From 85e8f1988a8aad3eaaa5c8f081afcbd2f9c0f174 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 1 Nov 2012 12:36:47 -0700 Subject: [PATCH 1/3] leanpsk build removes cert code, moved ctaocrypt error strings to own file --- configure.ac | 2 +- ctaocrypt/src/asn.c | 251 ---------------------------- ctaocrypt/src/error.c | 276 +++++++++++++++++++++++++++++++ cyassl/internal.h | 35 ++-- cyassl/ssl.h | 93 ++++++----- cyassl/test.h | 6 +- examples/echoclient/echoclient.c | 2 +- examples/echoserver/echoserver.c | 4 +- examples/server/server.c | 2 +- src/include.am | 43 ++--- src/internal.c | 44 ++++- src/ssl.c | 80 ++++++--- tests/include.am | 12 +- 13 files changed, 479 insertions(+), 371 deletions(-) create mode 100644 ctaocrypt/src/error.c diff --git a/configure.ac b/configure.ac index 3fc1d959e..4a718845f 100644 --- a/configure.ac +++ b/configure.ac @@ -216,7 +216,7 @@ AC_ARG_ENABLE(leanpsk, if test "$ENABLED_LEANPSK" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DCYASSL_LEANPSK -DHAVE_NULL_CIPHER -DNO_AES -DNO_FILESYSTEM -DNO_RSA -DNO_DSA -DNO_DH" + AM_CFLAGS="$AM_CFLAGS -DCYASSL_LEANPSK -DHAVE_NULL_CIPHER -DNO_AES -DNO_FILESYSTEM -DNO_RSA -DNO_DSA -DNO_DH -DNO_CERTS" fi AM_CONDITIONAL([BUILD_LEANPSK], [test "x$ENABLED_LEANPSK" = "xyes"]) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 07e83c459..5c03ad80d 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -2625,257 +2625,6 @@ void FreeSigners(Signer* signer, void* heap) } -void CTaoCryptErrorString(int error, char* buffer) -{ - const int max = MAX_ERROR_SZ; /* shorthand */ - -#ifdef NO_ERROR_STRINGS - - XSTRNCPY(buffer, "no support for error strings built in", max); - -#else - - switch (error) { - - case OPEN_RAN_E : - XSTRNCPY(buffer, "opening random device error", max); - break; - - case READ_RAN_E : - XSTRNCPY(buffer, "reading random device error", max); - break; - - case WINCRYPT_E : - XSTRNCPY(buffer, "windows crypt init error", max); - break; - - case CRYPTGEN_E : - XSTRNCPY(buffer, "windows crypt generation error", max); - break; - - case RAN_BLOCK_E : - XSTRNCPY(buffer, "random device read would block error", max); - break; - - case MP_INIT_E : - XSTRNCPY(buffer, "mp_init error state", max); - break; - - case MP_READ_E : - XSTRNCPY(buffer, "mp_read error state", max); - break; - - case MP_EXPTMOD_E : - XSTRNCPY(buffer, "mp_exptmod error state", max); - break; - - case MP_TO_E : - XSTRNCPY(buffer, "mp_to_xxx error state, can't convert", max); - break; - - case MP_SUB_E : - XSTRNCPY(buffer, "mp_sub error state, can't subtract", max); - break; - - case MP_ADD_E : - XSTRNCPY(buffer, "mp_add error state, can't add", max); - break; - - case MP_MUL_E : - XSTRNCPY(buffer, "mp_mul error state, can't multiply", max); - break; - - case MP_MULMOD_E : - XSTRNCPY(buffer, "mp_mulmod error state, can't multiply mod", max); - break; - - case MP_MOD_E : - XSTRNCPY(buffer, "mp_mod error state, can't mod", max); - break; - - case MP_INVMOD_E : - XSTRNCPY(buffer, "mp_invmod error state, can't inv mod", max); - break; - - case MP_CMP_E : - XSTRNCPY(buffer, "mp_cmp error state", max); - break; - - case MP_ZERO_E : - XSTRNCPY(buffer, "mp zero result, not expected", max); - break; - - case MEMORY_E : - XSTRNCPY(buffer, "out of memory error", max); - break; - - case RSA_WRONG_TYPE_E : - XSTRNCPY(buffer, "RSA wrong block type for RSA function", max); - break; - - case RSA_BUFFER_E : - XSTRNCPY(buffer, "RSA buffer error, output too small or input too big", - max); - break; - - case BUFFER_E : - XSTRNCPY(buffer, "Buffer error, output too small or input too big",max); - break; - - case ALGO_ID_E : - XSTRNCPY(buffer, "Setting Cert AlogID error", max); - break; - - case PUBLIC_KEY_E : - XSTRNCPY(buffer, "Setting Cert Public Key error", max); - break; - - case DATE_E : - XSTRNCPY(buffer, "Setting Cert Date validity error", max); - break; - - case SUBJECT_E : - XSTRNCPY(buffer, "Setting Cert Subject name error", max); - break; - - case ISSUER_E : - XSTRNCPY(buffer, "Setting Cert Issuer name error", max); - break; - - case CA_TRUE_E : - XSTRNCPY(buffer, "Setting basic constraint CA true error", max); - break; - - case EXTENSIONS_E : - XSTRNCPY(buffer, "Setting extensions error", max); - break; - - case ASN_PARSE_E : - XSTRNCPY(buffer, "ASN parsing error, invalid input", max); - break; - - case ASN_VERSION_E : - XSTRNCPY(buffer, "ASN version error, invalid number", max); - break; - - case ASN_GETINT_E : - XSTRNCPY(buffer, "ASN get big int error, invalid data", max); - break; - - case ASN_RSA_KEY_E : - XSTRNCPY(buffer, "ASN key init error, invalid input", max); - break; - - case ASN_OBJECT_ID_E : - XSTRNCPY(buffer, "ASN object id error, invalid id", max); - break; - - case ASN_TAG_NULL_E : - XSTRNCPY(buffer, "ASN tag error, not null", max); - break; - - case ASN_EXPECT_0_E : - XSTRNCPY(buffer, "ASN expect error, not zero", max); - break; - - case ASN_BITSTR_E : - XSTRNCPY(buffer, "ASN bit string error, wrong id", max); - break; - - case ASN_UNKNOWN_OID_E : - XSTRNCPY(buffer, "ASN oid error, unknown sum id", max); - break; - - case ASN_DATE_SZ_E : - XSTRNCPY(buffer, "ASN date error, bad size", max); - break; - - case ASN_BEFORE_DATE_E : - XSTRNCPY(buffer, "ASN date error, current date before", max); - break; - - case ASN_AFTER_DATE_E : - XSTRNCPY(buffer, "ASN date error, current date after", max); - break; - - case ASN_SIG_OID_E : - XSTRNCPY(buffer, "ASN signature error, mismatched oid", max); - break; - - case ASN_TIME_E : - XSTRNCPY(buffer, "ASN time error, unkown time type", max); - break; - - case ASN_INPUT_E : - XSTRNCPY(buffer, "ASN input error, not enough data", max); - break; - - case ASN_SIG_CONFIRM_E : - XSTRNCPY(buffer, "ASN sig error, confirm failure", max); - break; - - case ASN_SIG_HASH_E : - XSTRNCPY(buffer, "ASN sig error, unsupported hash type", max); - break; - - case ASN_SIG_KEY_E : - XSTRNCPY(buffer, "ASN sig error, unsupported key type", max); - break; - - case ASN_DH_KEY_E : - XSTRNCPY(buffer, "ASN key init error, invalid input", max); - break; - - case ASN_NTRU_KEY_E : - XSTRNCPY(buffer, "ASN NTRU key decode error, invalid input", max); - break; - - case ECC_BAD_ARG_E : - XSTRNCPY(buffer, "ECC input argument wrong type, invalid input", max); - break; - - case ASN_ECC_KEY_E : - XSTRNCPY(buffer, "ECC ASN1 bad key data, invalid