diff --git a/README b/README index 6ad169e03..20fe9e40f 100644 --- a/README +++ b/README @@ -34,7 +34,26 @@ before calling SSL_new(); Though it's not recommended. *** end Note *** -CyaSSL Release 2.0.8 (2/24/2012) +CyaSSL Release 2.2.0 (5/18/2012) + +Release 2.2.0 CyaSSL has bug fixes and a few new features including: +- Initial CRL support (--enable-crl) +- Initial OCSP support (--enable-ocsp) +- Add static ECDH suites +- SHA-384 support +- ECC client certificate support +- Add medium session cache size (1055 sessions) +- Updated unit tests +- Protection against mutex reinitialization + + +The CyaSSL manual is available at: +http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions +and comments about the new features please check the manual. + + + +***************CyaSSL Release 2.0.8 (2/24/2012) Release 2.0.8 CyaSSL has bug fixes and a few new features including: - A fix for malicious certificates pointed out by Remi Gacogne (thanks) diff --git a/configure.ac b/configure.ac index 63a47696e..6bb2c4da6 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.1.7],[http://www.yassl.com]) +AC_INIT([cyassl],[2.2.0],[http://www.yassl.com]) AC_CONFIG_AUX_DIR(config) @@ -25,7 +25,7 @@ AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS. #shared library versioning -CYASSL_LIBRARY_VERSION=3:0:0 +CYASSL_LIBRARY_VERSION=3:1:0 # | | | # +------+ | +---+ # | | | diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index c981dea73..e55c8f1e3 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -4821,8 +4821,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz) if (GetBasicDate(buff, &idx, dcrl->nextDate, sz) < 0) return ASN_PARSE_E; - - if (idx != dcrl->sigIndex) { + if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) { if (GetSequence(buff, &idx, &len, sz) < 0) return ASN_PARSE_E; diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index bed8088ff..065de670e 100644 
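Review bot: In the ParseCRL hunk the new condition reads `buff[idx]` with nothing establishing `idx < sz` first; GetBasicDate on the line above presumably bounds only the date it consumes, so a truncated CRL that ends right after nextUpdate leaves `idx == sz` and the comparison reads one byte past the caller's buffer. This is externally supplied DER, so the index should be checked before it is dereferenced, e.g. `if (idx >= sz) return ASN_PARSE_E;` immediately before the `if`, using whatever cast the file's other idx/sz comparisons use (a CRL whose TBS ends at `sigIndex` is unaffected, since `sigIndex` is below `sz` by construction). A one-line comment that `CRL_EXTENSIONS` is the context-specific [0] tag of crlExtensions, i.e. the case where revokedCertificates is absent but extensions follow, would also explain why the tag test belongs here. ParseCRL continues outside the hunk, so whatever handles the extensions-only case after this block is not visible here.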
--- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -1685,6 +1685,9 @@ int openssl_test() testVector a, b, c, d, e, f; byte hash[SHA_DIGEST_SIZE*4]; /* max size */ + (void)e; + (void)f; + a.input = "1234567890123456789012345678901234567890123456789012345678" "9012345678901234567890"; a.output = "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55\xac\x49\xda\x2e\x21\x07\xb6" @@ -1758,7 +1761,7 @@ int openssl_test() #endif /* CYASSL_SHA384 */ -#ifdef CYASSL_SHA384 +#ifdef CYASSL_SHA512 f.input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi" "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"; @@ -1779,7 +1782,7 @@ int openssl_test() if (memcmp(hash, f.output, SHA512_DIGEST_SIZE) != 0) return -80; -#endif /* CYASSL_SHA384 */ +#endif /* CYASSL_SHA512 */ if (RAND_bytes(hash, sizeof(hash)) != 1) diff --git a/cyassl/crl.h b/cyassl/crl.h index 918927cc2..5e2fa62b2 100644 --- a/cyassl/crl.h +++ b/cyassl/crl.h @@ -35,7 +35,7 @@ typedef struct CYASSL_CRL CYASSL_CRL; CYASSL_LOCAL int InitCRL(CYASSL_CRL*, CYASSL_CERT_MANAGER*); CYASSL_LOCAL void FreeCRL(CYASSL_CRL*); -CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type); +CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int mon); CYASSL_LOCAL int BufferLoadCRL(CYASSL_CRL*, const byte*, long, int); CYASSL_LOCAL int CheckCertCRL(CYASSL_CRL*, DecodedCert*); diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 5ed0bf55e..68a60d831 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -62,6 +62,7 @@ enum ASN_Tags { ASN_SET = 0x11, ASN_UTC_TIME = 0x17, ASN_GENERALIZED_TIME = 0x18, + CRL_EXTENSIONS = 0xa0, ASN_EXTENSIONS = 0xa3, ASN_LONG_LENGTH = 0x80 }; diff --git a/cyassl/openssl/ssl.h b/cyassl/openssl/ssl.h index 22dac6700..2440b0d58 100644 --- a/cyassl/openssl/ssl.h +++ b/cyassl/openssl/ssl.h 
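Review bot: The new fourth parameter of LoadCRL is declared as `mon` in cyassl/crl.h but defined as `monitor` in src/crl.c in the same commit, and neither site says what a non-zero value does. Use one name and state the contract at the declaration, e.g. `/* monitor: non-zero asks that path be watched for new CRL files; currently only logged, see LoadCRL */` above `CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor);`. The same undocumented trailing `int` is added to the public CyaSSL_*LoadCRL prototypes in cyassl/ssl.h and should carry the same note there.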
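Review bot: `CRL_EXTENSIONS = 0xa0` is the only member of `enum ASN_Tags` without the `ASN_` prefix, and its value is the generic context-specific constructed [0] tag rather than anything CRL-specific, so a reader cannot tell from the enum why it is 0xa0 or where it applies. A comment on the line fixes that: `CRL_EXTENSIONS = 0xa0,  /* context-specific [0]: crlExtensions in TBSCertList */`. Renaming it `ASN_CRL_EXTENSIONS` would match the surrounding constants, but the name is already used by the asn.c hunk of this commit, so both sites would have to change together.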
@@ -34,6 +34,13 @@ extern "C" { #endif +#ifdef _WIN32 + /* wincrypt.h clashes */ + #undef X509_NAME + #undef OCSP_REQUEST + #undef OCSP_RESPONSE +#endif + typedef CYASSL SSL; typedef CYASSL_SESSION SSL_SESSION; diff --git a/cyassl/ssl.h b/cyassl/ssl.h index c30a9ac52..88f4838ea 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -43,12 +43,6 @@ #define CYASSL_VERSION LIBCYASSL_VERSION_STRING #endif -#ifdef _WIN32 - /* wincrypt.h clashes */ - #undef X509_NAME - #undef OCSP_REQUEST - #undef OCSP_RESPONSE -#endif #ifdef __cplusplus @@ -789,19 +783,22 @@ CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f, const char* d); CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, int format); +CYASSL_API int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER*, unsigned char*, + int sz); CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options); CYASSL_API int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER*); -CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*,int); +CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*, int, + int); CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*, CbMissingCRL); CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options); CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl); -CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int); +CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int, int); CYASSL_API int CyaSSL_SetCRL_Cb(CYASSL*, CbMissingCRL); CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options); CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx); -CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int); +CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int); CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL); diff --git a/examples/client/client.c b/examples/client/client.c index d09ec8cd3..7e5abcdb9 100644 --- a/examples/client/client.c +++ b/examples/client/client.c 
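Review bot: `CyaSSL_CertManagerCheckCRL` takes the DER buffer as `unsigned char*` although the implementation in src/ssl.c only hands it to InitDecodedCert and never writes through it; if InitDecodedCert accepts a const pointer (its prototype is not in this diff), declaring the parameter `const unsigned char*` lets callers pass certificate data held in read-only storage without a cast. The prototype also lacks any description of its return contract, which the implementation makes non-obvious: SSL_SUCCESS both when the certificate is not revoked and when CRL checking is disabled on the manager, and a parse or CRL error code otherwise. A two-line comment above the declaration stating that, e.g. `/* CRL-check a DER cert against this manager; SSL_SUCCESS if not revoked or CRL checking is off, else a parse/CRL error */`, saves callers a trip into ssl.c.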
@@ -209,7 +209,7 @@ void client_test(void* args) CyaSSL_set_fd(ssl, sockfd); #ifdef HAVE_CRL CyaSSL_EnableCRL(ssl, 0); - CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM); + CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0); CyaSSL_SetCRL_Cb(ssl, CRL_CallBack); #endif if (argc != 3) diff --git a/src/crl.c b/src/crl.c index b3211d274..561d573bf 100644 --- a/src/crl.c +++ b/src/crl.c @@ -250,7 +250,7 @@ int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type) /* Load CRL path files of type, SSL_SUCCESS on ok */ -int LoadCRL(CYASSL_CRL* crl, const char* path, int type) +int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) { struct dirent* entry; DIR* dir; @@ -293,6 +293,10 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type) } } + if (monitor) { + CYASSL_MSG("monitor path requested"); + } + return SSL_SUCCESS; } diff --git a/src/ssl.c b/src/ssl.c index b478e2d7a..143c413da 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1332,6 +1332,10 @@ int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname, if (ret == 0) ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm); +#ifdef HAVE_CRL + if (ret == 0 && cm->crlEnabled) + ret = CheckCertCRL(cm->crl, &cert); +#endif } FreeDecodedCert(&cert); @@ -1379,18 +1383,19 @@ int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER* cm, const char* file, } + /* turn on CRL if off and compiled in, set options */ int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER* cm, int options) { + int ret = SSL_SUCCESS; + (void)options; CYASSL_ENTER("CyaSSL_CertManagerEnableCRL"); if (cm == NULL) return BAD_FUNC_ARG; - #ifndef HAVE_CRL - return NOT_COMPILED_IN; - #else + #ifdef HAVE_CRL if (cm->crl == NULL) { cm->crl = (CYASSL_CRL*)XMALLOC(sizeof(CYASSL_CRL), cm->heap, DYNAMIC_TYPE_CRL); 
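Review bot: In the src/crl.c hunk, `monitor` is accepted, exported through four public entry points by this commit, and then only logged — a caller passing a non-zero value gets SSL_SUCCESS and will reasonably assume the directory is being watched for newly published CRLs, so revocation data goes stale silently. Until monitoring exists, either document the limitation on the public prototypes (`/* monitor: reserved, not yet implemented */`) or report it, ideally at function entry in the @@ -250 hunk before the directory scan rather than after files have already been loaded: `if (monitor) { CYASSL_MSG("monitor path requested but not implemented"); return NOT_COMPILED_IN; }`. The body of LoadCRL between the two hunks is outside the view, so I cannot tell whether a partial load already reached this point.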
@@ -1407,9 +1412,11 @@ int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER* cm, int options) cm->crlEnabled = 1; if (options & CYASSL_CRL_CHECKALL) cm->crlCheckAll = 1; + #else + ret = NOT_COMPILED_IN; #endif - return SSL_SUCCESS; + return ret; } @@ -1428,6 +1435,43 @@ int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER* cm) #ifdef HAVE_CRL +/* check CRL if enabled, SSL_SUCCESS */ +int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER* cm, byte* der, int sz) +{ + int ret; + DecodedCert cert; + + CYASSL_ENTER("CyaSSL_CertManagerCheckCRL"); + + if (cm == NULL) + return BAD_FUNC_ARG; + + if (cm->crlEnabled == 0) + return SSL_SUCCESS; + + InitDecodedCert(&cert, der, sz, NULL); + + ret = ParseCertRelative(&cert, CERT_TYPE, NO_VERIFY, cm); + if (ret != 0) { + CYASSL_MSG("ParseCert failed"); + return ret; + } + else { + ret = CheckCertCRL(cm->crl, &cert); + if (ret != 0) { + CYASSL_MSG("CheckCertCRL failed"); + } + } + + FreeDecodedCert(&cert); + + if (ret == 0) + return SSL_SUCCESS; /* convert */ + + return ret; +} + + int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb) { CYASSL_ENTER("CyaSSL_CertManagerLoadCRL"); @@ -1441,7 +1485,7 @@ int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb) int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER* cm, const char* path, - int type) + int type, int monitor) { CYASSL_ENTER("CyaSSL_CertManagerLoadCRL"); if (cm == NULL) @@ -1454,7 +1498,7 @@ int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER* cm, const char* path, } } - return LoadCRL(cm->crl, path, type); + return LoadCRL(cm->crl, path, type, monitor); } 
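Review bot: In `CyaSSL_CertManagerCheckCRL` the parse-failure branch returns before `FreeDecodedCert(&cert)` runs, while `CyaSSL_CertManagerVerify` in the earlier hunk of this file calls `FreeDecodedCert` unconditionally after `ParseCertRelative` — if the parser allocates anything before it fails (the unconditional free elsewhere suggests it can), every malformed certificate presented to this function leaks. Deleting the `return ret;` inside `if (ret != 0) { ... }` is enough: the `else` then skips `CheckCertCRL`, the cert is freed, and the trailing `if (ret == 0) return SSL_SUCCESS; return ret;` still propagates the parse error. The function also trusts `der` and `sz` straight from the caller; a guard next to the existing `cm == NULL` check, `if (der == NULL || sz <= 0) return BAD_FUNC_ARG;`, keeps a null buffer or negative length from reaching the DER parser.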
@@ -1478,11 +1522,11 @@ int CyaSSL_DisableCRL(CYASSL* ssl) } -int CyaSSL_LoadCRL(CYASSL* ssl, const char* path, int type) +int CyaSSL_LoadCRL(CYASSL* ssl, const char* path, int type, int monitor) { CYASSL_ENTER("CyaSSL_LoadCRL"); if (ssl) - return CyaSSL_CertManagerLoadCRL(ssl->ctx->cm, path, type); + return CyaSSL_CertManagerLoadCRL(ssl->ctx->cm, path, type, monitor); else return BAD_FUNC_ARG; } @@ -1518,11 +1562,11 @@ int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx) } -int CyaSSL_CTX_LoadCRL(CYASSL_CTX* ctx, const char* path, int type) +int CyaSSL_CTX_LoadCRL(CYASSL_CTX* ctx, const char* path, int type, int monitor) { CYASSL_ENTER("CyaSSL_CTX_LoadCRL"); if (ctx) - return CyaSSL_CertManagerLoadCRL(ctx->cm, path, type); + return CyaSSL_CertManagerLoadCRL(ctx->cm, path, type, monitor); else return BAD_FUNC_ARG; } @@ -5947,7 +5991,7 @@ static int initGlobalRNG = 0; { CYASSL_MSG("CyaSSL_BN_clear_free"); - return CyaSSL_BN_free(bn); + CyaSSL_BN_free(bn); } @@ -6822,6 +6866,8 @@ static int initGlobalRNG = 0; CYASSL_MSG("CyaSSL_RSA_generate_key_ex"); + (void)rsa; + (void)bits; (void)cb; (void)bn; @@ -6835,10 +6881,6 @@ static int initGlobalRNG = 0; CYASSL_MSG("MakeRsaKey failed"); return -1; } -#else - CYASSL_MSG("No Key Gen built in"); - return -1; -#endif if (SetRsaExternal(rsa) < 0) { CYASSL_MSG("SetRsaExternal failed"); @@ -6848,6 +6890,11 @@ static int initGlobalRNG = 0; rsa->inSet = 1; return 1; /* success */ +#else + CYASSL_MSG("No Key Gen built in"); + return -1; +#endif + } @@ -7176,7 +7223,6 @@ static int initGlobalRNG = 0; default: CYASSL_MSG("Bad digest id value"); - return NULL; } return NULL; @@ -7367,7 +7413,6 @@ static int initGlobalRNG = 0; default: { CYASSL_MSG("bad type"); - return 0; } } return 0;
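Review bot: With the `return` dropped, `CyaSSL_BN_clear_free` is now a plain call to `CyaSSL_BN_free`; in the OpenSSL API the `_clear_free` variant promises the value is wiped before release, which matters when the BIGNUM held a private exponent or a DH/ECDH secret. If `CyaSSL_BN_free` does not already zero the underlying integer (its body is not in this diff), this compat entry point should clear the value before freeing, or the header should state that no wiping happens so callers do not rely on it. The function's signature and the `CyaSSL_BN_free` implementation sit outside the hunk.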