Sparkidev mikeysakke r2

IDE/LINUX-SGX/README.md

@@ -1,7 +1,10 @@
 # Static Library: Building libwolfssl.sgx.static.lib.a for use with SGX Enclaves
 
 ### Requirements:
-This code was created to use Intel's SGX hardware. It is expected that the user has gone through the steps of both turning on the hardware in bios if needed and has installed the necessary software from Intel to make use of the hardware. (https://software.intel.com/en-us/sgx) If these steps have not been done then it is expected that the user is familure with simulation software being used in place of hardware.
+This code was created to use Intel's SGX hardware. It is expected that the user has gone through the steps of both turning on the hardware in bios if needed and has installed the necessary software from Intel to make use of the hardware. (https://software.intel.com/en-us/sgx) If these steps have not been done then it is expected that the user is familiar with simulation software being used in place of hardware.
+
+### Security:
+If not already in use, it is recommended that SP (single precision) RSA and ECC code is used. This will help mitigate potential side channel attacks. To use SP code check that wolfcrypt/src/sp_c32.c and wolfcrypt/src/sp_c64.c are compiled and add HAVE_WOLFSSL_SP=1 to the build command to define the necessary macros.
 
 ### Overview and Build:
 This project creates a static library to then link with Enclaves. A simple example of an Enclave linking to the created wolfSSL library can be found in wolfssl-examples on github. This project has been tested with gcc 5.4.0 on Ubuntu 16.04.
@@ -21,9 +24,10 @@ This will create a local static library, libwolfssl.sgx.static.lib.a, that can b
     To enable wolfssl debug, add CFLAGS=-DDEBUG_WOLFSSL.
     To enable wolfssl benchmark tests with enclave, specify: HAVE_WOLFSSL_BENCHMARK at build
     To enable wolfcrypt testsuite with enclave, specify: HAVE_WOLFSSL_TEST at build
+    To enable SP code, specify: HAVE_WOLFSSL_SP at build
 
-For example, to enable all three:
-`make -f sgx_t_static.mk CFLAGS=-DDEBUG_WOLFSSL HAVE_WOLFSSL_BENCHMARK=1 HAVE_WOLFSSL_TEST=1`
+For example:
+`make -f sgx_t_static.mk CFLAGS=-DDEBUG_WOLFSSL HAVE_WOLFSSL_BENCHMARK=1 HAVE_WOLFSSL_TEST=1 HAVE_WOLFSSL_SP=1`
 
 NOTE: This more customized step has been provided for easier execution in the
       script `build.sh`

IDE/LINUX-SGX/build.sh

@@ -5,5 +5,5 @@ CFLAGS_NEW="-DDEBUG_WOLFSSL"
 export CFLAGS="${CFLAGS} ${CFLAGS_NEW}"
 echo ${CFLAGS}
 
-make -f sgx_t_static.mk HAVE_WOLFSSL_BENCHMARK=1 HAVE_WOLFSSL_TEST=1
+make -f sgx_t_static.mk HAVE_WOLFSSL_BENCHMARK=1 HAVE_WOLFSSL_TEST=1 HAVE_WOLFSSL_SP=1
 

IDE/LINUX-SGX/sgx_t_static.mk

@@ -45,6 +45,7 @@ endif
 Crypto_Library_Name := sgx_tcrypto
 
 Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
+
 Wolfssl_C_Files :=$(WOLFSSL_ROOT)/wolfcrypt/src/aes.c\
 					$(WOLFSSL_ROOT)/wolfcrypt/src/arc4.c\
 					$(WOLFSSL_ROOT)/wolfcrypt/src/asn.c\
@@ -86,6 +87,8 @@ Wolfssl_C_Files :=$(WOLFSSL_ROOT)/wolfcrypt/src/aes.c\
 					$(WOLFSSL_ROOT)/wolfcrypt/src/sha256.c\
 					$(WOLFSSL_ROOT)/wolfcrypt/src/sha512.c\
 					$(WOLFSSL_ROOT)/wolfcrypt/src/signature.c\
+					$(WOLFSSL_ROOT)/wolfcrypt/src/sp_c32.c\
+					$(WOLFSSL_ROOT)/wolfcrypt/src/sp_c64.c\
 					$(WOLFSSL_ROOT)/src/ssl.c\
 					$(WOLFSSL_ROOT)/src/tls.c\
 					$(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.c\
@@ -105,6 +108,11 @@ ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
 	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
 endif
 
