diff --git a/configure.ac b/configure.ac index 7b36adfed..842b83e0d 100644 --- a/configure.ac +++ b/configure.ac @@ -341,6 +341,26 @@ fi AM_CONDITIONAL([BUILD_AESNI], [test "x$ENABLED_AESNI" = "xyes"]) +# MD2 +AC_ARG_ENABLE(md2, + [ --enable-md2 Enable CyaSSL MD2 support (default: disabled)], + [ ENABLED_MD2=$enableval ], + [ ENABLED_MD2=no ] + ) + +if test "$ENABLED_BUMP" = "yes" +then + ENABLED_MD2="yes" +fi + +if test "$ENABLED_MD2" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DCYASSL_MD2" +fi + +AM_CONDITIONAL([BUILD_MD2], [test "x$ENABLED_MD2" = "xyes"]) + + # RIPEMD AC_ARG_ENABLE(ripemd, [ --enable-ripemd Enable CyaSSL RIPEMD-160 support (default: disabled)], diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index bcfd5bfc3..9643f1030 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include @@ -1058,6 +1059,7 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->signature = 0; cert->subjectCN = 0; cert->subjectCNLen = 0; + cert->subjectCNStored = 0; cert->issuer[0] = '\0'; cert->subject[0] = '\0'; cert->source = source; /* don't own */ @@ -1099,7 +1101,7 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) void FreeDecodedCert(DecodedCert* cert) { - if (cert->subjectCNLen == 0) /* 0 means no longer pointer to raw, we own */ + if (cert->subjectCNStored == 1) XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN); if (cert->pubKeyStored == 1) XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); @@ -1362,10 +1364,6 @@ static int GetName(DecodedCert* cert, int nameType) cert->maxIdx) < 0) return ASN_PARSE_E; - if (strLen == 0) { - CYASSL_MSG("Zero length name"); - return ASN_PARSE_E; - } if (strLen > (int)(ASN_NAME_MAX - idx)) return ASN_PARSE_E; @@ -1950,6 +1948,16 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, typeH = MD5h; digestSz = MD5_DIGEST_SIZE; } +#ifdef CYASSL_MD2 + else if (sigOID == CTC_MD2wRSA) { + Md2 md2; + InitMd2(&md2); + Md2Update(&md2, buf, bufSz); + Md2Final(&md2, digest); + typeH = MD2h; + digestSz = MD2_DIGEST_SIZE; + } +#endif else if (sigOID == CTC_SHAwRSA || sigOID == CTC_SHAwDSA || sigOID == CTC_SHAwECDSA) { @@ -2331,7 +2339,7 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm) XMEMCPY(ptr, cert->subjectCN, cert->subjectCNLen); ptr[cert->subjectCNLen] = '\0'; cert->subjectCN = ptr; - cert->subjectCNLen = 0; + cert->subjectCNStored = 1; } if (cert->keyOID == RSAk && cert->pubKeySize > 0) { diff --git a/ctaocrypt/src/md2.c b/ctaocrypt/src/md2.c new file mode 100644 index 000000000..0c1bb9c38 --- /dev/null +++ b/ctaocrypt/src/md2.c @@ -0,0 +1,129 @@ +/* md2.c + * + * Copyright (C) 2006-2012 Sawtooth Consulting Ltd. + * + * This file is part of CyaSSL. + * + * CyaSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * CyaSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + + +#ifdef HAVE_CONFIG_H + #include +#endif + +#ifdef CYASSL_MD2 + +#include +#ifdef NO_INLINE + #include +#else + #include +#endif + + +void InitMd2(Md2* md2) +{ + XMEMSET(md2->X, 0, MD2_X_SIZE); + XMEMSET(md2->C, 0, MD2_BLOCK_SIZE); + XMEMSET(md2->buffer, 0, MD2_BLOCK_SIZE); + md2->count = 0; +} + + +void Md2Update(Md2* md2, const byte* data, word32 len) +{ + static const byte S[256] = + { + 41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6, + 19, 98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188, + 76, 130, 202, 30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24, + 138, 23, 229, 18, 190, 78, 196, 214, 218, 158, 222, 73, 160, 251, + 245, 142, 187, 47, 238, 122, 169, 104, 121, 145, 21, 178, 7, 63, + 148, 194, 16, 137, 11, 34, 95, 33, 128, 127, 93, 154, 90, 144, 50, + 39, 53, 62, 204, 231, 191, 