From f19541ffe5d47a4f4fd43f15d168bdc62c3e48d5 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 27 Apr 2016 11:29:42 -0600 Subject: [PATCH 1/9] update to MYSQL compatibility --- IDE/MYSQL/CMakeLists_wolfCrypt.txt | 3 +- src/ssl.c | 204 +++++++++++++++++++++++++++-- tests/api.c | 54 ++++++++ wolfssl/internal.h | 4 + wolfssl/openssl/des.h | 33 ++--- wolfssl/openssl/ssl.h | 14 +- wolfssl/ssl.h | 19 ++- 7 files changed, 289 insertions(+), 42 deletions(-) diff --git a/IDE/MYSQL/CMakeLists_wolfCrypt.txt b/IDE/MYSQL/CMakeLists_wolfCrypt.txt index 62184780b..49953507a 100644 --- a/IDE/MYSQL/CMakeLists_wolfCrypt.txt +++ b/IDE/MYSQL/CMakeLists_wolfCrypt.txt @@ -27,7 +27,7 @@ SET(WOLFCRYPT_SOURCES src/aes.c src/arc4.c src/asn.c src/blake2b.c src/camellia.c src/chacha.c src/coding.c src/compress.c src/des3.c src/dh.c src/dsa.c src/ecc.c src/error.c src/hc128.c src/hmac.c src/integer.c src/logging.c src/md2.c src/md4.c src/md5.c src/memory.c - src/misc.c src/pkcs7.c src/poly1305.c src/pwdbased.c src/rabbit.c + src/pkcs7.c src/poly1305.c src/pwdbased.c src/rabbit.c src/random.c src/ripemd.c src/rsa.c src/sha.c src/sha256.c src/sha512.c src/tfm.c src/wc_port.c src/wc_encrypt.c src/hash.c ../wolfssl/wolfcrypt/aes.h ../wolfssl/wolfcrypt/arc4.h ../wolfssl/wolfcrypt/asn.h ../wolfssl/wolfcrypt/blake2.h @@ -39,6 +39,7 @@ SET(WOLFCRYPT_SOURCES src/aes.c src/arc4.c src/asn.c src/blake2b.c ../wolfssl/wolfcrypt/tfm.h ../wolfssl/wolfcrypt/wc_port.h ../wolfssl/wolfcrypt/wc_encrypt.h ../wolfssl/wolfcrypt/hash.h ) +# misc.c is not compiled in since using INLINE ADD_CONVENIENCE_LIBRARY(wolfcrypt ${WOLFCRYPT_SOURCES}) RESTRICT_SYMBOL_EXPORTS(wolfcrypt) diff --git a/src/ssl.c b/src/ssl.c index 3e58df848..411cea572 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -81,6 +81,7 @@ #include #include #include + #include #ifdef HAVE_STUNNEL #include #endif /* WITH_STUNNEL */ @@ -9760,6 +9761,35 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } + /* WOLFSSL_DES_key_schedule is a unsigned char array of size 8 */ + void wolfSSL_DES_ede3_cbc_encrypt(const unsigned char* input, + unsigned char* output, long sz, + WOLFSSL_DES_key_schedule* ks1, + WOLFSSL_DES_key_schedule* ks2, + WOLFSSL_DES_key_schedule* ks3, + WOLFSSL_DES_cblock* ivec, int enc) + { + Des3 des; + byte key[24];/* EDE uses 24 size key */ + + WOLFSSL_ENTER("wolfSSL_DES_ede3_cbc_encrypt"); + + XMEMSET(key, 0, sizeof(key)); + XMEMCPY(key, *ks1, DES_BLOCK_SIZE); + XMEMCPY(&key[DES_BLOCK_SIZE], *ks2, DES_BLOCK_SIZE); + XMEMCPY(&key[DES_BLOCK_SIZE * 2], *ks3, DES_BLOCK_SIZE); + + if (enc) { + wc_Des3_SetKey(&des, key, (const byte*)ivec, DES_ENCRYPTION); + wc_Des3_CbcEncrypt(&des, output, input, (word32)sz); + } + else { + wc_Des3_SetKey(&des, key, (const byte*)ivec, DES_DECRYPTION); + wc_Des3_CbcDecrypt(&des, output, input, (word32)sz); + } + } + + /* correctly sets ivec for next call */ void wolfSSL_DES_ncbc_encrypt(const unsigned char* input, unsigned char* output, long length, @@ -10216,6 +10246,71 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_LEAVE("wolfSSL_X509_NAME_get_text_by_NID", textSz); return textSz; } + + int wolfSSL_X509_NAME_get_index_by_NID(WOLFSSL_X509_NAME* name, + int nid, int pos) + { + int ret = -1; + + WOLFSSL_ENTER("wolfSSL_X509_NAME_get_index_by_NID"); + + if (name == NULL) { + return BAD_FUNC_ARG; + } + + /* these index values are already stored in DecodedName + use those when available */ + if (name->fullName.fullName && name->fullName.fullNameLen > 0) { + switch (nid) { + case ASN_COMMON_NAME: + ret = name->fullName.cnIdx; + break; + default: + WOLFSSL_MSG("NID not yet implemented"); + break; + } + } + + WOLFSSL_LEAVE("wolfSSL_X509_NAME_get_index_by_NID", ret); + + (void)pos; + (void)nid; + + return ret; + } + + + WOLFSSL_ASN1_STRING* wolfSSL_X509_NAME_ENTRY_get_data(WOLFSSL_X509_NAME_ENTRY* in) + { + WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_get_data"); + return in->value; + } + + + char* wolfSSL_ASN1_STRING_data(WOLFSSL_ASN1_STRING* asn) + { + WOLFSSL_ENTER("wolfSSL_ASN1_STRING_data"); + + if (asn) { + return asn->data; + } + else { + return NULL; + } + } + + + int wolfSSL_ASN1_STRING_length(WOLFSSL_ASN1_STRING* asn) + { + WOLFSSL_ENTER("wolfSSL_ASN1_STRING_length"); + + if (asn) { + return asn->length; + } + else { + return 0; + } + } #endif @@ -10636,6 +10731,14 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) #endif /* NO_FILESYSTEM */ #endif /* KEEP_PEER_CERT || SESSION_CERTS */ + +#ifdef OPENSSL_EXTRA /* needed for wolfSSL_X509_d21 function */ +WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) +{ + DerBuffer* cert = ssl->buffers.certificate; + return wolfSSL_X509_d2i(NULL, cert->buffer, cert->length); +} +#endif /* OPENSSL_EXTRA */ #endif /* NO_CERTS */ @@ -11656,7 +11759,6 @@ int wolfSSL_ASN1_TIME_print(WOLFSSL_BIO* bio, const WOLFSSL_ASN1_TIME* asnTime) } - int wolfSSL_ASN1_INTEGER_cmp(const WOLFSSL_ASN1_INTEGER* a, const WOLFSSL_ASN1_INTEGER* b) { @@ -11835,14 +11937,16 @@ long wolfSSL_CTX_sess_number(WOLFSSL_CTX* ctx) void wolfSSL_DES_set_key_unchecked(WOLFSSL_const_DES_cblock* myDes, WOLFSSL_DES_key_schedule* key) { - (void)myDes; - (void)key; + if (myDes != NULL && key != NULL) { + XMEMCPY(key, myDes, sizeof(WOLFSSL_const_DES_cblock)); + } } void wolfSSL_DES_set_odd_parity(WOLFSSL_DES_cblock* myDes) { (void)myDes; + WOLFSSL_STUB("wolfSSL_DES_set_odd_parity"); } @@ -11853,6 +11957,7 @@ void wolfSSL_DES_ecb_encrypt(WOLFSSL_DES_cblock* desa, (void)desb; (void)key; (void)len; + WOLFSSL_STUB("wolfSSL_DES_ecb_encrypt"); } #endif /* NO_DES3 */ @@ -16882,7 +16987,7 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) #ifdef OPENSSL_EXTRA /*Lighttp compatibility*/ -#ifdef HAVE_LIGHTY +#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md) { @@ -16998,12 +17103,90 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) } WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc) { + + int maxLoc = name->fullName.fullNameLen; + char* data = NULL; + int length; + int type; + + WOLFSSL_ASN1_STRING* asnStr; + WOLFSSL_X509_NAME_ENTRY* ret; + + WOLFSSL_ENTER("wolfSSL_X509_NAME_get_entry"); + + if (loc < 0 || loc > maxLoc) { + WOLFSSL_MSG("Bad argument"); + return NULL; + } + + ret = XMALLOC(sizeof(WOLFSSL_X509_NAME_ENTRY), NULL, DYNAMIC_TYPE_X509); + if (ret == NULL) { + return ret; + } + asnStr = XMALLOC(sizeof(WOLFSSL_ASN1_STRING), NULL, + DYNAMIC_TYPE_X509); + if (asnStr == NULL) { + XFREE(ret, NULL, DYNAMIC_TYPE_X509); + ret = NULL; + } + + /* initialize both structures */ + XMEMSET(ret, 0, sizeof(WOLFSSL_X509_NAME_ENTRY)); + XMEMSET(asnStr, 0, sizeof(WOLFSSL_ASN1_STRING)); + + /* common name index case */ + if (loc == name->fullName.cnIdx) { + length = name->fullName.cnLen; + data = name->fullName.fullName + loc; + type = ASN_COMMON_NAME; + } + + /* additionall cases to check for go here */ + + + if (data == NULL) { + WOLFSSL_MSG("Index not found"); + XFREE(asnStr, NULL, DYNAMIC_TYPE_X509); + XFREE(ret, NULL, DYNAMIC_TYPE_X509); + ret = NULL; + } + else { + asnStr->data = XMALLOC(length + 1, NULL, DYNAMIC_TYPE_X509); + if (asnStr->data == NULL) { + XFREE(asnStr, NULL, DYNAMIC_TYPE_X509); + XFREE(ret, NULL, DYNAMIC_TYPE_X509); + ret = NULL; + } + + /* check bounds before copying from fullName */ + if (loc + length > maxLoc) { + XFREE(asnStr, NULL, DYNAMIC_TYPE_X509); + XFREE(ret, NULL, DYNAMIC_TYPE_X509); + ret = NULL; + } + + if (ret != NULL) { + XMEMCPY(asnStr->data, data, length); + asnStr->data[length] = 0; + asnStr->length = length; + asnStr->type = type; + asnStr->flags = 0; + + ret->object = NULL; + ret->value = asnStr; + ret->set = 1; + ret->size = asnStr->length + sizeof(WOLFSSL_ASN1_STRING) + + sizeof(WOLFSSL_X509_NAME_ENTRY); + } + } + (void)name; (void)loc; - WOLFSSL_ENTER("wolfSSL_X509_NAME_get_entry"); - WOLFSSL_STUB("wolfSSL_X509_NAME_get_entry"); + (void)data; + (void)type; + (void)length; - return NULL; + return ret; } #ifndef NO_CERTS @@ -17038,7 +17221,7 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return NULL; } -#endif +#endif /* HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE */ #endif @@ -17135,7 +17318,8 @@ void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) #endif /* OPENSSL_EXTRA */ -#if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) +#if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) \ + || defined(WOLFSSL_MYSQL_COMPATIBLE) char * wolf_OBJ_nid2ln(int n) { (void)n; WOLFSSL_ENTER("wolf_OBJ_nid2ln"); @@ -17228,7 +17412,7 @@ long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL_DH* dh) return pSz > 0 && gSz > 0 ? ret : SSL_FATAL_ERROR; } #endif /* NO_DH */ -#endif /* HAVE_LIGHTY || HAVE_STUNNEL */ +#endif /* HAVE_LIGHTY || HAVE_STUNNEL || WOLFSSL_MYSQL_COMPATIBLE */ /* stunnel compatibility functions*/ diff --git a/tests/api.c b/tests/api.c index da2273c53..630588d75 100644 --- a/tests/api.c +++ b/tests/api.c @@ -39,6 +39,10 @@ #include #include +#ifdef OPENSSL_EXTRA + #include +#endif + /* enable testing buffer load functions */ #ifndef USE_CERT_BUFFERS_2048 #define USE_CERT_BUFFERS_2048 @@ -1662,6 +1666,53 @@ static void test_wolfSSL_UseALPN(void) #endif } +/*----------------------------------------------------------------------------* + | X509 Tests + *----------------------------------------------------------------------------*/ +static void test_wolfSSL_X509_NAME_get_entry(void) +{ +#ifndef NO_CERTS +#if defined(OPENSSL_EXTRA) && (defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)) \ + && (defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE)) + printf(testingFmt, "wolfSSL_X509_NAME_get_entry()"); + + { + /* use openssl like name to test mapping */ + X509_NAME_ENTRY* ne = NULL; + X509_NAME* name = NULL; + char* subCN = NULL; + X509* x509; + ASN1_STRING* asn; + int idx; + + #ifndef NO_FILESYSTEM + x509 = wolfSSL_X509_load_certificate_file(cliCert, SSL_FILETYPE_PEM); + AssertNotNull(x509); + + name = X509_get_subject_name(x509); + + idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1); + AssertIntGE(idx, 0); + + ne = X509_NAME_get_entry(name, idx); + AssertNotNull(ne); + + asn = X509_NAME_ENTRY_get_data(ne); + AssertNotNull(asn); + + subCN = (char*)ASN1_STRING_data(asn); + AssertNotNull(subCN); + + #endif + + } + + printf(resultFmt, passed); +#endif /* OPENSSL_EXTRA */ +#endif /* !NO_CERTS */ +} + + /*----------------------------------------------------------------------------* | Main *----------------------------------------------------------------------------*/ @@ -1692,6 +1743,9 @@ void ApiTest(void) test_wolfSSL_UseSupportedCurve(); test_wolfSSL_UseALPN(); + /* X509 tests */ + test_wolfSSL_X509_NAME_get_entry(); + test_wolfSSL_Cleanup(); printf(" End API Tests\n"); } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index cf101366a..507f152e1 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -873,7 +873,11 @@ enum Misc { ZLIB_COMPRESSION = 221, /* wolfSSL zlib compression */ HELLO_EXT_SIG_ALGO = 13, /* ID for the sig_algo hello extension */ SECRET_LEN = 48, /* pre RSA and all master */ +#if defined(WOLFSSL_MYSQL_COMPATIBLE) + ENCRYPT_LEN = 1024, /* allow larger static buffer with mysql */ +#else ENCRYPT_LEN = 512, /* allow 4096 bit static buffer */ +#endif SIZEOF_SENDER = 4, /* clnt or srvr */ FINISHED_SZ = 36, /* MD5_DIGEST_SIZE + SHA_DIGEST_SIZE */ MAX_RECORD_SIZE = 16384, /* 2^14, max size by standard */ diff --git a/wolfssl/openssl/des.h b/wolfssl/openssl/des.h index e8c2ac42b..14b843b0b 100644 --- a/wolfssl/openssl/des.h +++ b/wolfssl/openssl/des.h @@ -61,6 +61,12 @@ WOLFSSL_API void wolfSSL_DES_cbc_encrypt(const unsigned char* input, unsigned char* output, long length, WOLFSSL_DES_key_schedule* schedule, WOLFSSL_DES_cblock* ivec, int enc); +WOLFSSL_API void wolfSSL_DES_ede3_cbc_encrypt(const unsigned char* input, + unsigned char* output, long sz, + WOLFSSL_DES_key_schedule* ks1, + WOLFSSL_DES_key_schedule* ks2, + WOLFSSL_DES_key_schedule* ks3, + WOLFSSL_DES_cblock* ivec, int enc); WOLFSSL_API void wolfSSL_DES_ncbc_encrypt(const unsigned char* input, unsigned char* output, long length, WOLFSSL_DES_key_schedule* schedule, @@ -76,27 +82,12 @@ typedef WOLFSSL_const_DES_cblock const_DES_cblock; typedef WOLFSSL_DES_key_schedule DES_key_schedule; #define DES_set_key_unchecked wolfSSL_DES_set_key_unchecked -#define DES_key_sched wolfSSL_DES_key_sched -#define DES_cbc_encrypt wolfSSL_DES_cbc_encrypt -#define DES_ncbc_encrypt wolfSSL_DES_ncbc_encrypt -#define DES_set_odd_parity wolfSSL_DES_set_odd_parity -#define DES_ecb_encrypt wolfSSL_DES_ecb_encrypt -#define DES_ede3_cbc_encrypt(input, output, sz, ks1, ks2, ks3, ivec, enc) \ -do { \ - Des3 des; \ - byte key[24];/* EDE uses 24 size key */ \ - memcpy(key, (ks1), DES_BLOCK_SIZE); \ - memcpy(&key[DES_BLOCK_SIZE], (ks2), DES_BLOCK_SIZE); \ - memcpy(&key[DES_BLOCK_SIZE * 2], (ks3), DES_BLOCK_SIZE); \ - if (enc) { \ - wc_Des3_SetKey(&des, key, (const byte*)(ivec), DES_ENCRYPTION); \ - wc_Des3_CbcEncrypt(&des, (output), (input), (sz)); \ - } \ - else { \ - wc_Des3_SetKey(&des, key, (const byte*)(ivec), DES_ENCRYPTION); \ - wc_Des3_CbcDecrypt(&des, (output), (input), (sz)); \ - } \ -} while(0) +#define DES_key_sched wolfSSL_DES_key_sched +#define DES_cbc_encrypt wolfSSL_DES_cbc_encrypt +#define DES_ncbc_encrypt wolfSSL_DES_ncbc_encrypt +#define DES_set_odd_parity wolfSSL_DES_set_odd_parity +#define DES_ecb_encrypt wolfSSL_DES_ecb_encrypt +#define DES_ede3_cbc_encrypt wolfSSL_DES_ede3_cbc_encrypt #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 67902a679..ce6865909 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -104,7 +104,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_get_verify_depth wolfSSL_get_verify_depth #define SSL_CTX_get_verify_mode wolfSSL_CTX_get_verify_mode #define SSL_CTX_get_verify_depth wolfSSL_CTX_get_verify_depth -#define SSL_get_certificate(ctx) 0 /* used to pass to get_privatekey */ +#define SSL_get_certificate wolfSSL_get_certificate #define SSLv3_server_method wolfSSLv3_server_method #define SSLv3_client_method wolfSSLv3_client_method @@ -409,7 +409,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; /* Lighthttp compatibility */ -#ifdef HAVE_LIGHTY +#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define SSL_CB_HANDSHAKE_START 0x10 @@ -428,14 +428,20 