MatrixSSL 3.9.5

2017-12-13 16:23:52 +02:00
parent 8735be1654
commit 83bff65b84
111 changed files with 5821 additions and 2646 deletions
--- a/apps/ssl/Makefile
+++ b/apps/ssl/Makefile
@@ -31,6 +31,13 @@ endif
 CFLAGS+=$(CFLAGS_INTERNAL)
 LDFLAGS+=$(LDFLAGS_INTERNAL)

+# Extra dependencies
+MATRIXSSL_CONFIG:=$(shell make parse-config --directory $(MATRIXSSL_ROOT)/matrixssl)
+
+ifneq (,$(findstring USE_ZLIB_COMPRESSION, $(MATRIXSSL_CONFIG)))
+LDFLAGS+=-lz
+endif
+
 include $(MATRIXSSL_ROOT)/common.mk

 # Linked files
@@ -40,6 +47,9 @@ STATIC:=\
 	$(MATRIXSSL_ROOT)/core/libcore_s.a \
 	$(STATIC_INTERNAL)

+STATIC_CLIENT:=\
+	$(MATRIXSSL_ROOT)/apps/common/client_common_s.a
+
 # Allow selecting the client auth identity (ID_RSA, ID_ECDH_ECDSA,
 # etc.) via an environment variable.
 ifneq '$(CIPHER_OPTION)' ''
@@ -54,7 +64,7 @@ $(OBJS): $(MATRIXSSL_ROOT)/common.mk Makefile $(wildcard *.h)
 $(SERVER_EXE): $(SERVER_SRC:.c=.o) $(STATIC)
 	$(CC) -o $@ $^ $(LDFLAGS) $(CFLAGS)

-$(CLIENT_EXE): $(CLIENT_SRC:.c=.o) $(STATIC)
+$(CLIENT_EXE): $(CLIENT_SRC:.c=.o) $(STATIC) $(STATIC_CLIENT)
 	$(CC) -o $@ $^ $(LDFLAGS) $(CFLAGS)

 $(NET_EXE): $(NET_SRC:.c=.o) $(STATIC)
--- a/apps/ssl/client.c
+++ b/apps/ssl/client.c
--- a/apps/ssl/net.c
+++ b/apps/ssl/net.c
@@ -433,12 +433,12 @@ int do_dialog_client(const char *host, const char *port)
 }

 /* The MatrixSSL certificate validation callback. */
+# ifdef USE_CLIENT_SIDE_SSL
 static int32 ssl_cert_auth(ssl_t *ssl, psX509Cert_t *cert, int32 alert)
 {
    return MATRIXSSL_SUCCESS;
 }

-# ifdef USE_CLIENT_SIDE_SSL
 static int32 extensionCb(ssl_t *ssl, uint16_t extType, uint8_t extLen, void *e)
 {

@@ -642,14 +642,12 @@ int do_dialog_server(const char *host, const char *port)
    return 2;
 }

-# ifdef USE_STATELESS_SESSION_TICKETS
+# if defined(USE_SERVER_SIDE_SSL) && defined(USE_STATELESS_SESSION_TICKETS)
 static int32 sessTicketCb(void *keys, unsigned char name[16], short found);

 static unsigned char sessTicketSymKey[32] = { 0 };
 static unsigned char sessTicketMacKey[32] = { 0 };
-# endif

-# ifdef USE_STATELESS_SESSION_TICKETS
 int32 sessTicketCb(void *keys, unsigned char name[16], short found)
 {
    if (found)
@@ -661,7 +659,7 @@ int32 sessTicketCb(void *keys, unsigned char name[16], short found)
    return matrixSslLoadSessionTicketKeys((sslKeys_t *) keys, name,
        sessTicketSymKey, 32, sessTicketMacKey, 32);
 }
-# endif
+# endif /* USE_SERVER_SIDE_SSL && USE_STATELESS_SESSION_TICKETS */

