From 3f35c86520c135ecdb5b7424f45601258f964605 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 24 May 2012 15:49:38 -0700 Subject: [PATCH 1/8] crl signature check, be sure to load CAs first --- ctaocrypt/src/asn.c | 28 ++++++++++++++++++++++++---- cyassl/ctaocrypt/asn.h | 2 +- src/crl.c | 2 +- 3 files changed, 26 insertions(+), 6 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 18d27cdad..c675cfe51 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -4782,11 +4782,12 @@ static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl, /* prase crl buffer into decoded state, 0 on success */ -int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz) +int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz, void* cm) { - int version, len; - word32 oid, idx = 0; - Md5 md5; + int version, len; + word32 oid, idx = 0; + Md5 md5; + Signer* ca; CYASSL_MSG("ParseCRL"); @@ -4848,6 +4849,25 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz) if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0) return ASN_PARSE_E; + ca = GetCA(cm, dcrl->issuerHash); + CYASSL_MSG("About to verify CRL signature"); + + if (ca) { + CYASSL_MSG("Found CRL issuer CA"); + /* try to confirm/verify signature */ + if (!ConfirmSignature(buff + dcrl->certBegin, + dcrl->sigIndex - dcrl->certBegin, + ca->publicKey, ca->pubKeySize, ca->keyOID, + dcrl->signature, dcrl->sigLength, dcrl->signatureOID, NULL)) { + CYASSL_MSG("CRL Confirm signature failed"); + return ASN_SIG_CONFIRM_E; + } + } + else { + CYASSL_MSG("Did NOT find CRL issuer CA"); + return ASN_SIG_CONFIRM_E; + } + return 0; } diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index c0efa7506..2b6e9ac34 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -444,7 +444,7 @@ struct DecodedCRL { }; CYASSL_LOCAL void InitDecodedCRL(DecodedCRL*); -CYASSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, long sz); +CYASSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, long sz, void* cm); CYASSL_LOCAL void FreeDecodedCRL(DecodedCRL*); diff --git a/src/crl.c b/src/crl.c index 46e53a3f0..4947ae405 100644 --- a/src/crl.c +++ b/src/crl.c @@ -256,7 +256,7 @@ int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type) } InitDecodedCRL(&dcrl); - ret = ParseCRL(&dcrl, myBuffer, sz); + ret = ParseCRL(&dcrl, myBuffer, sz, crl->cm); if (ret != 0) { CYASSL_MSG("ParseCRL error"); } From 7332b4843c7c0d6a0eadf2f659ca41338609a0d3 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 24 May 2012 20:10:38 -0700 Subject: [PATCH 2/8] remove hard tabs, bad sublime setting --- src/crl.c | 302 +++++++++++++++++++++++++++--------------------------- 1 file changed, 151 insertions(+), 151 deletions(-) diff --git a/src/crl.c b/src/crl.c index 4947ae405..8b82261c6 100644 --- a/src/crl.c +++ b/src/crl.c @@ -36,48 +36,48 @@ /* Initialze CRL members */ int InitCRL(CYASSL_CRL* crl, CYASSL_CERT_MANAGER* cm) { - CYASSL_ENTER("InitCRL"); + CYASSL_ENTER("InitCRL"); - crl->cm = cm; - crl->crlList = NULL; + crl->cm = cm; + crl->crlList = NULL; crl->monitors[0].path = NULL; crl->monitors[1].path = NULL; #ifdef HAVE_CRL_MONITOR crl->tid = 0; #endif - if (InitMutex(&crl->crlLock) != 0) - return BAD_MUTEX_ERROR; + if (InitMutex(&crl->crlLock) != 0) + return BAD_MUTEX_ERROR; - return 0; + return 0; } /* Initialze CRL Entry */ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl) { - CYASSL_ENTER("FreeCRL_Entry"); + CYASSL_ENTER("FreeCRL_Entry"); - XMEMCPY(crle->issuerHash, dcrl->issuerHash, SHA_DIGEST_SIZE); - XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE); - XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); - XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); + XMEMCPY(crle->issuerHash, dcrl->issuerHash, SHA_DIGEST_SIZE); + XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE); + XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); + XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); crle->lastDateFormat = dcrl->lastDateFormat; crle->nextDateFormat = dcrl->nextDateFormat; - crle->certs = dcrl->certs; /* take ownsership */ - dcrl->certs = NULL; - crle->totalCerts = dcrl->totalCerts; + crle->certs = dcrl->certs; /* take ownsership */ + dcrl->certs = NULL; + crle->totalCerts = dcrl->totalCerts; - return 0; + return 0; } /* Free all CRL Entry resources */ static void FreeCRL_Entry(CRL_Entry* crle) { - RevokedCert* tmp = crle->certs; + RevokedCert* tmp = crle->certs; - CYASSL_ENTER("FreeCRL_Entry"); + CYASSL_ENTER("FreeCRL_Entry"); while(tmp) { RevokedCert* next = tmp->next; @@ -91,9 +91,9 @@ static void FreeCRL_Entry(CRL_Entry* crle) /* Free all CRL resources */ void FreeCRL(CYASSL_CRL* crl) { - CRL_Entry* tmp = crl->crlList; + CRL_Entry* tmp = crl->crlList; - CYASSL_ENTER("FreeCRL"); + CYASSL_ENTER("FreeCRL"); if (crl->monitors[0].path) XFREE(crl->monitors[0].path, NULL, DYNAMIC_TYPE_CRL_MONITOR); @@ -135,9 +135,9 @@ int CheckCertCRL(CYASSL_CRL* crl, DecodedCert* cert) crle = crl->crlList; - while (crle) { - if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) { - CYASSL_MSG("Found CRL Entry on list"); + while (crle) { + if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) { + CYASSL_MSG("Found CRL Entry on list"); CYASSL_MSG("Checking next date validity"); if (!ValidateDate(crle->nextDate, crle->nextDateFormat, AFTER)) { @@ -147,133 +147,133 @@ int CheckCertCRL(CYASSL_CRL* crl, DecodedCert* cert) else foundEntry = 1; break; - } + } crle = crle->next; - } + } - if (foundEntry) { - RevokedCert* rc = crle->certs; + if (foundEntry) { + RevokedCert* rc = crle->certs; - while (rc) { - if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) { - CYASSL_MSG("Cert revoked"); - revoked = 1; - ret = CRL_CERT_REVOKED; - break; - } - rc = rc->next; - } - } - - UnLockMutex(&crl->crlLock); - - if (foundEntry == 0) { - CYASSL_MSG("Couldn't find CRL for status check"); - ret = CRL_MISSING; - if (crl->cm->cbMissingCRL) { - char url[256]; - - CYASSL_MSG("Issuing missing CRL callback"); - url[0] = '\0'; - if (cert->extCrlInfoSz < (int)sizeof(url) -1 ) { - XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz); - url[cert->extCrlInfoSz] = '\0'; - } - else { - CYASSL_MSG("CRL url too long"); + while (rc) { + if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) { + CYASSL_MSG("Cert revoked"); + revoked = 1; + ret = CRL_CERT_REVOKED; + break; } - crl->cm->cbMissingCRL(url); - } - } + rc = rc->next; + } + } + + UnLockMutex(&crl->crlLock); + + if (foundEntry == 0) { + CYASSL_MSG("Couldn't find CRL for status check"); + ret = CRL_MISSING; + if (crl->cm->cbMissingCRL) { + char url[256]; + + CYASSL_MSG("Issuing missing CRL callback"); + url[0] = '\0'; + if (cert->extCrlInfoSz < (int)sizeof(url) -1 ) { + XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz); + url[cert->extCrlInfoSz] = '\0'; + } + else { + CYASSL_MSG("CRL url too long"); + } + crl->cm->cbMissingCRL(url); + } + } - return ret; + return ret; } /* Add Decoded CRL, 0 on success */ static int AddCRL(CYASSL_CRL* crl, DecodedCRL* dcrl) { - CRL_Entry* crle; + CRL_Entry* crle; - CYASSL_ENTER("AddCRL"); + CYASSL_ENTER("AddCRL"); - crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY); - if (crle == NULL) { - CYASSL_MSG("alloc CRL Entry failed"); - return -1; - } + crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY); + if (crle == NULL) { + CYASSL_MSG("alloc CRL Entry failed"); + return -1; + } - if (InitCRL_Entry(crle, dcrl) < 0) { - CYASSL_MSG("Init CRL Entry failed"); + if (InitCRL_Entry(crle, dcrl) < 0) { + CYASSL_MSG("Init CRL Entry failed"); XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY); - return -1; - } + return -1; + } - if (LockMutex(&crl->crlLock) != 0) { - CYASSL_MSG("LockMutex failed"); - FreeCRL_Entry(crle); + if (LockMutex(&crl->crlLock) != 0) { + CYASSL_MSG("LockMutex failed"); + FreeCRL_Entry(crle); XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY); - return BAD_MUTEX_ERROR; - } - crle->next = crl->crlList; - crl->crlList = crle; - UnLockMutex(&crl->crlLock); + return BAD_MUTEX_ERROR; + } + crle->next = crl->crlList; + crl->crlList = crle; + UnLockMutex(&crl->crlLock); - return 0; + return 0; } /* Load CRL File of type, SSL_SUCCESS on ok */ int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type) { - int ret = SSL_SUCCESS; - const byte* myBuffer = buff; /* if DER ok, otherwise switch */ - buffer der; - DecodedCRL dcrl; + int ret = SSL_SUCCESS; + const byte* myBuffer = buff; /* if DER ok, otherwise switch */ + buffer der; + DecodedCRL dcrl; - der.buffer = NULL; + der.buffer = NULL; - CYASSL_ENTER("BufferLoadCRL"); + CYASSL_ENTER("BufferLoadCRL"); - if (crl == NULL || buff == NULL || sz == 0) - return BAD_FUNC_ARG; + if (crl == NULL || buff == NULL || sz == 0) + return BAD_FUNC_ARG; - if (type == SSL_FILETYPE_PEM) { - int eccKey = 0; /* not used */ - EncryptedInfo info; - info.ctx = NULL; + if (type == SSL_FILETYPE_PEM) { + int eccKey = 0; /* not used */ + EncryptedInfo info; + info.ctx = NULL; - ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey); - if (ret == 0) { - myBuffer = der.buffer; - sz = der.length; - } - else { - CYASSL_MSG("Pem to Der failed"); - return -1; - } - } - - InitDecodedCRL(&dcrl); - ret = ParseCRL(&dcrl, myBuffer, sz, crl->cm); - if (ret != 0) { - CYASSL_MSG("ParseCRL error"); - } - else { - ret = AddCRL(crl, &dcrl); - if (ret != 0) { - CYASSL_MSG("AddCRL error"); + ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey); + if (ret == 0) { + myBuffer = der.buffer; + sz = der.length; } - } - FreeDecodedCRL(&dcrl); + else { + CYASSL_MSG("Pem to Der failed"); + return -1; + } + } - if (der.buffer) - XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL); + InitDecodedCRL(&dcrl); + ret = ParseCRL(&dcrl, myBuffer, sz, crl->cm); + if (ret != 0) { + CYASSL_MSG("ParseCRL error"); + } + else { + ret = AddCRL(crl, &dcrl); + if (ret != 0) { + CYASSL_MSG("AddCRL error"); + } + } + FreeDecodedCRL(&dcrl); - if (ret == 0) - return SSL_SUCCESS; /* convert */ - return ret; + if (der.buffer) + XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL); + + if (ret == 0) + return SSL_SUCCESS; /* convert */ + return ret; } @@ -501,49 +501,49 @@ int StartMonitorCRL(CYASSL_CRL* crl) /* Load CRL path files of type, SSL_SUCCESS on ok */ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) { - struct dirent* entry; - DIR* dir; - int ret = SSL_SUCCESS; + struct dirent* entry; + DIR* dir; + int ret = SSL_SUCCESS; - CYASSL_ENTER("LoadCRL"); - if (crl == NULL) - return BAD_FUNC_ARG; + CYASSL_ENTER("LoadCRL"); + if (crl == NULL) + return BAD_FUNC_ARG; - dir = opendir(path); - if (dir == NULL) { - CYASSL_MSG("opendir path crl load failed"); - return BAD_PATH_ERROR; - } - while ( (entry = readdir(dir)) != NULL) { - if (entry->d_type & DT_REG) { - char name[MAX_FILENAME_SZ]; + dir = opendir(path); + if (dir == NULL) { + CYASSL_MSG("opendir path crl load failed"); + return BAD_PATH_ERROR; + } + while ( (entry = readdir(dir)) != NULL) { + if (entry->d_type & DT_REG) { + char name[MAX_FILENAME_SZ]; - if (type == SSL_FILETYPE_PEM) { - if (strstr(entry->d_name, ".pem") == NULL) { - CYASSL_MSG("not .pem file, skipping"); - continue; - } - } - else { - if (strstr(entry->d_name, ".der") == NULL && - strstr(entry->d_name, ".crl") == NULL) { + if (type == SSL_FILETYPE_PEM) { + if (strstr(entry->d_name, ".pem") == NULL) { + CYASSL_MSG("not .pem file, skipping"); + continue; + } + } + else { + if (strstr(entry->d_name, ".der") == NULL && + strstr(entry->d_name, ".crl") == NULL) { - CYASSL_MSG("not .der or .crl file, skipping"); - continue; - } - } + CYASSL_MSG("not .der or .crl file, skipping"); + continue; + } + } - XMEMSET(name, 0, sizeof(name)); - XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2); - XSTRNCAT(name, "/", 1); - XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); + XMEMSET(name, 0, sizeof(name)); + XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2); + XSTRNCAT(name, "/", 1); + XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); - if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl) + if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl) != SSL_SUCCESS) { CYASSL_MSG("CRL file load failed, continuing"); } - } - } + } + } if (monitor & CYASSL_CRL_MONITOR) { CYASSL_MSG("monitor path requested"); @@ -567,7 +567,7 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) } } - return ret; + return ret; } #endif /* HAVE_CRL */ From 6a62623c6472514692a982adb4c5eeafb82a72a1 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 25 May 2012 12:18:18 -0700 Subject: [PATCH 3/8] verify suite validity before server picks --- configure.ac | 2 +- cyassl/internal.h | 11 +- src/internal.c | 311 +++++++++++++++++++++++++++++++++++++++++++++- src/ssl.c | 8 +- 4 files changed, 319 insertions(+), 13 deletions(-) diff --git a/configure.ac b/configure.ac index 7a99cb230..0cfb4b52d 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.2.1],[http://www.yassl.com]) +AC_INIT([cyassl],[2.2.2],[http://www.yassl.com]) AC_CONFIG_AUX_DIR(config) diff --git a/cyassl/internal.h b/cyassl/internal.h index 4a37329e8..99baa3c0d 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -760,7 +760,7 @@ typedef struct CipherSpecs { /* Supported Ciphers from page 43 */ enum BulkCipherAlgorithm { - cipher_null, + cipher_null = 0, rc4, rc2, des, @@ -775,7 +775,7 @@ enum BulkCipherAlgorithm { /* Supported Message Authentication Codes from page 43 */ enum MACAlgorithm { - no_mac = 0, + no_mac = 10, md5_mac, sha_mac, sha224_mac, @@ -788,19 +788,20 @@ enum MACAlgorithm { /* Supported Key Exchange Protocols */ enum KeyExchangeAlgorithm { - no_kea = 0, + no_kea = 20, rsa_kea, diffie_hellman_kea, fortezza_kea, psk_kea, ntru_kea, - ecc_diffie_hellman_kea + ecc_diffie_hellman_kea, + ecc_static_diffie_hellman_kea /* for verify suite only */ }; /* Supported Authentication Schemes */ enum SignatureAlgorithm { - anonymous_sa_algo = 0, + anonymous_sa_algo = 30, rsa_sa_algo, dsa_sa_algo, ecc_dsa_sa_algo diff --git a/src/internal.c b/src/internal.c index 685e4df3f..446c069ab 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5457,10 +5457,309 @@ int SetCipherList(Suites* s, const char* list) } + + /* Does this cipher suite (first, second) have the requirement + an ephemeral key exchange will still require the key for signing + the key exchange so ECHDE_RSA requires an rsa key thus rsa_kea */ + static int CipherRequires(byte first, byte second, int requirement) + { + /* ECC extensions */ + if (first == ECC_BYTE) { + + switch (second) { + + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA : + if (requirement == ecc_static_diffie_hellman_kea) + return 1; + break; + + case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA : + if (requirement == ecc_static_diffie_hellman_kea) + return 1; + break; + + case TLS_ECDHE_RSA_WITH_RC4_128_SHA : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_ECDH_RSA_WITH_RC4_128_SHA : + if (requirement == ecc_static_diffie_hellman_kea) + return 