247, 151, 3, 255, 25, 48, 179, 72, 165, + 181, 209, 215, 94, 146, 42, 172, 86, 170, 198, 79, 184, 56, 210, + 150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241, 69, 157, + 112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2, 27, + 96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15, + 85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197, + 234, 38, 44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65, + 129, 77, 82, 106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123, + 8, 12, 189, 177, 74, 120, 136, 149, 139, 227, 99, 232, 109, 233, + 203, 213, 254, 59, 0, 29, 57, 242, 239, 183, 14, 102, 88, 208, 228, + 166, 119, 114, 248, 235, 117, 75, 10, 49, 68, 80, 180, 143, 237, + 31, 26, 219, 153, 141, 51, 159, 17, 131, 20 + }; + + while (len) { + word32 L = (MD2_PAD_SIZE - md2->count) < len ? + (MD2_PAD_SIZE - md2->count) : len; + XMEMCPY(md2->buffer + md2->count, data, L); + md2->count += L; + data += L; + len -= L; + + if (md2->count == MD2_PAD_SIZE) { + int i; + byte t; + + md2->count = 0; + XMEMCPY(md2->X + MD2_PAD_SIZE, md2->buffer, MD2_PAD_SIZE); + t = md2->C[15]; + + for(i = 0; i < MD2_PAD_SIZE; i++) { + md2->X[32 + i] = md2->X[MD2_PAD_SIZE + i] ^ md2->X[i]; + t = md2->C[i] ^= S[md2->buffer[i] ^ t]; + } + + t=0; + for(i = 0; i < 18; i++) { + int j; + for(j = 0; j < MD2_X_SIZE; j += 8) { + t = md2->X[j+0] ^= S[t]; + t = md2->X[j+1] ^= S[t]; + t = md2->X[j+2] ^= S[t]; + t = md2->X[j+3] ^= S[t]; + t = md2->X[j+4] ^= S[t]; + t = md2->X[j+5] ^= S[t]; + t = md2->X[j+6] ^= S[t]; + t = md2->X[j+7] ^= S[t]; + } + t = (t + i) & 0xFF; + } + } + } +} + + +void Md2Final(Md2* md2, byte* hash) +{ + byte padding[MD2_BLOCK_SIZE]; + word32 padLen = MD2_PAD_SIZE - md2->count; + word32 i; + + for (i = 0; i < padLen; i++) + padding[i] = (byte)padLen; + + Md2Update(md2, padding, padLen); + Md2Update(md2, md2->C, MD2_BLOCK_SIZE); + + XMEMCPY(hash, md2->X, MD2_DIGEST_SIZE); + + InitMd2(md2); +} + + +#endif /* CYASSL_MD2 */ diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index 4f1f28716..ddb3e0149 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -32,6 +32,7 @@ #else #include #endif +#include #include #include #include @@ -86,6 +87,7 @@ typedef struct testVector { size_t outLen; } testVector; +int md2_test(); int md5_test(); int md4_test(); int sha_test(); @@ -149,6 +151,13 @@ void ctaocrypt_test(void* args) else printf( "MD5 test passed!\n"); +#ifdef CYASSL_MD2 + if ( (ret = md2_test()) ) + err_sys("MD2 test failed!\n", ret); + else + printf( "MD2 test passed!\n"); +#endif + #ifndef NO_MD4 if ( (ret = md4_test()) ) err_sys("MD4 test failed!\n", ret); @@ -309,6 +318,83 @@ void ctaocrypt_test(void* args) #endif /* NO_MAIN_DRIVER */ +#ifdef CYASSL_MD2 +int md2_test() +{ + Md2 md2; + byte hash[MD2_DIGEST_SIZE]; + + testVector a, b, c, d, e, f, g; + testVector test_md2[7]; + int times = sizeof(test_md2) / sizeof(testVector), i; + + a.input = ""; + a.output = "\x83\x50\xe5\xa3\xe2\x4c\x15\x3d\xf2\x27\x5c\x9f\x80\x69" + "\x27\x73"; + a.inLen = strlen(a.input); + a.outLen = strlen(a.output); + + b.input = "a"; + b.output = "\x32\xec\x01\xec\x4a\x6d\xac\x72\xc0\xab\x96\xfb\x34\xc0" + "\xb5\xd1"; + b.inLen = strlen(b.input); + b.outLen = strlen(b.output); + + c.input = "abc"; + c.output = "\xda\x85\x3b\x0d\x3f\x88\xd9\x9b\x30\x28\x3a\x69\xe6\xde" + "\xd6\xbb"; + c.inLen = strlen(c.input); + c.outLen = strlen(c.output); + + d.input = "message digest"; + d.output = "\xab\x4f\x49\x6b\xfb\x2a\x53\x0b\x21\x9f\xf3\x30\x31\xfe" + "\x06\xb0"; + d.inLen = strlen(d.input); + d.outLen = strlen(d.output); + + e.input = "abcdefghijklmnopqrstuvwxyz"; + e.output = "\x4e\x8d\xdf\xf3\x65\x02\x92\xab\x5a\x41\x08\xc3\xaa\x47" + "\x94\x0b"; + e.inLen = strlen(e.input); + e.outLen = strlen(e.output); + + f.input = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345" + "6789"; + f.output = "\xda\x33\xde\xf2\xa4\x2d\xf1\x39\x75\x35\x28\x46\xc3\x03" + "\x38\xcd"; + f.inLen = strlen(f.input); + f.outLen = strlen(f.output); + + g.input = "1234567890123456789012345678901234567890123456789012345678" + "9012345678901234567890"; + g.output = "\xd5\x97\x6f\x79\xd8\x3d\x3a\x0d\xc9\x80\x6c\x3c\x66\xf3" + "\xef\xd8"; + g.inLen = strlen(g.input); + g.outLen = strlen(g.output); + + test_md2[0] = a; + test_md2[1] = b; + test_md2[2] = c; + test_md2[3] = d; + test_md2[4] = e; + test_md2[5] = f; + test_md2[6] = g; + + InitMd2(&md2); + + for (i = 0; i < times; ++i) { + Md2Update(&md2, (byte*)test_md2[i].input, (word32)test_md2[i].inLen); + Md2Final(&md2, hash); + + if (memcmp(hash, test_md2[i].output, MD2_DIGEST_SIZE) != 0) + return -155 - i; + } + + return 0; +} +#endif + + int md5_test() { Md5 md5; diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 0e574a418..7dbd59f8d 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -221,6 +221,7 @@ struct DecodedCert { byte* signature; /* not owned, points into raw cert */ char* subjectCN; /* CommonName */ int subjectCNLen; + int subjectCNStored; /* have we saved a copy we own */ char issuer[ASN_NAME_MAX]; /* full name including common name */ char subject[ASN_NAME_MAX]; /* full name including common name */ int verify; /* Default to yes, but could be off */ diff --git a/cyassl/ctaocrypt/include.am b/cyassl/ctaocrypt/include.am index a268bb95f..6b27ff13b 100644 --- a/cyassl/ctaocrypt/include.am +++ b/cyassl/ctaocrypt/include.am @@ -15,6 +15,7 @@ nobase_include_HEADERS+= \ cyassl/ctaocrypt/hc128.h \ cyassl/ctaocrypt/hmac.h \ cyassl/ctaocrypt/integer.h \ + cyassl/ctaocrypt/md2.h \ cyassl/ctaocrypt/md4.h \ cyassl/ctaocrypt/md5.h \ cyassl/ctaocrypt/misc.h \ diff --git a/cyassl/ctaocrypt/md2.h b/cyassl/ctaocrypt/md2.h new file mode 100644 index 000000000..a57a92fb0 --- /dev/null +++ b/cyassl/ctaocrypt/md2.h @@ -0,0 +1,64 @@ +/* md2.h + * + * Copyright (C) 2006-2012 Sawtooth Consulting Ltd. + * + * This file is part of CyaSSL. + * + * CyaSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * CyaSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + + +#ifdef CYASSL_MD2 + +#ifndef CTAO_CRYPT_MD2_H +#define CTAO_CRYPT_MD2_H + +#include + +#ifdef __cplusplus + extern "C" { +#endif + + +/* in bytes */ +enum { + MD2 = 6, /* hash type unique */ + MD2_BLOCK_SIZE = 16, + MD2_DIGEST_SIZE = 16, + MD2_PAD_SIZE = 16, + MD2_X_SIZE = 48 +}; + + +/* Md2 digest */ +typedef struct Md2 { + word32 count; /* bytes % PAD_SIZE */ + byte X[MD2_X_SIZE]; + byte C[MD2_BLOCK_SIZE]; + byte buffer[MD2_BLOCK_SIZE]; +} Md2; + + +CYASSL_API void InitMd2(Md2*); +CYASSL_API void Md2Update(Md2*, const byte*, word32); +CYASSL_API void Md2Final(Md2*, byte*); + + +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* CTAO_CRYPT_MD2_H */ +#endif /* CYASSL_MD2 */ diff --git a/cyassl/error.h b/cyassl/error.h index 8909df6a3..c3b79d0ce 100644 --- a/cyassl/error.h +++ b/cyassl/error.h @@ -100,6 +100,7 @@ enum CyaSSL_ErrorCodes { OCSP_NEED_URL = -265, /* OCSP need an URL for lookup */ OCSP_CERT_UNKNOWN = -266, /* OCSP responder doesn't know */ OCSP_LOOKUP_FAIL = -267, /* OCSP lookup not successful */ + MAX_CHAIN_ERROR = -268, /* max chain depth exceeded */ /* add strings to SetErrorString !!!!! */ /* begin negotiation parameter errors */ diff --git a/cyassl/internal.h b/cyassl/internal.h index a89cbde8c..4431f6550 