input", max); - break; - - case ECC_CURVE_OID_E : - XSTRNCPY(buffer, "ECC curve sum OID unsupported, invalid input", max); - break; - - case BAD_FUNC_ARG : - XSTRNCPY(buffer, "Bad function argument", max); - break; - - case NOT_COMPILED_IN : - XSTRNCPY(buffer, "Feature not compiled in", max); - break; - - case UNICODE_SIZE_E : - XSTRNCPY(buffer, "Unicode password too big", max); - break; - - case NO_PASSWORD : - XSTRNCPY(buffer, "No password provided by user", max); - break; - - case ALT_NAME_E : - XSTRNCPY(buffer, "Alt Name problem, too big", max); - break; - - case AES_GCM_AUTH_E: - XSTRNCPY(buffer, "AES-GCM Authentication check fail", max); - break; - - default: - XSTRNCPY(buffer, "unknown error number", max); - - } - -#endif /* NO_ERROR_STRINGS */ - -} - - #if defined(CYASSL_KEY_GEN) || defined(CYASSL_CERT_GEN) static int SetMyVersion(word32 version, byte* output, int header) diff --git a/ctaocrypt/src/error.c b/ctaocrypt/src/error.c new file mode 100644 index 000000000..314e22312 --- /dev/null +++ b/ctaocrypt/src/error.c @@ -0,0 +1,276 @@ +/* error.c + * + * Copyright (C) 2006-2012 Sawtooth Consulting Ltd. + * + * This file is part of CyaSSL. + * + * CyaSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * CyaSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +#ifdef HAVE_CONFIG_H + #include +#endif + +#include + +void CTaoCryptErrorString(int error, char* buffer) +{ + const int max = MAX_ERROR_SZ; /* shorthand */ + +#ifdef NO_ERROR_STRINGS + + XSTRNCPY(buffer, "no support for error strings built in", max); + +#else + + switch (error) { + + case OPEN_RAN_E : + XSTRNCPY(buffer, "opening random device error", max); + break; + + case READ_RAN_E : + XSTRNCPY(buffer, "reading random device error", max); + break; + + case WINCRYPT_E : + XSTRNCPY(buffer, "windows crypt init error", max); + break; + + case CRYPTGEN_E : + XSTRNCPY(buffer, "windows crypt generation error", max); + break; + + case RAN_BLOCK_E : + XSTRNCPY(buffer, "random device read would block error", max); + break; + + case MP_INIT_E : + XSTRNCPY(buffer, "mp_init error state", max); + break; + + case MP_READ_E : + XSTRNCPY(buffer, "mp_read error state", max); + break; + + case MP_EXPTMOD_E : + XSTRNCPY(buffer, "mp_exptmod error state", max); + break; + + case MP_TO_E : + XSTRNCPY(buffer, "mp_to_xxx error state, can't convert", max); + break; + + case MP_SUB_E : + XSTRNCPY(buffer, "mp_sub error state, can't subtract", max); + break; + + case MP_ADD_E : + XSTRNCPY(buffer, "mp_add error state, can't add", max); + break; + + case MP_MUL_E : + XSTRNCPY(buffer, "mp_mul error state, can't multiply", max); + break; + + case MP_MULMOD_E : + XSTRNCPY(buffer, "mp_mulmod error state, can't multiply mod", max); + break; + + case MP_MOD_E : + XSTRNCPY(buffer, "mp_mod error state, can't mod", max); + break; + + case MP_INVMOD_E : + XSTRNCPY(buffer, "mp_invmod error state, can't inv mod", max); + break; + + case MP_CMP_E : + XSTRNCPY(buffer, "mp_cmp error state", max); + break; + + case MP_ZERO_E : + XSTRNCPY(buffer, "mp zero result, not expected", max); + break; + + case MEMORY_E : + XSTRNCPY(buffer, "out of memory error", max); + break; + + case RSA_WRONG_TYPE_E : + XSTRNCPY(buffer, "RSA wrong block type for RSA function", max); + break; + + case RSA_BUFFER_E : + XSTRNCPY(buffer, "RSA buffer error, output too small or input too big", + max); + break; + + case BUFFER_E : + XSTRNCPY(buffer, "Buffer error, output too small or input too big",max); + break; + + case ALGO_ID_E : + XSTRNCPY(buffer, "Setting Cert AlogID error", max); + break; + + case PUBLIC_KEY_E : + XSTRNCPY(buffer, "Setting Cert Public Key error", max); + break; + + case DATE_E : + XSTRNCPY(buffer, "Setting Cert Date validity error", max); + break; + + case SUBJECT_E : + XSTRNCPY(buffer, "Setting Cert Subject name error", max); + break; + + case ISSUER_E : + XSTRNCPY(buffer, "Setting Cert Issuer name error", max); + break; + + case CA_TRUE_E : + XSTRNCPY(buffer, "Setting basic constraint CA true error", max); + break; + + case EXTENSIONS_E : + XSTRNCPY(buffer, "Setting extensions error", max); + break; + + case ASN_PARSE_E : + XSTRNCPY(buffer, "ASN parsing error, invalid input", max); + break; + + case ASN_VERSION_E : + XSTRNCPY(buffer, "ASN version error, invalid number", max); + break; + + case ASN_GETINT_E : + XSTRNCPY(buffer, "ASN get big int error, invalid data", max); + break; + + case ASN_RSA_KEY_E : + XSTRNCPY(buffer, "ASN key init error, invalid input", max); + break; + + case ASN_OBJECT_ID_E : + XSTRNCPY(buffer, "ASN object id error, invalid id", max); + break; + + case ASN_TAG_NULL_E : + XSTRNCPY(buffer, "ASN tag error, not null", max); + break; + + case ASN_EXPECT_0_E : + XSTRNCPY(buffer, "ASN expect error, not zero", max); + break; + + case ASN_BITSTR_E : + XSTRNCPY(buffer, "ASN bit string error, wrong id", max); + break; + + case ASN_UNKNOWN_OID_E : + XSTRNCPY(buffer, "ASN oid error, unknown sum id", max); + break; + + case ASN_DATE_SZ_E : + XSTRNCPY(buffer, "ASN date error, bad size", max); + break; + + case ASN_BEFORE_DATE_E : + XSTRNCPY(buffer, "ASN date error, current date before", max); + break; + + case ASN_AFTER_DATE_E : + XSTRNCPY(buffer, "ASN date error, current date after", max); + break; + + case ASN_SIG_OID_E : + XSTRNCPY(buffer, "ASN signature error, mismatched oid", max); + break; + + case ASN_TIME_E : + XSTRNCPY(buffer, "ASN time error, unkown time type", max); + break; + + case ASN_INPUT_E : + XSTRNCPY(buffer, "ASN input error, not enough data", max); + break; + + case ASN_SIG_CONFIRM_E : + XSTRNCPY(buffer, "ASN sig error, confirm failure", max); + break; + + case ASN_SIG_HASH_E : + XSTRNCPY(buffer, "ASN sig error, unsupported hash type", max); + break; + + case ASN_SIG_KEY_E : + XSTRNCPY(buffer, "ASN sig error, unsupported key type", max); + break; + + case ASN_DH_KEY_E : + XSTRNCPY(buffer, "ASN key init error, invalid input", max); + break; + + case ASN_NTRU_KEY_E : + XSTRNCPY(buffer, "ASN NTRU key decode error, invalid input", max); + break; + + case ECC_BAD_ARG_E : + XSTRNCPY(buffer, "ECC input argument wrong type, invalid input", max); + break; + + case ASN_ECC_KEY_E : + XSTRNCPY(buffer, "ECC ASN1 bad key data, invalid input", max); + break; + + case ECC_CURVE_OID_E : + XSTRNCPY(buffer, "ECC curve sum OID unsupported, invalid input", max); + break; + + case