1; + break; + + case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA : + if (requirement == ecc_dsa_sa_algo) + return 1; + break; + + case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA : + if (requirement == ecc_static_diffie_hellman_kea) + return 1; + break; + + case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : + if (requirement == ecc_dsa_sa_algo) + return 1; + break; + + case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : + if (requirement == ecc_static_diffie_hellman_kea) + return 1; + break; + + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA : + if (requirement == ecc_static_diffie_hellman_kea) + return 1; + break; + + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA : + if (requirement == ecc_dsa_sa_algo) + return 1; + break; + + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA : + if (requirement == ecc_static_diffie_hellman_kea) + return 1; + break; + + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA : + if (requirement == ecc_dsa_sa_algo) + return 1; + break; + + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA : + if (requirement == ecc_static_diffie_hellman_kea) + return 1; + break; + + default: + CYASSL_MSG("Unsupported cipher suite, CipherRequires ECC"); + return 0; + } /* switch */ + } /* if */ + if (first != ECC_BYTE) { /* normal suites */ + switch (second) { + + case SSL_RSA_WITH_RC4_128_SHA : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_NTRU_RSA_WITH_RC4_128_SHA : + if (requirement == ntru_kea) + return 1; + break; + + case SSL_RSA_WITH_RC4_128_MD5 : + if (requirement == rsa_kea) + return 1; + break; + + case SSL_RSA_WITH_3DES_EDE_CBC_SHA : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA : + if (requirement == ntru_kea) + return 1; + break; + + case TLS_RSA_WITH_AES_128_CBC_SHA : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_RSA_WITH_AES_128_CBC_SHA256 : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : + if (requirement == ntru_kea) + return 1; + break; + + case TLS_RSA_WITH_AES_256_CBC_SHA : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_RSA_WITH_AES_256_CBC_SHA256 : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : + if (requirement == ntru_kea) + return 1; + break; + + case TLS_PSK_WITH_AES_128_CBC_SHA : + if (requirement == psk_kea) + return 1; + break; + + case TLS_PSK_WITH_AES_256_CBC_SHA : + if (requirement == psk_kea) + return 1; + break; + + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : + if (requirement == rsa_kea) + return 1; + if (requirement == diffie_hellman_kea) + return 1; + break; + + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : + if (requirement == rsa_kea) + return 1; + if (requirement == diffie_hellman_kea) + return 1; + break; + + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : + if (requirement == rsa_kea) + return 1; + if (requirement == diffie_hellman_kea) + return 1; + break; + + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : + if (requirement == rsa_kea) + return 1; + if (requirement == diffie_hellman_kea) + return 1; + break; + + case TLS_RSA_WITH_HC_128_CBC_MD5 : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_RSA_WITH_HC_128_CBC_SHA : + if (requirement == rsa_kea) + return 1; + break; + + case TLS_RSA_WITH_RABBIT_CBC_SHA : + if (requirement == rsa_kea) + return 1; + break; + + default: + CYASSL_MSG("Unsupported cipher suite, CipherRequires"); + return 0; + } /* switch */ + } /* if ECC / Normal suites else */ + + return 0; + } + + + + + + /* Make sure cert/key are valid for this suite, true on success */ + static int VerifySuite(CYASSL* ssl, word16 idx) + { + int haveRSA = !ssl->options.haveECDSA; + int havePSK = 0; + byte first = ssl->suites.suites[idx]; + byte second = ssl->suites.suites[idx+1]; + + CYASSL_ENTER("VerifySuite"); + + #ifndef NO_PSK + havePSK = ssl->options.havePSK; + #endif + + if (ssl->options.haveNTRU) + haveRSA = 0; + + if (CipherRequires(first, second, rsa_kea)) { + CYASSL_MSG("Requires RSA"); + if (haveRSA == 0) { + CYASSL_MSG("Don't have RSA"); + return 0; + } + return 1; + } + + if (CipherRequires(first, second, diffie_hellman_kea)) { + CYASSL_MSG("Requires DHE"); + if (ssl->options.haveDH == 0) { + CYASSL_MSG("Don't have DHE"); + return 0; + } + return 1; + } + + if (CipherRequires(first, second, ecc_dsa_sa_algo)) { + CYASSL_MSG("Requires ECCDSA"); + if (ssl->options.haveECDSA == 0) { + CYASSL_MSG("Don't have ECCDSA"); + return 0; + } + return 1; + } + + if (CipherRequires(first, second, ecc_static_diffie_hellman_kea)) { + CYASSL_MSG("Requires static ECC"); + if (ssl->options.haveStaticECC == 0) { + CYASSL_MSG("Don't have static ECC"); + return 0; + } + return 1; + } + + if (CipherRequires(first, second, psk_kea)) { + CYASSL_MSG("Requires PSK"); + if (havePSK == 0) { + CYASSL_MSG("Don't have PSK"); + return 0; + } + return 1; + } + + if (CipherRequires(first, second, ntru_kea)) { + CYASSL_MSG("Requires NTRU"); + if (ssl->options.haveNTRU == 0) { + CYASSL_MSG("Don't have NTRU"); + return 0; + } + return 