Force WolfSSL side-channel resistance

There seems to be some build-bug in WolfSSL, such that even though
--enable-harden (HARDEN) is default, it's not set correctly in options.h .

So we define it correctly just after parsing all other config options
BUT BEFORE we load the rest of WolfSSL headers.

These will be defined no matter what options are given to wolfssl ./configure:

ECC_TIMING_RESISTANT
TFM_TIMING_RESISTANT

src/hush/tlsmanager.cpp

@@ -5,10 +5,8 @@
 #include <wolfssl/ssl.h>
 #include <wolfssl/openssl/dh.h>
 #include <wolfssl/wolfcrypt/asn.h>
-
 #include <boost/filesystem.hpp>
 #include <boost/thread.hpp>
-
 #include "tlsmanager.h"
 #include "utiltls.h"
 
@@ -70,18 +68,15 @@ static WOLFSSL_DH *get_dh2048(void)
     return dh;
 }
 
-DH *tmp_dh_callback(WOLFSSL *ssl, int is_export, int keylength)
+DH *tmp_dh_callback(WOLFSSL *ssl, int is_export, int keylength) {
-{
+    LogPrint("tls", "TLS: %s: %s():%d - Using Diffie-Hellman param for PFS: is_export=%d, keylength=%d\n", __FILE__, __func__, __LINE__, is_export, keylength);
-    LogPrint("tls", "TLS: %s: %s():%d - Using Diffie-Hellman param for PFS: is_export=%d, keylength=%d\n",
-        __FILE__, __func__, __LINE__, is_export, keylength);
 
     return get_dh2048();
 }
 
-int TLSManager::waitFor(SSLConnectionRoutine eRoutine, SOCKET hSocket, WOLFSSL* ssl, int timeoutSec, unsigned long& err_code)
+int TLSManager::waitFor(SSLConnectionRoutine eRoutine, SOCKET hSocket, WOLFSSL* ssl, int timeoutSec, unsigned long& err_code) {
-{
     int retOp = 0;
-    err_code = 0;
+    err_code  = 0;
     char err_buffer[1024];
 
     while (true)
@@ -231,26 +226,23 @@ WOLFSSL* TLSManager::connect(SOCKET hSocket, const CAddress& addrConnect, unsign
     if ((ssl = wolfSSL_new(tls_ctx_client))) {
         if (wolfSSL_set_fd(ssl, hSocket)) {
             int ret = TLSManager::waitFor(SSL_CONNECT, hSocket, ssl, (DEFAULT_CONNECT_TIMEOUT / 1000), err_code);
-            if (ret == 1)
+            if (ret == 1) {
-            {
                 bConnectedTLS = true;
+            } else {
+                LogPrint("tls", "%s: timed out waiting for %s\n", __func__, addrConnect.ToString());
             }
         }
-    }
+    } else {
-    else
-    {
         err_code = wolfSSL_ERR_get_error();
         const char* error_str = wolfSSL_ERR_error_string(err_code, err_buffer);
-        LogPrint("tls", "TLS: %s: %s():%d - SSL_new failed err: %s\n",
+        LogPrint("tls", "TLS: %s: %s():%d - SSL_new failed err: %s\n", __FILE__, __func__, __LINE__, err_buffer);
-            __FILE__, __func__, __LINE__, err_buffer);
     }
 
     if (bConnectedTLS) {
         LogPrintf("TLS: connection to %s has been established (tlsv = %s 0x%04x / ssl = %s 0x%x ). Using cipher: %s\n",
             addrConnect.ToString(), wolfSSL_get_version(ssl), wolfSSL_version(ssl), wolfSSL_OpenSSL_version(), wolfSSL_lib_version_hex(), wolfSSL_get_cipher_name(ssl));
     } else {
-        LogPrintf("TLS: %s: %s():%d - TLS connection to %s failed (err_code 0x%X)\n",
+        LogPrintf("TLS: %s: %s():%d - TLS connection to %s timed out\n", __FILE__, __func__, __LINE__, addrConnect.ToString(), err_code);
-            __FILE__, __func__, __LINE__, addrConnect.ToString(), err_code);
 
         if (ssl) {
             wolfSSL_free(ssl);
@@ -444,13 +436,10 @@ WOLFSSL* TLSManager::accept(SOCKET hSocket, const CAddress& addr, unsigned long&
                 bAcceptedTLS = true;
             }
         }
-    }
+    } else {
-    else
-    {
         err_code = wolfSSL_ERR_get_error();
         const char* error_str = wolfSSL_ERR_error_string(err_code, err_buffer);
-        LogPrint("tls", "TLS: %s: %s():%d - SSL_new failed err: %s\n",
+        LogPrint("tls", "TLS: %s: %s():%d - SSL_new failed err: %s\n", __FILE__, __func__, __LINE__, err_buffer);
-            __FILE__, __func__, __LINE__, err_buffer);
     }
 
     if (bAcceptedTLS) {
@@ -463,8 +452,7 @@ WOLFSSL* TLSManager::accept(SOCKET hSocket, const CAddress& addr, unsigned long&
             LogPrint("tls", "TLS: supporting cipher: %s\n", wolfSSL_CIPHER_get_name(c));
         }
     } else {
-        LogPrintf("TLS: %s: %s():%d - TLS connection from %s failed (err_code 0x%X)\n",
+        LogPrintf("TLS: %s: %s():%d - TLS connection from %s failed (err_code 0x%X)\n", __FILE__, __func__, __LINE__, addr.ToString(), err_code);
-            __FILE__, __func__, __LINE__, addr.ToString(), err_code);
 
         if (ssl) {
             SSL_free(ssl);

src/hush/tlsmanager.h

@@ -33,10 +33,7 @@ bool operator==(const _NODE_ADDR b) const
 }
 } NODE_ADDR, *PNODE_ADDR;
 
-/**
+// A class to wrap some of hush specific TLS functionalities used in the net.cpp
- * @brief A class to wrap some of hush specific TLS functionalities used in the net.cpp
- * 
- */
 class TLSManager
 {
 public:

src/net.h

@@ -42,9 +42,13 @@
 #include <boost/filesystem/path.hpp>
 #include <boost/foreach.hpp>
 #include <boost/signals2/signal.hpp>
-// Enable side-channel resistant WolfSSL Support for Hush
+// Enable WolfSSL Support for Hush
-#define ECC_TIMING_RESISTANT 420
 #include <wolfssl/options.h>
+// TODO: these are not set correctly by wolfssl for some reason. Ja bless.
+#undef ECC_TIMING_RESISTANT
+#undef TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT 420
+#define TFM_TIMING_RESISTANT 420
 #include <wolfssl/ssl.h>
 
 class CAddrMan;