feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge branch 'master' into blake2

Browse Source
This commit is contained in:
toddouska
2013-02-28 16:50:45 -08:00
parent e947c86e67 b4584e0a93
commit 3319ed9921
5 changed files with 42 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cyassl/error.h
View File

@@ -110,6 +110,7 @@ enum CyaSSL_ErrorCodes {
SANITY_CIPHER_E = -275, /* sanity check on cipher error */ SANITY_CIPHER_E = -275, /* sanity check on cipher error */
RECV_OVERFLOW_E = -276, /* RXCB returned more than rqed */ RECV_OVERFLOW_E = -276, /* RXCB returned more than rqed */
GEN_COOKIE_E = -277, /* Generate Cookie Error */ GEN_COOKIE_E = -277, /* Generate Cookie Error */
NO_PEER_VERIFY = -278, /* Need peer cert verify Error */
/* add strings to SetErrorString !!!!! */ /* add strings to SetErrorString !!!!! */
/* begin negotiation parameter errors */ /* begin negotiation parameter errors */

1
cyassl/internal.h
View File

@@ -1317,6 +1317,7 @@ typedef struct Options {
byte haveECDSAsig; /* server ECDSA signed cert */ byte haveECDSAsig; /* server ECDSA signed cert */
byte haveStaticECC; /* static server ECC private key */ byte haveStaticECC; /* static server ECC private key */
byte havePeerCert; /* do we have peer's cert */ byte havePeerCert; /* do we have peer's cert */
byte havePeerVerify; /* and peer's cert verify */
byte usingPSK_cipher; /* whether we're using psk as cipher */ byte usingPSK_cipher; /* whether we're using psk as cipher */
byte sendAlertState; /* nonblocking resume */ byte sendAlertState; /* nonblocking resume */
byte processReply; /* nonblocking resume */ byte processReply; /* nonblocking resume */

34
src/internal.c
View File

@@ -1192,6 +1192,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
ssl->options.haveECDSAsig = ctx->haveECDSAsig; ssl->options.haveECDSAsig = ctx->haveECDSAsig;
ssl->options.haveStaticECC = ctx->haveStaticECC; ssl->options.haveStaticECC = ctx->haveStaticECC;
ssl->options.havePeerCert = 0; ssl->options.havePeerCert = 0;
ssl->options.havePeerVerify = 0;
ssl->options.usingPSK_cipher = 0; ssl->options.usingPSK_cipher = 0;
ssl->options.sendAlertState = 0; ssl->options.sendAlertState = 0;
#ifndef NO_PSK #ifndef NO_PSK
@@ -1221,6 +1222,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
ssl->dtls_pool = NULL; ssl->dtls_pool = NULL;
ssl->dtls_msg_list = NULL; ssl->dtls_msg_list = NULL;
#endif #endif
ssl->keys.encryptSz = 0;
ssl->keys.encryptionOn = 0; /* initially off */ ssl->keys.encryptionOn = 0; /* initially off */
ssl->keys.decryptedCur = 0; /* initially off */ ssl->keys.decryptedCur = 0; /* initially off */
ssl->options.sessionCacheOff = ctx->sessionCacheOff; ssl->options.sessionCacheOff = ctx->sessionCacheOff;
@@ -1301,6 +1303,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
ssl->rng = NULL; ssl->rng = NULL;
ssl->arrays = NULL; ssl->arrays = NULL;
InitCiphers(ssl); InitCiphers(ssl);
InitCipherSpecs(&ssl->specs);
/* all done with init, now can return errors, call other stuff */ /* all done with init, now can return errors, call other stuff */
/* increment CTX reference count */ /* increment CTX reference count */
@@ -1340,8 +1343,10 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
return MEMORY_E; return MEMORY_E;
} }
if ( (ret = InitRng(ssl->rng)) != 0) if ( (ret = InitRng(ssl->rng)) != 0) {
CYASSL_MSG("RNG Init error");
return ret; return ret;
}
/* suites */ /* suites */
ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
@@ -4279,6 +4284,17 @@ int ProcessReply(CYASSL* ssl)
CYASSL_MSG("Malicious or corrupted ChangeCipher msg"); CYASSL_MSG("Malicious or corrupted ChangeCipher msg");
return LENGTH_ERROR; return LENGTH_ERROR;
} }
#ifndef NO_CERTS
if (ssl->options.side == SERVER_END &&
ssl->options.verifyPeer &&
ssl->options.havePeerCert)
if (!ssl->options.havePeerVerify) {
CYASSL_MSG("client didn't send cert verify");
return NO_PEER_VERIFY;
}
#endif
ssl->buffers.inputBuffer.idx++; ssl->buffers.inputBuffer.idx++;
ssl->keys.encryptionOn = 1; ssl->keys.encryptionOn = 1;
@@ -5433,6 +5449,10 @@ void SetErrorString(int error, char* str)
XSTRNCPY(str, "Generate Cookie Error", max); XSTRNCPY(str, "Generate Cookie Error", max);
break; break;
case NO_PEER_VERIFY:
XSTRNCPY(str, "Need peer certificate verify Error", max);
break;
default : default :
XSTRNCPY(str, "unknown error number", max); XSTRNCPY(str, "unknown error number", max);
} }
@@ -8772,7 +8792,7 @@ int SetCipherList(Suites* s, const char* list)
byte* out; byte* out;
int outLen; int outLen;
byte hashAlgo = sha_mac; byte hashAlgo = sha_mac;
byte sigAlgo; byte sigAlgo = anonymous_sa_algo;
#ifdef CYASSL_CALLBACKS #ifdef CYASSL_CALLBACKS
if (ssl->hsInfoOn) if (ssl->hsInfoOn)
@@ -8813,6 +8833,10 @@ int SetCipherList(Suites* s, const char* list)
int typeH = SHAh; int typeH = SHAh;
int digestSz = SHA_DIGEST_SIZE; int digestSz = SHA_DIGEST_SIZE;
if (sigAlgo != rsa_sa_algo) {
CYASSL_MSG("Oops, peer sent RSA key but not in verify");
}
if (hashAlgo == sha256_mac) { if (hashAlgo == sha256_mac) {
#ifndef NO_SHA256 #ifndef NO_SHA256
digest = ssl->certHashes.sha256; digest = ssl->certHashes.sha256;
@@ -8851,6 +8875,9 @@ int SetCipherList(Suites* s, const char* list)
CYASSL_MSG("Doing ECC peer cert verify"); CYASSL_MSG("Doing ECC peer cert verify");
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
if (sigAlgo != ecc_dsa_sa_algo) {
CYASSL_MSG("Oops, peer sent ECC key but not in verify");
}
if (hashAlgo == sha256_mac) { if (hashAlgo == sha256_mac) {
#ifndef NO_SHA256 #ifndef NO_SHA256
digest = ssl->certHashes.sha256; digest = ssl->certHashes.sha256;
@@ -8871,6 +8898,9 @@ int SetCipherList(Suites* s, const char* list)
ret = 0; /* verified */ ret = 0; /* verified */
} }
#endif #endif
if (ret == 0)
ssl->options.havePeerVerify = 1;
return ret; return ret;
} }
#endif /* !NO_RSA || HAVE_ECC */ #endif /* !NO_RSA || HAVE_ECC */