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -446,7 +446,7 @@ enum Misc { MAX_EX_DATA = 3, /* allow for three items of ex_data */ MAX_CHAIN_DEPTH = 9, /* max cert chain peer depth, FORTRESS option */ #else - MAX_CHAIN_DEPTH = 4, /* max cert chain peer depth */ + MAX_CHAIN_DEPTH = 6, /* max cert chain peer depth */ #endif MAX_X509_SIZE = 2048, /* max static x509 buffer size */ CERT_MIN_SIZE = 256, /* min PEM cert size with header/footer */ diff --git a/cyassl/test.h b/cyassl/test.h index 8e682fb71..c13ec8caa 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -96,6 +96,8 @@ #endif +#define SERVER_DEFAULT_VERSION 3 + /* all certs relative to CyaSSL home directory now */ static const char* caCert = "./certs/ca-cert.pem"; static const char* eccCert = "./certs/server-ecc.pem"; @@ -298,17 +300,16 @@ static INLINE void tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port) } -static INLINE void tcp_listen(SOCKET_T* sockfd) +static INLINE void tcp_listen(SOCKET_T* sockfd, int port, int useAnyAddr) { SOCKADDR_IN_T addr; /* don't use INADDR_ANY by default, firewall may block, make user switch on */ -#ifdef USE_ANY_ADDR - tcp_socket(sockfd, &addr, INADDR_ANY, yasslPort); -#else - tcp_socket(sockfd, &addr, yasslIP, yasslPort); -#endif + if (useAnyAddr) + tcp_socket(sockfd, &addr, INADDR_ANY, port); + else + tcp_socket(sockfd, &addr, yasslIP, port); #ifndef USE_WINDOWS_API { @@ -379,7 +380,8 @@ static INLINE void udp_accept(SOCKET_T* sockfd, int* clientfd, func_args* args) *clientfd = udp_read_connect(*sockfd); } -static INLINE void tcp_accept(SOCKET_T* sockfd, int* clientfd, func_args* args) +static INLINE void tcp_accept(SOCKET_T* sockfd, int* clientfd, func_args* args, + int port, int useAnyAddr) { SOCKADDR_IN_T client; socklen_t client_len = sizeof(client); @@ -389,7 +391,7 @@ static INLINE void tcp_accept(SOCKET_T* sockfd, int* clientfd, func_args* args) return; #endif - tcp_listen(sockfd); + tcp_listen(sockfd, port, useAnyAddr); #if defined(_POSIX_THREADS) && defined(NO_MAIN_DRIVER) /* signal ready to tcp_accept */ diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index e726f4a8f..2abe64a87 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -58,6 +58,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) int outCreated = 0; int shutdown = 0; + int useAnyAddr = 0; int argc = ((func_args*)args)->argc; char** argv = ((func_args*)args)->argv; @@ -72,7 +73,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) ((func_args*)args)->return_code = -1; /* error state */ - tcp_listen(&sockfd); + tcp_listen(&sockfd, yasslPort, useAnyAddr); #if defined(CYASSL_DTLS) method = CyaDTLSv1_server_method(); @@ -236,7 +237,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) CyaSSL_free(ssl); CloseSocket(clientfd); #ifdef CYASSL_DTLS - tcp_listen(&sockfd); + tcp_listen(&sockfd, yasslPort, useAnyAddr); SignalReady(args); #endif } diff --git a/examples/server/server.c b/examples/server/server.c index 1403a109f..a403b1878 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -25,6 +25,7 @@ #include #include +#include #ifdef CYASSL_CALLBACKS @@ -63,6 +64,24 @@ #endif +static void Usage(void) +{ + printf("server " VERSION " NOTE: All files relative to CyaSSL home dir" + "\n"); + printf("-? Help, print this usage\n"); + printf("-p Port to listen on, default %d\n", yasslPort); + printf("-v SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n", + SERVER_DEFAULT_VERSION); + printf("-l Cipher list\n"); + printf("-c Certificate file, default %s\n", svrCert); + printf("-k Key file, default %s\n", svrKey); + printf("-A Certificate Authority file, default %s\n", cliCert); + printf("-d Disable client cert check\n"); + printf("-b Bind to any interface instead of localhost only\n"); + printf("-s Use pre Shared keys\n"); +} + + THREAD_RETURN CYASSL_THREAD server_test(void* args) { SOCKET_T sockfd = 0; @@ -72,93 +91,160 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) SSL_CTX* ctx = 0; SSL* ssl = 0; - char msg[] = "I hear you fa shizzle!"; - char input[1024]; - int idx; - + char msg[] = "I hear you fa shizzle!"; + char input[1024]; + int idx; + int ch; + int version = SERVER_DEFAULT_VERSION; + int doCliCertCheck = 1; + int useAnyAddr = 0; + int port = yasslPort; + int usePsk = 0; + char* cipherList = NULL; + char* verifyCert = (char*)cliCert; + char* ourCert = (char*)svrCert; + char* ourKey = (char*)svrKey; + int argc = ((func_args*)args)->argc; + char** argv = ((func_args*)args)->argv; + ((func_args*)args)->return_code = -1; /* error state */ -#if defined(CYASSL_DTLS) - method = DTLSv1_server_method(); -#elif !defined(NO_TLS) - method = SSLv23_server_method(); -#else - method = SSLv3_server_method(); -#endif - ctx = SSL_CTX_new(method); + + while ((ch = getopt(argc, argv, "?dbsp:v:l:A:c:k:")) != -1) { + switch (ch) { + case '?' : + Usage(); + exit(EXIT_SUCCESS); + + case 'd' : + doCliCertCheck = 0; + break; + + case 'b' : + useAnyAddr = 1; + break; + + case 's' : + usePsk = 1; + break; + + case 'p' : + port = atoi(optarg); + break; + + case 'v' : + version = atoi(optarg); + if (version < 0 || version > 3) { + Usage(); + exit(EX_USAGE); + } + break; + + case 'l' : + cipherList = optarg; + break; + + case 'A' : + verifyCert = optarg; + break; + + case 'c' : + ourCert = optarg; + break; + + case 'k' : + ourKey = optarg; + break; + + default: + Usage(); + exit(EX_USAGE); + } + } + + argc -= optind; + argv += optind; + + switch (version) { + case 0: + method = SSLv3_server_method(); + break; + + case 1: + method = TLSv1_server_method(); + break; + + case 2: + method = TLSv1_1_server_method(); + break; + + case 3: + method = TLSv1_2_server_method(); + break; + + default: + err_sys("Bad SSL version"); + } + + if (method == NULL) + err_sys("unable to get method"); + + ctx = SSL_CTX_new(method); + if (ctx == NULL) + err_sys("unable to get ctx"); + + if (cipherList) + if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS) + err_sys("can't set cipher list"); + + if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM) + != SSL_SUCCESS) + err_sys("can't load server cert file, check file and run from" + " CyaSSL home dir"); + + if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) + != SSL_SUCCESS) + err_sys("can't load server cert file, check file and run from" + " CyaSSL home dir"); #ifndef NO_PSK - /* do PSK */ - SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb); - SSL_CTX_use_psk_identity_hint(ctx, "cyassl server"); - SSL_CTX_set_cipher_list(ctx, "PSK-AES256-CBC-SHA"); -#else - /* not using PSK, verify peer with certs */ - SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0); + if (usePsk) { + SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb); + SSL_CTX_use_psk_identity_hint(ctx, "cyassl server"); + if (cipherList == NULL) + if (SSL_CTX_set_cipher_list(ctx,"PSK-AES256-CBC-SHA") !