feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge branch 'master' of https://github.com/cyassl/cyassl into MDK5

Browse Source
This commit is contained in:
Takashi Kojo
2013-11-06 10:22:21 +09:00
parent 31891942b9 fb8c3e0c75
commit f26cf50ff2
25 changed files with 1309 additions and 193 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README
View File

@@ -683,8 +683,8 @@ Release Candidate 2 for CyaSSL 1.0.0 adds bug fixes and adds two new stream
ciphers along with their respective cipher suites. CyaSSL adds support for
HC-128 and RABBIT stream ciphers. The new suites are:
TLS_RSA_WITH_HC_128_CBC_SHA
TLS_RSA_WITH_RABBIT_CBC_SHA
TLS_RSA_WITH_HC_128_SHA
TLS_RSA_WITH_RABBIT_SHA
And the corresponding cipher names are

14
configure.ac
View File

@@ -6,7 +6,7 @@
#
#
AC_INIT([cyassl],[2.8.2],[https://github.com/cyassl/cyassl/issues],[cyassl],[http://www.yassl.com])
AC_INIT([cyassl],[2.8.3],[https://github.com/cyassl/cyassl/issues],[cyassl],[http://www.yassl.com])
AC_CONFIG_AUX_DIR([build-aux])
@@ -538,6 +538,18 @@ then
fi
# HKDF
AC_ARG_ENABLE([hkdf],
[ --enable-hkdf Enable HKDF (HMAC-KDF) support (default: disabled)],
[ ENABLED_HKDF=$enableval ],
[ ENABLED_HKDF=no ]
)
if test "$ENABLED_HKDF" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_HKDF"
fi
# DSA
AC_ARG_ENABLE([dsa],
[ --enable-dsa Enable DSA (default: disabled)],

38
ctaocrypt/benchmark/benchmark.c
View File

@@ -791,7 +791,7 @@ static const char *certDHname = "certs/dh2048.der" ;
void bench_dh(void)
{
int i;
int i, ret;
byte tmp[1024];
size_t bytes;
word32 idx = 0, pubSz, privSz, pubSz2, privSz2, agreeSz;
@@ -822,6 +822,11 @@ void bench_dh(void)
return;
}
ret = InitRng(&rng);
if (ret < 0) {
printf("InitRNG failed\n");
return;
}
bytes = fread(tmp, 1, sizeof(tmp), file);
#endif /* USE_CERT_BUFFERS */
@@ -914,9 +919,14 @@ void bench_eccKeyGen(void)
{
ecc_key genKey;
double start, total, each, milliEach;
int i;
int i, ret;
const int genTimes = 5;
ret = InitRng(&rng);
if (ret < 0) {
printf("InitRNG failed\n");
return;
}
/* 256 bit */
start = current_time(1);
@@ -948,6 +958,12 @@ void bench_eccKeyAgree(void)
ecc_init(&genKey);
ecc_init(&genKey2);
ret = InitRng(&rng);
if (ret < 0) {
printf("InitRNG failed\n");
return;
}
ret = ecc_make_key(&rng, 32, &genKey);
if (ret != 0) {
printf("ecc_make_key failed\n");
@@ -964,7 +980,11 @@ void bench_eccKeyAgree(void)
for(i = 0; i < agreeTimes; i++) {
x = sizeof(shared);
ecc_shared_secret(&genKey, &genKey2, shared, &x);
ret = ecc_shared_secret(&genKey, &genKey2, shared, &x);
if (ret != 0) {
printf("ecc_shared_secret failed\n");
return;
}
}
total = current_time(0) - start;
@@ -982,7 +1002,11 @@ void bench_eccKeyAgree(void)
for(i = 0; i < agreeTimes; i++) {
x = sizeof(sig);
ecc_sign_hash(digest, sizeof(digest), sig, &x, &rng, &genKey);
ret = ecc_sign_hash(digest, sizeof(digest), sig, &x, &rng, &genKey);
if (ret != 0) {
printf("ecc_sign_hash failed\n");
return;
}
}
total = current_time(0) - start;
@@ -995,7 +1019,11 @@ void bench_eccKeyAgree(void)
for(i = 0; i < agreeTimes; i++) {
int verify = 0;
ecc_verify_hash(sig, x, digest, sizeof(digest), &verify, &genKey);
ret = ecc_verify_hash(sig, x, digest, sizeof(digest), &verify, &genKey);
if (ret != 0) {
printf("ecc_verify_hash failed\n");
return;
}
}
total = current_time(0) - start;

