diff --git a/examples/client/client.c b/examples/client/client.c index 7d5b43e2a..f2984ca93 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1445,13 +1445,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef OPENSSL_EXTRA { - byte* rnd; - byte* pt; - int size; + byte* rnd; + byte* pt; + size_t size; /* get size of buffer then print */ size = wolfSSL_get_client_random(NULL, NULL, 0); - if (size < 0) { + if (size == 0) { err_sys("error getting client random buffer size"); } @@ -1461,7 +1461,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } size = wolfSSL_get_client_random(ssl, rnd, size); - if (size < 0) { + if (size == 0) { XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER); err_sys("error getting client random buffer"); } diff --git a/examples/server/server.c b/examples/server/server.c index f1893e45e..626f96c5e 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -882,6 +882,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) ssl = SSL_new(ctx); if (ssl == NULL) err_sys("unable to get SSL"); + #ifdef OPENSSL_EXTRA + wolfSSL_KeepArrays(ssl); + #endif #if defined(WOLFSSL_STATIC_MEMORY) && defined(DEBUG_WOLFSSL) { @@ -1026,6 +1029,36 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) err_sys("SSL in error state"); } +#ifdef OPENSSL_EXTRA + { + byte* rnd; + byte* pt; + size_t size; + + /* get size of buffer then print */ + size = wolfSSL_get_server_random(NULL, NULL, 0); + if (size == 0) { + err_sys("error getting server random buffer size"); + } + + rnd = (byte*)XMALLOC(size, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (rnd == NULL) { + err_sys("error creating server random buffer"); + } + + size = wolfSSL_get_client_random(ssl, rnd, size); + if (size == 0) { + XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + err_sys("error getting server random buffer"); + } + + printf("Server Random : "); + for (pt = rnd; pt < rnd + size; pt++) printf("%02X", *pt); + printf("\n"); + XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } +#endif + #ifdef HAVE_ALPN if (alpnList != NULL) { char *protocol_name = NULL, *list = NULL; diff --git a/rpm/spec.in b/rpm/spec.in index e7871d05b..ae8fc8ad8 100644 --- a/rpm/spec.in +++ b/rpm/spec.in @@ -231,6 +231,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/wolfssl/wolfcrypt/wolfevent.h %{_includedir}/wolfssl/error-ssl.h %{_includedir}/wolfssl/ocsp.h +%{_includedir}/wolfssl/openssl/aes.h %{_includedir}/wolfssl/openssl/asn1.h %{_includedir}/wolfssl/openssl/bio.h %{_includedir}/wolfssl/openssl/bn.h @@ -275,6 +276,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/pkgconfig/wolfssl.pc %changelog +* Fri Nov 11 2016 Jacob Barthelmeh +- Added header for wolfssl/openssl/aes.h * Fri Oct 28 2016 Jacob Barthelmeh - Added header for pkcs12 * Fri Sep 23 2016 John Safranek diff --git a/src/ssl.c b/src/ssl.c index 4fb02383e..5107bddd9 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5685,6 +5685,33 @@ int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format) /* put SSL type in extra for now, not very common */ #ifndef NO_CERTS +int wolfSSL_check_private_key(const WOLFSSL* ssl) +{ + DecodedCert der; + word32 size; + byte* buff; + int ret; + + if (ssl == NULL) { + return SSL_FAILURE; + } + + size = ssl->buffers.certificate->length; + buff = ssl->buffers.certificate->buffer; + InitDecodedCert(&der, buff, size, ssl->heap); + if (ParseCertRelative(&der, CERT_TYPE, NO_VERIFY, NULL) != 0) { + FreeDecodedCert(&der); + return SSL_FAILURE; + } + + size = ssl->buffers.key->length; + buff = ssl->buffers.key->buffer; + ret = wc_CheckPrivateKey(buff, size, &der); + FreeDecodedCert(&der); + return ret; +} + + void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, int* idx) { @@ -5808,6 +5835,39 @@ int wolfSSL_use_certificate_chain_file(WOLFSSL* ssl, const char* file) +#if !defined(NO_WOLFSSL_SERVER) +size_t wolfSSL_get_server_random(const WOLFSSL *ssl, unsigned char *out, + size_t outSz) +{ + size_t size; + + /* return max size of buffer */ + if (outSz == 0) { + return RAN_LEN; + } + + if (ssl == NULL || out == NULL) { + return 0; + } + + if (ssl->options.saveArrays == 0 || ssl->arrays == NULL) { + WOLFSSL_MSG("Arrays struct not saved after handshake"); + return 0; + } + + if (outSz > RAN_LEN) { + size = RAN_LEN; + } + else { + size = outSz; + } + + XMEMCPY(out, ssl->arrays->serverRandom, size); + return 0; +} +#endif /* !defined(NO_WOLFSSL_SERVER) */ + + #if !defined(NO_WOLFSSL_CLIENT) /* Return the amount of random bytes copied over or error case. * ssl : ssl struct after handshake @@ -5816,22 +5876,23 @@ int wolfSSL_use_certificate_chain_file(WOLFSSL* ssl, const