Skip to content

Commit f682c6b

Browse files
dgarskedgarske
committed
Fixes for TLS v1.3 and x25519 non-blocking crypto
1 parent f7c1f77 commit f682c6b

6 files changed

Lines changed: 329 additions & 92 deletions

File tree

.github/workflows/async-examples.yml

Lines changed: 46 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -24,25 +24,63 @@ jobs:
2424
make -C examples/async clean
2525
make -C examples/async
2626
27-
- name: Run async examples (ECC + X25519)
27+
- name: Run async examples
2828
run: |
2929
set -euo pipefail
30+
31+
MIN_PENDING=100
32+
3033
run_pair() {
31-
local mode="$1"
32-
local ready="/tmp/wolfssl_async_ready_${mode}"
34+
local label="$1"
35+
shift
36+
local args="$*"
37+
local ready="/tmp/wolfssl_async_ready_${label}"
3338
rm -f "$ready"
39+
3440
WOLFSSL_ASYNC_READYFILE="$ready" \
35-
./examples/async/async_server --"$mode" > "/tmp/async_server_${mode}.log" 2>&1 &
41+
./examples/async/async_server $args \
42+
> "/tmp/async_server_${label}.log" 2>&1 &
3643
local pid=$!
44+
3745
WOLFSSL_ASYNC_READYFILE="$ready" \
38-
./examples/async/async_client --"$mode" 127.0.0.1 11111 > "/tmp/async_client_${mode}.log" 2>&1
46+
./examples/async/async_client $args 127.0.0.1 11111 \
47+
> "/tmp/async_client_${label}.log" 2>&1
3948
local rc=$?
49+
4050
kill "$pid" >/dev/null 2>&1 || true
4151
wait "$pid" >/dev/null 2>&1 || true
42-
return "$rc"
52+
53+
if [ "$rc" -ne 0 ]; then
54+
echo "FAIL: $label (exit=$rc)"
55+
return 1
56+
fi
57+
58+
# Validate WC_PENDING_E count is a proper value
59+
local count
60+
count=$(awk '/WC_PENDING_E count:/ {print $NF}' \
61+
"/tmp/async_client_${label}.log")
62+
if [ -z "$count" ] || [ "$count" -lt "$MIN_PENDING" ]; then
63+
echo "FAIL: $label - WC_PENDING_E count too low:" \
64+
"${count:-missing} (expected >= $MIN_PENDING)"
65+
return 1
66+
fi
67+
echo "PASS: $label (WC_PENDING_E: $count)"
68+
return 0
4369
}
44-
run_pair ecc
45-
run_pair x25519
70+
71+
# TLS 1.3
72+
run_pair ecc_tls13 --ecc
73+
run_pair x25519_tls13 --x25519
74+
75+
# TLS 1.2
76+
run_pair ecc_tls12 --tls12 --ecc
77+
run_pair x25519_tls12 --tls12 --x25519
78+
79+
# BELOW ARE NOT WORKING YET
80+
# TLS 1.3 mutual auth
81+
#run_pair ecc_tls13_mutual --mutual --ecc
82+
#run_pair x25519_tls13_mutual --mutual --x25519
83+
4684
4785
- name: Print async logs
4886
if: ${{ failure() }}

.github/workflows/os-check.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,8 @@ jobs:
8181
'--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
8282
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
8383
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
84-
'--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
84+
'--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
85+
'--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
8586
]
8687
name: make check
8788
if: github.repository_owner == 'wolfssl'

examples/async/async_client.c

Lines changed: 93 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,7 @@
5252
#include <wolfssl/ssl.h>
5353
#include <wolfssl/wolfio.h>
5454
#include <wolfssl/wolfcrypt/error-crypt.h>
55+
#include <wolfssl/certs_test.h>
5556
#include "examples/async/async_tls.h"
5657