288
ctaocrypt/src/asn.c
View File

@@ -289,7 +289,11 @@ time_t pic32_time(time_t* timer)
if (timer == NULL)
timer = &localTime;
#ifdef MICROCHIP_MPLAB_HARMONY
sec = TCPIP_SNTP_UTCSecondsGet();
#else
sec = SNTPGetUTCSeconds();
#endif
*timer = (time_t) sec;
return *timer;
@@ -1250,6 +1254,7 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
cert->publicKey = 0;
cert->pubKeySize = 0;
cert->pubKeyStored = 0;
cert->version = 0;
cert->signature = 0;
cert->subjectCN = 0;
cert->subjectCNLen = 0;
@@ -1290,11 +1295,15 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
cert->subjectOULen = 0;
cert->subjectEmail = 0;
cert->subjectEmailLen = 0;
cert->beforeDate = 0;
cert->beforeDateLen = 0;
cert->afterDate = 0;
cert->afterDateLen = 0;
#endif /* CYASSL_CERT_GEN */
cert->beforeDate = NULL;
cert->beforeDateLen = 0;
cert->afterDate = NULL;
cert->afterDateLen = 0;
#ifdef OPENSSL_EXTRA
XMEMSET(&cert->issuerName, 0, sizeof(DecodedName));
XMEMSET(&cert->subjectName, 0, sizeof(DecodedName));
#endif /* OPENSSL_EXTRA */
#ifdef CYASSL_SEP
cert->deviceTypeSz = 0;
cert->deviceType = NULL;
@@ -1333,12 +1342,18 @@ void FreeDecodedCert(DecodedCert* cert)
XFREE(cert->hwType, cert->heap, 0);
XFREE(cert->hwSerialNum, cert->heap, 0);
#endif /* CYASSL_SEP */
#ifdef OPENSSL_EXTRA
if (cert->issuerName.fullName != NULL)
XFREE(cert->issuerName.fullName, NULL, DYNAMIC_TYPE_X509);
if (cert->subjectName.fullName != NULL)
XFREE(cert->subjectName.fullName, NULL, DYNAMIC_TYPE_X509);
#endif /* OPENSSL_EXTRA */
}
static int GetCertHeader(DecodedCert* cert)
{
int ret = 0, version, len;
int ret = 0, len;
byte serialTmp[EXTERNAL_SERIAL_SIZE];
mp_int mpi;
@@ -1351,7 +1366,7 @@ static int GetCertHeader(DecodedCert* cert)
return ASN_PARSE_E;
cert->sigIndex = len + cert->srcIdx;
if (GetExplicitVersion(cert->source, &cert->srcIdx, &version) < 0)
if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version) < 0)
return ASN_PARSE_E;
if (GetInt(&mpi, cert->source, &cert->srcIdx, cert->maxIdx) < 0)
@@ -1359,7 +1374,7 @@ static int GetCertHeader(DecodedCert* cert)
len = mp_unsigned_bin_size(&mpi);
if (len < (int)sizeof(serialTmp)) {
if (mp_to_unsigned_bin(&mpi, serialTmp) == MP_OKAY) {
if ( (ret = mp_to_unsigned_bin(&mpi, serialTmp)) == MP_OKAY) {
if (len > EXTERNAL_SERIAL_SIZE)
len = EXTERNAL_SERIAL_SIZE;
XMEMCPY(cert->serial, serialTmp, len);
@@ -1537,6 +1552,10 @@ static int GetName(DecodedCert* cert, int nameType)
int dummy;
char* full = (nameType == ISSUER) ? cert->issuer : cert->subject;
word32 idx;
#ifdef OPENSSL_EXTRA
DecodedName* dName =
(nameType == ISSUER) ? &cert->issuerName : &cert->subjectName;
#endif /* OPENSSL_EXTRA */
CYASSL_MSG("Getting Cert Name");
@@ -1621,6 +1640,10 @@ static int GetName(DecodedCert* cert, int nameType)
idx += 4;
copy = TRUE;
}
#ifdef OPENSSL_EXTRA
dName->cnIdx = cert->srcIdx;
dName->cnLen = strLen;
#endif /* OPENSSL_EXTRA */
}
else if (id == ASN_SUR_NAME) {
if (!tooBig) {
@@ -1628,12 +1651,16 @@ static int GetName(DecodedCert* cert, int nameType)
idx += 4;
copy = TRUE;
}
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectSN = (char*)&cert->source[cert->srcIdx];
cert->subjectSNLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectSN = (char*)&cert->source[cert->srcIdx];
cert->subjectSNLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef OPENSSL_EXTRA
dName->snIdx = cert->srcIdx;
dName->snLen = strLen;
#endif /* OPENSSL_EXTRA */
}
else if (id == ASN_COUNTRY_NAME) {
if (!tooBig) {
@@ -1641,12 +1668,16 @@ static int GetName(DecodedCert* cert, int nameType)
idx += 3;
copy = TRUE;
}
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectC = (char*)&cert->source[cert->srcIdx];
cert->subjectCLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectC = (char*)&cert->source[cert->srcIdx];
cert->subjectCLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef OPENSSL_EXTRA
dName->cIdx = cert->srcIdx;
dName->cLen = strLen;
#endif /* OPENSSL_EXTRA */
}
else if (id == ASN_LOCALITY_NAME) {
if (!tooBig) {
@@ -1654,12 +1685,16 @@ static int GetName(DecodedCert* cert, int nameType)
idx += 3;
copy = TRUE;
}
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectL = (char*)&cert->source[cert->srcIdx];
cert->subjectLLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectL = (char*)&cert->source[cert->srcIdx];
cert->subjectLLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef OPENSSL_EXTRA
dName->lIdx = cert->srcIdx;
dName->lLen = strLen;
#endif /* OPENSSL_EXTRA */
}
else if (id == ASN_STATE_NAME) {
if (!tooBig) {
@@ -1667,12 +1702,16 @@ static int GetName(DecodedCert* cert, int nameType)
idx += 4;
copy = TRUE;
}
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectST = (char*)&cert->source[cert->srcIdx];
cert->subjectSTLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectST = (char*)&cert->source[cert->srcIdx];
cert->subjectSTLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef OPENSSL_EXTRA
dName->stIdx = cert->srcIdx;
dName->stLen = strLen;
#endif /* OPENSSL_EXTRA */
}
else if (id == ASN_ORG_NAME) {
if (!tooBig) {
@@ -1680,12 +1719,16 @@ static int GetName(DecodedCert* cert, int nameType)
idx += 3;
copy = TRUE;
}
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectO = (char*)&cert->source[cert->srcIdx];
cert->subjectOLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectO = (char*)&cert->source[cert->srcIdx];
cert->subjectOLen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef OPENSSL_EXTRA
dName->oIdx = cert->srcIdx;
dName->oLen = strLen;
#endif /* OPENSSL_EXTRA */
}
else if (id == ASN_ORGUNIT_NAME) {
if (!tooBig) {
@@ -1693,12 +1736,16 @@ static int GetName(DecodedCert* cert, int nameType)
idx += 4;
copy = TRUE;
}
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectOU = (char*)&cert->source[cert->srcIdx];
cert->subjectOULen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectOU = (char*)&cert->source[cert->srcIdx];
cert->subjectOULen = strLen;
}
#endif /* CYASSL_CERT_GEN */
#ifdef OPENSSL_EXTRA
dName->ouIdx = cert->srcIdx;
dName->ouLen = strLen;
#endif /* OPENSSL_EXTRA */
}
else if (id == ASN_SERIAL_NUMBER) {
if (!tooBig) {
@@ -1706,6 +1753,10 @@ static int GetName(DecodedCert* cert, int nameType)
idx += 14;
copy = TRUE;
}
#ifdef OPENSSL_EXTRA
dName->snIdx = cert->srcIdx;
dName->snLen = strLen;
#endif /* OPENSSL_EXTRA */
}
if (copy && !tooBig) {
@@ -1747,12 +1798,16 @@ static int GetName(DecodedCert* cert, int nameType)
idx += 14;
}
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectEmail = (char*)&cert->source[cert->srcIdx];
cert->subjectEmailLen = adv;
}
#endif /* CYASSL_CERT_GEN */
#ifdef CYASSL_CERT_GEN
if (nameType == SUBJECT) {
cert->subjectEmail = (char*)&cert->source[cert->srcIdx];
cert->subjectEmailLen = adv;
}
#endif /* CYASSL_CERT_GEN */
#ifdef OPENSSL_EXTRA
dName->emailIdx = cert->srcIdx;
dName->emailLen = adv;
#endif /* OPENSSL_EXTRA */
if (!tooBig) {
XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
@@ -1772,6 +1827,10 @@ static int GetName(DecodedCert* cert, int nameType)
XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
idx += adv;
}
#ifdef OPENSSL_EXTRA
dName->uidIdx = cert->srcIdx;
dName->uidLen = adv;
#endif /* OPENSSL_EXTRA */
}
cert->srcIdx += adv;
@@ -1779,6 +1838,131 @@ static int GetName(DecodedCert* cert, int nameType)
}
full[idx++] = 0;
#ifdef OPENSSL_EXTRA
{
int totalLen = 0;
if (dName->cnLen != 0)
totalLen += dName->cnLen + 4;
if (dName->snLen != 0)
totalLen += dName->snLen + 4;
if (dName->cLen != 0)
totalLen += dName->cLen + 3;
if (dName->lLen != 0)
totalLen += dName->lLen + 3;
if (dName->stLen != 0)
totalLen += dName->stLen + 4;
if (dName->oLen != 0)
totalLen += dName->oLen + 3;
if (dName->ouLen != 0)
totalLen += dName->ouLen + 4;
if (dName->emailLen != 0)
totalLen += dName->emailLen + 14;
if (dName->uidLen != 0)
totalLen += dName->uidLen + 5;
if (dName->serialLen != 0)
totalLen += dName->serialLen + 14;
dName->fullName = (char*)XMALLOC(totalLen + 1, NULL, DYNAMIC_TYPE_X509);
if (dName->fullName != NULL) {
idx = 0;
if (dName->cnLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/CN=", 4);
idx += 4;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->cnIdx], dName->cnLen);
dName->cnIdx = idx;
idx += dName->cnLen;
}
if (dName->snLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/SN=", 4);
idx += 4;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->snIdx], dName->snLen);
dName->snIdx = idx;
idx += dName->snLen;
}
if (dName->cLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/C=", 3);
idx += 3;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->cIdx], dName->cLen);
dName->cIdx = idx;
idx += dName->cLen;
}
if (dName->lLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/L=", 3);
idx += 3;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->lIdx], dName->lLen);
dName->lIdx = idx;
idx += dName->lLen;
}
if (dName->stLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/ST=", 4);
idx += 4;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->stIdx], dName->stLen);
dName->stIdx = idx;
idx += dName->stLen;
}
if (dName->oLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/O=", 3);
idx += 3;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->oIdx], dName->oLen);
dName->oIdx = idx;
idx += dName->oLen;
}
if (dName->ouLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/OU=", 4);
idx += 4;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->ouIdx], dName->ouLen);
dName->ouIdx = idx;
idx += dName->ouLen;
}
if (dName->emailLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14);
idx += 14;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->emailIdx], dName->emailLen);
dName->emailIdx = idx;
idx += dName->emailLen;
}
if (dName->uidLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/UID=", 5);
idx += 5;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->uidIdx], dName->uidLen);
dName->uidIdx = idx;
idx += dName->uidLen;
}
if (dName->serialLen != 0) {
dName->entryCount++;
XMEMCPY(&dName->fullName[idx], "/serialNumber=", 14);
idx += 14;
XMEMCPY(&dName->fullName[idx],
&cert->source[dName->serialIdx], dName->serialLen);
dName->serialIdx = idx;
idx += dName->serialLen;
}
dName->fullName[idx] = '\0';
dName->fullNameLen = totalLen;
}
}
#endif /* OPENSSL_EXTRA */
return 0;
}
@@ -1878,15 +2062,13 @@ static int GetDate(DecodedCert* cert, int dateType)
int length;
byte date[MAX_DATE_SIZE];
byte b;
#ifdef CYASSL_CERT_GEN
word32 startIdx = 0;
if (dateType == BEFORE)
cert->beforeDate = &cert->source[cert->srcIdx];
else
cert->afterDate = &cert->source[cert->srcIdx];
startIdx = cert->srcIdx;
#endif
b = cert->source[cert->srcIdx++];
if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME)
@@ -1901,12 +2083,10 @@ static int GetDate(DecodedCert* cert, int dateType)
XMEMCPY(date, &cert->source[cert->srcIdx], length);
cert->srcIdx += length;
#ifdef CYASSL_CERT_GEN
if (dateType == BEFORE)
cert->beforeDateLen = cert->srcIdx - startIdx;
else
cert->afterDateLen = cert->srcIdx - startIdx;
#endif
if (!XVALIDATE_DATE(date, b, dateType)) {
if (dateType == BEFORE)