+ifeq ($(HAVE_WOLFSSL_SP), 1)
+    Wolfssl_C_Extra_Flags += -DWOLFSSL_HAVE_SP_RSA \
+                             -DWOLFSSL_HAVE_SP_DH  \
+                             -DWOLFSSL_HAVE_SP_ECC
+endif
 
 
 Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11

examples/benchmark/tls_bench.c

@@ -525,15 +525,15 @@ static int ReceiveFrom(WOLFSSL *ssl, int sd, char *buf, int sz)
     int recvd;
     int dtls_timeout = wolfSSL_dtls_get_current_timeout(ssl);
     struct sockaddr peer;
-    socklen_t peerSz;
-    
+    socklen_t peerSz = 0;
+
     if (DoneHandShake) dtls_timeout = 0;
 
     if (!wolfSSL_get_using_nonblock(ssl)) {
         struct timeval timeout;
         XMEMSET(&timeout, 0, sizeof(timeout));
         timeout.tv_sec = dtls_timeout;
-    
+
         if (setsockopt(sd, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout,
                        sizeof(timeout)) != 0) {
                 printf("setsockopt rcvtimeo failed\n");
@@ -543,7 +543,7 @@ static int ReceiveFrom(WOLFSSL *ssl, int sd, char *buf, int sz)
     recvd = (int)recvfrom(sd, buf, sz, 0, (SOCKADDR*)&peer, &peerSz);
 
     if (recvd < 0) {
-         
+
         if (errno == SOCKET_EWOULDBLOCK || errno == SOCKET_EAGAIN) {
             if (wolfSSL_dtls_get_using_nonblock(ssl)) {
                 return WOLFSSL_CBIO_ERR_WANT_READ;
@@ -576,7 +576,7 @@ static int ReceiveFrom(WOLFSSL *ssl, int sd, char *buf, int sz)
 #endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */
 
 #if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_CLIENT)
-static int SendTo(int sd, char *buf, int sz, const struct sockaddr *peer, 
+static int SendTo(int sd, char *buf, int sz, const struct sockaddr *peer,
                   socklen_t peerSz)
 {
     int sent;
@@ -625,9 +625,9 @@ static int ServerSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 #endif
 #if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_CLIENT)
     if (info->doDTLS) {
-        return SendTo(info->server.sockFd, buf, sz, 
+        return SendTo(info->server.sockFd, buf, sz,
             (const struct sockaddr*)&info->clientAddr, sizeof(info->clientAddr));
-    } else 
+    } else
 #endif
         return SocketSend(info->server.sockFd, buf, sz);
 }
@@ -659,9 +659,9 @@ static int ClientSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 #endif
 #ifdef WOLFSSL_DTLS
     if (info->doDTLS) {
-        return SendTo(info->client.sockFd, buf, sz, 
+        return SendTo(info->client.sockFd, buf, sz,
             (const struct sockaddr*)&info->serverAddr, sizeof(info->serverAddr));
-    } else 
+    } else
 #endif
         return SocketSend(info->client.sockFd, buf, sz);
 }
@@ -676,7 +676,7 @@ static int ClientRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 #if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER)
     if (info->doDTLS) {
         return ReceiveFrom(ssl, info->client.sockFd, buf, sz);
-    } else 
+    } else
 #endif
         return SocketRecv(info->client.sockFd, buf, sz);
 }
@@ -734,14 +734,14 @@ static int SetupSocketAndConnect(info_t* info, const char* host,
 
 #ifdef WOLFSSL_DTLS
     if (info->doDTLS) {
-        /* Create the SOCK_DGRAM socket type is implemented on the User 
+        /* Create the SOCK_DGRAM socket type is implemented on the User
         *  Datagram Protocol/Internet Protocol(UDP/IP protocol).*/
         if ((info->client.sockFd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
             printf("ERROR: failed to create the SOCK_DGRAM socket\n");
             return -1;
         }
         XMEMCPY(&info->serverAddr, &servAddr, sizeof(servAddr));
-    } else { 
+    } else {
 #endif
     /* Create a socket that uses an Internet IPv4 address,
      * Sets the socket to be stream based (TCP),
@@ -792,7 +792,7 @@ static int bench_tls_client(info_t* info)
     if(info->doDTLS) {
         if (tls13) return WOLFSSL_SUCCESS;
         cli_ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method());
-    } else 
+    } else
 #endif
 #ifdef WOLFSSL_TLS13
     if (tls13)
@@ -889,7 +889,7 @@ static int bench_tls_client(info_t* info)
 