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define X509_NAME_entry_count wolfSSL_X509_NAME_entry_count #define X509_NAME_ENTRY_get_object wolfSSL_X509_NAME_ENTRY_get_object #define X509_NAME_get_entry wolfSSL_X509_NAME_get_entry +#define ASN1_STRING_data wolfSSL_ASN1_STRING_data +#define ASN1_STRING_length wolfSSL_ASN1_STRING_length +#define X509_NAME_get_index_by_NID wolfSSL_X509_NAME_get_index_by_NID +#define X509_NAME_ENTRY_get_data wolfSSL_X509_NAME_ENTRY_get_data #define sk_X509_NAME_pop_free wolfSSL_sk_X509_NAME_pop_free #define SHA1 wolfSSL_SHA1 #define X509_check_private_key wolfSSL_X509_check_private_key #define SSL_dup_CA_list wolfSSL_dup_CA_list +#define NID_commonName 0x03 /* matchs ASN_COMMON_NAME in asn.h */ #endif -#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) +#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) \ + || defined(WOLFSSL_MYSQL_COMPATIBLE) #define OBJ_nid2ln wolf_OBJ_nid2ln #define OBJ_txt2nid wolf_OBJ_txt2nid @@ -445,7 +451,7 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define BIO_new_file wolfSSL_BIO_new_file -#endif /* HAVE_STUNNEL || HAVE_LIGHTY */ +#endif /* HAVE_STUNNEL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE */ #ifdef HAVE_STUNNEL #include diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 34fd8536a..2c20f4238 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -70,6 +70,7 @@ typedef struct WOLFSSL_CTX WOLFSSL_CTX; typedef struct WOLFSSL_X509 WOLFSSL_X509; typedef struct WOLFSSL_X509_NAME WOLFSSL_X509_NAME; +typedef struct WOLFSSL_X509_NAME_ENTRY WOLFSSL_X509_NAME_ENTRY; typedef struct WOLFSSL_X509_CHAIN WOLFSSL_X509_CHAIN; typedef struct WOLFSSL_CERT_MANAGER WOLFSSL_CERT_MANAGER; @@ -474,6 +475,11 @@ WOLFSSL_API unsigned char* wolfSSL_X509_get_subjectKeyID( WOLFSSL_API int wolfSSL_X509_NAME_entry_count(WOLFSSL_X509_NAME*); WOLFSSL_API int wolfSSL_X509_NAME_get_text_by_NID( WOLFSSL_X509_NAME*, int, char*, int); +WOLFSSL_API int wolfSSL_X509_NAME_get_index_by_NID( + WOLFSSL_X509_NAME*, int, int); +WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_X509_NAME_ENTRY_get_data(WOLFSSL_X509_NAME_ENTRY*); +WOLFSSL_API char* wolfSSL_ASN1_STRING_data(WOLFSSL_ASN1_STRING*); +WOLFSSL_API int wolfSSL_ASN1_STRING_length(WOLFSSL_ASN1_STRING*); WOLFSSL_API int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX*); WOLFSSL_API const char* wolfSSL_X509_verify_cert_error_string(long); WOLFSSL_API int wolfSSL_X509_get_signature_type(WOLFSSL_X509*); @@ -1004,6 +1010,10 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, WOLFSSL_API int wolfSSL_use_certificate_chain_buffer(WOLFSSL*, const unsigned char*, long); WOLFSSL_API int wolfSSL_UnloadCertsKeys(WOLFSSL*); + + #ifdef OPENSSL_EXTRA + WOLFSSL_API WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl); + #endif #endif WOLFSSL_API int wolfSSL_CTX_set_group_messages(WOLFSSL_CTX*); @@ -1635,7 +1645,6 @@ WOLFSSL_API int wolfSSL_accept_ex(WOLFSSL*, HandShakeCallBack, TimeoutCallBack, #ifdef OPENSSL_EXTRA /*lighttp compatibility */ -#ifdef HAVE_LIGHTY typedef struct WOLFSSL_X509_NAME_ENTRY { WOLFSSL_ASN1_OBJECT* object; @@ -1644,10 +1653,7 @@ typedef struct WOLFSSL_X509_NAME_ENTRY { int size; } WOLFSSL_X509_NAME_ENTRY; - -#include -#include - +#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name); WOLFSSL_API char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x); WOLFSSL_API int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey); @@ -1672,7 +1678,8 @@ WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list( STACK_OF(WOLFSSL_X #endif #endif -#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) +#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) \ + || defined(WOLFSSL_MYSQL_COMPATIBLE) WOLFSSL_API char * wolf_OBJ_nid2ln(int n); WOLFSSL_API int wolf_OBJ_txt2nid(const char *sn); From f88d82375e2dfd32b50a8ccb7f68d41f354d971a Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 28 Apr 2016 09:41:49 -0600 Subject: [PATCH 2/9] add function wolfSSL_ASN1_TIME_to_string --- src/ssl.c | 69 ++++++++++++++++++++++++++++++++++++++- wolfcrypt/src/asn.c | 51 ++++++++++++++++++----------- wolfssl/ssl.h | 4 +++ wolfssl/wolfcrypt/asn.h | 2 ++ wolfssl/wolfcrypt/types.h | 8 +++++ 5 files changed, 114 insertions(+), 20 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 411cea572..ead0271f2 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10735,7 +10735,13 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) #ifdef OPENSSL_EXTRA /* needed for wolfSSL_X509_d21 function */ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) { - DerBuffer* cert = ssl->buffers.certificate; + DerBuffer* cert; + + if (ssl == NULL) { + return NULL; + } + + cert = ssl->buffers.certificate; return wolfSSL_X509_d2i(NULL, cert->buffer, cert->length); } #endif /* OPENSSL_EXTRA */ @@ -11759,6 +11765,67 @@ int wolfSSL_ASN1_TIME_print(WOLFSSL_BIO* bio, const WOLFSSL_ASN1_TIME* asnTime) } +#if defined(WOLFSSL_MYSQL_COMPATIBLE) +char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time, char* buf, int len) +{ + struct tm t; + int idx = 0; + int format; + int dateLen; + byte* date = (byte*)time; + + WOLFSSL_ENTER("wolfSSL_ASN1_TIME_to_string"); + + if (time == NULL || buf == NULL || len < 5) { + WOLFSSL_MSG("Bad argument"); + return NULL; + } + + format = *date; date++; + dateLen = *date; date++; + if (dateLen > len) { + return "error"; + } + + if (!ExtractDate(date, format, &t, &idx)) { + return "error"; + } + + if (date[idx] != 'Z') { + WOLFSSL_MSG("UTCtime, not Zulu") ; + return "Not Zulu"; + } + + /* place month in buffer */ + buf[0] = '\0'; + switch(t.tm_mon) { + case 0: XSTRNCAT(buf, "Jan ", 4); break; + case 1: XSTRNCAT(buf, "Feb ", 4); break; + case 2: XSTRNCAT(buf, "Mar ", 4); break; + case 3: XSTRNCAT(buf, "Apr ", 4); break; + case 4: XSTRNCAT(buf, "May ", 4); break; + case 5: XSTRNCAT(buf, "Jun ", 4); break; + case 6: XSTRNCAT(buf, "Jul ", 4); break; + case 7: XSTRNCAT(buf, "Aug ", 4); break; + case 8: XSTRNCAT(buf, "Sep ", 4); break; + case 9: XSTRNCAT(buf, "Oct ", 4); break; + case 10: XSTRNCAT(buf, "Nov ", 4); break; + case 11: XSTRNCAT(buf, "Dec ", 4); break; + default: + return "error"; + + } + idx = 4; /* use idx now for char buffer */ + buf[idx] = ' '; + + XSNPRINTF(buf + idx, len - idx, "%2d %02d:%02d:%02d %d GMT", + t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec, t.tm_year + 1900); + + return buf; +} +#endif /* WOLFSSL_MYSQL_COMPATIBLE */ + + int wolfSSL_ASN1_INTEGER_cmp(const WOLFSSL_ASN1_INTEGER* a, const WOLFSSL_ASN1_INTEGER* b) { diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 915776b1c..e5fc798e0 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -3000,6 +3000,35 @@ static INLINE int DateLessThan(const struct tm* a, const struct tm* b) return DateGreaterThan(b,a); } + +int ExtractDate(const unsigned char* date, unsigned char format, + struct tm* certTime, int* idx) +{ + XMEMSET(certTime, 0, sizeof(struct tm)); + + if (format == ASN_UTC_TIME) { + if (btoi(date[0]) >= 5) + certTime->tm_year = 1900; + else + certTime->tm_year = 2000; + } + else { /* format == GENERALIZED_TIME */ + certTime->tm_year += btoi(date[*idx++]) * 1000; + certTime->tm_year += btoi(date[*idx++]) * 100; + } + + /* adjust tm_year, tm_mon */ + GetTime((int*)&certTime->tm_year, date, idx); certTime->tm_year -= 1900; + GetTime((int*)&certTime->tm_mon, date, idx); certTime->tm_mon -= 1; + GetTime((int*)&certTime->tm_mday, date, idx); + GetTime((int*)&certTime->tm_hour, date, idx); + GetTime((int*)&certTime->tm_min, date, idx); + GetTime((int*)&certTime->tm_sec, date, idx); + + return 1; +} + + /* like atoi but only use first byte */ /* Make sure before and after dates are valid */ int ValidateDate(const byte* date, byte format, int dateType) @@ -3021,26 +3050,10 @@ int ValidateDate(const byte* date, byte format, int dateType) #endif ltime = XTIME(0); - XMEMSET(&certTime, 0, sizeof(certTime)); - - if (format == ASN_UTC_TIME) { - if (btoi(date[0]) >= 5) - certTime.tm_year = 1900; - else - certTime.tm_year = 2000; + if (!ExtractDate(date, format, &certTime, &i)) { + WOLFSSL_MSG("Error extracting the date"); + return 0; } - else { /* format == GENERALIZED_TIME */ - certTime.tm_year += btoi(date[i++]) * 1000; - certTime.tm_year += btoi(date[i++]) * 100; - } - - /* adjust tm_year, tm_mon */ - GetTime((int*)&certTime.tm_year, date, &i); certTime.tm_year -= 1900; - GetTime((int*)&certTime.tm_mon, date, &i); certTime.tm_mon -= 1; - GetTime((int*)&certTime.tm_mday, date, &i); - GetTime((int*)&certTime.tm_hour, date, &i); - GetTime((int*)&certTime.tm_min, date, &i); - GetTime((int*)&certTime.tm_sec, date, &i); if ((date[i] == '+') || (date[i] == '-')) { WOLFSSL_MSG("Using time differential, not Zulu") ; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 2c20f4238..30e33fcea 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1643,6 +1643,10 @@ WOLFSSL_API int wolfSSL_accept_ex(WOLFSSL*, HandShakeCallBack, TimeoutCallBack, WOLFSSL_API void wolfSSL_cert_service(void); #endif +#if defined(WOLFSSL_MYSQL_COMPATIBLE) +WOLFSSL_API char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time, + char* buf, int len); +#endif /* WOLFSSL_MYSQL_COMPATIBLE */ #ifdef OPENSSL_EXTRA /*lighttp compatibility */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index dd54ffb5b..de105ab30 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -610,6 +610,8 @@ WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*); WOLFSSL_LOCAL int ToTraditional(byte* buffer, word32 length); WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int); +WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format, + struct tm* certTime, int* idx); WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType); /* ASN.1 helper functions */ diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index db9897a1d..2c134d542 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -217,6 +217,14 @@ #define XSTRNCASECMP(s1,s2,n) _strnicmp((s1),(s2),(n)) #endif + #if defined(WOLFSSL_MYSQL_COMPATIBLE) + #ifndef USE_WINDOWS_API + #define XSNPRINTF snprintf + #else + #define XSNPRINTF _snprintf + #endif + #endif /* WOLFSSL_MYSQL_COMPATIBLE */ + #if defined(WOLFSSL_CERT_EXT) || defined(HAVE_ALPN) /* use only Thread Safe version of strtok */ #ifndef USE_WINDOWS_API From 6613ebb642387f0cd58c4bbacbba8709c4c61678 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 28 Apr 2016 13:35:43 -0600 Subject: [PATCH 3/9] persistant X509 struct with ssl session --- src/internal.c | 9 ++++ src/ssl.c | 121 ++++++++++++++++++--------------------------- wolfssl/internal.h | 23 +++++++++ wolfssl/ssl.h | 8 --- 4 files changed, 81 insertions(+), 80 deletions(-) diff --git a/src/internal.c b/src/internal.c index 8694c2329..3eff4849f 100755 --- a/src/internal.c +++ b/src/internal.c @@ -643,6 +643,11 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) #ifndef NO_CERTS FreeDer(&ctx->privateKey); FreeDer(&ctx->certificate); + #ifdef OPENSSL_EXTRA + if (ctx->ourCert) { + XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); + } + #endif FreeDer(&ctx->certChain); wolfSSL_CertManagerFree(ctx->cm); #endif @@ -1692,6 +1697,8 @@ void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag) name->dynamicName = 0; #ifdef OPENSSL_EXTRA XMEMSET(&name->fullName, 0, sizeof(DecodedName)); + XMEMSET(&name->cnEntry, 0, sizeof(WOLFSSL_X509_NAME_ENTRY)); + name->x509 = NULL; #endif /* OPENSSL_EXTRA */ } } @@ -4846,6 +4853,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) XMEMCPY(x509->issuer.fullName.fullName, dCert->issuerName.fullName, dCert->issuerName.fullNameLen); } + x509->issuer.x509 = x509; #endif /* OPENSSL_EXTRA */ XSTRNCPY(x509->subject.name, dCert->subject, ASN_NAME_MAX); @@ -4861,6 +4869,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) XMEMCPY(x509->subject.fullName.fullName, dCert->subjectName.fullName, dCert->subjectName.fullNameLen); } + x509->subject.x509 = x509; #endif /* OPENSSL_EXTRA */ XMEMCPY(x509->serial, dCert->serial, EXTERNAL_SERIAL_SIZE); diff --git a/src/ssl.c b/src/ssl.c index ead0271f2..0a16cf123 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3469,13 +3469,33 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, /* Make sure previous is free'd */ if (ssl->buffers.weOwnCert) { FreeDer(&ssl->buffers.certificate); + #ifdef OPENSSL_EXTRA + if (ssl->ourCert) { + XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); + } + #endif } XMEMCPY(&ssl->buffers.certificate, &der, sizeof(der)); + #ifdef OPENSSL_EXTRA + ssl->ourCert = wolfSSL_X509_d2i(NULL, + ssl->buffers.certificate->buffer, + ssl->buffers.certificate->length); + #endif ssl->buffers.weOwnCert = 1; } else if (ctx) { FreeDer(&ctx->certificate); /* Make sure previous is free'd */ + #ifdef OPENSSL_EXTRA + if (ctx->ourCert) { + XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); + } + #endif XMEMCPY(&ctx->certificate, &der, sizeof(der)); + #ifdef OPENSSL_EXTRA + ctx->ourCert = wolfSSL_X509_d2i(NULL, + ctx->certificate->buffer, + ctx->certificate->length); + #endif } } else if (type == PRIVATEKEY_TYPE) { @@ -8021,6 +8041,11 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (ssl->buffers.weOwnCert) { WOLFSSL_MSG("Unloading cert"); FreeDer(&ssl->buffers.certificate); + #ifdef OPENSSL_EXTRA + if (ssl->ourCert) { + XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); + } + #endif ssl->buffers.weOwnCert = 0; } @@ -10280,10 +10305,11 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) } - WOLFSSL_ASN1_STRING* wolfSSL_X509_NAME_ENTRY_get_data(WOLFSSL_X509_NAME_ENTRY* in) + WOLFSSL_ASN1_STRING* wolfSSL_X509_NAME_ENTRY_get_data( + WOLFSSL_X509_NAME_ENTRY* in) { WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_get_data"); - return in->value; + return &in->value; } @@ -10735,14 +10761,21 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) #ifdef OPENSSL_EXTRA /* needed for wolfSSL_X509_d21 function */ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) { - DerBuffer* cert; - if (ssl == NULL) { return NULL; } - cert = ssl->buffers.certificate; - return wolfSSL_X509_d2i(NULL, cert->buffer, cert->length); + if (ssl->buffers.weOwnCert) { + return ssl->ourCert; + } + else { /* if cert not owned get parent ctx cert or return null */ + if (ssl->ctx) { + return ssl->ctx->ourCert; + } + else { + return NULL; + } + } } #endif /* OPENSSL_EXTRA */ #endif /* NO_CERTS */ @@ -17169,15 +17202,10 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return NULL; } - WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc) { + WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry( + WOLFSSL_X509_NAME *name, int loc) { int maxLoc = name->fullName.fullNameLen; - char* data = NULL; - int length; - int type; - - WOLFSSL_ASN1_STRING* asnStr; - WOLFSSL_X509_NAME_ENTRY* ret; WOLFSSL_ENTER("wolfSSL_X509_NAME_get_entry"); @@ -17186,74 +17214,23 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) return NULL; } - ret = XMALLOC(sizeof(WOLFSSL_X509_NAME_ENTRY), NULL, DYNAMIC_TYPE_X509); - if (ret == NULL) { - return ret; - } - asnStr = XMALLOC(sizeof(WOLFSSL_ASN1_STRING), NULL, - DYNAMIC_TYPE_X509); - if (asnStr == NULL) { - XFREE(ret, NULL, DYNAMIC_TYPE_X509); - ret = NULL; - } - - /* initialize both structures */ - XMEMSET(ret, 0, sizeof(WOLFSSL_X509_NAME_ENTRY)); - XMEMSET(asnStr, 0, sizeof(WOLFSSL_ASN1_STRING)); - /* common name index case */ if (loc == name->fullName.cnIdx) { - length = name->fullName.cnLen; - data = name->fullName.fullName + loc; - type = ASN_COMMON_NAME; + /* get CN shortcut from x509 since it has null terminator */ + name->cnEntry.value.data = name->x509->subjectCN; + name->cnEntry.value.length = name->fullName.cnLen; + name->cnEntry.value.type = ASN_COMMON_NAME; + name->cnEntry.set = 1; + return &(name->cnEntry); } /* additionall cases to check for go here */ - - if (data == NULL) { - WOLFSSL_MSG("Index not found"); - XFREE(asnStr, NULL, DYNAMIC_TYPE_X509); - XFREE(ret, NULL, DYNAMIC_TYPE_X509); - ret = NULL; - } - else { - asnStr->data = XMALLOC(length + 1, NULL, DYNAMIC_TYPE_X509); - if (asnStr->data == NULL) { - XFREE(asnStr, NULL, DYNAMIC_TYPE_X509); - XFREE(ret, NULL, DYNAMIC_TYPE_X509); - ret = NULL; - } - - /* check bounds before copying from fullName */ - if (loc + length > maxLoc) { - XFREE(asnStr, NULL, DYNAMIC_TYPE_X509); - XFREE(ret, NULL, DYNAMIC_TYPE_X509); - ret = NULL; - } - - if (ret != NULL) { - XMEMCPY(asnStr->data, data, length); - asnStr->data[length] = 0; - asnStr->length = length; - asnStr->type = type; - asnStr->flags = 0; - - ret->object = NULL; - ret->value = asnStr; - ret->set = 1; - ret->size = asnStr->length + sizeof(WOLFSSL_ASN1_STRING) + - sizeof(WOLFSSL_X509_NAME_ENTRY); - } - } - + WOLFSSL_MSG("Entry not found or implemented"); (void)name; (void)loc; - (void)data; - (void)type; - (void)length; - return ret; + return NULL; } #ifndef NO_CERTS diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 507f152e1..77a070a0e 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -45,6 +45,9 @@ #endif #ifndef NO_ASN #include + #ifdef OPENSSL_EXTRA + #include /* for asn1 string and bit struct */ + #endif #endif #ifndef NO_MD5 #include @@ -1898,6 +1901,9 @@ struct WOLFSSL_CTX { /* chain after self, in DER, with leading size for each cert */ DerBuffer* privateKey; WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ +#endif +#ifdef OPENSSL_EXTRA + WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert */ #endif Suites* suites; /* make dynamic, user may not need/set */ void* heap; /* for user memory overrides */ @@ -2432,6 +2438,16 @@ typedef struct Arrays { #define MAX_DATE_SZ 32 #endif +#ifdef OPENSSL_EXTRA +struct WOLFSSL_X509_NAME_ENTRY { + WOLFSSL_ASN1_OBJECT* object; /* not defined yet */ + WOLFSSL_ASN1_STRING value; + int set; + int size; +}; +#endif /* OPENSSL_EXTRA */ + + struct WOLFSSL_X509_NAME { char *name; char staticName[ASN_NAME_MAX]; @@ -2439,6 +2455,8 @@ struct WOLFSSL_X509_NAME { int sz; #if defined(OPENSSL_EXTRA) && !defined(NO_ASN) DecodedName fullName; + WOLFSSL_X509_NAME_ENTRY cnEntry; + WOLFSSL_X509* x509; /* x509 that struct belongs to */ #endif /* OPENSSL_EXTRA */ }; @@ -2717,6 +2735,11 @@ struct WOLFSSL { #ifdef KEEP_PEER_CERT WOLFSSL_X509 peerCert; /* X509 peer cert */ #endif +#ifdef OPENSSL_EXTRA + WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert. + points to ctx if not owned (owned + flag found in buffers.weOwnCert) */ +#endif #if defined(FORTRESS) || defined(HAVE_STUNNEL) void* ex_data[MAX_EX_DATA]; /* external data, for Fortress */ #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 30e33fcea..ee45e6224 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1649,14 +1649,6 @@ WOLFSSL_API char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time, #endif /* WOLFSSL_MYSQL_COMPATIBLE */ #ifdef OPENSSL_EXTRA /*lighttp compatibility */ - -typedef struct WOLFSSL_X509_NAME_ENTRY { - WOLFSSL_ASN1_OBJECT* object; - WOLFSSL_ASN1_STRING* value; - int set; - int size; -} WOLFSSL_X509_NAME_ENTRY; - #if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name); WOLFSSL_API char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x); From bd4e8ac71490beecb1f9fa912a39a0618cca4d28 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 28 Apr 2016 22:45:54 -0600 Subject: [PATCH 4/9] cipher name string format --- src/internal.c | 40 ++++++++++++++++++++++++++++++++++++++++ src/ssl.c | 6 ++++++ wolfssl/internal.h | 1 + wolfssl/openssl/ssl.h | 10 ++++++---- wolfssl/ssl.h | 1 + 5 files changed, 54 insertions(+), 4 deletions(-) diff --git a/src/internal.c b/src/internal.c index 3eff4849f..f9ba832af 100755 --- a/src/internal.c +++ b/src/internal.c @@ -11121,6 +11121,46 @@ int GetCipherNamesSize(void) return (int)(sizeof(cipher_names) / sizeof(char*)); } +/* gets cipher name in the format DHE-RSA-... rather then TLS_DHE... */ +const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl) +{ + const char* fullName; + const char* first; + WOLFSSL_CIPHER* cipher; + word32 i; + + if (ssl == NULL) { + WOLFSSL_MSG("Bad argument"); + return NULL; + } + + cipher = wolfSSL_get_current_cipher(ssl); + fullName = wolfSSL_CIPHER_get_name(cipher); + if (fullName) { + first = (XSTRSTR(fullName, "CHACHA")) ? "CHACHA" + : (XSTRSTR(fullName, "EC")) ? "EC" + : (XSTRSTR(fullName, "CCM")) ? "CCM" + : NULL; /* normal */ + + for (i = 0; i < sizeof(cipher_name_idx); i++) { + if (cipher_name_idx[i] == ssl->options.cipherSuite) { + const char* nameFound = cipher_names[i]; + + /* if first is null then not any */ + if (first == NULL && !XSTRSTR(nameFound, "CHACHA") && + !XSTRSTR(nameFound, "EC") && !XSTRSTR(nameFound, "CCM")) { + return cipher_names[i]; + } + else if (XSTRSTR(nameFound, first)) { + return cipher_names[i]; + } + } + } + } + + return NULL; /* error or not found */ +} + /** Set the enabled cipher suites. diff --git a/src/ssl.c b/src/ssl.c index 0a16cf123..ab0a958b1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -11272,6 +11272,12 @@ const char* wolfSSL_get_cipher(WOLFSSL* ssl) return wolfSSL_CIPHER_get_name(wolfSSL_get_current_cipher(ssl)); } +/* gets cipher name in the format DHE-RSA-... rather then TLS_DHE... */ +const char* wolfSSL_get_cipher_name(WOLFSSL* ssl) +{ + /* get access to cipher_name_idx in internal.c */ + return wolfSSL_get_cipher_name_internal(ssl); +} #ifdef OPENSSL_EXTRA diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 77a070a0e..20791338b 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3064,6 +3064,7 @@ WOLFSSL_LOCAL void c32to24(word32 in, word24 