107
ctaocrypt/src/ecc.c
View File

@@ -159,8 +159,10 @@ int ecc_projective_dbl_point(ecc_point* P, ecc_point* R, mp_int* modulus,
mp_digit* mp);
static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
int map);
#ifdef ECC_SHAMIR
static int ecc_mul2add(ecc_point* A, mp_int* kA, ecc_point* B, mp_int* kB,
ecc_point* C, mp_int* modulus);
#endif
/* helper for either lib */
@@ -1514,14 +1516,14 @@ void ecc_free(ecc_key* key)
}
#ifdef ECC_SHAMIR
#ifdef USE_FAST_MATH
#define GEN_MEM_ERR FP_MEM
#else
#define GEN_MEM_ERR MP_MEM
#endif
#ifdef ECC_SHAMIR
/** Computes kA*A + kB*B = C using Shamir's Trick
A First point to multiply
kA What to multiple A by
@@ -1582,20 +1584,23 @@ static int ecc_mul2add(ecc_point* A, mp_int* kA,
if (err == MP_OKAY) {
/* extract and justify kA */
mp_to_unsigned_bin(kA, (len - lenA) + tA);
err = mp_to_unsigned_bin(kA, (len - lenA) + tA);
/* extract and justify kB */
mp_to_unsigned_bin(kB, (len - lenB) + tB);
if (err == MP_OKAY)
err = mp_to_unsigned_bin(kB, (len - lenB) + tB);
/* allocate the table */
for (x = 0; x < 16; x++) {
precomp[x] = ecc_new_point();
if (precomp[x] == NULL) {
for (y = 0; y < x; ++y) {
ecc_del_point(precomp[y]);
if (err == MP_OKAY) {
for (x = 0; x < 16; x++) {
precomp[x] = ecc_new_point();
if (precomp[x] == NULL) {
for (y = 0; y < x; ++y) {
ecc_del_point(precomp[y]);
}
err = GEN_MEM_ERR;
break;
}
err = GEN_MEM_ERR;
break;
}
}
}
@@ -1943,6 +1948,7 @@ int ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
{
byte buf[ECC_BUFSIZE];
word32 numlen;
int ret = MP_OKAY;
if (key == NULL || out == NULL || outLen == NULL)
return ECC_BAD_ARG_E;
@@ -1962,14 +1968,18 @@ int ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
/* pad and store x */
XMEMSET(buf, 0, sizeof(buf));
mp_to_unsigned_bin(&key->pubkey.x,
ret = mp_to_unsigned_bin(&key->pubkey.x,
buf + (numlen - mp_unsigned_bin_size(&key->pubkey.x)));
if (ret != MP_OKAY)
return ret;
XMEMCPY(out+1, buf, numlen);
/* pad and store y */
XMEMSET(buf, 0, sizeof(buf));
mp_to_unsigned_bin(&key->pubkey.y,
ret = mp_to_unsigned_bin(&key->pubkey.y,
buf + (numlen - mp_unsigned_bin_size(&key->pubkey.y)));
if (ret != MP_OKAY)
return ret;
XMEMCPY(out+1+numlen, buf, numlen);
*outLen = 1 + 2*numlen;
@@ -2043,6 +2053,31 @@ int ecc_import_x963(const byte* in, word32 inLen, ecc_key* key)
}
/* export ecc private key only raw, outLen is in/out size
return MP_OKAY on success */
int ecc_export_private_only(ecc_key* key, byte* out, word32* outLen)
{
word32 numlen;
if (key == NULL || out == NULL || outLen == NULL)
return ECC_BAD_ARG_E;
if (ecc_is_valid_idx(key->idx) == 0) {
return ECC_BAD_ARG_E;
}
numlen = key->dp->size;
if (*outLen < numlen) {
*outLen = numlen;
return BUFFER_E;
}
*outLen = numlen;
XMEMSET(out, 0, *outLen);
return mp_to_unsigned_bin(&key->k, out + (numlen -
mp_unsigned_bin_size(&key->k)));
}
/* ecc private key import, public key in ANSI X9.63 format, private raw */
int ecc_import_private_key(const byte* priv, word32 privSz, const byte* pub,
word32 pubSz, ecc_key* key)
@@ -2066,14 +2101,15 @@ int ecc_size(ecc_key* key)
}
/* signature size in octets */
/* worst case estimate, check actual return from ecc_sign_hash for actual value
of signature size in octets */
int ecc_sig_size(ecc_key* key)
{
int sz = ecc_size(key);
if (sz < 0)
return sz;
return sz * 2 + SIG_HEADER_SZ;
return sz * 2 + SIG_HEADER_SZ + 4; /* (4) worst case estimate */
}
@@ -2090,9 +2126,17 @@ int ecc_sig_size(ecc_key* key)
#define FP_LUT 8U
#endif
#if (FP_LUT > 12) || (FP_LUT < 2)
#error FP_LUT must be between 2 and 12 inclusively
#endif
#ifdef ECC_SHAMIR
/* Sharmir requires a bigger LUT, TAO */
#if (FP_LUT > 12) || (FP_LUT < 4)
#error FP_LUT must be between 4 and 12 inclusively
#endif
#else
#if (FP_LUT > 12) || (FP_LUT < 2)
#error FP_LUT must be between 2 and 12 inclusively
#endif
#endif
/** Our FP cache */
static struct {
@@ -3223,6 +3267,10 @@ int ecc_mul2add(ecc_point* A, mp_int* kA,
initMutex = 1;
}
err = mp_init(&mu);
if (err != MP_OKAY)
return err;
if (LockMutex(&ecc_fp_lock) != 0)
return BAD_MUTEX_E;
@@ -3267,17 +3315,8 @@ int ecc_mul2add(ecc_point* A, mp_int* kA,
if (err == MP_OKAY) {
mpInit = 1;
err = mp_init(&mu);
err = mp_montgomery_calc_normalization(&mu, modulus);
}
if (err == MP_OKAY)
err = mp_montgomery_calc_normalization(&mu, modulus);
if (err == MP_OKAY)
/* compute mu */
err = mp_init(&mu);
if (err == MP_OKAY)
err = mp_montgomery_calc_normalization(&mu, modulus);
if (err == MP_OKAY)
/* build the LUT */
@@ -3289,17 +3328,13 @@ int ecc_mul2add(ecc_point* A, mp_int* kA,
/* if it's 2 build the LUT, if it's higher just use the LUT */
if (idx2 >= 0 && fp_cache[idx2].lru_count == 2) {
if (mpInit == 0) {
/* compute mp */
/* compute mp */
err = mp_montgomery_setup(modulus, &mp);
if (err == MP_OKAY)
if (err == MP_OKAY) {
mpInit = 1;
err = mp_montgomery_calc_normalization(&mu, modulus);
}
}
if (err == MP_OKAY)
/* compute mu */
err = mp_init(&mu);
if (err == MP_OKAY)
err = mp_montgomery_calc_normalization(&mu, modulus);
if (err == MP_OKAY)
/* build the LUT */

127
ctaocrypt/src/hmac.c
View File

@@ -85,6 +85,7 @@ static int InitHmac(Hmac* hmac, int type)
#endif
default:
return BAD_FUNC_ARG;
break;
}
@@ -92,18 +93,21 @@ static int InitHmac(Hmac* hmac, int type)
}
void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
int HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
{
byte* ip = (byte*) hmac->ipad;
byte* op = (byte*) hmac->opad;
word32 i, hmac_block_size = 0;
int ret;
#ifdef HAVE_CAVIUM
if (hmac->magic == CYASSL_HMAC_CAVIUM_MAGIC)
return HmacCaviumSetKey(hmac, type, key, length);
#endif
InitHmac(hmac, type);
ret = InitHmac(hmac, type);
if (ret != 0)
return ret;
switch (hmac->macType) {
#ifndef NO_MD5
@@ -203,7 +207,7 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
#endif
default:
break;
return BAD_FUNC_ARG;
}
if (length < hmac_block_size)
XMEMSET(ip + length, 0, hmac_block_size - length);
@@ -212,6 +216,7 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
op[i] = ip[i] ^ OPAD;
ip[i] ^= IPAD;
}
return 0;
}
@@ -541,5 +546,121 @@ int CyaSSL_GetHmacMaxSize(void)
return MAX_DIGEST_SIZE;
}
#ifdef HAVE_HKDF
#ifndef min
static INLINE word32 min(word32 a, word32 b)
{
return a > b ? b : a;
}
#endif /* min */
static INLINE int GetHashSizeByType(int type)
{
if (!(type == MD5 || type == SHA || type == SHA256 || type == SHA384
|| type == SHA512 || type == BLAKE2B_ID))
return BAD_FUNC_ARG;
switch (type) {
#ifndef NO_MD5
case MD5:
return MD5_DIGEST_SIZE;
break;
#endif
#ifndef NO_SHA
case SHA:
return SHA_DIGEST_SIZE;
break;
#endif
#ifndef NO_SHA256
case SHA256:
return SHA256_DIGEST_SIZE;
break;
#endif
#ifdef CYASSL_SHA384
case SHA384:
return SHA384_DIGEST_SIZE;
break;
#endif
#ifdef CYASSL_SHA512
case SHA512:
return SHA512_DIGEST_SIZE;
break;
#endif
#ifdef HAVE_BLAKE2
case BLAKE2B_ID:
return BLAKE2B_OUTBYTES;
break;
#endif
default:
return BAD_FUNC_ARG;
break;
}
}
/* HMAC-KDF with hash type, optional salt and info, return 0 on success */
int HKDF(int type, const byte* inKey, word32 inKeySz,
const byte* salt, word32 saltSz,
const byte* info, word32 infoSz,
byte* out, word32 outSz)
{
Hmac myHmac;
byte tmp[MAX_DIGEST_SIZE]; /* localSalt helper and T */
byte prk[MAX_DIGEST_SIZE];
const byte* localSalt; /* either points to user input or tmp */
int hashSz = GetHashSizeByType(type);
word32 outIdx = 0;
byte n = 0x1;
if (hashSz < 0)
return BAD_FUNC_ARG;
localSalt = salt;
if (localSalt == NULL) {
XMEMSET(tmp, 0, hashSz);
localSalt = tmp;
saltSz = hashSz;
}
if (HmacSetKey(&myHmac, type, localSalt, saltSz) != 0)
return BAD_FUNC_ARG;
HmacUpdate(&myHmac, inKey, inKeySz);
HmacFinal(&myHmac, prk);
while (outIdx < outSz) {
int tmpSz = (n == 1) ? 0 : hashSz;
word32 left = outSz - outIdx;
if (HmacSetKey(&myHmac, type, prk, hashSz) != 0)
return BAD_FUNC_ARG;
HmacUpdate(&myHmac, tmp, tmpSz);
HmacUpdate(&myHmac, info, infoSz);
HmacUpdate(&myHmac, &n, 1);
HmacFinal(&myHmac, tmp);
left = min(left, (word32)hashSz);
XMEMCPY(out+outIdx, tmp, left);
outIdx += hashSz;
n++;
}
return 0;
}
#endif /* HAVE_HKDF */
#endif /* NO_HMAC */

6
ctaocrypt/src/pwdbased.c
View File

@@ -325,15 +325,15 @@ int PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,const byte* salt,
if (outSz > (int)v) {
/* take off MSB */
byte tmp[129];
mp_to_unsigned_bin(&res, tmp);
ret = mp_to_unsigned_bin(&res, tmp);
XMEMCPY(I + i, tmp + 1, v);
}
else if (outSz < (int)v) {
XMEMSET(I + i, 0, v - outSz);
mp_to_unsigned_bin(&res, I + i + v - outSz);
ret = mp_to_unsigned_bin(&res, I + i + v - outSz);
}
else
mp_to_unsigned_bin(&res, I + i);
ret = mp_to_unsigned_bin(&res, I + i);
}
mp_clear(&i1);