BAD_FUNC_ARG : + XSTRNCPY(buffer, "Bad function argument", max); + break; + + case NOT_COMPILED_IN : + XSTRNCPY(buffer, "Feature not compiled in", max); + break; + + case UNICODE_SIZE_E : + XSTRNCPY(buffer, "Unicode password too big", max); + break; + + case NO_PASSWORD : + XSTRNCPY(buffer, "No password provided by user", max); + break; + + case ALT_NAME_E : + XSTRNCPY(buffer, "Alt Name problem, too big", max); + break; + + case AES_GCM_AUTH_E: + XSTRNCPY(buffer, "AES-GCM Authentication check fail", max); + break; + + default: + XSTRNCPY(buffer, "unknown error number", max); + + } + +#endif /* NO_ERROR_STRINGS */ + +} diff --git a/cyassl/internal.h b/cyassl/internal.h index 3eff23e3d..21f0230c7 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -825,6 +825,7 @@ struct CYASSL_CTX { CYASSL_METHOD* method; CyaSSL_Mutex countMutex; /* reference count mutex */ int refCount; /* reference count */ +#ifndef NO_CERTS buffer certificate; buffer certChain; /* chain after self, in DER, with leading size for each cert */ @@ -832,6 +833,7 @@ struct CYASSL_CTX { buffer serverDH_P; buffer serverDH_G; CYASSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ +#endif Suites suites; void* heap; /* for user memory overrides */ byte verifyPeer; @@ -883,10 +885,12 @@ int DeriveTlsKeys(CYASSL* ssl); CYASSL_LOCAL int ProcessOldClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 inSz, word16 sz); -CYASSL_LOCAL -int AddCA(CYASSL_CERT_MANAGER* ctx, buffer der, int type, int verify); -CYASSL_LOCAL -int AlreadySigner(CYASSL_CERT_MANAGER* cm, byte* hash); +#ifndef NO_CERTS + CYASSL_LOCAL + int AddCA(CYASSL_CERT_MANAGER* ctx, buffer der, int type, int verify); + CYASSL_LOCAL + int AlreadySigner(CYASSL_CERT_MANAGER* cm, byte* hash); +#endif /* All cipher suite related info */ typedef struct CipherSpecs { @@ -1125,15 +1129,17 @@ enum AcceptState { typedef struct Buffers { +#ifndef NO_CERTS buffer certificate; /* CYASSL_CTX owns, unless we own */ buffer key; /* CYASSL_CTX owns, unless we own */ buffer certChain; /* CYASSL_CTX owns */ /* chain after self, in DER, with leading size for each cert */ - buffer domainName; /* for client check */ buffer serverDH_P; /* CYASSL_CTX owns, unless we own */ buffer serverDH_G; /* CYASSL_CTX owns, unless we own */ buffer serverDH_Pub; buffer serverDH_Priv; +#endif + buffer domainName; /* for client check */ bufferStatic inputBuffer; bufferStatic outputBuffer; buffer clearOutputBuffer; @@ -1372,13 +1378,16 @@ typedef struct EncryptedInfo { CYASSL_CTX* ctx; /* CTX owner */ } EncryptedInfo; -CYASSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type, - buffer* der, void* heap, EncryptedInfo* info, - int* eccKey); -CYASSL_LOCAL int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, - int type, CYASSL* ssl, int userChain, - CYASSL_CRL* crl); +#ifndef NO_CERTS + CYASSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type, + buffer* der, void* heap, EncryptedInfo* info, + int* eccKey); + + CYASSL_LOCAL int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, + int type, CYASSL* ssl, int userChain, + CYASSL_CRL* crl); +#endif #ifdef CYASSL_CALLBACKS @@ -1516,7 +1525,9 @@ CYASSL_LOCAL int IsAtLeastTLSv1_2(const CYASSL* ssl); CYASSL_LOCAL void FreeHandshakeResources(CYASSL* ssl); CYASSL_LOCAL void ShrinkInputBuffer(CYASSL* ssl, int forcedFree); CYASSL_LOCAL void ShrinkOutputBuffer(CYASSL* ssl); -CYASSL_LOCAL Signer* GetCA(void* cm, byte* hash); +#ifndef NO_CERTS + CYASSL_LOCAL Signer* GetCA(void* cm, byte* hash); +#endif CYASSL_LOCAL void BuildTlsFinished(CYASSL* ssl, Hashes* hashes, const byte* sender); CYASSL_LOCAL void FreeArrays(CYASSL* ssl, int keep); diff --git a/cyassl/ssl.h b/cyassl/ssl.h index e29bcc79f..e2f79af1f 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -147,7 +147,7 @@ CYASSL_API CYASSL_METHOD *CyaTLSv1_2_client_method(void); CYASSL_API CYASSL_METHOD *CyaDTLSv1_server_method(void); #endif -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) CYASSL_API int CyaSSL_CTX_use_certificate_file(CYASSL_CTX*, const char*, int); CYASSL_API int CyaSSL_CTX_use_PrivateKey_file(CYASSL_CTX*, const char*, int); @@ -174,7 +174,7 @@ CYASSL_API int CyaSSL_use_RSAPrivateKey_file(CYASSL*, const char*, int); CYASSL_API int CyaSSL_PemCertToDer(const char*, unsigned char*, int); -#endif /* NO_FILESYSTEM */ +#endif /* !NO_FILESYSTEM && !NO_CERTS */ CYASSL_API CYASSL_CTX* CyaSSL_CTX_new(CYASSL_METHOD*); CYASSL_API CYASSL* CyaSSL_new(CYASSL_CTX*); @@ -614,8 +614,9 @@ CYASSL_API int CyaSSL_RAND_status(void); CYASSL_API int CyaSSL_RAND_bytes(unsigned char* buf, int num); CYASSL_API CYASSL_METHOD *CyaSSLv23_server_method(void); CYASSL_API long CyaSSL_CTX_set_options(CYASSL_CTX*, long); -CYASSL_API int CyaSSL_CTX_check_private_key(CYASSL_CTX*); - +#ifndef NO_CERTS + CYASSL_API int CyaSSL_CTX_check_private_key(CYASSL_CTX*); +#endif /* !NO_CERTS */ CYASSL_API void CyaSSL_ERR_free_strings(void); CYASSL_API void CyaSSL_ERR_remove_state(unsigned long); @@ -710,6 +711,8 @@ CYASSL_API char* CyaSSL_X509_get_next_altname(CYASSL_X509*); /* connect enough to get peer cert */ CYASSL_API int CyaSSL_connect_cert(CYASSL* ssl); +/* XXX This should be #ifndef NO_DH */ +#ifndef NO_CERTS /* server Diffie-Hellman parameters */ CYASSL_API int CyaSSL_SetTmpDH(CYASSL*, const unsigned char* p, int pSz, const unsigned char* g, int gSz); @@ -730,6 +733,7 @@ CYASSL_API int CyaSSL_CTX_SetTmpEC_DHE_Sz(CYASSL_CTX*, unsigned short); CYASSL_API int CyaSSL_CTX_SetTmpDH_file(CYASSL_CTX*, const char* f, int format); #endif +#endif /* keyblock size in bytes or -1 */ /* need to call CyaSSL_KeepArrays before handshake to save keys */ @@ -753,24 +757,27 @@ CYASSL_API int CyaSSL_get_keys(CYASSL*,unsigned char** ms, unsigned int* msLen, #endif -/* SSL_CTX versions */ -CYASSL_API int CyaSSL_CTX_load_verify_buffer(CYASSL_CTX*, const unsigned char*, - long, int); -CYASSL_API int CyaSSL_CTX_use_certificate_buffer(CYASSL_CTX*, +#ifndef NO_CERTS + /* SSL_CTX versions */ + CYASSL_API int CyaSSL_CTX_load_verify_buffer(CYASSL_CTX*, const unsigned char*, long, int); -CYASSL_API int CyaSSL_CTX_use_PrivateKey_buffer(CYASSL_CTX*, + CYASSL_API int CyaSSL_CTX_use_certificate_buffer(CYASSL_CTX*, const unsigned char*, long, int); -CYASSL_API int CyaSSL_CTX_use_certificate_chain_buffer(CYASSL_CTX*, + CYASSL_API int CyaSSL_CTX_use_PrivateKey_buffer(CYASSL_CTX*, + const