Compatibility layer

examples/client/client.c

@@ -1281,6 +1281,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
     if (ssl == NULL)
         err_sys("unable to get SSL object");
 
+    #ifdef OPENSSL_EXTRA
+    wolfSSL_KeepArrays(ssl);
+    #endif
+
     #ifdef HAVE_SUPPORTED_CURVES /* add curves to supported curves extension */
         if (wolfSSL_UseSupportedCurve(ssl, WOLFSSL_ECC_SECP256R1)
                 != SSL_SUCCESS) {
@@ -1428,6 +1432,36 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif
     showPeer(ssl);
 
+#ifdef OPENSSL_EXTRA
+    {
+        byte* rnd;
+        byte* pt;
+        int   size;
+
+        /* get size of buffer then print */
+        size = wolfSSL_get_client_random(NULL, NULL, 0);
+        if (size < 0) {
+            err_sys("error getting client random buffer size");
+        }
+
+        rnd = (byte*)XMALLOC(size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (rnd == NULL) {
+            err_sys("error creating client random buffer");
+        }
+
+        size = wolfSSL_get_client_random(ssl, rnd, size);
+        if (size < 0) {
+            XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            err_sys("error getting client random buffer");
+        }
+
+        printf("Client Random : ");
+        for (pt = rnd; pt < rnd + size; pt++) printf("%02X", *pt);
+        printf("\n");
+        XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
     if (doSTARTTLS) {
         if (XSTRNCMP(starttlsProt, "smtp", 4) == 0) {
             if (SMTP_Shutdown(ssl, wc_shutdown) != SSL_SUCCESS) {

src/ssl.c

@@ -5630,6 +5630,43 @@ int wolfSSL_use_certificate_chain_file(WOLFSSL* ssl, const char* file)
 
 
 
+#if !defined(NO_WOLFSSL_CLIENT)
+/* Return the amount of random bytes copied over or error case.
+ * ssl : ssl struct after handshake
+ * out : buffer to hold random bytes
+ * outSz : either 0 (return max buffer sz) or size of out buffer
+ *
+ * NOTE: wolfSSL_KeepArrays(ssl) must be called to retain handshake information.
+ */
+int wolfSSL_get_client_random(WOLFSSL* ssl, unsigned char* out, int outSz)
+{
+    int size;
+
+    /* return max size of buffer */
+    if (outSz == 0) {
+        return RAN_LEN;
+    }
+
+    if (ssl == NULL || out == NULL || outSz < 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (ssl->options.saveArrays == 0 || ssl->arrays == NULL) {
+        WOLFSSL_MSG("Arrays struct not saved after handshake");
+    }
+
+    if (outSz > RAN_LEN) {
+        size = RAN_LEN;
+    }
+    else {
+        size = outSz;
+    }
+
+    XMEMCPY(out, ssl->arrays->clientRandom, size);
+    return size;
+}
+#endif /* !defined(NO_WOLFSSL_CLIENT) */
+
 #ifdef HAVE_ECC
 
 /* Set Temp CTX EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
@@ -13272,6 +13309,125 @@ long wolfSSL_CTX_sess_number(WOLFSSL_CTX* ctx)
 }
 