11
ctaocrypt/src/random.c
View File

@@ -458,18 +458,23 @@ int GenerateSeed(OS_Seed* os, byte* output, word32 sz)
#elif defined(MICROCHIP_PIC32)
#include <peripheral/timer.h>
#ifdef MICROCHIP_MPLAB_HARMONY
#define PIC32_SEED_COUNT _CP0_GET_COUNT
#else
#include <peripheral/timer.h>
#define PIC32_SEED_COUNT ReadCoreTimer
#endif
/* uses the core timer, in nanoseconds to seed srand */
int GenerateSeed(OS_Seed* os, byte* output, word32 sz)
{
int i;
srand(ReadCoreTimer() * 25);
srand(PIC32_SEED_COUNT() * 25);
for (i = 0; i < sz; i++ ) {
output[i] = rand() % 256;
if ( (i % 8) == 7)
srand(ReadCoreTimer() * 25);
srand(PIC32_SEED_COUNT() * 25);
}
return 0;

94
ctaocrypt/test/test.c
View File

@@ -141,6 +141,7 @@ int hmac_sha256_test(void);
int hmac_sha384_test(void);
int hmac_sha512_test(void);
int hmac_blake2b_test(void);
int hkdf_test(void);
int arc4_test(void);
int hc128_test(void);
int rabbit_test(void);
@@ -315,6 +316,13 @@ void ctaocrypt_test(void* args)
printf( "HMAC-BLAKE2 test passed!\n");
#endif
#ifdef HAVE_HKDF
if ( (ret = hkdf_test()) != 0)
err_sys("HMAC-KDF test failed!\n", ret);
else
printf( "HMAC-KDF test passed!\n");
#endif
#endif
#ifdef HAVE_AESGCM
@@ -3409,6 +3417,87 @@ int pwdbased_test(void)
#endif /* NO_PWDBASED */
#if defined(HAVE_HKDF) && (!defined(NO_SHA) || !defined(NO_SHA256))
int hkdf_test(void)
{
int ret;
int L = 42;
byte okm1[42];
byte ikm1[22] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
byte salt1[13] ={ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c };
byte info1[10] ={ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
0xf8, 0xf9 };
byte res1[42] = { 0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61,
0xd1, 0xe5, 0x52, 0x98, 0xda, 0x9d, 0x05, 0x06,
0xb9, 0xae, 0x52, 0x05, 0x72, 0x20, 0xa3, 0x06,
0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0,
0xea, 0x00, 0x03, 0x3d, 0xe0, 0x39, 0x84, 0xd3,
0x49, 0x18 };
byte res2[42] = { 0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69,
0x33, 0x06, 0x8b, 0x56, 0xef, 0xa5, 0xad, 0x81,
0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b, 0x09, 0x15,
0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2,
0xc2, 0x2e, 0x42, 0x24, 0x78, 0xd3, 0x05, 0xf3,
0xf8, 0x96 };
byte res3[42] = { 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f,
0x71, 0x5f, 0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31,
0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e,
0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d,
0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a,
0x96, 0xc8 };
byte res4[42] = { 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
0x58, 0x65 };
(void)res1;
(void)res2;
(void)res3;
(void)res4;
#ifndef NO_SHA
ret = HKDF(SHA, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
if (ret != 0)
return -2001;
if (memcmp(okm1, res1, L) != 0)
return -2002;
ret = HKDF(SHA, ikm1, 11, salt1, 13, info1, 10, okm1, L);
if (ret != 0)
return -2003;
if (memcmp(okm1, res2, L) != 0)
return -2004;
#endif /* NO_SHA */
#ifndef NO_SHA256
ret = HKDF(SHA256, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
if (ret != 0)
return -2005;
if (memcmp(okm1, res3, L) != 0)
return -2006;
ret = HKDF(SHA256, ikm1, 22, salt1, 13, info1, 10, okm1, L);
if (ret != 0)
return -2007;
if (memcmp(okm1, res4, L) != 0)
return -2007;
#endif /* NO_SHA256 */
return 0;
}
#endif /* HAVE_HKDF */
#ifdef HAVE_ECC
@@ -3488,6 +3577,11 @@ int ecc_test(void)
if (verify != 1)
return -1012;
x = sizeof(exportBuf);
ret = ecc_export_private_only(&userA, exportBuf, &x);
if (ret != 0)
return -1013;
ecc_free(&pubKey);
ecc_free(&userB);
ecc_free(&userA);

45
cyassl/ctaocrypt/asn.h
View File

@@ -223,7 +223,36 @@ struct DNS_entry {
char* name; /* actual DNS name */
};
struct DecodedName {
char* fullName;
int fullNameLen;
int entryCount;
int cnIdx;
int cnLen;
int snIdx;
int snLen;
int cIdx;
int cLen;
int lIdx;
int lLen;
int stIdx;
int stLen;
int oIdx;
int oLen;
int ouIdx;
int ouLen;
int emailIdx;
int emailLen;
int uidIdx;
int uidLen;
int serialIdx;
int serialLen;
};
typedef struct DecodedCert DecodedCert;
typedef struct DecodedName DecodedName;
typedef struct Signer Signer;
@@ -236,6 +265,7 @@ struct DecodedCert {
word32 sigLength; /* length of signature */
word32 signatureOID; /* sum of algorithm object id */
word32 keyOID; /* sum of key algo object id */
int version; /* cert version, 1 or 3 */
DNS_entry* altNames; /* alt names list of dns entries */
byte subjectHash[SHA_SIZE]; /* hash of all Names */
byte issuerHash[SHA_SIZE]; /* hash of all Names */
@@ -267,7 +297,11 @@ struct DecodedCert {
byte extAuthKeyId[SHA_SIZE]; /* Authority Key ID */
byte extAuthKeyIdSet; /* Set when the AKID was read from cert */
byte isCA; /* CA basic constraint true */
#ifdef CYASSL_CERT_GEN
byte* beforeDate;
int beforeDateLen;
byte* afterDate;
int afterDateLen;
#if defined(CYASSL_CERT_GEN)
/* easy access to subject info for other sign */
char* subjectSN;
int subjectSNLen;
@@ -283,11 +317,11 @@ struct DecodedCert {
int subjectOULen;
char* subjectEmail;
int subjectEmailLen;
byte* beforeDate;
int beforeDateLen;
byte* afterDate;
int afterDateLen;
#endif /* CYASSL_CERT_GEN */
#ifdef OPENSSL_EXTRA
DecodedName issuerName;
DecodedName subjectName;
#endif /* OPENSSL_EXTRA */
#ifdef CYASSL_SEP
int deviceTypeSz;
byte* deviceType;
@@ -298,6 +332,7 @@ struct DecodedCert {
#endif /* CYASSL_SEP */
};
#ifdef SHA_DIGEST_SIZE
#define SIGNER_DIGEST_SIZE SHA_DIGEST_SIZE
#else

2
cyassl/ctaocrypt/ecc.h
View File

@@ -109,6 +109,8 @@ int ecc_import_x963(const byte* in, word32 inLen, ecc_key* key);
CYASSL_API
int ecc_import_private_key(const byte* priv, word32 privSz, const byte* pub,
word32 pubSz, ecc_key* key);
CYASSL_API
int ecc_export_private_only(ecc_key* key, byte* out, word32* outLen);
/* size helper */
CYASSL_API

12
cyassl/ctaocrypt/hmac.h
View File

@@ -151,7 +151,7 @@ typedef struct Hmac {
/* does init */
CYASSL_API void HmacSetKey(Hmac*, int type, const byte* key, word32 keySz);
CYASSL_API int HmacSetKey(Hmac*, int type, const byte* key, word32 keySz);
CYASSL_API void HmacUpdate(Hmac*, const byte*, word32);
CYASSL_API void HmacFinal(Hmac*, byte*);
@@ -162,6 +162,16 @@ CYASSL_API void HmacFinal(Hmac*, byte*);
CYASSL_API int CyaSSL_GetHmacMaxSize(void);
#ifdef HAVE_HKDF
CYASSL_API int HKDF(int type, const byte* inKey, word32 inKeySz,
const byte* salt, word32 saltSz,
const byte* info, word32 infoSz,
byte* out, word32 outSz);
#endif /* HAVE_HKDF */
#ifdef __cplusplus
} /* extern "C" */
#endif

6
cyassl/ctaocrypt/settings.h
View File

@@ -130,7 +130,11 @@
#ifdef MICROCHIP_TCPIP
/* include timer, NTP functions */
#include "system/system_services.h"
#include "tcpip/sntp.h"
#ifdef MICROCHIP_MPLAB_HARMONY
#include "tcpip/tcpip.h"
#else
#include "tcpip/sntp.h"
#endif
#endif
#ifdef MBED