unsigned char*, long, int); + CYASSL_API int CyaSSL_CTX_use_certificate_chain_buffer(CYASSL_CTX*, const unsigned char*, long); -CYASSL_API int CyaSSL_CTX_set_group_messages(CYASSL_CTX*); -/* SSL versions */ -CYASSL_API int CyaSSL_use_certificate_buffer(CYASSL*, const unsigned char*, - long, int); -CYASSL_API int CyaSSL_use_PrivateKey_buffer(CYASSL*, const unsigned char*, long, - int); -CYASSL_API int CyaSSL_use_certificate_chain_buffer(CYASSL*, - const unsigned char*, long); + /* SSL versions */ + CYASSL_API int CyaSSL_use_certificate_buffer(CYASSL*, const unsigned char*, + long, int); + CYASSL_API int CyaSSL_use_PrivateKey_buffer(CYASSL*, const unsigned char*, + long, int); + CYASSL_API int CyaSSL_use_certificate_chain_buffer(CYASSL*, + const unsigned char*, long); +#endif + +CYASSL_API int CyaSSL_CTX_set_group_messages(CYASSL_CTX*); CYASSL_API int CyaSSL_set_group_messages(CYASSL*); /* I/O callbacks */ @@ -804,35 +811,39 @@ CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*, typedef void (*CallbackCACache)(unsigned char* der, int sz, int type); typedef void (*CbMissingCRL)(const char* url); -CYASSL_API void CyaSSL_CTX_SetCACb(CYASSL_CTX*, CallbackCACache); +#ifndef NO_CERTS + CYASSL_API void CyaSSL_CTX_SetCACb(CYASSL_CTX*, CallbackCACache); -CYASSL_API CYASSL_CERT_MANAGER* CyaSSL_CertManagerNew(void); -CYASSL_API void CyaSSL_CertManagerFree(CYASSL_CERT_MANAGER*); + CYASSL_API CYASSL_CERT_MANAGER* CyaSSL_CertManagerNew(void); + CYASSL_API void CyaSSL_CertManagerFree(CYASSL_CERT_MANAGER*); -CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f, - const char* d); -CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, - int format); -CYASSL_API int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, + CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f, + const char* d); + CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, + int format); + CYASSL_API int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, const unsigned char* buff, int sz, int format); -CYASSL_API int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER*, unsigned char*, - int sz); -CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options); -CYASSL_API int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER*); -CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*, int, - int); -CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*, CbMissingCRL); + CYASSL_API int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER*, + unsigned char*, int sz); + CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, + int options); + CYASSL_API int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER*); + CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*, + int, int); + CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*, + CbMissingCRL); -CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options); -CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl); -CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int, int); -CYASSL_API int CyaSSL_SetCRL_Cb(CYASSL*, CbMissingCRL); + CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options); + CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl); + CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int, int); + CYASSL_API int CyaSSL_SetCRL_Cb(CYASSL*, CbMissingCRL); -CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options); -CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx); -CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int); -CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL); + CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options); + CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx); + CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int); + CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL); +#endif /* !NO_CERTS */ /* end of handshake frees temporary arrays, if user needs for get_keys or psk hints, call KeepArrays before handshake and then FreeArrays when done diff --git a/cyassl/test.h b/cyassl/test.h index 8d9d341b8..9235abc9d 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -643,7 +643,7 @@ static INLINE unsigned int my_psk_server_cb(CYASSL* ssl, const char* identity, #endif /* USE_WINDOWS_API */ -#ifdef NO_FILESYSTEM +#if defined(NO_FILESYSTEM) && !defined(NO_CERTS) enum { CYASSL_CA = 1, @@ -731,6 +731,8 @@ static void INLINE CRL_CallBack(const char* url) #endif +#ifndef NO_CERTS + static INLINE void CaCb(unsigned char* der, int sz, int type) { (void)der; @@ -792,6 +794,8 @@ static INLINE void SetDHCtx(CYASSL_CTX* ctx) CyaSSL_CTX_SetTmpDH(ctx, p, sizeof(p), g, sizeof(g)); } +#endif /* !NO_CERTS */ + #ifdef USE_WINDOWS_API /* do back x number of directories */ diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index fac5a7140..d61cebb59 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -91,7 +91,7 @@ void echoclient_test(void* args) if (SSL_CTX_load_verify_locations(ctx, eccCert, 0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from CyaSSL home dir"); #endif -#else +#elif !defined(NO_CERTS) if (!doLeanPSK) load_buffer(ctx, caCert, CYASSL_CA); #endif diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 959116e88..4cd5ba266 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -140,7 +140,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) err_sys("can't load server key file, " "Please run from CyaSSL home dir"); #endif -#else +#elif !defined(NO_CERTS) if (!doLeanPSK) { load_buffer(ctx, svrCert, CYASSL_CERT); load_buffer(ctx, svrKey, CYASSL_KEY); @@ -184,7 +184,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) CyaSSL_set_fd(ssl, clientfd); #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM); - #else + #elif !defined(NO_CERTS) SetDH(ssl); /* will repick suites with DHE, higher than PSK */ #endif if (CyaSSL_accept(ssl) != SSL_SUCCESS) { diff --git a/examples/server/server.c b/examples/server/server.c index 6746db61f..56b2d4711 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -330,7 +330,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) if (usePsk == 0) { #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM); - #else + #elif !defined(NO_CERTS) SetDH(ssl); /* repick suites with DHE, higher priority than PSK */ #endif } diff --git a/src/include.am b/src/include.am index f19507270..b1f4c547e 100644 --- a/src/include.am +++ b/src/include.am @@ -4,24 +4,24 @@ lib_LTLIBRARIES+= src/libcyassl.la src_libcyassl_la_SOURCES = \ - src/internal.c \ - src/io.c \ - src/keys.c \ - src/ssl.c \ - src/tls.c \ - ctaocrypt/src/asn.c \ - ctaocrypt/src/coding.c \ - ctaocrypt/src/des3.c \ - ctaocrypt/src/hmac.c \ - ctaocrypt/src/md5.c \ - ctaocrypt/src/md4.c \ - ctaocrypt/src/random.c \ - ctaocrypt/src/sha.c \ - ctaocrypt/src/sha256.c \ - ctaocrypt/src/arc4.c \ - ctaocrypt/src/pwdbased.c \ - ctaocrypt/src/logging.c \ - ctaocrypt/src/memory.c + src/internal.c \ + src/io.c \ + src/keys.c \ + src/ssl.c \ + src/tls.c \ + ctaocrypt/src/coding.c \ + ctaocrypt/src/des3.c \ + ctaocrypt/src/hmac.c \ + ctaocrypt/src/md5.c \ + ctaocrypt/src/md4.c \ + ctaocrypt/src/random.c \ + ctaocrypt/src/sha.c \ + ctaocrypt/src/sha256.c \ + ctaocrypt/src/arc4.c \ + ctaocrypt/src/pwdbased.c \ + ctaocrypt/src/logging.c \ + ctaocrypt/src/error.c \ + ctaocrypt/src/memory.c src_libcyassl_la_LDFLAGS = ${AM_LDFLAGS} -no-undefined -version-info ${CYASSL_LIBRARY_VERSION} src_libcyassl_la_LIBADD = $(LIBM) src_libcyassl_la_CFLAGS = -DBUILDING_CYASSL $(AM_CFLAGS) @@ -29,9 +29,10 @@ src_libcyassl_la_CPPFLAGS = -DBUILDING_CYASSL $(AM_CPPFLAGS) if !BUILD_LEANPSK src_libcyassl_la_SOURCES += ctaocrypt/src/rsa.c \ - ctaocrypt/src/dh.c \ - ctaocrypt/src/dsa.c \ - ctaocrypt/src/aes.c + ctaocrypt/src/asn.c \ + ctaocrypt/src/dh.c \ + ctaocrypt/src/dsa.c \ + ctaocrypt/src/aes.c endif if BUILD_AESNI diff --git a/src/internal.c b/src/internal.c index 786916c89..db3bb6ceb 100644 --- a/src/internal.c +++ b/src/internal.c @@ -56,8 +56,10 @@ #ifndef NO_CYASSL_CLIENT static int DoHelloVerifyRequest(CYASSL* ssl, const byte* input, word32*); static int DoServerHello(CYASSL* ssl, const byte* input, word32*, word32); - static int DoCertificateRequest(CYASSL* ssl, const byte* input, word32*); static int DoServerKeyExchange(CYASSL* ssl, const byte* input, word32*); + #ifndef NO_CERTS + static int DoCertificateRequest(CYASSL* ssl, const byte* input,word32*); + #endif #endif @@ -316,11 +318,13 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) { ctx->method = method; ctx->refCount = 1; /* so either CTX_free or SSL_free can release */ +#ifndef NO_CERTS ctx->certificate.buffer = 0; ctx->certChain.buffer = 0; ctx->privateKey.buffer = 0; ctx->serverDH_P.buffer = 0; ctx->serverDH_G.buffer = 0; +#endif ctx->haveDH = 0; ctx->haveNTRU = 0; /* start off */ ctx->haveECDSAsig = 0; /* start off */ @@ -361,7 +365,9 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) ctx->partialWrite = 0; ctx->verifyCallback = 0; +#ifndef NO_CERTS ctx->cm = CyaSSL_CertManagerNew(); +#endif #ifdef HAVE_NTRU if (method->side == CLIENT_END) ctx->haveNTRU = 1; /* always on cliet side */ @@ -393,10 +399,12 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) CYASSL_MSG("Mutex error on CTX init"); return BAD_MUTEX_ERROR; } +#ifndef NO_CERTS if (ctx->cm == NULL) { CYASSL_MSG("Bad Cert Manager New"); return BAD_CERT_MANAGER_ERROR; } +#endif return 0; } @@ -404,15 +412,16 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) /* In case contexts are held in array and don't want to free actual ctx */ void SSL_CtxResourceFree(CYASSL_CTX* ctx) { + XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD); + +#ifndef NO_CERTS XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY); XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT); XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT); - XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD); - CyaSSL_CertManagerFree(ctx->cm); - +#endif #ifdef HAVE_OCSP CyaSSL_OCSP_Cleanup(&ctx->ocsp); #endif @@ -932,9 +941,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) haveRSA = 1; #endif +#ifndef NO_CERTS ssl->buffers.certificate.buffer = 0; ssl->buffers.key.buffer = 0; ssl->buffers.certChain.buffer = 0; +#endif ssl->buffers.inputBuffer.length = 0; ssl->buffers.inputBuffer.idx = 0; ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer; @@ -946,10 +957,12 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN; ssl->buffers.outputBuffer.dynamicFlag = 0; ssl->buffers.domainName.buffer = 0; +#ifndef NO_CERTS ssl->buffers.serverDH_P.buffer = 0; ssl->buffers.serverDH_G.buffer = 0; ssl->buffers.serverDH_Pub.buffer = 0; ssl->buffers.serverDH_Priv.buffer = 0; +#endif ssl->buffers.clearOutputBuffer.buffer = 0; ssl->buffers.clearOutputBuffer.length = 0; ssl->buffers.prevSent = 0; @@ -1068,6 +1081,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->options.usingNonblock = 0; ssl->options.saveArrays = 0; +#ifndef NO_CERTS /* ctx still owns certificate, certChain, key, dh, and cm */ ssl->buffers.certificate = ctx->certificate; ssl->buffers.certChain = ctx->certChain; @@ -1076,6 +1090,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->buffers.serverDH_P = ctx->serverDH_P; ssl->buffers.serverDH_G = ctx->serverDH_G; } +#endif ssl->buffers.weOwnCert = 0; ssl->buffers.weOwnKey = 0; ssl->buffers.weOwnDH = 0; @@ -1175,12 +1190,14 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) } InitRsaKey(ssl->peerRsaKey, ctx->heap); #endif +#ifndef NO_CERTS /* make sure server has cert and key unless using PSK */ if (ssl->options.side == SERVER_END && !havePSK) if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer) { CYASSL_MSG("Server missing certificate and/or private key"); return NO_PRIVATE_KEY; } +#endif /* make sure server has DH parms, and add PSK if there, add NTRU too */ if (ssl->options.side == SERVER_END) @@ -1216,6 +1233,9 @@ void SSL_ResourceFree(CYASSL* ssl) FreeArrays(ssl, 0); XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG); XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES); + XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); + +#ifndef NO_CERTS XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH); /* parameters (p,g) may be owned by ctx */ @@ -1223,14 +1243,13 @@ void SSL_ResourceFree(CYASSL* ssl) XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH); } - XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); /* CYASSL_CTX always owns certChain */ if (ssl->buffers.weOwnCert) XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT); if (ssl->buffers.weOwnKey) XFREE(ssl->buffers.key.buffer, ssl->heap, DYNAMIC_TYPE_KEY); - +#endif #ifndef NO_RSA if (ssl->peerRsaKey) { FreeRsaKey(ssl->peerRsaKey); @@ -2085,6 +2104,8 @@ static void