Merge branch 'master' of https://github.com/wolfSSL/wolfssl into eccCaKeyFile-undefined

kaleb-himes
2017-03-27 16:52:51 -06:00
3 changed files with 73 additions and 19 deletions


@@ -26,3 +26,17 @@ WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i
2JhucwNhkcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ
2HUw19JlYD1n1khVdWk/kfVIC0dpImmClr7JyDiGSnoscxlIaU5rfGW/D/xwzoiQ
-----END CERTIFICATE-----
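Review bot: The certificate appended after the existing entry carries no label, so a reader cannot tell what is being trusted without decoding it. The base64 decodes to VeriSign's "Class 3 Public Primary Certification Authority" root, an X.509 v1 certificate with a 1024-bit RSA key and a SHA-1 signature, valid from 1996 to 2028. A plain-text line ahead of the BEGIN marker, for example `# VeriSign Class 3 Public Primary CA, RSA-1024 / SHA-1 (legacy root)`, would record that, provided the loader for this file tolerates text between PEM blocks, which should be confirmed. A build that raises the minimum RSA key size would presumably reject this entry, so anything that depends on it should be checked under such a configuration.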


@@ -1961,7 +1961,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
if (tls1_2 && haveRSAsig) {
if (tls1_2 && haveRSA) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
}
@@ -1989,7 +1989,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
if (tls1_2 && haveRSAsig) {
if (tls1_2 && haveRSA) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384;
}
@@ -5911,8 +5911,6 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
if (requirement == REQUIRES_RSA)
return 1;
if (requirement == REQUIRES_RSA_SIG)
return 1;
break;
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :
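Review bot: The requirement switch is relaxed only for `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` in the visible hunk, while InitSuites now gates both that suite and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` on `haveRSA` instead of `haveRSAsig` (reading the second printed line as the new side, which the 8-to-6 line count of the last hunk supports). The 128-bit case lies outside the hunk, so it should be confirmed that it no longer returns 1 for `REQUIRES_RSA_SIG` either; otherwise that suite could be listed by InitSuites and then refused at selection time. The reason for dropping the signature requirement is not recorded next to the code; a comment such as `/* ECDHE_RSA needs an RSA server key; the cert's signature algorithm is not fixed by the suite */` above each changed condition would keep the two places from drifting apart again. Both functions continue outside these hunks.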


@@ -4114,6 +4114,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
int ret = 0;
int eccKey = 0;
int rsaKey = 0;
int resetSuites = 0;
void* heap = ctx ? ctx->heap : ((ssl) ? ssl->heap : NULL);
#ifdef WOLFSSL_SMALL_STACK
EncryptedInfo* info = NULL;
@@ -4338,6 +4339,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
} else {
/* check that the size of the RSA key is enough */
int RsaSz = wc_RsaEncryptSize((RsaKey*)key);
if (ssl) {
if (RsaSz < ssl->options.minRsaKeySz) {
ret = RSA_KEY_SIZE_E;
@@ -4352,6 +4354,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
}
rsaKey = 1;
(void)rsaKey; /* for no ecc builds */
if (ssl && ssl->options.side == WOLFSSL_SERVER_END) {
ssl->options.haveStaticECC = 0;
resetSuites = 1;
}
}
}
@@ -4396,10 +4403,16 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
wc_ecc_free(&key);
eccKey = 1;
if (ctx)
ctx->haveStaticECC = 1;
if (ssl)
if (ssl) {
ssl->options.haveStaticECC = 1;
}
else if (ctx) {
ctx->haveStaticECC = 1;
}
if (ssl && ssl->options.side == WOLFSSL_SERVER_END) {
resetSuites = 1;
}
}
#endif /* HAVE_ECC */
}
@@ -4428,16 +4441,25 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif
return SSL_BAD_FILE;
}
if (ssl && ssl->options.side == WOLFSSL_SERVER_END) {
resetSuites = 1;
}
if (ssl && ssl->ctx->haveECDSAsig) {
WOLFSSL_MSG("SSL layer setting cert, CTX had ECDSA, turning off");
ssl->options.haveECDSAsig = 0; /* may turn back on next */
}
switch (cert->signatureOID) {
case CTC_SHAwECDSA:
case CTC_SHA256wECDSA:
case CTC_SHA384wECDSA:
case CTC_SHA512wECDSA:
WOLFSSL_MSG("ECDSA cert signature");
if (ctx)
ctx->haveECDSAsig = 1;
if (ssl)
ssl->options.haveECDSAsig = 1;
else if (ctx)
ctx->haveECDSAsig = 1;
break;
default:
WOLFSSL_MSG("Not ECDSA cert signature");
@@ -4445,16 +4467,6 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
}
#ifdef HAVE_ECC
if (ctx) {
ctx->pkCurveOID = cert->pkCurveOID;
#ifndef WC_STRICT_SIG
if (cert->keyOID == ECDSAk) {
ctx->haveECC = 1;
}
#else
ctx->haveECC = ctx->haveECDSAsig;
#endif
}
if (ssl) {
ssl->pkCurveOID = cert->pkCurveOID;
#ifndef WC_STRICT_SIG
@@ -4465,6 +4477,16 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
ssl->options.haveECC = ssl->options.haveECDSAsig;
#endif
}
else if (ctx) {
ctx->pkCurveOID = cert->pkCurveOID;
#ifndef WC_STRICT_SIG
if (cert->keyOID == ECDSAk) {
ctx->haveECC = 1;
}
#else
ctx->haveECC = ctx->haveECDSAsig;
#endif
}
#endif
/* check key size of cert unless specified not to */
@@ -4521,6 +4543,26 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
}
}
if (ssl && resetSuites) {
word16 havePSK = 0;
word16 haveRSA = 0;
#ifndef NO_PSK
if (ssl->options.havePSK) {
havePSK = 1;
}
#endif
#ifndef NO_RSA
haveRSA = 1;
#endif
/* let's reset suites */
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
}
return SSL_SUCCESS;
}
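Review bot: Loading an RSA key clears `haveStaticECC` only for a server-side `ssl`, whereas the ECC branch sets the flag on `ctx` when no `ssl` is given, so a `WOLFSSL_CTX` that loads an ECC key and later an RSA key appears to keep `haveStaticECC = 1`. Consider something like `if (!ssl && ctx) ctx->haveStaticECC = 0;` beside the new `ssl` case, or a comment stating why the CTX flag is left alone. In the final block `haveRSA` is derived from `NO_RSA` alone even though `rsaKey` already records what was loaded, so the rebuilt suite list does not depend on the key type actually in use; if that is intended, a one-line comment should say so. It is also worth confirming that `InitSuites` leaves an application-chosen cipher list intact and that `ssl->suites` cannot be NULL here, since this call now runs after every server-side key or certificate load. ProcessBuffer begins and continues outside these hunks, so the guards around each branch are not fully visible.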