out); WOLFSSL_LOCAL const char* const* GetCipherNames(void); WOLFSSL_LOCAL int GetCipherNamesSize(void); +WOLFSSL_LOCAL const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl); enum encrypt_side { diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index ce6865909..c4672ef0b 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -185,12 +185,14 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_SESSION_free wolfSSL_SESSION_free #define SSL_is_init_finished wolfSSL_is_init_finished -#define SSL_get_version wolfSSL_get_version +#define SSL_get_version wolfSSL_get_version #define SSL_get_current_cipher wolfSSL_get_current_cipher -#define SSL_get_cipher wolfSSL_get_cipher + +/* use wolfSSL_get_cipher_name for its return format */ +#define SSL_get_cipher wolfSSL_get_cipher_name #define SSL_CIPHER_description wolfSSL_CIPHER_description -#define SSL_CIPHER_get_name wolfSSL_CIPHER_get_name -#define SSL_get1_session wolfSSL_get1_session +#define SSL_CIPHER_get_name wolfSSL_CIPHER_get_name +#define SSL_get1_session wolfSSL_get1_session #define SSL_get_keyblock_size wolfSSL_get_keyblock_size #define SSL_get_keys wolfSSL_get_keys diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index ee45e6224..54ab02125 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -267,6 +267,7 @@ WOLFSSL_API WOLFSSL* wolfSSL_new(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_set_fd (WOLFSSL*, int); WOLFSSL_API char* wolfSSL_get_cipher_list(int priority); WOLFSSL_API int wolfSSL_get_ciphers(char*, int); +WOLFSSL_API const char* wolfSSL_get_cipher_name(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_get_fd(const WOLFSSL*); WOLFSSL_API void wolfSSL_set_using_nonblock(WOLFSSL*, int); WOLFSSL_API int wolfSSL_get_using_nonblock(WOLFSSL*); From 38bbd41f992b7d496ea1deda8c6711ccf13bd2ec Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 29 Apr 2016 09:17:12 -0600 Subject: [PATCH 5/9] add EDH-RSA-AES256-SHA, used in one mysql test --- src/internal.c | 24 ++++++++++++++++++++++++ src/keys.c | 17 +++++++++++++++++ tests/test.conf | 16 ++++++++++++++++ wolfssl/internal.h | 4 ++++ 4 files changed, 61 insertions(+) diff --git a/src/internal.c b/src/internal.c index f9ba832af..d3543883e 100755 --- a/src/internal.c +++ b/src/internal.c @@ -1300,6 +1300,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, } #endif +#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + if (tls && haveDH && haveRSA) { + suites->suites[idx++] = 0; + suites->suites[idx++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA; + } +#endif + #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 if (tls1_2 && haveDH && haveRSA) { suites->suites[idx++] = 0; @@ -4731,6 +4738,15 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) if (requirement == REQUIRES_DHE) return 1; break; + + case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: + if (requirement == REQUIRES_RSA) + return 1; + if (requirement == REQUIRES_RSA_SIG) + return 1; + if (requirement == REQUIRES_DHE) + return 1; + break; #endif #ifdef HAVE_ANON case TLS_DH_anon_WITH_AES_128_CBC_SHA : @@ -10667,6 +10683,10 @@ static const char* const cipher_names[] = #ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 "DHE-PSK-CHACHA20-POLY1305", #endif + +#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + "EDH-RSA-DES-CBC3-SHA", +#endif }; @@ -11105,6 +11125,10 @@ static int cipher_name_idx[] = #ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256, #endif + +#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, +#endif }; diff --git a/src/keys.c b/src/keys.c index 4fe8ef68d..849636ee1 100644 --- a/src/keys.c +++ b/src/keys.c @@ -1551,6 +1551,23 @@ int SetCipherSpecs(WOLFSSL* ssl) break; #endif +#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA : + ssl->specs.bulk_cipher_algorithm = wolfssl_triple_des; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha_mac; + ssl->specs.kea = diffie_hellman_kea; + ssl->specs.sig_algo = rsa_sa_algo; + ssl->specs.hash_size = SHA_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = DES3_KEY_SIZE; + ssl->specs.block_size = DES_BLOCK_SIZE; + ssl->specs.iv_size = DES_IV_SIZE; + + break; +#endif + #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : ssl->specs.bulk_cipher_algorithm = wolfssl_aes; diff --git a/tests/test.conf b/tests/test.conf index 1bd560de9..40beed1cc 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -1126,6 +1126,22 @@ -v 2 -l DHE-RSA-AES256-SHA256 +# server TLSv1.1 DHE 3DES +-v 2 +-l EDH-RSA-DES-CBC3-SHA + +# client TLSv1.1 DHE 3DES +-v 2 +-l EDH-RSA-DES-CBC3-SHA + +# server TLSv1.2 DHE 3DES +-v 3 +-l EDH-RSA-DES-CBC3-SHA + +# client TLSv1.2 DHE 3DES +-v 3 +-l EDH-RSA-DES-CBC3-SHA + # server TLSv1.2 DHE AES128 -v 3 -l DHE-RSA-AES128-SHA diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 20791338b..1de9c874f 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -398,6 +398,9 @@ typedef byte word24[3]; #if !defined(NO_SHA) #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA + #if !defined(NO_DES3) + #define BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + #endif #endif #if !defined(NO_SHA256) #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 @@ -703,6 +706,7 @@ typedef byte word24[3]; /* actual cipher values, 2nd byte */ enum { + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16, TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x39, TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x33, TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x34, From 05e56b75f68e32ddda843620f63dd22f5930d4c6 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 29 Apr 2016 11:39:09 -0600 Subject: [PATCH 6/9] scan-build, valgrind issues and fix issue with ExtractDate, struct tm --- src/internal.c | 12 ++++++++++-- src/ssl.c | 3 +++ tests/api.c | 1 + wolfcrypt/src/asn.c | 4 ++-- wolfssl/wolfcrypt/asn.h | 5 +++-- 5 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/internal.c b/src/internal.c index d3543883e..0201261ef 100755 --- a/src/internal.c +++ b/src/internal.c @@ -644,6 +644,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) FreeDer(&ctx->privateKey); FreeDer(&ctx->certificate); #ifdef OPENSSL_EXTRA + FreeX509(ctx->ourCert); if (ctx->ourCert) { XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); } @@ -11170,10 +11171,17 @@ const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl) if (cipher_name_idx[i] == ssl->options.cipherSuite) { const char* nameFound = cipher_names[i]; + /* extra sanity check on returned cipher name */ + if (nameFound == NULL) { + continue; + } + /* if first is null then not any */ - if (first == NULL && !XSTRSTR(nameFound, "CHACHA") && + if (first == NULL) { + if (!XSTRSTR(nameFound, "CHACHA") && !XSTRSTR(nameFound, "EC") && !XSTRSTR(nameFound, "CCM")) { - return cipher_names[i]; + return cipher_names[i]; + } } else if (XSTRSTR(nameFound, first)) { return cipher_names[i]; diff --git a/src/ssl.c b/src/ssl.c index ab0a958b1..84aba0757 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3470,6 +3470,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (ssl->buffers.weOwnCert) { FreeDer(&ssl->buffers.certificate); #ifdef OPENSSL_EXTRA + FreeX509(ssl->ourCert); if (ssl->ourCert) { XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); } @@ -3486,6 +3487,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, else if (ctx) { FreeDer(&ctx->certificate); /* Make sure previous is free'd */ #ifdef OPENSSL_EXTRA + FreeX509(ctx->ourCert); if (ctx->ourCert) { XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); } @@ -8042,6 +8044,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_MSG("Unloading cert"); FreeDer(&ssl->buffers.certificate); #ifdef OPENSSL_EXTRA + FreeX509(ssl->ourCert); if (ssl->ourCert) { XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); } diff --git a/tests/api.c b/tests/api.c index 630588d75..9e6932941 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1703,6 +1703,7 @@ static void test_wolfSSL_X509_NAME_get_entry(void) subCN = (char*)ASN1_STRING_data(asn); AssertNotNull(subCN); + wolfSSL_FreeX509(x509); #endif } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e5fc798e0..17d3aa7eb 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -3013,8 +3013,8 @@ int ExtractDate(const unsigned char* date, unsigned char format, certTime->tm_year = 2000; } else { /* format == GENERALIZED_TIME */ - certTime->tm_year += btoi(date[*idx++]) * 1000; - certTime->tm_year += btoi(date[*idx++]) * 100; + certTime->tm_year += btoi(date[*idx]) * 1000; *idx = *idx + 1; + certTime->tm_year += btoi(date[*idx]) * 100; *idx = *idx + 1; } /* adjust tm_year, tm_mon */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index de105ab30..f581f27a9 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -59,7 +59,6 @@ extern "C" { #endif - enum { ISSUER = 0, SUBJECT = 1, @@ -610,8 +609,10 @@ WOLFSSL_LOCAL void FreeTrustedPeerTable(TrustedPeerCert**, int, void*); WOLFSSL_LOCAL int ToTraditional(byte* buffer, word32 length); WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int); +typedef struct tm wolfssl_tm; + WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format, - struct tm* certTime, int* idx); + wolfssl_tm* certTime, int* idx); WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType); /* ASN.1 helper functions */ From d1ab51e10f05c61f574eaab79052b87d3bbfb0e0 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 29 Apr 2016 16:47:10 -0600 Subject: [PATCH 7/9] maintain lighttpd port --- src/internal.c | 1 + src/ssl.c | 8 ++++---- wolfssl/internal.h | 13 ------------- wolfssl/ssl.h | 10 ++++++++++ 4 files changed, 15 insertions(+), 17 deletions(-) diff --git a/src/internal.c b/src/internal.c index 0201261ef..6cb32e43c 100755 --- a/src/internal.c +++ b/src/internal.c @@ -1706,6 +1706,7 @@ void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag) #ifdef OPENSSL_EXTRA XMEMSET(&name->fullName, 0, sizeof(DecodedName)); XMEMSET(&name->cnEntry, 0, sizeof(WOLFSSL_X509_NAME_ENTRY)); + name->cnEntry.value = &(name->cnEntry.data); /* point to internal data*/ name->x509 = NULL; #endif /* OPENSSL_EXTRA */ } diff --git a/src/ssl.c b/src/ssl.c index 84aba0757..ce35375c3 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10312,7 +10312,7 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_X509_NAME_ENTRY* in) { WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_get_data"); - return &in->value; + return in->value; } @@ -17226,9 +17226,9 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) /* common name index case */ if (loc == name->fullName.cnIdx) { /* get CN shortcut from x509 since it has null terminator */ - name->cnEntry.value.data = name->x509->subjectCN; - name->cnEntry.value.length = name->fullName.cnLen; - name->cnEntry.value.type = ASN_COMMON_NAME; + name->cnEntry.data.data = name->x509->subjectCN; + name->cnEntry.data.length = name->fullName.cnLen; + name->cnEntry.data.type = ASN_COMMON_NAME; name->cnEntry.set = 1; return &(name->cnEntry); } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 1de9c874f..ed05d313e 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -45,9 +45,6 @@ #endif #ifndef NO_ASN #include - #ifdef OPENSSL_EXTRA - #include /* for asn1 string and bit struct */ - #endif #endif #ifndef NO_MD5 #include @@ -2442,16 +2439,6 @@ typedef struct Arrays { #define MAX_DATE_SZ 32 #endif -#ifdef OPENSSL_EXTRA -struct WOLFSSL_X509_NAME_ENTRY { - WOLFSSL_ASN1_OBJECT* object; /* not defined yet */ - WOLFSSL_ASN1_STRING value; - int set; - int size; -}; -#endif /* OPENSSL_EXTRA */ - - struct WOLFSSL_X509_NAME { char *name; char staticName[ASN_NAME_MAX]; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 54ab02125..ceea78c31 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1650,6 +1650,16 @@ WOLFSSL_API char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time, #endif /* WOLFSSL_MYSQL_COMPATIBLE */ #ifdef OPENSSL_EXTRA /*lighttp compatibility */ + +#include +struct WOLFSSL_X509_NAME_ENTRY { + WOLFSSL_ASN1_OBJECT* object; /* not defined yet */ + WOLFSSL_ASN1_STRING data; + WOLFSSL_ASN1_STRING* value; /* points to data, for lighttpd port */ + int set; + int size; +}; + #if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name); WOLFSSL_API char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x); From b2325aad6d0b4269351e84252bec05ccb4fce2dc Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Mon, 2 May 2016 17:19:25 -0600 Subject: [PATCH 8/9] option to keepCert for ssl lifetime, refactor of ourCert process --- src/internal.c | 1 + src/ssl.c | 25 +++++++++++++++---------- wolfssl/internal.h | 1 + wolfssl/test.h | 19 +++++++++++++++---- 4 files changed, 32 insertions(+), 14 deletions(-) diff --git a/src/internal.c b/src/internal.c index 6cb32e43c..bf78a27a3 100755 --- a/src/internal.c +++ b/src/internal.c @@ -2592,6 +2592,7 @@ void SSL_ResourceFree(WOLFSSL* ssl) } #endif #ifndef NO_CERTS + ssl->keepCert = 0; /* make sure certificate is free'd */ wolfSSL_UnloadCertsKeys(ssl); #endif #ifndef NO_RSA diff --git a/src/ssl.c b/src/ssl.c index ce35375c3..f4c7eb628 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -81,7 +81,6 @@ #include #include #include - #include #ifdef HAVE_STUNNEL #include #endif /* WITH_STUNNEL */ @@ -3473,14 +3472,13 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, FreeX509(ssl->ourCert); if (ssl->ourCert) { XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); + ssl->ourCert = NULL; } #endif } XMEMCPY(&ssl->buffers.certificate, &der, sizeof(der)); #ifdef OPENSSL_EXTRA - ssl->ourCert = wolfSSL_X509_d2i(NULL, - ssl->buffers.certificate->buffer, - ssl->buffers.certificate->length); + ssl->keepCert = 1; /* hold cert for ssl lifetime */ #endif ssl->buffers.weOwnCert = 1; } @@ -3490,14 +3488,10 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, FreeX509(ctx->ourCert); if (ctx->ourCert) { XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); + ctx->ourCert = NULL; } #endif XMEMCPY(&ctx->certificate, &der, sizeof(der)); - #ifdef OPENSSL_EXTRA - ctx->ourCert = wolfSSL_X509_d2i(NULL, - ctx->certificate->buffer, - ctx->certificate->length); - #endif } } else if (type == PRIVATEKEY_TYPE) { @@ -8040,13 +8034,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return BAD_FUNC_ARG; } - if (ssl->buffers.weOwnCert) { + if (ssl->buffers.weOwnCert && !ssl->keepCert) { WOLFSSL_MSG("Unloading cert"); FreeDer(&ssl->buffers.certificate); #ifdef OPENSSL_EXTRA FreeX509(ssl->ourCert); if (ssl->ourCert) { XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); + ssl->ourCert = NULL; } #endif ssl->buffers.weOwnCert = 0; @@ -10769,10 +10764,20 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) } if (ssl->buffers.weOwnCert) { + if (ssl->ourCert == NULL) { + ssl->ourCert = wolfSSL_X509_d2i(NULL, + ssl->buffers.certificate->buffer, + ssl->buffers.certificate->length); + } return ssl->ourCert; } else { /* if cert not owned get parent ctx cert or return null */ if (ssl->ctx) { + if (ssl->ctx->ourCert == NULL) { + ssl->ctx->ourCert = wolfSSL_X509_d2i(NULL, + ssl->ctx->certificate->buffer, + ssl->ctx->certificate->length); + } return ssl->ctx->ourCert; } else { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ed05d313e..d24f3fce7 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2731,6 +2731,7 @@ struct WOLFSSL { points to ctx if not owned (owned flag found in buffers.weOwnCert) */ #endif + byte keepCert; /* keep certificate after handshake */ #if defined(FORTRESS) || defined(HAVE_STUNNEL) void* ex_data[MAX_EX_DATA]; /* external data, for Fortress */ #endif diff --git a/wolfssl/test.h b/wolfssl/test.h index 055222254..8c0468660 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -441,14 +441,22 @@ static INLINE int PasswordCallBack(char* passwd, int sz, int rw, void* userdata) static INLINE void ShowX509(WOLFSSL_X509* x509, const char* hdr) { char* altName; - char* issuer = wolfSSL_X509_NAME_oneline( - wolfSSL_X509_get_issuer_name(x509), 0, 0); - char* subject = wolfSSL_X509_NAME_oneline( - wolfSSL_X509_get_subject_name(x509), 0, 0); + char* issuer; + char* subject; byte serial[32]; int ret; int sz = sizeof(serial); + if (x509 == NULL) { + printf("%s No Cert\n", hdr); + return; + } + + issuer = wolfSSL_X509_NAME_oneline( + wolfSSL_X509_get_issuer_name(x509), 0, 0); + subject = wolfSSL_X509_NAME_oneline( + wolfSSL_X509_get_subject_name(x509), 0, 0); + printf("%s\n issuer : %s\n subject: %s\n", hdr, issuer, subject); while ( (altName = wolfSSL_X509_get_next_altname(x509)) != NULL) @@ -487,6 +495,9 @@ static INLINE void showPeer(WOLFSSL* ssl) printf("peer has no cert!\n"); wolfSSL_FreeX509(peer); #endif +#if defined(SHOW_CERTS) && defined(OPENSSL_EXTRA) + ShowX509(wolfSSL_get_certificate(ssl), "our cert info:"); +#endif /* SHOW_CERTS */ printf("SSL version is %s\n", wolfSSL_get_version(ssl)); cipher = wolfSSL_get_current_cipher(ssl); From 197672d4fc9956950c3adb2cffcc393d9c5a7bda Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 4 May 2016 09:05:11 -0600 Subject: [PATCH 9/9] define KEEP_OUR_CERT to set keeping ssl certificate --- src/internal.c | 2 +- src/ssl.c | 18 ++++++++++++------ wolfssl/internal.h | 4 ++-- wolfssl/ssl.h | 2 +- wolfssl/test.h | 2 +- 5 files changed, 17 insertions(+), 11 deletions(-) diff --git a/src/internal.c b/src/internal.c index bf78a27a3..39af8da3d 100755 --- a/src/internal.c +++ b/src/internal.c @@ -643,7 +643,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) #ifndef NO_CERTS FreeDer(&ctx->privateKey); FreeDer(&ctx->certificate); - #ifdef OPENSSL_EXTRA + #ifdef KEEP_OUR_CERT FreeX509(ctx->ourCert); if (ctx->ourCert) { XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); diff --git a/src/ssl.c b/src/ssl.c index f4c7eb628..21a801259 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3468,7 +3468,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, /* Make sure previous is free'd */ if (ssl->buffers.weOwnCert) { FreeDer(&ssl->buffers.certificate); - #ifdef OPENSSL_EXTRA + #ifdef KEEP_OUR_CERT FreeX509(ssl->ourCert); if (ssl->ourCert) { XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); @@ -3477,14 +3477,14 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #endif } XMEMCPY(&ssl->buffers.certificate, &der, sizeof(der)); - #ifdef OPENSSL_EXTRA + #ifdef KEEP_OUR_CERT ssl->keepCert = 1; /* hold cert for ssl lifetime */ #endif ssl->buffers.weOwnCert = 1; } else if (ctx) { FreeDer(&ctx->certificate); /* Make sure previous is free'd */ - #ifdef OPENSSL_EXTRA + #ifdef KEEP_OUR_CERT FreeX509(ctx->ourCert); if (ctx->ourCert) { XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); @@ -8037,7 +8037,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (ssl->buffers.weOwnCert && !ssl->keepCert) { WOLFSSL_MSG("Unloading cert"); FreeDer(&ssl->buffers.certificate); - #ifdef OPENSSL_EXTRA + #ifdef KEEP_OUR_CERT FreeX509(ssl->ourCert); if (ssl->ourCert) { XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); @@ -10756,7 +10756,9 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) #endif /* KEEP_PEER_CERT || SESSION_CERTS */ -#ifdef OPENSSL_EXTRA /* needed for wolfSSL_X509_d21 function */ +/* OPENSSL_EXTRA is needed for wolfSSL_X509_d21 function + KEEP_OUR_CERT is to insure ability for returning ssl certificate */ +#if defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT) WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) { if (ssl == NULL) { @@ -10785,7 +10787,7 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) } } } -#endif /* OPENSSL_EXTRA */ +#endif /* OPENSSL_EXTRA && KEEP_OUR_CERT */ #endif /* NO_CERTS */ @@ -11192,6 +11194,10 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; + #ifndef NO_DES3 + case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: + return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"; + #endif #endif #ifndef NO_HC128 #ifndef NO_MD5 diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d24f3fce7..7047b4567 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1903,7 +1903,7 @@ struct WOLFSSL_CTX { DerBuffer* privateKey; WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ #endif -#ifdef OPENSSL_EXTRA +#ifdef KEEP_OUR_CERT WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert */ #endif Suites* suites; /* make dynamic, user may not need/set */ @@ -2726,7 +2726,7 @@ struct WOLFSSL { #ifdef KEEP_PEER_CERT WOLFSSL_X509 peerCert; /* X509 peer cert */ #endif -#ifdef OPENSSL_EXTRA +#ifdef KEEP_OUR_CERT WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert. points to ctx if not owned (owned flag found in buffers.weOwnCert) */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index ceea78c31..92d783976 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1012,7 +1012,7 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, const unsigned char*, long); WOLFSSL_API int wolfSSL_UnloadCertsKeys(WOLFSSL*); - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT) WOLFSSL_API WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl); #endif #endif diff --git a/wolfssl/test.h b/wolfssl/test.h index 8c0468660..d979872ca 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -495,7 +495,7 @@ static INLINE void showPeer(WOLFSSL* ssl) printf("peer has no cert!\n"); wolfSSL_FreeX509(peer); #endif -#if defined(SHOW_CERTS) && defined(OPENSSL_EXTRA) +#if defined(SHOW_CERTS) && defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT) ShowX509(wolfSSL_get_certificate(ssl), "our cert info:"); #endif /* SHOW_CERTS */ printf("SSL version is %s\n", wolfSSL_get_version(ssl));