diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 5b7e903ae..410fef876 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -1282,6 +1282,8 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->extAuthKeyIdSet = 0; cert->extKeyUsageSet = 0; cert->extKeyUsage = 0; + cert->extExtKeyUsageSet = 0; + cert->extExtKeyUsage = 0; cert->isCA = 0; #ifdef HAVE_PKCS7 cert->issuerRaw = NULL; @@ -1319,6 +1321,10 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->extAuthKeyIdCrit = 0; cert->extSubjKeyIdCrit = 0; cert->extKeyUsageCrit = 0; + cert->extExtKeyUsageCrit = 0; + cert->extExtKeyUsageSrc = NULL; + cert->extExtKeyUsageSz = 0; + cert->extExtKeyUsageCount = 0; cert->extAuthKeyIdSrc = NULL; cert->extAuthKeyIdSz = 0; cert->extSubjKeyIdSrc = NULL; @@ -3247,6 +3253,51 @@ static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert) } +static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert) +{ + word32 idx = 0, oid; + int length; + + CYASSL_ENTER("DecodeExtKeyUsage"); + + if (GetSequence(input, &idx, &length, sz) < 0) { + CYASSL_MSG("\tfail: should be a SEQUENCE\n"); + return ASN_PARSE_E; + } + + #ifdef OPENSSL_EXTRA + cert->extExtKeyUsageSrc = input + idx; + cert->extExtKeyUsageSz = length; + #endif + + while (idx < (word32)sz) { + if (GetObjectId(input, &idx, &oid, sz) < 0) + return ASN_PARSE_E; + + switch (oid) { + case EKU_ANY_OID: + cert->extExtKeyUsage |= EXTKEYUSE_ANY; + break; + case EKU_SERVER_AUTH_OID: + cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH; + break; + case EKU_CLIENT_AUTH_OID: + cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH; + break; + case EKU_OCSP_SIGN_OID: + cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN; + break; + } + + #ifdef OPENSSL_EXTRA + cert->extExtKeyUsageCount++; + #endif + } + + return 0; +} + + #ifdef CYASSL_SEP static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert) { @@ -3425,7 +3476,12 @@ static int DecodeCertExtensions(DecodedCert* cert) break; case EXT_KEY_USAGE_OID: - CYASSL_MSG("Extended Key Usage extension not supported yet."); + cert->extExtKeyUsageSet = 1; + #ifdef OPENSSL_EXTRA + cert->extExtKeyUsageCrit = critical; + #endif + if (DecodeExtKeyUsage(&input[idx], length, cert) < 0) + return ASN_PARSE_E; break; case INHIBIT_ANY_OID: diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 9e8f43dda..fe961afdb 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -234,6 +234,13 @@ enum AuthInfo_Sum { AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */ }; +enum ExtKeyUsage_Sum { /* From RFC 5280 */ + EKU_ANY_OID = 151, /* 2.5.29.37.0, anyExtendedKeyUsage */ + EKU_SERVER_AUTH_OID = 71, /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth */ + EKU_CLIENT_AUTH_OID = 72, /* 1.3.6.1.5.5.7.3.2, id-kp-clientAuth */ + EKU_OCSP_SIGN_OID = 79, /* 1.3.6.1.5.5.7.3.9, OCSPSigning */ +}; + enum VerifyType { NO_VERIFY = 0, @@ -252,6 +259,10 @@ enum VerifyType { #define KEYUSE_ENCIPHER_ONLY 0x0002 #define KEYUSE_DECIPHER_ONLY 0x0001 +#define EXTKEYUSE_ANY 0x08 +#define EXTKEYUSE_OCSP_SIGN 0x04 +#define EXTKEYUSE_CLIENT_AUTH 0x02 +#define EXTKEYUSE_SERVER_AUTH 0x01 typedef struct DNS_entry DNS_entry; @@ -336,6 +347,8 @@ struct DecodedCert { byte isCA; /* CA basic constraint true */ byte extKeyUsageSet; word16 extKeyUsage; /* Key usage bitfield */ + byte extExtKeyUsageSet; /* Extended Key Usage */ + byte extExtKeyUsage; /* Extended Key usage bitfield */ #ifdef OPENSSL_EXTRA byte extBasicConstSet; byte extBasicConstCrit; @@ -346,6 +359,10 @@ struct DecodedCert { byte extAuthKeyIdCrit; byte extSubjKeyIdCrit; byte extKeyUsageCrit; + byte extExtKeyUsageCrit; + byte* extExtKeyUsageSrc; + word32 extExtKeyUsageSz; + word32 extExtKeyUsageCount; byte* extAuthKeyIdSrc; word32 extAuthKeyIdSz; byte* extSubjKeyIdSrc; diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index 2570a65bc..5e990c7a5 100755 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -273,7 +273,7 @@ int main(int argc, char** argv) packetNumber++; if (packet) { - byte data[65535]; + byte data[65535+16384]; /* may have a partial 16k record cached */ if (header.caplen > 40) { /* min ip(20) + min tcp(20) */ packet += frame;