char* file) * * NOTE: wolfSSL_KeepArrays(ssl) must be called to retain handshake information. */ -int wolfSSL_get_client_random(WOLFSSL* ssl, unsigned char* out, int outSz) +size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, + size_t outSz) { - int size; + size_t size; /* return max size of buffer */ if (outSz == 0) { return RAN_LEN; } - if (ssl == NULL || out == NULL || outSz < 0) { - return BAD_FUNC_ARG; + if (ssl == NULL || out == NULL) { + return 0; } if (ssl->options.saveArrays == 0 || ssl->arrays == NULL) { WOLFSSL_MSG("Arrays struct not saved after handshake"); - return BAD_FUNC_ARG; + return 0; } if (outSz > RAN_LEN) { @@ -13524,15 +13585,6 @@ WOLFSSL_API long wolfSSL_SSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned ch return 0; } -WOLFSSL_API unsigned long wolfSSL_SSL_get_server_random(const WOLFSSL *ssl, unsigned char *out, - unsigned long outlen) -{ - (void)ssl; - (void)out; - (void)outlen; - return 0; -} - /*** TBD ***/ WOLFSSL_API unsigned long wolfSSL_SSL_get_verify_result(const WOLFSSL *ssl) { diff --git a/tests/api.c b/tests/api.c index 469d67329..6036d6e54 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2261,12 +2261,16 @@ static void test_wolfSSL_certs(void) AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM)); AssertNotNull(ssl = SSL_new(ctx)); + AssertIntEQ(wolfSSL_check_private_key(ssl), SSL_SUCCESS); /* create and use x509 */ - x509 = wolfSSL_X509_load_certificate_file(svrCert, SSL_FILETYPE_PEM); + x509 = wolfSSL_X509_load_certificate_file(cliCert, SSL_FILETYPE_PEM); AssertNotNull(x509); AssertIntEQ(SSL_use_certificate(ssl, x509), SSL_SUCCESS); + /* with loading in a new cert the check on private key should now fail */ + AssertIntNE(wolfSSL_check_private_key(ssl), SSL_SUCCESS); + #if defined(USE_CERT_BUFFERS_2048) AssertIntEQ(SSL_use_certificate_ASN1(ssl, diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index e4d1985d1..81aa797db 100644 --- a/wolfcrypt/src/include.am +++ b/wolfcrypt/src/include.am @@ -1,6 +1,7 @@ # vim:ft=automake # All paths should be given relative to the root +EXTRA_DIST += src/bio.c EXTRA_DIST += wolfcrypt/src/misc.c EXTRA_DIST += wolfcrypt/src/evp.c EXTRA_DIST += wolfcrypt/src/asm.c diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 7a8c93c8a..a47d00ec0 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -535,9 +535,8 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define SSL_CTX_set_tlsext_status_arg wolfSSL_SSL_CTX_set_tlsext_status_arg #define SSL_CTX_set_tlsext_opaque_prf_input_callback_arg \ wolfSSL_SSL_CTX_set_tlsext_opaque_prf_input_callback_arg -#define SSL_get_server_random wolfSSL_SSL_get_server_random +#define SSL_get_server_random wolfSSL_get_server_random -#define SSL_get_server_random wolfSSL_SSL_get_server_random #define SSL_get_tlsext_status_exts wolfSSL_SSL_get_tlsext_status_exts #define BIO_C_SET_FILE_PTR 106 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 1481ca3c1..42ba737a0 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -715,8 +715,6 @@ WOLFSSL_API long wolfSSL_SSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned ch WOLFSSL_API long wolfSSL_SSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, int len); WOLFSSL_API void wolfSSL_CONF_modules_unload(int all); -WOLFSSL_API unsigned long wolfSSL_SSL_get_server_random(const WOLFSSL *ssl, unsigned char *out, - unsigned long outlen); WOLFSSL_API long wolfSSL_SSL_get_tlsext_status_exts(WOLFSSL *s, void *arg); WOLFSSL_API unsigned long wolfSSL_SSL_get_verify_result(const WOLFSSL *ssl); WOLFSSL_API void wolfSSL_SSL_set_accept_state(WOLFSSL *s); @@ -1896,6 +1894,7 @@ WOLFSSL_API char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time, #ifdef OPENSSL_EXTRA #ifndef NO_CERTS +WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl); WOLFSSL_API void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, int* idx); WOLFSSL_API int wolfSSL_X509_digest(const WOLFSSL_X509* x509, @@ -1922,8 +1921,10 @@ WOLFSSL_API void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx, WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509** x509); WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx); -WOLFSSL_API int wolfSSL_get_client_random(WOLFSSL* ssl, unsigned char* out, - int outSz); +WOLFSSL_API size_t wolfSSL_get_server_random(const WOLFSSL *ssl, + unsigned char *out, size_t outlen); +WOLFSSL_API size_t wolfSSL_get_client_random(const WOLFSSL* ssl, + unsigned char* out, size_t outSz); WOLFSSL_API pem_password_cb *wolfSSL_SSL_CTX_get_default_passwd_cb(WOLFSSL_CTX *ctx); WOLFSSL_API void *wolfSSL_SSL_CTX_get_default_passwd_cb_userdata(WOLFSSL_CTX *ctx);