 #ifdef WOLFSSL_DTLS
         if (info->doDTLS) {
-            ret = wolfSSL_dtls_set_peer(cli_ssl, &info->serverAddr, 
+            ret = wolfSSL_dtls_set_peer(cli_ssl, &info->serverAddr,
                                                     sizeof(info->serverAddr));
             if (ret != WOLFSSL_SUCCESS) {
                 printf("error setting dtls peer\n");
@@ -906,7 +906,7 @@ static int bench_tls_client(info_t* info)
         wolfSSL_SetIOWriteCtx(cli_ssl, info);
 
 #if defined(HAVE_PTHREAD) && defined(WOLFSSL_DTLS)
-        /* synchronize with server */ 
+        /* synchronize with server */
         if (info->doDTLS && !info->clientOrserverOnly) {
             pthread_mutex_lock(&info->dtls_mutex);
             if (info->serverReady != 1) {
@@ -1083,7 +1083,7 @@ static int SetupSocketAndListen(int* listenFd, word32 port, int doDTLS)
 #ifdef WOLFSSL_DTLS
     if (doDTLS) {
         /* Create a socket that is implemented on the User Datagram Protocol/
-        * Interet Protocol(UDP/IP protocol). */ 
+        * Interet Protocol(UDP/IP protocol). */
         if((*listenFd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
             printf("ERROR: failed to create the socket\n");
             return -1;
@@ -1149,7 +1149,7 @@ static int SocketWaitClient(info_t* info)
             MSG_PEEK, (struct sockaddr*)&clientAddr, &size);
         if (connd < -1) {
             printf("ERROR: failed to accept the connection\n");
-            return -1; 
+            return -1;
         }
         XMEMCPY(&info->clientAddr, &clientAddr, sizeof(clientAddr));
         info->server.sockFd = info->listenFd;
@@ -1195,7 +1195,7 @@ static int bench_tls_server(info_t* info)
     if(info->doDTLS) {
         if(tls13) return WOLFSSL_SUCCESS;
         srv_ctx = wolfSSL_CTX_new(wolfDTLSv1_2_server_method());
-    } else { 
+    } else {
 #endif
 #ifdef WOLFSSL_TLS13
     if (tls13)
@@ -1301,7 +1301,7 @@ static int bench_tls_server(info_t* info)
         }
 #ifdef WOLFSSL_DTLS
         if (info->doDTLS) {
-            ret = wolfSSL_dtls_set_peer(srv_ssl, &info->clientAddr, 
+            ret = wolfSSL_dtls_set_peer(srv_ssl, &info->clientAddr,
                         sizeof(info->clientAddr));
             if (ret != WOLFSSL_SUCCESS) {
                 printf("error setting dtls peer\n");
@@ -1405,7 +1405,7 @@ static int bench_tls_server(info_t* info)
 #ifdef WOLFSSL_DTLS
         if (info->doDTLS) {
             SetupSocketAndListen(&info->listenFd, info->port, info->doDTLS);
-        }   
+        }
 #endif
 
     }

examples/client/client.c

@@ -728,7 +728,7 @@ static int StartTLS_Init(SOCKET_T* sockfd)
     XMEMSET(tmpBuf, 0, sizeof(tmpBuf));
     if (recv(*sockfd, tmpBuf, sizeof(tmpBuf)-1, 0) < 0)
         err_sys("failed to read STARTTLS command\n");
-
+    tmpBuf[sizeof(tmpBuf)-1] = '\0';
     if (!XSTRNCMP(tmpBuf, starttlsCmd[4], XSTRLEN(starttlsCmd[4]))) {
         printf("%s\n", tmpBuf);
     } else {

src/bio.c

@@ -159,22 +159,20 @@ static int wolfSSL_BIO_SSL_read(WOLFSSL_BIO* bio, void* buf,
 
