOLFSSL_LIBDIR=":$WOLFSSL_DIR/lib"
+    else
+        WOLFSSL_LIBDIR=":$WOLFSSL_DIR"
+    fi
+fi
+export OPENSSL_ENGINES="$PWD/.libs"
+
 CURVES=prime256v1
 for VERSION in $VERSIONS
 do
@@ -679,17 +715,23 @@ do
     if [ "$VERSION" = "1.0.2" ]; then
         setup_openssl_102h
         OPENSSL_DIR="${OPENSSL_1_0_2_SOURCE}"
+        OPENSSL_ALL_CIPHERS="-cipher ALL"
+        WOLFENGINE_NAME=wolfengine
     fi
     if [ "$VERSION" = "1.1.0" ]; then
         setup_openssl_110j
         OPENSSL_DIR="${OPENSSL_1_1_0_SOURCE}"
+        OPENSSL_ALL_CIPHERS="-cipher ALL"
+        WOLFENGINE_NAME=libwolfengine
     fi
     if [ "$VERSION" = "1.1.1" ]; then
         setup_openssl_111b
         OPENSSL_DIR="${OPENSSL_1_1_1_SOURCE}"
+        OPENSSL_ALL_CIPHERS="-cipher ALL -ciphersuites $TLS13_ALL_CIPHERS"
+        WOLFENGINE_NAME=libwolfengine
     fi
 
-    export LD_LIBRARY_PATH=$OPENSSL_DIR
+    export LD_LIBRARY_PATH=$OPENSSL_DIR$WOLFSSL_LIBDIR
 
     do_configure
     if [ "$NO_TEST_CLIENT" = "" ]; then
diff --git a/src/we_aes_ccm.c b/src/we_aes_ccm.c