52
cyassl/internal.h
View File

@@ -196,6 +196,10 @@ void c32to24(word32 in, word24 out);
#define BUILD_TLS_RSA_WITH_AES_128_CCM_8
#define BUILD_TLS_RSA_WITH_AES_256_CCM_8
#endif
#if defined(HAVE_BLAKE2)
#define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
#define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
#endif
#endif
#if defined(HAVE_CAMELLIA) && !defined(NO_TLS)
@@ -255,18 +259,18 @@ void c32to24(word32 in, word24 out);
#endif
#if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS)
#define BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
#define BUILD_TLS_RSA_WITH_HC_128_MD5
#if !defined(NO_SHA)
#define BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
#define BUILD_TLS_RSA_WITH_HC_128_SHA
#endif
#if defined(HAVE_BLAKE2)
#define BUILD_TLS_RSA_WITH_HC_128_CBC_B2B256
#define BUILD_TLS_RSA_WITH_HC_128_B2B256
#endif
#endif
#if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA)
#if !defined(NO_SHA)
#define BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
#define BUILD_TLS_RSA_WITH_RABBIT_SHA
#endif
#endif
@@ -389,13 +393,13 @@ void c32to24(word32 in, word24 out);
#define BUILD_AESGCM
#endif
#if defined(BUILD_TLS_RSA_WITH_HC_128_CBC_SHA) || \
defined(BUILD_TLS_RSA_WITH_HC_128_CBC_MD5) || \
defined(BUILD_TLS_RSA_WITH_HC_128_CBC_B2B256)
#if defined(BUILD_TLS_RSA_WITH_HC_128_SHA) || \
defined(BUILD_TLS_RSA_WITH_HC_128_MD5) || \
defined(BUILD_TLS_RSA_WITH_HC_128_B2B256)
#define BUILD_HC128
#endif
#if defined(BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA)
#if defined(BUILD_TLS_RSA_WITH_RABBIT_SHA)
#define BUILD_RABBIT
#endif
@@ -470,10 +474,15 @@ enum {
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0x26,
/* CyaSSL extension - eSTREAM */
TLS_RSA_WITH_HC_128_CBC_B2B256 = 0xFA,
TLS_RSA_WITH_HC_128_CBC_MD5 = 0xFB,
TLS_RSA_WITH_HC_128_CBC_SHA = 0xFC,
TLS_RSA_WITH_RABBIT_CBC_SHA = 0xFD,
TLS_RSA_WITH_HC_128_MD5 = 0xFB,
TLS_RSA_WITH_HC_128_SHA = 0xFC,
TLS_RSA_WITH_RABBIT_SHA = 0xFD,
/* CyaSSL extension - Blake2b 256 */
TLS_RSA_WITH_AES_128_CBC_B2B256 = 0xF8,
TLS_RSA_WITH_AES_256_CBC_B2B256 = 0xF9,
TLS_RSA_WITH_HC_128_B2B256 = 0xFA, /* eSTREAM too */
/* CyaSSL extension - NTRU */
TLS_NTRU_RSA_WITH_RC4_128_SHA = 0xe5,
@@ -1616,9 +1625,18 @@ typedef struct Arrays {
#define ASN_NAME_MAX 256
#endif
#ifndef MAX_DATE_SZ
#define MAX_DATE_SZ 32
#endif
struct CYASSL_X509_NAME {
char name[ASN_NAME_MAX];
char *name;
char staticName[ASN_NAME_MAX];
int dynamicName;
int sz;
#ifdef OPENSSL_EXTRA
DecodedName fullName;
#endif /* OPENSSL_EXTRA */
};
#ifndef EXTERNAL_SERIAL_SIZE
@@ -1630,6 +1648,7 @@ struct CYASSL_X509_NAME {
#endif
struct CYASSL_X509 {
int version;
CYASSL_X509_NAME issuer;
CYASSL_X509_NAME subject;
int serialSz;
@@ -1643,6 +1662,11 @@ struct CYASSL_X509 {
int hwSerialNumSz;
byte hwSerialNum[EXTERNAL_SERIAL_SIZE];
#endif
int notBeforeSz;
byte notBefore[MAX_DATE_SZ];
int notAfterSz;
byte notAfter[MAX_DATE_SZ];
buffer pubKey;
buffer derCert; /* may need */
DNS_entry* altNames; /* alt names list */
DNS_entry* altNamesNext; /* hint for retrieval */
@@ -2020,6 +2044,8 @@ CYASSL_LOCAL int GrowInputBuffer(CYASSL* ssl, int size, int usedLength);
CYASSL_LOCAL word32 LowResTimer(void);
CYASSL_LOCAL void InitX509Name(CYASSL_X509_NAME*, int);
CYASSL_LOCAL void FreeX509Name(CYASSL_X509_NAME* name);
CYASSL_LOCAL void InitX509(CYASSL_X509*, int);
CYASSL_LOCAL void FreeX509(CYASSL_X509*);
#ifndef NO_CERTS

30
cyassl/ssl.h
View File

@@ -95,6 +95,10 @@ typedef struct CYASSL_dynlock_value CYASSL_dynlock_value;
typedef struct CYASSL_EVP_PKEY {
int type; /* openssh dereference */
int save_type; /* openssh dereference */
int pkey_sz;
union {
char* ptr;
} pkey;
} CYASSL_EVP_PKEY;
typedef struct CYASSL_MD4_CTX {
@@ -108,7 +112,8 @@ typedef struct CYASSL_COMP_METHOD {
typedef struct CYASSL_X509_STORE {
int cache; /* stunnel dereference */
int cache; /* stunnel dereference */
CYASSL_CERT_MANAGER* cm;
} CYASSL_X509_STORE;
typedef struct CYASSL_ALERT {
@@ -135,6 +140,7 @@ typedef struct CYASSL_X509_OBJECT {
typedef struct CYASSL_X509_STORE_CTX {
CYASSL_X509_STORE* store; /* Store full of a CA cert chain */
CYASSL_X509* current_cert; /* stunnel dereference */
char* domain; /* subject CN domain name */
void* ex_data; /* external data, for fortress build */
@@ -407,6 +413,10 @@ CYASSL_API int CyaSSL_X509_STORE_CTX_get_error_depth(CYASSL_X509_STORE_CTX*);
CYASSL_API char* CyaSSL_X509_NAME_oneline(CYASSL_X509_NAME*, char*, int);
CYASSL_API CYASSL_X509_NAME* CyaSSL_X509_get_issuer_name(CYASSL_X509*);
CYASSL_API CYASSL_X509_NAME* CyaSSL_X509_get_subject_name(CYASSL_X509*);
CYASSL_API int CyaSSL_X509_NAME_entry_count(CYASSL_X509_NAME*);
CYASSL_API int CyaSSL_X509_NAME_get_text_by_NID(
CYASSL_X509_NAME*, int, char*, int);
CYASSL_API int CyaSSL_X509_verify_cert(CYASSL_X509_STORE_CTX*);
CYASSL_API const char* CyaSSL_X509_verify_cert_error_string(long);
CYASSL_API int CyaSSL_X509_LOOKUP_add_dir(CYASSL_X509_LOOKUP*,const char*,long);
@@ -418,10 +428,16 @@ CYASSL_API CYASSL_X509_LOOKUP_METHOD* CyaSSL_X509_LOOKUP_file(void);
CYASSL_API CYASSL_X509_LOOKUP* CyaSSL_X509_STORE_add_lookup(CYASSL_X509_STORE*,
CYASSL_X509_LOOKUP_METHOD*);
CYASSL_API CYASSL_X509_STORE* CyaSSL_X509_STORE_new(void);
CYASSL_API void CyaSSL_X509_STORE_free(CYASSL_X509_STORE*);
CYASSL_API int CyaSSL_X509_STORE_add_cert(
CYASSL_X509_STORE*, CYASSL_X509*);
CYASSL_API int CyaSSL_X509_STORE_set_default_paths(CYASSL_X509_STORE*);
CYASSL_API int CyaSSL_X509_STORE_get_by_subject(CYASSL_X509_STORE_CTX*,
int, CYASSL_X509_NAME*, CYASSL_X509_OBJECT*);
CYASSL_API CYASSL_X509_STORE_CTX* CyaSSL_X509_STORE_CTX_new(void);
CYASSL_API int CyaSSL_X509_STORE_CTX_init(CYASSL_X509_STORE_CTX*,
CYASSL_X509_STORE*, CYASSL_X509*, STACK_OF(CYASSL_X509)*);
CYASSL_API void CyaSSL_X509_STORE_CTX_free(CYASSL_X509_STORE_CTX*);
CYASSL_API void CyaSSL_X509_STORE_CTX_cleanup(CYASSL_X509_STORE_CTX*);
CYASSL_API CYASSL_ASN1_TIME* CyaSSL_X509_CRL_get_lastUpdate(CYASSL_X509_CRL*);
@@ -778,13 +794,21 @@ CYASSL_API const unsigned char* CyaSSL_get_sessionID(const CYASSL_SESSION* s);
CYASSL_API int CyaSSL_X509_get_serial_number(CYASSL_X509*,unsigned char*,int*);
CYASSL_API char* CyaSSL_X509_get_subjectCN(CYASSL_X509*);
CYASSL_API const unsigned char* CyaSSL_X509_get_der(CYASSL_X509*, int*);
CYASSL_API const unsigned char* CyaSSL_X509_notBefore(CYASSL_X509*);
CYASSL_API const unsigned char* CyaSSL_X509_notAfter(CYASSL_X509*);
CYASSL_API int CyaSSL_X509_version(CYASSL_X509*);
CYASSL_API
CYASSL_API int CyaSSL_cmp_peer_cert_to_file(CYASSL*, const char*);
CYASSL_API char* CyaSSL_X509_get_next_altname(CYASSL_X509*);
CYASSL_API
CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format);
CYASSL_API CYASSL_X509*
CyaSSL_X509_d2i(CYASSL_X509** x509, const unsigned char* in, int len);
CYASSL_API CYASSL_X509*
CyaSSL_X509_d2i_fp(CYASSL_X509** x509, FILE* file);
CYASSL_API CYASSL_X509*
CyaSSL_X509_load_certificate_file(const char* fname, int format);
#ifdef CYASSL_SEP
CYASSL_API unsigned char*

4
cyassl/version.h
View File

@@ -26,8 +26,8 @@
extern "C" {
#endif
#define LIBCYASSL_VERSION_STRING "2.8.2"
#define LIBCYASSL_VERSION_HEX 0x02008002
#define LIBCYASSL_VERSION_STRING "2.8.3"
#define LIBCYASSL_VERSION_HEX 0x02008003
#ifdef __cplusplus
}

9
m4/ax_pthread.m4
View File

@@ -160,11 +160,10 @@ case ${host_os} in
;;
darwin*)
if test "$CC" = "clang"; then
ax_pthread_flags="$ax_pthread_flags"
else
ax_pthread_flags="-pthread $ax_pthread_flags"
fi
AC_REQUIRE([WOLFSSL_DARWIN_USING_CLANG])
AS_IF([test x"$wolfssl_darwin_clang" = x"yes"],
[ax_pthread_flags="$ax_pthread_flags"],
[ax_pthread_flags="-pthread $ax_pthread_flags"])
;;
esac