BuildFinished(CYASSL* ssl, Hashes* hashes, const byte* sender) } +#ifndef NO_CERTS + static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) { word32 listSz, i = *inOutIdx; @@ -2419,6 +2440,8 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) return ret; } +#endif /* !NO_CERTS */ + static int DoHelloRequest(CYASSL* ssl, const byte* input, word32* inOutIdx) { @@ -2575,10 +2598,12 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx, ret = DoServerHello(ssl, input, inOutIdx, size); break; +#ifndef NO_CERTS case certificate_request: CYASSL_MSG("processing certificate request"); ret = DoCertificateRequest(ssl, input, inOutIdx); break; +#endif case server_key_exchange: CYASSL_MSG("processing server key exchange"); @@ -2586,10 +2611,12 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx, break; #endif +#ifndef NO_CERTS case certificate: CYASSL_MSG("processing certificate"); ret = DoCertificate(ssl, input, inOutIdx); break; +#endif case server_hello_done: CYASSL_MSG("processing server hello done"); @@ -3769,7 +3796,7 @@ int SendFinished(CYASSL* ssl) return SendBuffered(ssl); } - +#ifndef NO_CERTS int SendCertificate(CYASSL* ssl) { int sendSz, length, ret = 0; @@ -3930,6 +3957,7 @@ int SendCertificateRequest(CYASSL* ssl) else return SendBuffered(ssl); } +#endif /* !NO_CERTS */ int SendData(CYASSL* ssl, const void* data, int sz) @@ -5372,6 +5400,7 @@ int SetCipherList(Suites* s, const char* list) } +#ifndef NO_CERTS /* just read in and ignore for now TODO: */ static int DoCertificateRequest(CYASSL* ssl, const byte* input, word32* inOutIdx) @@ -5416,6 +5445,7 @@ int SetCipherList(Suites* s, const char* list) return 0; } +#endif /* !NO_CERTS */ static int DoServerKeyExchange(CYASSL* ssl, const byte* input, diff --git a/src/ssl.c b/src/ssl.c index 86fce8767..0cbba8d1d 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -303,7 +303,8 @@ int CyaSSL_GetObjectSize(void) return sizeof(CYASSL); } - +/* XXX should be NO_DH */ +#ifndef NO_CERTS /* server Diffie-Hellman parameters */ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz, const unsigned char* g, int gSz) @@ -355,6 +356,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz, CYASSL_LEAVE("CyaSSL_SetTmpDH", 0); return 0; } +#endif /* !NO_CERTS */ int CyaSSL_write(CYASSL* ssl, const void* data, int sz) @@ -537,6 +539,8 @@ void CyaSSL_FreeArrays(CYASSL* ssl) } +#ifndef NO_CERTS + CYASSL_CERT_MANAGER* CyaSSL_CertManagerNew(void) { CYASSL_CERT_MANAGER* cm = NULL; @@ -581,6 +585,7 @@ void CyaSSL_CertManagerFree(CYASSL_CERT_MANAGER* cm) } +#endif /* !NO_CERTS */ @@ -697,6 +702,7 @@ int CyaSSL_SetVersion(CYASSL* ssl, int version) return SSL_SUCCESS; } +#ifndef NO_CERTS /* does CA already exist on signer list */ int AlreadySigner(CYASSL_CERT_MANAGER* cm, byte* hash) @@ -811,6 +817,8 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify) return ret; } +#endif /* !NO_CERTS */ + #ifndef NO_SESSION_CACHE @@ -859,6 +867,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify) #endif /* NO_SESSION_CACHE */ +#ifndef NO_CERTS /* Remove PEM header/footer, convert to ASN1, store any encrypted data info->consumed tracks of PEM bytes consumed in case multiple parts */ @@ -2180,7 +2189,7 @@ int CyaSSL_CTX_use_NTRUPrivateKey_file(CYASSL_CTX* ctx, const char* file) -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) int CyaSSL_CTX_use_RSAPrivateKey_file(CYASSL_CTX* ctx,const char* file, int format) @@ -2207,6 +2216,7 @@ int CyaSSL_CTX_use_NTRUPrivateKey_file(CYASSL_CTX* ctx, const char* file) #endif /* NO_FILESYSTEM */ +#endif /* !NO_CERTS */ void CyaSSL_CTX_set_verify(CYASSL_CTX* ctx, int mode, VerifyCallback vc) { @@ -2248,6 +2258,8 @@ void CyaSSL_set_verify(CYASSL* ssl, int mode, VerifyCallback vc) } +#ifndef NO_CERTS + /* store context CA Cache addition callback */ void CyaSSL_CTX_SetCACb(CYASSL_CTX* ctx, CallbackCACache cb) { @@ -2255,6 +2267,8 @@ void CyaSSL_CTX_SetCACb(CYASSL_CTX* ctx, CallbackCACache cb) ctx->cm->caCacheCallback = cb; } +#endif /* !NO_CERTS */ + #ifndef NO_SESSION_CACHE @@ -2532,12 +2546,13 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) CYASSL_MSG("connect state: FIRST_REPLY_DONE"); case FIRST_REPLY_DONE : - if (ssl->options.sendVerify) - if ( (ssl->error = SendCertificate(ssl)) != 0) { - CYASSL_ERROR(ssl->error); - return SSL_FATAL_ERROR; - } - + #ifndef NO_CERTS + if (ssl->options.sendVerify) + if ( (ssl->error = SendCertificate(ssl)) != 0) { + CYASSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + #endif ssl->options.connectState = FIRST_REPLY_FIRST; CYASSL_MSG("connect state: FIRST_REPLY_FIRST"); @@ -2655,14 +2670,16 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) return SSL_FATAL_ERROR; } - /* in case used set_accept_state after init */ - if (!havePSK && (ssl->buffers.certificate.buffer == NULL || - ssl->buffers.key.buffer == NULL)) { - CYASSL_MSG("accept error: don't have server cert and key"); - ssl->error = NO_PRIVATE_KEY; - CYASSL_ERROR(ssl->error); - return SSL_FATAL_ERROR; - } + #ifndef NO_CERTS + /* in case used set_accept_state after init */ + if (!havePSK && (ssl->buffers.certificate.buffer == NULL || + ssl->buffers.key.buffer == NULL)) { + CYASSL_MSG("accept error: don't have server cert and key"); + ssl->error = NO_PRIVATE_KEY; + CYASSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + #endif #ifdef HAVE_ECC /* in case used set_accept_state after init */ @@ -2757,11 +2774,13 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) CYASSL_MSG("accept state SERVER_HELLO_SENT"); case SERVER_HELLO_SENT : - if (!ssl->options.resuming) - if ( (ssl->error = SendCertificate(ssl)) != 0) { - CYASSL_ERROR(ssl->error); - return SSL_FATAL_ERROR; - } + #ifndef NO_CERTS + if (!ssl->options.resuming) + if ( (ssl->error = SendCertificate(ssl)) != 0) { + CYASSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + #endif ssl->options.acceptState = CERT_SENT; CYASSL_MSG("accept state CERT_SENT"); @@ -2775,12 +2794,14 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) CYASSL_MSG("accept state KEY_EXCHANGE_SENT"); case KEY_EXCHANGE_SENT : - if (!ssl->options.resuming) - if (ssl->options.verifyPeer) - if ( (ssl->error = SendCertificateRequest(ssl)) != 0) { - CYASSL_ERROR(ssl->error); - return SSL_FATAL_ERROR; - } + #ifndef NO_CERTS + if (!ssl->options.resuming) + if (ssl->options.verifyPeer) + if ( (ssl->error = SendCertificateRequest(ssl)) != 0) { + CYASSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + #endif ssl->options.acceptState = CERT_REQ_SENT; CYASSL_MSG("accept state CERT_REQ_SENT"); @@ -3501,6 +3522,7 @@ int CyaSSL_set_compression(CYASSL* ssl) #endif /* NO_PSK */ +#ifndef NO_CERTS /* used to be defined on NO_FILESYSTEM only, but are generally useful */ /* CyaSSL extension allows DER files to be loaded from buffers as well */ @@ -3565,6 +3587,7 @@ int CyaSSL_set_compression(CYASSL* ssl) } /* old NO_FILESYSTEM end */ +#endif /* !NO_CERTS */ #if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) @@ -5413,6 +5436,8 @@ int CyaSSL_set_compression(CYASSL* ssl) } +/* XXX shuld be NO_DH */ +#ifndef NO_CERTS /* server ctx Diffie-Hellman parameters */ int CyaSSL_CTX_SetTmpDH(CYASSL_CTX* ctx, const unsigned char* p, int pSz, const unsigned char* g, int gSz) @@ -5444,6 +5469,7 @@ int CyaSSL_set_compression(CYASSL* ssl) CYASSL_LEAVE("CyaSSL_CTX_SetTmpDH", 0); return 0; } +#endif /* !NO_CERTS */ char* CyaSSL_CIPHER_description(CYASSL_CIPHER* cipher, char* in, int len) diff --git a/tests/include.am b/tests/include.am index 013075f78..94e000f82 100644 --- a/tests/include.am +++ b/tests/include.am @@ -6,12 +6,12 @@ check_PROGRAMS += tests/unit noinst_PROGRAMS += tests/unit tests_unit_SOURCES = \ - tests/unit.c \ - tests/api.c \ - tests/suites.c \ + tests/unit.c \ + tests/api.c \ + tests/suites.c \ tests/hash.c \ - examples/client/client.c \ - examples/server/server.c + examples/client/client.c \ + examples/server/server.c tests_unit_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) $(PTHREAD_CFLAGS) tests_unit_LDADD = src/libcyassl.la $(PTHREAD_LIBS) tests_unit_DEPENDENCIES = src/libcyassl.la @@ -26,4 +26,4 @@ EXTRA_DIST += tests/test.conf \ tests/test-aesgcm-ecc.conf \ tests/test-aesgcm-openssl.conf \ tests/test-dtls.conf \ - tests/test-psk-null.conf + tests/test-psk-null.conf From 134c6b8b1bd7c0491b30b6ad0c7bae2b8d4501a2 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 1 Nov 2012 15:03:29 -0700 Subject: [PATCH 2/3] cleaning warnings in OCSP build --- ctaocrypt/src/asn.c | 87 +++++++++++++++++++++--------------------- cyassl/ctaocrypt/asn.h | 4 +- cyassl/ctaocrypt/rsa.h | 2 +- cyassl/internal.h | 3 +- cyassl/ssl.h | 4 +- src/ocsp.c | 12 +++--- 6 files changed, 56 insertions(+), 56 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 5c03ad80d..b225e4b6d 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -1230,7 +1230,7 @@ static int GetKey(DecodedCert* cert) if (b != ASN_BIT_STRING) return ASN_BITSTR_E; - if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) + if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0) return ASN_PARSE_E; b = cert->source[cert->srcIdx++]; if (b != 0x00) @@ -2127,9 +2127,9 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, else { /* make sure we're right justified */ encodedSigSz = - EncodeSignature(encodedSig, digest, digestSz, typeH); + EncodeSignature(encodedSig, digest, digestSz, typeH); if (encodedSigSz != verifySz || - XMEMCMP(out, encodedSig, encodedSigSz) != 0) { + XMEMCMP(out, encodedSig, encodedSigSz) != 0) { CYASSL_MSG("Rsa SSL verify match encode error"); ret = 0; } @@ -2173,7 +2173,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, return 0; } - ret = ecc_verify_hash(sig, sigSz, digest, digestSz, &verify, &pubKey); + ret = ecc_verify_hash(sig,sigSz,digest,digestSz,&verify,&pubKey); ecc_free(&pubKey); if (ret == 0 && verify == 1) return 1; /* match */ @@ -4135,90 +4135,90 @@ static int GetEnumerated(const byte* input, word32* inOutIdx, int *value) static int DecodeSingleResponse(byte* source, word32* ioIndex, OcspResponse* resp, word32 size) { - word32 index = *ioIndex, prevIndex, oid; + word32 idx = *ioIndex, prevIndex, oid; int length, wrapperSz; CertStatus* cs = resp->status; CYASSL_ENTER("DecodeSingleResponse"); /* Outer wrapper of the SEQUENCE OF Single Responses. */ - if (GetSequence(source, &index, &wrapperSz, size) < 0) + if (GetSequence(source, &idx, &wrapperSz, size) < 0) return ASN_PARSE_E; - prevIndex = index; + prevIndex = idx; /* When making a request, we only request one status on one certificate * at a time. There should only be one SingleResponse */ /* Wrapper around the Single Response */ - if (GetSequence(source, &index, &length, size) < 0) + if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; /* Wrapper around the CertID */ - if (GetSequence(source, &index, &length, size) < 0) + if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; /* Skip the hash algorithm */ - if (GetAlgoId(source, &index, &oid, size) < 0) + if (GetAlgoId(source, &idx, &oid, size) < 0) return ASN_PARSE_E; /* Save reference to the hash of CN */ - if (source[index++] != ASN_OCTET_STRING) + if (source[idx++] != ASN_OCTET_STRING) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - resp->issuerHash = source + index; - index += length; + resp->issuerHash = source + idx; + idx += length; /* Save reference to the hash of the issuer public key */ - if (source[index++] != ASN_OCTET_STRING) + if (source[idx++] != ASN_OCTET_STRING) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - resp->issuerKeyHash = source + index; - index += length; + resp->issuerKeyHash = source + idx; + idx += length; /* Read the serial number, it is handled as a string, not as a * proper number. Just XMEMCPY the data over, rather than load it * as an mp_int. */ - if (source[index++] != ASN_INTEGER) + if (source[idx++] != ASN_INTEGER) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; if (length <= EXTERNAL_SERIAL_SIZE) { - if (source[index] == 0) + if (source[idx] == 0) { - index++; + idx++; length--; } - XMEMCPY(cs->serial, source + index, length); + XMEMCPY(cs->serial, source + idx, length); cs->serialSz = length; } else { return ASN_GETINT_E; } - index += length; + idx += length; /* CertStatus */ - switch (source[index++]) + switch (source[idx++]) { case (ASN_CONTEXT_SPECIFIC | CERT_GOOD): cs->status = CERT_GOOD; - index++; + idx++; break; case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED): cs->status = CERT_REVOKED; - GetLength(source, &index, &length, size); - index += length; + GetLength(source, &idx, &length, size); + idx += length; break; case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN): cs->status = CERT_UNKNOWN; - index++; + idx++; break; default: return