From be402277e01740fc96e33efebbbf26b6f4c870f1 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 2 Jul 2014 12:07:25 -0700 Subject: [PATCH 1/3] add override cert date example for bad clock testing --- certs/test/expired-cert.pem | 39 +++++++++++++++++++++++++++++++++++++ certs/test/expired-key.pem | 9 +++++++++ cyassl/test.h | 20 +++++++++++++++++++ examples/client/client.c | 10 +++++++++- 4 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 certs/test/expired-cert.pem create mode 100644 certs/test/expired-key.pem diff --git a/certs/test/expired-cert.pem b/certs/test/expired-cert.pem new file mode 100644 index 000000000..1ec53c026 --- /dev/null +++ b/certs/test/expired-cert.pem @@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 1 (0x1) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Validity + Not Before: Jun 30 18:52:17 2010 GMT + Not After : Mar 26 18:52:17 2013 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=yaSSL, OU=support, CN=www.yassl.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:c6:7b:c0:68:81:2f:de:82:3f:f9:ac:c3:86:4a: + 66:b7:ec:d4:f1:f6:64:21:ff:f5:a2:34:42:d0:38: + 9f:c6:dd:3b:6e:26:65:6a:54:96:dd:d2:7b:eb:36: + a2:ae:7e:2a:9e:7e:56:a5:b6:87:9f:15:c7:18:66: + 7e:16:77:e2:a7 + Exponent: 65537 (0x10001) + Signature Algorithm: md5WithRSAEncryption + 58:a9:98:e7:16:52:4c:40:e7:e1:47:92:19:1b:3a:8f:97:6c: + 7b:b7:b0:cb:20:6d:ad:b5:d3:47:58:d8:e4:f2:3e:32:e9:ef: + 87:77:e5:54:36:f4:8d:50:8d:07:b4:77:45:ea:9d:a4:33:36: + 9b:0b:e0:74:58:11:c5:01:7b:4d +-----BEGIN CERTIFICATE----- +MIICFDCCAb4CAQEwDQYJKoZIhvcNAQEEBQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYD +VQQIEwdNb250YW5hMRAwDgYDVQQHEwdCb3plbWFuMREwDwYDVQQKEwhzYXd0b290 +aDETMBEGA1UECxMKY29uc3VsdGluZzEkMCIGA1UEAxMbd3d3LnNhd3Rvb3RoLWNv +bnN1bHRpbmcuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0x +MDA2MzAxODUyMTdaFw0xMzAzMjYxODUyMTdaMIGKMQswCQYDVQQGEwJVUzEQMA4G +A1UECBMHTW9udGFuYTEQMA4GA1UEBxMHQm96ZW1hbjEOMAwGA1UEChMFeWFTU0wx +EDAOBgNVBAsTB3N1cHBvcnQxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkq +hkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB +AMZ7wGiBL96CP/msw4ZKZrfs1PH2ZCH/9aI0QtA4n8bdO24mZWpUlt3Se+s2oq5+ +Kp5+VqW2h58VxxhmfhZ34qcCAwEAATANBgkqhkiG9w0BAQQFAANBAFipmOcWUkxA +5+FHkhkbOo+XbHu3sMsgba2100dY2OTyPjLp74d35VQ29I1QjQe0d0XqnaQzNpsL +4HRYEcUBe00= +-----END CERTIFICATE----- diff --git a/certs/test/expired-key.pem b/certs/test/expired-key.pem new file mode 100644 index 000000000..154d661b1 --- /dev/null +++ b/certs/test/expired-key.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOwIBAAJBAMZ7wGiBL96CP/msw4ZKZrfs1PH2ZCH/9aI0QtA4n8bdO24mZWpU +lt3Se+s2oq5+Kp5+VqW2h58VxxhmfhZ34qcCAwEAAQJBAJSbGxgjgV+rTZL2Ev58 +viN/IoB25cm/Bn4Heu7DNn2A2kpdGX2cCaf7rEQoIKCiHxvopvxOcd/7nLS/gNli +dCECIQD/cX/9fvB1Uajw0fmvwNON9+3P9uJSqpig90zL32pwjQIhAMbqee9TBMN4 +TxXbgWqA92PrCXe8WDZ3PwoJqdR6MRUDAiEAny+TDF1z6hiWiGTCDgXDkKBlwgjf +p5aKgR077XzwLu0CICVpWEGg1ZaF/CnaPP7w/pZ2UDOK4vRrfRnAM4bY7H5NAiBS +1eXJ/MCZ2uPfpl7XK2BU9P69KdKUk5WHxdRchVvcDg== +-----END RSA PRIVATE KEY----- diff --git a/cyassl/test.h b/cyassl/test.h index 667476ed2..1026b2f9b 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -9,6 +9,7 @@ #include #include #include +#include #ifdef ATOMIC_USER #include @@ -894,6 +895,25 @@ static INLINE int myVerify(int preverify, CYASSL_X509_STORE_CTX* store) #endif /* VERIFY_CALLBACK */ +static INLINE int myDateCb(int