From 1e041abf044094f9195960db04b310c366700bbe Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Thu, 20 Mar 2014 10:07:47 -0700
Subject: [PATCH 1/3] decode Extended Key Usage extension

---
 ctaocrypt/src/asn.c    | 45 +++++++++++++++++++++++++++++++++++++++++-
 cyassl/ctaocrypt/asn.h | 14 +++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index 5b7e903ae..5977fafd3 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -1282,6 +1282,8 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
     cert->extAuthKeyIdSet = 0;
     cert->extKeyUsageSet  = 0;
     cert->extKeyUsage     = 0;
+    cert->extExtKeyUsageSet = 0;
+    cert->extExtKeyUsage    = 0;
     cert->isCA            = 0;
 #ifdef HAVE_PKCS7
     cert->issuerRaw       = NULL;
@@ -3247,6 +3249,42 @@ static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
 }
 
 
+static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
+{
+    word32 idx = 0, oid;
+    int length;
+
+    CYASSL_ENTER("DecodeExtKeyUsage");
+
+    if (GetSequence(input, &idx, &length, sz) < 0) {
+        CYASSL_MSG("\tfail: should be a SEQUENCE\n");
+        return ASN_PARSE_E;
+    }
+
+    while (idx < (word32)sz) {
+        if (GetObjectId(input, &idx, &oid, sz) < 0)
+            return ASN_PARSE_E;
+
+        switch (oid) {
+            case EKU_ANY_OID:
+                cert->extExtKeyUsage = EXTKEYUSE_ANY;
+                break;
+            case EKU_SERVER_AUTH_OID:
+                cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH;
+                break;
+            case EKU_CLIENT_AUTH_OID:
+                cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH;
+                break;
+            case EKU_OCSP_SIGN_OID:
+                cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN;
+                break;
+        }
+    }
+
+    return 0;
+}
+
+
 #ifdef CYASSL_SEP
     static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
     {
@@ -3425,7 +3463,12 @@ static int DecodeCertExtensions(DecodedCert* cert)
                 break;
 
             case EXT_KEY_USAGE_OID:
-                CYASSL_MSG("Extended Key Usage extension not supported yet.");
+                cert->extExtKeyUsageSet = 1;
+                #ifdef OPENSSL_EXTRA
+                    cert->extExtKeyUsageCrit = critical;
+                #endif
+                if (DecodeExtKeyUsage(&input[idx], length, cert) < 0)
+                    return ASN_PARSE_E;
                 break;
 
             case INHIBIT_ANY_OID:
diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h
index 9e8f43dda..264d4dd91 100644
--- a/cyassl/ctaocrypt/asn.h
+++ b/cyassl/ctaocrypt/asn.h
@@ -234,6 +234,13 @@ enum AuthInfo_Sum {
     AIA_CA_ISSUER_OID = 117  /* 1.3.6.1.5.5.7.48.2 */
 };
 
+enum ExtKeyUsage_Sum { /* From RFC 5280 */
+    EKU_ANY_OID         = 151, /* 2.5.29.37.0, anyExtendedKeyUsage         */
+    EKU_SERVER_AUTH_OID = 71,  /* 1.3.6.1.5.5.7.3.1, id-kp-serverAuth      */
+    EKU_CLIENT_AUTH_OID = 72,  /* 1.3.6.1.5.5.7.3.2, id-kp-clientAuth      */
+    EKU_OCSP_SIGN_OID   = 79,  /* 1.3.6.1.5.5.7.3.9, OCSPSigning           */
+};
+
 
 enum VerifyType {
     NO_VERIFY = 0,
@@ -252,6 +259,10 @@ enum VerifyType {
 #define KEYUSE_ENCIPHER_ONLY  0x0002
 #define KEYUSE_DECIPHER_ONLY  0x0001
 
+#define EXTKEYUSE_OCSP_SIGN   0x04
+#define EXTKEYUSE_CLIENT_AUTH 0x02
+#define EXTKEYUSE_SERVER_AUTH 0x01
+#define EXTKEYUSE_ANY         0xFF
 
 typedef struct DNS_entry   DNS_entry;
 
@@ -336,6 +347,8 @@ struct DecodedCert {
     byte    isCA;                    /* CA basic constraint true         */
     byte    extKeyUsageSet;
     word16  extKeyUsage;             /* Key usage bitfield               */
+    byte    extExtKeyUsageSet;       /* Extended Key Usage               */
+    byte    extExtKeyUsage;          /* Extended Key usage bitfield      */
 #ifdef OPENSSL_EXTRA
     byte    extBasicConstSet;
     byte    extBasicConstCrit;
@@ -346,6 +359,7 @@ struct DecodedCert {
     byte    extAuthKeyIdCrit;
     byte    extSubjKeyIdCrit;
     byte    extKeyUsageCrit;
+    byte    extExtKeyUsageCrit;
     byte*   extAuthKeyIdSrc;
     word32  extAuthKeyIdSz;
     byte*   extSubjKeyIdSrc;