 # ifdef USE_SERVER_SIDE_SSL
 int do_dialog_server_tls(const char *host, const char *port,
--- a/apps/ssl/runClient.sh
+++ b/apps/ssl/runClient.sh
@@ -16,8 +16,8 @@ CIPHER_SUITE="47"	#AES128-SHA
 #CIPHER_SUITE="57"  	#DHE_RSA AES256-SHA
 #CIPHER_SUITE="49195"   #ECDHE_ECDSA-AES128-GCM-SHA256
 #CIPHER_SUITE="49196"   #ECDHE_ECDSA-AES256-GCM-SHA384
-#CIPHER_SUITE="52243"   #TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-#CIPHER_SUITE="52244"   #TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+#CIPHER_SUITE="52392"   #TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+#CIPHER_SUITE="52393"   #TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 fi
    
 if [ "X$PROTOCOL_VERSION" = "X" ]
@@ -28,7 +28,12 @@ PROTOCOL_VERSION="3"	#TLS1.2
 fi

 IPADDR="127.0.0.1"
+
+if [ "X$PORT" = "X" ]
+then
 PORT="4433"
+fi
+
 NEW_SESSIONS="1"
 RESUMED_SESSIONS="0"
 BYTES="1024"
--- a/apps/ssl/server.c
+++ b/apps/ssl/server.c
@@ -66,6 +66,12 @@ const static char g_defaultCAFile[] = "testkeys/RSA/2048_RSA_CA.pem";
 const static char g_defaultDHParamFile[] = "testkeys/DH/1024_DH_PARAMS.pem";
 #  endif

+#  ifdef USE_REHANDSHAKING
+static int g_doSelfInitiatedRehandshakeTest;
+static int g_numRehandshakes;
+static int g_maxRehandshakes;
+#  endif
+
 /********************************** Defines ***********************************/

 #  define SSL_TIMEOUT         45000 /* In milliseconds */
@@ -86,7 +92,8 @@ const static char g_defaultDHParamFile[] = "testkeys/DH/1024_DH_PARAMS.pem";
 static DLListEntry g_conns;
 static int32 g_exitFlag;
 static int g_port;
-static int g_version;
+static int g_min_version;
+static int g_max_version;
 static int g_disabledCiphers;
 static uint16_t g_disabledCipher[SSL_MAX_DISABLED_CIPHERS];

@@ -168,6 +175,13 @@ void SNIcallback(void *ssl, char *hostname, int32 hostnameLen,
    *newKeys = lssl->keys;
 }

+int32 setProtocolVersions(sslSessOpts_t *options)
+{
+    return matrixSslSessOptsSetServerTlsVersionRange(options,
+            g_min_version,
+            g_max_version);
+}
+
 /******************************************************************************/
 /**
    Display connections per second (if more than 0), at most once per second
@@ -312,6 +326,11 @@ static int32 selectLoop(sslKeys_t *keys, SOCKET lfd)
            memset(&options, 0x0, sizeof(sslSessOpts_t));
            options.userPtr = keys;
            /* options.extendedMasterSecret = 1; / * Require * / */
+            if (setProtocolVersions(&options) < 0)
+            {
+                close(fd);
+                return PS_ARG_FAIL;
+            }