37
m4/wolfssl_darwin_clang.m4 Normal file
View File

@@ -0,0 +1,37 @@
# ===========================================================================
#
# SYNOPSIS
#
# WOLFSSL_DARWIN_USING_CLANG
#
# DESCRIPTION
#
# With the advent of Apple Xcode v5.0, the old tool sets are missing from
# the distribution. The provided "gcc" executable wrapper accepts the
# "-pthread" flag, and passes it to the underlying "clang" which chokes
# on it. This script checks the version of the gcc executable to see if
# it reports it is really "clang".
#
# The value is placed in the wolfssl_darwin_clang variable.
#
# LICENSE
#
# Copyright (c) 2013 John Safranek <john@wolfssl.com>
#
# Copying and distribution of this file, with or without modification, are
# permitted in any medium without royalty provided the copyright notice
# and this notice are preserved. This file is offered as-is, without any
# warranty.
#serial 1
AC_DEFUN([WOLFSSL_DARWIN_USING_CLANG],
[
if test x"$CC" = xclang; then
wolfssl_darwin_clang=yes
elif test x"$CC" = x || test x"$CC" = xgcc; then
if /usr/bin/gcc -v 2>&1 | grep 'clang' >/dev/null 2>&1; then
wolfssl_darwin_clang=yes
fi
fi
])

175
src/internal.c
View File

@@ -1091,31 +1091,45 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK,
}
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5
if (tls && haveRSA) {
suites->suites[idx++] = 0;
suites->suites[idx++] = TLS_RSA_WITH_HC_128_CBC_MD5;
suites->suites[idx++] = TLS_RSA_WITH_HC_128_MD5;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA
if (tls && haveRSA) {
suites->suites[idx++] = 0;
suites->suites[idx++] = TLS_RSA_WITH_HC_128_CBC_SHA;
suites->suites[idx++] = TLS_RSA_WITH_HC_128_SHA;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_B2B256
#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256
if (tls && haveRSA) {
suites->suites[idx++] = 0;
suites->suites[idx++] = TLS_RSA_WITH_HC_128_CBC_B2B256;
suites->suites[idx++] = TLS_RSA_WITH_HC_128_B2B256;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
if (tls && haveRSA) {
suites->suites[idx++] = 0;
suites->suites[idx++] = TLS_RSA_WITH_RABBIT_CBC_SHA;
suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_B2B256;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
if (tls && haveRSA) {
suites->suites[idx++] = 0;
suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_B2B256;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA
if (tls && haveRSA) {
suites->suites[idx++] = 0;
suites->suites[idx++] = TLS_RSA_WITH_RABBIT_SHA;
}
#endif
@@ -1217,9 +1231,41 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK,
#ifndef NO_CERTS
void InitX509Name(CYASSL_X509_NAME* name, int dynamicFlag)
{
(void)dynamicFlag;
if (name != NULL) {
name->name = name->staticName;
name->dynamicName = 0;
#ifdef OPENSSL_EXTRA
XMEMSET(&name->fullName, 0, sizeof(DecodedName));
#endif /* OPENSSL_EXTRA */
}
}
void FreeX509Name(CYASSL_X509_NAME* name)
{
if (name != NULL) {
if (name->dynamicName)
XFREE(name->name, NULL, DYNAMIC_TYPE_SUBJECT_CN);
#ifdef OPENSSL_EXTRA
if (name->fullName.fullName != NULL)
XFREE(name->fullName.fullName, NULL, DYNAMIC_TYPE_X509);
#endif /* OPENSSL_EXTRA */
}
}
/* Initialize CyaSSL X509 type */
void InitX509(CYASSL_X509* x509, int dynamicFlag)
{
InitX509Name(&x509->issuer, 0);
InitX509Name(&x509->subject, 0);
x509->version = 0;
x509->pubKey.buffer = NULL;
x509->derCert.buffer = NULL;
x509->altNames = NULL;
x509->altNamesNext = NULL;
@@ -1233,7 +1279,11 @@ void FreeX509(CYASSL_X509* x509)
if (x509 == NULL)
return;
XFREE(x509->derCert.buffer, NULL, DYNAMIC_TYPE_CERT);
FreeX509Name(&x509->issuer);
FreeX509Name(&x509->subject);
if (x509->pubKey.buffer)
XFREE(x509->pubKey.buffer, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
XFREE(x509->derCert.buffer, NULL, DYNAMIC_TYPE_SUBJECT_CN);
if (x509->altNames)
FreeAltNames(x509->altNames, NULL);
if (x509->dynamicMemory)
@@ -2984,13 +3034,37 @@ int CopyDecodedToX509(CYASSL_X509* x509, DecodedCert* dCert)
if (x509 == NULL || dCert == NULL)
return BAD_FUNC_ARG;
x509->version = dCert->version + 1;
XSTRNCPY(x509->issuer.name, dCert->issuer, ASN_NAME_MAX);
x509->issuer.name[ASN_NAME_MAX - 1] = '\0';
x509->issuer.sz = (int)XSTRLEN(x509->issuer.name) + 1;
#ifdef OPENSSL_EXTRA
if (dCert->issuerName.fullName != NULL) {
XMEMCPY(&x509->issuer.fullName,
&dCert->issuerName, sizeof(DecodedName));
x509->issuer.fullName.fullName = (char*)XMALLOC(
dCert->issuerName.fullNameLen, NULL, DYNAMIC_TYPE_X509);
if (x509->issuer.fullName.fullName != NULL)
XMEMCPY(x509->issuer.fullName.fullName,
dCert->issuerName.fullName, dCert->issuerName.fullNameLen);
}
#endif /* OPENSSL_EXTRA */
XSTRNCPY(x509->subject.name, dCert->subject, ASN_NAME_MAX);
x509->subject.name[ASN_NAME_MAX - 1] = '\0';
x509->subject.sz = (int)XSTRLEN(x509->subject.name) + 1;
#ifdef OPENSSL_EXTRA
if (dCert->subjectName.fullName != NULL) {
XMEMCPY(&x509->subject.fullName,
&dCert->subjectName, sizeof(DecodedName));
x509->subject.fullName.fullName = (char*)XMALLOC(
dCert->subjectName.fullNameLen, NULL, DYNAMIC_TYPE_X509);
if (x509->subject.fullName.fullName != NULL)
XMEMCPY(x509->subject.fullName.fullName,
dCert->subjectName.fullName, dCert->subjectName.fullNameLen);
}
#endif /* OPENSSL_EXTRA */
XMEMCPY(x509->serial, dCert->serial, EXTERNAL_SERIAL_SIZE);
x509->serialSz = dCert->serialSz;
@@ -3026,6 +3100,33 @@ int CopyDecodedToX509(CYASSL_X509* x509, DecodedCert* dCert)
x509->hwSerialNumSz = 0;
}
#endif /* CYASSL_SEP */
{
int minSz = min(dCert->beforeDateLen, MAX_DATE_SZ);
if (minSz != 0) {
x509->notBeforeSz = minSz;
XMEMCPY(x509->notBefore, dCert->beforeDate, minSz);
}
else
x509->notBeforeSz = 0;
minSz = min(dCert->afterDateLen, MAX_DATE_SZ);
if (minSz != 0) {
x509->notAfterSz = minSz;
XMEMCPY(x509->notAfter, dCert->afterDate, minSz);
}
else
x509->notAfterSz = 0;
}
if (dCert->publicKey != NULL && dCert->pubKeySize != 0) {
x509->pubKey.buffer = (byte*)XMALLOC(
dCert->pubKeySize, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
if (x509->pubKey.buffer != NULL) {
x509->pubKey.length = dCert->pubKeySize;
XMEMCPY(x509->pubKey.buffer, dCert->publicKey, dCert->pubKeySize);
}
else
ret = MEMORY_E;
}
/* store cert for potential retrieval */
x509->derCert.buffer = (byte*)XMALLOC(dCert->maxIdx, NULL,
@@ -6137,19 +6238,27 @@ const char* const cipher_names[] =
"PSK-NULL-SHA",
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5
"HC128-MD5",
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA
"HC128-SHA",
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_B2B256
#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256
"HC128-B2B256",
#endif
#ifdef BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
"AES128-B2B256",
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
"AES256-B2B256",
#endif
#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA
"RABBIT-SHA",
#endif
@@ -6449,20 +6558,28 @@ int cipher_name_idx[] =
TLS_PSK_WITH_NULL_SHA,
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
TLS_RSA_WITH_HC_128_CBC_MD5,
#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5
TLS_RSA_WITH_HC_128_MD5,
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
TLS_RSA_WITH_HC_128_CBC_SHA,
#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA
TLS_RSA_WITH_HC_128_SHA,
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_B2B256
TLS_RSA_WITH_HC_128_CBC_B2B256,
#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256
TLS_RSA_WITH_HC_128_B2B256,
#endif
#ifdef BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
TLS_RSA_WITH_RABBIT_CBC_SHA,
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
TLS_RSA_WITH_AES_128_CBC_B2B256,
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
TLS_RSA_WITH_AES_256_CBC_B2B256,
#endif
#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA
TLS_RSA_WITH_RABBIT_SHA,
#endif
#ifdef BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
@@ -8452,7 +8569,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
ret = EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
&dsaKey, ssl->buffers.key.length);
if (ret != 0) return ret;
sigSz = ecc_sig_size(&dsaKey) + 4; /* worst case estimate */
sigSz = ecc_sig_size(&dsaKey); /* worst case estimate */
}
else {
#ifndef NO_RSA
@@ -9300,22 +9417,28 @@ static void PickHashSigAlgo(CYASSL* ssl,
return 1;
break;
case TLS_RSA_WITH_HC_128_CBC_MD5 :
case TLS_RSA_WITH_HC_128_MD5 :
if (requirement == REQUIRES_RSA)
return 1;
break;
case TLS_RSA_WITH_HC_128_CBC_SHA :
case TLS_RSA_WITH_HC_128_SHA :
if (requirement == REQUIRES_RSA)
return 1;
break;
case TLS_RSA_WITH_HC_128_CBC_B2B256:
case TLS_RSA_WITH_HC_128_B2B256:
if (requirement == REQUIRES_RSA)
return 1;
break;
case TLS_RSA_WITH_RABBIT_CBC_SHA :
case TLS_RSA_WITH_AES_128_CBC_B2B256:
case TLS_RSA_WITH_AES_256_CBC_B2B256:
if (requirement == REQUIRES_RSA)
return 1;
break;
case TLS_RSA_WITH_RABBIT_SHA :
if (requirement == REQUIRES_RSA)
return 1;
break;