7
src/ssl.c
View File

@@ -147,6 +147,7 @@ void CyaSSL_CTX_free(CYASSL_CTX* ctx)
CYASSL* CyaSSL_new(CYASSL_CTX* ctx) CYASSL* CyaSSL_new(CYASSL_CTX* ctx)
{ {
CYASSL* ssl = NULL; CYASSL* ssl = NULL;
int ret = 0;
CYASSL_ENTER("SSL_new"); CYASSL_ENTER("SSL_new");
@@ -155,12 +156,12 @@ CYASSL* CyaSSL_new(CYASSL_CTX* ctx)
ssl = (CYASSL*) XMALLOC(sizeof(CYASSL), ctx->heap,DYNAMIC_TYPE_SSL); ssl = (CYASSL*) XMALLOC(sizeof(CYASSL), ctx->heap,DYNAMIC_TYPE_SSL);
if (ssl) if (ssl)
if (InitSSL(ssl, ctx) < 0) { if ( (ret = InitSSL(ssl, ctx)) < 0) {
FreeSSL(ssl); FreeSSL(ssl);
ssl = 0; ssl = 0;
} }
CYASSL_LEAVE("SSL_new", 0); CYASSL_LEAVE("SSL_new", ret);
return ssl; return ssl;
} }
@@ -2714,7 +2715,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
CYASSL_MSG("connect state: FIRST_REPLY_SECOND"); CYASSL_MSG("connect state: FIRST_REPLY_SECOND");
case FIRST_REPLY_SECOND : case FIRST_REPLY_SECOND :
#ifndef NO_RSA #ifndef NO_CERTS
if (ssl->options.sendVerify) if (ssl->options.sendVerify)
if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) {
CYASSL_ERROR(ssl->error); CYASSL_ERROR(ssl->error);

3
tests/include.am
View File

@@ -28,6 +28,9 @@ EXTRA_DIST += tests/test.conf \
tests/test-aesgcm-ecc.conf \ tests/test-aesgcm-ecc.conf \
tests/test-aesgcm-openssl.conf \ tests/test-aesgcm-openssl.conf \
tests/test-aesccm.conf \ tests/test-aesccm.conf \
tests/test-aesccm-ecc.conf \
tests/test-camellia.conf \
tests/test-camellia-openssl.conf \
tests/test-dtls.conf \ tests/test-dtls.conf \
tests/test-rabbit.conf \ tests/test-rabbit.conf \
tests/test-null.conf \ tests/test-null.conf \