From a0d4c349008c4a7ae5cbf43111cc4e4c3aae1bcc Mon Sep 17 00:00:00 2001
From: toddouska <todd@wolfssl.com>
Date: Thu, 20 Mar 2014 15:34:20 -0700
Subject: [PATCH 2/3] allow snifftest to handle jumbo frames + potential
 partial 16k record from previous data packet on the stack

---
 sslSniffer/sslSnifferTest/snifftest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c
index 2570a65bc..5e990c7a5 100755
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@@ -273,7 +273,7 @@ int main(int argc, char** argv)
         packetNumber++;
         if (packet) {
 
-            byte data[65535];
+            byte data[65535+16384];  /* may have a partial 16k record cached */
 
             if (header.caplen > 40)  { /* min ip(20) + min tcp(20) */
 				packet        += frame;

From e19e2a801d89db421d6a2cec8d4e3fa6d25c016c Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Fri, 21 Mar 2014 09:37:10 -0700
Subject: [PATCH 3/3] Ext Key Usage 1. Store reference to raw EKU OIDs in the
 DecodedCert. 2. Fixed usage of the anyEKU.

---
 ctaocrypt/src/asn.c    | 15 ++++++++++++++-
 cyassl/ctaocrypt/asn.h |  5 ++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index 5977fafd3..410fef876 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -1321,6 +1321,10 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
     cert->extAuthKeyIdCrit = 0;
     cert->extSubjKeyIdCrit = 0;
     cert->extKeyUsageCrit = 0;
+    cert->extExtKeyUsageCrit = 0;
+    cert->extExtKeyUsageSrc = NULL;
+    cert->extExtKeyUsageSz = 0;
+    cert->extExtKeyUsageCount = 0;
     cert->extAuthKeyIdSrc = NULL;
     cert->extAuthKeyIdSz = 0;
     cert->extSubjKeyIdSrc = NULL;
@@ -3261,13 +3265,18 @@ static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
         return ASN_PARSE_E;
     }
 
+    #ifdef OPENSSL_EXTRA
+        cert->extExtKeyUsageSrc = input + idx;
+        cert->extExtKeyUsageSz = length;
+    #endif
+
     while (idx < (word32)sz) {
         if (GetObjectId(input, &idx, &oid, sz) < 0)
             return ASN_PARSE_E;
 
         switch (oid) {
             case EKU_ANY_OID:
-                cert->extExtKeyUsage = EXTKEYUSE_ANY;
+                cert->extExtKeyUsage |= EXTKEYUSE_ANY;
                 break;
             case EKU_SERVER_AUTH_OID:
                 cert->extExtKeyUsage |= EXTKEYUSE_SERVER_AUTH;
@@ -3279,6 +3288,10 @@ static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
                 cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN;
                 break;
         }
+
+        #ifdef OPENSSL_EXTRA
+            cert->extExtKeyUsageCount++;
+        #endif
     }
 
     return 0;
diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h
index 264d4dd91..fe961afdb 100644
--- a/cyassl/ctaocrypt/asn.h
+++ b/cyassl/ctaocrypt/asn.h
@@ -259,10 +259,10 @@ enum VerifyType {
 #define KEYUSE_ENCIPHER_ONLY  0x0002
 #define KEYUSE_DECIPHER_ONLY  0x0001
 
+#define EXTKEYUSE_ANY         0x08
 #define EXTKEYUSE_OCSP_SIGN   0x04
 #define EXTKEYUSE_CLIENT_AUTH 0x02
 #define EXTKEYUSE_SERVER_AUTH 0x01
-#define EXTKEYUSE_ANY         0xFF
 
 typedef struct DNS_entry   DNS_entry;
 
@@ -360,6 +360,9 @@ struct DecodedCert {
     byte    extSubjKeyIdCrit;
     byte    extKeyUsageCrit;
     byte    extExtKeyUsageCrit;
+    byte*   extExtKeyUsageSrc;
+    word32  extExtKeyUsageSz;
+    word32  extExtKeyUsageCount;
     byte*   extAuthKeyIdSrc;
     word32  extAuthKeyIdSz;
     byte*   extSubjKeyIdSrc;