2
src/io.c
View File

@@ -774,7 +774,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
{
char domainName[80], path[80];
int httpBufSz;
SOCKET_T sfd;
SOCKET_T sfd = 0;
word16 port;
int ocspRespSz = 0;
byte* httpBuf = NULL;

50
src/keys.c
View File

@@ -1088,8 +1088,8 @@ int SetCipherSpecs(CYASSL* ssl)
break;
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_MD5
case TLS_RSA_WITH_HC_128_CBC_MD5 :
#ifdef BUILD_TLS_RSA_WITH_HC_128_MD5
case TLS_RSA_WITH_HC_128_MD5 :
ssl->specs.bulk_cipher_algorithm = cyassl_hc128;
ssl->specs.cipher_type = stream;
ssl->specs.mac_algorithm = md5_mac;
@@ -1105,8 +1105,8 @@ int SetCipherSpecs(CYASSL* ssl)
break;
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_SHA
case TLS_RSA_WITH_HC_128_CBC_SHA :
#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA
case TLS_RSA_WITH_HC_128_SHA :
ssl->specs.bulk_cipher_algorithm = cyassl_hc128;
ssl->specs.cipher_type = stream;
ssl->specs.mac_algorithm = sha_mac;
@@ -1122,8 +1122,8 @@ int SetCipherSpecs(CYASSL* ssl)
break;
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_CBC_B2B256
case TLS_RSA_WITH_HC_128_CBC_B2B256:
#ifdef BUILD_TLS_RSA_WITH_HC_128_B2B256
case TLS_RSA_WITH_HC_128_B2B256:
ssl->specs.bulk_cipher_algorithm = cyassl_hc128;
ssl->specs.cipher_type = stream;
ssl->specs.mac_algorithm = blake2b_mac;
@@ -1139,8 +1139,42 @@ int SetCipherSpecs(CYASSL* ssl)
break;
#endif
#ifdef BUILD_TLS_RSA_WITH_RABBIT_CBC_SHA
case TLS_RSA_WITH_RABBIT_CBC_SHA :
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
case TLS_RSA_WITH_AES_128_CBC_B2B256:
ssl->specs.bulk_cipher_algorithm = cyassl_aes;
ssl->specs.cipher_type = block;
ssl->specs.mac_algorithm = blake2b_mac;
ssl->specs.kea = rsa_kea;
ssl->specs.sig_algo = rsa_sa_algo;
ssl->specs.hash_size = BLAKE2B_256;
ssl->specs.pad_size = PAD_SHA;
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.iv_size = AES_IV_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
break;
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
case TLS_RSA_WITH_AES_256_CBC_B2B256:
ssl->specs.bulk_cipher_algorithm = cyassl_aes;
ssl->specs.cipher_type = block;
ssl->specs.mac_algorithm = blake2b_mac;
ssl->specs.kea = rsa_kea;
ssl->specs.sig_algo = rsa_sa_algo;
ssl->specs.hash_size = BLAKE2B_256;
ssl->specs.pad_size = PAD_SHA;
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.iv_size = AES_IV_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
break;
#endif
#ifdef BUILD_TLS_RSA_WITH_RABBIT_SHA
case TLS_RSA_WITH_RABBIT_SHA :
ssl->specs.bulk_cipher_algorithm = cyassl_rabbit;
ssl->specs.cipher_type = stream;
ssl->specs.mac_algorithm = sha_mac;

13
src/sniffer.c
View File

@@ -1593,10 +1593,19 @@ static void Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
static const byte* DecryptMessage(SSL* ssl, const byte* input, word32 sz,
byte* output)
{
int ivExtra = 0;
Decrypt(ssl, output, input, sz);
ssl->keys.encryptSz = sz;
if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
return output + ssl->specs.block_size; /* go past TLSv1.1 IV */
if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) {
output += ssl->specs.block_size; /* go past TLSv1.1 IV */
ivExtra = ssl->specs.block_size;
}
ssl->keys.padSz = ssl->specs.hash_size;
if (ssl->specs.cipher_type == block)
ssl->keys.padSz += *(output + sz - ivExtra - 1) + 1;
return output;
}