5758
/* ------------------------------------------------------------------ */
@@ -154,7 +155,8 @@ static int posix_net_connect(const char* host, int port)
154155
/* ------------------------------------------------------------------ */
155156
static void usage(const char* prog)
156157
{
157-
printf("usage: %s [--ecc|--x25519] [host] [port]\n", prog);
158+
printf("usage: %s [--ecc|--x25519] [--mutual] [--tls12] [host] [port]\n",
159+
prog);
158160
}
159161

160162
static const char* group_name(word16 group)
@@ -170,7 +172,7 @@ static const char* group_name(word16 group)
170172
}
171173

172174
static int parse_client_args(int argc, char** argv,
173-
const char** host, int* port, word16* group)
175+
const char** host, int* port, word16* group, int* mutual, int* tls12)
174176
{
175177
int i;
176178
int host_set = 0;
@@ -179,6 +181,8 @@ static int parse_client_args(int argc, char** argv,
179181
*host = DEFAULT_TLS_HOST;
180182
*port = DEFAULT_TLS_PORT;
181183
*group = WOLFSSL_ECC_SECP256R1;
184+
*mutual = 0;
185+
*tls12 = 0;
182186

183187
for (i = 1; i < argc; i++) {
184188
if (XSTRCMP(argv[i], "--ecc") == 0) {
@@ -187,6 +191,12 @@ static int parse_client_args(int argc, char** argv,
187191
else if (XSTRCMP(argv[i], "--x25519") == 0) {
188192
*group = WOLFSSL_ECC_X25519;
189193
}
194+
else if (XSTRCMP(argv[i], "--mutual") == 0) {
195+
*mutual = 1;
196+
}
197+
else if (XSTRCMP(argv[i], "--tls12") == 0) {
198+
*tls12 = 1;
199+
}
190200
else if (XSTRCMP(argv[i], "--help") == 0) {
191201
return -1;
192202
}
@@ -227,13 +237,17 @@ int client_async_test(int argc, char** argv)
227237
int port = 0;
228238
word16 group = WOLFSSL_ECC_SECP256R1;
229239
const char* mode = NULL;
240+
int mutual = 0;
241+
int tls12 = 0;
230242

231-
if (parse_client_args(argc, argv, &host, &port, &group) != 0) {
243+
if (parse_client_args(argc, argv, &host, &port, &group, &mutual,
244+
&tls12) != 0) {
232245
usage(argv[0]);
233246
return 0;
234247
}
235248
mode = group_name(group);
236-
printf("Async client mode: %s (keyshare 0x%04x)\n", mode, group);
249+
printf("Async client mode: %s, TLS %s%s\n", mode,
250+
tls12 ? "1.2" : "1.3", mutual ? ", mutual auth" : "");
237251

238252
{
239253
const char* ready = getenv(WOLFSSL_ASYNC_READYFILE_ENV);
@@ -259,16 +273,71 @@ int client_async_test(int argc, char** argv)
259273
}
260274
#endif
261275

262-
ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
276+
#ifndef WOLFSSL_NO_TLS12
277+
if (tls12)
278+
ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
279+
else
280+
#endif
281+
ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
263282
if (ctx == NULL) {
264283
goto out;
265284
}
266285
#ifdef WOLFSSL_ASYNC_CRYPT
267286
wolfSSL_CTX_SetDevId(ctx, devId);
268287
#endif
269288