=SSL_SUCCESS) + err_sys("can't set cipher list"); + } #endif + /* if not using PSK, verify peer with certs */ + if (doCliCertCheck && usePsk == 0) { + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | + SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0); + if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) + err_sys("can't load ca file, Please run from CyaSSL home dir"); + } + #ifdef OPENSSL_EXTRA SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); #endif -#ifndef NO_FILESYSTEM - /* for client auth */ - if (SSL_CTX_load_verify_locations(ctx, cliCert, 0) != SSL_SUCCESS) - err_sys("can't load ca file, Please run from CyaSSL home dir"); - - #ifdef HAVE_ECC - if (SSL_CTX_use_certificate_file(ctx, eccCert, SSL_FILETYPE_PEM) - != SSL_SUCCESS) - err_sys("can't load server ecc cert file, " - "Please run from CyaSSL home dir"); - - if (SSL_CTX_use_PrivateKey_file(ctx, eccKey, SSL_FILETYPE_PEM) - != SSL_SUCCESS) - err_sys("can't load server ecc key file, " - "Please run from CyaSSL home dir"); - /* for client auth */ - if (SSL_CTX_load_verify_locations(ctx, cliEccCert, 0) != SSL_SUCCESS) - err_sys("can't load ecc ca file, Please run from CyaSSL home dir"); - - #elif HAVE_NTRU - if (SSL_CTX_use_certificate_file(ctx, ntruCert, SSL_FILETYPE_PEM) - != SSL_SUCCESS) - err_sys("can't load ntru cert file, " - "Please run from CyaSSL home dir"); - - if (CyaSSL_CTX_use_NTRUPrivateKey_file(ctx, ntruKey) - != SSL_SUCCESS) - err_sys("can't load ntru key file, " - "Please run from CyaSSL home dir"); - #else /* normal */ - if (SSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM) - != SSL_SUCCESS) - err_sys("can't load server cert chain file, " - "Please run from CyaSSL home dir"); - - if (SSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM) - != SSL_SUCCESS) - err_sys("can't load server key file, " - "Please run from CyaSSL home dir"); - #endif /* NTRU */ -#else - load_buffer(ctx, cliCert, CYASSL_CA); - load_buffer(ctx, svrCert, CYASSL_CERT); - load_buffer(ctx, svrKey, CYASSL_KEY); -#endif /* NO_FILESYSTEM */ - #if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) /* don't use EDH, can't sniff tmp keys */ - SSL_CTX_set_cipher_list(ctx, "AES256-SHA"); + if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA") != SSL_SUCCESS) + err_sys("can't set cipher list"); #endif ssl = SSL_new(ctx); + if (ssl == NULL) + err_sys("unable to get SSL"); + #ifdef HAVE_CRL CyaSSL_EnableCRL(ssl, 0); CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON); CyaSSL_SetCRL_Cb(ssl, CRL_CallBack); #endif - tcp_accept(&sockfd, &clientfd, (func_args*)args); + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr); #ifndef CYASSL_DTLS CloseSocket(sockfd); #endif diff --git a/src/include.am b/src/include.am index 60037f766..c6ce57491 100644 --- a/src/include.am +++ b/src/include.am @@ -36,6 +36,10 @@ if BUILD_AESNI src_libcyassl_la_SOURCES += ctaocrypt/src/aes_asm.s endif +if BUILD_MD2 +src_libcyassl_la_SOURCES += ctaocrypt/src/md2.c +endif + if BUILD_RIPEMD src_libcyassl_la_SOURCES += ctaocrypt/src/ripemd.c endif diff --git a/src/internal.c b/src/internal.c index 19af1581d..67beab96f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1686,7 +1686,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) word32 certSz; if (totalCerts >= MAX_CHAIN_DEPTH) - return BUFFER_E; + return MAX_CHAIN_ERROR; c24to32(&input[i], &certSz); i += CERT_HEADER_SZ; @@ -3747,6 +3747,10 @@ void SetErrorString(int error, char* str) XSTRNCPY(str, "OCSP Responder lookup fail", max); break; + case MAX_CHAIN_ERROR: + XSTRNCPY(str, "Maximum Chain Depth Exceeded", max); + break; + default : XSTRNCPY(str, "unknown error number", max); } diff --git a/tests/api.c b/tests/api.c index c0067b9f5..2862c5007 100644 --- a/tests/api.c +++ b/tests/api.c @@ -603,7 +603,7 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args) return 0; } ssl = CyaSSL_new(ctx); - tcp_accept(&sockfd, &clientfd, (func_args*)args); + tcp_accept(&sockfd, &clientfd, (func_args*)args, yasslPort, 0); #ifndef CYASSL_DTLS CloseSocket(sockfd); #endif