 #ifndef NO_DES3
+void wolfSSL_DES_set_key(WOLFSSL_const_DES_cblock* myDes,
+                                               WOLFSSL_DES_key_schedule* key)
+{
+#ifdef WOLFSSL_CHECK_DESKEY
+    wolfSSL_DES_set_key_checked(myDes, key);
+#else
+    wolfSSL_DES_set_key_unchecked(myDes, key);
+#endif
+}
+
+
+
+/* return true in fail case (1) */
+static int DES_check(word32 mask, word32 mask2, unsigned char* key)
+{
+    if ((*(word32*)(key + 0) ^ mask) == 0) {
+        if ((*(word32*)(key + 4) ^ mask2) == 0) {
+            return 1;
+        }
+    }
+    return 0;
+}
+
+
+/* check that the key is odd parity and is not a weak key */
+void wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes,
+                                               WOLFSSL_DES_key_schedule* key)
+{
+    if (myDes == NULL || key == NULL) {
+        WOLFSSL_MSG("Bad argument passed to wolfSSL_DES_set_key_checked");
+    }
+    else {
+        word32 i, mask, mask2;
+
+        /* check odd parity */
+        for (i = 0; i < sizeof(WOLFSSL_DES_key_schedule); i++) {
+            unsigned char c = *((unsigned char*)key + i);
+            if (((c & 0x01) ^
+                ((c >> 1) & 0x01) ^
+                ((c >> 2) & 0x01) ^
+                ((c >> 3) & 0x01) ^
+                ((c >> 4) & 0x01) ^
+                ((c >> 5) & 0x01) ^
+                ((c >> 6) & 0x01) ^
+                ((c >> 7) & 0x01)) != 1) {
+                WOLFSSL_MSG("Odd parity test fail");
+                return;
+            }
+        }
+
+        /* check is not weak. Weak key list from Nist
+           "Recommendation for the Triple
+           Data Encryption Algorithm
+           (TDEA) Block Cipher" */
+        mask = 0x01010101; mask2 = 0x01010101;
+        if (DES_check(mask, mask2, *key)) {
+            WOLFSSL_MSG("Weak key found");
+            return;
+        }
+
+        mask = 0xFEFEFEFE; mask2 = 0xFEFEFEFE;
+        if (DES_check(mask, mask2, *key)) {
+            WOLFSSL_MSG("Weak key found");
+            return;
+        }
+
+        mask = 0xE0E0E0E0; mask2 = 0xF1F1F1F1;
+        if (DES_check(mask, mask2, *key)) {
+            WOLFSSL_MSG("Weak key found");
+            return;
+        }
+
+        mask = 0x1F1F1F1F; mask2 = 0x0E0E0E0E;
+        if (DES_check(mask, mask2, *key)) {
+            WOLFSSL_MSG("Weak key found");
+            return;
+        }
+
+        /* semi-weak *key check (list from same Nist paper) */
+        mask  = 0x011F011F; mask2 = 0x010E010E;
+        if (DES_check(mask, mask2, *key) ||
+            DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) {
+            WOLFSSL_MSG("Weak key found");
+            return;
+        }
+
+        mask  = 0x01E001E0; mask2 = 0x01F101F1;
+        if (DES_check(mask, mask2, *key) ||
+            DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) {
+            WOLFSSL_MSG("Weak key found");
+            return;
+        }
+
+        mask  = 0x01FE01FE; mask2 = 0x01FE01FE;
+        if (DES_check(mask, mask2, *key) ||
+            DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) {
+            WOLFSSL_MSG("Weak key found");
+            return;
+        }
+
+        mask  = 0x1FE01FE0; mask2 = 0x0EF10EF1;
+        if (DES_check(mask, mask2, *key) ||
+            DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) {
+            WOLFSSL_MSG("Weak key found");
+            return;
+        }
+
+        mask  = 0x1FFE1FFE; mask2 = 0x0EFE0EFE;
+        if (DES_check(mask, mask2, *key) ||
+            DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) {
+            WOLFSSL_MSG("Weak key found");
+            return;
+        }
+
+        /* passed tests, now copy over key */
+        XMEMCPY(key, myDes, sizeof(WOLFSSL_const_DES_cblock));
+    }
+}
+
 
 void wolfSSL_DES_set_key_unchecked(WOLFSSL_const_DES_cblock* myDes,
                                                WOLFSSL_DES_key_schedule* key)

tests/api.c

@@ -46,7 +46,10 @@
 #ifdef OPENSSL_EXTRA
     #include <wolfssl/openssl/ssl.h>
     #include <wolfssl/openssl/pkcs12.h>
+#ifndef NO_DES3
+    #include <wolfssl/openssl/des.h>
 #endif
+#endif /* OPENSSL_EXTRA */
 
 /* enable testing buffer load functions */
 #ifndef USE_CERT_BUFFERS_2048
@@ -2195,6 +2198,53 @@ static int test_wolfSSL_UseOCSPStaplingV2(void)
 } /*END test_wolfSSL_UseOCSPStaplingV2*/
 