1; + } + + /* ECCDHE is always supported if ECC on */ + + return 1; + } + + static int MatchSuite(CYASSL* ssl, Suites* peerSuites) { word16 i, j; + CYASSL_ENTER("MatchSuite"); + /* & 0x1 equivalent % 2 */ if (peerSuites->suiteSz == 0 || peerSuites->suiteSz & 0x1) return MATCH_SUITE_ERROR; @@ -5471,9 +5770,15 @@ int SetCipherList(Suites* s, const char* list) if (ssl->suites.suites[i] == peerSuites->suites[j] && ssl->suites.suites[i+1] == peerSuites->suites[j+1] ) { - ssl->options.cipherSuite0 = ssl->suites.suites[i]; - ssl->options.cipherSuite = ssl->suites.suites[i+1]; - return SetCipherSpecs(ssl); + if (VerifySuite(ssl, i)) { + CYASSL_MSG("Verified suite validity"); + ssl->options.cipherSuite0 = ssl->suites.suites[i]; + ssl->options.cipherSuite = ssl->suites.suites[i+1]; + return SetCipherSpecs(ssl); + } + else { + CYASSL_MSG("Coult not verify suite validity, continue"); + } } return MATCH_SUITE_ERROR; diff --git a/src/ssl.c b/src/ssl.c index f61ab880a..207e55cda 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -7706,8 +7706,8 @@ long CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, long options) } return 0; #else - (void*)ctx; - (void*)options; + (void)ctx; + (void)options; return NOT_COMPILED_IN; #endif } @@ -7719,8 +7719,8 @@ int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX* ctx, const char* url) #ifdef HAVE_OCSP return CyaSSL_OCSP_set_override_url(&ctx->ocsp, url); #else - (void*)ctx; - (void*)url; + (void)ctx; + (void)url; return NOT_COMPILED_IN; #endif } From a1bb4e3f93170ce747f08c7b8f104fb9dafc0261 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 25 May 2012 13:09:27 -0700 Subject: [PATCH 4/8] gcc-lots-o-warnings fixes --- ctaocrypt/src/asn.c | 190 +++++++++++++++++++++++--------------------- src/crl.c | 4 +- src/ocsp.c | 9 ++- 3 files changed, 106 insertions(+), 97 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index c675cfe51..73e3065f6 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -4105,94 +4105,94 @@ static int GetEnumerated(const byte* input, word32* inOutIdx, int *value) static int DecodeSingleResponse(byte* source, word32* ioIndex, OcspResponse* resp, word32 size) { - word32 index = *ioIndex, prevIndex, oid; + word32 idx = *ioIndex, prevIndex, oid; int length, remainder, qty = 0; /* Outer wrapper of the SEQUENCE OF Single Responses. */ - if (GetSequence(source, &index, &length, size) < 0) + if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; remainder = length; /* First Single Response */ while (remainder != 0 && qty < STATUS_LIST_SIZE) { - prevIndex = index; + prevIndex = idx; /* Wrapper around the Single Response */ - if (GetSequence(source, &index, &length, size) < 0) + if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; /* Wrapper around the CertID */ - if (GetSequence(source, &index, &length, size) < 0) + if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; /* Skip the hash algorithm */ - if (GetAlgoId(source, &index, &oid, size) < 0) + if (GetAlgoId(source, &idx, &oid, size) < 0) return ASN_PARSE_E; /* Skip the hash of CN */ - if (source[index++] != ASN_OCTET_STRING) + if (source[idx++] != ASN_OCTET_STRING) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - index += length; + idx += length; /* Skip the hash of the issuer public key */ - if (source[index++] != ASN_OCTET_STRING) + if (source[idx++] != ASN_OCTET_STRING) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - index += length; + idx += length; /* Read the serial number, it is handled as a string, not as a * proper number. Just XMEMCPY the data over, rather than load it * as an mp_int. */ - if (source[index++] != ASN_INTEGER) + if (source[idx++] != ASN_INTEGER) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; if (length <= EXTERNAL_SERIAL_SIZE) { - if (source[index] == 0) { - index++; + if (source[idx] == 0) { + idx++; length--; } - XMEMCPY(resp->certSN[qty], source + index, length); + XMEMCPY(resp->certSN[qty], source + idx, length); resp->certSNsz[qty] = length; } else { return ASN_GETINT_E; } - index += length; + idx += length; /* CertStatus */ - switch (source[index++]) + switch (source[idx++]) { case (ASN_CONTEXT_SPECIFIC | CERT_GOOD): resp->certStatus[qty] = CERT_GOOD; - index++; + idx++; break; case (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CERT_REVOKED): resp->certStatus[qty] = CERT_REVOKED; - GetLength(source, &index, &length, size); - index += length; + GetLength(source, &idx, &length, size); + idx += length; break; case (ASN_CONTEXT_SPECIFIC | CERT_UNKNOWN): resp->certStatus[qty] = CERT_UNKNOWN; - index++; + idx++; break; default: return ASN_PARSE_E; } - if (source[index++] != ASN_GENERALIZED_TIME) + if (source[idx++] != ASN_GENERALIZED_TIME) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - resp->thisUpdate = source + index; - index += length; + resp->thisUpdate = source + idx; + idx += length; - remainder = remainder + prevIndex - index; + remainder = remainder + prevIndex - idx; qty++; } resp->certStatusCount = qty; - *ioIndex = index; + *ioIndex = idx; return 0; } @@ -4200,60 +4200,60 @@ static int DecodeSingleResponse(byte* source, static int DecodeOcspRespExtensions(byte* source, word32* ioIndex, OcspResponse* resp, word32 sz) { - word32 index = *ioIndex; + word32 idx = *ioIndex; int length; int ext_bound; /* boundary index for the sequence of extensions */ word32 oid; CYASSL_ENTER("DecodeOcspRespExtensions"); - if (source[index++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) + if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) return ASN_PARSE_E; - if (GetLength(source, &index, &length, sz) < 0) return ASN_PARSE_E; + if (GetLength(source, &idx, &length, sz) < 0) return ASN_PARSE_E; - if (GetSequence(source, &index, &length, sz) < 0) return ASN_PARSE_E; + if (GetSequence(source, &idx, &length, sz) < 0) return ASN_PARSE_E; - ext_bound = index + length; + ext_bound = idx + length; - while (index < ext_bound) { - if (GetSequence(source, &index, &length, sz) < 0) { + while (idx < (word32)ext_bound) { + if (GetSequence(source, &idx, &length, sz) < 0) { CYASSL_MSG("\tfail: should be a SEQUENCE"); return ASN_PARSE_E; } oid = 0; - if (GetObjectId(source, &index, &oid, sz) < 0) { + if (GetObjectId(source, &idx, &oid, sz) < 0) { CYASSL_MSG("\tfail: OBJECT ID"); return ASN_PARSE_E; } /* check for critical flag */ - if (source[index] == ASN_BOOLEAN) { + if (source[idx] == ASN_BOOLEAN) { CYASSL_MSG("\tfound optional critical flag, moving past"); - index += (ASN_BOOL_SIZE + 1); + idx += (ASN_BOOL_SIZE + 1); } /* process the extension based on the OID */ - if (source[index++] != ASN_OCTET_STRING) { + if (source[idx++] != ASN_OCTET_STRING) { CYASSL_MSG("\tfail: should be an OCTET STRING"); return ASN_PARSE_E; } - if (GetLength(source, &index, &length, sz) < 0) { + if (GetLength(source, &idx, &length, sz) < 0) { CYASSL_MSG("\tfail: extension data length"); return ASN_PARSE_E; } if (oid == OCSP_NONCE_OID) { - resp->nonce = source + index; + resp->nonce = source + idx; resp->nonceSz = length; } - index += length; + idx += length; } - *ioIndex = index; + *ioIndex = idx; return 0; } @@ -4261,54 +4261,54 @@ static int DecodeOcspRespExtensions(byte* source, static int DecodeResponseData(byte* source, word32* ioIndex, OcspResponse* resp, word32 size) { - word32 index = *ioIndex; - int length, result; + word32 idx = *ioIndex; + int length; int version; word32 responderId = 0; - if (GetSequence(source, &index, &length, size) < 0) + if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; - resp->respBegin = index; + resp->respBegin = idx; resp->respLength = length; /* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this * item isn't an EXPLICIT[0], then set version to zero and move * onto the next item. */ - if (source[index] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) + if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { - index += 2; /* Eat the value and length */ - if (GetMyVersion(source, &index, &version) < 0) + idx += 2; /* Eat the value and length */ + if (GetMyVersion(source, &idx, &version) < 0) return ASN_PARSE_E; } else version = 0; - responderId = source[index++]; + responderId = source[idx++]; if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) || (responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2))) { - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - index += length; + idx += length; } else return ASN_PARSE_E; /* save pointer to the producedAt time */ - if (source[index++] != ASN_GENERALIZED_TIME) + if (source[idx++] != ASN_GENERALIZED_TIME) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - resp->producedAt = source + index; - index += length; + resp->producedAt = source + idx; + idx += length; - if (DecodeSingleResponse(source, &index, resp, size) < 0) + if (DecodeSingleResponse(source, &idx, resp, size) < 0) return ASN_PARSE_E; - if (DecodeOcspRespExtensions(source, &index, resp, size) < 0) + if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) return ASN_PARSE_E; - *ioIndex = index; + *ioIndex = idx; return 0; } @@ -4316,16 +4316,19 @@ static int DecodeResponseData(byte* source, static int DecodeCerts(byte* source, word32* ioIndex, OcspResponse* resp, word32 size) { - word32 index = *ioIndex; - if (source[index++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) + word32 idx = *ioIndex; + + (void)resp; + + if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) { int length; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - index += length; + idx += length; } - *ioIndex = index; + *ioIndex = idx; return 0; } @@ -4333,42 +4336,42 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, OcspResponse* resp, word32 size) { int length; - word32 index = *ioIndex; + word32 idx = *ioIndex; word32 end_index; - if (GetSequence(source, &index, &length, size) < 0) + if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; - if (index + length > size) + if (idx + length > size) return ASN_INPUT_E; - end_index = index + length; + end_index = idx + length; - if (DecodeResponseData(source, &index, resp, size) < 0) + if (DecodeResponseData(source, &idx, resp, size) < 0) return ASN_PARSE_E; /* Get the signature algorithm */ - if (GetAlgoId(source, &index, &resp->sigOID, size) < 0) + if (GetAlgoId(source, &idx, &resp->sigOID, size) < 0) return ASN_PARSE_E; /* Obtain pointer to the start of the signature, and save the size */ - if (source[index++] == ASN_BIT_STRING) + if (source[idx++] == ASN_BIT_STRING) { int sigLength = 0; - if (GetLength(source, &index, &sigLength, size) < 0) + if (GetLength(source, &idx, &sigLength, size) < 0) return ASN_PARSE_E; resp->sigLength = sigLength; - resp->sigIndex = index; - index += sigLength; + resp->sigIndex = idx; + idx += sigLength; } /* * Check the length of the BasicOcspResponse against the current index to * see if there are certificates, they are optional. */ - if (index < end_index) - return DecodeCerts(source, &index, resp, size); + if (idx < end_index) + return DecodeCerts(source, &idx, resp, size); - *ioIndex = index; + *ioIndex = idx; return 0; } @@ -4382,52 +4385,55 @@ void InitOcspResponse(OcspResponse* resp, byte* source, word32 inSz, void* heap) } -void FreeOcspResponse(OcspResponse* resp) {} +void FreeOcspResponse(OcspResponse* resp) +{ + (void)resp; +} int OcspResponseDecode(OcspResponse* resp) { int length = 0; - word32 index = 0; + word32 idx = 0; byte* source = resp->source; word32 size = resp->maxIdx; word32 oid; /* peel the outer SEQUENCE wrapper */ - if (GetSequence(source, &index, &length, size) < 0) + if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; /* First get the responseStatus, an ENUMERATED */ - if (GetEnumerated(source, &index, &resp->responseStatus) < 0) + if (GetEnumerated(source, &idx, &resp->responseStatus) < 0) return ASN_PARSE_E; if (resp->responseStatus != OCSP_SUCCESSFUL) return 0; /* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */ - if (index >= size) + if (idx >= size) return ASN_INPUT_E; - if (source[index++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) + if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; /* Get the responseBytes SEQUENCE */ - if (GetSequence(source, &index, &length, size) < 0) + if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; /* Check ObjectID for the resposeBytes */ - if (GetObjectId(source, &index, &oid, size) < 0) + if (GetObjectId(source, &idx, &oid, size) < 0) return ASN_PARSE_E; if (oid != OCSP_BASIC_OID) return ASN_PARSE_E; - if (source[index++] != ASN_OCTET_STRING) + if (source[idx++] != ASN_OCTET_STRING) return ASN_PARSE_E; - if (GetLength(source, &index, &length, size) < 0) + if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - if (DecodeBasicOcspResponse(source, &index, resp, size) < 0) + if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0) return ASN_PARSE_E; return 0; @@ -4515,6 +4521,8 @@ int EncodeOcspRequest(DecodedCert* cert, byte* output, word32 outputSz) extSz, totalSz; int i; + (void)outputSz; + CYASSL_ENTER("EncodeOcspRequest"); algoSz = SetAlgoID(SHAh, algoArray, hashType); issuerSz = SetDigest(cert->issuerHash, SHA_SIZE, issuerArray); diff --git a/src/crl.c b/src/crl.c index 8b82261c6..56e84f8c9 100644 --- a/src/crl.c +++ b/src/crl.c @@ -463,7 +463,7 @@ static void* DoMonitor(void* arg) /* Start Monitoring the CRL path(s) in a thread */ -int StartMonitorCRL(CYASSL_CRL* crl) +static int StartMonitorCRL(CYASSL_CRL* crl) { pthread_attr_t attr; @@ -490,7 +490,7 @@ int StartMonitorCRL(CYASSL_CRL* crl) #else /* HAVE_CRL_MONITOR */ -int StartMonitorCRL(CYASSL_CRL* crl) +static int StartMonitorCRL(CYASSL_CRL* crl) { return NOT_COMPILED_IN; } diff --git a/src/ocsp.c b/src/ocsp.c index 4f5370ad3..acba2b3c5 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -104,7 +104,7 @@ static int decode_url(const char* url, int urlSz, } else { - int i, cur, hostname; + int i, cur; /* need to break the url down into scheme, address, and port */ /* "http://example.com:8080/" */ @@ -185,8 +185,9 @@ static INLINE void tcp_socket(SOCKET_T* sockfd, SOCKADDR_IN_T* addr, entry->h_length); host = inet_ntoa(tmp.sin_addr); } - else + else { CYASSL_MSG("no entry for host"); + } } *sockfd = socket(AF_INET_V, SOCK_STREAM, 0); @@ -206,8 +207,9 @@ static INLINE void tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port) SOCKADDR_IN_T addr; tcp_socket(sockfd, &addr, ip, port); - if (connect(*sockfd, (const struct sockaddr*)&addr, sizeof(addr)) != 0) + if (connect(*sockfd, (const struct sockaddr*)&addr, sizeof(addr)) != 0) { CYASSL_MSG("tcp connect failed"); + } } @@ -230,7 +232,6 @@ static byte* decode_http_response(byte* httpBuf, int httpBufSz, int* ocspRespSz) int stop = 0; byte* contentType = NULL; byte* contentLength = NULL; - byte* content = NULL; char* buf = (char*)httpBuf; /* kludge so I'm not constantly casting */ if (strncasecmp(buf, "HTTP/1", 6) != 0) From 82a56daaaf91880b713855c5aa6d293126d351e8 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 