From 4f9e915bc18e57003e895f954d32f3ffcf569afd Mon Sep 17 00:00:00 2001
From: toddouska
Date: Tue, 19 Mar 2013 12:18:52 -0700
Subject: [PATCH] add KEEP_PEER_CERT flag for non opensslextra peer cert storage, ssn3
---
 cyassl/ctaocrypt/settings.h | 7 +++++++
 cyassl/internal.h | 5 ++---
 cyassl/test.h | 8 ++++++--
 src/internal.c | 12 +++++++-----
 src/ssl.c | 12 ++++++------
 5 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/cyassl/ctaocrypt/settings.h b/cyassl/ctaocrypt/settings.h
index d070aaa5c..9b42b6e1f 100644
--- a/cyassl/ctaocrypt/settings.h
+++ b/cyassl/ctaocrypt/settings.h
@@ -471,6 +471,13 @@
     #define USE_CYASSL_MEMORY
 #endif
+
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS)
+    #undef KEEP_PEER_CERT
+    #define KEEP_PEER_CERT
+#endif
+
+
 /* Place any other flags or defines here */
diff --git a/cyassl/internal.h b/cyassl/internal.h
index 1ece4556f..60ba02e8f 100644
--- a/cyassl/internal.h
+++ b/cyassl/internal.h
@@ -112,6 +112,7 @@
     #define SHA256_DIGEST_SIZE 32
 #endif
+
 #ifdef __cplusplus
     extern "C" {
 #endif
@@ -1634,7 +1635,7 @@ struct CYASSL {
     byte hsInfoOn; /* track handshake info */
     byte toInfoOn; /* track timeout info */
 #endif
-#ifdef OPENSSL_EXTRA
+#ifdef KEEP_PEER_CERT
     CYASSL_X509 peerCert; /* X509 peer cert */
 #endif
 #ifdef FORTRESS
@@ -1868,8 +1869,6 @@ CYASSL_LOCAL int GrowInputBuffer(CYASSL* ssl, int size, int usedLength);
 #endif /* NO_TLS */
-
-
 typedef double timer_d;
 CYASSL_LOCAL timer_d Timer(void);
diff --git a/cyassl/test.h b/cyassl/test.h
index bc93e7ace..b3fa3823e 100644
--- a/cyassl/test.h
+++ b/cyassl/test.h
@@ -253,11 +253,12 @@ static INLINE int PasswordCallBack(char* passwd, int sz, int rw, void* userdata)
 static INLINE void showPeer(CYASSL* ssl)
 {
-#ifdef OPENSSL_EXTRA
     CYASSL_CIPHER* cipher;
+#ifdef KEEP_PEER_CERT
     CYASSL_X509* peer = CyaSSL_get_peer_certificate(ssl);
     if (peer) {
+#ifdef OPENSSL_EXTRA
         char* altName;
         char* issuer = CyaSSL_X509_NAME_oneline( CyaSSL_X509_get_issuer_name(peer), 0, 0);
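Review bot: The new KEEP_PEER_CERT flag is introduced in settings.h without any comment saying what it enables, and nothing stops a build that passes KEEP_PEER_CERT by hand together with NO_CERTS, in which case the CYASSL_X509 member this patch adds to struct CYASSL exists but, as far as the patch shows, nothing would ever fill it. Suggest a comment above the block, `/* KEEP_PEER_CERT: keep the peer's X509 in the CYASSL object so CyaSSL_get_peer_certificate() works without OPENSSL_EXTRA; implied by OPENSSL_EXTRA unless NO_CERTS */`, plus a guard `#if defined(KEEP_PEER_CERT) && defined(NO_CERTS)` / `#error KEEP_PEER_CERT requires certificate support` (or an `#undef`, whichever matches how settings.h treats other NO_* conflicts). The `#undef` before the `#define` is presumably there to silence a redefinition warning when the user also passes -DKEEP_PEER_CERT; that is worth stating in the comment so nobody removes it.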
@@ -289,14 +290,17 @@ static INLINE void showPeer(CYASSL* ssl)
         XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
         XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL);
+#else
+        printf("peer has a cert!\n");
+#endif
     }
     else
         printf("peer has no cert!\n");
+#endif
     printf("SSL version is %s\n", CyaSSL_get_version(ssl));
     cipher = CyaSSL_get_current_cipher(ssl);
     printf("SSL cipher suite is %s\n", CyaSSL_CIPHER_get_name(cipher));
-#endif
 #if defined(SESSION_CERTS) && defined(SHOW_CERTS)
     {
diff --git a/src/internal.c b/src/internal.c
index bb3825acd..8e245b4f4 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1203,7 +1203,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
     ssl->buffers.prevSent = 0;
     ssl->buffers.plainSz = 0;
-#ifdef OPENSSL_EXTRA
+#ifdef KEEP_PEER_CERT
     ssl->peerCert.derCert.buffer = NULL;
     ssl->peerCert.altNames = NULL;
     ssl->peerCert.altNamesNext = NULL;
@@ -1353,7 +1353,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
     ssl->buffers.dtlsCtx.peer.sz = 0;
 #endif
-#ifdef OPENSSL_EXTRA
+#ifdef KEEP_PEER_CERT
     ssl->peerCert.issuer.sz = 0;
     ssl->peerCert.subject.sz = 0;
 #endif
@@ -1565,10 +1565,12 @@ void SSL_ResourceFree(CYASSL* ssl)
     XFREE(ssl->buffers.dtlsCtx.peer.sa, ssl->heap, DYNAMIC_TYPE_SOCKADDR);
     ssl->buffers.dtlsCtx.peer.sa = NULL;
 #endif
-#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS)
+#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
     XFREE(ssl->peerCert.derCert.buffer, ssl->heap, DYNAMIC_TYPE_CERT);
     if (ssl->peerCert.altNames)
         FreeAltNames(ssl->peerCert.altNames, ssl->heap);
+#endif
+#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS)
     CyaSSL_BIO_free(ssl->biord);
     if (ssl->biord != ssl->biowr) /* in case same as write */
         CyaSSL_BIO_free(ssl->biowr);
@@ -2831,7 +2833,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 #endif /* HAVE_CRL */
-#ifdef OPENSSL_EXTRA
+#ifdef KEEP_PEER_CERT
         /* set X509 format for peer cert even if fatal */
         XSTRNCPY(ssl->peerCert.issuer.name, dCert.issuer, ASN_NAME_MAX);
         ssl->peerCert.issuer.name[ASN_NAME_MAX - 1] = '\0';
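Review bot: The guard on the peerCert cleanup in SSL_ResourceFree, `#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)`, no longer matches the guard on the member it frees: internal.h in this same patch declares `CYASSL_X509 peerCert` under plain `#ifdef KEEP_PEER_CERT`, so a GOAHEAD_WS build that does not also define OPENSSL_EXTRA (and hence KEEP_PEER_CERT) would reference a field that does not exist. Unless GOAHEAD_WS implies OPENSSL_EXTRA somewhere outside this diff, the cleanup block should use exactly the declaration's condition, `#ifdef KEEP_PEER_CERT`, and keep `|| defined(GOAHEAD_WS)` only on the BIO block that follows it. While here, setting `ssl->peerCert.derCert.buffer = NULL;` and `ssl->peerCert.altNames = NULL;` after the frees would match the `peer.sa = NULL` pattern two lines above and leave no dangling pointers in the struct. SSL_ResourceFree's body starts and continues outside the hunk.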
@@ -2955,7 +2957,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
         store.error = ret;
         store.error_depth = totalCerts;
         store.domain = domain;
-#ifdef OPENSSL_EXTRA
+#ifdef KEEP_PEER_CERT
         store.current_cert = &ssl->peerCert;
 #else
         store.current_cert = NULL;
diff --git a/src/ssl.c b/src/ssl.c
index d8ece703d..7a337f7ab 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -3960,8 +3960,8 @@ int CyaSSL_set_compression(CYASSL* ssl)
                    ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side);
     }
+#endif
-
 /* return true if connection established */
 int CyaSSL_is_init_finished(CYASSL* ssl)
 {
@@ -3974,7 +3974,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
     return 0;
 }
-
+#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS)
 void CyaSSL_CTX_set_tmp_rsa_callback(CYASSL_CTX* ctx, CYASSL_RSA*(*f)(CYASSL*, int, int))
 {
@@ -5452,8 +5452,8 @@ int CyaSSL_set_compression(CYASSL* ssl)
     (void)flags;
     return 0;
 }
-
-
+#endif
+#ifdef KEEP_PEER_CERT
 CYASSL_X509* CyaSSL_get_peer_certificate(CYASSL* ssl)
 {
     CYASSL_ENTER("SSL_get_peer_certificate");
@@ -5462,9 +5462,9 @@ int CyaSSL_set_compression(CYASSL* ssl)
     else
         return 0;
 }
+#endif
-
-
+#ifdef OPENSSL_EXTRA
 int CyaSSL_set_ex_data(CYASSL* ssl, int idx, void* data)
 {
 #ifdef FORTRESS
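Review bot: CyaSSL_get_peer_certificate is now built for KEEP_PEER_CERT-only configurations, but it carries no comment that the object it hands back is filled in by DoCertificate "even if fatal" (per the internal.c hunk in this patch), i.e. it is the certificate the peer presented, not one that has passed verification; a caller that bases an authorization decision on the issuer/subject in this struct without also checking the verify result would be trusting unverified data. Suggest a header comment on the function: `/* Return the peer's certificate as presented in the handshake (stored even when chain verification failed); callers must still check the verify result before trusting it. Returns NULL when none is stored. */`. Separately, the diffstat touches no public header: if cyassl/ssl.h still declares this function (and CyaSSL_is_init_finished, which the first ssl.c hunk moves out of the OPENSSL_EXTRA block) only under OPENSSL_EXTRA, the KEEP_PEER_CERT-only call in test.h's showPeer would compile without a prototype, which is worth checking. The function's body continues into the next hunk.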