ASN_PARSE_E; } - if (GetBasicDate(source, &index, cs->thisDate, + if (GetBasicDate(source, &idx, cs->thisDate, &cs->thisDateFormat, size) < 0) return ASN_PARSE_E; if (!ValidateDate(cs->thisDate, cs->thisDateFormat, BEFORE)) @@ -4227,26 +4227,26 @@ static int DecodeSingleResponse(byte* source, /* The following items are optional. Only check for them if there is more * unprocessed data in the singleResponse wrapper. */ - if ((index - prevIndex < wrapperSz) && - (source[index] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))) + if (((int)(idx - prevIndex) < wrapperSz) && + (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))) { - index++; - if (GetLength(source, &index, &length, size) < 0) + idx++; + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - if (GetBasicDate(source, &index, cs->nextDate, + if (GetBasicDate(source, &idx, cs->nextDate, &cs->nextDateFormat, size) < 0) return ASN_PARSE_E; } - if ((index - prevIndex < wrapperSz) && - (source[index] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))) + if (((int)(idx - prevIndex) < wrapperSz) && + (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))) { - index++; - if (GetLength(source, &index, &length, size) < 0) + idx++; + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - index += length; + idx += length; } - *ioIndex = index; + *ioIndex = idx; return 0; } @@ -4572,7 +4572,7 @@ static word32 SetOcspReqExtensions(word32 extSz, byte* output, seqArray[1][0] = ASN_OBJECT_ID; seqSz[1] = 1 + SetLength(sizeof(NonceObjId), &seqArray[1][1]); - totalSz = seqSz[0] + seqSz[1] + nonceSz + sizeof(NonceObjId); + totalSz = seqSz[0] + seqSz[1] + nonceSz + (word32)sizeof(NonceObjId); seqSz[2] = SetSequence(totalSz, seqArray[2]); totalSz += seqSz[2]; @@ -4596,7 +4596,7 @@ static word32 SetOcspReqExtensions(word32 extSz, byte* output, XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); totalSz += seqSz[1]; XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); - totalSz += sizeof(NonceObjId); + totalSz += (word32)sizeof(NonceObjId); XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); totalSz += seqSz[0]; XMEMCPY(output + totalSz, nonce, nonceSz); @@ -4617,7 +4617,6 @@ int EncodeOcspRequest(OcspRequest* req) byte snArray[MAX_SN_SZ]; byte extArray[MAX_OCSP_EXT_SZ]; byte* output = req->dest; - word32 outputSz = req->destSz; RNG rng; word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz; int i; diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 0b9e2f67a..71f9d8e33 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -19,7 +19,7 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -//#ifndef NO_ASN +#ifndef NO_ASN #ifndef CTAO_CRYPT_ASN_H #define CTAO_CRYPT_ASN_H @@ -485,4 +485,4 @@ CYASSL_LOCAL void FreeDecodedCRL(DecodedCRL*); #endif /* CTAO_CRYPT_ASN_H */ -//#endif /* NO_ASN */ +#endif /* !NO_ASN */ diff --git a/cyassl/ctaocrypt/rsa.h b/cyassl/ctaocrypt/rsa.h index 5071aa8b0..c029e4b09 100644 --- a/cyassl/ctaocrypt/rsa.h +++ b/cyassl/ctaocrypt/rsa.h @@ -80,4 +80,4 @@ CYASSL_API int RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey*, #endif /* CTAO_CRYPT_RSA_H */ -#endif /* NO_RSA */ \ No newline at end of file +#endif /* NO_RSA */ diff --git a/cyassl/internal.h b/cyassl/internal.h index 21f0230c7..60705d789 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -180,7 +180,8 @@ void c32to24(word32 in, word24 out); #define BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA #endif -#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && !defined(NO_RSA) && defined(OPENSSL_EXTRA) +#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ + !defined(NO_RSA) && defined(OPENSSL_EXTRA) #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA #if !defined (NO_SHA256) diff --git a/cyassl/ssl.h b/cyassl/ssl.h index e2f79af1f..cfacdb1a4 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -654,8 +654,8 @@ CYASSL_API void CyaSSL_CTX_sess_set_remove_cb(CYASSL_CTX*, void (*f)(CYASSL_CTX*, CYASSL_SESSION*)); CYASSL_API int CyaSSL_i2d_SSL_SESSION(CYASSL_SESSION*,unsigned char**); -CYASSL_API CYASSL_SESSION* CyaSSL_d2i_SSL_SESSION(CYASSL_SESSION**,const unsigned char**, - long); +CYASSL_API CYASSL_SESSION* CyaSSL_d2i_SSL_SESSION(CYASSL_SESSION**, + const unsigned char**, long); CYASSL_API long CyaSSL_SESSION_get_timeout(const CYASSL_SESSION*); CYASSL_API long CyaSSL_SESSION_get_time(const CYASSL_SESSION*); diff --git a/src/ocsp.c b/src/ocsp.c index b64bee736..af1e422fc 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -167,7 +167,7 @@ static int decode_url(const char* url, int urlSz, int CyaSSL_OCSP_set_override_url(CYASSL_OCSP* ocsp, const char* url) { if (ocsp != NULL) { - int urlSz = strlen(url); + int urlSz = (int)XSTRLEN(url); decode_url(url, urlSz, ocsp->overrideName, ocsp->overridePath, &ocsp->overridePort); return 1; @@ -278,8 +278,8 @@ static int decode_http_response(byte* httpBuf, int httpBufSz, byte** dst) idx += 2; /* skip the crlf */ } else { /* Advance idx past the next \r\n */ - char* end = strstr(&buf[idx], "\r\n"); - idx = end - buf + 2; + char* end = XSTRSTR(&buf[idx], "\r\n"); + idx = (int)(end - buf + 2); stop = 1; } } @@ -411,11 +411,11 @@ static int http_ocsp_transaction(CYASSL_OCSP* ocsp, DecodedCert* cert, tcp_connect(&sfd, domainName, port); if (sfd > 0) { int written; - written = write(sfd, httpBuf, httpBufSz); + written = (int)write(sfd, httpBuf, httpBufSz); if (written == httpBufSz) { - written = write(sfd, ocspReqBuf, ocspReqSz); + written = (int)write(sfd, ocspReqBuf, ocspReqSz); if (written == ocspReqSz) { - httpBufSz = read(sfd, httpBuf, SCRATCH_BUFFER_SIZE); + httpBufSz = (int)read(sfd, httpBuf, SCRATCH_BUFFER_SIZE); if (httpBufSz > 0) { ocspRespSz = decode_http_response(httpBuf, httpBufSz, ocspRespBuf); From 90e6a4dd8c444c9a6da5e125c114c932ae1c19cc Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 1 Nov 2012 15:27:05 -0700 Subject: [PATCH 3/3] linux build warnings fix --- src/ocsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ocsp.c b/src/ocsp.c index af1e422fc..7a21ea24c 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -457,7 +457,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) byte ocspReqBuf[SCRATCH_BUFFER_SIZE]; int ocspReqSz = SCRATCH_BUFFER_SIZE; byte* ocspRespBuf = NULL; - int ocspRespSz; + int ocspRespSz = 0; OcspRequest ocspRequest; OcspResponse ocspResponse; int result = 0;