322
src/ssl.c
View File

@@ -5618,7 +5618,8 @@ int CyaSSL_set_compression(CYASSL* ssl)
int CyaSSL_X509_STORE_CTX_get_error(CYASSL_X509_STORE_CTX* ctx)
{
(void)ctx;
if (ctx != NULL)
return ctx->error;
return 0;
}
@@ -7072,6 +7073,76 @@ int CyaSSL_set_compression(CYASSL* ssl)
}
int CyaSSL_X509_NAME_entry_count(CYASSL_X509_NAME* name)
{
int count = 0;
CYASSL_ENTER("CyaSSL_X509_NAME_entry_count");
if (name != NULL)
count = name->fullName.entryCount;
CYASSL_LEAVE("CyaSSL_X509_NAME_entry_count", count);
return count;
}
int CyaSSL_X509_NAME_get_text_by_NID(CYASSL_X509_NAME* name,
int nid, char* buf, int len)
{
char *text = NULL;
int textSz = 0;
CYASSL_ENTER("CyaSSL_X509_NAME_get_text_by_NID");
switch (nid) {
case ASN_COMMON_NAME:
text = name->fullName.fullName + name->fullName.cnIdx;
textSz = name->fullName.cnLen;
break;
case ASN_SUR_NAME:
text = name->fullName.fullName + name->fullName.snIdx;
textSz = name->fullName.snLen;
break;
case ASN_SERIAL_NUMBER:
text = name->fullName.fullName + name->fullName.serialIdx;
textSz = name->fullName.serialLen;
break;
case ASN_COUNTRY_NAME:
text = name->fullName.fullName + name->fullName.cIdx;
textSz = name->fullName.cLen;
break;
case ASN_LOCALITY_NAME:
text = name->fullName.fullName + name->fullName.lIdx;
textSz = name->fullName.lLen;
break;
case ASN_STATE_NAME:
text = name->fullName.fullName + name->fullName.stIdx;
textSz = name->fullName.stLen;
break;
case ASN_ORG_NAME:
text = name->fullName.fullName + name->fullName.oIdx;
textSz = name->fullName.oLen;
break;
case ASN_ORGUNIT_NAME:
text = name->fullName.fullName + name->fullName.ouIdx;
textSz = name->fullName.ouLen;
break;
default:
break;
}
if (buf != NULL) {
textSz = min(textSz, len);
XMEMCPY(buf, text, textSz);
buf[textSz] = '\0';
}
CYASSL_LEAVE("CyaSSL_X509_NAME_get_text_by_NID", textSz);
return textSz;
}
/* write X509 serial number in unsigned binary to buffer
buffer needs to be at least EXTERNAL_SERIAL_SIZE (32) for all cases
return SSL_SUCCESS on success */
@@ -7099,6 +7170,40 @@ int CyaSSL_set_compression(CYASSL* ssl)
return x509->derCert.buffer;
}
int CyaSSL_X509_version(CYASSL_X509* x509)
{
CYASSL_ENTER("CyaSSL_X509_version");
if (x509 == NULL)
return 0;
return x509->version;
}
const byte* CyaSSL_X509_notBefore(CYASSL_X509* x509)
{
CYASSL_ENTER("CyaSSL_X509_notBefore");
if (x509 == NULL)
return NULL;
return x509->notBefore;
}
const byte* CyaSSL_X509_notAfter(CYASSL_X509* x509)
{
CYASSL_ENTER("CyaSSL_X509_notAfter");
if (x509 == NULL)
return NULL;
return x509->notAfter;
}
#ifdef CYASSL_SEP
/* copy oid into in buffer, at most *inOutSz bytes, if buffer is null will
@@ -7175,6 +7280,66 @@ byte* CyaSSL_X509_get_hw_serial_number(CYASSL_X509* x509,byte* in,int* inOutSz)
#endif /* CYASSL_SEP */
CYASSL_X509* CyaSSL_X509_d2i(CYASSL_X509** x509, const byte* in, int len)
{
CYASSL_X509 *newX509 = NULL;
CYASSL_ENTER("CyaSSL_X509_d2i");
if (in != NULL && len != 0) {
DecodedCert cert;
InitDecodedCert(&cert, (byte*)in, len, NULL);
if (ParseCertRelative(&cert, CERT_TYPE, 0, NULL) == 0) {
newX509 = (CYASSL_X509*)XMALLOC(sizeof(CYASSL_X509),
NULL, DYNAMIC_TYPE_X509);
if (newX509 != NULL) {
InitX509(newX509, 1);
if (CopyDecodedToX509(newX509, &cert) != 0) {
XFREE(newX509, NULL, DYNAMIC_TYPE_X509);
newX509 = NULL;
}
}
}
FreeDecodedCert(&cert);
}
if (x509 != NULL)
*x509 = newX509;
return newX509;
}
CYASSL_X509* CyaSSL_X509_d2i_fp(CYASSL_X509** x509, XFILE file)
{
CYASSL_X509* newX509 = NULL;
CYASSL_ENTER("CyaSSL_X509_d2i_fp");
if (file != XBADFILE) {
byte* fileBuffer = NULL;
long sz = 0;
XFSEEK(file, 0, XSEEK_END);
sz = XFTELL(file);
XREWIND(file);
fileBuffer = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE);
if (fileBuffer != NULL) {
if ((int)XFREAD(fileBuffer, sz, 1, file) > 0) {
newX509 = CyaSSL_X509_d2i(NULL, fileBuffer, (int)sz);
}
XFREE(fileBuffer, NULL, DYNAMIC_TYPE_FILE);
}
}
if (x509 != NULL)
*x509 = newX509;
return newX509;
}
CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
{
byte staticBuffer[FILE_BUFFER_SIZE];
@@ -7536,6 +7701,12 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
return "TLS_RSA_WITH_AES_128_CBC_SHA256";
case TLS_RSA_WITH_AES_256_CBC_SHA256 :
return "TLS_RSA_WITH_AES_256_CBC_SHA256";
#ifdef HAVE_BLAKE2
case TLS_RSA_WITH_AES_128_CBC_B2B256:
return "TLS_RSA_WITH_AES_128_CBC_B2B256";
case TLS_RSA_WITH_AES_256_CBC_B2B256:
return "TLS_RSA_WITH_AES_256_CBC_B2B256";
#endif
#ifndef NO_SHA
case TLS_RSA_WITH_NULL_SHA :
return "TLS_RSA_WITH_NULL_SHA";
@@ -7580,22 +7751,22 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
#endif
#ifndef NO_HC128
#ifndef NO_MD5
case TLS_RSA_WITH_HC_128_CBC_MD5 :
return "TLS_RSA_WITH_HC_128_CBC_MD5";
case TLS_RSA_WITH_HC_128_MD5 :
return "TLS_RSA_WITH_HC_128_MD5";
#endif
#ifndef NO_SHA
case TLS_RSA_WITH_HC_128_CBC_SHA :
return "TLS_RSA_WITH_HC_128_CBC_SHA";
case TLS_RSA_WITH_HC_128_SHA :
return "TLS_RSA_WITH_HC_128_SHA";
#endif
#ifdef HAVE_BLAKE2
case TLS_RSA_WITH_HC_128_CBC_B2B256:
return "TLS_RSA_WITH_HC_128_CBC_B2B256";
case TLS_RSA_WITH_HC_128_B2B256:
return "TLS_RSA_WITH_HC_128_B2B256";
#endif
#endif /* NO_HC128 */
#ifndef NO_SHA
#ifndef NO_RABBIT
case TLS_RSA_WITH_RABBIT_CBC_SHA :
return "TLS_RSA_WITH_RABBIT_CBC_SHA";
case TLS_RSA_WITH_RABBIT_SHA :
return "TLS_RSA_WITH_RABBIT_SHA";
#endif
#ifdef HAVE_NTRU
#ifndef NO_RC4
@@ -7965,9 +8136,61 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
}
int CyaSSL_X509_STORE_add_cert(CYASSL_X509_STORE* store, CYASSL_X509* x509)
{
int result = SSL_FATAL_ERROR;
CYASSL_ENTER("CyaSSL_X509_STORE_add_cert");
if (store != NULL && store->cm != NULL && x509 != NULL) {
buffer derCert;
derCert.buffer = (byte*)XMALLOC(x509->derCert.length,
NULL, DYNAMIC_TYPE_CERT);
if (derCert.buffer != NULL) {
derCert.length = x509->derCert.length;
// AddCA() frees the buffer.
XMEMCPY(derCert.buffer,
x509->derCert.buffer, x509->derCert.length);
result = AddCA(store->cm, derCert, CYASSL_USER_CA, 1);
if (result != SSL_SUCCESS) result = SSL_FATAL_ERROR;
}
}
CYASSL_LEAVE("CyaSSL_X509_STORE_add_cert", result);
return result;
}
CYASSL_X509_STORE* CyaSSL_X509_STORE_new(void)
{
return 0;
CYASSL_X509_STORE* store = NULL;
store = (CYASSL_X509_STORE*)XMALLOC(sizeof(CYASSL_X509_STORE), NULL, 0);
if (store != NULL) {
store->cm = CyaSSL_CertManagerNew();
if (store->cm == NULL) {
XFREE(store, NULL, 0);
store = NULL;
}
}
return store;
}
void CyaSSL_X509_STORE_free(CYASSL_X509_STORE* store)
{
if (store != NULL) {
if (store->cm != NULL)
CyaSSL_CertManagerFree(store->cm);
XFREE(store, NULL, 0);
}
}
int CyaSSL_X509_STORE_set_default_paths(CYASSL_X509_STORE* store)
{
(void)store;
return SSL_SUCCESS;
}
@@ -7982,14 +8205,46 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
}
CYASSL_X509_STORE_CTX* CyaSSL_X509_STORE_CTX_new(void)
{
CYASSL_X509_STORE_CTX* ctx = (CYASSL_X509_STORE_CTX*)XMALLOC(
sizeof(CYASSL_X509_STORE_CTX), NULL, 0);
if (ctx != NULL)
CyaSSL_X509_STORE_CTX_init(ctx, NULL, NULL, NULL);
return ctx;
}
int CyaSSL_X509_STORE_CTX_init(CYASSL_X509_STORE_CTX* ctx,
CYASSL_X509_STORE* store, CYASSL_X509* x509, STACK_OF(CYASSL_X509)* sk)
{
(void)ctx;
(void)store;
(void)x509;
(void)sk;
return 0;
if (ctx != NULL) {
ctx->store = store;
ctx->current_cert = x509;
ctx->domain = NULL;
ctx->ex_data = NULL;
ctx->userCtx = NULL;
ctx->error = 0;
ctx->error_depth = 0;
ctx->discardSessionCerts = 0;
return SSL_SUCCESS;
}
return SSL_FATAL_ERROR;
}
void CyaSSL_X509_STORE_CTX_free(CYASSL_X509_STORE_CTX* ctx)
{
if (ctx != NULL) {
if (ctx->store != NULL)
CyaSSL_X509_STORE_free(ctx->store);
if (ctx->current_cert != NULL)
CyaSSL_FreeX509(ctx->current_cert);
XFREE(ctx, NULL, 0);
}
}
@@ -7999,6 +8254,18 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
}
int CyaSSL_X509_verify_cert(CYASSL_X509_STORE_CTX* ctx)
{
if (ctx != NULL && ctx->store != NULL && ctx->store->cm != NULL
&& ctx->current_cert != NULL) {
return CyaSSL_CertManagerVerifyBuffer(ctx->store->cm,
ctx->current_cert->derCert.buffer,
ctx->current_cert->derCert.length,
SSL_FILETYPE_ASN1);
}
return SSL_FATAL_ERROR;
}
CYASSL_ASN1_TIME* CyaSSL_X509_CRL_get_lastUpdate(CYASSL_X509_CRL* crl)
{
@@ -8017,8 +8284,25 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
CYASSL_EVP_PKEY* CyaSSL_X509_get_pubkey(CYASSL_X509* x509)
{
(void)x509;
return 0;
CYASSL_EVP_PKEY* key = NULL;
if (x509 != NULL) {
key = (CYASSL_EVP_PKEY*)XMALLOC(
sizeof(CYASSL_EVP_PKEY), NULL, DYNAMIC_TYPE_PUBLIC_KEY);
if (key != NULL) {
key->type = 0;
key->save_type = 0;
key->pkey.ptr = (char*)XMALLOC(
x509->pubKey.length, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
if (key->pkey.ptr == NULL) {
XFREE(key, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
return NULL;
}
XMEMCPY(key->pkey.ptr,
x509->pubKey.buffer, x509->pubKey.length);
key->pkey_sz = x509->pubKey.length;
}
}
return key;
}
@@ -8045,7 +8329,11 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
void CyaSSL_EVP_PKEY_free(CYASSL_EVP_PKEY* key)
{
(void)key;
if (key != NULL) {
if (key->pkey.ptr != NULL)
XFREE(key->pkey.ptr, NULL, 0);
XFREE(key, NULL, 0);
}
}

6
sslSniffer/sslSnifferTest/snifftest.c
View File

@@ -114,7 +114,7 @@ static char* iptos(unsigned int addr)
int main(int argc, char** argv)
{
int ret;
int ret = 0;
int inum;
int port;
int saveFile = 0;
@@ -260,8 +260,10 @@ int main(int argc, char** argv)
frame = NULL_IF_FRAME_LEN;
while (1) {
static int packetNumber = 0;
struct pcap_pkthdr header;
const unsigned char* packet = pcap_next(pcap, &header);
packetNumber++;
if (packet) {
byte data[65535];
@@ -278,7 +280,7 @@ int main(int argc, char** argv)
printf("ssl_Decode ret = %d, %s\n", ret, err);
if (ret > 0) {
data[ret] = 0;
printf("SSL App Data:%s\n", data);
printf("SSL App Data(%d:%d):%s\n", packetNumber, ret, data);
}
}
else if (saveFile)

48
tests/test.conf
View File

@@ -774,6 +774,22 @@
-v 1
-l HC128-B2B256
# server TLSv1 AES128-B2B256
-v 1
-l AES128-B2B256
# client TLSv1 AES128-B2B256
-v 1
-l AES128-B2B256
# server TLSv1 AES256-B2B256
-v 1
-l AES256-B2B256
# client TLSv1 AES256-B2B256
-v 1
-l AES256-B2B256
# server TLSv1.1 HC128-SHA
-v 2
-l HC128-SHA
@@ -798,6 +814,22 @@
-v 2
-l HC128-B2B256
# server TLSv1.1 AES128-B2B256
-v 2
-l AES128-B2B256
# client TLSv1.1 AES128-B2B256
-v 2
-l AES128-B2B256
# server TLSv1.1 AES256-B2B256
-v 2
-l AES256-B2B256
# client TLSv1.1 AES256-B2B256
-v 2
-l AES256-B2B256
# server TLSv1.2 HC128-SHA
-v 3
-l HC128-SHA
@@ -822,6 +854,22 @@
-v 3
-l HC128-B2B256
# server TLSv1.2 AES128-B2B256
-v 3
-l AES128-B2B256
# client TLSv1.2 AES128-B2B256
-v 3
-l AES128-B2B256
# server TLSv1.2 AES256-B2B256
-v 3
-l AES256-B2B256
# client TLSv1.2 AES256-B2B256
-v 3
-l AES256-B2B256
# server TLSv1 RABBIT-SHA
-v 1
-l RABBIT-SHA