NO_RSA build, cipher suite tests need work for this build option, ssn2

toddouska
2013-03-07 17:44:40 -08:00
parent 23d6c70d3e
commit 85b3346bbf
20 changed files with 522 additions and 112 deletions


@@ -92,12 +92,33 @@ enum {
#define NO_TIME_H #define NO_TIME_H
/* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */ /* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */
#elif defined(USER_TIME) #elif defined(USER_TIME)
/* no <time.h> structures used */
#define NO_TIME_H
/* user time, and gmtime compatible functions, there is a gmtime /* user time, and gmtime compatible functions, there is a gmtime
implementation here that WINCE uses, so really just need some ticks implementation here that WINCE uses, so really just need some ticks
since the EPOCH since the EPOCH
*/ */
struct tm {
int tm_sec; /* seconds after the minute [0-60] */
int tm_min; /* minutes after the hour [0-59] */
int tm_hour; /* hours since midnight [0-23] */
int tm_mday; /* day of the month [1-31] */
int tm_mon; /* months since January [0-11] */
int tm_year; /* years since 1900 */
int tm_wday; /* days since Sunday [0-6] */
int tm_yday; /* days since January 1 [0-365] */
int tm_isdst; /* Daylight Savings Time flag */
long tm_gmtoff; /* offset from CUT in seconds */
char *tm_zone; /* timezone abbreviation */
};
typedef long time_t;
/* forward declaration */
struct tm* gmtime(const time_t* timer);
extern time_t XTIME(time_t * timer);
#define XGMTIME(c) gmtime((c))
#define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
#else #else
/* default */ /* default */
/* uses complete <time.h> facility */ /* uses complete <time.h> facility */
@@ -137,7 +158,8 @@ time_t time(time_t* timer)
return *timer; return *timer;
} }
#endif /* _WIN32_WCE */
#if defined( _WIN32_WCE ) || defined( USER_TIME )
struct tm* gmtime(const time_t* timer) struct tm* gmtime(const time_t* timer)
{ {
@@ -155,12 +177,12 @@ struct tm* gmtime(const time_t* timer)
static struct tm st_time; static struct tm st_time;
struct tm* ret = &st_time; struct tm* ret = &st_time;
time_t time = *timer; time_t secs = *timer;
unsigned long dayclock, dayno; unsigned long dayclock, dayno;
int year = EPOCH_YEAR; int year = EPOCH_YEAR;
dayclock = (unsigned long)time % SECS_DAY; dayclock = (unsigned long)secs % SECS_DAY;
dayno = (unsigned long)time / SECS_DAY; dayno = (unsigned long)secs / SECS_DAY;
ret->tm_sec = dayclock % 60; ret->tm_sec = dayclock % 60;
ret->tm_min = (dayclock % 3600) / 60; ret->tm_min = (dayclock % 3600) / 60;
@@ -187,7 +209,7 @@ struct tm* gmtime(const time_t* timer)
return ret; return ret;
} }
#endif /* _WIN32_WCE */ #endif /* _WIN32_WCE || USER_TIME */
#ifdef THREADX #ifdef THREADX
@@ -386,6 +408,7 @@ static int GetMyVersion(const byte* input, word32* inOutIdx, int* version)
} }
#ifndef NO_PWDBASED
/* Get small count integer, 32 bits or less */ /* Get small count integer, 32 bits or less */
static int GetShortInt(const byte* input, word32* inOutIdx, int* number) static int GetShortInt(const byte* input, word32* inOutIdx, int* number)
{ {
@@ -409,7 +432,7 @@ static int GetShortInt(const byte* input, word32* inOutIdx, int* number)
return *number; return *number;
} }
#endif
/* May not have one, not an error */ /* May not have one, not an error */
static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version) static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version)
@@ -1413,7 +1436,9 @@ static int GetKey(DecodedCert* cert)
/* process NAME, either issuer or subject */ /* process NAME, either issuer or subject */
static int GetName(DecodedCert* cert, int nameType) static int GetName(DecodedCert* cert, int nameType)
{ {
#ifndef NO_SHA
Sha sha; Sha sha;
#endif
int length; /* length of all distinguished names */ int length; /* length of all distinguished names */
int dummy; int dummy;
char* full = (nameType == ISSUER) ? cert->issuer : cert->subject; char* full = (nameType == ISSUER) ? cert->issuer : cert->subject;
@@ -1438,12 +1463,14 @@ static int GetName(DecodedCert* cert, int nameType)
if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
#ifndef NO_SHA
InitSha(&sha); InitSha(&sha);
ShaUpdate(&sha, &cert->source[idx], length + cert->srcIdx - idx); ShaUpdate(&sha, &cert->source[idx], length + cert->srcIdx - idx);
if (nameType == ISSUER) if (nameType == ISSUER)
ShaFinal(&sha, cert->issuerHash); ShaFinal(&sha, cert->issuerHash);
else else
ShaFinal(&sha, cert->subjectHash); ShaFinal(&sha, cert->subjectHash);
#endif
length += cert->srcIdx; length += cert->srcIdx;
idx = 0; idx = 0;
@@ -2101,8 +2128,10 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
(void)sig; (void)sig;
(void)sigSz; (void)sigSz;
(void)heap; (void)heap;
(void)ret;
switch (sigOID) { switch (sigOID) {
#ifndef NO_MD5
case CTC_MD5wRSA: case CTC_MD5wRSA:
{ {
Md5 md5; Md5 md5;
@@ -2113,6 +2142,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
digestSz = MD5_DIGEST_SIZE; digestSz = MD5_DIGEST_SIZE;
} }
break; break;
#endif
#if defined(CYASSL_MD2) #if defined(CYASSL_MD2)
case CTC_MD2wRSA: case CTC_MD2wRSA:
{ {
@@ -2125,6 +2155,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
} }
break; break;
#endif #endif
#ifndef NO_SHA
case CTC_SHAwRSA: case CTC_SHAwRSA:
case CTC_SHAwDSA: case CTC_SHAwDSA:
case CTC_SHAwECDSA: case CTC_SHAwECDSA:
@@ -2137,6 +2168,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
digestSz = SHA_DIGEST_SIZE; digestSz = SHA_DIGEST_SIZE;
} }
break; break;
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
case CTC_SHA256wRSA: case CTC_SHA256wRSA:
case CTC_SHA256wECDSA: case CTC_SHA256wECDSA:
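Review bot: With NO_SHA defined, GetName() now skips the InitSha/ShaUpdate/ShaFinal block, so `cert->issuerHash` and `cert->subjectHash` are never written for that certificate. Any later code that matches a certificate to its CA signer, CRL or OCSP entry by those hashes would then compare whatever bytes the buffers already held; that code is not in this diff, so this needs confirming. If the NO_SHA build must still resolve issuers, either hash the name with a digest that is compiled in, or zero both buffers and make the lookup fail closed. A comment above the guard should record this, e.g. `/* NO_SHA: name hashes are not computed; signer lookup by hash is unavailable */`. GetName's body starts and ends outside the hunks shown.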


@@ -52,9 +52,11 @@ static int InitHmac(Hmac* hmac, int type)
break; break;
#endif #endif
#ifndef NO_SHA
case SHA: case SHA:
InitSha(&hmac->hash.sha); InitSha(&hmac->hash.sha);
break; break;
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
case SHA256: case SHA256:
@@ -80,7 +82,7 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
{ {
byte* ip = (byte*) hmac->ipad; byte* ip = (byte*) hmac->ipad;
byte* op = (byte*) hmac->opad; byte* op = (byte*) hmac->opad;
word32 i, hmac_block_size = SHA_BLOCK_SIZE; word32 i, hmac_block_size = 0;
#ifdef HAVE_CAVIUM #ifdef HAVE_CAVIUM
if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC) if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC)
@@ -106,8 +108,10 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
break; break;
#endif #endif
#ifndef NO_SHA
case SHA: case SHA:
{ {
hmac_block_size = SHA_BLOCK_SIZE;
if (length <= SHA_BLOCK_SIZE) { if (length <= SHA_BLOCK_SIZE) {
XMEMCPY(ip, key, length); XMEMCPY(ip, key, length);
} }
@@ -118,6 +122,7 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
} }
} }
break; break;
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
case SHA256: case SHA256:
@@ -173,9 +178,11 @@ static void HmacKeyInnerHash(Hmac* hmac)
break; break;
#endif #endif
#ifndef NO_SHA
case SHA: case SHA:
ShaUpdate(&hmac->hash.sha, (byte*) hmac->ipad, SHA_BLOCK_SIZE); ShaUpdate(&hmac->hash.sha, (byte*) hmac->ipad, SHA_BLOCK_SIZE);
break; break;
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
case SHA256: case SHA256:
@@ -216,9 +223,11 @@ void HmacUpdate(Hmac* hmac, const byte* msg, word32 length)
break; break;
#endif #endif
#ifndef NO_SHA
case SHA: case SHA:
ShaUpdate(&hmac->hash.sha, msg, length); ShaUpdate(&hmac->hash.sha, msg, length);
break; break;
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
case SHA256: case SHA256:
@@ -264,6 +273,7 @@ void HmacFinal(Hmac* hmac, byte* hash)
break; break;
#endif #endif
#ifndef NO_SHA
case SHA: case SHA:
{ {
ShaFinal(&hmac->hash.sha, (byte*) hmac->innerHash); ShaFinal(&hmac->hash.sha, (byte*) hmac->innerHash);
@@ -275,6 +285,7 @@ void HmacFinal(Hmac* hmac, byte* hash)
ShaFinal(&hmac->hash.sha, hash); ShaFinal(&hmac->hash.sha, hash);
} }
break; break;
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
case SHA256: case SHA256:
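Review bot: In HmacSetKey, `hmac_block_size` now starts at 0 and is assigned inside the `case SHA:` branch that this change compiles out under NO_SHA, so a `type` with no compiled-in case leaves the block size at 0 and the key unapplied. The function returns void, so the caller cannot tell, and HmacUpdate/HmacFinal would likewise fall through their switches without producing a MAC. Whether the other cases assign `hmac_block_size` themselves, and what the default branches do, is outside the hunks shown, so please confirm every remaining case sets it. A fail-closed path would help: have InitHmac reject a type that is not compiled in, and have HmacSetKey stop when `hmac_block_size == 0` instead of continuing with empty pads.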


@@ -33,6 +33,8 @@
/* in case user set USE_FAST_MATH there */ /* in case user set USE_FAST_MATH there */
#include <cyassl/ctaocrypt/settings.h> #include <cyassl/ctaocrypt/settings.h>
#ifndef NO_BIG_INT
#ifndef USE_FAST_MATH #ifndef USE_FAST_MATH
#include <cyassl/ctaocrypt/integer.h> #include <cyassl/ctaocrypt/integer.h>
@@ -43,6 +45,8 @@
#endif #endif
#endif #endif
static void bn_reverse (unsigned char *s, int len);
/* math settings check */ /* math settings check */
word32 CheckRunTimeSettings(void) word32 CheckRunTimeSettings(void)
{ {
@@ -4452,3 +4456,4 @@ int mp_read_radix (mp_int * a, const char *str, int radix)
#endif /* USE_FAST_MATH */ #endif /* USE_FAST_MATH */
#endif /* NO_BIG_INT */


@@ -24,6 +24,8 @@
#include <config.h> #include <config.h>
#endif #endif
#ifndef NO_MD5
#include <cyassl/ctaocrypt/md5.h> #include <cyassl/ctaocrypt/md5.h>
#ifdef NO_INLINE #ifdef NO_INLINE
@@ -340,3 +342,4 @@ void Md5Final(Md5* md5, byte* hash)
#endif /* STM32F2_CRYPTO */ #endif /* STM32F2_CRYPTO */
#endif /* NO_MD5 */


@@ -58,6 +58,7 @@
#endif #endif
#endif /* USE_WINDOWS_API */ #endif /* USE_WINDOWS_API */
#if !defined( NO_CYASSL_RANDOM )
#ifdef NO_RC4 #ifdef NO_RC4
@@ -568,7 +569,7 @@ int GenerateSeed(OS_Seed* os, byte* output, word32 sz)
#elif defined(NO_DEV_RANDOM) #elif defined(NO_DEV_RANDOM)
#error "you need to write an os specific GenerateSeed() here" #warning "you need to write an os specific GenerateSeed() here"
#else /* !USE_WINDOWS_API && !THREADX && !MICRIUM && !NO_DEV_RANDOM */ #else /* !USE_WINDOWS_API && !THREADX && !MICRIUM && !NO_DEV_RANDOM */
@@ -613,3 +614,4 @@ int GenerateSeed(OS_Seed* os, byte* output, word32 sz)
#endif /* USE_WINDOWS_API */ #endif /* USE_WINDOWS_API */
#endif /* NO_CYASSL_RANDOM */
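Review bot: The NO_DEV_RANDOM branch of GenerateSeed appears to go from `#error` to `#warning`, which lets a build with no seed source in this file get past the compiler. `#warning` is a compiler extension before C23, and where it is suppressed or unsupported the only remaining signal is a link failure, or none at all if another object supplies a stub GenerateSeed. Every key and nonce the library produces depends on this seed, so I would keep `#error "you need to write an os specific GenerateSeed() here"` as the default. The relaxed path should be reachable only through an explicit opt-in macro set by the integrator, with a comment stating that an externally supplied GenerateSeed must return real entropy.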


@@ -19,10 +19,13 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/ */
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
#include <config.h> #include <config.h>
#endif #endif
#ifndef NO_SHA
#include <cyassl/ctaocrypt/sha.h> #include <cyassl/ctaocrypt/sha.h>
#ifdef NO_INLINE #ifdef NO_INLINE
#include <cyassl/ctaocrypt/misc.h> #include <cyassl/ctaocrypt/misc.h>
@@ -345,3 +348,4 @@ void ShaFinal(Sha* sha, byte* hash)
#endif /* STM32F2_CRYPTO */ #endif /* STM32F2_CRYPTO */
#endif /* NO_SHA */


@@ -273,6 +273,11 @@ struct DecodedCert {
#endif /* CYASSL_CERT_GEN */ #endif /* CYASSL_CERT_GEN */
}; };
#ifdef SHA_DIGEST_SIZE
#define SIGNER_DIGEST_SIZE SHA_DIGEST_SIZE
#else
#define SIGNER_DIGEST_SIZE 160
#endif
/* CA Signers */ /* CA Signers */
struct Signer { struct Signer {
@@ -280,7 +285,7 @@ struct Signer {
word32 pubKeySize; word32 pubKeySize;
word32 keyOID; /* key type */ word32 keyOID; /* key type */
char* name; /* common name */ char* name; /* common name */
byte hash[SHA_DIGEST_SIZE]; /* sha hash of names in certificate */ byte hash[SIGNER_DIGEST_SIZE];/* sha hash of names in certificate */
Signer* next; Signer* next;
}; };
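Review bot: The fallback `#define SIGNER_DIGEST_SIZE 160` looks like the SHA-1 digest length in bits; the digest is 20 bytes, and `hash` is a byte array. The oversized array is not itself an overflow, but any copy or compare sized with SIGNER_DIGEST_SIZE against a source buffer that is SHA_DIGEST_SIZE long would read past the source, so the two must agree. `#ifdef SHA_DIGEST_SIZE` also only works if that name is a preprocessor macro; if sha.h declares it as an enumerator the test is always false and the fallback is always taken (sha.h is not shown here, so please check). The same pattern is used for OCSP_DIGEST_SIZE and CRL_DIGEST_SIZE in the internal header later in this commit; I would use `#define SIGNER_DIGEST_SIZE 20` as the fallback, and 20 in the other two as well.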


@@ -78,7 +78,9 @@ typedef union {
#ifndef NO_MD5 #ifndef NO_MD5
Md5 md5; Md5 md5;
#endif #endif
Sha sha; #ifndef NO_SHA
Sha sha;
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
Sha256 sha256; Sha256 sha256;
#endif #endif


@@ -238,7 +238,6 @@ int mp_count_bits (mp_int * a);
int mp_init_copy (mp_int * a, mp_int * b); int mp_init_copy (mp_int * a, mp_int * b);
int mp_copy (mp_int * a, mp_int * b); int mp_copy (mp_int * a, mp_int * b);
int mp_grow (mp_int * a, int size); int mp_grow (mp_int * a, int size);
void bn_reverse (unsigned char *s, int len);
int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d); int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d);
void mp_zero (mp_int * a); void mp_zero (mp_int * a);
void mp_clamp (mp_int * a); void mp_clamp (mp_int * a);


@@ -115,13 +115,22 @@
#endif #endif
#ifdef CYASSL_LEANPSK #if defined(CYASSL_LEANPSK) && !defined(XMALLOC_USER)
#include <stdlib.h> #include <stdlib.h>
#define XMALLOC(s, h, type) malloc((s)) #define XMALLOC(s, h, type) malloc((s))
#define XFREE(p, h, type) free((p)) #define XFREE(p, h, type) free((p))
#define XREALLOC(p, n, h, t) realloc((p), (n)) #define XREALLOC(p, n, h, t) realloc((p), (n))
#endif #endif
#if defined(XMALLOC_USER) && defined(SSN_BUILDING_LIBYASSL)
#undef XMALLOC
#define XMALLOC yaXMALLOC
#undef XFREE
#define XFREE yaXFREE
#undef XREALLOC
#define XREALLOC yaXREALLOC
#endif
#ifdef FREERTOS #ifdef FREERTOS
#define NO_WRITEV #define NO_WRITEV


@@ -74,6 +74,10 @@
#define WORD64_AVAILABLE #define WORD64_AVAILABLE
#define W64LIT(x) x##LL #define W64LIT(x) x##LL
typedef unsigned long long word64; typedef unsigned long long word64;
#elif defined(__SIZEOF_LONG_LONG__) && __SIZEOF_LONG_LONG__ == 8
#define WORD64_AVAILABLE
#define W64LIT(x) x##LL
typedef unsigned long long word64;
#else #else
#define MP_16BIT /* for mp_int, mp_word needs to be twice as big as #define MP_16BIT /* for mp_int, mp_word needs to be twice as big as
mp_digit, no 64 bit type so make mp_digit 16 bit */ mp_digit, no 64 bit type so make mp_digit 16 bit */


@@ -33,6 +33,7 @@
#include <cyassl/ctaocrypt/rabbit.h> #include <cyassl/ctaocrypt/rabbit.h>
#include <cyassl/ctaocrypt/asn.h> #include <cyassl/ctaocrypt/asn.h>
#include <cyassl/ctaocrypt/md5.h> #include <cyassl/ctaocrypt/md5.h>
#include <cyassl/ctaocrypt/sha.h>
#include <cyassl/ctaocrypt/aes.h> #include <cyassl/ctaocrypt/aes.h>
#include <cyassl/ctaocrypt/camellia.h> #include <cyassl/ctaocrypt/camellia.h>
#include <cyassl/ctaocrypt/logging.h> #include <cyassl/ctaocrypt/logging.h>
@@ -134,7 +135,9 @@ void c32to24(word32 in, word24 out);
When adding cipher suites, add name to cipher_names, idx to cipher_name_idx When adding cipher suites, add name to cipher_names, idx to cipher_name_idx
*/ */
#if !defined(NO_RSA) && !defined(NO_RC4) #if !defined(NO_RSA) && !defined(NO_RC4)
#if !defined(NO_SHA)
#define BUILD_SSL_RSA_WITH_RC4_128_SHA #define BUILD_SSL_RSA_WITH_RC4_128_SHA
#endif
#define BUILD_SSL_RSA_WITH_RC4_128_MD5 #define BUILD_SSL_RSA_WITH_RC4_128_MD5
#if !defined(NO_TLS) && defined(HAVE_NTRU) #if !defined(NO_TLS) && defined(HAVE_NTRU)
#define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
@@ -142,19 +145,23 @@ void c32to24(word32 in, word24 out);
#endif #endif
#if !defined(NO_RSA) && !defined(NO_DES3) #if !defined(NO_RSA) && !defined(NO_DES3)
#if !defined(NO_SHA)
#define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
#if !defined(NO_TLS) && defined(HAVE_NTRU) #if !defined(NO_TLS) && defined(HAVE_NTRU)
#define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
#endif #endif
#endif
#endif #endif
#if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS) #if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS)
#if !defined(NO_SHA)
#define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
#if defined(HAVE_NTRU) #if defined(HAVE_NTRU)
#define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
#endif #endif
#endif
#if !defined (NO_SHA256) #if !defined (NO_SHA256)
#define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
@@ -171,15 +178,19 @@ void c32to24(word32 in, word24 out);
#if defined(HAVE_CAMELLIA) && !defined(NO_TLS) #if defined(HAVE_CAMELLIA) && !defined(NO_TLS)
#ifndef NO_RSA #ifndef NO_RSA
#if !defined(NO_SHA)
#define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
#define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
#define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
#define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
#endif #endif
#if !defined(NO_DH) && defined(OPENSSL_EXTRA) #if !defined(NO_DH) && defined(OPENSSL_EXTRA)
#if !defined(NO_SHA)
#define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
#define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
#define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
#define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
@@ -189,8 +200,10 @@ void c32to24(word32 in, word24 out);
#endif #endif
#if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS)
#if !defined(NO_SHA)
#define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
#define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
#define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
#endif #endif
@@ -198,11 +211,17 @@ void c32to24(word32 in, word24 out);
#if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER)
#if !defined(NO_RSA) #if !defined(NO_RSA)
#if !defined(NO_SHA)
#define BUILD_TLS_RSA_WITH_NULL_SHA #define BUILD_TLS_RSA_WITH_NULL_SHA
#endif
#ifndef NO_SHA256
#define BUILD_TLS_RSA_WITH_NULL_SHA256 #define BUILD_TLS_RSA_WITH_NULL_SHA256
#endif
#endif #endif
#if !defined(NO_PSK) #if !defined(NO_PSK)
#if !defined(NO_SHA)
#define BUILD_TLS_PSK_WITH_NULL_SHA #define BUILD_TLS_PSK_WITH_NULL_SHA
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
#define BUILD_TLS_PSK_WITH_NULL_SHA256 #define BUILD_TLS_PSK_WITH_NULL_SHA256
#endif #endif
@@ -211,17 +230,23 @@ void c32to24(word32 in, word24 out);
#if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS) #if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS)
#define BUILD_TLS_RSA_WITH_HC_128_CBC_MD5 #define BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
#if !defined(NO_SHA)
#define BUILD_TLS_RSA_WITH_HC_128_CBC_SHA #define BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
#endif
#endif #endif
#if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA) #if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA)
#if !defined(NO_SHA)
#define BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA #define BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
#endif
#endif #endif
#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
!defined(NO_RSA) && defined(OPENSSL_EXTRA) !defined(NO_RSA) && defined(OPENSSL_EXTRA)
#if !defined(NO_SHA)
#define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
#endif
#if !defined (NO_SHA256) #if !defined (NO_SHA256)
#define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
@@ -234,39 +259,50 @@ void c32to24(word32 in, word24 out);
#if defined(HAVE_ECC) && !defined(NO_TLS) #if defined(HAVE_ECC) && !defined(NO_TLS)
#if !defined(NO_AES) #if !defined(NO_AES)
#define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA #if !defined(NO_SHA)
#define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA #if !defined(NO_RSA)
#define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
#endif
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
#ifndef NO_SHA256 #ifndef NO_SHA256
#define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 #if !defined(NO_RSA)
#define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
#endif
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
#endif #endif
#ifdef CYASSL_SHA384 #ifdef CYASSL_SHA384
#define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 #if !defined(NO_RSA)
#define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
#define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
#endif
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
#define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
#endif #endif
#if defined (HAVE_AESGCM) #if defined (HAVE_AESGCM)
#define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 #if !defined(NO_RSA)
#define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
#endif
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
#endif #endif
#if defined (HAVE_AESCCM) #if defined (HAVE_AESCCM)
@@ -275,19 +311,26 @@ void c32to24(word32 in, word24 out);
#endif #endif
#endif #endif
#if !defined(NO_RC4) #if !defined(NO_RC4)
#define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA #if !defined(NO_SHA)
#define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA #if !defined(NO_RSA)
#define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
#define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
#endif
#define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
#define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
#endif
#endif #endif
#if !defined(NO_DES3) #if !defined(NO_DES3)
#define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA #if !defined(NO_RSA)
#define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
#define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
#endif
#define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
#define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
#endif #endif
#endif
#endif #endif
@@ -301,11 +344,14 @@ void c32to24(word32 in, word24 out);
#endif #endif
#if defined(BUILD_TLS_RSA_WITH_AES_128_CBC_SHA) || \ #if defined(BUILD_TLS_RSA_WITH_AES_128_CBC_SHA) || \
defined(BUILD_TLS_RSA_WITH_AES_256_CBC_SHA) defined(BUILD_TLS_RSA_WITH_AES_256_CBC_SHA) || \
defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
#undef BUILD_AES
#define BUILD_AES #define BUILD_AES
#endif #endif
#if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) #if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \
defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
#define BUILD_AESGCM #define BUILD_AESGCM
#endif #endif
@@ -640,12 +686,17 @@ enum states {
}; };
#if defined(__GNUC__)
#define CYASSL_PACK __attribute__ ((packed))
#else
#define CYASSL_PACK
#endif
/* SSL Version */ /* SSL Version */
typedef struct ProtocolVersion { typedef struct ProtocolVersion {
byte major; byte major;
byte minor; byte minor;
} ProtocolVersion; } CYASSL_PACK ProtocolVersion;
CYASSL_LOCAL ProtocolVersion MakeSSLv3(void); CYASSL_LOCAL ProtocolVersion MakeSSLv3(void);
@@ -869,14 +920,18 @@ CYASSL_LOCAL int FreeMutex(CyaSSL_Mutex*);
CYASSL_LOCAL int LockMutex(CyaSSL_Mutex*); CYASSL_LOCAL int LockMutex(CyaSSL_Mutex*);
CYASSL_LOCAL int UnLockMutex(CyaSSL_Mutex*); CYASSL_LOCAL int UnLockMutex(CyaSSL_Mutex*);
typedef struct OCSP_Entry OCSP_Entry; typedef struct OCSP_Entry OCSP_Entry;
#ifdef SHA_DIGEST_SIZE
#define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE
#else
#define OCSP_DIGEST_SIZE 160
#endif
struct OCSP_Entry { struct OCSP_Entry {
OCSP_Entry* next; /* next entry */ OCSP_Entry* next; /* next entry */
byte issuerHash[SHA_DIGEST_SIZE]; /* issuer hash */ byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
byte issuerKeyHash[SHA_DIGEST_SIZE]; /* issuer public key hash */ byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
CertStatus* status; /* OCSP response list */ CertStatus* status; /* OCSP response list */
int totalStatus; /* number on list */ int totalStatus; /* number on list */
}; };
@@ -894,14 +949,23 @@ struct CYASSL_OCSP {
CallbackIOOcspRespFree CBIOOcspRespFree; CallbackIOOcspRespFree CBIOOcspRespFree;
}; };
#ifndef MAX_DATE_SIZE
#define MAX_DATE_SIZE 32
#endif
typedef struct CRL_Entry CRL_Entry; typedef struct CRL_Entry CRL_Entry;
#ifdef SHA_DIGEST_SIZE
#define CRL_DIGEST_SIZE SHA_DIGEST_SIZE
#else
#define CRL_DIGEST_SIZE 160
#endif
/* Complete CRL */ /* Complete CRL */
struct CRL_Entry { struct CRL_Entry {
CRL_Entry* next; /* next entry */ CRL_Entry* next; /* next entry */
byte issuerHash[SHA_DIGEST_SIZE]; /* issuer hash */ byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
/* byte crlHash[SHA_DIGEST_SIZE]; raw crl data hash */ /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
/* restore the hash here if needed for optimized comparisons */ /* restore the hash here if needed for optimized comparisons */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */
byte nextDate[MAX_DATE_SIZE]; /* next update date */ byte nextDate[MAX_DATE_SIZE]; /* next update date */
@@ -1203,7 +1267,7 @@ CYASSL_LOCAL void FreeCiphers(CYASSL* ssl);
/* hashes type */ /* hashes type */
typedef struct Hashes { typedef struct Hashes {
#ifndef NO_MD5 #ifndef NO_OLD_TLS
byte md5[MD5_DIGEST_SIZE]; byte md5[MD5_DIGEST_SIZE];
#endif #endif
byte sha[SHA_DIGEST_SIZE]; byte sha[SHA_DIGEST_SIZE];
@@ -1314,7 +1378,6 @@ typedef struct Buffers {
#endif #endif
} Buffers; } Buffers;
typedef struct Options { typedef struct Options {
byte sessionCacheOff; byte sessionCacheOff;
byte sessionCacheFlushOff; byte sessionCacheFlushOff;
@@ -1365,7 +1428,6 @@ typedef struct Options {
#endif /* NO_PSK */ #endif /* NO_PSK */
} Options; } Options;
typedef struct Arrays { typedef struct Arrays {
byte clientRandom[RAN_LEN]; byte clientRandom[RAN_LEN];
byte serverRandom[RAN_LEN]; byte serverRandom[RAN_LEN];
@@ -1385,12 +1447,18 @@ typedef struct Arrays {
word32 preMasterSz; /* differs for DH, actual size */ word32 preMasterSz; /* differs for DH, actual size */
} Arrays; } Arrays;
#ifndef ASN_NAME_MAX
#define ASN_NAME_MAX 256
#endif
struct CYASSL_X509_NAME { struct CYASSL_X509_NAME {
char name[ASN_NAME_MAX]; char name[ASN_NAME_MAX];
int sz; int sz;
}; };
#ifndef EXTERNAL_SERIAL_SIZE
#define EXTERNAL_SERIAL_SIZE 32
#endif
struct CYASSL_X509 { struct CYASSL_X509 {
CYASSL_X509_NAME issuer; CYASSL_X509_NAME issuer;
@@ -1460,10 +1528,14 @@ struct CYASSL {
void* IOCB_ReadCtx; void* IOCB_ReadCtx;
void* IOCB_WriteCtx; void* IOCB_WriteCtx;
RNG* rng; RNG* rng;
#ifndef NO_OLD_TLS
#ifndef NO_SHA
Sha hashSha; /* sha hash of handshake msgs */ Sha hashSha; /* sha hash of handshake msgs */
#endif
#ifndef NO_MD5 #ifndef NO_MD5
Md5 hashMd5; /* md5 hash of handshake msgs */ Md5 hashMd5; /* md5 hash of handshake msgs */
#endif #endif
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
Sha256 hashSha256; /* sha256 hash of handshake msgs */ Sha256 hashSha256; /* sha256 hash of handshake msgs */
#endif #endif
@@ -1528,6 +1600,7 @@ struct CYASSL {
#ifdef HAVE_CAVIUM #ifdef HAVE_CAVIUM
int devId; /* cavium device id to use */ int devId; /* cavium device id to use */
#endif #endif
CYASSL_ALERT_HISTORY alert_history;
}; };
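Review bot: The SHA suites are now wrapped in `#if !defined(NO_SHA)`, but `BUILD_SSL_RSA_WITH_RC4_128_MD5` and `BUILD_TLS_RSA_WITH_HC_128_CBC_MD5` are still defined unconditionally inside their RSA blocks. This commit also wraps the MD5 source file in `#ifndef NO_MD5`, so a NO_MD5 build would still enable suites whose MAC is not compiled in. Give them the same treatment as the SHA suites: `#if !defined(NO_MD5)`, then `#define BUILD_SSL_RSA_WITH_RC4_128_MD5`, then `#endif`, and likewise for the HC-128 MD5 suite.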


@@ -59,7 +59,6 @@
extern "C" { extern "C" {
#endif #endif
typedef struct CYASSL CYASSL; typedef struct CYASSL CYASSL;
typedef struct CYASSL_SESSION CYASSL_SESSION; typedef struct CYASSL_SESSION CYASSL_SESSION;
typedef struct CYASSL_METHOD CYASSL_METHOD; typedef struct CYASSL_METHOD CYASSL_METHOD;
@@ -112,6 +111,15 @@ typedef struct CYASSL_X509_STORE {
int cache; /* stunnel dereference */ int cache; /* stunnel dereference */
} CYASSL_X509_STORE; } CYASSL_X509_STORE;
typedef struct CYASSL_ALERT {
int code;
int level;
} CYASSL_ALERT;
typedef struct CYASSL_ALERT_HISTORY {
CYASSL_ALERT last_rx;
CYASSL_ALERT last_tx;
} CYASSL_ALERT_HISTORY;
typedef struct CYASSL_X509_REVOKED { typedef struct CYASSL_X509_REVOKED {
CYASSL_ASN1_INTEGER* serialNumber; /* stunnel dereference */ CYASSL_ASN1_INTEGER* serialNumber; /* stunnel dereference */
@@ -202,6 +210,7 @@ CYASSL_API void CyaSSL_CTX_set_quiet_shutdown(CYASSL_CTX*, int);
CYASSL_API void CyaSSL_set_quiet_shutdown(CYASSL*, int); CYASSL_API void CyaSSL_set_quiet_shutdown(CYASSL*, int);
CYASSL_API int CyaSSL_get_error(CYASSL*, int); CYASSL_API int CyaSSL_get_error(CYASSL*, int);
CYASSL_API int CyaSSL_get_alert_history(CYASSL*, CYASSL_ALERT_HISTORY *);
CYASSL_API int CyaSSL_set_session(CYASSL* ssl,CYASSL_SESSION* session); CYASSL_API int CyaSSL_set_session(CYASSL* ssl,CYASSL_SESSION* session);
CYASSL_API CYASSL_SESSION* CyaSSL_get_session(CYASSL* ssl); CYASSL_API CYASSL_SESSION* CyaSSL_get_session(CYASSL* ssl);
@@ -256,6 +265,7 @@ CYASSL_API void CyaSSL_SESSION_free(CYASSL_SESSION* session);
CYASSL_API int CyaSSL_is_init_finished(CYASSL*); CYASSL_API int CyaSSL_is_init_finished(CYASSL*);
CYASSL_API const char* CyaSSL_get_version(CYASSL*); CYASSL_API const char* CyaSSL_get_version(CYASSL*);
CYASSL_API int CyaSSL_get_current_cipher_suite(CYASSL* ssl);
CYASSL_API CYASSL_CIPHER* CyaSSL_get_current_cipher(CYASSL*); CYASSL_API CYASSL_CIPHER* CyaSSL_get_current_cipher(CYASSL*);
CYASSL_API char* CyaSSL_CIPHER_description(CYASSL_CIPHER*, char*, int); CYASSL_API char* CyaSSL_CIPHER_description(CYASSL_CIPHER*, char*, int);
CYASSL_API const char* CyaSSL_CIPHER_get_name(const CYASSL_CIPHER* cipher); CYASSL_API const char* CyaSSL_CIPHER_get_name(const CYASSL_CIPHER* cipher);
@@ -423,7 +433,6 @@ CYASSL_API long CyaSSL_CTX_sess_timeouts(CYASSL_CTX*);
CYASSL_API long CyaSSL_CTX_sess_number(CYASSL_CTX*); CYASSL_API long CyaSSL_CTX_sess_number(CYASSL_CTX*);
CYASSL_API long CyaSSL_CTX_sess_get_cache_size(CYASSL_CTX*); CYASSL_API long CyaSSL_CTX_sess_get_cache_size(CYASSL_CTX*);
#define CYASSL_DEFAULT_CIPHER_LIST "" /* default all */ #define CYASSL_DEFAULT_CIPHER_LIST "" /* default all */
#define CYASSL_RSA_F4 0x10001L #define CYASSL_RSA_F4 0x10001L
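Review bot: `CyaSSL_get_alert_history` and `CyaSSL_get_current_cipher_suite` are added to the public header without any comment on their contract. For the first, callers need to know what the int return means, whether the history is copied into the caller's struct, and what `code` and `level` hold before any alert has been sent or received. Monitoring code will read these fields to tell a clean close from a fatal alert, so the initial values matter. I would add a comment such as `/* copies the last alert received and sent into *h; returns SSL_SUCCESS, or an error if ssl or h is NULL */` once the implementation, which is not in the part shown, confirms that behaviour.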


@@ -20,6 +20,8 @@
#define SOCKET_T unsigned int #define SOCKET_T unsigned int
#else #else
#include <string.h> #include <string.h>
#include <sys/types.h>
#ifndef CYASSL_LEANPSK
#include <unistd.h> #include <unistd.h>
#include <netdb.h> #include <netdb.h>
#include <netinet/in.h> #include <netinet/in.h>
@@ -27,13 +29,13 @@
#include <arpa/inet.h> #include <arpa/inet.h>
#include <sys/ioctl.h> #include <sys/ioctl.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <pthread.h> #include <pthread.h>
#include <fcntl.h> #include <fcntl.h>
#ifdef TEST_IPV6 #ifdef TEST_IPV6
#include <netdb.h> #include <netdb.h>
#endif #endif
#endif
#define SOCKET_T int #define SOCKET_T int
#ifndef SO_NOSIGPIPE #ifndef SO_NOSIGPIPE
#include <signal.h> /* ignore SIGPIPE */ #include <signal.h> /* ignore SIGPIPE */
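Review bot: The `#endif` added right after the `TEST_IPV6` block closes the new `#ifndef CYASSL_LEANPSK` but carries no label, so two bare `#endif` lines now sit back to back; `#endif /* CYASSL_LEANPSK */` would match the labelled form this commit uses elsewhere. With CYASSL_LEANPSK defined, the socket, netdb and pthread headers are skipped while `SOCKET_T` is still defined as `int`. Whether the helpers later in this header that depend on those headers are guarded the same way is not visible in these hunks and is worth confirming.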


@@ -284,9 +284,9 @@ void client_test(void* args)
if (cipherList == NULL) { if (cipherList == NULL) {
const char *defaultCipherList; const char *defaultCipherList;
#ifdef HAVE_NULL_CIPHER #ifdef HAVE_NULL_CIPHER
defaultCipherList = "PSK-NULL-SHA"; defaultCipherList = "PSK-NULL-SHA256";
#else #else
defaultCipherList = "PSK-AES256-CBC-SHA"; defaultCipherList = "PSK-AES256-CBC-SHA256";
#endif #endif
if (CyaSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=SSL_SUCCESS) if (CyaSSL_CTX_set_cipher_list(ctx,defaultCipherList) !=SSL_SUCCESS)
err_sys("client can't set cipher list 2"); err_sys("client can't set cipher list 2");
@@ -301,7 +301,7 @@ void client_test(void* args)
#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) #if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC)
if (cipherList == NULL) { if (cipherList == NULL) {
/* don't use EDH, can't sniff tmp keys */ /* don't use EDH, can't sniff tmp keys */
if (CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA") != SSL_SUCCESS) { if (CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) {
err_sys("client can't set cipher list 3"); err_sys("client can't set cipher list 3");
} }
} }
@@ -323,7 +323,7 @@ void client_test(void* args)
if (CyaSSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) if (CyaSSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS) != SSL_SUCCESS)
err_sys("can't load client cert file, check file and run from" err_sys("can't load client private key file, check file and run from"
" CyaSSL home dir"); " CyaSSL home dir");
if (CyaSSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) if (CyaSSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
@@ -492,13 +492,11 @@ void client_test(void* args)
NonBlockingSSL_Connect(ssl); /* will keep retrying on timeout */ NonBlockingSSL_Connect(ssl); /* will keep retrying on timeout */
#endif #endif
#ifdef OPENSSL_EXTRA
if (CyaSSL_session_reused(sslResume)) if (CyaSSL_session_reused(sslResume))
printf("reused session id\n"); printf("reused session id\n");
else else
printf("didn't reuse session id!!!\n"); printf("didn't reuse session id!!!\n");
#endif
if (CyaSSL_write(sslResume, resumeMsg, resumeSz) != resumeSz) if (CyaSSL_write(sslResume, resumeMsg, resumeSz) != resumeSz)
err_sys("SSL_write failed"); err_sys("SSL_write failed");
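Review bot: The non-NULL-cipher default on the new side, `defaultCipherList = "PSK-AES256-CBC-SHA256";`, names a combination RFC 5487 does not define (AES-256-CBC with PSK is paired with SHA-384 there), and the only PSK SHA-256 CBC suite visible elsewhere in this commit is `TLS_PSK_WITH_AES_128_CBC_SHA256`. If the library's name table has no entry for that string, `CyaSSL_CTX_set_cipher_list` will presumably fail and the client will stop at "client can't set cipher list 2"; `defaultCipherList = "PSK-AES128-CBC-SHA256";` looks like the intended value. The server's PSK default further down sets the same string. A comment on the `HAVE_NULL_CIPHER` branch would also help, e.g. `/* NULL cipher: integrity only, no encryption; test use only */`. client_test's body continues outside these hunks.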


@@ -280,9 +280,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
if (cipherList == NULL) { if (cipherList == NULL) {
const char *defaultCipherList; const char *defaultCipherList;
#ifdef HAVE_NULL_CIPHER #ifdef HAVE_NULL_CIPHER
defaultCipherList = "PSK-NULL-SHA"; defaultCipherList = "PSK-NULL-SHA256";
#else #else
defaultCipherList = "PSK-AES256-CBC-SHA"; defaultCipherList = "PSK-AES256-CBC-SHA256";
#endif #endif
if (SSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS) if (SSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 2"); err_sys("server can't set cipher list 2");
@@ -307,7 +307,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) #if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC)
/* don't use EDH, can't sniff tmp keys */ /* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) { if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA") != SSL_SUCCESS) if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS)
err_sys("server can't set cipher list 3"); err_sys("server can't set cipher list 3");
} }
#endif #endif
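Review bot: The sniffer fallback `SSL_CTX_set_cipher_list(ctx, "AES256-SHA256")` now pins a suite that is defined only for TLS 1.2, so a CYASSL_SNIFFER build run with an older protocol version selected may be left without a usable default suite; the client's "cipher list 3" branch has the same change. If the example is still meant to run against older versions, select the string by build option, e.g. `#ifndef NO_OLD_TLS` choosing `"AES256-SHA"` and `#else` choosing `"AES256-SHA256"`. A short comment next to the call saying why the default moved to a SHA-256 suite would record the intent, which the hunk itself does not state. server_test's body continues outside these hunks.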


@@ -90,7 +90,7 @@ typedef enum {
runProcessingOneMessage runProcessingOneMessage
} processReply; } processReply;
#ifndef NO_MD5 #ifndef NO_OLD_TLS
static void Hmac(CYASSL* ssl, byte* digest, const byte* buffer, word32 sz, static void Hmac(CYASSL* ssl, byte* digest, const byte* buffer, word32 sz,
int content, int verify); int content, int verify);
@@ -1217,10 +1217,14 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
ssl->IOCB_ReadCtx = &ssl->rfd; /* prevent invalid pointer access if not */ ssl->IOCB_ReadCtx = &ssl->rfd; /* prevent invalid pointer access if not */
ssl->IOCB_WriteCtx = &ssl->wfd; /* correctly set */ ssl->IOCB_WriteCtx = &ssl->wfd; /* correctly set */
#ifndef NO_OLD_TLS
#ifndef NO_MD5 #ifndef NO_MD5
InitMd5(&ssl->hashMd5); InitMd5(&ssl->hashMd5);
#endif #endif
#ifndef NO_SHA
InitSha(&ssl->hashSha); InitSha(&ssl->hashSha);
#endif
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
InitSha256(&ssl->hashSha256); InitSha256(&ssl->hashSha256);
#endif #endif
@@ -2004,7 +2008,7 @@ ProtocolVersion MakeDTLSv1(void)
} }
#elif defined(USER_TICKS) #elif defined(USER_TICKS)
#if 0
word32 LowResTimer(void) word32 LowResTimer(void)
{ {
/* /*
@@ -2012,7 +2016,7 @@ ProtocolVersion MakeDTLSv1(void)
needs second accuracy but doesn't have to correlated to EPOCH needs second accuracy but doesn't have to correlated to EPOCH
*/ */
} }
#endif
#else /* !USE_WINDOWS_API && !THREADX && !MICRIUM && !USER_TICKS */ #else /* !USE_WINDOWS_API && !THREADX && !MICRIUM && !USER_TICKS */
#include <time.h> #include <time.h>
@@ -2038,10 +2042,13 @@ static void HashOutput(CYASSL* ssl, const byte* output, int sz, int ivSz)
sz -= DTLS_RECORD_EXTRA; sz -= DTLS_RECORD_EXTRA;
} }
#endif #endif
#ifndef NO_OLD_TLS
#ifndef NO_SHA
ShaUpdate(&ssl->hashSha, adj, sz); ShaUpdate(&ssl->hashSha, adj, sz);
#endif
#ifndef NO_MD5 #ifndef NO_MD5
Md5Update(&ssl->hashMd5, adj, sz); Md5Update(&ssl->hashMd5, adj, sz);
#endif
#endif #endif
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
@@ -2068,9 +2075,13 @@ static void HashInput(CYASSL* ssl, const byte* input, int sz)
} }
#endif #endif
#ifndef NO_OLD_TLS
#ifndef NO_SHA
ShaUpdate(&ssl->hashSha, adj, sz); ShaUpdate(&ssl->hashSha, adj, sz);
#endif
#ifndef NO_MD5 #ifndef NO_MD5
Md5Update(&ssl->hashMd5, adj, sz); Md5Update(&ssl->hashMd5, adj, sz);
#endif
#endif #endif
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
@@ -2197,13 +2208,13 @@ retry:
ssl->options.isClosed = 1; ssl->options.isClosed = 1;
return -1; return -1;
#ifdef CYASSL_DTLS
case IO_ERR_TIMEOUT: case IO_ERR_TIMEOUT:
#ifdef CYASSL_DTLS
if (DtlsPoolTimeout(ssl) == 0 && DtlsPoolSend(ssl) == 0) if (DtlsPoolTimeout(ssl) == 0 && DtlsPoolSend(ssl) == 0)
goto retry; goto retry;
else else
return -1;
#endif #endif
return -1;
default: default:
return recvd; return recvd;
@@ -2491,7 +2502,7 @@ static int GetDtlsHandShakeHeader(CYASSL* ssl, const byte* input,
#endif #endif
#ifndef NO_MD5 #ifndef NO_OLD_TLS
/* fill with MD5 pad size since biggest required */ /* fill with MD5 pad size since biggest required */
static const byte PAD1[PAD_MD5] = static const byte PAD1[PAD_MD5] =
{ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
@@ -2554,10 +2565,14 @@ static void BuildSHA(CYASSL* ssl, Hashes* hashes, const byte* sender)
static void BuildFinished(CYASSL* ssl, Hashes* hashes, const byte* sender) static void BuildFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
{ {
/* store current states, building requires get_digest which resets state */ /* store current states, building requires get_digest which resets state */
#ifndef NO_OLD_TLS
#ifndef NO_MD5 #ifndef NO_MD5
Md5 md5 = ssl->hashMd5; Md5 md5 = ssl->hashMd5;
#endif #endif
#ifndef NO_SHA
Sha sha = ssl->hashSha; Sha sha = ssl->hashSha;
#endif
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
Sha256 sha256 = ssl->hashSha256; Sha256 sha256 = ssl->hashSha256;
#endif #endif
@@ -2567,7 +2582,7 @@ static void BuildFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
if (ssl->options.tls) if (ssl->options.tls)
BuildTlsFinished(ssl, hashes, sender); BuildTlsFinished(ssl, hashes, sender);
#ifndef NO_MD5 #ifndef NO_OLD_TLS
else { else {
BuildMD5(ssl, hashes, sender); BuildMD5(ssl, hashes, sender);
BuildSHA(ssl, hashes, sender); BuildSHA(ssl, hashes, sender);
@@ -2575,10 +2590,14 @@ static void BuildFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
#endif #endif
/* restore */ /* restore */
#ifndef NO_OLD_TLS
#ifndef NO_MD5 #ifndef NO_MD5
ssl->hashMd5 = md5; ssl->hashMd5 = md5;
#endif #endif
#ifndef NO_SHA
ssl->hashSha = sha; ssl->hashSha = sha;
#endif
#endif
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
#ifndef NO_SHA256 #ifndef NO_SHA256
ssl->hashSha256 = sha256; ssl->hashSha256 = sha256;
@@ -3681,7 +3700,7 @@ static int DecryptMessage(CYASSL* ssl, byte* input, word32 sz, word32* idx)
} }
#ifndef NO_MD5 #ifndef NO_OLD_TLS
static INLINE void Md5Rounds(int rounds, const byte* data, int sz) static INLINE void Md5Rounds(int rounds, const byte* data, int sz)
{ {
@@ -3694,7 +3713,6 @@ static INLINE void Md5Rounds(int rounds, const byte* data, int sz)
Md5Update(&md5, data, sz); Md5Update(&md5, data, sz);
} }
#endif
static INLINE void ShaRounds(int rounds, const byte* data, int sz) static INLINE void ShaRounds(int rounds, const byte* data, int sz)
@@ -3707,6 +3725,7 @@ static INLINE void ShaRounds(int rounds, const byte* data, int sz)
for (i = 0; i < rounds; i++) for (i = 0; i < rounds; i++)
ShaUpdate(&sha, data, sz); ShaUpdate(&sha, data, sz);
} }
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
@@ -3780,15 +3799,19 @@ static INLINE void DoRounds(int type, int rounds, const byte* data, int sz)
case no_mac : case no_mac :
break; break;
#ifndef NO_OLD_TLS
#ifndef NO_MD5 #ifndef NO_MD5
case md5_mac : case md5_mac :
Md5Rounds(rounds, data, sz); Md5Rounds(rounds, data, sz);
break; break;
#endif #endif
#ifndef NO_SHA
case sha_mac : case sha_mac :
ShaRounds(rounds, data, sz); ShaRounds(rounds, data, sz);
break; break;
#endif
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
case sha256_mac : case sha256_mac :
@@ -4033,6 +4056,7 @@ int DoApplicationData(CYASSL* ssl, byte* input, word32* inOutIdx)
static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type) static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type)
{ {
byte level; byte level;
byte code;
#ifdef CYASSL_CALLBACKS #ifdef CYASSL_CALLBACKS
if (ssl->hsInfoOn) if (ssl->hsInfoOn)
@@ -4043,7 +4067,10 @@ static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type)
RECORD_HEADER_SZ, 2 + RECORD_HEADER_SZ, ssl->heap); RECORD_HEADER_SZ, 2 + RECORD_HEADER_SZ, ssl->heap);
#endif #endif
level = input[(*inOutIdx)++]; level = input[(*inOutIdx)++];
*type = (int)input[(*inOutIdx)++]; code = (int)input[(*inOutIdx)++];
ssl->alert_history.last_rx.code = code;
ssl->alert_history.last_rx.level = level;
*type = code;
CYASSL_MSG("Got alert"); CYASSL_MSG("Got alert");
if (*type == close_notify) { if (*type == close_notify) {
@@ -4576,13 +4603,18 @@ static void BuildSHA_CertVerify(CYASSL* ssl, byte* digest)
ShaFinal(&ssl->hashSha, digest); ShaFinal(&ssl->hashSha, digest);
} }
#endif
#ifndef CYASSL_LEANPSK
static void BuildCertHashes(CYASSL* ssl, Hashes* hashes) static void BuildCertHashes(CYASSL* ssl, Hashes* hashes)
{ {
/* store current states, building requires get_digest which resets state */ /* store current states, building requires get_digest which resets state */
#ifndef NO_OLD_TLS
Md5 md5 = ssl->hashMd5; Md5 md5 = ssl->hashMd5;
Sha sha = ssl->hashSha; Sha sha = ssl->hashSha;
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
Sha256 sha256 = ssl->hashSha256; Sha256 sha256 = ssl->hashSha256;
#endif #endif
@@ -4591,8 +4623,10 @@ static void BuildCertHashes(CYASSL* ssl, Hashes* hashes)
#endif #endif
if (ssl->options.tls) { if (ssl->options.tls) {
#if ! defined( NO_OLD_TLS )
Md5Final(&ssl->hashMd5, hashes->md5); Md5Final(&ssl->hashMd5, hashes->md5);
ShaFinal(&ssl->hashSha, hashes->sha); ShaFinal(&ssl->hashSha, hashes->sha);
#endif
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
#ifndef NO_SHA256 #ifndef NO_SHA256
Sha256Final(&ssl->hashSha256, hashes->sha256); Sha256Final(&ssl->hashSha256, hashes->sha256);
@@ -4602,6 +4636,7 @@ static void BuildCertHashes(CYASSL* ssl, Hashes* hashes)
#endif #endif
} }
} }
#if ! defined( NO_OLD_TLS )
else { else {
BuildMD5_CertVerify(ssl, hashes->md5); BuildMD5_CertVerify(ssl, hashes->md5);
BuildSHA_CertVerify(ssl, hashes->sha); BuildSHA_CertVerify(ssl, hashes->sha);
@@ -4610,6 +4645,7 @@ static void BuildCertHashes(CYASSL* ssl, Hashes* hashes)
/* restore */ /* restore */
ssl->hashMd5 = md5; ssl->hashMd5 = md5;
ssl->hashSha = sha; ssl->hashSha = sha;
#endif
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
#ifndef NO_SHA256 #ifndef NO_SHA256
ssl->hashSha256 = sha256; ssl->hashSha256 = sha256;
@@ -4619,7 +4655,8 @@ static void BuildCertHashes(CYASSL* ssl, Hashes* hashes)
#endif #endif
} }
} }
#endif
#endif /* CYASSL_LEANPSK */
/* Build SSL Message, encrypted */ /* Build SSL Message, encrypted */
static int BuildMessage(CYASSL* ssl, byte* output, const byte* input, int inSz, static int BuildMessage(CYASSL* ssl, byte* output, const byte* input, int inSz,
@@ -5114,6 +5151,8 @@ int SendAlert(CYASSL* ssl, int severity, int type)
input[0] = (byte)severity; input[0] = (byte)severity;
input[1] = (byte)type; input[1] = (byte)type;
ssl->alert_history.last_tx.code = type;
ssl->alert_history.last_tx.level = severity;
/* only send encrypted alert if handshake actually complete, otherwise /* only send encrypted alert if handshake actually complete, otherwise
other side may not be able to handle it */ other side may not be able to handle it */
@@ -6782,8 +6821,10 @@ int SetCipherList(Suites* s, const char* list)
#if defined(OPENSSL_EXTRA) || defined(HAVE_ECC) #if defined(OPENSSL_EXTRA) || defined(HAVE_ECC)
{ {
#ifndef NO_OLD_TLS
Md5 md5; Md5 md5;
Sha sha; Sha sha;
#endif
byte hash[FINISHED_SZ]; byte hash[FINISHED_SZ];
#ifndef NO_SHA256 #ifndef NO_SHA256
Sha256 sha256; Sha256 sha256;
@@ -6821,7 +6862,7 @@ int SetCipherList(Suites* s, const char* list)
sigLen = length; sigLen = length;
/* verify signature */ /* verify signature */
#ifndef NO_OLD_TLS
/* md5 */ /* md5 */
InitMd5(&md5); InitMd5(&md5);
Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN); Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN);
@@ -6835,7 +6876,7 @@ int SetCipherList(Suites* s, const char* list)
ShaUpdate(&sha, ssl->arrays->serverRandom, RAN_LEN); ShaUpdate(&sha, ssl->arrays->serverRandom, RAN_LEN);
ShaUpdate(&sha, messageVerify, verifySz); ShaUpdate(&sha, messageVerify, verifySz);
ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]); ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]);
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
InitSha256(&sha256); InitSha256(&sha256);
Sha256Update(&sha256, ssl->arrays->clientRandom, RAN_LEN); Sha256Update(&sha256, ssl->arrays->clientRandom, RAN_LEN);
@@ -6851,7 +6892,7 @@ int SetCipherList(Suites* s, const char* list)
Sha384Update(&sha384, messageVerify, verifySz); Sha384Update(&sha384, messageVerify, verifySz);
Sha384Final(&sha384, hash384); Sha384Final(&sha384, hash384);
#endif #endif
#ifndef NO_RSA
/* rsa */ /* rsa */
if (sigAlgo == rsa_sa_algo) if (sigAlgo == rsa_sa_algo)
{ {
@@ -6866,11 +6907,24 @@ int SetCipherList(Suites* s, const char* list)
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
byte encodedSig[MAX_ENCODED_SIG_SZ]; byte encodedSig[MAX_ENCODED_SIG_SZ];
word32 encSigSz; word32 encSigSz;
#ifndef NO_OLD_TLS
byte* digest = &hash[MD5_DIGEST_SIZE]; byte* digest = &hash[MD5_DIGEST_SIZE];
int typeH = SHAh; int typeH = SHAh;
int digestSz = SHA_DIGEST_SIZE; int digestSz = SHA_DIGEST_SIZE;
#else
byte* digest = hash256;
int typeH = SHA256h;
int digestSz = SHA256_DIGEST_SIZE;
#endif
if (hashAlgo == sha256_mac) { if (hashAlgo == sha_mac) {
#ifndef NO_SHA
digest = &hash[MD5_DIGEST_SIZE];
typeH = SHAh;
digestSz = SHA_DIGEST_SIZE;
#endif
}
else if (hashAlgo == sha256_mac) {
#ifndef NO_SHA256 #ifndef NO_SHA256
digest = hash256; digest = hash256;
typeH = SHA256h; typeH = SHA256h;
@@ -6895,18 +6949,30 @@ int SetCipherList(Suites* s, const char* list)
if (ret != sizeof(hash) || XMEMCMP(out, hash,sizeof(hash)) != 0) if (ret != sizeof(hash) || XMEMCMP(out, hash,sizeof(hash)) != 0)
return VERIFY_SIGN_ERROR; return VERIFY_SIGN_ERROR;
} }
} } else
#endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
/* ecdsa */ /* ecdsa */
else if (sigAlgo == ecc_dsa_sa_algo) { if (sigAlgo == ecc_dsa_sa_algo) {
int verify = 0, ret; int verify = 0, ret;
#ifndef NO_OLD_TLS
byte* digest = &hash[MD5_DIGEST_SIZE]; byte* digest = &hash[MD5_DIGEST_SIZE];
word32 digestSz = SHA_DIGEST_SIZE; word32 digestSz = SHA_DIGEST_SIZE;
#else
byte* digest = hash256;
word32 digestSz = SHA256_DIGEST_SIZE;
#endif
if (!ssl->peerEccDsaKeyPresent) if (!ssl->peerEccDsaKeyPresent)
return NO_PEER_KEY; return NO_PEER_KEY;
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
if (hashAlgo == sha256_mac) { if (hashAlgo == sha_mac) {
#ifndef NO_SHA
digest = &hash[MD5_DIGEST_SIZE];
digestSz = SHA_DIGEST_SIZE;
#endif
}
else if (hashAlgo == sha256_mac) {
#ifndef NO_SHA256 #ifndef NO_SHA256
digest = hash256; digest = hash256;
digestSz = SHA256_DIGEST_SIZE; digestSz = SHA256_DIGEST_SIZE;
@@ -6925,8 +6991,8 @@ int SetCipherList(Suites* s, const char* list)
if (ret != 0 || verify == 0) if (ret != 0 || verify == 0)
return VERIFY_SIGN_ERROR; return VERIFY_SIGN_ERROR;
} }
#endif /* HAVE_ECC */
else else
#endif /* HAVE_ECC */
return ALGO_ID_E; return ALGO_ID_E;
ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
@@ -7182,19 +7248,23 @@ int SetCipherList(Suites* s, const char* list)
return ret; return ret;
} }
#ifndef NO_RSA #ifndef NO_CERTS
int SendCertificateVerify(CYASSL* ssl) int SendCertificateVerify(CYASSL* ssl)
{ {
byte *output; byte *output;
int sendSz = 0, length, ret; int sendSz = 0, length, ret;
word32 idx = 0; word32 idx = 0;
word32 sigOutSz = 0; word32 sigOutSz = 0;
#ifndef NO_RSA
RsaKey key; RsaKey key;
#endif
int usingEcc = 0; int usingEcc = 0;
#ifdef HAVE_ECC #ifdef HAVE_ECC
ecc_key eccKey; ecc_key eccKey;
#endif #endif
(void)idx;
if (ssl->options.sendVerify == SEND_BLANK_CERT) if (ssl->options.sendVerify == SEND_BLANK_CERT)
return 0; /* sent blank cert, can't verify */ return 0; /* sent blank cert, can't verify */
@@ -7211,12 +7281,15 @@ int SetCipherList(Suites* s, const char* list)
#ifdef HAVE_ECC #ifdef HAVE_ECC
ecc_init(&eccKey); ecc_init(&eccKey);
#endif #endif
#ifndef NO_RSA
InitRsaKey(&key, ssl->heap); InitRsaKey(&key, ssl->heap);
ret = RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &key, ret = RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &key,
ssl->buffers.key.length); ssl->buffers.key.length);
if (ret == 0) if (ret == 0)
sigOutSz = RsaEncryptSize(&key); sigOutSz = RsaEncryptSize(&key);
else { else
#endif
{
#ifdef HAVE_ECC #ifdef HAVE_ECC
CYASSL_MSG("Trying ECC client cert, RSA didn't work"); CYASSL_MSG("Trying ECC client cert, RSA didn't work");
@@ -7236,11 +7309,19 @@ int SetCipherList(Suites* s, const char* list)
if (ret == 0) { if (ret == 0) {
byte* verify = (byte*)&output[RECORD_HEADER_SZ + byte* verify = (byte*)&output[RECORD_HEADER_SZ +
HANDSHAKE_HEADER_SZ]; HANDSHAKE_HEADER_SZ];
#ifndef NO_OLD_TLS
byte* signBuffer = ssl->certHashes.md5; byte* signBuffer = ssl->certHashes.md5;
#else
byte* signBuffer = NULL;
#endif
word32 signSz = FINISHED_SZ; word32 signSz = FINISHED_SZ;
byte encodedSig[MAX_ENCODED_SIG_SZ]; byte encodedSig[MAX_ENCODED_SIG_SZ];
word32 extraSz = 0; /* tls 1.2 hash/sig */ word32 extraSz = 0; /* tls 1.2 hash/sig */
(void)encodedSig;
(void)signSz;
(void)signBuffer;
#ifdef CYASSL_DTLS #ifdef CYASSL_DTLS
if (ssl->options.dtls) if (ssl->options.dtls)
verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
@@ -7255,11 +7336,26 @@ int SetCipherList(Suites* s, const char* list)
if (usingEcc) { if (usingEcc) {
#ifdef HAVE_ECC #ifdef HAVE_ECC
word32 localSz = MAX_ENCODED_SIG_SZ; word32 localSz = MAX_ENCODED_SIG_SZ;
word32 digestSz = SHA_DIGEST_SIZE; word32 digestSz;
byte* digest = ssl->certHashes.sha; byte* digest;
#ifndef NO_OLD_TLS
/* old tls default */
digestSz = SHA_DIGEST_SIZE;
digest = ssl->certHashes.sha;
#else
/* new tls default */
digestSz = SHA256_DIGEST_SIZE;
digest = ssl->certHashes.sha256;
#endif
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
if (ssl->suites->hashAlgo == sha256_mac) { if (ssl->suites->hashAlgo == sha_mac) {
#ifndef NO_SHA
digest = ssl->certHashes.sha;
digestSz = SHA_DIGEST_SIZE;
#endif
}
else if (ssl->suites->hashAlgo == sha256_mac) {
#ifndef NO_SHA256 #ifndef NO_SHA256
digest = ssl->certHashes.sha256; digest = ssl->certHashes.sha256;
digestSz = SHA256_DIGEST_SIZE; digestSz = SHA256_DIGEST_SIZE;
@@ -7282,13 +7378,27 @@ int SetCipherList(Suites* s, const char* list)
} }
#endif #endif
} }
#ifndef NO_RSA
else { else {
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
#ifndef NO_OLD_TLS
byte* digest = ssl->certHashes.sha; byte* digest = ssl->certHashes.sha;
int digestSz = SHA_DIGEST_SIZE; int digestSz = SHA_DIGEST_SIZE;
int typeH = SHAh; int typeH = SHAh;
#else
byte* digest = ssl->certHashes.sha256;
int digestSz = SHA256_DIGEST_SIZE;
int typeH = SHA256h;
#endif
if (ssl->suites->hashAlgo == sha256_mac) { if (ssl->suites->hashAlgo == sha_mac) {
#ifndef NO_SHA
digest = ssl->certHashes.sha;
typeH = SHAh;
digestSz = SHA_DIGEST_SIZE;
#endif
}
else if (ssl->suites->hashAlgo == sha256_mac) {
#ifndef NO_SHA256 #ifndef NO_SHA256
digest = ssl->certHashes.sha256; digest = ssl->certHashes.sha256;
typeH = SHA256h; typeH = SHA256h;
@@ -7314,7 +7424,7 @@ int SetCipherList(Suites* s, const char* list)
if (ret > 0) if (ret > 0)
ret = 0; /* RSA reset */ ret = 0; /* RSA reset */
} }
#endif
if (ret == 0) { if (ret == 0) {
AddHeaders(output, length + extraSz + VERIFY_HEADER, AddHeaders(output, length + extraSz + VERIFY_HEADER,
certificate_verify, ssl); certificate_verify, ssl);
@@ -7331,8 +7441,9 @@ int SetCipherList(Suites* s, const char* list)
HashOutput(ssl, output, sendSz, 0); HashOutput(ssl, output, sendSz, 0);
} }
} }
#ifndef NO_RSA
FreeRsaKey(&key); FreeRsaKey(&key);
#endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
ecc_free(&eccKey); ecc_free(&eccKey);
#endif #endif
@@ -7354,7 +7465,7 @@ int SetCipherList(Suites* s, const char* list)
else else
return ret; return ret;
} }
#endif /* NO_RSA */ #endif /* NO_CERTS */
#endif /* NO_CYASSL_CLIENT */ #endif /* NO_CYASSL_CLIENT */
@@ -7554,7 +7665,9 @@ int SetCipherList(Suites* s, const char* list)
word32 expSz = sizeof(exportBuf); word32 expSz = sizeof(exportBuf);
word32 sigSz; word32 sigSz;
word32 preSigSz, preSigIdx; word32 preSigSz, preSigIdx;
#ifndef NO_RSA
RsaKey rsaKey; RsaKey rsaKey;
#endif
ecc_key dsaKey; ecc_key dsaKey;
if (ssl->specs.static_ecdh) { if (ssl->specs.static_ecdh) {
@@ -7573,18 +7686,23 @@ int SetCipherList(Suites* s, const char* list)
preSigSz = length; preSigSz = length;
preSigIdx = idx; preSigIdx = idx;
#ifndef NO_RSA
InitRsaKey(&rsaKey, ssl->heap); InitRsaKey(&rsaKey, ssl->heap);
#endif
ecc_init(&dsaKey); ecc_init(&dsaKey);
/* sig length */ /* sig length */
length += LENGTH_SZ; length += LENGTH_SZ;
if (!ssl->buffers.key.buffer) { if (!ssl->buffers.key.buffer) {
#ifndef NO_RSA
FreeRsaKey(&rsaKey); FreeRsaKey(&rsaKey);
#endif
ecc_free(&dsaKey); ecc_free(&dsaKey);
return NO_PRIVATE_KEY; return NO_PRIVATE_KEY;
} }
#ifndef NO_RSA
if (ssl->specs.sig_algo == rsa_sa_algo) { if (ssl->specs.sig_algo == rsa_sa_algo) {
/* rsa sig size */ /* rsa sig size */
word32 i = 0; word32 i = 0;
@@ -7592,8 +7710,9 @@ int SetCipherList(Suites* s, const char* list)
&rsaKey, ssl->buffers.key.length); &rsaKey, ssl->buffers.key.length);
if (ret != 0) return ret; if (ret != 0) return ret;
sigSz = RsaEncryptSize(&rsaKey); sigSz = RsaEncryptSize(&rsaKey);
} } else
else if (ssl->specs.sig_algo == ecc_dsa_sa_algo) { #endif
if (ssl->specs.sig_algo == ecc_dsa_sa_algo) {
/* ecdsa sig size */ /* ecdsa sig size */
word32 i = 0; word32 i = 0;
ret = EccPrivateKeyDecode(ssl->buffers.key.buffer, &i, ret = EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
@@ -7602,7 +7721,9 @@ int SetCipherList(Suites* s, const char* list)
sigSz = ecc_sig_size(&dsaKey) + 2; /* worst case estimate */ sigSz = ecc_sig_size(&dsaKey) + 2; /* worst case estimate */
} }
else { else {
#ifndef NO_RSA
FreeRsaKey(&rsaKey); FreeRsaKey(&rsaKey);
#endif
ecc_free(&dsaKey); ecc_free(&dsaKey);
return ALGO_ID_E; /* unsupported type */ return ALGO_ID_E; /* unsupported type */
} }
@@ -7622,7 +7743,9 @@ int SetCipherList(Suites* s, const char* list)
#endif #endif
/* check for avalaible size */ /* check for avalaible size */
if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0) { if ((ret = CheckAvalaibleSize(ssl, sendSz)) != 0) {
#ifndef NO_RSA
FreeRsaKey(&rsaKey); FreeRsaKey(&rsaKey);
#endif
ecc_free(&dsaKey); ecc_free(&dsaKey);
return ret; return ret;
} }
@@ -7651,8 +7774,10 @@ int SetCipherList(Suites* s, const char* list)
/* do signature */ /* do signature */
{ {
#ifndef NO_OLD_TLS
Md5 md5; Md5 md5;
Sha sha; Sha sha;
#endif
byte hash[FINISHED_SZ]; byte hash[FINISHED_SZ];
#ifndef NO_SHA256 #ifndef NO_SHA256
Sha256 sha256; Sha256 sha256;
@@ -7663,6 +7788,7 @@ int SetCipherList(Suites* s, const char* list)
byte hash384[SHA384_DIGEST_SIZE]; byte hash384[SHA384_DIGEST_SIZE];
#endif #endif
#ifndef NO_OLD_TLS
/* md5 */ /* md5 */
InitMd5(&md5); InitMd5(&md5);
Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN); Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN);
@@ -7676,6 +7802,7 @@ int SetCipherList(Suites* s, const char* list)
ShaUpdate(&sha, ssl->arrays->serverRandom, RAN_LEN); ShaUpdate(&sha, ssl->arrays->serverRandom, RAN_LEN);
ShaUpdate(&sha, output + preSigIdx, preSigSz); ShaUpdate(&sha, output + preSigIdx, preSigSz);
ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]); ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]);
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
InitSha256(&sha256); InitSha256(&sha256);
@@ -7692,7 +7819,7 @@ int SetCipherList(Suites* s, const char* list)
Sha384Update(&sha384, output + preSigIdx, preSigSz); Sha384Update(&sha384, output + preSigIdx, preSigSz);
Sha384Final(&sha384, hash384); Sha384Final(&sha384, hash384);
#endif #endif
#ifndef NO_RSA
if (ssl->suites->sigAlgo == rsa_sa_algo) { if (ssl->suites->sigAlgo == rsa_sa_algo) {
byte* signBuffer = hash; byte* signBuffer = hash;
word32 signSz = sizeof(hash); word32 signSz = sizeof(hash);
@@ -7733,14 +7860,26 @@ int SetCipherList(Suites* s, const char* list)
ret = 0; /* reset on success */ ret = 0; /* reset on success */
else else
return ret; return ret;
} } else
else if (ssl->suites->sigAlgo == ecc_dsa_sa_algo) { #endif
if (ssl->suites->sigAlgo == ecc_dsa_sa_algo) {
#ifndef NO_OLD_TLS
byte* digest = &hash[MD5_DIGEST_SIZE]; byte* digest = &hash[MD5_DIGEST_SIZE];
word32 digestSz = SHA_DIGEST_SIZE; word32 digestSz = SHA_DIGEST_SIZE;
#else
byte* digest = hash256;
word32 digestSz = SHA256_DIGEST_SIZE;
#endif
word32 sz = sigSz; word32 sz = sigSz;
if (IsAtLeastTLSv1_2(ssl)) { if (IsAtLeastTLSv1_2(ssl)) {
if (ssl->suites->hashAlgo == sha256_mac) { if (ssl->suites->hashAlgo == sha_mac) {
#ifndef NO_SHA
digest = &hash[MD5_DIGEST_SIZE];
digestSz = SHA_DIGEST_SIZE;
#endif
}
else if (ssl->suites->hashAlgo == sha256_mac) {
#ifndef NO_SHA256 #ifndef NO_SHA256
digest = hash256; digest = hash256;
digestSz = SHA256_DIGEST_SIZE; digestSz = SHA256_DIGEST_SIZE;
@@ -7756,7 +7895,9 @@ int SetCipherList(Suites* s, const char* list)
ret = ecc_sign_hash(digest, digestSz, ret = ecc_sign_hash(digest, digestSz,
output + LENGTH_SZ + idx, &sz, ssl->rng, &dsaKey); output + LENGTH_SZ + idx, &sz, ssl->rng, &dsaKey);
#ifndef NO_RSA
FreeRsaKey(&rsaKey); FreeRsaKey(&rsaKey);
#endif
ecc_free(&dsaKey); ecc_free(&dsaKey);
if (ret < 0) return ret; if (ret < 0) return ret;
@@ -7916,8 +8057,10 @@ int SetCipherList(Suites* s, const char* list)
/* do signature */ /* do signature */
{ {
#ifndef NO_OLD_TLS
Md5 md5; Md5 md5;
Sha sha; Sha sha;
#endif
byte hash[FINISHED_SZ]; byte hash[FINISHED_SZ];
#ifndef NO_SHA256 #ifndef NO_SHA256
Sha256 sha256; Sha256 sha256;
@@ -7928,6 +8071,7 @@ int SetCipherList(Suites* s, const char* list)
byte hash384[SHA384_DIGEST_SIZE]; byte hash384[SHA384_DIGEST_SIZE];
#endif #endif
#ifndef NO_OLD_TLS
/* md5 */ /* md5 */
InitMd5(&md5); InitMd5(&md5);
Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN); Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN);
@@ -7941,6 +8085,7 @@ int SetCipherList(Suites* s, const char* list)
ShaUpdate(&sha, ssl->arrays->serverRandom, RAN_LEN); ShaUpdate(&sha, ssl->arrays->serverRandom, RAN_LEN);
ShaUpdate(&sha, output + preSigIdx, preSigSz); ShaUpdate(&sha, output + preSigIdx, preSigSz);
ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]); ShaFinal(&sha, &hash[MD5_DIGEST_SIZE]);
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
InitSha256(&sha256); InitSha256(&sha256);
@@ -7957,7 +8102,7 @@ int SetCipherList(Suites* s, const char* list)
Sha384Update(&sha384, output + preSigIdx, preSigSz); Sha384Update(&sha384, output + preSigIdx, preSigSz);
Sha384Final(&sha384, hash384); Sha384Final(&sha384, hash384);
#endif #endif
#ifndef NO_RSA
if (ssl->suites->sigAlgo == rsa_sa_algo) { if (ssl->suites->sigAlgo == rsa_sa_algo) {
byte* signBuffer = hash; byte* signBuffer = hash;
word32 signSz = sizeof(hash); word32 signSz = sizeof(hash);
@@ -7992,6 +8137,7 @@ int SetCipherList(Suites* s, const char* list)
if (ret <= 0) if (ret <= 0)
return ret; return ret;
} }
#endif
} }
#ifdef CYASSL_DTLS #ifdef CYASSL_DTLS
@@ -8046,6 +8192,7 @@ int SetCipherList(Suites* s, const char* list)
switch (second) { switch (second) {
#ifndef NO_RSA
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA :
if (requirement == REQUIRES_RSA) if (requirement == REQUIRES_RSA)
return 1; return 1;
@@ -8058,6 +8205,7 @@ int SetCipherList(Suites* s, const char* list)
return 1; return 1;
break; break;
#ifndef NO_3DES
case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == REQUIRES_RSA) if (requirement == REQUIRES_RSA)
return 1; return 1;
@@ -8069,7 +8217,9 @@ int SetCipherList(Suites* s, const char* list)
if (requirement == REQUIRES_RSA_SIG) if (requirement == REQUIRES_RSA_SIG)
return 1; return 1;
break; break;
#endif
#ifndef NO_RC4
case TLS_ECDHE_RSA_WITH_RC4_128_SHA : case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
if (requirement == REQUIRES_RSA) if (requirement == REQUIRES_RSA)
return 1; return 1;
@@ -8081,7 +8231,10 @@ int SetCipherList(Suites* s, const char* list)
if (requirement == REQUIRES_RSA_SIG) if (requirement == REQUIRES_RSA_SIG)
return 1; return 1;
break; break;
#endif
#endif /* NO_RSA */
#ifndef NO_3DES
case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC_DSA)
return 1; return 1;
@@ -8091,7 +8244,8 @@ int SetCipherList(Suites* s, const char* list)
if (requirement == REQUIRES_ECC_STATIC) if (requirement == REQUIRES_ECC_STATIC)
return 1; return 1;
break; break;
#endif
#ifndef NO_RC4
case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC_DSA)
return 1; return 1;
@@ -8101,7 +8255,8 @@ int SetCipherList(Suites* s, const char* list)
if (requirement == REQUIRES_ECC_STATIC) if (requirement == REQUIRES_ECC_STATIC)
return 1; return 1;
break; break;
#endif
#ifndef NO_RSA
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA :
if (requirement == REQUIRES_RSA) if (requirement == REQUIRES_RSA)
return 1; return 1;
@@ -8113,6 +8268,7 @@ int SetCipherList(Suites* s, const char* list)
if (requirement == REQUIRES_RSA_SIG) if (requirement == REQUIRES_RSA_SIG)
return 1; return 1;
break; break;
#endif
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA :
if (requirement == REQUIRES_ECC_DSA) if (requirement == REQUIRES_ECC_DSA)
@@ -8154,6 +8310,7 @@ int SetCipherList(Suites* s, const char* list)
return 1; return 1;
break; break;
#ifndef NO_RSA
case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 :
if (requirement == REQUIRES_RSA) if (requirement == REQUIRES_RSA)
return 1; return 1;
@@ -8221,6 +8378,7 @@ int SetCipherList(Suites* s, const char* list)
if (requirement == REQUIRES_ECC_STATIC) if (requirement == REQUIRES_ECC_STATIC)
return 1; return 1;
break; break;
#endif
default: default:
CYASSL_MSG("Unsupported cipher suite, CipherRequires ECC"); CYASSL_MSG("Unsupported cipher suite, CipherRequires ECC");
@@ -8230,6 +8388,7 @@ int SetCipherList(Suites* s, const char* list)
if (first != ECC_BYTE) { /* normal suites */ if (first != ECC_BYTE) { /* normal suites */
switch (second) { switch (second) {
#ifndef NO_RSA
case SSL_RSA_WITH_RC4_128_SHA : case SSL_RSA_WITH_RC4_128_SHA :
if (requirement == REQUIRES_RSA) if (requirement == REQUIRES_RSA)
return 1; return 1;
@@ -8290,6 +8449,7 @@ int SetCipherList(Suites* s, const char* list)
if (requirement == REQUIRES_NTRU) if (requirement == REQUIRES_NTRU)
return 1; return 1;
break; break;
#endif
case TLS_PSK_WITH_AES_128_CBC_SHA256 : case TLS_PSK_WITH_AES_128_CBC_SHA256 :
if (requirement == REQUIRES_PSK) if (requirement == REQUIRES_PSK)
@@ -8316,6 +8476,7 @@ int SetCipherList(Suites* s, const char* list)
return 1; return 1;
break; break;
#ifndef NO_RSA
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
if (requirement == REQUIRES_RSA) if (requirement == REQUIRES_RSA)
return 1; return 1;
@@ -8392,6 +8553,7 @@ int SetCipherList(Suites* s, const char* list)
if (requirement == REQUIRES_DHE) if (requirement == REQUIRES_DHE)
return 1; return 1;
break; break;
#endif
default: default:
CYASSL_MSG("Unsupported cipher suite, CipherRequires"); CYASSL_MSG("Unsupported cipher suite, CipherRequires");
@@ -8582,10 +8744,14 @@ int SetCipherList(Suites* s, const char* list)
#endif #endif
/* manually hash input since different format */ /* manually hash input since different format */
#ifndef NO_OLD_TLS
#ifndef NO_MD5 #ifndef NO_MD5
Md5Update(&ssl->hashMd5, input + idx, sz); Md5Update(&ssl->hashMd5, input + idx, sz);
#endif #endif
#ifndef NO_SHA
ShaUpdate(&ssl->hashSha, input + idx, sz); ShaUpdate(&ssl->hashSha, input + idx, sz);
#endif
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
if (IsAtLeastTLSv1_2(ssl)) if (IsAtLeastTLSv1_2(ssl))
Sha256Update(&ssl->hashSha256, input + idx, sz); Sha256Update(&ssl->hashSha256, input + idx, sz);

104
src/ssl.c

@@ -175,7 +175,6 @@ void CyaSSL_free(CYASSL* ssl)
} }
#ifndef CYASSL_LEANPSK
int CyaSSL_set_fd(CYASSL* ssl, int fd) int CyaSSL_set_fd(CYASSL* ssl, int fd)
{ {
CYASSL_ENTER("SSL_set_fd"); CYASSL_ENTER("SSL_set_fd");
@@ -204,7 +203,6 @@ int CyaSSL_get_fd(const CYASSL* ssl)
CYASSL_LEAVE("SSL_get_fd", ssl->rfd); CYASSL_LEAVE("SSL_get_fd", ssl->rfd);
return ssl->rfd; return ssl->rfd;
} }
#endif
#ifndef CYASSL_LEANPSK #ifndef CYASSL_LEANPSK
@@ -545,6 +543,13 @@ int CyaSSL_get_error(CYASSL* ssl, int ret)
return ssl->error; return ssl->error;
} }
int CyaSSL_get_alert_history(CYASSL* ssl, CYASSL_ALERT_HISTORY *h)
{
if (ssl && h) {
*h = ssl->alert_history;
}
return 0;
}
int CyaSSL_want_read(CYASSL* ssl) int CyaSSL_want_read(CYASSL* ssl)
{ {
@@ -910,6 +915,8 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
SMALL_SESSION_CACHE only stores 6 sessions, good for embedded clients SMALL_SESSION_CACHE only stores 6 sessions, good for embedded clients
or systems where the default of nearly 3kB is too much RAM, this define or systems where the default of nearly 3kB is too much RAM, this define
uses less than 500 bytes RAM uses less than 500 bytes RAM
default SESSION_CACHE stores 33 sessions (no XXX_SESSION_CACHE defined)
*/ */
#ifdef HUGE_SESSION_CACHE #ifdef HUGE_SESSION_CACHE
#define SESSIONS_PER_ROW 11 #define SESSIONS_PER_ROW 11
@@ -1786,7 +1793,13 @@ int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER* cm, const char* file,
CYASSL_MSG("No CertManager error"); CYASSL_MSG("No CertManager error");
return ret; return ret;
} }
tmp = CyaSSL_CTX_new(CyaSSLv3_client_method()); tmp = CyaSSL_CTX_new(
#ifdef NO_OLD_TLS
CyaTLSv1_2_client_method()
#else
CyaSSLv3_client_method()
#endif
);
if (tmp == NULL) { if (tmp == NULL) {
CYASSL_MSG("CTX new failed"); CYASSL_MSG("CTX new failed");
@@ -2654,8 +2667,10 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
#ifdef CYASSL_DTLS #ifdef CYASSL_DTLS
if (ssl->options.dtls) { if (ssl->options.dtls) {
/* re-init hashes, exclude first hello and verify request */ /* re-init hashes, exclude first hello and verify request */
#ifndef NO_OLD_TLS
InitMd5(&ssl->hashMd5); InitMd5(&ssl->hashMd5);
InitSha(&ssl->hashSha); InitSha(&ssl->hashSha);
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
if (IsAtLeastTLSv1_2(ssl)) if (IsAtLeastTLSv1_2(ssl))
InitSha256(&ssl->hashSha256); InitSha256(&ssl->hashSha256);
@@ -2695,31 +2710,38 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
case FIRST_REPLY_DONE : case FIRST_REPLY_DONE :
#ifndef NO_CERTS #ifndef NO_CERTS
if (ssl->options.sendVerify) if (ssl->options.sendVerify) {
if ( (ssl->error = SendCertificate(ssl)) != 0) { if ( (ssl->error = SendCertificate(ssl)) != 0) {
CYASSL_ERROR(ssl->error); CYASSL_ERROR(ssl->error);
return SSL_FATAL_ERROR; return SSL_FATAL_ERROR;
} }
CYASSL_MSG("sent: certificate");
}
#endif #endif
ssl->options.connectState = FIRST_REPLY_FIRST; ssl->options.connectState = FIRST_REPLY_FIRST;
CYASSL_MSG("connect state: FIRST_REPLY_FIRST"); CYASSL_MSG("connect state: FIRST_REPLY_FIRST");
case FIRST_REPLY_FIRST : case FIRST_REPLY_FIRST :
if (!ssl->options.resuming) if (!ssl->options.resuming) {
if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) {
CYASSL_ERROR(ssl->error); CYASSL_ERROR(ssl->error);
return SSL_FATAL_ERROR; return SSL_FATAL_ERROR;
} }
CYASSL_MSG("sent: client key exchange");
}
ssl->options.connectState = FIRST_REPLY_SECOND; ssl->options.connectState = FIRST_REPLY_SECOND;
CYASSL_MSG("connect state: FIRST_REPLY_SECOND"); CYASSL_MSG("connect state: FIRST_REPLY_SECOND");
case FIRST_REPLY_SECOND : case FIRST_REPLY_SECOND :
#ifndef NO_CERTS #ifndef NO_CERTS
if (ssl->options.sendVerify) if (ssl->options.sendVerify) {
if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) {
CYASSL_ERROR(ssl->error); CYASSL_ERROR(ssl->error);
return SSL_FATAL_ERROR; return SSL_FATAL_ERROR;
}
CYASSL_MSG("sent: certificate verify");
} }
#endif #endif
ssl->options.connectState = FIRST_REPLY_THIRD; ssl->options.connectState = FIRST_REPLY_THIRD;
@@ -2730,6 +2752,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
CYASSL_ERROR(ssl->error); CYASSL_ERROR(ssl->error);
return SSL_FATAL_ERROR; return SSL_FATAL_ERROR;
} }
CYASSL_MSG("sent: change cipher spec");
ssl->options.connectState = FIRST_REPLY_FOURTH; ssl->options.connectState = FIRST_REPLY_FOURTH;
CYASSL_MSG("connect state: FIRST_REPLY_FOURTH"); CYASSL_MSG("connect state: FIRST_REPLY_FOURTH");
@@ -2738,7 +2761,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
CYASSL_ERROR(ssl->error); CYASSL_ERROR(ssl->error);
return SSL_FATAL_ERROR; return SSL_FATAL_ERROR;
} }
CYASSL_MSG("sent: finished");
ssl->options.connectState = FINISHED_DONE; ssl->options.connectState = FINISHED_DONE;
CYASSL_MSG("connect state: FINISHED_DONE"); CYASSL_MSG("connect state: FINISHED_DONE");
@@ -2898,8 +2921,10 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
if (ssl->options.dtls) { if (ssl->options.dtls) {
ssl->options.clientState = NULL_STATE; /* get again */ ssl->options.clientState = NULL_STATE; /* get again */
/* re-init hashes, exclude first hello and verify request */ /* re-init hashes, exclude first hello and verify request */
#ifndef NO_OLD_TLS
InitMd5(&ssl->hashMd5); InitMd5(&ssl->hashMd5);
InitSha(&ssl->hashSha); InitSha(&ssl->hashSha);
#endif
#ifndef NO_SHA256 #ifndef NO_SHA256
if (IsAtLeastTLSv1_2(ssl)) if (IsAtLeastTLSv1_2(ssl))
InitSha256(&ssl->hashSha256); InitSha256(&ssl->hashSha256);
@@ -5384,19 +5409,19 @@ int CyaSSL_set_compression(CYASSL* ssl)
(void)ssl; (void)ssl;
/* client by default */ /* client by default */
} }
#endif
int CyaSSL_session_reused(CYASSL* ssl) int CyaSSL_session_reused(CYASSL* ssl)
{ {
return ssl->options.resuming; return ssl->options.resuming;
} }
#ifdef OPENSSL_EXTRA
void CyaSSL_SESSION_free(CYASSL_SESSION* session) void CyaSSL_SESSION_free(CYASSL_SESSION* session)
{ {
(void)session; (void)session;
} }
#endif
const char* CyaSSL_get_version(CYASSL* ssl) const char* CyaSSL_get_version(CYASSL* ssl)
{ {
@@ -5420,6 +5445,13 @@ int CyaSSL_set_compression(CYASSL* ssl)
return "unknown"; return "unknown";
} }
int CyaSSL_get_current_cipher_suite(CYASSL* ssl)
{
CYASSL_ENTER("SSL_get_current_cipher_suite");
if (ssl)
return (ssl->options.cipherSuite0 << 8) | ssl->options.cipherSuite;
return 0;
}
CYASSL_CIPHER* CyaSSL_get_current_cipher(CYASSL* ssl) CYASSL_CIPHER* CyaSSL_get_current_cipher(CYASSL* ssl)
{ {
@@ -5433,7 +5465,10 @@ int CyaSSL_set_compression(CYASSL* ssl)
const char* CyaSSL_CIPHER_get_name(const CYASSL_CIPHER* cipher) const char* CyaSSL_CIPHER_get_name(const CYASSL_CIPHER* cipher)
{ {
(void)cipher;
CYASSL_ENTER("SSL_CIPHER_get_name"); CYASSL_ENTER("SSL_CIPHER_get_name");
#ifndef NO_ERROR_STRINGS
if (cipher) { if (cipher) {
#ifdef HAVE_ECC #ifdef HAVE_ECC
if (cipher->ssl->options.cipherSuite0 == ECC_BYTE) { if (cipher->ssl->options.cipherSuite0 == ECC_BYTE) {
@@ -5519,60 +5554,99 @@ int CyaSSL_set_compression(CYASSL* ssl)
return "NONE"; return "NONE";
} }
} }
#endif #endif /* ECC */
if (cipher->ssl->options.cipherSuite0 != ECC_BYTE) { if (cipher->ssl->options.cipherSuite0 != ECC_BYTE) {
/* normal suites */ /* normal suites */
switch (cipher->ssl->options.cipherSuite) { switch (cipher->ssl->options.cipherSuite) {
#ifndef NO_RSA
#ifndef NO_RC4
#ifndef NO_SHA
case SSL_RSA_WITH_RC4_128_SHA : case SSL_RSA_WITH_RC4_128_SHA :
return "SSL_RSA_WITH_RC4_128_SHA"; return "SSL_RSA_WITH_RC4_128_SHA";
#endif
#ifndef NO_MD5
case SSL_RSA_WITH_RC4_128_MD5 : case SSL_RSA_WITH_RC4_128_MD5 :
return "SSL_RSA_WITH_RC4_128_MD5"; return "SSL_RSA_WITH_RC4_128_MD5";
#endif
#endif
#ifndef NO_SHA
#ifndef NO_DES3
case SSL_RSA_WITH_3DES_EDE_CBC_SHA : case SSL_RSA_WITH_3DES_EDE_CBC_SHA :
return "SSL_RSA_WITH_3DES_EDE_CBC_SHA"; return "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
#endif
case TLS_RSA_WITH_AES_128_CBC_SHA : case TLS_RSA_WITH_AES_128_CBC_SHA :
return "TLS_RSA_WITH_AES_128_CBC_SHA"; return "TLS_RSA_WITH_AES_128_CBC_SHA";
case TLS_RSA_WITH_AES_256_CBC_SHA : case TLS_RSA_WITH_AES_256_CBC_SHA :
return "TLS_RSA_WITH_AES_256_CBC_SHA"; return "TLS_RSA_WITH_AES_256_CBC_SHA";
#endif
case TLS_RSA_WITH_AES_128_CBC_SHA256 : case TLS_RSA_WITH_AES_128_CBC_SHA256 :
return "TLS_RSA_WITH_AES_128_CBC_SHA256"; return "TLS_RSA_WITH_AES_128_CBC_SHA256";
case TLS_RSA_WITH_AES_256_CBC_SHA256 : case TLS_RSA_WITH_AES_256_CBC_SHA256 :
return "TLS_RSA_WITH_AES_256_CBC_SHA256"; return "TLS_RSA_WITH_AES_256_CBC_SHA256";
#ifndef NO_SHA
case TLS_RSA_WITH_NULL_SHA : case TLS_RSA_WITH_NULL_SHA :
return "TLS_RSA_WITH_NULL_SHA"; return "TLS_RSA_WITH_NULL_SHA";
#endif
case TLS_RSA_WITH_NULL_SHA256 : case TLS_RSA_WITH_NULL_SHA256 :
return "TLS_RSA_WITH_NULL_SHA256"; return "TLS_RSA_WITH_NULL_SHA256";
#endif /* NO_RSA */
#ifndef NO_PSK
case TLS_PSK_WITH_AES_128_CBC_SHA256 : case TLS_PSK_WITH_AES_128_CBC_SHA256 :
return "TLS_PSK_WITH_AES_128_CBC_SHA256"; return "TLS_PSK_WITH_AES_128_CBC_SHA256";
#ifndef NO_SHA
case TLS_PSK_WITH_AES_128_CBC_SHA : case TLS_PSK_WITH_AES_128_CBC_SHA :
return "TLS_PSK_WITH_AES_128_CBC_SHA"; return "TLS_PSK_WITH_AES_128_CBC_SHA";
case TLS_PSK_WITH_AES_256_CBC_SHA : case TLS_PSK_WITH_AES_256_CBC_SHA :
return "TLS_PSK_WITH_AES_256_CBC_SHA"; return "TLS_PSK_WITH_AES_256_CBC_SHA";
#endif
case TLS_PSK_WITH_NULL_SHA256 : case TLS_PSK_WITH_NULL_SHA256 :
return "TLS_PSK_WITH_NULL_SHA256"; return "TLS_PSK_WITH_NULL_SHA256";
#ifndef NO_SHA
case TLS_PSK_WITH_NULL_SHA : case TLS_PSK_WITH_NULL_SHA :
return "TLS_PSK_WITH_NULL_SHA"; return "TLS_PSK_WITH_NULL_SHA";
#endif
#endif /* NO_PSK */
#ifndef NO_RSA
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 :
return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
#ifndef NO_SHA
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : case TLS_DHE_RSA_WITH_AES_128_CBC_SHA :
return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : case TLS_DHE_RSA_WITH_AES_256_CBC_SHA :
return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
#endif
#ifndef NO_HC128
#ifndef NO_MD5
case TLS_RSA_WITH_HC_128_CBC_MD5 : case TLS_RSA_WITH_HC_128_CBC_MD5 :
return "TLS_RSA_WITH_HC_128_CBC_MD5"; return "TLS_RSA_WITH_HC_128_CBC_MD5";
#endif
#ifndef NO_SHA
case TLS_RSA_WITH_HC_128_CBC_SHA : case TLS_RSA_WITH_HC_128_CBC_SHA :
return "TLS_RSA_WITH_HC_128_CBC_SHA"; return "TLS_RSA_WITH_HC_128_CBC_SHA";
#endif
#endif /* NO_HC128 */
#ifndef NO_SHA
#ifndef NO_RABBIT
case TLS_RSA_WITH_RABBIT_CBC_SHA : case TLS_RSA_WITH_RABBIT_CBC_SHA :
return "TLS_RSA_WITH_RABBIT_CBC_SHA"; return "TLS_RSA_WITH_RABBIT_CBC_SHA";
#endif
#ifdef HAVE_NTRU
#ifndef NO_RC4
case TLS_NTRU_RSA_WITH_RC4_128_SHA : case TLS_NTRU_RSA_WITH_RC4_128_SHA :
return "TLS_NTRU_RSA_WITH_RC4_128_SHA"; return "TLS_NTRU_RSA_WITH_RC4_128_SHA";
#endif
#ifndef NO_DES3
case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA :
return "TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA"; return "TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA";
#endif
case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA :
return "TLS_NTRU_RSA_WITH_AES_128_CBC_SHA"; return "TLS_NTRU_RSA_WITH_AES_128_CBC_SHA";
case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA :
return "TLS_NTRU_RSA_WITH_AES_256_CBC_SHA"; return "TLS_NTRU_RSA_WITH_AES_256_CBC_SHA";
#endif /* HAVE_NTRU */
#endif /* NO_SHA */
case TLS_RSA_WITH_AES_128_GCM_SHA256 : case TLS_RSA_WITH_AES_128_GCM_SHA256 :
return "TLS_RSA_WITH_AES_128_GCM_SHA256"; return "TLS_RSA_WITH_AES_128_GCM_SHA256";
case TLS_RSA_WITH_AES_256_GCM_SHA384 : case TLS_RSA_WITH_AES_256_GCM_SHA384 :
@@ -5581,28 +5655,33 @@ int CyaSSL_set_compression(CYASSL* ssl)
return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 :
return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
#ifndef NO_SHA
case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA : case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA :
return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"; return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA";
case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA : case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA :
return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"; return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA";
#endif
case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 : case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"; return "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256";
case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 : case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"; return "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256";
#ifndef NO_SHA
case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA :
return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"; return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA";
case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA :
return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"; return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA";
#endif
case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 : case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"; return "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256";
case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 : case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"; return "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256";
#endif /* NO_RSA */
default: default:
return "NONE"; return "NONE";
} /* switch */ } /* switch */
} /* normal / ECC */ } /* normal / ECC */
} }
#endif /* NO_ERROR_STRINGS */
return "NONE"; return "NONE";
} }
@@ -5613,6 +5692,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
return CyaSSL_CIPHER_get_name(CyaSSL_get_current_cipher(ssl)); return CyaSSL_CIPHER_get_name(CyaSSL_get_current_cipher(ssl));
} }
#ifdef OPENSSL_EXTRA
/* XXX shuld be NO_DH */ /* XXX shuld be NO_DH */
#ifndef NO_CERTS #ifndef NO_CERTS
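Review bot: The new CyaSSL_get_alert_history returns 0 on every path, so a caller that passes a NULL `ssl` or a NULL `h` gets the same result as a successful copy and may go on to read a `CYASSL_ALERT_HISTORY` that was never written. Rejecting bad arguments up front makes the failure visible: `if (ssl == NULL || h == NULL) return BAD_FUNC_ARG;` followed by an unconditional `*h = ssl->alert_history;` (use whichever error code this API prefers). The function also has no comment stating its contract; something like `/* copy the alert history kept on ssl into *h, returns 0 on success */` would tell callers what the return value means.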


@@ -53,7 +53,7 @@
static void p_hash(byte* result, word32 resLen, const byte* secret, static void p_hash(byte* result, word32 resLen, const byte* secret,
word32 secLen, const byte* seed, word32 seedLen, int hash) word32 secLen, const byte* seed, word32 seedLen, int hash)
{ {
word32 len = SHA_DIGEST_SIZE; word32 len = PHASH_MAX_DIGEST_SIZE;
word32 times; word32 times;
word32 lastLen; word32 lastLen;
word32 lastTime; word32 lastTime;
@@ -89,6 +89,7 @@ static void p_hash(byte* result, word32 resLen, const byte* secret,
} }
break; break;
#endif #endif
#ifndef NO_SHA
case sha_mac: case sha_mac:
default: default:
{ {
@@ -96,6 +97,7 @@ static void p_hash(byte* result, word32 resLen, const byte* secret,
hash = SHA; hash = SHA;
} }
break; break;
#endif
} }
times = resLen / len; times = resLen / len;
@@ -125,7 +127,7 @@ static void p_hash(byte* result, word32 resLen, const byte* secret,
#ifndef NO_MD5 #ifndef NO_OLD_TLS
/* calculate XOR for TLSv1 PRF */ /* calculate XOR for TLSv1 PRF */
static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha) static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha)
@@ -194,7 +196,7 @@ static void PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen,
p_hash(digest, digLen, secret, secLen, labelSeed, labLen + seedLen, p_hash(digest, digLen, secret, secLen, labelSeed, labLen + seedLen,
hash_type); hash_type);
} }
#ifndef NO_MD5 #ifndef NO_OLD_TLS
else else
doPRF(digest, digLen, secret, secLen, label, labLen, seed, seedLen); doPRF(digest, digLen, secret, secLen, label, labLen, seed, seedLen);
#endif #endif
@@ -214,7 +216,7 @@ void BuildTlsFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
byte handshake_hash[HSHASH_SZ]; byte handshake_hash[HSHASH_SZ];
word32 hashSz = FINISHED_SZ; word32 hashSz = FINISHED_SZ;
#ifndef NO_MD5 #ifndef NO_OLD_TLS
Md5Final(&ssl->hashMd5, handshake_hash); Md5Final(&ssl->hashMd5, handshake_hash);
ShaFinal(&ssl->hashSha, &handshake_hash[MD5_DIGEST_SIZE]); ShaFinal(&ssl->hashSha, &handshake_hash[MD5_DIGEST_SIZE]);
#endif #endif
@@ -430,12 +432,14 @@ void TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz,
} }
break; break;
#endif #endif
#ifndef NO_SHA
case sha_mac: case sha_mac:
default: default:
{ {
type = SHA; type = SHA;
} }
break; break;
#endif
} }
HmacSetKey(&hmac, type, GetMacSecret(ssl, verify), ssl->specs.hash_size); HmacSetKey(&hmac, type, GetMacSecret(ssl, verify), ssl->specs.hash_size);
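Review bot: Wrapping `case sha_mac:` together with `default:` in `#ifndef NO_SHA` leaves both switches (in p_hash and in TLS_hmac) without a default arm in a NO_SHA build, so an unexpected MAC id falls through with nothing assigned. In p_hash, `len` then stays at `PHASH_MAX_DIGEST_SIZE` and `hash` keeps the caller's value. In TLS_hmac, `type` reaches `HmacSetKey` holding whatever it had before the switch, which may be uninitialised; its declaration is outside the hunk. Keep the `default:` label outside the guard so it is always compiled, and have it either select a hash that is built in or report through `CYASSL_MSG` and stop. Both functions return void and their bodies extend beyond the hunks shown, so the exact failure path has to be decided there.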


@@ -248,6 +248,8 @@ int SuiteTest(void)
args.argv = myArgv; args.argv = myArgv;
strcpy(argv0[0], "SuiteTest"); strcpy(argv0[0], "SuiteTest");
(void)test_harness;
#if !defined(NO_RSA) #if !defined(NO_RSA)
/* default case */ /* default case */
args.argc = 1; args.argc = 1;