preverify, CYASSL_X509_STORE_CTX* store) +{ + (void)preverify; + char buffer[CYASSL_MAX_ERROR_SZ]; + + printf("In verification callback, error = %d, %s\n", store->error, + CyaSSL_ERR_error_string(store->error, buffer)); + printf("Subject's domain name is %s\n", store->domain); + + if (store->error == ASN_BEFORE_DATE_E || store->error == ASN_AFTER_DATE_E) { + printf("Overriding cert date error as example for bad clock testing\n"); + return 1; + } + printf("Cert error is not date error, not overriding\n"); + + return 0; +} + + #ifdef HAVE_CRL static INLINE void CRL_CallBack(const char* url) diff --git a/examples/client/client.c b/examples/client/client.c index 1c4041850..6c268e65d 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -128,6 +128,7 @@ static void Usage(void) printf("-s Use pre Shared keys\n"); printf("-t Track CyaSSL memory use\n"); printf("-d Disable peer checks\n"); + printf("-D Override Date Errors example\n"); printf("-g Send server HTTP GET\n"); printf("-u Use UDP DTLS," " add -v 2 for DTLSv1 (default), -v 3 for DTLSv1.2\n"); @@ -197,6 +198,7 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) int fewerPackets = 0; int atomicUser = 0; int pkCallbacks = 0; + int overrideDateErrors = 0; char* cipherList = NULL; const char* verifyCert = caCert; const char* ourCert = cliCert; @@ -238,7 +240,7 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) StackTrap(); while ((ch = mygetopt(argc, argv, - "?gdusmNrtfxUPh:p:v:l:A:c:k:b:zS:L:ToO:")) != -1) { + "?gdDusmNrtfxUPh:p:v:l:A:c:k:b:zS:L:ToO:")) != -1) { switch (ch) { case '?' : Usage(); @@ -252,6 +254,10 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) doPeerCheck = 0; break; + case 'D' : + overrideDateErrors = 1; + break; + case 'u' : doDTLS = 1; break; @@ -545,6 +551,8 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) #if !defined(NO_CERTS) if (!usePsk && doPeerCheck == 0) CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); + if (!usePsk && overrideDateErrors == 1) + CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myDateCb); #endif #ifdef HAVE_CAVIUM From 0272d51ce40c515c8e9913d442a5abe6e55ca5ed Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 2 Jul 2014 12:11:01 -0700 Subject: [PATCH 2/3] remove C++ comments from cyassl proper --- ctaocrypt/src/des3.c | 8 ++++---- src/ssl.c | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ctaocrypt/src/des3.c b/ctaocrypt/src/des3.c index b2bd74c3c..4cd2a63ca 100644 --- a/ctaocrypt/src/des3.c +++ b/ctaocrypt/src/des3.c @@ -787,9 +787,9 @@ int Des3_SetIV(Des3* des, const byte* iv); bd_p->BD_CTRL.LAST_BD = 1; bd_p->BD_CTRL.DESC_EN = 1; - bd_p->SA_ADDR = (unsigned int)KVA_TO_PA(&sa) ; // (unsigned int)sa_p ; - bd_p->SRCADDR = (unsigned int)KVA_TO_PA(in) ; // (unsigned int)in_p ; - bd_p->DSTADDR = (unsigned int)KVA_TO_PA(out); // (unsigned int)out_p ; + bd_p->SA_ADDR = (unsigned int)KVA_TO_PA(&sa) ; /* (unsigned int)sa_p; */ + bd_p->SRCADDR = (unsigned int)KVA_TO_PA(in) ; /* (unsigned int)in_p; */ + bd_p->DSTADDR = (unsigned int)KVA_TO_PA(out); /* (unsigned int)out_p; */ bd_p->NXTPTR = (unsigned int)KVA_TO_PA(&bd); bd_p->MSGLEN = sz ; @@ -798,7 +798,7 @@ int Des3_SetIV(Des3* des, const byte* iv); while (CECON); /* Run the engine */ - CEBDPADDR = (unsigned int)KVA_TO_PA(&bd) ; // (unsigned int)bd_p ; + CEBDPADDR = (unsigned int)KVA_TO_PA(&bd) ; /* (unsigned int)bd_p ; */ CEINTEN = 0x07; CECON = 0x27; diff --git a/src/ssl.c