From bdafc49e29e24c74c5cf7ec90429096cad2e348a Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 26 Oct 2021 16:37:55 -0700 Subject: [PATCH 1/9] Improvement to examples. Add argument support to HTTP server. Improve error when key manager connection fails. Fix `etsi_test` help messages for fingerprint and context string. --- examples/etsi_test/etsi_test.c | 4 +- examples/https/server.c | 70 +++++++++++++++++++++++++++++----- src/mod_etsi.c | 1 + 3 files changed, 63 insertions(+), 12 deletions(-) diff --git a/examples/etsi_test/etsi_test.c b/examples/etsi_test/etsi_test.c index db6dfb5..d62ccd7 100644 --- a/examples/etsi_test/etsi_test.c +++ b/examples/etsi_test/etsi_test.c @@ -219,8 +219,8 @@ static void Usage(void) printf("-A TLS CA Certificate, default %s\n", ETSI_TEST_CLIENT_CA); printf("-K Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default %s)\n", wolfEtsiKeyGetTypeStr(ETSI_TEST_KEY_TYPE)); - printf("-F Fingerprint used for multiple servers (first 80-bit of pkey hash as hex string)\n"); - printf("-C Find key using public key name (hex string)\n"); + printf("-F Fingerprint to find (first 80-bit of pkey hash as hex string)\n"); + printf("-C Unique key name (used for multiple servers)\n"); } int etsi_test(int argc, char** argv) diff --git a/examples/https/server.c b/examples/https/server.c index a32f867..aa215fc 100644 --- a/examples/https/server.c +++ b/examples/https/server.c @@ -26,6 +26,14 @@ #include /* signal */ +#ifndef EX_USAGE +#define EX_USAGE 2 +#endif + +#ifndef EXIT_FAILURE +#define EXIT_FAILURE 1 +#endif + static volatile int mStop = 0; static WKM_SOCKET_T listenFd = WKM_SOCKET_INVALID; 
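Review bot: The fallback `#define EX_USAGE 2` in the server.c `@@ -26,6 +26,14 @@` hunk does not match the value `<sysexits.h>` gives EX_USAGE (64), so the exit status for a usage error depends on whether that header happens to be included before this block; the same fallback is moved into examples/test_config.h by the `@@ -67,6 +68,15 @@` hunk of patch 2, where it affects every example at once. Either include `<sysexits.h>` explicitly where it exists, or use a project-private name (for instance `WOLFKM_EX_USAGE`, a suggested name) so the value is identical in every build. The `#ifndef EXIT_FAILURE` fallback is only ever reached if `<stdlib.h>` is not included, and `exit()` in the next hunk needs that header anyway, so including `<stdlib.h>` makes the second fallback unnecessary.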
@@ -47,6 +55,17 @@ static int etsi_key_cb(EtsiKey* key, void* cbCtx) return ret; } +/* usage help */ +static void Usage(void) +{ + printf("%s %s\n", "https/server", PACKAGE_VERSION); + printf("-? Help, print this usage\n"); + printf("-d Disable ETSI Key Manager loading\n"); + printf("-p Port to listen, default %d\n", HTTPS_TEST_PORT); + printf("-l Log Level (1=Error to 4=Debug), default %d\n", WOLFKM_DEFAULT_LOG_LEVEL); + printf("-h Key Manager URL (default %s)\n", "https://" ETSI_TEST_HOST ":" ETSI_TEST_PORT_STR); +} + int https_server_test(int argc, char** argv) { int ret; @@ -58,21 +77,48 @@ int https_server_test(int argc, char** argv) HttpHeader headers[2]; const char* body = HTTPS_TEST_RESPONSE; SOCKADDR_IN_T clientAddr; + int port = HTTPS_TEST_PORT; + enum log_level_t logLevel = WOLFKM_DEFAULT_LOG_LEVEL; const char* etsiServer = "https://" ETSI_TEST_HOST ":" ETSI_TEST_PORT_STR; + int ch, useKeyMgr = 1; signal(SIGINT, sig_handler); - /* TODO: Support arguments */ - (void)argc; - (void)argv; + /* argument processing */ + while ((ch = getopt(argc, argv, "?p:l:dh:")) != -1) { + switch (ch) { + case '?' : + Usage(); + exit(EX_USAGE); + case 'p' : + port = atoi(optarg); + break; + case 'l' : + logLevel = atoi(optarg); + if (logLevel < WOLFKM_LOG_ERROR || logLevel > WOLFKM_LOG_DEBUG) { + perror("loglevel [1:4] only"); + exit(EX_USAGE); + } + break; + case 'd': + useKeyMgr = 0; + break; + case 'h': + etsiServer = optarg; + break; + default: + Usage(); + exit(EX_USAGE); + } + } - printf("HTTPS Server: Port %d\n", HTTPS_TEST_PORT); + printf("HTTPS Server: Port %d\n", port); wolfSSL_Init(); /* log setup */ /* wolfSSL_Debugging_ON(); */ - wolfKeyMgr_SetLogFile(NULL, 0, WOLFKM_LOG_DEBUG); + wolfKeyMgr_SetLogFile(NULL, 0, logLevel); ctx = wolfTlsServerNew(); if (ctx == NULL) { ret = WOLFKM_BAD_MEMORY; goto exit; } 
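Review bot: `port = atoi(optarg);` in the `'p'` case accepts any string — a non-numeric or out-of-range value yields 0 or a number above 65535 that goes straight to wolfSockListen, and atoi offers no way to detect the error; `-l` is range-checked, so `-p` should be too. The `'l'` case reports its error with `perror("loglevel [1:4] only")`, which appends the text for whatever stale `errno` holds even though no system call failed; `fprintf(stderr, ...)` is the right call there. https_server_test's body starts and ends outside the hunk. The two rewritten cases:
```c
            case 'p' :
                port = atoi(optarg);
                if (port <= 0 || port > 65535) {
                    fprintf(stderr, "port [1:65535] only\n");
                    exit(EX_USAGE);
                }
                break;
            case 'l' :
                logLevel = atoi(optarg);
                if (logLevel < WOLFKM_LOG_ERROR || logLevel > WOLFKM_LOG_DEBUG) {
                    fprintf(stderr, "loglevel [1:4] only\n");
                    exit(EX_USAGE);
                }
                break;
            /* … unchanged: 'd', 'h' and default cases … */
```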
@@ -85,14 +131,18 @@ int https_server_test(int argc, char** argv) if (ret != 0) goto exit; /* setup listener */ - ret = wolfSockListen(&listenFd, HTTPS_TEST_PORT); + ret = wolfSockListen(&listenFd, port); if (ret != 0) goto exit; do { - ret = etsi_client_get_all(etsiServer, etsi_key_cb, ctx); - if (ret != 0) { - mStop = 1; - goto end_sess; + if (useKeyMgr) { + ret = etsi_client_get_all(etsiServer, etsi_key_cb, ctx); + if (ret != 0) { + printf("\nFailure connecting to key manager\n"); + printf("Make sure ./src/wolfkeymgr is running\n"); + mStop = 1; + goto end_sess; + } } ret = wolfTlsAccept(ctx, listenFd, &ssl, &clientAddr, diff --git a/src/mod_etsi.c b/src/mod_etsi.c index b836d00..7ddafe4 100644 --- a/src/mod_etsi.c +++ b/src/mod_etsi.c @@ -87,6 +87,7 @@ int wolfEtsiClientConnect(EtsiClientCtx* client, const char* host, } else { XLOG(WOLFKM_LOG_ERROR, "Failure connecting to ETSI service %d\n", ret); + ret = WOLFKM_BAD_HOST; } wc_UnLockMutex(&client->lock); From 0e85128fa74b2f824356deff24e97aaad5c9634d Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 27 Oct 2021 11:44:35 -0700 Subject: [PATCH 2/9] Improve help on middlebox/decrypt tool. --- examples/etsi_test/etsi_test.c | 8 -------- examples/https/server.c | 15 ++++---------- examples/middlebox/decrypt.c | 37 ++++++++++++++++++++++++++-------- examples/test_config.h | 10 +++++++++ 4 files changed, 43 insertions(+), 27 deletions(-) diff --git a/examples/etsi_test/etsi_test.c b/examples/etsi_test/etsi_test.c index d62ccd7..67bcba1 100644 --- a/examples/etsi_test/etsi_test.c +++ b/examples/etsi_test/etsi_test.c @@ -26,14 +26,6 @@ #define WOLFKM_ETST_CLIENT_DEF_REQUESTS 1 /* per thread */ #define WOLFKM_ETST_CLIENT_DEF_TIMEOUT_SEC 10 -#ifndef EX_USAGE -#define EX_USAGE 2 -#endif - -#ifndef EXIT_FAILURE -#define EXIT_FAILURE 1 -#endif - #define REQ_TYPE_GET 1 #define REQ_TYPE_PUSH 2 #define REQ_TYPE_FIND 3 diff --git a/examples/https/server.c b/examples/https/server.c index aa215fc..0f036e4 100644 
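Review bot: The failure message added after `etsi_client_get_all` fails drops the error code: `printf("\nFailure connecting to key manager\n")` tells the operator nothing about why (name resolution, refused TCP connection, TLS handshake, CA mismatch) while `ret` is right there; `printf("\nFailure connecting to key manager (%d)\n", ret);` keeps the diagnostic. It also bypasses the XLOG facility the other examples use for level-controlled output, so the text cannot be silenced with `-l`. The `-d` path now accepts connections with no key fetched from the key manager, and nothing in the hunk says what the server then uses; a one-line comment at `if (useKeyMgr)` stating that would save the next reader a trip through the TLS setup code. https_server_test continues outside the hunk.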
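Review bot: `ret = WOLFKM_BAD_HOST;` replaces whatever error the connect attempt returned with one generic code, so callers can no longer tell a name-resolution failure from a refused TCP connection or a failed TLS handshake — only the XLOG line above keeps the original value. If the intent is a stable API error for "could not reach the service", say so in a comment above the assignment, `/* collapse transport/TLS errors to WOLFKM_BAD_HOST; original code is logged above */`; otherwise map only the cases that genuinely mean a bad host. wolfEtsiClientConnect starts and ends outside the hunk.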
--- a/examples/https/server.c +++ b/examples/https/server.c @@ -26,14 +26,6 @@ #include /* signal */ -#ifndef EX_USAGE -#define EX_USAGE 2 -#endif - -#ifndef EXIT_FAILURE -#define EXIT_FAILURE 1 -#endif - static volatile int mStop = 0; static WKM_SOCKET_T listenFd = WKM_SOCKET_INVALID; @@ -62,8 +54,9 @@ static void Usage(void) printf("-? Help, print this usage\n"); printf("-d Disable ETSI Key Manager loading\n"); printf("-p Port to listen, default %d\n", HTTPS_TEST_PORT); - printf("-l Log Level (1=Error to 4=Debug), default %d\n", WOLFKM_DEFAULT_LOG_LEVEL); - printf("-h Key Manager URL (default %s)\n", "https://" ETSI_TEST_HOST ":" ETSI_TEST_PORT_STR); + printf("-l Log Level (1=Error to 4=Debug), default %d\n", + WOLFKM_DEFAULT_LOG_LEVEL); + printf("-h Key Manager URL (default %s)\n", ETSI_TEST_URL); } int https_server_test(int argc, char** argv) @@ -79,7 +72,7 @@ int https_server_test(int argc, char** argv) SOCKADDR_IN_T clientAddr; int port = HTTPS_TEST_PORT; enum log_level_t logLevel = WOLFKM_DEFAULT_LOG_LEVEL; - const char* etsiServer = "https://" ETSI_TEST_HOST ":" ETSI_TEST_PORT_STR; + const char* etsiServer = ETSI_TEST_URL; int ch, useKeyMgr = 1; signal(SIGINT, sig_handler); diff --git a/examples/middlebox/decrypt.c b/examples/middlebox/decrypt.c index bbfa0d0..4208f1d 100644 --- a/examples/middlebox/decrypt.c +++ b/examples/middlebox/decrypt.c @@ -48,6 +48,7 @@ #include #endif +#define DEFAULT_SERVER_ADDR_FILTER "127.0.0.1" typedef unsigned char byte; 
@@ -326,6 +327,22 @@ static void TrimNewLine(char* str) str[strSz-1] = '\0'; } +static void Usage(void) +{ + printf("%s %s\n", "decrypt", PACKAGE_VERSION); + printf( "usage: ./decrypt or ./decrypt pcapFile keyServerURL" + " [server] [port] [password]\n"); + printf("-? Help, print this usage\n"); + printf("pcapFile A previously saved pcap file\n"); + printf("keyServerURL Key Manager URL or private key as PEM (default %s)\n", + ETSI_TEST_URL); + printf("server The server’s IP address (v4 or v6) (default %s)\n", + DEFAULT_SERVER_ADDR_FILTER); + printf("port The server port to sniff (default %d)\n", + HTTPS_TEST_PORT); + printf("password Private Key Password if required\n"); +} + int middlebox_decrypt_test(int argc, char** argv) { int ret = 0; @@ -336,7 +353,7 @@ int middlebox_decrypt_test(int argc, char** argv) int frame = ETHER_IF_FRAME_LEN; char err[PCAP_ERRBUF_SIZE]; char filter[32]; - const char *keyFilesSrc = "https://" ETSI_TEST_HOST ":" ETSI_TEST_PORT_STR; + const char *keyFilesSrc = ETSI_TEST_URL; char keyFilesBuf[MAX_FILENAME_SZ]; char keyFilesUser[MAX_FILENAME_SZ]; const char *server = NULL; @@ -347,6 +364,16 @@ int middlebox_decrypt_test(int argc, char** argv) signal(SIGINT, sig_handler); + if (argc == 2 && + (XSTRNCMP(argv[1], "-?", 2) == 0 || + XSTRNCMP(argv[1], "-h", 2) == 0 || + XSTRNCMP(argv[1], "--help", 6) == 0)) + { + /* show usage */ + Usage(); + exit(EX_USAGE); + } + #ifndef _WIN32 ssl_InitSniffer(); /* dll load on Windows */ #endif @@ -524,7 +551,7 @@ int middlebox_decrypt_test(int argc, char** argv) /* defaults for server and port */ port = portDef; - server = "127.0.0.1"; + server = DEFAULT_SERVER_ADDR_FILTER; if (argc >= 3) keyFilesSrc = argv[2]; @@ -554,12 +581,6 @@ int middlebox_decrypt_test(int argc, char** argv) } } } - else { - /* usage error */ - printf( "usage: ./decrypt or ./decrypt dumpFile keyServerURL" - " [server] [port] [password]\n"); - exit(EXIT_FAILURE); - } if (ret != 0) err_sys(err); 
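Review bot: The `server` help line contains a non-ASCII right single quotation mark in `server’s`; on a terminal or locale that is not UTF-8 it prints as garbage, and it is the only non-ASCII byte in the user-visible strings this hunk shows. Use the plain apostrophe: `printf("server The server's IP address (v4 or v6) (default %s)\n",`. The `keyServerURL` line says the argument may be either a key manager URL or a private key in PEM form; a few words on how the two are told apart (presumably by the URL scheme — confirm against the loading code) would make the help self-contained.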
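Review bot: With the usage-error `else` branch removed in the `@@ -554,12 +581,6 @@` hunk, an invocation with exactly one positional argument that is not a help flag (`./decrypt capture.pcap`) no longer fails but, as far as the visible context shows, proceeds with the defaults for keyServerURL, server and port. If that is intended, the usage string in Usage() should mark the argument optional (`[keyServerURL]`); if not, this check should also reject `argc == 2` with a non-help argument. The three XSTRNCMP lengths are hand-counted literals and do prefix matches, so `-hx` is accepted as `-h`; comparing the full string (`strcmp`, or `sizeof "--help" - 1` with an explicit length check) avoids both problems. middlebox_decrypt_test continues outside the hunk.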
diff --git a/examples/test_config.h b/examples/test_config.h index 56bb709..193850a 100644 --- a/examples/test_config.h +++ b/examples/test_config.h @@ -34,6 +34,7 @@ extern "C" { #define ETSI_TEST_PORT_STR "8119" #define ETSI_TEST_TIMEOUT_MS 2 #define ETSI_TEST_KEY_TYPE ETSI_KEY_TYPE_SECP256R1 +#define ETSI_TEST_URL "https://" ETSI_TEST_HOST ":" ETSI_TEST_PORT_STR /* Example certificate and key for mutual authentication to key manager. * See ./certs/test-cert.sh for generation and signing. */ @@ -67,6 +68,15 @@ int etsi_client_find(const char* urlStr, EtsiKey* key, int namedGroup, const by void etsi_client_cleanup(void); +#ifndef EX_USAGE +#define EX_USAGE 2 +#endif + +#ifndef EXIT_FAILURE +#define EXIT_FAILURE 1 +#endif + + #ifdef __cplusplus } #endif From 0a42ade39cbc023de6648b8c3d6501cfb6fbd6d4 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 27 Oct 2021 14:58:13 -0700 Subject: [PATCH 3/9] Fix to use `memmove` for relocation of memory within same buffer. Fixes sanitizer report. --- src/mod_etsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mod_etsi.c b/src/mod_etsi.c index 7ddafe4..abbe985 100644 --- a/src/mod_etsi.c +++ b/src/mod_etsi.c @@ -278,7 +278,7 @@ static int EtsiClientGet(EtsiClientCtx* client, EtsiKey* key, wolfHttpResponsePrint(rsp); /* move payload (body) to response (same buffer) */ - memcpy(key->response, rsp->body, rsp->bodySz); + memmove(key->response, rsp->body, rsp->bodySz); key->responseSz = rsp->bodySz; } else { From c4ca9698458c8e0e4c159226d98ec5123d029200 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 28 Oct 2021 11:35:00 -0700 Subject: [PATCH 4/9] Fixes to support `HAVE_PUBLIC_FFDHE` not defined. --- src/mod_etsi.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/src/mod_etsi.c b/src/mod_etsi.c index abbe985..d4b9ce3 100644 --- a/src/mod_etsi.c +++ b/src/mod_etsi.c 
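Review bot: The memmove is only in-bounds because `rsp->body` points inside `key->response` (the comment says "same buffer") and because `rsp->bodySz` never exceeds the bytes actually received into that buffer; neither invariant is visible in this hunk, and nothing stops the next change from reintroducing memcpy or a larger copy. Spell it out above the call: `/* body aliases key->response (parsed in place); bodySz <= bytes received, so the overlapping move is in-bounds — TODO confirm against the HTTP parser */`. EtsiClientGet starts and ends outside the hunk.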
@@ -622,6 +622,8 @@ static int NamedGroupToDhParams(EtsiKeyType keyType, int ret = 0; const DhParams* params = NULL; word32 privKeySz = 0; + word32 pubKeySz = 0; + #ifdef HAVE_PUBLIC_FFDHE switch (keyType) { #ifdef HAVE_FFDHE_2048 case ETSI_KEY_TYPE_FFDHE_2048: @@ -647,10 +649,17 @@ static int NamedGroupToDhParams(EtsiKeyType keyType, ret = WOLFKM_NOT_COMPILED_IN; break; } + if (params) + pubKeySz = params->p_len; + #else + privKeySz = wc_DhGetNamedKeyMinSize((int)keyType); + ret = wc_DhGetNamedKeyParamSize((int)keyType, &pubKeySz, NULL, NULL); + #endif + if (pParams) *pParams = params; - if (pPubKeySz && params) - *pPubKeySz = params->p_len; + if (pPubKeySz) + *pPubKeySz = pubKeySz; if (pPrivKeySz) *pPrivKeySz = privKeySz; return ret; @@ -837,7 +846,7 @@ static int GenNewKeyDh(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) int ret; DhKey dh; const DhParams* params = NULL; - word32 privKeySz = 0, pubKeySz = 0; + word32 privKeySz = 0, pubKeySz = 0, p_len; byte privKey[MAX_DH_PRIV_SZ]; byte pubKey[MAX_DH_PUB_SZ]; @@ -845,6 +854,7 @@ static int GenNewKeyDh(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) if (ret != 0) { return ret; } + p_len = pubKeySz; ret = wc_InitDhKey(&dh); if (ret != 0) { @@ -853,9 +863,13 @@ static int GenNewKeyDh(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) } /* Set key params */ +#ifdef HAVE_PUBLIC_FFDHE ret = wc_DhSetKey(&dh, params->p, params->p_len, params->g, params->g_len); +#else + ret = wc_DhSetNamedKey(&dh, (int)keyType); +#endif if (ret == 0) { /* Generate a new key pair */ ret = wc_DhGenerateKeyPair(&dh, rng, 
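Review bot: In the new `#else` path of NamedGroupToDhParams, `ret = wc_DhGetNamedKeyParamSize((int)keyType, &pubKeySz, NULL, NULL);` returns a raw wolfCrypt error code, whereas the `#ifdef HAVE_PUBLIC_FFDHE` path returns WOLFKM_NOT_COMPILED_IN, so callers that compare against WOLFKM_* codes see a different error domain depending on the build; map it, `if (ret != 0) ret = WOLFKM_NOT_COMPILED_IN;`, or document the difference at the call site. The two `(int)keyType` casts assume EtsiKeyType values coincide with wolfSSL's named-group identifiers (WC_FFDHE_2048 and friends); that may well hold, but a comment on the cast or a `_Static_assert` on one pair of values would pin it rather than leave it to the reader. `wc_DhGetNamedKeyMinSize` yields 0 for an unknown group and the result is stored in privKeySz without a check. The function starts outside the hunk.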
@@ -863,10 +877,10 @@ static int GenNewKeyDh(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) pubKey, &pubKeySz); } if (ret == 0) { - if (params->p_len != pubKeySz) { + if (p_len != pubKeySz) { /* Zero pad the front of the public key to match prime "p" size */ - memmove(pubKey + params->p_len - pubKeySz, pubKey, pubKeySz); - memset(pubKey, 0, params->p_len - pubKeySz); + memmove(pubKey + p_len - pubKeySz, pubKey, pubKeySz); + memset(pubKey, 0, p_len - pubKeySz); } /* load public and private key info into DkKey */ From 1011e40c68273e2ebcedcfe4aeb77c2b80f864d1 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 28 Oct 2021 13:42:49 -0700 Subject: [PATCH 5/9] Fix HTTPS example server to send shutdown. --- examples/https/server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/https/server.c b/examples/https/server.c index 0f036e4..0f3f03c 100644 --- a/examples/https/server.c +++ b/examples/https/server.c @@ -173,7 +173,7 @@ int https_server_test(int argc, char** argv) /* Done - send TLS shutdown message */ if (ssl) { - (void)wolfTlsClose(ssl, ret == 0 ? 1 : 0); + (void)wolfTlsClose(ssl, ret >= 0 ? 1 : 0); ssl = NULL; } From 997956abfd0c7b702c23b9ee997d36508ead34f1 Mon Sep 17 00:00:00 2001 
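Review bot: `if (p_len != pubKeySz)` pads whenever the two sizes differ, but the arithmetic on the next two lines is only valid when `pubKeySz < p_len`: both are word32, so a generated length larger than the prime size would underflow `p_len - pubKeySz` and memmove past `pubKey`. wc_DhGenerateKeyPair presumably treats pubKeySz as an in/out capacity, which keeps it at or below the value passed in, but that is a property of the callee rather than of this code. Make the direction explicit and fail otherwise: `if (pubKeySz > p_len) { ret = WOLFKM_BAD_ARGS; } else if (pubKeySz < p_len) {` (pick the WOLFKM_* code the file uses for malformed keys). `p_len` is also the only snake_case local in a camelCase function; `primeSz` would read better. GenNewKeyDh continues outside the hunk.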
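Review bot: The reason `ret >= 0` now counts as a clean shutdown is not recorded anywhere in the hunk — presumably a positive `ret` is a byte count from the preceding read or write rather than an error, but a reader has to know that to see why a non-zero value still sends close_notify. A one-line comment above the call, `/* ret > 0 is a byte count, not an error: still send close_notify */`, makes the condition self-explanatory. https_server_test starts and ends outside the hunk.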
From: David Garske Date: Fri, 29 Oct 2021 14:25:16 -0700 Subject: [PATCH 6/9] Fix "ETSI" references to be "ETS" (Enterprise Transport Security)... not ETSI org. Note: This breaks backwards compatibility with API's. --- .gitignore | 2 +- README.md | 54 ++-- ...ETSI-Components.png => ETS-Components.png} | Bin docs/README.md | 20 +- docs/include.am | 2 +- .../etsi_test.c => ets_test/ets_test.c} | 94 +++--- .../etsi_test.h => ets_test/ets_test.h} | 10 +- examples/ets_test/include.am | 10 + examples/etsi_test/include.am | 10 - examples/https/README.md | 2 +- examples/https/server.c | 16 +- examples/include.am | 2 +- examples/middlebox/decrypt.c | 34 +- examples/test_config.c | 98 +++--- examples/test_config.h | 38 +-- src/include.am | 8 +- src/keymanager.c | 72 ++--- src/{mod_etsi.c => mod_ets.c} | 302 +++++++++--------- src/{svc_etsi.c => svc_ets.c} | 222 ++++++------- tests/unit_tests.c | 4 +- wolfkeymgr/keymanager.h | 40 +-- wolfkeymgr/mod_ets.h | 220 +++++++++++++ wolfkeymgr/mod_etsi.h | 220 ------------- wolfkeymgr/{svc_etsi.h => svc_ets.h} | 30 +- 24 files changed, 755 insertions(+), 755 deletions(-) rename docs/{ETSI-Components.png => ETS-Components.png} (100%) rename examples/{etsi_test/etsi_test.c => ets_test/ets_test.c} (80%) rename examples/{etsi_test/etsi_test.h => ets_test/ets_test.h} (85%) create mode 100644 examples/ets_test/include.am delete mode 100644 examples/etsi_test/include.am rename src/{mod_etsi.c => mod_ets.c} (79%) rename src/{svc_etsi.c => svc_ets.c} (74%) create mode 100644 wolfkeymgr/mod_ets.h delete mode 100644 wolfkeymgr/mod_etsi.h rename wolfkeymgr/{svc_etsi.h => svc_ets.h} (56%) diff --git a/.gitignore b/.gitignore index 306ea03..0fa1604 100644 --- a/.gitignore +++ b/.gitignore @@ -40,7 +40,7 @@ diff # applications src/wolfkeymgr examples/middlebox/decrypt -examples/etsi_test/etsi_test +examples/ets_test/ets_test examples/https/client examples/https/server libtool diff --git a/README.md b/README.md index fa34c24..d6f044a 100644 
--- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -# wolf Key Manager +# wolf Key Manager for Enterprise Transport Security (ETS) -This is a secure service for Key management based on ETSI Enterprise Transport Security specification. Provides middle-box decryption of TLS traffic. +This is a secure key management service for providing middle-box decryption of TLS traffic. The library includes examples to demonstrate full passive decryption of an HTTPS server. We also have a demo package for Apache httpd available by request. @@ -23,11 +23,11 @@ Based on: * keymanager.c: The main entry point * sock_mgr.c: The libevent socket manager -* svc_[]: Services exposed (ETSI) -* mod_[]: Modules for support (HTTP, TLS, Socket, ETSI and Vault) +* svc_[]: Services exposed (ETS) +* mod_[]: Modules for support (HTTP, TLS, Socket, ETS and Vault) * wkm_[]: Generic wolf / KeyManager functions -## ETSI Design +## ETS Design Server Side 1) KeyGen (Gen Key) @@ -36,7 +36,7 @@ Server Side 4) Key expiration and notification of new key to peers Client side -1) Encoding ETSI HTTP request +1) Encoding ETS HTTP request 2) Parsing HTTP response 3) Unbundling asymmetric key @@ -106,7 +106,7 @@ installed, then proceed to the next step. ## Examples -The wolf Key Manager includes examples for ETSI client tests, HTTPS server / client and middle-box decryption. +The wolf Key Manager includes examples for ETS client tests, HTTPS server / client and middle-box decryption. All test parameters for these examples are in the `examples/test_config.h`. 
@@ -136,13 +136,13 @@ wolfKeyManager 1.0 To exit the key manager use ctrl+c. -### ETSI Test client +### ETS Test client -This demonstrates secure interactions with the key manager service using the ETSI HTTPS GET/PUT commands for different key types. +This demonstrates secure interactions with the key manager service using the ETS HTTPS GET/PUT commands for different key types. ```sh -$ ./examples/etsi_test/etsi_test -? -etsi_test 1.0 +$ ./examples/ets_test/ets_test -? +ets_test 1.0 -? Help, print this usage -e Error mode, force error response -h Host to connect to, default localhost @@ -150,8 +150,8 @@ etsi_test 1.0 -t Thread pool size (stress test), default 0 -l Log Level (1=Error to 4=Debug), default 4 -r Requests per thread, default 1 --f to store ETSI response --u Use ETSI Push (default is get) +-f to store ETS response +-u Use ETS Push (default is get) -s Timeout seconds (default 10) -k TLS Client TLS Key, default certs/client-key.pem -w TLS Client Key Password, default wolfssl @@ -164,11 +164,11 @@ etsi_test 1.0 This client also support stress testing options: * Use the thread pool "-t" to spin up more threads. -* Use the ETSI test client "-r" to make additional requests per thread. +* Use the ETS test client "-r" to make additional requests per thread. * Use the "-F" argument to get key for specific fingerprint (hex string of hash of public key - first 80 bits / 10 bytes) * Use the "-C" command to include context string (used for multiple servers). -#### ETSI Fingerprint +#### ETS Fingerprint The fingerprint is a SHA-256 hash of the ephemeral public key with the first 80 bits (10 bytes) in big endian format. If the fingerprint is blank the current active key for that TLS group will be returned (assuming it is within the expiration and use count restrictions). 
@@ -176,20 +176,20 @@ The fingerprint is used to lookup an ephemeral key based on public key using the * ECC: Public X and Y hashed with SHA256 (first 10 bytes) * DH: Public key hashed with SHA256 (first 10 bytes) -#### ETSI Context String +#### ETS Context String The context string is used to specify additional information to the key manager to distribute keys for multiple servers. ### HTTP Server / Client -We have included a simple HTTPS server to show getting the static ephemeral key using the ETSI client and key manager. +We have included a simple HTTPS server to show getting the static ephemeral key using the ETS client and key manager. ``` ./examples/https/server HTTPS Server: Port 443 -Jun 15 14:26:54 2021: [INFO] Connected to ETSI service +Jun 15 14:26:54 2021: [INFO] Connected to ETS service Jun 15 14:26:54 2021: [INFO] Sent get request (117 bytes) Jun 15 14:26:54 2021: [DEBUG] HTTP HTTP/1.1 Jun 15 14:26:54 2021: [DEBUG] Code 200: OK @@ -199,8 +199,8 @@ Jun 15 14:26:54 2021: [DEBUG] Connection: : Keep-Alive Jun 15 14:26:54 2021: [DEBUG] Expires: : Tue, 15 Jun 2021 15:26:46 PDT Jun 15 14:26:54 2021: [DEBUG] Content-Length: : 121 Jun 15 14:26:54 2021: [DEBUG] Body Size: 121 -Jun 15 14:26:54 2021: [INFO] Got ETSI response (121 bytes) -Got ETSI static ephemeral key (121 bytes) +Jun 15 14:26:54 2021: [INFO] Got ETS response (121 bytes) +Got ETS static ephemeral key (121 bytes) Jun 15 14:26:54 2021: [INFO] SECP256R1: E24EF332747DF70CD4E5 TLS Accept 127.0.0.1 @@ -215,7 +215,7 @@ Jun 15 14:27:01 2021: [DEBUG] Connection: : keep-alive Jun 15 14:27:01 2021: [DEBUG] Accept-Encoding: : gzip, deflate, br Jun 15 14:27:01 2021: [DEBUG] User-Agent: : Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15 -ETSI Key Cached (valid for 3585 sec) +ETS Key Cached (valid for 3585 sec) ``` ### Middle-Box Decryption of TLS traffic 
@@ -269,9 +269,9 @@ Aug 03 15:05:21 2021: [INFO] Item Count: 0 Aug 03 15:05:21 2021: [INFO] Total Size: 0 Aug 03 15:05:21 2021: [WARN] Generating new SECP256R1 key Aug 03 15:05:21 2021: [INFO] Binding listener :::8119 -Aug 03 15:05:21 2021: [INFO] Setting up new ETSI conn item pool -Aug 03 15:05:21 2021: [INFO] Growing ETSI service conn pool -Aug 03 15:05:21 2021: [INFO] Growing ETSI service conn pool +Aug 03 15:05:21 2021: [INFO] Setting up new ETS conn item pool +Aug 03 15:05:21 2021: [INFO] Growing ETS service conn pool +Aug 03 15:05:21 2021: [INFO] Growing ETS service conn pool Aug 03 15:05:21 2021: [INFO] SECP256R1: E24EF332747DF70CD4E5 Aug 03 15:05:21 2021: [WARN] Vault Auth: Setting up new encryption key Aug 03 15:05:21 2021: [INFO] Next key renewal 3600 seconds @@ -280,7 +280,7 @@ Aug 03 15:05:21 2021: [INFO] Next key renewal 3600 seconds ``` % ./examples/https/server HTTPS Server: Port 443 -Aug 03 15:09:50 2021: [INFO] Connected to ETSI service +Aug 03 15:09:50 2021: [INFO] Connected to ETS service ``` ``` @@ -293,10 +293,10 @@ server = ::1 server = fe80::1 Enter the port to scan [default: 443]: Enter the server key [default: https://localhost:8119]: -Aug 03 15:07:33 2021: [INFO] Connected to ETSI service +Aug 03 15:07:33 2021: [INFO] Connected to ETS service ... -Got ETSI static ephemeral key (121 bytes) +Got ETS static ephemeral key (121 bytes) Aug 03 15:07:33 2021: [INFO] SECP256R1: E24EF332747DF70CD4E5 Loaded key for fe80::1:443 SSL App Data(30:323):GET / HTTP/1.1 diff --git a/docs/ETSI-Components.png b/docs/ETS-Components.png similarity index 100% rename from docs/ETSI-Components.png rename to docs/ETS-Components.png diff --git a/docs/README.md b/docs/README.md index eca7368..4edfa75 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -1,10 +1,10 @@ -# wolf Key Manager ETSI Reference +# wolf Key Manager ETS Reference Based on [ETSI TS 103 523-3 V1.3.1](https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.03.01_60/ts_10352303v010301p.pdf) ## Components -![ETSI Components](ETSI-Components.png) +![ETS Components](ETS-Components.png) * Key Manager (`src/wolfkeymgr`) * Enterprise Transport Security Server (`examples/https/server` or Apache httpd, nginx, etc...) @@ -12,9 +12,9 @@ Based on [ETSI TS 103 523-3 V1.3.1](https://www.etsi.org/deliver/etsi_ts/103500_ * TLS v1.3 client (browser or `examples/https/client`) * Asymmetric Key Package (RFC 5958 - PKCS8) -## ETSI Security +## ETS Security -All communication between consumer and ETSI Key Manager will use TLS v1.3 with mutual authentication. +All communication between consumer and ETS Key Manager will use TLS v1.3 with mutual authentication. The Enterprise Transport Security profile does not provide per-session forward secrecy. Knowledge of a given static private key can be used to decrypt all sessions encrypted with that key, and forward secrecy for all of those sessions begins when all copies of that static private key have been destroyed. 
@@ -22,11 +22,11 @@ Typically an organization will use standard TLS 1.3 to connect with external cli An organization can rotate their keys as frequently as they choose. -The use of X.509 Visibility Information in the TLS server certificate should be used, but is not required for private internal use. The visibility information OID 0.4.0.3523.3.1 provides a public way to indicate the ETSI security profile is being used. +The use of X.509 Visibility Information in the TLS server certificate should be used, but is not required for private internal use. The visibility information OID 0.4.0.3523.3.1 provides a public way to indicate the ETS security profile is being used. -## ETSI (Enterprise Transport Security) +## ETS (Enterprise Transport Security) -### ETSI Request Case (HTTPS GET) +### ETS Request Case (HTTPS GET) `GET /.well-known/enterprise-transport-security/keys?fingerprints=[fingerprints]`, where: @@ -43,7 +43,7 @@ GET /.well-known/enterprise-transport-security/keys?fingerprints=000102030405060 Accept: application/pkcs8, application/cms ``` -### ETSI Request with Groups (key type) +### ETS Request with Groups (key type) `GET /.well-known/enterprise-transport- security/keys?groups=[groups]&certs=[sigalgs]&context=contextstr`, where: @@ -64,7 +64,7 @@ GET /.well-known/enterprise-transport-security/keys?groups=0x0018,0x001d&certs=0 Accept: application/pkcs8 ``` -### ETSI Push (HTTPS PUT) +### ETS Push (HTTPS PUT) The key consumer shall support receiving a key package via an HTTP PUT request to a request-target, given here in origin-form, of: `/enterprise-transport-security/keys` 
@@ -88,7 +88,7 @@ in the Asymmetric Key Package shall have the following fields set as follows: ### Server Certificate Visibility -The ETSI specification part 3 section 4.3.3 requires the TLS server to present a "visibility" information field indicating "Enterprise Transport Security" is being used. +The ETSI ETS specification part 3 section 4.3.3 requires the TLS server to present a "visibility" information field indicating "Enterprise Transport Security" is being used. ``` VisibilityInformation ::= SEQUENCE { diff --git a/docs/include.am b/docs/include.am index 50f8da3..b9b0e6e 100644 --- a/docs/include.am +++ b/docs/include.am @@ -4,4 +4,4 @@ EXTRA_DIST += docs/README.md -EXTRA_DIST += docs/ETSI-Components.png +EXTRA_DIST += docs/ETS-Components.png diff --git a/examples/etsi_test/etsi_test.c b/examples/ets_test/ets_test.c similarity index 80% rename from examples/etsi_test/etsi_test.c rename to examples/ets_test/ets_test.c index 67bcba1..d923db6 100644 --- a/examples/etsi_test/etsi_test.c +++ b/examples/ets_test/ets_test.c @@ -1,4 +1,4 @@ -/* etsi_test.c +/* ets_test.c * * Copyright (C) 2006-2021 wolfSSL Inc. * @@ -19,8 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#include "wolfkeymgr/mod_etsi.h" -#include "examples/etsi_test/etsi_test.h" +#include "wolfkeymgr/mod_ets.h" +#include "examples/ets_test/ets_test.h" #include "examples/test_config.h" #define WOLFKM_ETST_CLIENT_DEF_REQUESTS 1 /* per thread */ @@ -43,13 +43,13 @@ typedef struct WorkThreadInfo { const char* keyPass; const char* clientCertFile; const char* caFile; - EtsiKeyType keyType; + EtsKeyType keyType; } WorkThreadInfo; typedef struct WorkThreadCtx { WorkThreadInfo* info; /* shared */ - EtsiKey key; + EtsKey key; WOLFSSL_CTX* ctx; } WorkThreadCtx; 
@@ -62,7 +62,7 @@ static int DoErrorMode(void) return 0; } -static int keyCb(EtsiClientCtx* client, EtsiKey* key, void* userCtx) +static int keyCb(EtsClientCtx* client, EtsKey* key, void* userCtx) { int ret = 0; WorkThreadCtx* tctx = (WorkThreadCtx*)userCtx; @@ -71,7 +71,7 @@ static int keyCb(EtsiClientCtx* client, EtsiKey* key, void* userCtx) /* test use-case setting static ephemeral key */ if (tctx->ctx) { #ifdef WOLFSSL_STATIC_EPHEMERAL - int keyAlgo = wolfEtsiKeyGetPkType(key); + int keyAlgo = wolfEtsKeyGetPkType(key); ret = wolfSSL_CTX_set_ephemeral_key(tctx->ctx, keyAlgo, (char*)key->response, key->responseSz, @@ -82,7 +82,7 @@ static int keyCb(EtsiClientCtx* client, EtsiKey* key, void* userCtx) #endif } if (ret == 0) { - wolfEtsiKeyPrint(key); + wolfEtsKeyPrint(key); if (info->saveResp != NULL) { wolfSaveFile(info->saveResp, (byte*)key->response, key->responseSz); @@ -97,8 +97,8 @@ static int keyCb(EtsiClientCtx* client, EtsiKey* key, void* userCtx) return ret; /* non-zero will close client */ } -/* ETSI Asymmetric Key Request */ -static int DoKeyRequest(EtsiClientCtx* client, WorkThreadCtx* tctx) +/* ETS Asymmetric Key Request */ +static int DoKeyRequest(EtsClientCtx* client, WorkThreadCtx* tctx) { int ret = WOLFKM_BAD_ARGS; WorkThreadInfo* info = tctx->info; @@ -106,7 +106,7 @@ static int DoKeyRequest(EtsiClientCtx* client, WorkThreadCtx* tctx) /* push: will wait for server to push new keys */ /* get: will ask server for key and return */ if (info->requestType == REQ_TYPE_GET) { - ret = wolfEtsiClientGet(client, &tctx->key, info->keyType, NULL, + ret = wolfEtsClientGet(client, &tctx->key, info->keyType, NULL, info->contextStr, info->timeoutSec); /* positive return means new key returned */ /* zero means, same key is used */ 
@@ -117,18 +117,18 @@ static int DoKeyRequest(EtsiClientCtx* client, WorkThreadCtx* tctx) ret = 0; } else if (ret == 0) { - XLOG(WOLFKM_LOG_INFO, "ETSI Key Cached (valid for %lu sec)\n", + XLOG(WOLFKM_LOG_INFO, "ETS Key Cached (valid for %lu sec)\n", tctx->key.expires - wolfGetCurrentTimeT()); sleep(1); /* wait 1 second */ } } else if (info->requestType == REQ_TYPE_PUSH) { /* blocking call and new keys from server will issue callback */ - ret = wolfEtsiClientPush(client, info->keyType, NULL, NULL, keyCb, tctx); + ret = wolfEtsClientPush(client, info->keyType, NULL, NULL, keyCb, tctx); } else if (info->requestType == REQ_TYPE_FIND) { /* find key from server call and new keys from server will issue callback */ - ret = wolfEtsiClientFind(client, &tctx->key, info->keyType, + ret = wolfEtsClientFind(client, &tctx->key, info->keyType, info->fingerprint, info->contextStr, info->timeoutSec); if (ret > 0) { /* use same "push" callback to test key use / print */ @@ -138,7 +138,7 @@ static int DoKeyRequest(EtsiClientCtx* client, WorkThreadCtx* tctx) } if (ret != 0) { - XLOG(WOLFKM_LOG_INFO, "ETSI Key Request Failed! %d\n", ret); + XLOG(WOLFKM_LOG_INFO, "ETS Key Request Failed! %d\n", ret); } return ret; } 
@@ -151,21 +151,21 @@ static void* DoRequests(void* arg) WorkThreadCtx* tctx = (WorkThreadCtx*)arg; WorkThreadInfo* info = (WorkThreadInfo*)tctx->info; - EtsiClientCtx* client = wolfEtsiClientNew(); + EtsClientCtx* client = wolfEtsClientNew(); if (client == NULL) { - XLOG(WOLFKM_LOG_ERROR, "Error creating ETSI client %d!\n", ret); + XLOG(WOLFKM_LOG_ERROR, "Error creating ETS client %d!\n", ret); return NULL; } - ret = wolfEtsiClientAddCA(client, info->caFile); + ret = wolfEtsClientAddCA(client, info->caFile); if (ret != 0) { - XLOG(WOLFKM_LOG_ERROR, "Error loading ETSI server CA %d!\n", ret); + XLOG(WOLFKM_LOG_ERROR, "Error loading ETS server CA %d!\n", ret); } - ret = wolfEtsiClientSetKey(client, info->keyFile, info->keyPass, + ret = wolfEtsClientSetKey(client, info->keyFile, info->keyPass, info->clientCertFile, WOLFSSL_FILETYPE_PEM); if (ret != 0) { - XLOG(WOLFKM_LOG_ERROR, "Error loading ETSI client key/cert %d!\n", ret); + XLOG(WOLFKM_LOG_ERROR, "Error loading ETS client key/cert %d!\n", ret); } - ret = wolfEtsiClientConnect(client, info->host, info->port, + ret = wolfEtsClientConnect(client, info->host, info->port, info->timeoutSec); if (ret == 0) { /* setup test CTX to demonstrate loading static ephemeral */ @@ -183,7 +183,7 @@ static void* DoRequests(void* arg) tctx->ctx = NULL; } - wolfEtsiClientFree(client); + wolfEtsClientFree(client); return NULL; } 
@@ -193,29 +193,29 @@ static void* DoRequests(void* arg) /* usage help */ static void Usage(void) { - printf("%s %s\n", "etsi_test", PACKAGE_VERSION); + printf("%s %s\n", "ets_test", PACKAGE_VERSION); printf("-? Help, print this usage\n"); printf("-e Error mode, force error response\n"); - printf("-h Host to connect to, default %s\n", ETSI_TEST_HOST); - printf("-p Port to connect to, default %s\n", ETSI_TEST_PORT_STR); + printf("-h Host to connect to, default %s\n", ETS_TEST_HOST); + printf("-p Port to connect to, default %s\n", ETS_TEST_PORT_STR); printf("-t Thread pool size (stress test), default %d\n", 0); printf("-l Log Level (1=Error to 4=Debug), default %d\n", WOLFKM_DEFAULT_LOG_LEVEL); printf("-r Requests per thread, default %d\n", WOLFKM_ETST_CLIENT_DEF_REQUESTS); - printf("-f to store ETSI response\n"); - printf("-u Use ETSI Push (default is get)\n"); + printf("-f to store ETS response\n"); + printf("-u Use ETS Push (default is get)\n"); printf("-s Timeout seconds (default %d)\n", WOLFKM_ETST_CLIENT_DEF_TIMEOUT_SEC); - printf("-k TLS Client TLS Key, default %s\n", ETSI_TEST_CLIENT_KEY); - printf("-w TLS Client Key Password, default %s\n", ETSI_TEST_CLIENT_PASS); - printf("-c TLS Client Certificate, default %s\n", ETSI_TEST_CLIENT_CERT); - printf("-A TLS CA Certificate, default %s\n", ETSI_TEST_CLIENT_CA); + printf("-k TLS Client TLS Key, default %s\n", ETS_TEST_CLIENT_KEY); + printf("-w TLS Client Key Password, default %s\n", ETS_TEST_CLIENT_PASS); + printf("-c TLS Client Certificate, default %s\n", ETS_TEST_CLIENT_CERT); + printf("-A TLS CA Certificate, default %s\n", ETS_TEST_CLIENT_CA); printf("-K Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default %s)\n", - wolfEtsiKeyGetTypeStr(ETSI_TEST_KEY_TYPE)); + wolfEtsKeyGetTypeStr(ETS_TEST_KEY_TYPE)); printf("-F Fingerprint to find (first 80-bit of pkey hash as hex string)\n"); printf("-C Unique key name (used for multiple servers)\n"); } -int etsi_test(int argc, char** argv) +int ets_test(int argc, 
char** argv) { int ch, i; int ret; @@ -226,15 +226,15 @@ int etsi_test(int argc, char** argv) memset(&info, 0, sizeof(info)); info.requests = WOLFKM_ETST_CLIENT_DEF_REQUESTS; - info.host = ETSI_TEST_HOST; + info.host = ETS_TEST_HOST; info.timeoutSec = WOLFKM_ETST_CLIENT_DEF_TIMEOUT_SEC; - info.port = atoi(ETSI_TEST_PORT_STR); - info.keyFile = ETSI_TEST_CLIENT_KEY; - info.keyPass = ETSI_TEST_CLIENT_PASS; - info.clientCertFile = ETSI_TEST_CLIENT_CERT; - info.caFile = ETSI_TEST_CLIENT_CA; + info.port = atoi(ETS_TEST_PORT_STR); + info.keyFile = ETS_TEST_CLIENT_KEY; + info.keyPass = ETS_TEST_CLIENT_PASS; + info.clientCertFile = ETS_TEST_CLIENT_CERT; + info.caFile = ETS_TEST_CLIENT_CA; info.requestType = REQ_TYPE_GET; - info.keyType = ETSI_TEST_KEY_TYPE; + info.keyType = ETS_TEST_KEY_TYPE; /* argument processing */ while ((ch = getopt(argc, argv, "?eh:p:t:l:r:f:gus:k:w:c:A:K:F:C:")) != -1) { @@ -291,11 +291,11 @@ int etsi_test(int argc, char** argv) case 'K': { /* find key type */ - for (i=(int)ETSI_KEY_TYPE_MIN; i<=(int)ETSI_KEY_TYPE_FFDHE_8192; i++) { - const char* keyStr = wolfEtsiKeyGetTypeStr((EtsiKeyType)i); + for (i=(int)ETS_KEY_TYPE_MIN; i<=(int)ETS_KEY_TYPE_FFDHE_8192; i++) { + const char* keyStr = wolfEtsKeyGetTypeStr((EtsKeyType)i); if (keyStr != NULL) { if (strncmp(optarg, keyStr, strlen(keyStr)) == 0) { - info.keyType = (EtsiKeyType)i; + info.keyType = (EtsKeyType)i; break; } } @@ -324,7 +324,7 @@ int etsi_test(int argc, char** argv) if (errorMode) return DoErrorMode(); - wolfEtsiClientInit(); + wolfEtsClientInit(); if (poolSize == 0) { WorkThreadCtx tctx; @@ -369,7 +369,7 @@ int etsi_test(int argc, char** argv) free(tids); free(tctx); } - wolfEtsiClientCleanup(); + wolfEtsClientCleanup(); return 0; } @@ -377,6 +377,6 @@ int etsi_test(int argc, char** argv) #ifndef NO_MAIN_DRIVER int main(int argc, char** argv) { - return etsi_test(argc, argv); + return ets_test(argc, argv); } #endif 
diff --git a/examples/etsi_test/etsi_test.h b/examples/ets_test/ets_test.h similarity index 85% rename from examples/etsi_test/etsi_test.h rename to examples/ets_test/ets_test.h index 4756759..09c9f99 100644 --- a/examples/etsi_test/etsi_test.h +++ b/examples/ets_test/ets_test.h @@ -1,4 +1,4 @@ -/* etsi_test.h +/* ets_test.h * * Copyright (C) 2006-2021 wolfSSL Inc. * @@ -19,11 +19,11 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#ifndef WOLFKM_ETSI_TEST_H -#define WOLFKM_ETSI_TEST_H +#ifndef WOLFKM_ETS_TEST_H +#define WOLFKM_ETS_TEST_H -int etsi_test(int argc, char** argv); +int ets_test(int argc, char** argv); -#endif /* WOLFKM_ETSI_TEST_H */ +#endif /* WOLFKM_ETS_TEST_H */ diff --git a/examples/ets_test/include.am b/examples/ets_test/include.am new file mode 100644 index 0000000..92309e3 --- /dev/null +++ b/examples/ets_test/include.am @@ -0,0 +1,10 @@ +# vim:ft=automake +# included from Top Level Makefile.am +# All paths should be given relative to the root + + +noinst_PROGRAMS += examples/ets_test/ets_test +noinst_HEADERS += examples/ets_test/ets_test.h +examples_ets_test_ets_test_SOURCES = examples/ets_test/ets_test.c +examples_ets_test_ets_test_LDADD = src/libwolfkeymgr.la $(LIB_STATIC_ADD) +examples_ets_test_ets_test_DEPENDENCIES = src/libwolfkeymgr.la diff --git a/examples/etsi_test/include.am b/examples/etsi_test/include.am deleted file mode 100644 index d50dcf9..0000000 --- a/examples/etsi_test/include.am +++ /dev/null @@ -1,10 +0,0 @@ -# vim:ft=automake -# included from Top Level Makefile.am -# All paths should be given relative to the root - - -noinst_PROGRAMS += examples/etsi_test/etsi_test -noinst_HEADERS += examples/etsi_test/etsi_test.h -examples_etsi_test_etsi_test_SOURCES = examples/etsi_test/etsi_test.c -examples_etsi_test_etsi_test_LDADD = src/libwolfkeymgr.la $(LIB_STATIC_ADD) -examples_etsi_test_etsi_test_DEPENDENCIES = src/libwolfkeymgr.la 
diff --git a/examples/https/README.md b/examples/https/README.md index d6f9ff0..06b0347 100644 --- a/examples/https/README.md +++ b/examples/https/README.md @@ -1,6 +1,6 @@ # HTTPS (TLS) Examples -These examples demonstrate a basic HTTPS server and client for testing the ETSI middle-box decryption with the wolf Key Manager tool. +These examples demonstrate a basic HTTPS server and client for testing the ETS middle-box decryption with the wolf Key Manager tool. ## TlS Server diff --git a/examples/https/server.c b/examples/https/server.c index 0f3f03c..fd87c35 100644 --- a/examples/https/server.c +++ b/examples/https/server.c @@ -21,7 +21,7 @@ #include "wolfkeymgr/mod_tls.h" #include "wolfkeymgr/mod_http.h" -#include "wolfkeymgr/mod_etsi.h" +#include "wolfkeymgr/mod_ets.h" #include "examples/test_config.h" #include /* signal */ @@ -37,10 +37,10 @@ static void sig_handler(const int sig) mStop = 1; } -static int etsi_key_cb(EtsiKey* key, void* cbCtx) +static int ets_key_cb(EtsKey* key, void* cbCtx) { WOLFSSL_CTX* ctx = (WOLFSSL_CTX*)cbCtx; - int ret = wolfEtsiKeyLoadCTX(key, ctx); + int ret = wolfEtsKeyLoadCTX(key, ctx); if (ret == NOT_COMPILED_IN) { ret = 0; /* this is okay - if feature is not compiled in */ } @@ -52,11 +52,11 @@ static void Usage(void) { printf("%s %s\n", "https/server", PACKAGE_VERSION); printf("-? Help, print this usage\n"); - printf("-d Disable ETSI Key Manager loading\n"); + printf("-d Disable ETS Key Manager loading\n"); printf("-p Port to listen, default %d\n", HTTPS_TEST_PORT); printf("-l Log Level (1=Error to 4=Debug), default %d\n", WOLFKM_DEFAULT_LOG_LEVEL); - printf("-h Key Manager URL (default %s)\n", ETSI_TEST_URL); + printf("-h Key Manager URL (default %s)\n", ETS_TEST_URL); } int https_server_test(int argc, char** argv) 
@@ -72,7 +72,7 @@ int https_server_test(int argc, char** argv) SOCKADDR_IN_T clientAddr; int port = HTTPS_TEST_PORT; enum log_level_t logLevel = WOLFKM_DEFAULT_LOG_LEVEL; - const char* etsiServer = ETSI_TEST_URL; + const char* etsServer = ETS_TEST_URL; int ch, useKeyMgr = 1; signal(SIGINT, sig_handler); @@ -97,7 +97,7 @@ int https_server_test(int argc, char** argv) useKeyMgr = 0; break; case 'h': - etsiServer = optarg; + etsServer = optarg; break; default: Usage(); @@ -129,7 +129,7 @@ int https_server_test(int argc, char** argv) do { if (useKeyMgr) { - ret = etsi_client_get_all(etsiServer, etsi_key_cb, ctx); + ret = ets_client_get_all(etsServer, ets_key_cb, ctx); if (ret != 0) { printf("\nFailure connecting to key manager\n"); printf("Make sure ./src/wolfkeymgr is running\n"); diff --git a/examples/include.am b/examples/include.am index f576556..a922f4e 100644 --- a/examples/include.am +++ b/examples/include.am @@ -2,7 +2,7 @@ # included from Top Level Makefile.am # All paths should be given relative to the root -include examples/etsi_test/include.am +include examples/ets_test/include.am include examples/middlebox/include.am include examples/https/include.am diff --git a/examples/middlebox/decrypt.c b/examples/middlebox/decrypt.c index 4208f1d..8f0967a 100644 --- a/examples/middlebox/decrypt.c +++ b/examples/middlebox/decrypt.c @@ -19,9 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -/* Support for ETSI Key Manager Middle-box Decryption */ +/* Support for ETS Key Manager Middle-box Decryption */ -#include "wolfkeymgr/mod_etsi.h" +#include "wolfkeymgr/mod_ets.h" #include "examples/middlebox/decrypt.h" #include "examples/test_config.h" 
@@ -71,19 +71,19 @@ static int myKeyCb(void* vSniffer, int namedGroup, { int ret; int keyType; - EtsiKey* key = NULL; + EtsKey* key = NULL; #ifdef HAVE_ECC - static EtsiKey keyEcc; + static EtsKey keyEcc; #endif #ifndef NO_DH - static EtsiKey keyDh; + static EtsKey keyDh; #endif #ifdef HAVE_CURVE25519 - static EtsiKey keyX25519; + static EtsKey keyX25519; #endif /* lookup based on key type */ - keyType = wolfEtsiGetPkType(namedGroup); + keyType = wolfEtsGetPkType(namedGroup); switch (keyType) { case WC_PK_TYPE_ECDH: #ifdef HAVE_ECC @@ -111,11 +111,11 @@ static int myKeyCb(void* vSniffer, int namedGroup, return 0; /* return, but do not fail */ } - ret = etsi_client_find(NULL, key, namedGroup, srvPub, srvPubSz); + ret = ets_client_find(NULL, key, namedGroup, srvPub, srvPubSz); if (ret >= 0) { byte* keyBuf = NULL; word32 keySz = 0; - wolfEtsiKeyGetPtr(key, &keyBuf, &keySz); + wolfEtsKeyGetPtr(key, &keyBuf, &keySz); if (privKey->length <= keySz) { memcpy(privKey->buffer, keyBuf, keySz); @@ -233,14 +233,14 @@ typedef struct { int port; } LoadKeyInfo_t; -static int etsi_key_cb(EtsiKey* key, void* cbCtx) +static int ets_key_cb(EtsKey* key, void* cbCtx) { int ret; byte* keyBuf = NULL; word32 keySz = 0; LoadKeyInfo_t* info = (LoadKeyInfo_t*)cbCtx; - wolfEtsiKeyGetPtr(key, &keyBuf, &keySz); + wolfEtsKeyGetPtr(key, &keyBuf, &keySz); #ifdef HAVE_SNI ret = ssl_SetNamedEphemeralKeyBuffer(info->name, info->server, info->port, (char*)keyBuf, keySz, FILETYPE_DER, info->passwd, info->err); @@ -252,7 +252,7 @@ static int etsi_key_cb(EtsiKey* key, void* cbCtx) if (ret != 0) { /* log error, but do not fail */ fprintf(stderr, "Error loading private key %s: ret %d\n", - wolfEtsiKeyGetTypeStr(key->type), ret); + wolfEtsKeyGetTypeStr(key->type), ret); ret = 0; /* this is okay */ } return ret; 
@@ -280,9 +280,9 @@ static int load_key(const char* name, const char* server, int port, info.passwd = passwd; info.err = err; /* setup connection */ - ret = etsi_client_get_all(keyFile, etsi_key_cb, &info); + ret = ets_client_get_all(keyFile, ets_key_cb, &info); if (ret < 0) { - fprintf(stderr, "Error connecting to ETSI server: %s\n", keyFile); + fprintf(stderr, "Error connecting to ETS server: %s\n", keyFile); } } else { @@ -335,7 +335,7 @@ static void Usage(void) printf("-? Help, print this usage\n"); printf("pcapFile A previously saved pcap file\n"); printf("keyServerURL Key Manager URL or private key as PEM (default %s)\n", - ETSI_TEST_URL); + ETS_TEST_URL); printf("server The server’s IP address (v4 or v6) (default %s)\n", DEFAULT_SERVER_ADDR_FILTER); printf("port The server port to sniff (default %d)\n", @@ -353,7 +353,7 @@ int middlebox_decrypt_test(int argc, char** argv) int frame = ETHER_IF_FRAME_LEN; char err[PCAP_ERRBUF_SIZE]; char filter[32]; - const char *keyFilesSrc = ETSI_TEST_URL; + const char *keyFilesSrc = ETS_TEST_URL; char keyFilesBuf[MAX_FILENAME_SZ]; char keyFilesUser[MAX_FILENAME_SZ]; const char *server = NULL; @@ -492,7 +492,7 @@ int middlebox_decrypt_test(int argc, char** argv) fprintf(stderr, "pcap_setfilter failed %s\n", pcap_geterr(gPcap)); } - /* specify the key file or URL for ETSI key manager */ + /* specify the key file or URL for ETS key manager */ printf("Enter the server key [default: %s]: ", keyFilesSrc); memset(keyFilesBuf, 0, sizeof(keyFilesBuf)); memset(keyFilesUser, 0, sizeof(keyFilesUser)); diff --git a/examples/test_config.c b/examples/test_config.c index 2977863..9d83244 100644 --- a/examples/test_config.c +++ b/examples/test_config.c 
@@ -21,25 +21,25 @@ #include "examples/test_config.h" -static EtsiClientCtx* gEtsiClient = NULL; +static EtsClientCtx* gEtsClient = NULL; -/* ETSI Client Helpers */ -int etsi_client_connect(const char* urlStr) +/* ETS Client Helpers */ +int ets_client_connect(const char* urlStr) { int ret = 0; static char urlStrCopy[HTTP_MAX_URI]; static HttpUrl url; /* setup key manager connection */ - if (gEtsiClient == NULL) { - wolfEtsiClientInit(); + if (gEtsClient == NULL) { + wolfEtsClientInit(); - gEtsiClient = wolfEtsiClientNew(); - if (gEtsiClient) { - wolfEtsiClientAddCA(gEtsiClient, ETSI_TEST_CLIENT_CA); - wolfEtsiClientSetKey(gEtsiClient, - ETSI_TEST_CLIENT_KEY, ETSI_TEST_CLIENT_PASS, - ETSI_TEST_CLIENT_CERT, WOLFSSL_FILETYPE_PEM); + gEtsClient = wolfEtsClientNew(); + if (gEtsClient) { + wolfEtsClientAddCA(gEtsClient, ETS_TEST_CLIENT_CA); + wolfEtsClientSetKey(gEtsClient, + ETS_TEST_CLIENT_KEY, ETS_TEST_CLIENT_PASS, + ETS_TEST_CLIENT_CERT, WOLFSSL_FILETYPE_PEM); if (urlStr) { strncpy(urlStrCopy, urlStr, (HTTP_MAX_URI - 1)); @@ -47,11 +47,11 @@ int etsi_client_connect(const char* urlStr) wolfHttpUrlDecode(&url, urlStrCopy); } - ret = wolfEtsiClientConnect(gEtsiClient, url.domain, url.port, - ETSI_TEST_TIMEOUT_MS); + ret = wolfEtsClientConnect(gEtsClient, url.domain, url.port, + ETS_TEST_TIMEOUT_MS); if (ret != 0) { - printf("Error connecting to ETSI server %s! %d\n", urlStr, ret); - etsi_client_cleanup(); + printf("Error connecting to ETS server %s! %d\n", urlStr, ret); + ets_client_cleanup(); } } else { 
@@ -61,60 +61,60 @@ int etsi_client_connect(const char* urlStr) return ret; } -int etsi_client_get(const char* urlStr, EtsiKey* key, int keyType) +int ets_client_get(const char* urlStr, EtsKey* key, int keyType) { int ret; - const char* keyStr = wolfEtsiKeyGetTypeStr(keyType); + const char* keyStr = wolfEtsKeyGetTypeStr(keyType); if (keyStr == NULL) { return WOLFKM_NOT_COMPILED_IN; } - ret = etsi_client_connect(urlStr); + ret = ets_client_connect(urlStr); if (ret == 0 && key != NULL) { /* Get and set a static ephemeral for each supported key type */ - ret = wolfEtsiClientGet(gEtsiClient, key, keyType, NULL, NULL, - ETSI_TEST_TIMEOUT_MS); + ret = wolfEtsClientGet(gEtsClient, key, keyType, NULL, NULL, + ETS_TEST_TIMEOUT_MS); /* negative means error */ if (ret < 0) { - printf("Error getting ETSI %s static ephemeral key! %d\n", keyStr, ret); - etsi_client_cleanup(); + printf("Error getting ETS %s static ephemeral key! %d\n", keyStr, ret); + ets_client_cleanup(); } /* positive return means new key returned */ else if (ret > 0) { - printf("Got ETSI %s static ephemeral key (%d bytes)\n", keyStr, key->responseSz); - wolfEtsiKeyPrint(key); + printf("Got ETS %s static ephemeral key (%d bytes)\n", keyStr, key->responseSz); + wolfEtsKeyPrint(key); } /* zero means, same key is used - key has not changed */ else { - printf("ETSI %s Key Cached (valid for %lu sec)\n", + printf("ETS %s Key Cached (valid for %lu sec)\n", keyStr, key->expires - wolfGetCurrentTimeT()); } } return ret; } -int etsi_client_get_all(const char* urlStr, etsi_client_key_cb cb, +int ets_client_get_all(const char* urlStr, ets_client_key_cb cb, void* cbCtx) { int ret = WOLFKM_NOT_COMPILED_IN; #ifdef HAVE_ECC - static EtsiKey keyEcc; + static EtsKey keyEcc; #endif #ifndef NO_DH - static EtsiKey keyDh; + static EtsKey keyDh; #endif #ifdef HAVE_CURVE25519 - static EtsiKey keyX25519; + static EtsKey keyX25519; #endif #ifdef HAVE_CURVE448 - static EtsiKey keyX448; + static EtsKey keyX448; #endif /* Get static 
ephemeral for each supported key type */ #ifdef HAVE_ECC if (ret == 0 || ret == WOLFKM_NOT_COMPILED_IN) { - ret = etsi_client_get(urlStr, &keyEcc, ETSI_KEY_TYPE_SECP256R1); + ret = ets_client_get(urlStr, &keyEcc, ETS_KEY_TYPE_SECP256R1); if (ret >= 0 && cb != NULL) { ret = cb(&keyEcc, cbCtx); } @@ -122,7 +122,7 @@ int etsi_client_get_all(const char* urlStr, etsi_client_key_cb cb, #endif #ifndef NO_DH if (ret == 0 || ret == WOLFKM_NOT_COMPILED_IN) { - ret = etsi_client_get(urlStr, &keyDh, ETSI_KEY_TYPE_FFDHE_2048); + ret = ets_client_get(urlStr, &keyDh, ETS_KEY_TYPE_FFDHE_2048); if (ret >= 0 && cb != NULL) { ret = cb(&keyDh, cbCtx); } @@ -130,7 +130,7 @@ int etsi_client_get_all(const char* urlStr, etsi_client_key_cb cb, #endif #ifdef HAVE_CURVE25519 if (ret == 0 || ret == WOLFKM_NOT_COMPILED_IN) { - ret = etsi_client_get(urlStr, &keyX25519, ETSI_KEY_TYPE_X25519); + ret = ets_client_get(urlStr, &keyX25519, ETS_KEY_TYPE_X25519); if (ret >= 0 && cb != NULL) { ret = cb(&keyX25519, cbCtx); } @@ -138,7 +138,7 @@ int etsi_client_get_all(const char* urlStr, etsi_client_key_cb cb, #endif #ifdef HAVE_CURVE448 if (ret == 0 || ret == WOLFKM_NOT_COMPILED_IN) { - ret = etsi_client_get(urlStr, &keyX448, ETSI_KEY_TYPE_X448); + ret = ets_client_get(urlStr, &keyX448, ETS_KEY_TYPE_X448); if (ret >= 0 && cb != NULL) { ret = cb(&keyX448, cbCtx); } @@ -151,7 +151,7 @@ int etsi_client_get_all(const char* urlStr, etsi_client_key_cb cb, return ret; } -int etsi_client_find(const char* urlStr, EtsiKey* key, int namedGroup, +int ets_client_find(const char* urlStr, EtsKey* key, int namedGroup, const byte* pub, word32 pubSz) { int ret; 
@@ -159,36 +159,36 @@ int etsi_client_find(const char* urlStr, EtsiKey* key, int namedGroup, if (key == NULL) return BAD_FUNC_ARG; - ret = etsi_client_connect(urlStr); + ret = ets_client_connect(urlStr); if (ret == 0) { - char fpStr[ETSI_MAX_FINGERPRINT_STR]; + char fpStr[ETS_MAX_FINGERPRINT_STR]; word32 fpStrSz = (word32)sizeof(fpStr); - ret = wolfEtsiCalcTlsFingerprint((EtsiKeyType)namedGroup, pub, pubSz, + ret = wolfEtsCalcTlsFingerprint((EtsKeyType)namedGroup, pub, pubSz, fpStr, &fpStrSz); if (ret == 0) { - ret = wolfEtsiClientFind(gEtsiClient, key, namedGroup, fpStr, - NULL, ETSI_TEST_TIMEOUT_MS); + ret = wolfEtsClientFind(gEtsClient, key, namedGroup, fpStr, + NULL, ETS_TEST_TIMEOUT_MS); } if (ret < 0) { - printf("Error finding ETSI static ephemeral key! %d\n", ret); - etsi_client_cleanup(); + printf("Error finding ETS static ephemeral key! %d\n", ret); + ets_client_cleanup(); } else { - printf("Found ETSI static ephemeral key (%d bytes)\n", + printf("Found ETS static ephemeral key (%d bytes)\n", key->responseSz); - wolfEtsiKeyPrint(key); + wolfEtsKeyPrint(key); } } return ret; } -void etsi_client_cleanup(void) +void ets_client_cleanup(void) { - if (gEtsiClient) { - wolfEtsiClientFree(gEtsiClient); - gEtsiClient = NULL; + if (gEtsClient) { + wolfEtsClientFree(gEtsClient); + gEtsClient = NULL; - wolfEtsiClientCleanup(); + wolfEtsClientCleanup(); } } diff --git a/examples/test_config.h b/examples/test_config.h index 193850a..1480a94 100644 --- a/examples/test_config.h +++ b/examples/test_config.h 
@@ -22,26 +22,26 @@ #ifndef WKM_TEST_CONFIG_G #define WKM_TEST_CONFIG_G -#include "wolfkeymgr/mod_etsi.h" +#include "wolfkeymgr/mod_ets.h" #ifdef __cplusplus extern "C" { #endif -/* ETSI client testing configuration */ -#define ETSI_TEST_HOST "localhost" -#define ETSI_TEST_PORT 8119 -#define ETSI_TEST_PORT_STR "8119" -#define ETSI_TEST_TIMEOUT_MS 2 -#define ETSI_TEST_KEY_TYPE ETSI_KEY_TYPE_SECP256R1 -#define ETSI_TEST_URL "https://" ETSI_TEST_HOST ":" ETSI_TEST_PORT_STR +/* ETS client testing configuration */ +#define ETS_TEST_HOST "localhost" +#define ETS_TEST_PORT 8119 +#define ETS_TEST_PORT_STR "8119" +#define ETS_TEST_TIMEOUT_MS 2 +#define ETS_TEST_KEY_TYPE ETS_KEY_TYPE_SECP256R1 +#define ETS_TEST_URL "https://" ETS_TEST_HOST ":" ETS_TEST_PORT_STR /* Example certificate and key for mutual authentication to key manager. * See ./certs/test-cert.sh for generation and signing. */ -#define ETSI_TEST_CLIENT_CA "certs/ca-cert.pem" -#define ETSI_TEST_CLIENT_KEY "certs/client-key.pem" -#define ETSI_TEST_CLIENT_PASS "wolfssl" -#define ETSI_TEST_CLIENT_CERT "certs/client-cert.pem" +#define ETS_TEST_CLIENT_CA "certs/ca-cert.pem" +#define ETS_TEST_CLIENT_KEY "certs/client-key.pem" +#define ETS_TEST_CLIENT_PASS "wolfssl" +#define ETS_TEST_CLIENT_CERT "certs/client-cert.pem" /* HTTPS testing configuration */ #define HTTPS_TEST_HOST "localhost" @@ -59,13 +59,13 @@ extern "C" { #define HTTPS_TEST_REQUEST "/index.html" #define HTTPS_TEST_RESPONSE "

It works!

" -/* ETSI Client Helper Functions */ -typedef int (*etsi_client_key_cb)(EtsiKey* key, void* cbCtx); -int etsi_client_connect(const char* urlStr); -int etsi_client_get(const char* urlStr, EtsiKey* key, int keyType); -int etsi_client_get_all(const char* urlStr, etsi_client_key_cb cb, void* cbCtx); -int etsi_client_find(const char* urlStr, EtsiKey* key, int namedGroup, const byte* pub, word32 pubSz); -void etsi_client_cleanup(void); +/* ETS Client Helper Functions */ +typedef int (*ets_client_key_cb)(EtsKey* key, void* cbCtx); +int ets_client_connect(const char* urlStr); +int ets_client_get(const char* urlStr, EtsKey* key, int keyType); +int ets_client_get_all(const char* urlStr, ets_client_key_cb cb, void* cbCtx); +int ets_client_find(const char* urlStr, EtsKey* key, int namedGroup, const byte* pub, word32 pubSz); +void ets_client_cleanup(void); #ifndef EX_USAGE diff --git a/src/include.am b/src/include.am index da1c6ca..1d37995 100644 --- a/src/include.am +++ b/src/include.am @@ -4,14 +4,14 @@ lib_LTLIBRARIES += src/libwolfkeymgr.la -src_libwolfkeymgr_la_SOURCES = src/mod_http.c src/mod_etsi.c src/mod_socket.c src/mod_tls.c src/mod_vault.c src/wkm_utils.c +src_libwolfkeymgr_la_SOURCES = src/mod_http.c src/mod_ets.c src/mod_socket.c src/mod_tls.c src/mod_vault.c src/wkm_utils.c src_libwolfkeymgr_la_CFLAGS = -DBUILDING_WKM $(AM_CFLAGS) src_libwolfkeymgr_la_CPPFLAGS = -DBUILDING_WKM $(AM_CPPFLAGS) src_libwolfkeymgr_la_LDFLAGS = ${AM_LDFLAGS} -no-undefined -version-info ${WOLFKM_LIBRARY_VERSION} bin_PROGRAMS += src/wolfkeymgr -src_wolfkeymgr_SOURCES = src/keymanager.c src/sock_mgr.c src/svc_etsi.c +src_wolfkeymgr_SOURCES = src/keymanager.c src/sock_mgr.c src/svc_ets.c src_wolfkeymgr_CFLAGS = src_wolfkeymgr_LDFLAGS = -Lsrc src_wolfkeymgr_LDADD = src/libwolfkeymgr.la $(LTLIBEVENT) $(LIB_STATIC_ADD) 
@@ -19,9 +19,9 @@ src_wolfkeymgr_DEPENDENCIES = src/libwolfkeymgr.la noinst_HEADERS += wolfkeymgr/keymanager.h \ wolfkeymgr/sock_mgr.h \ - wolfkeymgr/svc_etsi.h + wolfkeymgr/svc_ets.h -nobase_include_HEADERS += wolfkeymgr/mod_etsi.h \ +nobase_include_HEADERS += wolfkeymgr/mod_ets.h \ wolfkeymgr/mod_http.h \ wolfkeymgr/mod_socket.h \ wolfkeymgr/mod_tls.h \ diff --git a/src/keymanager.c b/src/keymanager.c index a630dea..c612b4f 100644 --- a/src/keymanager.c +++ b/src/keymanager.c @@ -32,7 +32,7 @@ static void Usage(void) printf("-i Do not chdir / in daemon mode\n"); printf("-b Daemon mode, run in background\n"); printf("-p Pid File name, default %s\n", WOLFKM_DEFAULT_PID); - printf("-P Listener port, default %s\n", WOLFKM_ETSISVC_PORT); + printf("-P Listener port, default %s\n", WOLFKM_ETSSVC_PORT); printf("-l Log Level (1=Error to 4=Debug), default %d\n", WOLFKM_DEFAULT_LOG_LEVEL); printf("-f Log file name, default %s\n", WOLFKM_DEFAULT_LOG_NAME ? WOLFKM_DEFAULT_LOG_NAME : "None"); 
@@ -42,13 +42,13 @@ static void Usage(void) printf("-u Key renewal max use count, default %d\n", WOLFKM_KEY_RENEW_MAX_USES); printf("-t Thread pool size, default %ld\n", sysconf(_SC_NPROCESSORS_CONF)); - printf("-k TLS Server TLS Key, default %s\n", WOLFKM_ETSISVC_KEY); - printf("-w TLS Server Key Password, default %s\n", WOLFKM_ETSISVC_KEY_PASSWORD); - printf("-c TLS Server Certificate, default %s\n", WOLFKM_ETSISVC_CERT); - printf("-A TLS CA Certificate, default %s\n", WOLFKM_ETSISVC_CA); + printf("-k TLS Server TLS Key, default %s\n", WOLFKM_ETSSVC_KEY); + printf("-w TLS Server Key Password, default %s\n", WOLFKM_ETSSVC_KEY_PASSWORD); + printf("-c TLS Server Certificate, default %s\n", WOLFKM_ETSSVC_CERT); + printf("-A TLS CA Certificate, default %s\n", WOLFKM_ETSSVC_CA); printf("-K Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default %s)\n", - wolfEtsiKeyGetTypeStr(WOLFKM_ETSISVC_DEF_KEY_TYPE)); - printf("-v Vault file for key storage, default %s\n", WOLFKM_ETSISVC_VAULT); + wolfEtsKeyGetTypeStr(WOLFKM_ETSSVC_DEF_KEY_TYPE)); + printf("-v Vault file for key storage, default %s\n", WOLFKM_ETSSVC_VAULT); } static int wolfKeyMgr_AddSigHandler(struct event_base* mainBase, 
@@ -74,19 +74,19 @@ int main(int argc, char** argv) char* pidName = WOLFKM_DEFAULT_PID; struct event_base* mainBase = NULL; /* main thread's base */ FILE* pidF = 0; - SvcInfo* etsiSvc = NULL; + SvcInfo* etsSvc = NULL; word32 timeoutSec = WOLFKM_DEFAULT_TIMEOUT; - const char* serverKey = WOLFKM_ETSISVC_KEY; - const char* serverKeyPass = WOLFKM_ETSISVC_KEY_PASSWORD; - const char* serverCert = WOLFKM_ETSISVC_CERT; - const char* caCert = WOLFKM_ETSISVC_CA; + const char* serverKey = WOLFKM_ETSSVC_KEY; + const char* serverKeyPass = WOLFKM_ETSSVC_KEY_PASSWORD; + const char* serverCert = WOLFKM_ETSSVC_CERT; + const char* caCert = WOLFKM_ETSSVC_CA; SignalArg sigArgInt, sigArgTerm; - const char* vaultFile = WOLFKM_ETSISVC_VAULT; - const char* listenPort = WOLFKM_ETSISVC_PORT; - EtsiSvcConfig config; + const char* vaultFile = WOLFKM_ETSSVC_VAULT; + const char* listenPort = WOLFKM_ETSSVC_PORT; + EtsSvcConfig config; memset(&config, 0, sizeof(config)); - config.keyTypeDef = WOLFKM_ETSISVC_DEF_KEY_TYPE; + config.keyTypeDef = WOLFKM_ETSSVC_DEF_KEY_TYPE; config.renewSec = WOLFKM_KEY_RENEW_TIMEOUT; config.maxUseCount = WOLFKM_KEY_RENEW_MAX_USES; @@ -170,11 +170,11 @@ int main(int argc, char** argv) { /* find key type */ int i; - for (i=(int)ETSI_KEY_TYPE_MIN; i<=(int)ETSI_KEY_TYPE_FFDHE_8192; i++) { - const char* keyStr = wolfEtsiKeyGetTypeStr((EtsiKeyType)i); + for (i=(int)ETS_KEY_TYPE_MIN; i<=(int)ETS_KEY_TYPE_FFDHE_8192; i++) { + const char* keyStr = wolfEtsKeyGetTypeStr((EtsKeyType)i); if (keyStr != NULL) { if (strncmp(optarg, keyStr, strlen(keyStr)) == 0) { - config.keyTypeDef = (EtsiKeyType)i; + config.keyTypeDef = (EtsKeyType)i; break; } } 
@@ -254,47 +254,47 @@ int main(int argc, char** argv) /* set max files */ wolfKeyMgr_SetMaxFiles(maxFiles); - /********** ETSI Service **********/ - etsiSvc = wolfEtsiSvc_Init(&config); - if (etsiSvc) { + /********** ETS Service **********/ + etsSvc = wolfEtsSvc_Init(&config); + if (etsSvc) { /* set socket timeout */ - wolfKeyMgr_SetTimeout(etsiSvc, timeoutSec); + wolfKeyMgr_SetTimeout(etsSvc, timeoutSec); - ret = wolfKeyMgr_LoadCAFile(etsiSvc, caCert, WOLFSSL_FILETYPE_PEM); + ret = wolfKeyMgr_LoadCAFile(etsSvc, caCert, WOLFSSL_FILETYPE_PEM); if (ret != 0) { - XLOG(WOLFKM_LOG_ERROR, "Error %d loading ETSI TLS CA cert\n", ret); + XLOG(WOLFKM_LOG_ERROR, "Error %d loading ETS TLS CA cert\n", ret); goto exit; } - ret = wolfKeyMgr_LoadKeyFile(etsiSvc, serverKey, + ret = wolfKeyMgr_LoadKeyFile(etsSvc, serverKey, WOLFSSL_FILETYPE_PEM, serverKeyPass); if (ret != 0) { - XLOG(WOLFKM_LOG_ERROR, "Error %d loading ETSI TLS key\n", ret); + XLOG(WOLFKM_LOG_ERROR, "Error %d loading ETS TLS key\n", ret); goto exit; } - ret = wolfKeyMgr_LoadCertFile(etsiSvc, serverCert, + ret = wolfKeyMgr_LoadCertFile(etsSvc, serverCert, WOLFSSL_FILETYPE_PEM); if (ret != 0) { - XLOG(WOLFKM_LOG_ERROR, "Error %d loading ETSI TLS certificate\n", ret); + XLOG(WOLFKM_LOG_ERROR, "Error %d loading ETS TLS certificate\n", ret); goto exit; } /* open vault and use server key for encryption */ - ret = wolfEtsiSvc_SetVaultFile(etsiSvc, vaultFile); + ret = wolfEtsSvc_SetVaultFile(etsSvc, vaultFile); if (ret != 0) { XLOG(WOLFKM_LOG_ERROR, "Error opening vault: %d\n", ret); goto exit; } - wolfEtsiSvc_Start(etsiSvc, mainBase, listenPort); + wolfEtsSvc_Start(etsSvc, mainBase, listenPort); /* thread setup - cleanup handled in sigint handler */ - wolfKeyMgr_ServiceInit(etsiSvc, poolSize); + wolfKeyMgr_ServiceInit(etsSvc, poolSize); } - sigArgInt.svc[0] = etsiSvc; - sigArgTerm.svc[0] = etsiSvc; + sigArgInt.svc[0] = etsSvc; + sigArgTerm.svc[0] = etsSvc; ret = wolfKeyMgr_AddSigHandler(mainBase, &sigArgInt, SIGINT); if 
(ret == 0) { @@ -311,7 +311,7 @@ int main(int argc, char** argv) /* we're done with loop */ ret = EXIT_SUCCESS; XLOG(WOLFKM_LOG_INFO, "Done with main thread dispatching\n"); - wolfKeyMgr_ShowStats(etsiSvc); + wolfKeyMgr_ShowStats(etsSvc); exit: /* Cleanup pid file */ @@ -322,7 +322,7 @@ int main(int argc, char** argv) wolfKeyMgr_FreeListeners(); - wolfEtsiSvc_Cleanup(etsiSvc); + wolfEtsSvc_Cleanup(etsSvc); if (sigArgInt.ev) event_del(sigArgInt.ev); if (sigArgTerm.ev) event_del(sigArgTerm.ev); if (mainBase) event_base_free(mainBase); diff --git a/src/mod_etsi.c b/src/mod_ets.c similarity index 79% rename from src/mod_etsi.c rename to src/mod_ets.c index d4b9ce3..d653c28 100644 --- a/src/mod_etsi.c +++ b/src/mod_ets.c @@ -1,4 +1,4 @@ -/* mod_etsi.c +/* mod_ets.c * * Copyright (C) 2006-2021 wolfSSL Inc. * @@ -19,21 +19,21 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#include "wolfkeymgr/mod_etsi.h" +#include "wolfkeymgr/mod_ets.h" #include -struct EtsiClientCtx { +struct EtsClientCtx { WOLFSSL_CTX* sslCtx; WOLFSSL* ssl; wolfSSL_Mutex lock; }; -EtsiClientCtx* wolfEtsiClientNew(void) +EtsClientCtx* wolfEtsClientNew(void) { - EtsiClientCtx* client = (EtsiClientCtx*)malloc(sizeof(EtsiClientCtx)); + EtsClientCtx* client = (EtsClientCtx*)malloc(sizeof(EtsClientCtx)); if (client) { - memset(client, 0, sizeof(EtsiClientCtx)); + memset(client, 0, sizeof(EtsClientCtx)); wc_InitMutex(&client->lock); client->sslCtx = wolfTlsClientNew(); if (client->sslCtx == NULL) { @@ -45,7 +45,7 @@ EtsiClientCtx* wolfEtsiClientNew(void) return client; } -int wolfEtsiClientSetKey(EtsiClientCtx* client, const char* keyFile, +int wolfEtsClientSetKey(EtsClientCtx* client, const char* keyFile, const char* keyPassword, const char* certFile, int fileType) { int ret; 
@@ -58,7 +58,7 @@ int wolfEtsiClientSetKey(EtsiClientCtx* client, const char* keyFile, return ret; } -int wolfEtsiClientAddCA(EtsiClientCtx* client, const char* caFile) +int wolfEtsClientAddCA(EtsClientCtx* client, const char* caFile) { int ret; if (client == NULL) { @@ -71,7 +71,7 @@ int wolfEtsiClientAddCA(EtsiClientCtx* client, const char* caFile) return ret; } -int wolfEtsiClientConnect(EtsiClientCtx* client, const char* host, +int wolfEtsClientConnect(EtsClientCtx* client, const char* host, word16 port, int timeoutSec) { int ret; @@ -83,10 +83,10 @@ int wolfEtsiClientConnect(EtsiClientCtx* client, const char* host, wc_LockMutex(&client->lock); ret = wolfTlsConnect(client->sslCtx, &client->ssl, host, port, timeoutSec); if (ret == 0) { - XLOG(WOLFKM_LOG_INFO, "Connected to ETSI service\n"); + XLOG(WOLFKM_LOG_INFO, "Connected to ETS service\n"); } else { - XLOG(WOLFKM_LOG_ERROR, "Failure connecting to ETSI service %d\n", ret); + XLOG(WOLFKM_LOG_ERROR, "Failure connecting to ETS service %d\n", ret); ret = WOLFKM_BAD_HOST; } wc_UnLockMutex(&client->lock); 
@@ -94,38 +94,38 @@ int wolfEtsiClientConnect(EtsiClientCtx* client, const char* host, return ret; } -const char* wolfEtsiKeyNamedGroupStr(EtsiKey* key) +const char* wolfEtsKeyNamedGroupStr(EtsKey* key) { if (key == NULL) return NULL; switch (key->type) { - case ETSI_KEY_TYPE_SECP160K1: return "0x000F"; /* 15 */ - case ETSI_KEY_TYPE_SECP160R1: return "0x0010"; /* 16 */ - case ETSI_KEY_TYPE_SECP160R2: return "0x0011"; /* 17 */ - case ETSI_KEY_TYPE_SECP192K1: return "0x0012"; /* 18 */ - case ETSI_KEY_TYPE_SECP192R1: return "0x0013"; /* 19 */ - case ETSI_KEY_TYPE_SECP224K1: return "0x0014"; /* 20 */ - case ETSI_KEY_TYPE_SECP224R1: return "0x0015"; /* 21 */ - case ETSI_KEY_TYPE_SECP256K1: return "0x0016"; /* 22 */ - case ETSI_KEY_TYPE_SECP256R1: return "0x0017"; /* 23 */ - case ETSI_KEY_TYPE_SECP384R1: return "0x0018"; /* 24 */ - case ETSI_KEY_TYPE_SECP521R1: return "0x0019"; /* 25 */ - case ETSI_KEY_TYPE_BRAINPOOLP256R1: return "0x001A"; /* 26 */ - case ETSI_KEY_TYPE_BRAINPOOLP384R1: return "0x001B"; /* 27 */ - case ETSI_KEY_TYPE_BRAINPOOLP512R1: return "0x001C"; /* 28 */ - case ETSI_KEY_TYPE_X25519: return "0x001D"; /* 29 */ - case ETSI_KEY_TYPE_X448: return "0x001E"; /* 30 */ - case ETSI_KEY_TYPE_FFDHE_2048: return "0x0100"; /* 256 */ - case ETSI_KEY_TYPE_FFDHE_3072: return "0x0101"; /* 257 */ - case ETSI_KEY_TYPE_FFDHE_4096: return "0x0102"; /* 258 */ - case ETSI_KEY_TYPE_FFDHE_6144: return "0x0103"; /* 259 */ - case ETSI_KEY_TYPE_FFDHE_8192: return "0x0104"; /* 260 */ + case ETS_KEY_TYPE_SECP160K1: return "0x000F"; /* 15 */ + case ETS_KEY_TYPE_SECP160R1: return "0x0010"; /* 16 */ + case ETS_KEY_TYPE_SECP160R2: return "0x0011"; /* 17 */ + case ETS_KEY_TYPE_SECP192K1: return "0x0012"; /* 18 */ + case ETS_KEY_TYPE_SECP192R1: return "0x0013"; /* 19 */ + case ETS_KEY_TYPE_SECP224K1: return "0x0014"; /* 20 */ + case ETS_KEY_TYPE_SECP224R1: return "0x0015"; /* 21 */ + case ETS_KEY_TYPE_SECP256K1: return "0x0016"; /* 22 */ + case ETS_KEY_TYPE_SECP256R1: return "0x0017"; 
/* 23 */ + case ETS_KEY_TYPE_SECP384R1: return "0x0018"; /* 24 */ + case ETS_KEY_TYPE_SECP521R1: return "0x0019"; /* 25 */ + case ETS_KEY_TYPE_BRAINPOOLP256R1: return "0x001A"; /* 26 */ + case ETS_KEY_TYPE_BRAINPOOLP384R1: return "0x001B"; /* 27 */ + case ETS_KEY_TYPE_BRAINPOOLP512R1: return "0x001C"; /* 28 */ + case ETS_KEY_TYPE_X25519: return "0x001D"; /* 29 */ + case ETS_KEY_TYPE_X448: return "0x001E"; /* 30 */ + case ETS_KEY_TYPE_FFDHE_2048: return "0x0100"; /* 256 */ + case ETS_KEY_TYPE_FFDHE_3072: return "0x0101"; /* 257 */ + case ETS_KEY_TYPE_FFDHE_4096: return "0x0102"; /* 258 */ + case ETS_KEY_TYPE_FFDHE_6144: return "0x0103"; /* 259 */ + case ETS_KEY_TYPE_FFDHE_8192: return "0x0104"; /* 260 */ default: break; } return NULL; } -int wolfEtsiClientMakeRequest(EtsiClientType type, const char* fingerprint, +int wolfEtsClientMakeRequest(EtsClientType type, const char* fingerprint, const char* groups, const char* contextstr, byte* request, word32* requestSz) { int ret; @@ -136,8 +136,8 @@ int wolfEtsiClientMakeRequest(EtsiClientType type, const char* fingerprint, headers[0].type = HTTP_HDR_ACCEPT; headers[0].string = "application/pkcs8"; - /* Build HTTP ETSI request */ - if (type == ETSI_CLIENT_PUSH) { + /* Build HTTP ETS request */ + if (type == ETS_CLIENT_PUSH) { /* PUT for distributed push of keys */ httpType = HTTP_METHOD_PUT; snprintf(uri, sizeof(uri), "/enterprise-transport-security/keys"); @@ -183,7 +183,7 @@ int wolfEtsiClientMakeRequest(EtsiClientType type, const char* fingerprint, return ret; } -static void ParseHttpResponseExpires(HttpRsp* rsp, EtsiKey* key, time_t now) +static void ParseHttpResponseExpires(HttpRsp* rsp, EtsKey* key, time_t now) { int i; 
@@ -212,13 +212,13 @@ static void ParseHttpResponseExpires(HttpRsp* rsp, EtsiKey* key, time_t now) } } -static int EtsiClientGet(EtsiClientCtx* client, EtsiKey* key, - EtsiKeyType keyType, const char* fingerprint, const char* contextStr, +static int EtsClientGet(EtsClientCtx* client, EtsKey* key, + EtsKeyType keyType, const char* fingerprint, const char* contextStr, int timeoutSec, HttpRsp* rsp) { int ret; - byte request[ETSI_MAX_REQUEST_SZ]; - word32 requestSz = ETSI_MAX_REQUEST_SZ; + byte request[ETS_MAX_REQUEST_SZ]; + word32 requestSz = ETS_MAX_REQUEST_SZ; int pos; const char* group; @@ -228,11 +228,11 @@ static int EtsiClientGet(EtsiClientCtx* client, EtsiKey* key, /* build GET request for key */ key->type = keyType; - group = wolfEtsiKeyNamedGroupStr(key); - ret = wolfEtsiClientMakeRequest(ETSI_CLIENT_GET, fingerprint, group, + group = wolfEtsKeyNamedGroupStr(key); + ret = wolfEtsClientMakeRequest(ETS_CLIENT_GET, fingerprint, group, contextStr, request, &requestSz); if (ret != 0) { - XLOG(WOLFKM_LOG_INFO, "EtsiClientMakeRequest failed: %d\n", ret); + XLOG(WOLFKM_LOG_INFO, "EtsClientMakeRequest failed: %d\n", ret); return ret; } XLOG(WOLFKM_LOG_DEBUG, "HTTP Sending: %s\n", (char*)request); @@ -288,7 +288,7 @@ static int EtsiClientGet(EtsiClientCtx* client, EtsiKey* key, if (ret == 0) { /* asymmetric key package response */ - XLOG(WOLFKM_LOG_INFO, "Got ETSI response (%d bytes)\n", + XLOG(WOLFKM_LOG_INFO, "Got ETS response (%d bytes)\n", key->responseSz); ret = key->responseSz; /* return key size */ } @@ -296,8 +296,8 @@ static int EtsiClientGet(EtsiClientCtx* client, EtsiKey* key, return ret; } -int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key, - EtsiKeyType keyType, const char* fingerprint, const char* contextStr, +int wolfEtsClientGet(EtsClientCtx* client, EtsKey* key, + EtsKeyType keyType, const char* fingerprint, const char* contextStr, int timeoutSec) { int ret; 
@@ -317,7 +317,7 @@ int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key, return 0; } - ret = EtsiClientGet(client, key, keyType, fingerprint, contextStr, + ret = EtsClientGet(client, key, keyType, fingerprint, contextStr, timeoutSec, &rsp); if (ret == 0) { ParseHttpResponseExpires(&rsp, key, now); @@ -325,18 +325,18 @@ int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key, return ret; } -int wolfEtsiClientPush(EtsiClientCtx* client, EtsiKeyType keyType, +int wolfEtsClientPush(EtsClientCtx* client, EtsKeyType keyType, const char* fingerprint, const char* contextStr, - EtsiKeyCallbackFunc cb, void* cbCtx) + EtsKeyCallbackFunc cb, void* cbCtx) { int ret; - byte request[ETSI_MAX_REQUEST_SZ]; - word32 requestSz = ETSI_MAX_REQUEST_SZ; + byte request[ETS_MAX_REQUEST_SZ]; + word32 requestSz = ETS_MAX_REQUEST_SZ; int pos; HttpRsp rsp; const char* group; time_t now; - EtsiKey key; + EtsKey key; if (client == NULL || cb == NULL) { return WOLFKM_BAD_ARGS; @@ -345,11 +345,11 @@ int wolfEtsiClientPush(EtsiClientCtx* client, EtsiKeyType keyType, /* Request PUSH for new keys */ memset(&key, 0, sizeof(key)); key.type = keyType; - group = wolfEtsiKeyNamedGroupStr(&key); - ret = wolfEtsiClientMakeRequest(ETSI_CLIENT_PUSH, fingerprint, group, + group = wolfEtsKeyNamedGroupStr(&key); + ret = wolfEtsClientMakeRequest(ETS_CLIENT_PUSH, fingerprint, group, contextStr, request, &requestSz); if (ret != 0) { - XLOG(WOLFKM_LOG_INFO, "EtsiClientMakeRequest failed: %d\n", ret); + XLOG(WOLFKM_LOG_INFO, "EtsClientMakeRequest failed: %d\n", ret); return ret; } @@ -381,7 +381,7 @@ int wolfEtsiClientPush(EtsiClientCtx* client, EtsiKeyType keyType, } if (ret > 0) { /* asymmetric key package response */ - XLOG(WOLFKM_LOG_INFO, "Got ETSI response (%d bytes)\n", + XLOG(WOLFKM_LOG_INFO, "Got ETS response (%d bytes)\n", key.responseSz); /* parse HTTP server response */ 
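Review bot: In wolfEtsClientGet the call to ParseHttpResponseExpires is gated on `if (ret == 0)`, yet EtsClientGet appears to return the key size on success (`ret = key->responseSz; /* return key size */` in the -288 hunk above), so for any non-empty key the Expires header would never be parsed and `key->expires` would keep its previous value. If that reading is right, a fetched key is not refreshed at the server-specified expiry, and the check should probably be `if (ret > 0)`, which is the test wolfEtsClientPush uses for the same response. The lines between the two hunks are not visible here, so confirm against the full function. Both wolfEtsClientGet and EtsClientGet begin outside this hunk.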
@@ -418,17 +418,17 @@ int wolfEtsiClientPush(EtsiClientCtx* client, EtsiKeyType keyType, return ret; } -int wolfEtsiClientFind(EtsiClientCtx* client, EtsiKey* key, - EtsiKeyType keyType, const char* fingerprint, const char* contextStr, +int wolfEtsClientFind(EtsClientCtx* client, EtsKey* key, + EtsKeyType keyType, const char* fingerprint, const char* contextStr, int timeoutSec) { HttpRsp rsp; /* fingerprint is previously generated ephemeral public key name */ - return EtsiClientGet(client, key, keyType, fingerprint, contextStr, + return EtsClientGet(client, key, keyType, fingerprint, contextStr, timeoutSec, &rsp); } -int wolfEtsiKeyGetPtr(EtsiKey* key, byte** response, word32* responseSz) +int wolfEtsKeyGetPtr(EtsKey* key, byte** response, word32* responseSz) { if (key == NULL) return WOLFKM_BAD_ARGS; 
@@ -439,86 +439,86 @@ int wolfEtsiKeyGetPtr(EtsiKey* key, byte** response, word32* responseSz) return 0; } -EtsiKey* wolfEtsiKeyNew(void) +EtsKey* wolfEtsKeyNew(void) { - EtsiKey* key = (EtsiKey*)malloc(sizeof(EtsiKey)); + EtsKey* key = (EtsKey*)malloc(sizeof(EtsKey)); if (key) { - memset(key, 0, sizeof(EtsiKey)); + memset(key, 0, sizeof(EtsKey)); key->isDynamic = 1; } return key; } -int wolfEtsiGetPkType(EtsiKeyType type) +int wolfEtsGetPkType(EtsKeyType type) { - if (type >= ETSI_KEY_TYPE_SECP160K1 && - type <= ETSI_KEY_TYPE_BRAINPOOLP512R1) { + if (type >= ETS_KEY_TYPE_SECP160K1 && + type <= ETS_KEY_TYPE_BRAINPOOLP512R1) { return WC_PK_TYPE_ECDH; } - if (type >= ETSI_KEY_TYPE_FFDHE_2048 && - type <= ETSI_KEY_TYPE_FFDHE_8192) { + if (type >= ETS_KEY_TYPE_FFDHE_2048 && + type <= ETS_KEY_TYPE_FFDHE_8192) { return WC_PK_TYPE_DH; } - if (type == ETSI_KEY_TYPE_X25519) { + if (type == ETS_KEY_TYPE_X25519) { return WC_PK_TYPE_CURVE25519; } - if (type == ETSI_KEY_TYPE_X448) { + if (type == ETS_KEY_TYPE_X448) { return WC_PK_TYPE_CURVE448; } return WC_PK_TYPE_NONE; } -int wolfEtsiKeyGetPkType(EtsiKey* key) +int wolfEtsKeyGetPkType(EtsKey* key) { if (key == NULL) return WOLFKM_BAD_ARGS; - return wolfEtsiGetPkType(key->type); + return wolfEtsGetPkType(key->type); } -const char* wolfEtsiKeyGetTypeStr(EtsiKeyType type) +const char* wolfEtsKeyGetTypeStr(EtsKeyType type) { switch (type) { - case ETSI_KEY_TYPE_SECP160K1: + case ETS_KEY_TYPE_SECP160K1: return "SECP160K1"; - case ETSI_KEY_TYPE_SECP160R1: + case ETS_KEY_TYPE_SECP160R1: return "SECP160R1"; - case ETSI_KEY_TYPE_SECP160R2: + case ETS_KEY_TYPE_SECP160R2: return "SECP160R2"; - case ETSI_KEY_TYPE_SECP192K1: + case ETS_KEY_TYPE_SECP192K1: return "SECP192K1"; - case ETSI_KEY_TYPE_SECP192R1: + case ETS_KEY_TYPE_SECP192R1: return "SECP192R1"; - case ETSI_KEY_TYPE_SECP224K1: + case ETS_KEY_TYPE_SECP224K1: return "SECP224K1"; - case ETSI_KEY_TYPE_SECP224R1: + case ETS_KEY_TYPE_SECP224R1: return "SECP224R1"; - case 
ETSI_KEY_TYPE_SECP256K1: + case ETS_KEY_TYPE_SECP256K1: return "SECP256K1"; - case ETSI_KEY_TYPE_SECP256R1: + case ETS_KEY_TYPE_SECP256R1: return "SECP256R1"; - case ETSI_KEY_TYPE_SECP384R1: + case ETS_KEY_TYPE_SECP384R1: return "SECP384R1"; - case ETSI_KEY_TYPE_SECP521R1: + case ETS_KEY_TYPE_SECP521R1: return "SECP521R1"; - case ETSI_KEY_TYPE_BRAINPOOLP256R1: + case ETS_KEY_TYPE_BRAINPOOLP256R1: return "BRAINPOOLP256R1"; - case ETSI_KEY_TYPE_BRAINPOOLP384R1: + case ETS_KEY_TYPE_BRAINPOOLP384R1: return "BRAINPOOLP384R1"; - case ETSI_KEY_TYPE_BRAINPOOLP512R1: + case ETS_KEY_TYPE_BRAINPOOLP512R1: return "BRAINPOOLP512R1"; - case ETSI_KEY_TYPE_X25519: + case ETS_KEY_TYPE_X25519: return "X25519"; - case ETSI_KEY_TYPE_X448: + case ETS_KEY_TYPE_X448: return "X448"; - case ETSI_KEY_TYPE_FFDHE_2048: + case ETS_KEY_TYPE_FFDHE_2048: return "FFDHE_2048"; - case ETSI_KEY_TYPE_FFDHE_3072: + case ETS_KEY_TYPE_FFDHE_3072: return "FFDHE_3072"; - case ETSI_KEY_TYPE_FFDHE_4096: + case ETS_KEY_TYPE_FFDHE_4096: return "FFDHE_4096"; - case ETSI_KEY_TYPE_FFDHE_6144: + case ETS_KEY_TYPE_FFDHE_6144: return "FFDHE_6144"; - case ETSI_KEY_TYPE_FFDHE_8192: + case ETS_KEY_TYPE_FFDHE_8192: return "FFDHE_8192"; default: break; @@ -526,7 +526,7 @@ const char* wolfEtsiKeyGetTypeStr(EtsiKeyType type) return NULL; } -int wolfEtsiKeyLoadCTX(EtsiKey* key, WOLFSSL_CTX* ctx) +int wolfEtsKeyLoadCTX(EtsKey* key, WOLFSSL_CTX* ctx) { int ret; #ifdef WOLFSSL_STATIC_EPHEMERAL @@ -538,7 +538,7 @@ int wolfEtsiKeyLoadCTX(EtsiKey* key, WOLFSSL_CTX* ctx) #ifdef WOLFSSL_STATIC_EPHEMERAL /* determine key algo */ - keyAlgo = wolfEtsiKeyGetPkType(key); + keyAlgo = wolfEtsKeyGetPkType(key); ret = wolfSSL_CTX_set_ephemeral_key(ctx, keyAlgo, (char*)key->response, key->responseSz, WOLFSSL_FILETYPE_ASN1); 
@@ -548,7 +548,7 @@ int wolfEtsiKeyLoadCTX(EtsiKey* key, WOLFSSL_CTX* ctx) return ret; } -int wolfEtsiKeyLoadSSL(EtsiKey* key, WOLFSSL* ssl) +int wolfEtsKeyLoadSSL(EtsKey* key, WOLFSSL* ssl) { int ret; #ifdef WOLFSSL_STATIC_EPHEMERAL @@ -560,7 +560,7 @@ int wolfEtsiKeyLoadSSL(EtsiKey* key, WOLFSSL* ssl) #ifdef WOLFSSL_STATIC_EPHEMERAL /* determine key algo */ - keyAlgo = wolfEtsiKeyGetPkType(key); + keyAlgo = wolfEtsKeyGetPkType(key); ret = wolfSSL_set_ephemeral_key(ssl, keyAlgo, (char*)key->response, key->responseSz, WOLFSSL_FILETYPE_ASN1); 
@@ -575,37 +575,37 @@ int wolfEtsiKeyLoadSSL(EtsiKey* key, WOLFSSL* ssl) } #ifdef HAVE_ECC -static int NamedGroupToCurveInfo(EtsiKeyType keyType, int* curveId, int* keySize) +static int NamedGroupToCurveInfo(EtsKeyType keyType, int* curveId, int* keySize) { int ret = 0; switch (keyType) { - case ETSI_KEY_TYPE_SECP160K1: + case ETS_KEY_TYPE_SECP160K1: *curveId = ECC_SECP160K1; *keySize = 20; break; - case ETSI_KEY_TYPE_SECP160R1: + case ETS_KEY_TYPE_SECP160R1: *curveId = ECC_SECP160R1; *keySize = 20; break; - case ETSI_KEY_TYPE_SECP160R2: + case ETS_KEY_TYPE_SECP160R2: *curveId = ECC_SECP160R2; *keySize = 20; break; - case ETSI_KEY_TYPE_SECP192K1: + case ETS_KEY_TYPE_SECP192K1: *curveId = ECC_SECP192K1; *keySize = 24; break; - case ETSI_KEY_TYPE_SECP192R1: + case ETS_KEY_TYPE_SECP192R1: *curveId = ECC_SECP192R1; *keySize = 24; break; - case ETSI_KEY_TYPE_SECP224K1: + case ETS_KEY_TYPE_SECP224K1: *curveId = ECC_SECP224K1; *keySize = 28; break; - case ETSI_KEY_TYPE_SECP224R1: + case ETS_KEY_TYPE_SECP224R1: *curveId = ECC_SECP224R1; *keySize = 28; break; - case ETSI_KEY_TYPE_SECP256K1: + case ETS_KEY_TYPE_SECP256K1: *curveId = ECC_SECP256K1; *keySize = 32; break; - case ETSI_KEY_TYPE_SECP256R1: + case ETS_KEY_TYPE_SECP256R1: *curveId = ECC_SECP256R1; *keySize = 32; break; - case ETSI_KEY_TYPE_SECP384R1: + case ETS_KEY_TYPE_SECP384R1: *curveId = ECC_SECP384R1; *keySize = 48; break; - case ETSI_KEY_TYPE_SECP521R1: + case ETS_KEY_TYPE_SECP521R1: *curveId = ECC_SECP521R1; *keySize = 66; break; - case ETSI_KEY_TYPE_BRAINPOOLP256R1: + case ETS_KEY_TYPE_BRAINPOOLP256R1: *curveId = ECC_BRAINPOOLP256R1; *keySize = 32; break; - case ETSI_KEY_TYPE_BRAINPOOLP384R1: + case ETS_KEY_TYPE_BRAINPOOLP384R1: *curveId = ECC_BRAINPOOLP384R1; *keySize = 48; break; - case ETSI_KEY_TYPE_BRAINPOOLP512R1: + case ETS_KEY_TYPE_BRAINPOOLP512R1: *curveId = ECC_BRAINPOOLP512R1; *keySize = 64; break; default: ret = WOLFKM_BAD_ARGS; 
@@ -616,7 +616,7 @@ static int NamedGroupToCurveInfo(EtsiKeyType keyType, int* curveId, int* keySize #endif #if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) -static int NamedGroupToDhParams(EtsiKeyType keyType, +static int NamedGroupToDhParams(EtsKeyType keyType, const DhParams** pParams, word32* pPrivKeySz, word32* pPubKeySz) { int ret = 0; @@ -626,23 +626,23 @@ static int NamedGroupToDhParams(EtsiKeyType keyType, #ifdef HAVE_PUBLIC_FFDHE switch (keyType) { #ifdef HAVE_FFDHE_2048 - case ETSI_KEY_TYPE_FFDHE_2048: + case ETS_KEY_TYPE_FFDHE_2048: params = wc_Dh_ffdhe2048_Get(); privKeySz = 29; break; #endif #ifdef HAVE_FFDHE_3072 - case ETSI_KEY_TYPE_FFDHE_3072: + case ETS_KEY_TYPE_FFDHE_3072: params = wc_Dh_ffdhe3072_Get(); privKeySz = 34; break; #endif #ifdef HAVE_FFDHE_4096 - case ETSI_KEY_TYPE_FFDHE_4096: + case ETS_KEY_TYPE_FFDHE_4096: params = wc_Dh_ffdhe4096_Get(); privKeySz = 39; break; #endif #ifdef HAVE_FFDHE_6144 - case ETSI_KEY_TYPE_FFDHE_6144: + case ETS_KEY_TYPE_FFDHE_6144: params = wc_Dh_ffdhe6144_Get(); privKeySz = 46; break; #endif #ifdef HAVE_FFDHE_8192 - case ETSI_KEY_TYPE_FFDHE_8192: + case ETS_KEY_TYPE_FFDHE_8192: params = wc_Dh_ffdhe8192_Get(); privKeySz = 52; break; #endif default: @@ -667,7 +667,7 @@ static int NamedGroupToDhParams(EtsiKeyType keyType, #endif -static int wolfKeyCalcFingerprint(EtsiKeyType keyType, const byte* pub, word32 pubSz, +static int wolfKeyCalcFingerprint(EtsKeyType keyType, const byte* pub, word32 pubSz, byte* fp, word32* fpSz) { int ret = 0; @@ -696,7 +696,7 @@ static int wolfKeyCalcFingerprint(EtsiKeyType keyType, const byte* pub, word32 p } #ifdef HAVE_ECC -static int GenNewKeyEcc(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) +static int GenNewKeyEcc(EtsKey* key, EtsKeyType keyType, WC_RNG* rng) { int ret; int curveId = ECC_CURVE_DEF, keySize = 32; 
@@ -751,7 +751,7 @@ static int GenNewKeyEcc(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) #endif #ifdef HAVE_CURVE25519 -static int GenNewKeyCurve25519(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) +static int GenNewKeyCurve25519(EtsKey* key, EtsKeyType keyType, WC_RNG* rng) { int ret; curve25519_key curveKey; @@ -796,7 +796,7 @@ static int GenNewKeyCurve25519(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) #endif /* HAVE_CURVE25519 */ #ifdef HAVE_CURVE448 -static int GenNewKeyCurve448(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) +static int GenNewKeyCurve448(EtsKey* key, EtsKeyType keyType, WC_RNG* rng) { int ret; curve448_key curveKey; @@ -841,7 +841,7 @@ static int GenNewKeyCurve448(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) #endif /* HAVE_CURVE448 */ #if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) -static int GenNewKeyDh(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) +static int GenNewKeyDh(EtsKey* key, EtsKeyType keyType, WC_RNG* rng) { int ret; DhKey dh; @@ -913,7 +913,7 @@ static int GenNewKeyDh(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) } #endif /* !NO_DH && WOLFSSL_DH_EXTRA */ -int wolfEtsiKeyGen(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) +int wolfEtsKeyGen(EtsKey* key, EtsKeyType keyType, WC_RNG* rng) { int ret = WOLFKM_NOT_COMPILED_IN; 
@@ -921,24 +921,24 @@ int wolfEtsiKeyGen(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) return WOLFKM_BAD_ARGS; #ifdef HAVE_ECC - if (keyType >= ETSI_KEY_TYPE_SECP160K1 && - keyType <= ETSI_KEY_TYPE_BRAINPOOLP512R1) { + if (keyType >= ETS_KEY_TYPE_SECP160K1 && + keyType <= ETS_KEY_TYPE_BRAINPOOLP512R1) { ret = GenNewKeyEcc(key, keyType, rng); } #endif #if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) - if (keyType >= ETSI_KEY_TYPE_FFDHE_2048 && - keyType <= ETSI_KEY_TYPE_FFDHE_8192) { + if (keyType >= ETS_KEY_TYPE_FFDHE_2048 && + keyType <= ETS_KEY_TYPE_FFDHE_8192) { ret = GenNewKeyDh(key, keyType, rng); } #endif #ifdef HAVE_CURVE25519 - if (keyType == ETSI_KEY_TYPE_X25519) { + if (keyType == ETS_KEY_TYPE_X25519) { ret = GenNewKeyCurve25519(key, keyType, rng); } #endif #ifdef HAVE_CURVE448 - if (keyType == ETSI_KEY_TYPE_X448) { + if (keyType == ETS_KEY_TYPE_X448) { ret = GenNewKeyCurve448(key, keyType, rng); } #endif @@ -952,11 +952,11 @@ int wolfEtsiKeyGen(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng) } /* Public key format is same as over the wire via TLS */ -int wolfEtsiCalcTlsFingerprint(EtsiKeyType keyType, +int wolfEtsCalcTlsFingerprint(EtsKeyType keyType, const byte* pub, word32 pubSz, char* fpStr, word32* fpStrSz) { int ret = WOLFKM_NOT_COMPILED_IN; - byte fp[ETSI_MAX_FINGERPRINT]; + byte fp[ETS_MAX_FINGERPRINT]; word32 fpSz = (word32)sizeof(fp); if (pub == NULL || pubSz == 0 || fpStr == NULL || fpStrSz == NULL) @@ -965,8 +965,8 @@ int wolfEtsiCalcTlsFingerprint(EtsiKeyType keyType, memset(fp, 0, sizeof(fp)); #ifdef HAVE_ECC - if (keyType >= ETSI_KEY_TYPE_SECP160K1 && - keyType <= ETSI_KEY_TYPE_BRAINPOOLP512R1) + if (keyType >= ETS_KEY_TYPE_SECP160K1 && + keyType <= ETS_KEY_TYPE_BRAINPOOLP512R1) { /* For ECC it is x963 - 1 byte (point type), pub x, pub y */ int curveId = ECC_CURVE_DEF, keySize = 32; 
@@ -1000,8 +1000,8 @@ int wolfEtsiCalcTlsFingerprint(EtsiKeyType keyType, } #endif #if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) - if (keyType >= ETSI_KEY_TYPE_FFDHE_2048 && - keyType <= ETSI_KEY_TYPE_FFDHE_8192) + if (keyType >= ETS_KEY_TYPE_FFDHE_2048 && + keyType <= ETS_KEY_TYPE_FFDHE_8192) { /* For DH it is the DH public key as unsigned bin */ word32 pubKeySz = 0; @@ -1012,13 +1012,13 @@ int wolfEtsiCalcTlsFingerprint(EtsiKeyType keyType, } #endif #ifdef HAVE_CURVE25519 - if (keyType == ETSI_KEY_TYPE_X25519) { + if (keyType == ETS_KEY_TYPE_X25519) { /* For Curve25519 is 32 bytes as unsigned bin */ ret = wolfKeyCalcFingerprint(keyType, pub, pubSz, fp, &fpSz); } #endif #ifdef HAVE_CURVE448 - if (keyType == ETSI_KEY_TYPE_X448) { + if (keyType == ETS_KEY_TYPE_X448) { /* For Curve448 is 56 bytes as unsigned bin */ ret = wolfKeyCalcFingerprint(keyType, pub, pubSz, fp, &fpSz); } @@ -1035,7 +1035,7 @@ int wolfEtsiCalcTlsFingerprint(EtsiKeyType keyType, return ret; } -int wolfEtsiKeyComputeName(EtsiKey* key) +int wolfEtsKeyComputeName(EtsKey* key) { int ret = WOLFKM_NOT_COMPILED_IN; int keyAlgo; @@ -1055,7 +1055,7 @@ int wolfEtsiKeyComputeName(EtsiKey* key) fpSz = (int)sizeof(key->fingerprint); memset(fp, 0, fpSz); - keyAlgo = wolfEtsiKeyGetPkType(key); + keyAlgo = wolfEtsKeyGetPkType(key); #ifdef HAVE_ECC if (keyAlgo == WC_PK_TYPE_ECDH) { ecc_key ecKey; 
@@ -1158,25 +1158,25 @@ int wolfEtsiKeyComputeName(EtsiKey* key) return ret; } -void wolfEtsiKeyPrint(EtsiKey* key) +void wolfEtsKeyPrint(EtsKey* key) { int ret; const char* keyAlgoStr; - char pubName[ETSI_MAX_FINGERPRINT_STR]; + char pubName[ETS_MAX_FINGERPRINT_STR]; int pubSz = (int)sizeof(pubName); if (key == NULL) { return; } - keyAlgoStr = wolfEtsiKeyGetTypeStr(key->type); + keyAlgoStr = wolfEtsKeyGetTypeStr(key->type); if (keyAlgoStr == NULL) { XLOG(WOLFKM_LOG_INFO, "Unknown key type!\n"); return; } /* make sure public name is calculated */ - ret = wolfEtsiKeyComputeName(key); + ret = wolfEtsKeyComputeName(key); if (ret != 0) { XLOG(WOLFKM_LOG_ERROR, "Error %d computing key name\n", ret); } @@ -1189,7 +1189,7 @@ void wolfEtsiKeyPrint(EtsiKey* key) (void)pubSz; } -void wolfEtsiKeyFree(EtsiKey* key) +void wolfEtsKeyFree(EtsKey* key) { if (key) { if (key->isDynamic) { @@ -1198,7 +1198,7 @@ void wolfEtsiKeyFree(EtsiKey* key) } } -int wolfEtsiClientClose(EtsiClientCtx* client) +int wolfEtsClientClose(EtsClientCtx* client) { int ret = 0; if (client && client->ssl) { @@ -1211,7 +1211,7 @@ int wolfEtsiClientClose(EtsiClientCtx* client) return ret; } -void wolfEtsiClientFree(EtsiClientCtx* client) +void wolfEtsClientFree(EtsClientCtx* client) { if (client) { wc_LockMutex(&client->lock); @@ -1229,7 +1229,7 @@ void wolfEtsiClientFree(EtsiClientCtx* client) } } -int wolfEtsiClientInit(void) +int wolfEtsClientInit(void) { /* Ignore SIGPIPE */ wolfSigIgnore(SIGPIPE); @@ -1240,7 +1240,7 @@ int wolfEtsiClientInit(void) return wolfSSL_Init(); } -void wolfEtsiClientCleanup(void) +void wolfEtsClientCleanup(void) { wolfSSL_Cleanup(); } diff --git a/src/svc_etsi.c b/src/svc_ets.c similarity index 74% rename from src/svc_etsi.c rename to src/svc_ets.c index c43707d..13e5040 100644 --- a/src/svc_etsi.c +++ b/src/svc_ets.c @@ -1,4 +1,4 @@ -/* svc_etsi.c +/* svc_ets.c * * Copyright (C) 2006-2021 wolfSSL Inc. * 
@@ -21,24 +21,24 @@ #include "wolfkeymgr/keymanager.h" #include "wolfkeymgr/mod_http.h" -#include "wolfkeymgr/mod_etsi.h" +#include "wolfkeymgr/mod_ets.h" #include "wolfkeymgr/mod_vault.h" #include /* determine maximum concurrent server's (based on fingerprint) */ -#ifndef ETSI_SVC_MAX_SERVERS -#define ETSI_SVC_MAX_SERVERS 4 +#ifndef ETS_SVC_MAX_SERVERS +#define ETS_SVC_MAX_SERVERS 4 #endif /* determine maximum number of active keys */ -#ifndef ETSI_SVC_MAX_ACTIVE_KEYS -#define ETSI_SVC_MAX_ACTIVE_KEYS (ETSI_SVC_MAX_SERVERS * 4) +#ifndef ETS_SVC_MAX_ACTIVE_KEYS +#define ETS_SVC_MAX_ACTIVE_KEYS (ETS_SVC_MAX_SERVERS * 4) #endif /* shared context for worker threads */ -typedef struct EtsiSvcCtx { +typedef struct EtsSvcCtx { /* latest shared key data */ - EtsiKey keys[ETSI_SVC_MAX_ACTIVE_KEYS]; - EtsiSvcConfig config; + EtsKey keys[ETS_SVC_MAX_ACTIVE_KEYS]; + EtsSvcConfig config; WC_RNG rng; pthread_mutex_t lock; /* shared lock */ @@ -53,18 +53,18 @@ typedef struct EtsiSvcCtx { #endif byte shutdown:1; /* signal to shutdown workers */ -} EtsiSvcCtx; -static EtsiSvcCtx gSvcCtx; +} EtsSvcCtx; +static EtsSvcCtx gSvcCtx; /* The top level service */ -static SvcInfo gEtsiService = { - .desc = "ETSI", +static SvcInfo gEtsService = { + .desc = "ETS", /* Callbacks */ - .requestCb = wolfEtsiSvc_DoRequest, - .timeoutCb = wolfEtsiSvc_HandleTimeout, - .notifyCb = wolfEtsiSvc_DoNotify, - .closeCb = wolfEtsiSvc_ConnClose, + .requestCb = wolfEtsSvc_DoRequest, + .timeoutCb = wolfEtsSvc_HandleTimeout, + .notifyCb = wolfEtsSvc_DoNotify, + .closeCb = wolfEtsSvc_ConnClose, /* TLS Certificate and Buffer */ .certBuffer = NULL, 
@@ -78,15 +78,15 @@ static SvcInfo gEtsiService = { }; /* connection object */ -typedef struct EtsiSvcConn { +typedef struct EtsSvcConn { HttpReq req; - char fingerprint[ETSI_MAX_FINGERPRINT_STR]; - char contextStr[ETSI_MAX_CONTEXT_STR]; - word32 groupNum; /* same as enum EtsiKeyType */ -} EtsiSvcConn; + char fingerprint[ETS_MAX_FINGERPRINT_STR]; + char contextStr[ETS_MAX_CONTEXT_STR]; + word32 groupNum; /* same as enum EtsKeyType */ +} EtsSvcConn; #ifdef WOLFKM_VAULT -static int AddKeyToVault(EtsiSvcCtx* svcCtx, EtsiKey* key) +static int AddKeyToVault(EtsSvcCtx* svcCtx, EtsKey* key) { if (svcCtx->vault == NULL) { XLOG(WOLFKM_LOG_WARN, "AddKey: vault not open\n"); @@ -99,10 +99,10 @@ static int AddKeyToVault(EtsiSvcCtx* svcCtx, EtsiKey* key) } #endif -static int EtsiSvcGenNewKey(EtsiSvcCtx* svcCtx, EtsiKeyType keyType, EtsiKey* key) +static int EtsSvcGenNewKey(EtsSvcCtx* svcCtx, EtsKeyType keyType, EtsKey* key) { int ret = WOLFKM_NOT_COMPILED_IN; - const char* keyTypeStr = wolfEtsiKeyGetTypeStr(keyType); + const char* keyTypeStr = wolfEtsKeyGetTypeStr(keyType); if (svcCtx == NULL || key == NULL || keyTypeStr == NULL) { return WOLFKM_BAD_ARGS; @@ -110,11 +110,11 @@ static int EtsiSvcGenNewKey(EtsiSvcCtx* svcCtx, EtsiKeyType keyType, EtsiKey* ke XLOG(WOLFKM_LOG_WARN, "Generating new %s key\n", keyTypeStr); - ret = wolfEtsiKeyGen(key, keyType, &svcCtx->rng); + ret = wolfEtsKeyGen(key, keyType, &svcCtx->rng); if (ret == 0) { key->expires = wolfGetCurrentTimeT() + svcCtx->config.renewSec; - wolfEtsiKeyPrint(key); + wolfEtsKeyPrint(key); #ifdef WOLFKM_VAULT ret = AddKeyToVault(svcCtx, key); @@ -132,7 +132,7 @@ static int EtsiSvcGenNewKey(EtsiSvcCtx* svcCtx, EtsiKeyType keyType, EtsiKey* ke return ret; } -static void WakeKeyGenWorker(EtsiSvcCtx* svcCtx) +static void WakeKeyGenWorker(EtsSvcCtx* svcCtx) { /* signal key generation thread to wake */ pthread_mutex_lock(&svcCtx->kgMutex); 
@@ -140,21 +140,21 @@ static void WakeKeyGenWorker(EtsiSvcCtx* svcCtx) pthread_mutex_unlock(&svcCtx->kgMutex); } -static int SetupKeyPackage(SvcConn* conn, EtsiSvcCtx* svcCtx) +static int SetupKeyPackage(SvcConn* conn, EtsSvcCtx* svcCtx) { int ret = 0, i; - EtsiSvcConn* etsiConn; + EtsSvcConn* etsConn; HttpHeader headers[3]; struct tm tm; char expiresStr[100]; - EtsiKey* key = NULL; + EtsKey* key = NULL; int wakeKg = 0; if (conn == NULL || conn->svcConnCtx == NULL || svcCtx == NULL) { return WOLFKM_BAD_ARGS; } - etsiConn = (EtsiSvcConn*)conn->svcConnCtx; + etsConn = (EtsSvcConn*)conn->svcConnCtx; headers[0].type = HTTP_HDR_CONTENT_TYPE; headers[0].string = "application/pkcs8"; @@ -166,11 +166,11 @@ static int SetupKeyPackage(SvcConn* conn, EtsiSvcCtx* svcCtx) /* find key based on group and optional contextStr */ pthread_mutex_lock(&svcCtx->lock); - for (i=0; ikeys[i].type == etsiConn->groupNum) { - word32 ctxStrSz = (word32)strlen(etsiConn->contextStr); + for (i=0; ikeys[i].type == etsConn->groupNum) { + word32 ctxStrSz = (word32)strlen(etsConn->contextStr); if (ctxStrSz == 0 || (ctxStrSz == (word32)strlen(svcCtx->keys[i].contextStr) && - strncmp(svcCtx->keys[i].contextStr, etsiConn->contextStr, ctxStrSz) == 0)) { + strncmp(svcCtx->keys[i].contextStr, etsConn->contextStr, ctxStrSz) == 0)) { key = &svcCtx->keys[i]; break; } @@ -179,7 +179,7 @@ static int SetupKeyPackage(SvcConn* conn, EtsiSvcCtx* svcCtx) /* if one doesn't exist for this group then trigger generation */ if (key == NULL) { /* assign free slot */ - for (i=0; ikeys[i].type == 0) { key = &svcCtx->keys[i]; break; 
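Review bot: In the key lookup in SetupKeyPackage (hunk -166), a request whose contextStr is empty (`ctxStrSz == 0`) is matched to the first key of the requested group regardless of the contextStr that key was generated under. If the context string is meant to keep keys of different servers apart, a caller that omits it can be handed a key bound to another context; if the empty string is an intentional wildcard, say so, e.g. `/* empty contextStr matches any key of this group */`. Since the length-equality test precedes it, the `strncmp(..., ctxStrSz)` is equivalent to `strcmp` and could be simplified. SetupKeyPackage begins before this hunk.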
@@ -188,18 +188,18 @@ static int SetupKeyPackage(SvcConn* conn, EtsiSvcCtx* svcCtx) /* if no free slots then find oldest key */ if (key == NULL) { time_t oldestTime = 0; - for (i=0; i svcCtx->keys[i].expires) oldestTime = svcCtx->keys[i].expires; } - for (i=0; ikeys[i].expires) { key = &svcCtx->keys[i]; break; } } } - ret = EtsiSvcGenNewKey(svcCtx, etsiConn->groupNum, key); + ret = EtsSvcGenNewKey(svcCtx, etsConn->groupNum, key); } if (ret == 0) { @@ -208,7 +208,7 @@ static int SetupKeyPackage(SvcConn* conn, EtsiSvcCtx* svcCtx) strftime(expiresStr, sizeof(expiresStr), HTTP_DATE_FMT, &tm); /* set contextStr */ - strncpy(key->contextStr, etsiConn->contextStr, sizeof(key->contextStr)); + strncpy(key->contextStr, etsConn->contextStr, sizeof(key->contextStr)); /* increment use count */ key->useCount++; @@ -263,8 +263,8 @@ static void* KeyPushWorker(void* arg) { int ret, i; SvcInfo* svc = (SvcInfo*)arg; - EtsiSvcCtx* svcCtx = (EtsiSvcCtx*)svc->svcCtx; - EtsiKey* key; + EtsSvcCtx* svcCtx = (EtsSvcCtx*)svc->svcCtx; + EtsKey* key; time_t now, nextExpires; int renewSec, keyGenCount; struct timespec max_wait = {0, 0}; @@ -272,7 +272,7 @@ static void* KeyPushWorker(void* arg) /* generate default key */ pthread_mutex_lock(&svcCtx->lock); key = &svcCtx->keys[0]; - (void)EtsiSvcGenNewKey(svcCtx, svcCtx->config.keyTypeDef, key); + (void)EtsSvcGenNewKey(svcCtx, svcCtx->config.keyTypeDef, key); pthread_mutex_unlock(&svcCtx->lock); do { @@ -282,8 +282,8 @@ static void* KeyPushWorker(void* arg) /* renew any expired keys */ pthread_mutex_lock(&svcCtx->lock); now = wolfGetCurrentTimeT(); - for (i=0; ikeys[i].type != ETSI_KEY_TYPE_UNKNOWN) { + for (i=0; ikeys[i].type != ETS_KEY_TYPE_UNKNOWN) { int expired, maxUses; expired = (svcCtx->keys[i].expires > 0 && now >= svcCtx->keys[i].expires); 
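Review bot: In the -208 hunk, `strncpy(key->contextStr, etsConn->contextStr, sizeof(key->contextStr));` does not NUL-terminate the destination when the source fills it, and the lookup earlier in SetupKeyPackage calls `strlen(svcCtx->keys[i].contextStr)` on that field. If `key->contextStr` is the same size as `etsConn->contextStr` and the latter is always terminated this cannot overrun today, but the invariant lives in two other places; `snprintf(key->contextStr, sizeof(key->contextStr), "%s", etsConn->contextStr);` keeps the field terminated unconditionally. The size of `key->contextStr` is not visible in this diff, so confirm it before changing. SetupKeyPackage's body continues on both sides of this hunk.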
@@ -291,9 +291,9 @@ static void* KeyPushWorker(void* arg) svcCtx->config.maxUseCount); /* check if expired or use count exceeded */ if (expired || maxUses) { - ret = EtsiSvcGenNewKey(svcCtx, svcCtx->keys[i].type, + ret = EtsSvcGenNewKey(svcCtx, svcCtx->keys[i].type, &svcCtx->keys[i]); - (void)ret; /* ignore error, logged in EtsiSvcGenNewKey */ + (void)ret; /* ignore error, logged in EtsSvcGenNewKey */ keyGenCount++; now = wolfGetCurrentTimeT(); /* refresh time after key gen */ 
@@ -331,108 +331,108 @@ static void* KeyPushWorker(void* arg)
 return NULL;
 }
-static int wolfEtsiSvc_DoResponse(SvcConn* conn)
+static int wolfEtsSvc_DoResponse(SvcConn* conn)
 {
 int ret;
 if (conn == NULL || conn->stream == NULL) {
- XLOG(WOLFKM_LOG_ERROR, "Bad ETSI response pointers\n");
+ XLOG(WOLFKM_LOG_ERROR, "Bad ETS response pointers\n");
 return WOLFKM_BAD_ARGS;
 }
 if (conn->responseSz == 0) {
- XLOG(WOLFKM_LOG_ERROR, "ETSI HTTP Response / Key not found!\n");
+ XLOG(WOLFKM_LOG_ERROR, "ETS HTTP Response / Key not found!\n");
 return WOLFKM_BAD_KEY;
 }
 /* send response, which is in the reused request buffer */
 ret = wolfKeyMgr_DoSend(conn, (byte*)conn->response, conn->responseSz);
 if (ret < 0) {
- XLOG(WOLFKM_LOG_ERROR, "ETSI DoSend failed: %d\n", ret);
+ XLOG(WOLFKM_LOG_ERROR, "ETS DoSend failed: %d\n", ret);
 return WOLFKM_BAD_SEND;
 }
- XLOG(WOLFKM_LOG_INFO, "Sent ETSI Response (%d bytes)\n", conn->responseSz);
+ XLOG(WOLFKM_LOG_INFO, "Sent ETS Response (%d bytes)\n", conn->responseSz);
 return ret;
 }
 /* The key request handler */
-int wolfEtsiSvc_DoRequest(SvcConn* conn)
+int wolfEtsSvc_DoRequest(SvcConn* conn)
 {
 int ret = 0;
 SvcInfo* svc;
- EtsiSvcCtx* svcCtx;
- EtsiSvcConn* etsiConn;;
+ EtsSvcCtx* svcCtx;
+ EtsSvcConn* etsConn;;
 if (conn == NULL || conn->svc == NULL || conn->stream == NULL) {
- XLOG(WOLFKM_LOG_ERROR, "Bad ETSI Request pointers\n");
+ XLOG(WOLFKM_LOG_ERROR, "Bad ETS Request pointers\n");
 return WOLFKM_BAD_ARGS;
 }
- XLOG(WOLFKM_LOG_INFO, "Got ETSI Request (%d bytes)\n", conn->requestSz);
+ XLOG(WOLFKM_LOG_INFO, "Got ETS Request (%d bytes)\n", conn->requestSz);
 if (conn->svcConnCtx == NULL) {
 /* Creating connection context */
 XLOG(WOLFKM_LOG_INFO, "Creating connection context\n");
- conn->svcConnCtx = malloc(sizeof(EtsiSvcConn));
+ conn->svcConnCtx = malloc(sizeof(EtsSvcConn));
 if (conn->svcConnCtx == NULL) {
 return WOLFKM_BAD_MEMORY;
 }
- memset(conn->svcConnCtx, 0, sizeof(EtsiSvcConn));
+ memset(conn->svcConnCtx, 0, sizeof(EtsSvcConn));
 }
 svc = conn->svc;
- svcCtx = (EtsiSvcCtx*)svc->svcCtx;
- etsiConn = (EtsiSvcConn*)conn->svcConnCtx;
+ svcCtx = (EtsSvcCtx*)svc->svcCtx;
+ etsConn = (EtsSvcConn*)conn->svcConnCtx;
- ret = wolfHttpServer_ParseRequest(&etsiConn->req, conn->request,
+ ret = wolfHttpServer_ParseRequest(&etsConn->req, conn->request,
 conn->requestSz);
 if (ret < 0) {
- XLOG(WOLFKM_LOG_ERROR, "ETSI HTTP Server Parse failed: %d\n", ret);
+ XLOG(WOLFKM_LOG_ERROR, "ETS HTTP Server Parse failed: %d\n", ret);
 return WOLFKM_BAD_REQUEST_TYPE;
 }
- wolfHttpRequestPrint(&etsiConn->req);
+ wolfHttpRequestPrint(&etsConn->req);
 /* Get fingerprint */
- if (wolfHttpUriGetItem(etsiConn->req.uri, "fingerprints=",
- etsiConn->fingerprint, sizeof(etsiConn->fingerprint)) > 0) {
- XLOG(WOLFKM_LOG_DEBUG, "Fingerprint: %s\n", etsiConn->fingerprint);
+ if (wolfHttpUriGetItem(etsConn->req.uri, "fingerprints=",
+ etsConn->fingerprint, sizeof(etsConn->fingerprint)) > 0) {
+ XLOG(WOLFKM_LOG_DEBUG, "Fingerprint: %s\n", etsConn->fingerprint);
 }
 /* Get groups - borrow contextStr variable */
- if (wolfHttpUriGetItem(etsiConn->req.uri, "groups=",
- etsiConn->contextStr, sizeof(etsiConn->contextStr)) > 0) {
+ if (wolfHttpUriGetItem(etsConn->req.uri, "groups=",
+ etsConn->contextStr, sizeof(etsConn->contextStr)) > 0) {
 const char* groupName;
- etsiConn->groupNum = (word32)strtol(etsiConn->contextStr, NULL, 16);
- groupName = wolfEtsiKeyGetTypeStr((EtsiKeyType)etsiConn->groupNum);
+ etsConn->groupNum = (word32)strtol(etsConn->contextStr, NULL, 16);
+ groupName = wolfEtsKeyGetTypeStr((EtsKeyType)etsConn->groupNum);
 XLOG(WOLFKM_LOG_DEBUG, "Group: %s (%d)\n",
- groupName, etsiConn->groupNum);
+ groupName, etsConn->groupNum);
 if (groupName == NULL) {
- etsiConn->groupNum = 0;
+ etsConn->groupNum = 0;
 }
 /* clear borrowed contextStr */
- memset(etsiConn->contextSt, 0, sizeof(etsiConn->contextStr));
+ memset(etsConn->contextStr, 0, sizeof(etsConn->contextStr));
 }
 /* Get context string */
- if (wolfHttpUriGetItem(etsiConn->req.uri, "contextstr=",
- etsiConn->contextStr, sizeof(etsiConn->contextStr)) > 0) {
- XLOG(WOLFKM_LOG_DEBUG, "Context: %s\n", etsiConn->contextStr);
+ if (wolfHttpUriGetItem(etsConn->req.uri, "contextstr=",
+ etsConn->contextStr, sizeof(etsConn->contextStr)) > 0) {
+ XLOG(WOLFKM_LOG_DEBUG, "Context: %s\n", etsConn->contextStr);
 }
 #ifdef WOLFKM_VAULT
 /* find uses fingerprint only */
- if (etsiConn->groupNum > 0 && strlen(etsiConn->fingerprint) > 0) {
+ if (etsConn->groupNum > 0 && strlen(etsConn->fingerprint) > 0) {
 wolfVaultItem item;
 byte name[WOLFKM_VAULT_NAME_MAX_SZ];
 word32 nameSz = (word32)sizeof(name);
 memset(&item, 0, sizeof(item));
- ret = wolfHexStringToByte(etsiConn->fingerprint,
- strlen(etsiConn->fingerprint), name, nameSz);
+ ret = wolfHexStringToByte(etsConn->fingerprint,
+ strlen(etsConn->fingerprint), name, nameSz);
 if (ret > 0) {
 nameSz = ret;
 ret = 0;
 }
 if (ret == 0) {
- ret = wolfVaultGet(svcCtx->vault, &item, etsiConn->groupNum,
+ ret = wolfVaultGet(svcCtx->vault, &item, etsConn->groupNum,
 name, nameSz);
 if (ret == 0) {
 ret = SetupKeyFindResponse(conn, &item);
@@ -442,7 +442,7 @@ int wolfEtsiSvc_DoRequest(SvcConn* conn)
 } else
 #endif
- if (etsiConn->groupNum > 0) {
+ if (etsConn->groupNum > 0) {
 ret = SetupKeyPackage(conn, svcCtx);
 }
@@ -452,13 +452,13 @@ int wolfEtsiSvc_DoRequest(SvcConn* conn)
 /* Send Response */
 if (ret == 0) {
- ret = wolfEtsiSvc_DoResponse(conn);
+ ret = wolfEtsSvc_DoResponse(conn);
 }
 return ret;
 }
-void wolfEtsiSvc_ConnClose(SvcConn* conn)
+void wolfEtsSvc_ConnClose(SvcConn* conn)
 {
 if (conn && conn->svcConnCtx) {
 free(conn->svcConnCtx);
@@ -466,60 +466,60 @@ void wolfEtsiSvc_ConnClose(SvcConn* conn)
 }
 }
-int wolfEtsiSvc_DoNotify(SvcConn* conn)
+int wolfEtsSvc_DoNotify(SvcConn* conn)
 {
 int ret = 0;
 SvcInfo* svc;
- EtsiSvcCtx* svcCtx;
- EtsiSvcConn* etsiConn;
+ EtsSvcCtx* svcCtx;
+ EtsSvcConn* etsConn;
 if (conn == NULL || conn->svc == NULL) {
- XLOG(WOLFKM_LOG_ERROR, "Bad ETSI notify pointers\n");
+ XLOG(WOLFKM_LOG_ERROR, "Bad ETS notify pointers\n");
 return WOLFKM_BAD_ARGS;
 }
 svc = conn->svc;
- svcCtx = (EtsiSvcCtx*)svc->svcCtx;
- etsiConn = (EtsiSvcConn*)conn->svcConnCtx;
+ svcCtx = (EtsSvcCtx*)svc->svcCtx;
+ etsConn = (EtsSvcConn*)conn->svcConnCtx;
- if (etsiConn != NULL && etsiConn->req.type == HTTP_METHOD_PUT) {
+ if (etsConn != NULL && etsConn->req.type == HTTP_METHOD_PUT) {
 /* update key */
 ret = SetupKeyPackage(conn, svcCtx);
 /* push key to active push threads */
 if (ret == 0) {
 /* send updated key */
- ret = wolfEtsiSvc_DoResponse(conn);
+ ret = wolfEtsSvc_DoResponse(conn);
 }
 }
 return ret;
 }
-int wolfEtsiSvc_HandleTimeout(SvcConn* conn)
+int wolfEtsSvc_HandleTimeout(SvcConn* conn)
 {
- EtsiSvcConn* etsiConn;
+ EtsSvcConn* etsConn;
 if (conn == NULL || conn->svcConnCtx == NULL) {
- XLOG(WOLFKM_LOG_ERROR, "Bad ETSI timeout pointers\n");
+ XLOG(WOLFKM_LOG_ERROR, "Bad ETS timeout pointers\n");
 return WOLFKM_BAD_ARGS;
 }
- etsiConn = (EtsiSvcConn*)conn->svcConnCtx;
+ etsConn = (EtsSvcConn*)conn->svcConnCtx;
 /* if we received an HTTP request then keep open */
- if (etsiConn->req.type != HTTP_METHOD_UNKNOWN) {
+ if (etsConn->req.type != HTTP_METHOD_UNKNOWN) {
 return 0; /* keep open (return non-zero value to close connection) */
 }
 return 1; /* close connection */
 }
-SvcInfo* wolfEtsiSvc_Init(const EtsiSvcConfig* config)
+SvcInfo* wolfEtsSvc_Init(const EtsSvcConfig* config)
 {
 int ret;
- SvcInfo* svc = &gEtsiService;
- EtsiSvcCtx* svcCtx = (EtsiSvcCtx*)svc->svcCtx;
+ SvcInfo* svc = &gEtsService;
+ EtsSvcCtx* svcCtx = (EtsSvcCtx*)svc->svcCtx;
 /* capture configuration */
 memcpy(&svcCtx->config, config, sizeof(*config));
@@ -535,16 +535,16 @@ SvcInfo* wolfEtsiSvc_Init(const EtsiSvcConfig* config)
 return svc;
 }
-int wolfEtsiSvc_Start(SvcInfo* svc, struct event_base* mainBase,
+int wolfEtsSvc_Start(SvcInfo* svc, struct event_base* mainBase,
 const char* listenPort)
 {
 int ret;
- EtsiSvcCtx* svcCtx;
+ EtsSvcCtx* svcCtx;
 if (svc == NULL) return WOLFKM_BAD_ARGS;
- svcCtx = (EtsiSvcCtx*)svc->svcCtx;
+ svcCtx = (EtsSvcCtx*)svc->svcCtx;
 /* setup key gen cond signal */
 pthread_mutex_init(&svcCtx->kgMutex, NULL);
@@ -568,10 +568,10 @@ int wolfEtsiSvc_Start(SvcInfo* svc, struct event_base* mainBase,
 return ret;
 }
-void wolfEtsiSvc_Cleanup(SvcInfo* svc)
+void wolfEtsSvc_Cleanup(SvcInfo* svc)
 {
 if (svc) {
- EtsiSvcCtx* svcCtx = (EtsiSvcCtx*)svc->svcCtx;
+ EtsSvcCtx* svcCtx = (EtsSvcCtx*)svc->svcCtx;
 if (svc->keyBuffer) {
 free(svc->keyBuffer);
@@ -603,7 +603,7 @@ void wolfEtsiSvc_Cleanup(SvcInfo* svc)
 #if defined(WOLFKM_VAULT) && defined(WOLFKM_VAULT_ENC)
 /* key: returned AES key */
 /* keyEnc: key information stored in vault header */
-static int wolfEtsiSvcVaultAuthCb(wolfVaultCtx* ctx, byte* key, word32 keySz,
+static int wolfEtsSvcVaultAuthCb(wolfVaultCtx* ctx, byte* key, word32 keySz,
 byte* keyEnc, word32 keyEncSz, void* cbCtx)
 {
 int ret;
@@ -716,23 +716,23 @@ static int wolfEtsiSvcVaultAuthCb(wolfVaultCtx* ctx, byte* key, word32 keySz,
 }
 #endif
-int wolfEtsiSvc_SetVaultFile(SvcInfo* svc, const char* vaultFile)
+int wolfEtsSvc_SetVaultFile(SvcInfo* svc, const char* vaultFile)
 {
 int ret = 0;
- EtsiSvcCtx* svcCtx;
+ EtsSvcCtx* svcCtx;
 if (svc == NULL || vaultFile == NULL) return WOLFKM_BAD_ARGS;
- svcCtx = (EtsiSvcCtx*)svc->svcCtx;
+ svcCtx = (EtsSvcCtx*)svc->svcCtx;
 #ifdef WOLFKM_VAULT
 ret = wolfVaultOpen(&svcCtx->vault, vaultFile);
 if (ret == 0) {
 wolfVaultPrintInfo(svcCtx->vault);
 #ifdef WOLFKM_VAULT_ENC
- ret = wolfVaultAuth(svcCtx->vault, wolfEtsiSvcVaultAuthCb, svc);
+ ret = wolfVaultAuth(svcCtx->vault, wolfEtsSvcVaultAuthCb, svc);
 #endif
 }
 #endif
diff --git a/tests/unit_tests.c b/tests/unit_tests.c
index 89a95f4..279d490 100644
--- a/tests/unit_tests.c
+++ b/tests/unit_tests.c
@@ -24,7 +24,7 @@
 #if defined(WOLFKM_VAULT) && defined(WOLFKM_VAULT_ENC)
 /* key: returned AES key */
 /* keyEnc: key information stored in vault header */
-static int wolfEtsiSvcVaultAuthCb(wolfVaultCtx* ctx, byte* key, word32 keySz,
+static int wolfEtsSvcVaultAuthCb(wolfVaultCtx* ctx, byte* key, word32 keySz,
 byte* keyEnc, word32 keyEncSz, void* cbCtx)
 {
 int ret;
@@ -77,7 +77,7 @@ static int vault_test(void)
 #ifdef WOLFKM_VAULT_ENC
 /* setup security callback */
- ret = wolfVaultAuth(ctx, wolfEtsiSvcVaultAuthCb, NULL);
+ ret = wolfVaultAuth(ctx, wolfEtsSvcVaultAuthCb, NULL);
 #endif
 /* add items */
diff --git a/wolfkeymgr/keymanager.h b/wolfkeymgr/keymanager.h
index 69f1121..e1f7689 100644
--- a/wolfkeymgr/keymanager.h
+++ b/wolfkeymgr/keymanager.h
@@ -31,9 +31,9 @@
 #include "wolfkeymgr/wkm_types.h"
 #include "wolfkeymgr/wkm_utils.h"
 #include "wolfkeymgr/mod_http.h"
-#include "wolfkeymgr/mod_etsi.h"
+#include "wolfkeymgr/mod_ets.h"
 #include "wolfkeymgr/sock_mgr.h"
-#include "wolfkeymgr/svc_etsi.h"
+#include "wolfkeymgr/svc_ets.h"
 /* wolfssl headers */
@@ -51,23 +51,23 @@
 #ifndef WOLFKM_DEFAULT_PID
 #define WOLFKM_DEFAULT_PID "./wolfkeymgr.pid"
 #endif
-#ifndef WOLFKM_ETSISVC_PORT
-#define WOLFKM_ETSISVC_PORT "8119"
+#ifndef WOLFKM_ETSSVC_PORT
+#define WOLFKM_ETSSVC_PORT "8119"
 #endif
-#ifndef WOLFKM_ETSISVC_KEY_PASSWORD
-#define WOLFKM_ETSISVC_KEY_PASSWORD "wolfssl"
+#ifndef WOLFKM_ETSSVC_KEY_PASSWORD
+#define WOLFKM_ETSSVC_KEY_PASSWORD "wolfssl"
 #endif
-#ifndef WOLFKM_ETSISVC_CA
-#define WOLFKM_ETSISVC_CA "./certs/ca-cert.pem"
+#ifndef WOLFKM_ETSSVC_CA
+#define WOLFKM_ETSSVC_CA "./certs/ca-cert.pem"
 #endif
-#ifndef WOLFKM_ETSISVC_KEY
-#define WOLFKM_ETSISVC_KEY "./certs/server-rsa-key.pem"
+#ifndef WOLFKM_ETSSVC_KEY
+#define WOLFKM_ETSSVC_KEY "./certs/server-rsa-key.pem"
 #endif
-#ifndef WOLFKM_ETSISVC_CERT
-#define WOLFKM_ETSISVC_CERT "./certs/server-rsa-cert.pem"
+#ifndef WOLFKM_ETSSVC_CERT
+#define WOLFKM_ETSSVC_CERT "./certs/server-rsa-cert.pem"
 #endif
-#ifndef WOLFKM_ETSISVC_VAULT
-#define WOLFKM_ETSISVC_VAULT "./wolfkeymgr.vault"
+#ifndef WOLFKM_ETSSVC_VAULT
+#define WOLFKM_ETSSVC_VAULT "./wolfkeymgr.vault"
 #endif
 #ifndef WOLFKM_DEFAULT_FILES
@@ -89,16 +89,16 @@
 #define WOLFKM_BACKOFF_TIME 10000 /* in microseconds */
 #endif
-/* Determine default ETSI key type */
-#ifndef WOLFKM_ETSISVC_DEF_KEY_TYPE
+/* Determine default ETS key type */
+#ifndef WOLFKM_ETSSVC_DEF_KEY_TYPE
 #ifdef HAVE_ECC
- #define WOLFKM_ETSISVC_DEF_KEY_TYPE ETSI_KEY_TYPE_SECP256R1
+ #define WOLFKM_ETSSVC_DEF_KEY_TYPE ETS_KEY_TYPE_SECP256R1
 #elif !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA)
- #define WOLFKM_ETSISVC_DEF_KEY_TYPE ETSI_KEY_TYPE_FFDHE_2048
+ #define WOLFKM_ETSSVC_DEF_KEY_TYPE ETS_KEY_TYPE_FFDHE_2048
 #elif defined(HAVE_CURVE25519)
- #define WOLFKM_ETSISVC_DEF_KEY_TYPE ETSI_KEY_TYPE_X25519
+ #define WOLFKM_ETSSVC_DEF_KEY_TYPE ETS_KEY_TYPE_X25519
 #elif defined(HAVE_CURVE448)
- #define WOLFKM_ETSISVC_DEF_KEY_TYPE ETSI_KEY_TYPE_X448
+ #define WOLFKM_ETSSVC_DEF_KEY_TYPE ETS_KEY_TYPE_X448
 #endif
 #endif
diff --git a/wolfkeymgr/mod_ets.h b/wolfkeymgr/mod_ets.h
new file mode 100644
index 0000000..83cbeed
--- /dev/null
+++ b/wolfkeymgr/mod_ets.h
@@ -0,0 +1,220 @@
+/* mod_ets.h
+ *
+ * Copyright (C) 2006-2021 wolfSSL Inc.
+ *
+ * This file is part of wolf Key Manager.
+ *
+ * wolfKeyMgr is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfKeyMgr is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFKM_ETS_H
+#define WOLFKM_ETS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "wolfkeymgr/wkm_types.h"
+#include "wolfkeymgr/mod_http.h"
+#include "wolfkeymgr/mod_socket.h"
+#include "wolfkeymgr/mod_tls.h"
+
+
+#ifndef ETS_MAX_REQUEST_SZ
+#define ETS_MAX_REQUEST_SZ MAX_REQUEST_SIZE
+#endif
+#ifndef ETS_MAX_RESPONSE_SZ
+#define ETS_MAX_RESPONSE_SZ MAX_RESPONSE_SIZE
+#endif
+
+/* Determine max build-time DH key sizes */
+#if !defined(NO_DH) && !defined(MAX_DH_PRIV_SZ) && !defined(MAX_DH_PUB_SZ)
+#if defined(HAVE_FFDHE_8192)
+ #define MAX_DH_PRIV_SZ 52
+ #define MAX_DH_PUB_SZ 1024
+#elif defined(HAVE_FFDHE_6144)
+ #define MAX_DH_PRIV_SZ 46
+ #define MAX_DH_PUB_SZ 768
+#elif defined(HAVE_FFDHE_4096)
+ #define MAX_DH_PRIV_SZ 39
+ #define MAX_DH_PUB_SZ 512
+#elif defined(HAVE_FFDHE_3072)
+ #define MAX_DH_PRIV_SZ 34
+ #define MAX_DH_PUB_SZ 384
+#elif defined(HAVE_FFDHE_2048)
+ #define MAX_DH_PRIV_SZ 29
+ #define MAX_DH_PUB_SZ 256
+#else
+ #error No DH FFDHE parameters enabled!
+#endif
+#endif
+
+/* opaque type for EtsClientCtx (pointer reference only) */
+typedef struct EtsClientCtx EtsClientCtx;
+
+typedef enum EtsClientType {
+ ETS_CLIENT_UNKNOWN,
+ ETS_CLIENT_GET, /* ask for key if current one is expired */
+ ETS_CLIENT_PUSH, /* remain connected and server will push new key */
+} EtsClientType;
+
+typedef enum EtsKeyType {
+ ETS_KEY_TYPE_UNKNOWN = 0,
+ /* Named Groups: defined in clause 4.2.7 in IETF RFC 8446 */
+ ETS_KEY_TYPE_SECP160K1 = 15,
+ ETS_KEY_TYPE_SECP160R1 = 16,
+ ETS_KEY_TYPE_SECP160R2 = 17,
+ ETS_KEY_TYPE_SECP192K1 = 18,
+ ETS_KEY_TYPE_SECP192R1 = 19,
+ ETS_KEY_TYPE_SECP224K1 = 20,
+ ETS_KEY_TYPE_SECP224R1 = 21,
+ ETS_KEY_TYPE_SECP256K1 = 22,
+ ETS_KEY_TYPE_SECP256R1 = 23,
+ ETS_KEY_TYPE_SECP384R1 = 24,
+ ETS_KEY_TYPE_SECP521R1 = 25,
+ ETS_KEY_TYPE_BRAINPOOLP256R1 = 26,
+ ETS_KEY_TYPE_BRAINPOOLP384R1 = 27,
+ ETS_KEY_TYPE_BRAINPOOLP512R1 = 28,
+ ETS_KEY_TYPE_X25519 = 29,
+ ETS_KEY_TYPE_X448 = 30,
+ ETS_KEY_TYPE_FFDHE_2048 = 256,
+ ETS_KEY_TYPE_FFDHE_3072 = 257,
+ ETS_KEY_TYPE_FFDHE_4096 = 258,
+ ETS_KEY_TYPE_FFDHE_6144 = 259,
+ ETS_KEY_TYPE_FFDHE_8192 = 260,
+
+ ETS_KEY_TYPE_MIN = ETS_KEY_TYPE_SECP160K1,
+ ETS_KEY_TYPE_MAX = ETS_KEY_TYPE_FFDHE_8192,
+} EtsKeyType;
+
+/* max context string (can be adjusted at build-time if desired) */
+#ifndef ETS_MAX_CONTEXT_STR
+#define ETS_MAX_CONTEXT_STR 32
+#endif
+
+#ifndef ETS_MAX_FINGERPRINT
+#define ETS_MAX_FINGERPRINT 10 /* 80-bits - per ETS spec */
+#endif
+#define ETS_MAX_FINGERPRINT_STR (ETS_MAX_FINGERPRINT*2+1)
+
+typedef struct EtsKey {
+ enum EtsKeyType type;
+ word32 fingerprintSz;
+ byte fingerprint[ETS_MAX_FINGERPRINT];
+ char contextStr[ETS_MAX_CONTEXT_STR];
+ word32 responseSz;
+ byte response[ETS_MAX_RESPONSE_SZ];
+ time_t expires; /* from HTTP HTTP_HDR_EXPIRES */
+
+ /* Internal Variables */
+ word32 useCount; /* times this key has been used */
+ unsigned char isDynamic:1; /* key is dynamically allocated */
+} EtsKey;
+
+/* Key callback Function */
+/* If return code is not zero then socket will be closed */
+typedef int (*EtsKeyCallbackFunc)(EtsClientCtx* client, EtsKey* key, void* cbCtx);
+
+/* ETS Client API's */
+/* Allocate new ETS client context */
+WOLFKM_API EtsClientCtx* wolfEtsClientNew(void);
+
+/* Setup the TLS mutual authentication key/certificate for accessing the ETS Key Manager */
+WOLFKM_API int wolfEtsClientSetKey(EtsClientCtx* client,
+ const char* keyFile, const char* keyPassword, const char* certFile,
+ int fileType);
+
+/* Setup the trusted CA certificate to verify authentic ETS Key Manager */
+WOLFKM_API int wolfEtsClientAddCA(EtsClientCtx* client,
+ const char* caFile);
+
+/* Open TLS session to ETS Key Manager */
+WOLFKM_API int wolfEtsClientConnect(EtsClientCtx* client,
+ const char* host, word16 port, int timeoutSec);
+
+WOLFKM_API int wolfEtsClientMakeRequest(EtsClientType type, const char* fingerprint,
+ const char* groups, const char* contextstr, byte* request, word32* requestSz);
+
+/* Get will return current key for provided fingerprint
+ * fingerprint: a SHA256 hash of public key first 80 bits of digest in big-
+ * endian format as HEX string (10 characters max)
+ * contextStr: Optional server info (for multiple server system)
+ * keyType can be DHE/ECDHE/X25519/X448
+ * return:
+ * - zero response means existing key is used,
+ * - negative is error
+ * - positive means new key retrieved */
+WOLFKM_API int wolfEtsClientGet(EtsClientCtx* client, EtsKey* key,
+ EtsKeyType keyType, const char* fingerprint, const char* contextStr,
+ int timeoutSec);
+
+/* This call will be blocking until socket failure or callback non-zero return
+ * when server pushes new keys the callback will trigger with EtsKey populated */
+WOLFKM_API int wolfEtsClientPush(EtsClientCtx* client, EtsKeyType keyType,
+ const char* fingerprint, const char* contextStr,
+ EtsKeyCallbackFunc cb, void* cbCtx);
+
+/* Retrieve key data for a fingerprint for replay (expired key is okay) */
+WOLFKM_API int wolfEtsClientFind(EtsClientCtx* client, EtsKey* key,
+ EtsKeyType keyType, const char* fingerprint, const char* contextStr,
+ int timeoutSec);
+
+/* Disconnect from ETS Key Manager */
+WOLFKM_API int wolfEtsClientClose(EtsClientCtx* client);
+
+/* Release ETS client context resources */
+WOLFKM_API void wolfEtsClientFree(EtsClientCtx* client);
+
+/* ETS Key API's */
+/* Allocate ETS key dynamically from heap.
+ * The EtsKey can come from stack, but must be memset to zero. */
+WOLFKM_API EtsKey* wolfEtsKeyNew(void);
+/* Returns the wolf PK type (enum wc_PkType) */
+WOLFKM_API int wolfEtsKeyGetPkType(EtsKey* key);
+/* Lookup the wolfSSL PK type (enum wc_PkType) from named group */
+WOLFKM_API int wolfEtsGetPkType(EtsKeyType type);
+/* Load key to WOLFSSL_CTX directly */
+WOLFKM_API int wolfEtsKeyLoadCTX(EtsKey* key, WOLFSSL_CTX* ctx);
+/* Load key to WOLFSSL session directly */
+WOLFKM_API int wolfEtsKeyLoadSSL(EtsKey* key, WOLFSSL* ssl);
+/* Get pointer to PKCS8 key response */
+WOLFKM_API int wolfEtsKeyGetPtr(EtsKey* key, byte** response, word32* responseSz);
+/* Generate a new key */
+WOLFKM_API int wolfEtsKeyGen(EtsKey* key, EtsKeyType keyType, WC_RNG* rng);
+/* Print ETS key data - for debugging / testing */
+WOLFKM_API void wolfEtsKeyPrint(EtsKey* key);
+/* Release ETS key resources */
+WOLFKM_API void wolfEtsKeyFree(EtsKey* key);
+
+WOLFKM_API const char* wolfEtsKeyNamedGroupStr(EtsKey* key);
+WOLFKM_API const char* wolfEtsKeyGetTypeStr(EtsKeyType type);
+
+/* Compute name for public key based on TLS key share */
+WOLFKM_API int wolfEtsCalcTlsFingerprint(EtsKeyType keyType,
+ const byte* pub, word32 pubSz, char* fpStr, word32* fpStrSz);
+
+/* Build public name for key */
+WOLFKM_API int wolfEtsKeyComputeName(EtsKey* key);
+
+/* These are required if using multiple threads sharing the wolfSSL library
+ * for init mutex protection */
+WOLFKM_API int wolfEtsClientInit(void);
+WOLFKM_API void wolfEtsClientCleanup(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFKM_ETS_H */
diff --git a/wolfkeymgr/mod_etsi.h b/wolfkeymgr/mod_etsi.h
deleted file mode 100644
index f45a9ef..0000000
--- a/wolfkeymgr/mod_etsi.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/* mod_etsi.h
- *
- * Copyright (C) 2006-2021 wolfSSL Inc.
- *
- * This file is part of wolf Key Manager.
- *
- * wolfKeyMgr is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * wolfKeyMgr is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-#ifndef WOLFKM_ETSI_H
-#define WOLFKM_ETSI_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include "wolfkeymgr/wkm_types.h"
-#include "wolfkeymgr/mod_http.h"
-#include "wolfkeymgr/mod_socket.h"
-#include "wolfkeymgr/mod_tls.h"
-
-
-#ifndef ETSI_MAX_REQUEST_SZ
-#define ETSI_MAX_REQUEST_SZ MAX_REQUEST_SIZE
-#endif
-#ifndef ETSI_MAX_RESPONSE_SZ
-#define ETSI_MAX_RESPONSE_SZ MAX_RESPONSE_SIZE
-#endif
-
-/* Determine max build-time DH key sizes */
-#if !defined(NO_DH) && !defined(MAX_DH_PRIV_SZ) && !defined(MAX_DH_PUB_SZ)
-#if defined(HAVE_FFDHE_8192)
- #define MAX_DH_PRIV_SZ 52
- #define MAX_DH_PUB_SZ 1024
-#elif defined(HAVE_FFDHE_6144)
- #define MAX_DH_PRIV_SZ 46
- #define MAX_DH_PUB_SZ 768
-#elif defined(HAVE_FFDHE_4096)
- #define MAX_DH_PRIV_SZ 39
- #define MAX_DH_PUB_SZ 512
-#elif defined(HAVE_FFDHE_3072)
- #define MAX_DH_PRIV_SZ 34
- #define MAX_DH_PUB_SZ 384
-#elif defined(HAVE_FFDHE_2048)
- #define MAX_DH_PRIV_SZ 29
- #define MAX_DH_PUB_SZ 256
-#else
- #error No DH FFDHE parameters enabled!
-#endif
-#endif
-
-/* opaque type for EtsiClientCtx (pointer reference only) */
-typedef struct EtsiClientCtx EtsiClientCtx;
-
-typedef enum EtsiClientType {
- ETSI_CLIENT_UNKNOWN,
- ETSI_CLIENT_GET, /* ask for key if current one is expired */
- ETSI_CLIENT_PUSH, /* remain connected and server will push new key */
-} EtsiClientType;
-
-typedef enum EtsiKeyType {
- ETSI_KEY_TYPE_UNKNOWN = 0,
- /* Named Groups: defined in clause 4.2.7 in IETF RFC 8446 */
- ETSI_KEY_TYPE_SECP160K1 = 15,
- ETSI_KEY_TYPE_SECP160R1 = 16,
- ETSI_KEY_TYPE_SECP160R2 = 17,
- ETSI_KEY_TYPE_SECP192K1 = 18,
- ETSI_KEY_TYPE_SECP192R1 = 19,
- ETSI_KEY_TYPE_SECP224K1 = 20,
- ETSI_KEY_TYPE_SECP224R1 = 21,
- ETSI_KEY_TYPE_SECP256K1 = 22,
- ETSI_KEY_TYPE_SECP256R1 = 23,
- ETSI_KEY_TYPE_SECP384R1 = 24,
- ETSI_KEY_TYPE_SECP521R1 = 25,
- ETSI_KEY_TYPE_BRAINPOOLP256R1 = 26,
- ETSI_KEY_TYPE_BRAINPOOLP384R1 = 27,
- ETSI_KEY_TYPE_BRAINPOOLP512R1 = 28,
- ETSI_KEY_TYPE_X25519 = 29,
- ETSI_KEY_TYPE_X448 = 30,
- ETSI_KEY_TYPE_FFDHE_2048 = 256,
- ETSI_KEY_TYPE_FFDHE_3072 = 257,
- ETSI_KEY_TYPE_FFDHE_4096 = 258,
- ETSI_KEY_TYPE_FFDHE_6144 = 259,
- ETSI_KEY_TYPE_FFDHE_8192 = 260,
-
- ETSI_KEY_TYPE_MIN = ETSI_KEY_TYPE_SECP160K1,
- ETSI_KEY_TYPE_MAX = ETSI_KEY_TYPE_FFDHE_8192,
-} EtsiKeyType;
-
-/* max context string (can be adjusted at build-time if desired) */
-#ifndef ETSI_MAX_CONTEXT_STR
-#define ETSI_MAX_CONTEXT_STR 32
-#endif
-
-#ifndef ETSI_MAX_FINGERPRINT
-#define ETSI_MAX_FINGERPRINT 10 /* 80-bits - per ETSI spec */
-#endif
-#define ETSI_MAX_FINGERPRINT_STR (ETSI_MAX_FINGERPRINT*2+1)
-
-typedef struct EtsiKey {
- enum EtsiKeyType type;
- word32 fingerprintSz;
- byte fingerprint[ETSI_MAX_FINGERPRINT];
- char contextStr[ETSI_MAX_CONTEXT_STR];
- word32 responseSz;
- byte response[ETSI_MAX_RESPONSE_SZ];
- time_t expires; /* from HTTP HTTP_HDR_EXPIRES */
-
- /* Internal Variables */
- word32 useCount; /* times this key has been used */
- unsigned char isDynamic:1; /* key is dynamically allocated */
-} EtsiKey;
-
-/* Key callback Function */
-/* If return code is not zero then socket will be closed */
-typedef int (*EtsiKeyCallbackFunc)(EtsiClientCtx* client, EtsiKey* key, void* cbCtx);
-
-/* ETSI Client API's */
-/* Allocate new ETSI client context */
-WOLFKM_API EtsiClientCtx* wolfEtsiClientNew(void);
-
-/* Setup the TLS mutual authentication key/certificate for accessing the ETSI Key Manager */
-WOLFKM_API int wolfEtsiClientSetKey(EtsiClientCtx* client,
- const char* keyFile, const char* keyPassword, const char* certFile,
- int fileType);
-
-/* Setup the trusted CA certificate to verify authentic ETSI Key Manager */
-WOLFKM_API int wolfEtsiClientAddCA(EtsiClientCtx* client,
- const char* caFile);
-
-/* Open TLS session to ETSI Key Manager */
-WOLFKM_API int wolfEtsiClientConnect(EtsiClientCtx* client,
- const char* host, word16 port, int timeoutSec);
-
-WOLFKM_API int wolfEtsiClientMakeRequest(EtsiClientType type, const char* fingerprint,
- const char* groups, const char* contextstr, byte* request, word32* requestSz);
-
-/* Get will return current key for provided fingerprint
- * fingerprint: a SHA256 hash of public key first 80 bits of digest in big-
- * endian format as HEX string (10 characters max)
- * contextStr: Optional server info (for multiple server system)
- * keyType can be DHE/ECDHE/X25519/X448
- * return:
- * - zero response means existing key is used,
- * - negative is error
- * - positive means new key retrieved */
-WOLFKM_API int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key,
- EtsiKeyType keyType, const char* fingerprint, const char* contextStr,
- int timeoutSec);
-
-/* This call will be blocking until socket failure or callback non-zero return
- * when server pushes new keys the callback will trigger with EtsiKey populated */
-WOLFKM_API int wolfEtsiClientPush(EtsiClientCtx* client, EtsiKeyType keyType,
- const char* fingerprint, const char* contextStr,
- EtsiKeyCallbackFunc cb, void* cbCtx);
-
-/* Retrieve key data for a fingerprint for replay (expired key is okay) */
-WOLFKM_API int wolfEtsiClientFind(EtsiClientCtx* client, EtsiKey* key,
- EtsiKeyType keyType, const char* fingerprint, const char* contextStr,
- int timeoutSec);
-
-/* Disconnect from ETSI Key Manager */
-WOLFKM_API int wolfEtsiClientClose(EtsiClientCtx* client);
-
-/* Release ETSI client context resources */
-WOLFKM_API void wolfEtsiClientFree(EtsiClientCtx* client);
-
-/* ETSI Key API's */
-/* Allocate ETSI key dynamically from heap.
- * The EtsiKey can come from stack, but must be memset to zero. */
-WOLFKM_API EtsiKey* wolfEtsiKeyNew(void);
-/* Returns the wolf PK type (enum wc_PkType) */
-WOLFKM_API int wolfEtsiKeyGetPkType(EtsiKey* key);
-/* Lookup the wolfSSL PK type (enum wc_PkType) from named group */
-WOLFKM_API int wolfEtsiGetPkType(EtsiKeyType type);
-/* Load key to WOLFSSL_CTX directly */
-WOLFKM_API int wolfEtsiKeyLoadCTX(EtsiKey* key, WOLFSSL_CTX* ctx);
-/* Load key to WOLFSSL session directly */
-WOLFKM_API int wolfEtsiKeyLoadSSL(EtsiKey* key, WOLFSSL* ssl);
-/* Get pointer to PKCS8 key response */
-WOLFKM_API int wolfEtsiKeyGetPtr(EtsiKey* key, byte** response, word32* responseSz);
-/* Generate a new key */
-WOLFKM_API int wolfEtsiKeyGen(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng);
-/* Print ETSI key data - for debugging / testing */
-WOLFKM_API void wolfEtsiKeyPrint(EtsiKey* key);
-/* Release ETSI key resources */
-WOLFKM_API void wolfEtsiKeyFree(EtsiKey* key);
-
-WOLFKM_API const char* wolfEtsiKeyNamedGroupStr(EtsiKey* key);
-WOLFKM_API const char* wolfEtsiKeyGetTypeStr(EtsiKeyType type);
-
-/* Compute name for public key based on TLS key share */
-WOLFKM_API int wolfEtsiCalcTlsFingerprint(EtsiKeyType keyType,
- const byte* pub, word32 pubSz, char* fpStr, word32* fpStrSz);
-
-/* Build public name for key */
-WOLFKM_API int wolfEtsiKeyComputeName(EtsiKey* key);
-
-/* These are required if using multiple threads sharing the wolfSSL library
- * for init mutex protection */
-WOLFKM_API int wolfEtsiClientInit(void);
-WOLFKM_API void wolfEtsiClientCleanup(void);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* WOLFKM_ETSI_H */
diff --git a/wolfkeymgr/svc_etsi.h b/wolfkeymgr/svc_ets.h
similarity index 56%
rename from wolfkeymgr/svc_etsi.h
rename to wolfkeymgr/svc_ets.h
index be43f3e..b327f99 100644
--- a/wolfkeymgr/svc_etsi.h
+++ b/wolfkeymgr/svc_ets.h
@@ -1,4 +1,4 @@
-/* svc_etsi.h
+/* svc_ets.h
 *
 * Copyright (C) 2006-2021 wolfSSL Inc.
 *
@@ -19,33 +19,33 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
-#ifndef WOLFKM_SVC_ETSI_H
-#define WOLFKM_SVC_ETSI_H
+#ifndef WOLFKM_SVC_ETS_H
+#define WOLFKM_SVC_ETS_H
 #ifdef __cplusplus
 extern "C" {
 #endif
-typedef struct EtsiSvcConfig {
- EtsiKeyType keyTypeDef; /* default key type */
+typedef struct EtsSvcConfig {
+ EtsKeyType keyTypeDef; /* default key type */
 word32 renewSec;
 word32 maxUseCount;
-} EtsiSvcConfig;
+} EtsSvcConfig;
-WOLFKM_LOCAL SvcInfo* wolfEtsiSvc_Init(const EtsiSvcConfig* config);
-WOLFKM_LOCAL int wolfEtsiSvc_Start(SvcInfo* svc, struct event_base* mainBase, const char* listenPort);
-WOLFKM_LOCAL void wolfEtsiSvc_Cleanup(SvcInfo* svc);
+WOLFKM_LOCAL SvcInfo* wolfEtsSvc_Init(const EtsSvcConfig* config);
+WOLFKM_LOCAL int wolfEtsSvc_Start(SvcInfo* svc, struct event_base* mainBase, const char* listenPort);
+WOLFKM_LOCAL void wolfEtsSvc_Cleanup(SvcInfo* svc);
-WOLFKM_LOCAL int wolfEtsiSvc_DoRequest(SvcConn* conn);
-WOLFKM_LOCAL int wolfEtsiSvc_HandleTimeout(SvcConn* conn);
-WOLFKM_LOCAL int wolfEtsiSvc_DoNotify(SvcConn* conn);
-WOLFKM_LOCAL void wolfEtsiSvc_ConnClose(SvcConn* conn);
+WOLFKM_LOCAL int wolfEtsSvc_DoRequest(SvcConn* conn);
+WOLFKM_LOCAL int wolfEtsSvc_HandleTimeout(SvcConn* conn);
+WOLFKM_LOCAL int wolfEtsSvc_DoNotify(SvcConn* conn);
+WOLFKM_LOCAL void wolfEtsSvc_ConnClose(SvcConn* conn);
-WOLFKM_LOCAL int wolfEtsiSvc_SetVaultFile(SvcInfo* svc, const char* vaultFile);
+WOLFKM_LOCAL int wolfEtsSvc_SetVaultFile(SvcInfo* svc, const char* vaultFile);
 #ifdef __cplusplus
 }
 #endif
-#endif /* WOLFKM_SVC_ETSI_H */
+#endif /* WOLFKM_SVC_ETS_H */
From 738bf129b5df69950e5ba52a0a0c439a08d7edfc Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 5 Nov 2021 10:53:15 -0700
Subject: [PATCH 7/9] Add support for x448.
---
 examples/middlebox/decrypt.c | 8 +++++++-
 src/mod_tls.c | 5 +++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/examples/middlebox/decrypt.c b/examples/middlebox/decrypt.c
index 8f0967a..b844797 100644
--- a/examples/middlebox/decrypt.c
+++ b/examples/middlebox/decrypt.c
@@ -81,6 +81,9 @@ static int myKeyCb(void* vSniffer, int namedGroup,
 #ifdef HAVE_CURVE25519
 static EtsKey keyX25519;
 #endif
+#ifdef HAVE_CURVE448
+ static EtsKey keyX448;
+#endif
 /* lookup based on key type */
 keyType = wolfEtsGetPkType(namedGroup);
@@ -101,7 +104,10 @@ static int myKeyCb(void* vSniffer, int namedGroup,
 #endif
 break;
 case WC_PK_TYPE_CURVE448:
- /* curve448 not yet supported in sniffer */
+ #ifdef HAVE_CURVE448
+ key = &keyX448;
+ #endif
+ break;
 default:
 /* not supported */
 key = NULL;
diff --git a/src/mod_tls.c b/src/mod_tls.c
index a8c1b06..4b032d1 100644
--- a/src/mod_tls.c
+++ b/src/mod_tls.c
@@ -233,6 +233,11 @@ static int wolfTlsInitSslDefaults(WOLFSSL_CTX* ctx, WOLFSSL** ssl)
 wolfSSL_SetIOReadCtx(tssl, cbCtx);
 wolfSSL_SetIOWriteCtx(tssl, cbCtx);
+ #if 0
+ /* example for forcing a key share type (see ssl.h Named Groups enum) */
+ wolfSSL_UseKeyShare(tssl, WOLFSSL_ECC_X448);
+ #endif
+
 *ssl = tssl;
 }
 return 0;
From 062c5c43a26361aec219f732c461b390319d222d Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 5 Nov 2021 14:09:03 -0700
Subject: [PATCH 8/9] Peer review cleanups. Not touching any of the license header issues.
---
 examples/ets_test/ets_test.c | 2 +-
 examples/https/README.md | 2 +-
 examples/https/server.c | 4 ++--
 src/mod_tls.c | 5 +++--
 4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/examples/ets_test/ets_test.c b/examples/ets_test/ets_test.c
index d923db6..706704a 100644
--- a/examples/ets_test/ets_test.c
+++ b/examples/ets_test/ets_test.c
@@ -57,7 +57,7 @@ typedef struct WorkThreadCtx {
 /* for error response in errorMode, 0 on success */
 static int DoErrorMode(void)
 {
- /* TODO: Add error case */
+ /* TODO: Add code to test expected error cases */
 return 0;
 }
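Review bot: In the `case WC_PK_TYPE_CURVE448:` branch of the `@@ -101,7 +104,10 @@` hunk, when `HAVE_CURVE448` is not defined the new `break;` leaves `key` untouched, whereas the old code fell through to `default:` and set `key = NULL`; unless `key` is initialized before the switch (the start of `myKeyCb` is outside the hunk), an unsupported group now hands the caller a stale or indeterminate pointer. Keeping the previous semantics needs only an else-arm inside the conditional: `#else` / `key = NULL; /* curve448 not enabled in this build */` / `#endif`. The preceding case ends the same way (`#endif` then `break;`), so this is presumably the file's existing pattern, but it is worth confirming that `key` starts as NULL.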
diff --git a/examples/https/README.md b/examples/https/README.md
index 06b0347..3b1f611 100644
--- a/examples/https/README.md
+++ b/examples/https/README.md
@@ -2,7 +2,7 @@ These examples demonstrate a basic HTTPS server and client for testing the ETS middle-box decryption with the wolf Key Manager tool.
-## TlS Server
+## TLS Server
 Usage: `./examples/https/server`
diff --git a/examples/https/server.c b/examples/https/server.c
index fd87c35..20540e8 100644
--- a/examples/https/server.c
+++ b/examples/https/server.c
@@ -131,8 +131,8 @@ int https_server_test(int argc, char** argv)
 if (useKeyMgr) {
 ret = ets_client_get_all(etsServer, ets_key_cb, ctx);
 if (ret != 0) {
- printf("\nFailure connecting to key manager\n");
- printf("Make sure ./src/wolfkeymgr is running\n");
+ fprintf(stderr, "\nFailure connecting to key manager\n");
+ fprintf(stderr, "Make sure ./src/wolfkeymgr is running\n");
 mStop = 1;
 goto end_sess;
 }
diff --git a/src/mod_tls.c b/src/mod_tls.c
index 4b032d1..641fe4e 100644
--- a/src/mod_tls.c
+++ b/src/mod_tls.c
@@ -234,8 +234,9 @@ static int wolfTlsInitSslDefaults(WOLFSSL_CTX* ctx, WOLFSSL** ssl)
 wolfSSL_SetIOWriteCtx(tssl, cbCtx);
 #if 0
- /* example for forcing a key share type (see ssl.h Named Groups enum) */
- wolfSSL_UseKeyShare(tssl, WOLFSSL_ECC_X448);
+ /* Example for forcing a key share type (see ssl.h Named Groups enum).
+ * WOLFSSL_FFDHE_2048, WOLFSSL_ECC_X25519, WOLFSSL_ECC_X448, etc... */
+ wolfSSL_UseKeyShare(tssl, WOLFSSL_ECC_SECP256R1);
 #endif
 *ssl = tssl;
From 1da40af3fe317f3faa6e9f27ef46dba5059f2217 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Mon, 8 Nov 2021 11:29:03 -0800
Subject: [PATCH 9/9] Disable wolfSSL logging by default in middle-box decrypt tool.
---
 examples/middlebox/decrypt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/middlebox/decrypt.c b/examples/middlebox/decrypt.c
index b844797..9644edf 100644
--- a/examples/middlebox/decrypt.c
+++ b/examples/middlebox/decrypt.c
@@ -385,7 +385,7 @@ int middlebox_decrypt_test(int argc, char** argv)
 #endif
 #ifdef DEBUG_WOLFSSL
 /* log setup */
- wolfSSL_Debugging_ON();
+ /* wolfSSL_Debugging_ON(); */
 wolfKeyMgr_SetLogFile(NULL, 0, WOLFKM_LOG_DEBUG);
 #endif
 ssl_Trace("./tracefile.txt", err);