 
+/*----------------------------------------------------------------------------*
+ | Compatibility Tests
+ *----------------------------------------------------------------------------*/
+
+
+static void test_wolfSSL_DES(void)
+{
+    #if defined(OPENSSL_EXTRA) && !defined(NO_DES3)
+    const_DES_cblock myDes;
+    DES_key_schedule key;
+    word32 i;
+
+    printf(testingFmt, "wolfSSL_DES()");
+
+    DES_check_key(1);
+    DES_set_key(&myDes, &key);
+
+    /* check, check of odd parity */
+    XMEMSET(key, 4, sizeof(DES_key_schedule));  key[0] = 3; /*set even parity*/
+    XMEMSET(myDes, 5, sizeof(const_DES_cblock));
+    DES_set_key_checked(&myDes, &key);
+    AssertIntNE(key[0], myDes[0]); /* should not have copied over key */
+
+    /* set odd parity for success case */
+    key[0] = 4;
+    DES_set_key_checked(&myDes, &key);
+    for (i = 0; i < sizeof(DES_key_schedule); i++) {
+        AssertIntEQ(key[i], myDes[i]);
+    }
+
+    /* check weak key */
+    XMEMSET(key, 1, sizeof(DES_key_schedule));
+    XMEMSET(myDes, 5, sizeof(const_DES_cblock));
+    DES_set_key_checked(&myDes, &key);
+    AssertIntNE(key[0], myDes[0]); /* should not have copied over key */
+
+    /* now do unchecked copy of a weak key over */
+    DES_set_key_unchecked(&myDes, &key);
+    /* compare arrays, should be the same */
+    for (i = 0; i < sizeof(DES_key_schedule); i++) {
+        AssertIntEQ(key[i], myDes[i]);
+    }
+
+    printf(resultFmt, passed);
+    #endif /* defined(OPENSSL_EXTRA) && !defined(NO_DES3) */
+}
+
 /*----------------------------------------------------------------------------*
  | Main
  *----------------------------------------------------------------------------*/
@@ -2239,6 +2289,9 @@ void ApiTest(void)
     AssertIntEQ(test_wolfSSL_UseOCSPStapling(), SSL_SUCCESS);
     AssertIntEQ(test_wolfSSL_UseOCSPStaplingV2(), SSL_SUCCESS);
 
+    /* compatibility tests */
+    test_wolfSSL_DES();
+
     AssertIntEQ(test_wolfSSL_Cleanup(), SSL_SUCCESS);
     printf(" End API Tests\n");
 

wolfcrypt/test/test.c

@@ -6311,6 +6311,14 @@ int openssl_test(void)
     (void)e;
     (void)f;
 
+    /* test malloc / free , 10 is an arbitrary amount of memory chosen */
+    {
+        byte* p;
+        p = (byte*)CRYPTO_malloc(10, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XMEMSET(p, 0, 10);
+        CRYPTO_free(p, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
 #ifndef NO_MD5
 
     a.input  = "1234567890123456789012345678901234567890123456789012345678"

wolfssl/openssl/des.h

@@ -53,6 +53,10 @@ enum {
 };
 
 
+WOLFSSL_API void wolfSSL_DES_set_key(WOLFSSL_const_DES_cblock* myDes,
+                                               WOLFSSL_DES_key_schedule* key);
+WOLFSSL_API void wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes,
+                                               WOLFSSL_DES_key_schedule* key);
 WOLFSSL_API void wolfSSL_DES_set_key_unchecked(WOLFSSL_const_DES_cblock*,
                                              WOLFSSL_DES_key_schedule*);
 WOLFSSL_API int  wolfSSL_DES_key_sched(WOLFSSL_const_DES_cblock* key,
@@ -81,6 +85,9 @@ typedef WOLFSSL_DES_cblock DES_cblock;
 typedef WOLFSSL_const_DES_cblock const_DES_cblock;
 typedef WOLFSSL_DES_key_schedule DES_key_schedule;
 
+#define DES_check_key(x) /* Define WOLFSSL_CHECK_DESKEY to check key */
+#define DES_set_key           wolfSSL_DES_set_key
+#define DES_set_key_checked   wolfSSL_DES_set_key_checked
 #define DES_set_key_unchecked wolfSSL_DES_set_key_unchecked
 #define DES_key_sched         wolfSSL_DES_key_sched
 #define DES_cbc_encrypt       wolfSSL_DES_cbc_encrypt

wolfssl/openssl/ssl.h

@@ -90,6 +90,11 @@ typedef WOLFSSL_X509_REVOKED   X509_REVOKED;
 typedef WOLFSSL_X509_OBJECT    X509_OBJECT;
 typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
 
+#define CRYPTO_free   XFREE
+#define CRYPTO_malloc XMALLOC
+
+#define SSL_get_client_random(ssl,out,outSz) \
+                                  wolfSSL_get_client_random((ssl),(out),(outSz))
 #define SSL_get_cipher_list(ctx,i)          wolfSSL_get_cipher_list((i))
 #define SSL_get_cipher_name(ctx)            wolfSSL_get_cipher((ctx))
 #define SSL_get_shared_ciphers(ctx,buf,len) \

wolfssl/ssl.h

@@ -1797,7 +1797,12 @@ WOLFSSL_API char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time,
 
 #ifdef OPENSSL_EXTRA
 
- /*lighttp compatibility */
+WOLFSSL_API int wolfSSL_get_client_random(WOLFSSL* ssl, unsigned char* out,
+                                                                     int outSz);
+
+
+/*lighttp compatibility */
+
 #include <wolfssl/openssl/asn1.h>
 struct WOLFSSL_X509_NAME_ENTRY {
     WOLFSSL_ASN1_OBJECT* object; /* not defined yet */