270-
/* Bare-metal style: disable verification unless you load CA/peer certs. */
271-
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL);
289+
if (mutual) {
290+
if (group == WOLFSSL_ECC_X25519) {
291+
#ifdef HAVE_ED25519
292+
ret = wolfSSL_CTX_load_verify_buffer(ctx, ca_ed25519_cert,
293+
sizeof_ca_ed25519_cert, WOLFSSL_FILETYPE_ASN1);
294+
if (ret != WOLFSSL_SUCCESS) {
295+
fprintf(stderr, "ERROR: failed to load ED25519 CA cert.\n");
296+
goto out;
297+
}
298+
ret = wolfSSL_CTX_use_certificate_buffer(ctx, client_ed25519_cert,
299+
sizeof_client_ed25519_cert, WOLFSSL_FILETYPE_ASN1);
300+
if (ret != WOLFSSL_SUCCESS) {
301+
fprintf(stderr, "ERROR: failed to load ED25519 client cert.\n");
302+
goto out;
303+
}
304+
ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, client_ed25519_key,
305+
sizeof_client_ed25519_key, WOLFSSL_FILETYPE_ASN1);
306+
if (ret != WOLFSSL_SUCCESS) {
307+
fprintf(stderr, "ERROR: failed to load ED25519 client key.\n");
308+
goto out;
309+
}
310+
#else
311+
fprintf(stderr,
312+
"ERROR: --x25519 --mutual requires HAVE_ED25519\n");
313+
goto out;
314+
#endif
315+
}
316+
else {
317+
ret = wolfSSL_CTX_load_verify_buffer(ctx, ca_ecc_cert_der_256,
318+
sizeof_ca_ecc_cert_der_256, WOLFSSL_FILETYPE_ASN1);
319+
if (ret != WOLFSSL_SUCCESS) {
320+
fprintf(stderr, "ERROR: failed to load ECC CA cert.\n");
321+
goto out;
322+
}
323+
ret = wolfSSL_CTX_use_certificate_buffer(ctx, cliecc_cert_der_256,
324+
sizeof_cliecc_cert_der_256, WOLFSSL_FILETYPE_ASN1);
325+
if (ret != WOLFSSL_SUCCESS) {
326+
fprintf(stderr, "ERROR: failed to load ECC client cert.\n");
327+
goto out;
328+
}
329+
ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, ecc_clikey_der_256,
330+
sizeof_ecc_clikey_der_256, WOLFSSL_FILETYPE_ASN1);
331+
if (ret != WOLFSSL_SUCCESS) {
332+
fprintf(stderr, "ERROR: failed to load ECC client key.\n");
333+
goto out;
334+
}
335+
}
336+
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
337+
}
338+
else {
339+
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL);
340+
}
272341

273342
wolfSSL_SetIORecv(ctx, NET_IO_RECV_CB);
274343
wolfSSL_SetIOSend(ctx, NET_IO_SEND_CB);
@@ -286,23 +355,26 @@ int client_async_test(int argc, char** argv)
286355
(void)wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, host,
287356
(word16)XSTRLEN(host));
288357

289-
for (;;) {
290-
ret = wolfSSL_UseKeyShare(ssl, group);
291-
if (ret == WOLFSSL_SUCCESS) {
292-
break;
293-
}
294-
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
358+
/* UseKeyShare is TLS 1.3 only */
359+
if (!tls12) {
360+
for (;;) {
361+
ret = wolfSSL_UseKeyShare(ssl, group);
362+
if (ret == WOLFSSL_SUCCESS) {
363+
break;
364+
}
365+
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
295366
#ifdef WOLFSSL_DEBUG_NONBLOCK
296-
pending_count++;
367+
pending_count++;
297368
#endif
298369
#ifdef WOLFSSL_ASYNC_CRYPT
299-
if (wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW) < 0) {
300-
goto out;
301-
}
370+
if (wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW) < 0) {
371+
goto out;
372+
}
302373
#endif
303-
continue;
374+
continue;
375+
}
376+
goto out;
304377
}
305-
goto out;
306378
}
307379

308380
/* Non-blocking style loop. */
@@ -332,6 +404,8 @@ int client_async_test(int argc, char** argv)
332404
}
333405
continue;
334406
}
407+
fprintf(stderr, "ERROR: wolfSSL_connect failed: %d (%s)\n",
408+
err, wolfSSL_ERR_reason_error_string(err));
335409
goto out;
336410
}
337411

0 commit comments

Comments
 (0)