            if ((rc = matrixSslNewServerSession(&cp->ssl, keys, NULL,
                     &options)) < 0)
@@ -320,7 +339,6 @@ static int32 selectLoop(sslKeys_t *keys, SOCKET lfd)
                continue;
            }
            matrixSslRegisterSNICallback(cp->ssl, SNIcallback);
-
            cp->fd = fd;
            cp->timeout = SSL_TIMEOUT;
            psGetTime(&cp->time, NULL);
@@ -383,6 +401,26 @@ WRITE_MORE:
                {
                    /* If the protocol is server initiated, send data here */
                    g_handshakes++;
+# ifdef USE_REHANDSHAKING
+                    if (g_doSelfInitiatedRehandshakeTest &&
+                            g_numRehandshakes < g_maxRehandshakes)
+                    {
+                        /* Full rehandshake */
+                        printf("Server initiating re-handshake\n");
+                        if (matrixSslEncodeRehandshake(cp->ssl, NULL,
+# ifdef USE_CLIENT_AUTH
+                                        certCb,
+# else
+                                        NULL,
+# endif /* USE_CLIENT_AUTH */
+                                        SSL_OPTION_FULL_HANDSHAKE, NULL, 0) < 0)
+                        {
+                            printf("matrixSslEncodeRehandshake failed\n");
+                            exit(1);
+                        }
+                        g_numRehandshakes++;
+                    }
+#endif /* USE_REHANDSHAKING */
 #  ifdef ENABLE_FALSE_START
                    /* OR this could be a Chrome browser using
                        FALSE_START and the application data is already
@@ -750,6 +788,7 @@ static void usage(void)
        "                        - '1' TLS 1.0\n"
        "                        - '2' TLS 1.1\n"
        "                        - '3' TLS 1.2 (default)\n"
+        "-V <min>,<max>      - SSL/TLS version range to use, e.g. '-V 2,3'\n"
        "\n");

 }
@@ -799,7 +838,7 @@ static int32_t parse_cipher_list(char *cipherListString,
 static int32 process_cmd_options(int32 argc, char **argv)
 {
    int optionChar, str_len, version, numCiphers;
-    char *cipherListString;
+    char *cipherListString, *versionRangeStr;

    /* Start with all options zeroized. */
    memset(g_keyfilePath, 0, MAX_KEYFILE_PATH);
@@ -809,12 +848,12 @@ static int32 process_cmd_options(int32 argc, char **argv)
    memset(g_caFile, 0, MAX_KEYFILE_PATH);
    memset(g_password, 0, MAX_PASSWORD_LEN);

-    g_port              = HTTPS_PORT;
-    g_version           = 3;
-    g_disabledCiphers   = 0;
+    g_port = HTTPS_PORT;
+    g_min_version = g_max_version = 3;
+    g_disabledCiphers = 0;

    opterr = 0;
-    while ((optionChar = getopt(argc, argv, "c:d:a:D:hk:p:P:v:x:")) != -1)
+    while ((optionChar = getopt(argc, argv, "c:d:a:D:hk:p:P:v:V:x:r:")) != -1)
    {
        switch (optionChar)
        {
@@ -899,14 +938,44 @@ static int32 process_cmd_options(int32 argc, char **argv)
            g_port = atoi(optarg);
            break;

+        case 'r':
+#ifdef USE_REHANDSHAKING
+            g_doSelfInitiatedRehandshakeTest = 1;
+            g_maxRehandshakes = atoi(optarg);
+#else
+            printf("Need USE_REHANDSHAKING for re-handshake test\n");
+            exit(EXIT_FAILURE);
+#endif
+            break;
+
        case 'v':
+            /* Single version. */
            version = atoi(optarg);
-            if (version < 0 || version > 3)
+            if (!matrixSslTlsVersionRangeSupported(version,
+                            version))
            {
                printf("Invalid version: %d\n", version);
                return -1;
            }
-            g_version = version;
+            g_min_version = g_max_version = version;
+            break;
+
+        case 'V':
+            /* Version range. */
+            versionRangeStr = optarg;
+            if (strlen(versionRangeStr) != 3)
+            {
+                printf("Invalid version range string: %s\n", versionRangeStr);
+                return -1;
+            }
+            g_min_version = atoi(&versionRangeStr[0]);
+            g_max_version = atoi(&versionRangeStr[2]);
+            if (!matrixSslTlsVersionRangeSupported(g_min_version,
+                            g_max_version))
+            {
+                printf("Unsupported version range: %s\n", versionRangeStr);
+                return -1;
+            }
            break;
        }
    }