b/src/ssl.c index 2ac78e979..5e916a47a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8962,7 +8962,7 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format) NULL, DYNAMIC_TYPE_CERT); if (derCert.buffer != NULL) { derCert.length = x509->derCert.length; - // AddCA() frees the buffer. + /* AddCA() frees the buffer. */ XMEMCPY(derCert.buffer, x509->derCert.buffer, x509->derCert.length); result = AddCA(store->cm, derCert, CYASSL_USER_CA, 1); From b7baf024ab005224361f14bea7482c170cd39ebb Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 2 Jul 2014 12:21:52 -0700 Subject: [PATCH 3/3] add expired-ca for testing as well --- certs/test/expired-ca.pem | 56 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 certs/test/expired-ca.pem diff --git a/certs/test/expired-ca.pem b/certs/test/expired-ca.pem new file mode 100644 index 000000000..6a0cf898e --- /dev/null +++ b/certs/test/expired-ca.pem @@ -0,0 +1,56 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 8a:37:22:65:73:f5:aa:e8 + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Validity + Not Before: Jun 30 18:47:10 2010 GMT + Not After : Mar 26 18:47:10 2013 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=sawtooth, OU=consulting, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:97:30:b9:1a:92:ef:25:4f:ca:4c:11:31:95:1a: + e1:c0:10:19:0a:20:b9:37:80:1a:57:38:02:4e:1b: + c5:0f:28:4f:da:e3:c9:16:aa:50:bd:4a:fb:b7:71: + c7:35:cc:63:81:c1:dd:9d:33:f9:38:16:88:32:a0: + aa:56:23:03:a3 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 3B:66:FD:A0:40:C6:F4:E2:70:CF:21:1A:0C:4F:67:FE:B7:4B:42:09 + X509v3 Authority Key Identifier: + keyid:3B:66:FD:A0:40:C6:F4:E2:70:CF:21:1A:0C:4F:67:FE:B7:4B:42:09 + DirName:/C=US/ST=Montana/L=Bozeman/O=sawtooth/OU=consulting/CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + serial:8A:37:22:65:73:F5:AA:E8 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: md5WithRSAEncryption + 32:65:a2:b1:dc:6d:e0:8d:8b:c8:58:29:8e:b8:18:4b:62:88: + 13:67:f8:6c:75:46:75:8f:8a:19:a6:a3:d5:3c:fc:57:4e:7a: + 68:a9:fc:93:dc:ae:29:7d:bb:4e:ec:ea:55:fa:a4:e3:00:61: + f4:b0:34:6d:d1:d5:a4:64:24:f8 +-----BEGIN CERTIFICATE----- +MIIDQDCCAuqgAwIBAgIJAIo3ImVz9aroMA0GCSqGSIb3DQEBBAUAMIGeMQswCQYD +VQQGEwJVUzEQMA4GA1UECBMHTW9udGFuYTEQMA4GA1UEBxMHQm96ZW1hbjERMA8G +A1UEChMIc2F3dG9vdGgxEzARBgNVBAsTCmNvbnN1bHRpbmcxJDAiBgNVBAMTG3d3 +dy5zYXd0b290aC1jb25zdWx0aW5nLmNvbTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5 +YXNzbC5jb20wHhcNMTAwNjMwMTg0NzEwWhcNMTMwMzI2MTg0NzEwWjCBnjELMAkG +A1UEBhMCVVMxEDAOBgNVBAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAP +BgNVBAoTCHNhd3Rvb3RoMRMwEQYDVQQLEwpjb25zdWx0aW5nMSQwIgYDVQQDExt3 +d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9A +eWFzc2wuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJcwuRqS7yVPykwRMZUa +4cAQGQoguTeAGlc4Ak4bxQ8oT9rjyRaqUL1K+7dxxzXMY4HB3Z0z+TgWiDKgqlYj +A6MCAwEAAaOCAQcwggEDMB0GA1UdDgQWBBQ7Zv2gQMb04nDPIRoMT2f+t0tCCTCB +0wYDVR0jBIHLMIHIgBQ7Zv2gQMb04nDPIRoMT2f+t0tCCaGBpKSBoTCBnjELMAkG +A1UEBhMCVVMxEDAOBgNVBAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAP +BgNVBAoTCHNhd3Rvb3RoMRMwEQYDVQQLEwpjb25zdWx0aW5nMSQwIgYDVQQDExt3 +d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9A +eWFzc2wuY29tggkAijciZXP1qugwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQF +AANBADJlorHcbeCNi8hYKY64GEtiiBNn+Gx1RnWPihmmo9U8/FdOemip/JPcril9 +u07s6lX6pOMAYfSwNG3R1aRkJPg= +-----END CERTIFICATE-----