25 May 2012 13:26:28 -0700 Subject: [PATCH 5/8] ecc crls --- certs/crl/eccCliCRL.pem | 24 ++++++++++++++++++++++++ certs/crl/eccSrvCRL.pem | 24 ++++++++++++++++++++++++ certs/crl/include.am | 4 +++- 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 certs/crl/eccCliCRL.pem create mode 100644 certs/crl/eccSrvCRL.pem diff --git a/certs/crl/eccCliCRL.pem b/certs/crl/eccCliCRL.pem new file mode 100644 index 000000000..82c61b40c --- /dev/null +++ b/certs/crl/eccCliCRL.pem @@ -0,0 +1,24 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: ecdsa-with-SHA1 + Issuer: /C=US/ST=Oregon/L=Salem/O=Client ECC/OU=Fast/CN=www.yassl.com/emailAddress=info@yassl.com + Last Update: May 25 20:21:43 2012 GMT + Next Update: Jun 24 20:21:43 2012 GMT + CRL extensions: + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: ecdsa-with-SHA1 + 30:45:02:21:00:c8:82:17:00:62:02:ae:73:f8:80:57:3d:19: + df:f3:36:5a:4c:12:89:d5:d6:b4:aa:29:b6:c8:7d:f2:1d:2f: + 55:02:20:18:f4:ad:18:1a:c5:df:39:81:ad:0d:3e:45:14:3d: + 07:44:31:21:bd:ed:13:32:7b:32:03:41:a1:0f:fd:1a:67 +-----BEGIN X509 CRL----- +MIIBIDCByAIBATAJBgcqhkjOPQQBMIGJMQswCQYDVQQGEwJVUzEPMA0GA1UECBMG +T3JlZ29uMQ4wDAYDVQQHEwVTYWxlbTETMBEGA1UEChMKQ2xpZW50IEVDQzENMAsG +A1UECxMERmFzdDEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEdMBsGCSqGSIb3DQEJ +ARYOaW5mb0B5YXNzbC5jb20XDTEyMDUyNTIwMjE0M1oXDTEyMDYyNDIwMjE0M1qg +DjAMMAoGA1UdFAQDAgEBMAkGByqGSM49BAEDSAAwRQIhAMiCFwBiAq5z+IBXPRnf +8zZaTBKJ1da0qim2yH3yHS9VAiAY9K0YGsXfOYGtDT5FFD0HRDEhve0TMnsyA0Gh +D/0aZw== +-----END X509 CRL----- diff --git a/certs/crl/eccSrvCRL.pem b/certs/crl/eccSrvCRL.pem new file mode 100644 index 000000000..4351892c8 --- /dev/null +++ b/certs/crl/eccSrvCRL.pem @@ -0,0 +1,24 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: ecdsa-with-SHA1 + Issuer: /C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.yassl.com/emailAddress=info@yassl.com + Last Update: May 25 20:15:31 2012 GMT + Next Update: Jun 24 20:15:31 2012 GMT + CRL extensions: + X509v3 CRL Number: + 1 +No Revoked Certificates. + Signature Algorithm: ecdsa-with-SHA1 + 30:46:02:21:00:d3:e3:d6:58:f7:92:c6:93:e3:c2:b9:81:dd: + b2:3f:e8:c9:4d:61:b1:ed:25:d2:1d:49:da:bd:15:ab:c7:21: + 9f:02:21:00:e6:8f:20:2a:10:e7:85:26:6b:31:6e:c4:c2:08: + b5:c3:fa:d0:fa:ca:34:8c:2a:85:6c:18:94:84:18:46:96:a7 +-----BEGIN X509 CRL----- +MIIBIzCBygIBATAJBgcqhkjOPQQBMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMK +V2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTEQMA4GA1UEChMHRWxpcHRpYzEM +MAoGA1UECxMDRUNDMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJKoZIhvcN +AQkBFg5pbmZvQHlhc3NsLmNvbRcNMTIwNTI1MjAxNTMxWhcNMTIwNjI0MjAxNTMx +WqAOMAwwCgYDVR0UBAMCAQEwCQYHKoZIzj0EAQNJADBGAiEA0+PWWPeSxpPjwrmB +3bI/6MlNYbHtJdIdSdq9FavHIZ8CIQDmjyAqEOeFJmsxbsTCCLXD+tD6yjSMKoVs +GJSEGEaWpw== +-----END X509 CRL----- diff --git a/certs/crl/include.am b/certs/crl/include.am index 2f4a20ba9..7adca3225 100644 --- a/certs/crl/include.am +++ b/certs/crl/include.am @@ -4,7 +4,9 @@ EXTRA_DIST += \ certs/crl/crl.pem \ - certs/crl/cliCrl.pem + certs/crl/cliCrl.pem \ + certs/crl/eccSrvCRL.pem \ + certs/crl/eccCliCRL.pem EXTRA_DIST += \ certs/crl/crl.revoked From 02079a2f796f2803493c73340cfcf6eef06d864f Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 25 May 2012 13:38:44 -0700 Subject: [PATCH 6/8] c++ cast fix --- ctaocrypt/src/asn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 73e3065f6..be6aa75a8 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -4718,7 +4718,7 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl, return ASN_PARSE_E; } - rc = XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL); + rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL); if (rc == NULL) { CYASSL_MSG("Alloc Revoked Cert failed"); return MEMORY_E; From 28fb9fb0f7b0d170870bd5e5d1ed2366610eef52 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 25 May 2012 14:43:36 -0700 Subject: [PATCH 7/8] new dev version --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 0cfb4b52d..5df68075c 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.2.2],[http://www.yassl.com]) +AC_INIT([cyassl],[2.2.3],[http://www.yassl.com]) AC_CONFIG_AUX_DIR(config) From c2292c31b02e30b5ac7be08cf44e5ca1da965768 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 25 May 2012 16:32:10 -0700 Subject: [PATCH 8/8] fixed ASN.1 decoding bug in the basic ca constraint certificate extension --- ctaocrypt/src/asn.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index be6aa75a8..5ff6741c2 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -2078,6 +2078,10 @@ static void DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert) CYASSL_ENTER("DecodeBasicCaConstraint"); if (GetSequence(input, &idx, &length, sz) < 0) return; + if (length == 0) return; + /* If the basic ca constraint is false, this extension may be named, but + * left empty. So, if the length is 0, just return. */ + if (input[idx++] != ASN_BOOLEAN) { CYASSL_MSG("\tfail: constraint not BOOLEAN");