 static int wolfSSL_BIO_MD_read(WOLFSSL_BIO* bio, void* buf, int sz)
 {
-    int ret = sz;
-
     if (wolfSSL_EVP_MD_CTX_type((WOLFSSL_EVP_MD_CTX*)bio->ptr) == NID_hmac) {
         if (wolfSSL_EVP_DigestSignUpdate((WOLFSSL_EVP_MD_CTX*)bio->ptr, buf,
                         sz) != WOLFSSL_SUCCESS)
         {
-            ret = WOLFSSL_FATAL_ERROR;
+            return WOLFSSL_FATAL_ERROR;
         }
     }
     else {
-        if (wolfSSL_EVP_DigestUpdate((WOLFSSL_EVP_MD_CTX*)bio->ptr, buf, ret)
+        if (wolfSSL_EVP_DigestUpdate((WOLFSSL_EVP_MD_CTX*)bio->ptr, buf, sz)
                 != WOLFSSL_SUCCESS) {
-            ret = WOLFSSL_FATAL_ERROR;
+            return WOLFSSL_FATAL_ERROR;
         }
     }
-    return ret;
+    return sz;
 }
 #endif /* WOLFCRYPT_ONLY */
 
@@ -609,17 +607,17 @@ int wolfSSL_BIO_write(WOLFSSL_BIO* bio, const void* data, int len)
         bio = bio->next;
     }
 
-    if (frmt != NULL) {
-        XFREE(frmt, front->heap, DYNAMIC_TYPE_TMP_BUFFER);
-    }
-
     /* info cb, user can override return value */
     if (front != NULL && front->infoCb != NULL) {
         ret = (int)front->infoCb(front,
                                  WOLFSSL_BIO_CB_WRITE | WOLFSSL_BIO_CB_RETURN,
                                  (const char*)data, 0, 0, ret);
     }
 
+    if (frmt != NULL) {
+        XFREE(frmt, front->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
     if (retB64 != 0)
         return retB64;
     else
@@ -1527,6 +1525,7 @@ void* wolfSSL_BIO_get_data(WOLFSSL_BIO* bio)
  */
 long wolfSSL_BIO_set_nbio(WOLFSSL_BIO* bio, long on)
 {
+    int ret = 0;
     #ifndef WOLFSSL_DTLS
     (void)on;
     #endif
@@ -1538,9 +1537,9 @@ long wolfSSL_BIO_set_nbio(WOLFSSL_BIO* bio, long on)
             {
                 int flag = XFCNTL(bio->num, F_GETFL, 0);
                 if (on)
-                    XFCNTL(bio->num, F_SETFL, flag | O_NONBLOCK);
+                    ret = XFCNTL(bio->num, F_SETFL, flag | O_NONBLOCK);
                 else
-                    XFCNTL(bio->num, F_SETFL, flag & ~O_NONBLOCK);
+                    ret = XFCNTL(bio->num, F_SETFL, flag & ~O_NONBLOCK);
             }
         #endif
             break;
@@ -1554,8 +1553,10 @@ long wolfSSL_BIO_set_nbio(WOLFSSL_BIO* bio, long on)
             WOLFSSL_MSG("Unsupported bio type for non blocking");
             break;
     }
-
-    return 1;
+    if (ret != -1)
+        return 1;
+    else
+        return 0;
 }
 
 

src/crl.c

@@ -630,6 +630,7 @@ static CRL_Entry* DupCRL_list(CRL_Entry* crl, void* heap)
                 head = head->next;
                 FreeCRL_Entry(current, heap);
             }
+
             return NULL;
         }
         current = current->next;

src/internal.c

@@ -19234,7 +19234,7 @@ int GetCipherSuiteFromName(const char* name, byte* cipherSuite0,
     int           i;
     unsigned long len;
     const char*   nameDelim;
-    
+
     /* Support trailing : */
     nameDelim = XSTRSTR(name, ":");
     if (nameDelim)
@@ -26971,6 +26971,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
             #ifdef WOLFSSL_EXTRA_ALERTS
                 SendAlert(ssl, alert_fatal, handshake_failure);
             #endif
+                #ifdef HAVE_EXT_CACHE
+                    wolfSSL_SESSION_free(session);
+                #endif
                 return EXT_MASTER_SECRET_NEEDED_E;
             }
         #ifdef HAVE_EXT_CACHE

src/keys.c

@@ -3388,7 +3388,7 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData, int side)
         /* Initialize the AES-GCM/CCM explicit IV to a zero. */
     #ifdef WOLFSSL_DTLS
         if (scr_copy)
-            XMEMCPY(ssl->keys.aead_exp_IV,
+            XMEMMOVE(ssl->keys.aead_exp_IV,
                     keys->aead_exp_IV, AEAD_MAX_EXP_SZ);
     #endif
         XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ);