wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-27 09:12:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

RipeMd and Sha224 added to unit test.

Browse Source
This commit is contained in:
David Garske
2016-12-19 12:15:10 -08:00
committed by jrblixt
parent a40a3cb142
commit 4edcbc79c1
215 changed files with 58563 additions and 21354 deletions
Download Patch File Download Diff File Expand all files Collapse all files

446
src/bio.c Normal file
View File

@@ -0,0 +1,446 @@
/* bio.c
*
* Copyright (C) 2006-2016 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*** TBD ***/
WOLFSSL_API long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bio, int cmd, long larg, void *parg)
{
(void)bio;
(void)cmd;
(void)larg;
(void)parg;
WOLFSSL_ENTER("BIO_ctrl");
return 1;
}
/* Return the number of pending bytes in read and write buffers */
size_t wolfSSL_BIO_ctrl_pending(WOLFSSL_BIO *bio)
{
WOLFSSL_ENTER("BIO_ctrl_pending");
if (bio == NULL) {
return 0;
}
if (bio->ssl != NULL) {
return (long)wolfSSL_pending(bio->ssl);
}
if (bio->type == BIO_MEMORY) {
return bio->memLen;
}
/* type BIO_BIO then check paired buffer */
if (bio->type == BIO_BIO && bio->pair != NULL) {
WOLFSSL_BIO* pair = bio->pair;
if (pair->wrIdx > 0 && pair->wrIdx <= pair->rdIdx) {
/* in wrap around state where begining of buffer is being
* overwritten */
return pair->wrSz - pair->rdIdx + pair->wrIdx;
}
else {
/* simple case where has not wrapped around */
return pair->wrIdx - pair->rdIdx;
}
}
return 0;
}
long wolfSSL_BIO_get_mem_ptr(WOLFSSL_BIO *bio, WOLFSSL_BUF_MEM **ptr)
{
WOLFSSL_ENTER("BIO_get_mem_ptr");
if (bio == NULL || ptr == NULL) {
return SSL_FAILURE;
}
*ptr = (WOLFSSL_BUF_MEM*)(bio->mem);
return SSL_SUCCESS;
}
/*** TBD ***/
WOLFSSL_API long wolfSSL_BIO_int_ctrl(WOLFSSL_BIO *bp, int cmd, long larg, int iarg)
{
(void) bp;
(void) cmd;
(void) larg;
(void) iarg;
WOLFSSL_ENTER("BIO_int_ctrl");
return 0;
}
int wolfSSL_BIO_set_write_buf_size(WOLFSSL_BIO *bio, long size)
{
WOLFSSL_ENTER("wolfSSL_BIO_set_write_buf_size");
if (bio == NULL || bio->type != BIO_BIO || size < 0) {
return SSL_FAILURE;
}
/* if already in pair then do not change size */
if (bio->pair != NULL) {
WOLFSSL_MSG("WOLFSSL_BIO is paired, free from pair before changing");
return SSL_FAILURE;
}
bio->wrSz = (int)size;
if (bio->wrSz < 0) {
WOLFSSL_MSG("Unexpected negative size value");
return SSL_FAILURE;
}
if (bio->mem != NULL) {
XFREE(bio->mem, bio->heap, DYNAMIC_TYPE_OPENSSL);
}
bio->mem = (byte*)XMALLOC(bio->wrSz, bio->heap, DYNAMIC_TYPE_OPENSSL);
if (bio->mem == NULL) {
WOLFSSL_MSG("Memory allocation error");
return SSL_FAILURE;
}
bio->wrIdx = 0;
bio->rdIdx = 0;
return SSL_SUCCESS;
}
/* Joins two BIO_BIO types. The write of b1 goes to the read of b2 and vise
* versa. Creating something similar to a two way pipe.
* Reading and writing between the two BIOs is not thread safe, they are
* expected to be used by the same thread. */
int wolfSSL_BIO_make_bio_pair(WOLFSSL_BIO *b1, WOLFSSL_BIO *b2)
{
WOLFSSL_ENTER("wolfSSL_BIO_make_bio_pair");
if (b1 == NULL || b2 == NULL) {
WOLFSSL_LEAVE("wolfSSL_BIO_make_bio_pair", BAD_FUNC_ARG);
return SSL_FAILURE;
}
/* both are expected to be of type BIO and not already paired */
if (b1->type != BIO_BIO || b2->type != BIO_BIO ||
b1->pair != NULL || b2->pair != NULL) {
WOLFSSL_MSG("Expected type BIO and not already paired");
return SSL_FAILURE;
}
/* set default write size if not already set */
if (b1->mem == NULL && wolfSSL_BIO_set_write_buf_size(b1,
WOLFSSL_BIO_SIZE) != SSL_SUCCESS) {
return SSL_FAILURE;
}
if (b2->mem == NULL && wolfSSL_BIO_set_write_buf_size(b2,
WOLFSSL_BIO_SIZE) != SSL_SUCCESS) {
return SSL_FAILURE;
}
b1->pair = b2;
b2->pair = b1;
return SSL_SUCCESS;
}
int wolfSSL_BIO_ctrl_reset_read_request(WOLFSSL_BIO *b)
{
WOLFSSL_ENTER("wolfSSL_BIO_ctrl_reset_read_request");
if (b == NULL) {
return SSL_FAILURE;
}
b->readRq = 0;
return SSL_SUCCESS;
}
/* Does not advance read index pointer */
int wolfSSL_BIO_nread0(WOLFSSL_BIO *bio, char **buf)
{
WOLFSSL_ENTER("wolfSSL_BIO_nread0");
if (bio == NULL || buf == NULL) {
WOLFSSL_MSG("NULL argument passed in");
return 0;
}
/* if paired read from pair */
if (bio->pair != NULL) {
WOLFSSL_BIO* pair = bio->pair;
/* case where have wrapped around write buffer */
*buf = (char*)pair->mem + pair->rdIdx;
if (pair->wrIdx > 0 && pair->rdIdx >= pair->wrIdx) {
return pair->wrSz - pair->rdIdx;
}
else {
return pair->wrIdx - pair->rdIdx;
}
}
return 0;
}
/* similar to wolfSSL_BIO_nread0 but advances the read index */
int wolfSSL_BIO_nread(WOLFSSL_BIO *bio, char **buf, int num)
{
int sz = WOLFSSL_BIO_UNSET;
WOLFSSL_ENTER("wolfSSL_BIO_nread");
if (bio == NULL || buf == NULL) {
WOLFSSL_MSG("NULL argument passed in");
return SSL_FAILURE;
}
if (bio->pair != NULL) {
/* special case if asking to read 0 bytes */
if (num == 0) {
*buf = (char*)bio->pair->mem + bio->pair->rdIdx;
return 0;
}
/* get amount able to read and set buffer pointer */
sz = wolfSSL_BIO_nread0(bio, buf);
if (sz == 0) {
return WOLFSSL_BIO_ERROR;
}
if (num < sz) {
sz = num;
}
bio->pair->rdIdx += sz;
/* check if have read to the end of the buffer and need to reset */
if (bio->pair->rdIdx == bio->pair->wrSz) {
bio->pair->rdIdx = 0;
if (bio->pair->wrIdx == bio->pair->wrSz) {
bio->pair->wrIdx = 0;
}
}
/* check if read up to write index, if so then reset indexs */
if (bio->pair->rdIdx == bio->pair->wrIdx) {
bio->pair->rdIdx = 0;
bio->pair->wrIdx = 0;
}
}
return sz;
}
int wolfSSL_BIO_nwrite(WOLFSSL_BIO *bio, char **buf, int num)
{
int sz = WOLFSSL_BIO_UNSET;
WOLFSSL_ENTER("wolfSSL_BIO_nwrite");
if (bio == NULL || buf == NULL) {
WOLFSSL_MSG("NULL argument passed in");
return 0;
}
if (bio->pair != NULL) {
if (num == 0) {
*buf = (char*)bio->mem + bio->wrIdx;
return 0;
}
if (bio->wrIdx < bio->rdIdx) {
/* if wrapped around only write up to read index. In this case
* rdIdx is always greater then wrIdx so sz will not be negative. */
sz = bio->rdIdx - bio->wrIdx;
}
else if (bio->rdIdx > 0 && bio->wrIdx == bio->rdIdx) {
return WOLFSSL_BIO_ERROR; /* no more room to write */
}
else {
/* write index is past read index so write to end of buffer */
sz = bio->wrSz - bio->wrIdx;
if (sz <= 0) {
/* either an error has occured with write index or it is at the
* end of the write buffer. */
if (bio->rdIdx == 0) {
/* no more room, nothing has been read */
return WOLFSSL_BIO_ERROR;
}
bio->wrIdx = 0;
/* check case where read index is not at 0 */
if (bio->rdIdx > 0) {
sz = bio->rdIdx; /* can write up to the read index */
}
else {
sz = bio->wrSz; /* no restriction other then buffer size */
}
}
}
if (num < sz) {
sz = num;
}
*buf = (char*)bio->mem + bio->wrIdx;
bio->wrIdx += sz;
/* if at the end of the buffer and space for wrap around then set
* write index back to 0 */
if (bio->wrIdx == bio->wrSz && bio->rdIdx > 0) {
bio->wrIdx = 0;
}
}
return sz;
}
/* Reset BIO to initial state */
int wolfSSL_BIO_reset(WOLFSSL_BIO *bio)
{
WOLFSSL_ENTER("wolfSSL_BIO_reset");
if (bio == NULL) {
WOLFSSL_MSG("NULL argument passed in");
/* -1 is consistent failure even for FILE type */
return WOLFSSL_BIO_ERROR;
}
switch (bio->type) {
#ifndef NO_FILESYSTEM
case BIO_FILE:
XREWIND(bio->file);
return 0;
#endif
case BIO_BIO:
bio->rdIdx = 0;
bio->wrIdx = 0;
return 0;
default:
WOLFSSL_MSG("Unknown BIO type needs added to reset function");
}
return WOLFSSL_BIO_ERROR;
}
#ifndef NO_FILESYSTEM
long wolfSSL_BIO_set_fp(WOLFSSL_BIO *bio, XFILE fp, int c)
{
WOLFSSL_ENTER("wolfSSL_BIO_set_fp");
if (bio == NULL || fp == NULL) {
WOLFSSL_LEAVE("wolfSSL_BIO_set_fp", BAD_FUNC_ARG);
return SSL_FAILURE;
}
if (bio->type != BIO_FILE) {
return SSL_FAILURE;
}
bio->close = (byte)c;
bio->file = fp;
return SSL_SUCCESS;
}
long wolfSSL_BIO_get_fp(WOLFSSL_BIO *bio, XFILE* fp)
{
WOLFSSL_ENTER("wolfSSL_BIO_get_fp");
if (bio == NULL || fp == NULL) {
return SSL_FAILURE;
}
if (bio->type != BIO_FILE) {
return SSL_FAILURE;
}
*fp = bio->file;
return SSL_SUCCESS;
}
/* overwrites file */
int wolfSSL_BIO_write_filename(WOLFSSL_BIO *bio, char *name)
{
WOLFSSL_ENTER("wolfSSL_BIO_write_filename");
if (bio == NULL || name == NULL) {
return SSL_FAILURE;
}
if (bio->type == BIO_FILE) {
if (bio->file != NULL && bio->close == BIO_CLOSE) {
XFCLOSE(bio->file);
}
bio->file = XFOPEN(name, "w");
if (bio->file == NULL) {
return SSL_FAILURE;
}
bio->close = BIO_CLOSE;
return SSL_SUCCESS;
}
return SSL_FAILURE;
}
int wolfSSL_BIO_seek(WOLFSSL_BIO *bio, int ofs)
{
WOLFSSL_ENTER("wolfSSL_BIO_seek");
if (bio == NULL) {
return -1;
}
/* offset ofs from begining of file */
if (bio->type == BIO_FILE && XFSEEK(bio->file, ofs, SEEK_SET) < 0) {
return -1;
}
return 0;
}
#endif /* NO_FILESYSTEM */
long wolfSSL_BIO_set_mem_eof_return(WOLFSSL_BIO *bio, int v)
{
WOLFSSL_ENTER("wolfSSL_BIO_set_mem_eof_return");
if (bio != NULL) {
bio->eof = v;
}
return 0;
}

298
src/crl.c Normal file → Executable file
View File

@@ -34,11 +34,6 @@
#include <wolfssl/internal.h>
#include <wolfssl/error-ssl.h>
#ifndef NO_FILESYSTEM
#include <dirent.h>
#include <sys/stat.h>
#endif
#include <string.h>
#ifdef HAVE_CRL_MONITOR
@@ -79,7 +74,8 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
/* Initialize CRL Entry */
static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
int verified, void* heap)
{
WOLFSSL_ENTER("InitCRL_Entry");
@@ -94,6 +90,34 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
crle->certs = dcrl->certs; /* take ownsership */
dcrl->certs = NULL;
crle->totalCerts = dcrl->totalCerts;
crle->verified = verified;
if (!verified) {
crle->tbsSz = dcrl->sigIndex - dcrl->certBegin;
crle->signatureSz = dcrl->sigLength;
crle->signatureOID = dcrl->signatureOID;
crle->toBeSigned = XMALLOC(crle->tbsSz, heap, DYNAMIC_TYPE_CRL_ENTRY);
if (crle->toBeSigned == NULL)
return -1;
crle->signature = XMALLOC(crle->signatureSz, heap,
DYNAMIC_TYPE_CRL_ENTRY);
if (crle->signature == NULL) {
XFREE(crle->toBeSigned, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
return -1;
}
XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz);
XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz);
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
crle->extAuthKeyIdSet = dcrl->extAuthKeyIdSet;
if (crle->extAuthKeyIdSet)
XMEMCPY(crle->extAuthKeyId, dcrl->extAuthKeyId, KEYID_SIZE);
#endif
}
else {
crle->toBeSigned = NULL;
crle->signature = NULL;
}
(void)verified;
return 0;
}
@@ -111,6 +135,10 @@ static void FreeCRL_Entry(CRL_Entry* crle, void* heap)
XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED);
tmp = next;
}
if (crle->signature != NULL)
XFREE(crle->signature, heap, DYNAMIC_TYPE_REVOKED);
if (crle->toBeSigned != NULL)
XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_REVOKED);
(void)heap;
}
@@ -154,15 +182,12 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
}
/* Is the cert ok with CRL, return 0 on success */
int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntry)
{
CRL_Entry* crle;
int foundEntry = 0;
int ret = 0;
WOLFSSL_ENTER("CheckCertCRL");
if (wc_LockMutex(&crl->crlLock) != 0) {
WOLFSSL_MSG("wc_LockMutex failed");
return BAD_MUTEX_E;
@@ -175,6 +200,95 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
int doNextDate = 1;
WOLFSSL_MSG("Found CRL Entry on list");
if (crle->verified == 0) {
Signer* ca;
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
byte extAuthKeyId[KEYID_SIZE]
#endif
byte issuerHash[CRL_DIGEST_SIZE];
byte* tbs = NULL;
word32 tbsSz = crle->tbsSz;
byte* sig = NULL;
word32 sigSz = crle->signatureSz;
word32 sigOID = crle->signatureOID;
SignatureCtx sigCtx;
tbs = XMALLOC(tbsSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
if (tbs == NULL) {
wc_UnLockMutex(&crl->crlLock);
return MEMORY_E;
}
sig = XMALLOC(sigSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
if (sig == NULL) {
XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
wc_UnLockMutex(&crl->crlLock);
return MEMORY_E;
}
XMEMCPY(tbs, crle->toBeSigned, tbsSz);
XMEMCPY(sig, crle->signature, sigSz);
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
XMEMCMPY(extAuthKeyId, crle->extAuthKeyId,
sizeof(extAuthKeyId));
#endif
XMEMCPY(issuerHash, crle->issuerHash, sizeof(issuerHash));
wc_UnLockMutex(&crl->crlLock);
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
if (crle->extAuthKeyIdSet)
ca = GetCA(crl->cm, extAuthKeyId);
if (ca == NULL)
ca = GetCAByName(crl->cm, issuerHash);
#else /* NO_SKID */
ca = GetCA(crl->cm, issuerHash);
#endif /* NO_SKID */
if (ca == NULL) {
WOLFSSL_MSG("Did NOT find CRL issuer CA");
return ASN_CRL_NO_SIGNER_E;
}
ret = VerifyCRL_Signature(&sigCtx, tbs, tbsSz, sig, sigSz,
sigOID, ca, crl->heap);
XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
if (wc_LockMutex(&crl->crlLock) != 0) {
WOLFSSL_MSG("wc_LockMutex failed");
return BAD_MUTEX_E;
}
crle = crl->crlList;
while (crle) {
if (XMEMCMP(crle->issuerHash, cert->issuerHash,
CRL_DIGEST_SIZE) == 0) {
if (ret == 0)
crle->verified = 1;
else
crle->verified = ret;
XFREE(crle->toBeSigned, crl->heap,
DYNAMIC_TYPE_CRL_ENTRY);
crle->toBeSigned = NULL;
XFREE(crle->signature, crl->heap,
DYNAMIC_TYPE_CRL_ENTRY);
crle->signature = NULL;
break;
}
crle = crle->next;
}
if (crle == NULL || crle->verified < 0)
break;
}
else if (crle->verified < 0) {
WOLFSSL_MSG("Cannot use CRL as it didn't verify");
ret = crle->verified;
break;
}
WOLFSSL_MSG("Checking next date validity");
#ifdef WOLFSSL_NO_CRL_NEXT_DATE
@@ -182,13 +296,17 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
doNextDate = 0; /* skip */
#endif
if (doNextDate && !ValidateDate(crle->nextDate,
crle->nextDateFormat, AFTER)) {
WOLFSSL_MSG("CRL next date is no longer valid");
ret = ASN_AFTER_DATE_E;
if (doNextDate) {
#ifndef NO_ASN_TIME
if (!ValidateDate(crle->nextDate,crle->nextDateFormat, AFTER)) {
WOLFSSL_MSG("CRL next date is no longer valid");
ret = ASN_AFTER_DATE_E;
}
#endif
}
else
if (ret == 0) {
foundEntry = 1;
}
break;
}
crle = crle->next;
@@ -209,9 +327,39 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
wc_UnLockMutex(&crl->crlLock);
*pFoundEntry = foundEntry;
return ret;
}
/* Is the cert ok with CRL, return 0 on success */
int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
{
int foundEntry = 0;
int ret = 0;
WOLFSSL_ENTER("CheckCertCRL");
ret = CheckCertCRLList(crl, cert, &foundEntry);
#ifdef HAVE_CRL_IO
if (foundEntry == 0) {
/* perform embedded lookup */
if (crl->crlIOCb) {
ret = crl->crlIOCb(crl, (const char*)cert->extCrlInfo,
cert->extCrlInfoSz);
if (ret >= 0) {
/* try again */
ret = CheckCertCRLList(crl, cert, &foundEntry);
}
}
}
#endif
if (foundEntry == 0) {
WOLFSSL_MSG("Couldn't find CRL for status check");
ret = CRL_MISSING;
if (crl->cm->cbMissingCRL) {
char url[256];
@@ -224,17 +372,18 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
else {
WOLFSSL_MSG("CRL url too long");
}
crl->cm->cbMissingCRL(url);
}
}
return ret;
}
/* Add Decoded CRL, 0 on success */
static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl)
static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
int verified)
{
CRL_Entry* crle;
@@ -246,7 +395,7 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl)
return -1;
}
if (InitCRL_Entry(crle, dcrl) < 0) {
if (InitCRL_Entry(crle, dcrl, buff, verified, crl->heap) < 0) {
WOLFSSL_MSG("Init CRL Entry failed");
XFREE(crle, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
return -1;
@@ -267,7 +416,8 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl)
/* Load CRL File of type, SSL_SUCCESS on ok */
int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
int noVerify)
{
int ret = SSL_SUCCESS;
const byte* myBuffer = buff; /* if DER ok, otherwise switch */
@@ -310,11 +460,11 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
InitDecodedCRL(dcrl, crl->heap);
ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
if (ret != 0) {
if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && noVerify)) {
WOLFSSL_MSG("ParseCRL error");
}
else {
ret = AddCRL(crl, dcrl);
ret = AddCRL(crl, dcrl, myBuffer, ret != ASN_CRL_NO_SIGNER_E);
if (ret != 0) {
WOLFSSL_MSG("AddCRL error");
}
@@ -790,74 +940,61 @@ static int StartMonitorCRL(WOLFSSL_CRL* crl)
#endif /* HAVE_CRL_MONITOR */
#ifndef NO_FILESYSTEM
#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
/* Load CRL path files of type, SSL_SUCCESS on ok */
int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
{
struct dirent* entry;
DIR* dir;
int ret = SSL_SUCCESS;
int ret = SSL_SUCCESS;
char* name = NULL;
#ifdef WOLFSSL_SMALL_STACK
char* name;
ReadDirCtx* readCtx = NULL;
#else
char name[MAX_FILENAME_SZ];
ReadDirCtx readCtx[1];
#endif
WOLFSSL_ENTER("LoadCRL");
if (crl == NULL)
return BAD_FUNC_ARG;
dir = opendir(path);
if (dir == NULL) {
WOLFSSL_MSG("opendir path crl load failed");
return BAD_PATH_ERROR;
}
#ifdef WOLFSSL_SMALL_STACK
name = (char*)XMALLOC(MAX_FILENAME_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (name == NULL)
readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), crl->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (readCtx == NULL)
return MEMORY_E;
#endif
while ( (entry = readdir(dir)) != NULL) {
struct stat s;
XMEMSET(name, 0, MAX_FILENAME_SZ);
XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2);
XSTRNCAT(name, "/", 1);
XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
if (stat(name, &s) != 0) {
WOLFSSL_MSG("stat on name failed");
continue;
}
if (s.st_mode & S_IFREG) {
if (type == SSL_FILETYPE_PEM) {
if (XSTRSTR(entry->d_name, ".pem") == NULL) {
WOLFSSL_MSG("not .pem file, skipping");
continue;
}
}
else {
if (XSTRSTR(entry->d_name, ".der") == NULL &&
XSTRSTR(entry->d_name, ".crl") == NULL) {
WOLFSSL_MSG("not .der or .crl file, skipping");
continue;
}
}
if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
!= SSL_SUCCESS) {
WOLFSSL_MSG("CRL file load failed, continuing");
/* try to load each regular file in path */
ret = wc_ReadDirFirst(readCtx, path, &name);
while (ret == 0 && name) {
int skip = 0;
if (type == SSL_FILETYPE_PEM) {
if (XSTRSTR(name, ".pem") == NULL) {
WOLFSSL_MSG("not .pem file, skipping");
skip = 1;
}
}
else {
if (XSTRSTR(name, ".der") == NULL &&
XSTRSTR(name, ".crl") == NULL)
{
WOLFSSL_MSG("not .der or .crl file, skipping");
skip = 1;
}
}
if (!skip && ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
!= SSL_SUCCESS) {
WOLFSSL_MSG("CRL file load failed, continuing");
}
ret = wc_ReadDirNext(readCtx, path, &name);
}
wc_ReadDirClose(readCtx);
ret = SSL_SUCCESS; /* load failures not reported, for backwards compat */
#ifdef WOLFSSL_SMALL_STACK
XFREE(name, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(readCtx, crl->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
if (monitor & WOLFSSL_CRL_MONITOR) {
@@ -873,9 +1010,19 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
pathBuf[pathLen] = '\0'; /* Null Terminate */
if (type == SSL_FILETYPE_PEM) {
/* free old path before setting a new one */
if (crl->monitors[0].path) {
XFREE(crl->monitors[0].path, crl->heap,
DYNAMIC_TYPE_CRL_MONITOR);
}
crl->monitors[0].path = pathBuf;
crl->monitors[0].type = SSL_FILETYPE_PEM;
} else {
/* free old path before setting a new one */
if (crl->monitors[1].path) {
XFREE(crl->monitors[1].path, crl->heap,
DYNAMIC_TYPE_CRL_MONITOR);
}
crl->monitors[1].path = pathBuf;
crl->monitors[1].type = SSL_FILETYPE_ASN1;
}
@@ -891,12 +1038,21 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
}
}
closedir(dir);
return ret;
}
#endif /* NO_FILESYSTEM */
#else
int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
{
(void)crl;
(void)path;
(void)type;
(void)monitor;
/* stub for scenario where file system is not supported */
return NOT_COMPILED_IN;
}
#endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */
#endif /* HAVE_CRL */
#endif /* !WOLFCRYPT_ONLY */

6
src/include.am
View File

@@ -120,7 +120,8 @@ src_libwolfssl_la_SOURCES += \
wolfcrypt/src/wc_encrypt.c \
wolfcrypt/src/wc_port.c \
wolfcrypt/src/error.c \
wolfcrypt/src/signature.c
wolfcrypt/src/signature.c \
wolfcrypt/src/wolfmath.c
if BUILD_MEMORY
src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c
@@ -261,7 +262,8 @@ src_libwolfssl_la_SOURCES += \
src/io.c \
src/keys.c \
src/ssl.c \
src/tls.c
src/tls.c \
src/tls13.c
if BUILD_OCSP
src_libwolfssl_la_SOURCES += src/ocsp.c

8776
src/internal.c Normal file → Executable file
View File

File diff suppressed because it is too large Load Diff

1176
src/io.c
View File

File diff suppressed because it is too large Load Diff

460
src/keys.c
View File

@@ -1053,8 +1053,109 @@ int SetCipherSpecs(WOLFSSL* ssl)
return UNSUPPORTED_SUITE;
} /* switch */
} /* if */
if (ssl->options.cipherSuite0 != ECC_BYTE &&
ssl->options.cipherSuite0 != CHACHA_BYTE) { /* normal suites */
/* TLSi v1.3 cipher suites, 0x13 */
if (ssl->options.cipherSuite0 == TLS13_BYTE) {
switch (ssl->options.cipherSuite) {
#ifdef WOLFSSL_TLS13
#ifdef BUILD_TLS_AES_128_GCM_SHA256
case TLS_AES_128_GCM_SHA256 :
ssl->specs.bulk_cipher_algorithm = wolfssl_aes_gcm;
ssl->specs.cipher_type = aead;
ssl->specs.mac_algorithm = sha256_mac;
ssl->specs.kea = 0;
ssl->specs.sig_algo = 0;
ssl->specs.hash_size = SHA256_DIGEST_SIZE;
ssl->specs.pad_size = PAD_SHA;
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AESGCM_NONCE_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
#endif
#ifdef BUILD_TLS_AES_256_GCM_SHA384
case TLS_AES_256_GCM_SHA384 :
ssl->specs.bulk_cipher_algorithm = wolfssl_aes_gcm;
ssl->specs.cipher_type = aead;
ssl->specs.mac_algorithm = sha384_mac;
ssl->specs.kea = 0;
ssl->specs.sig_algo = 0;
ssl->specs.hash_size = SHA384_DIGEST_SIZE;
ssl->specs.pad_size = PAD_SHA;
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AESGCM_NONCE_SZ;
ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ;
break;
#endif
#ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256
case TLS_CHACHA20_POLY1305_SHA256 :
ssl->specs.bulk_cipher_algorithm = wolfssl_chacha;
ssl->specs.cipher_type = aead;
ssl->specs.mac_algorithm = sha256_mac;
ssl->specs.kea = 0;
ssl->specs.sig_algo = 0;
ssl->specs.hash_size = SHA256_DIGEST_SIZE;
ssl->specs.pad_size = PAD_SHA;
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = CHACHA20_256_KEY_SIZE;
ssl->specs.block_size = CHACHA20_BLOCK_SIZE;
ssl->specs.iv_size = CHACHA20_IV_SIZE;
ssl->specs.aead_mac_size = POLY1305_AUTH_SZ;
ssl->options.oldPoly = 0; /* use recent padding RFC */
break;
#endif
#ifdef BUILD_TLS_AES_128_CCM_SHA256
case TLS_AES_128_CCM_SHA256 :
ssl->specs.bulk_cipher_algorithm = wolfssl_aes_ccm;
ssl->specs.cipher_type = aead;
ssl->specs.mac_algorithm = sha256_mac;
ssl->specs.kea = 0;
ssl->specs.sig_algo = 0;
ssl->specs.hash_size = SHA256_DIGEST_SIZE;
ssl->specs.pad_size = PAD_SHA;
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AESGCM_NONCE_SZ;
ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;
break;
#endif
#ifdef BUILD_TLS_AES_128_CCM_8_SHA256
case TLS_AES_128_CCM_8_SHA256 :
ssl->specs.bulk_cipher_algorithm = wolfssl_aes_ccm;
ssl->specs.cipher_type = aead;
ssl->specs.mac_algorithm = sha256_mac;
ssl->specs.kea = 0;
ssl->specs.sig_algo = 0;
ssl->specs.hash_size = SHA256_DIGEST_SIZE;
ssl->specs.pad_size = PAD_SHA;
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AESGCM_NONCE_SZ;
ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ;
break;
#endif
#endif /* WOLFSSL_TLS13 */
}
}
if (ssl->options.cipherSuite0 != ECC_BYTE &&
ssl->options.cipherSuite0 != CHACHA_BYTE &&
ssl->options.cipherSuite0 != TLS13_BYTE) { /* normal suites */
switch (ssl->options.cipherSuite) {
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
@@ -1653,7 +1754,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
break;
#endif
#ifdef BUILD_TLS_RSA_WITH_HC_128_SHA
case TLS_RSA_WITH_HC_128_SHA :
ssl->specs.bulk_cipher_algorithm = wolfssl_hc128;
@@ -1667,7 +1768,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.key_size = HC_128_KEY_SIZE;
ssl->specs.block_size = 0;
ssl->specs.iv_size = HC_128_IV_SIZE;
break;
#endif
@@ -1684,7 +1785,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.key_size = HC_128_KEY_SIZE;
ssl->specs.block_size = 0;
ssl->specs.iv_size = HC_128_IV_SIZE;
break;
#endif
@@ -1701,7 +1802,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.iv_size = AES_IV_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
break;
#endif
@@ -1718,7 +1819,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.iv_size = AES_IV_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
break;
#endif
@@ -1827,7 +1928,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
break;
#endif
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA :
ssl->specs.bulk_cipher_algorithm = wolfssl_camellia;
@@ -1978,7 +2079,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
ssl->specs.key_size = IDEA_KEY_SIZE;
ssl->specs.block_size = IDEA_BLOCK_SIZE;
ssl->specs.iv_size = IDEA_IV_SIZE;
break;
#endif
@@ -1993,8 +2094,11 @@ int SetCipherSpecs(WOLFSSL* ssl)
#ifndef NO_TLS
ssl->options.tls = 1;
ssl->hmac = TLS_hmac;
if (ssl->version.minor >= 2)
if (ssl->version.minor >= 2) {
ssl->options.tls1_1 = 1;
if (ssl->version.minor >= 4)
ssl->options.tls1_3 = 1;
}
#endif
}
@@ -2049,7 +2153,7 @@ static int SetPrefix(byte* sha_input, int idx)
break;
default:
WOLFSSL_MSG("Set Prefix error, bad input");
return 0;
return 0;
}
return 1;
}
@@ -2070,22 +2174,20 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
dec->arc4 = (Arc4*)XMALLOC(sizeof(Arc4), heap, DYNAMIC_TYPE_CIPHER);
if (dec && dec->arc4 == NULL)
return MEMORY_E;
#ifdef WOLFSSL_ASYNC_CRYPT
if (devId != INVALID_DEVID) {
if (enc) {
if (wc_Arc4AsyncInit(enc->arc4, devId) != 0) {
WOLFSSL_MSG("Arc4AsyncInit failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (dec) {
if (wc_Arc4AsyncInit(dec->arc4, devId) != 0) {
WOLFSSL_MSG("Arc4AsyncInit failed in SetKeys");
return ASYNC_INIT_E;
}
if (enc) {
if (wc_Arc4Init(enc->arc4, heap, devId) != 0) {
WOLFSSL_MSG("Arc4Init failed in SetKeys");
return ASYNC_INIT_E;
}
}
#endif
if (dec) {
if (wc_Arc4Init(dec->arc4, heap, devId) != 0) {
WOLFSSL_MSG("Arc4Init failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (side == WOLFSSL_CLIENT_END) {
if (enc)
wc_Arc4SetKey(enc->arc4, keys->client_write_key, sz);
@@ -2103,9 +2205,9 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* BUILD_ARC4 */
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
/* Check that the max implicit iv size is suffecient */
#if (AEAD_MAX_IMP_SZ < 12) /* CHACHA20_IMP_IV_SZ */
@@ -2165,7 +2267,8 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* HAVE_CHACHA && HAVE_POLY1305 */
#ifdef HAVE_HC128
/* check that buffer sizes are sufficient */
@@ -2214,8 +2317,8 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* HAVE_HC128 */
#ifdef BUILD_RABBIT
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 8) /* RABBIT_IV_SIZE */
@@ -2263,8 +2366,8 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* BUILD_RABBIT */
#ifdef BUILD_DES3
/* check that buffer sizes are sufficient */
#if (MAX_WRITE_IV_SZ < 8) /* DES_IV_SIZE */
@@ -2274,30 +2377,34 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (specs->bulk_cipher_algorithm == wolfssl_triple_des) {
int desRet = 0;
if (enc && enc->des3 == NULL)
enc->des3 = (Des3*)XMALLOC(sizeof(Des3), heap, DYNAMIC_TYPE_CIPHER);
if (enc && enc->des3 == NULL)
return MEMORY_E;
if (dec && dec->des3 == NULL)
dec->des3 = (Des3*)XMALLOC(sizeof(Des3), heap, DYNAMIC_TYPE_CIPHER);
if (dec && dec->des3 == NULL)
return MEMORY_E;
#ifdef WOLFSSL_ASYNC_CRYPT
if (devId != INVALID_DEVID) {
if (enc) {
if (wc_Des3AsyncInit(enc->des3, devId) != 0) {
WOLFSSL_MSG("Des3AsyncInit failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (dec) {
if (wc_Des3AsyncInit(dec->des3, devId) != 0) {
WOLFSSL_MSG("Des3AsyncInit failed in SetKeys");
return ASYNC_INIT_E;
}
if (enc) {
if (enc->des3 == NULL)
enc->des3 = (Des3*)XMALLOC(sizeof(Des3), heap, DYNAMIC_TYPE_CIPHER);
if (enc->des3 == NULL)
return MEMORY_E;
XMEMSET(enc->des3, 0, sizeof(Des3));
}
if (dec) {
if (dec->des3 == NULL)
dec->des3 = (Des3*)XMALLOC(sizeof(Des3), heap, DYNAMIC_TYPE_CIPHER);
if (dec->des3 == NULL)
return MEMORY_E;
XMEMSET(dec->des3, 0, sizeof(Des3));
}
if (enc) {
if (wc_Des3Init(enc->des3, heap, devId) != 0) {
WOLFSSL_MSG("Des3Init failed in SetKeys");
return ASYNC_INIT_E;
}
}
#endif
if (dec) {
if (wc_Des3Init(dec->des3, heap, devId) != 0) {
WOLFSSL_MSG("Des3Init failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (side == WOLFSSL_CLIENT_END) {
if (enc) {
desRet = wc_Des3_SetKey(enc->des3, keys->client_write_key,
@@ -2327,7 +2434,7 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* BUILD_DES3 */
#ifdef BUILD_AES
/* check that buffer sizes are sufficient */
@@ -2338,30 +2445,33 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (specs->bulk_cipher_algorithm == wolfssl_aes) {
int aesRet = 0;
if (enc && enc->aes == NULL)
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (enc && enc->aes == NULL)
return MEMORY_E;
if (dec && dec->aes == NULL)
dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (dec && dec->aes == NULL)
return MEMORY_E;
#ifdef WOLFSSL_ASYNC_CRYPT
if (devId != INVALID_DEVID) {
if (enc) {
if (wc_AesAsyncInit(enc->aes, devId) != 0) {
WOLFSSL_MSG("AesAsyncInit failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (dec) {
if (wc_AesAsyncInit(dec->aes, devId) != 0) {
WOLFSSL_MSG("AesAsyncInit failed in SetKeys");
return ASYNC_INIT_E;
}
if (enc) {
if (enc->aes == NULL)
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (enc->aes == NULL)
return MEMORY_E;
XMEMSET(enc->aes, 0, sizeof(Aes));
}
if (dec) {
if (dec->aes == NULL)
dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (dec->aes == NULL)
return MEMORY_E;
XMEMSET(dec->aes, 0, sizeof(Aes));
}
if (enc) {
if (wc_AesInit(enc->aes, heap, devId) != 0) {
WOLFSSL_MSG("AesInit failed in SetKeys");
return ASYNC_INIT_E;
}
}
#endif
if (dec) {
if (wc_AesInit(dec->aes, heap, devId) != 0) {
WOLFSSL_MSG("AesInit failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (side == WOLFSSL_CLIENT_END) {
if (enc) {
aesRet = wc_AesSetKey(enc->aes, keys->client_write_key,
@@ -2395,7 +2505,7 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* BUILD_AES */
#ifdef BUILD_AESGCM
/* check that buffer sizes are sufficient */
@@ -2412,14 +2522,33 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (specs->bulk_cipher_algorithm == wolfssl_aes_gcm) {
int gcmRet;
if (enc && enc->aes == NULL)
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (enc && enc->aes == NULL)
return MEMORY_E;
if (dec && dec->aes == NULL)
dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (dec && dec->aes == NULL)
return MEMORY_E;
if (enc) {
if (enc->aes == NULL)
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (enc->aes == NULL)
return MEMORY_E;
XMEMSET(enc->aes, 0, sizeof(Aes));
}
if (dec) {
if (dec->aes == NULL)
dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (dec->aes == NULL)
return MEMORY_E;
XMEMSET(dec->aes, 0, sizeof(Aes));
}
if (enc) {
if (wc_AesInit(enc->aes, heap, devId) != 0) {
WOLFSSL_MSG("AesInit failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (dec) {
if (wc_AesInit(dec->aes, heap, devId) != 0) {
WOLFSSL_MSG("AesInit failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (side == WOLFSSL_CLIENT_END) {
if (enc) {
@@ -2427,14 +2556,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
specs->key_size);
if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
AESGCM_IMP_IV_SZ);
AEAD_MAX_IMP_SZ);
}
if (dec) {
gcmRet = wc_AesGcmSetKey(dec->aes, keys->server_write_key,
specs->key_size);
if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
AESGCM_IMP_IV_SZ);
AEAD_MAX_IMP_SZ);
}
}
else {
@@ -2443,14 +2572,14 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
specs->key_size);
if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
AESGCM_IMP_IV_SZ);
AEAD_MAX_IMP_SZ);
}
if (dec) {
gcmRet = wc_AesGcmSetKey(dec->aes, keys->client_write_key,
specs->key_size);
if (gcmRet != 0) return gcmRet;
XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
AESGCM_IMP_IV_SZ);
AEAD_MAX_IMP_SZ);
}
}
if (enc)
@@ -2458,7 +2587,7 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* BUILD_AESGCM */
#ifdef HAVE_AESCCM
/* check that buffer sizes are sufficient (CCM is same size as GCM) */
@@ -2475,14 +2604,33 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (specs->bulk_cipher_algorithm == wolfssl_aes_ccm) {
int CcmRet;
if (enc && enc->aes == NULL)
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (enc && enc->aes == NULL)
return MEMORY_E;
if (dec && dec->aes == NULL)
dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (dec && dec->aes == NULL)
return MEMORY_E;
if (enc) {
if (enc->aes == NULL)
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (enc->aes == NULL)
return MEMORY_E;
XMEMSET(enc->aes, 0, sizeof(Aes));
}
if (dec) {
if (dec->aes == NULL)
dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (dec->aes == NULL)
return MEMORY_E;
XMEMSET(dec->aes, 0, sizeof(Aes));
}
if (enc) {
if (wc_AesInit(enc->aes, heap, devId) != 0) {
WOLFSSL_MSG("AesInit failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (dec) {
if (wc_AesInit(dec->aes, heap, devId) != 0) {
WOLFSSL_MSG("AesInit failed in SetKeys");
return ASYNC_INIT_E;
}
}
if (side == WOLFSSL_CLIENT_END) {
if (enc) {
@@ -2529,7 +2677,7 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* HAVE_AESCCM */
#ifdef HAVE_CAMELLIA
/* check that buffer sizes are sufficient */
@@ -2581,7 +2729,7 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* HAVE_CAMELLIA */
#ifdef HAVE_IDEA
/* check that buffer sizes are sufficient */
@@ -2635,7 +2783,7 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec)
dec->setup = 1;
}
#endif
#endif /* HAVE_IDEA */
#ifdef HAVE_NULL_CIPHER
if (specs->bulk_cipher_algorithm == wolfssl_cipher_null) {
@@ -2681,6 +2829,7 @@ static int SetAuthKeys(OneTimeAuth* authentication, Keys* keys,
if (authentication)
authentication->setup = 1;
#endif
(void)authentication;
(void)heap;
(void)keys;
(void)specs;
@@ -2690,6 +2839,40 @@ static int SetAuthKeys(OneTimeAuth* authentication, Keys* keys,
}
#endif /* HAVE_ONE_TIME_AUTH */
#ifdef HAVE_SECURE_RENEGOTIATION
/* function name is for cache_status++
* This function was added because of error incrementing enum type when
* compiling with a C++ compiler.
*/
static void CacheStatusPP(SecureRenegotiation* cache)
{
switch (cache->cache_status) {
case SCR_CACHE_NULL:
cache->cache_status = SCR_CACHE_NEEDED;
break;
case SCR_CACHE_NEEDED:
cache->cache_status = SCR_CACHE_COPY;
break;
case SCR_CACHE_COPY:
cache->cache_status = SCR_CACHE_PARTIAL;
break;
case SCR_CACHE_PARTIAL:
cache->cache_status = SCR_CACHE_COMPLETE;
break;
case SCR_CACHE_COMPLETE:
WOLFSSL_MSG("SCR Cache state Complete");
break;
default:
WOLFSSL_MSG("Unknown cache state!!");
}
}
#endif /* HAVE_SECURE_RENEGOTIATION */
/* Set wc_encrypt/wc_decrypt or both sides of key setup
* note: use wc_encrypt to avoid shadowing global encrypt
@@ -2804,7 +2987,7 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
}
#endif
}
ssl->secure_renegotiation->cache_status++;
CacheStatusPP(ssl->secure_renegotiation);
}
#endif /* HAVE_SECURE_RENEGOTIATION */
@@ -2822,7 +3005,7 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData)
if (ssl->secure_renegotiation && ssl->secure_renegotiation->cache_status ==
SCR_CACHE_NEEDED) {
keys = &ssl->secure_renegotiation->tmp_keys;
ssl->secure_renegotiation->cache_status++;
CacheStatusPP(ssl->secure_renegotiation);
}
#endif /* HAVE_SECURE_RENEGOTIATION */
@@ -2857,12 +3040,12 @@ int StoreKeys(WOLFSSL* ssl, const byte* keyData)
#ifndef NO_OLD_TLS
int DeriveKeys(WOLFSSL* ssl)
{
int length = 2 * ssl->specs.hash_size +
int length = 2 * ssl->specs.hash_size +
2 * ssl->specs.key_size +
2 * ssl->specs.iv_size;
int rounds = (length + MD5_DIGEST_SIZE - 1 ) / MD5_DIGEST_SIZE, i;
int ret = 0;
#ifdef WOLFSSL_SMALL_STACK
byte* shaOutput;
byte* md5Input;
@@ -2878,9 +3061,9 @@ int DeriveKeys(WOLFSSL* ssl)
Md5 md5[1];
Sha sha[1];
#endif
#ifdef WOLFSSL_SMALL_STACK
shaOutput = (byte*)XMALLOC(SHA_DIGEST_SIZE,
shaOutput = (byte*)XMALLOC(SHA_DIGEST_SIZE,
NULL, DYNAMIC_TYPE_TMP_BUFFER);
md5Input = (byte*)XMALLOC(SECRET_LEN + SHA_DIGEST_SIZE,
NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -2890,7 +3073,7 @@ int DeriveKeys(WOLFSSL* ssl)
NULL, DYNAMIC_TYPE_TMP_BUFFER);
md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (shaOutput == NULL || md5Input == NULL || shaInput == NULL ||
keyData == NULL || md5 == NULL || sha == NULL) {
if (shaOutput) XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -2899,15 +3082,15 @@ int DeriveKeys(WOLFSSL* ssl)
if (keyData) XFREE(keyData, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (md5) XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (sha) XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return MEMORY_E;
}
#endif
wc_InitMd5(md5);
ret = wc_InitSha(sha);
ret = wc_InitMd5(md5);
if (ret == 0) {
ret = wc_InitSha(sha);
}
if (ret == 0) {
XMEMCPY(md5Input, ssl->arrays->masterSecret, SECRET_LEN);
@@ -2925,14 +3108,21 @@ int DeriveKeys(WOLFSSL* ssl)
XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN);
idx += RAN_LEN;
XMEMCPY(shaInput + idx, ssl->arrays->clientRandom, RAN_LEN);
wc_ShaUpdate(sha, shaInput, (KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN)
- KEY_PREFIX + j);
wc_ShaFinal(sha, shaOutput);
if (ret == 0) {
ret = wc_ShaUpdate(sha, shaInput,
(KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN) - KEY_PREFIX + j);
}
if (ret == 0) {
ret = wc_ShaFinal(sha, shaOutput);
}
XMEMCPY(md5Input + SECRET_LEN, shaOutput, SHA_DIGEST_SIZE);
wc_Md5Update(md5, md5Input, SECRET_LEN + SHA_DIGEST_SIZE);
wc_Md5Final(md5, keyData + i * MD5_DIGEST_SIZE);
if (ret == 0) {
ret = wc_Md5Update(md5, md5Input, SECRET_LEN + SHA_DIGEST_SIZE);
}
if (ret == 0) {
ret = wc_Md5Final(md5, keyData + i * MD5_DIGEST_SIZE);
}
}
if (ret == 0)
@@ -3010,7 +3200,7 @@ static int MakeSslMasterSecret(WOLFSSL* ssl)
NULL, DYNAMIC_TYPE_TMP_BUFFER);
md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (shaOutput == NULL || md5Input == NULL || shaInput == NULL ||
md5 == NULL || sha == NULL) {
if (shaOutput) XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -3018,15 +3208,15 @@ static int MakeSslMasterSecret(WOLFSSL* ssl)
if (shaInput) XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (md5) XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (sha) XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return MEMORY_E;
}
#endif
wc_InitMd5(md5);
ret = wc_InitSha(sha);
ret = wc_InitMd5(md5);
if (ret == 0) {
ret = wc_InitSha(sha);
}
if (ret == 0) {
XMEMCPY(md5Input, ssl->arrays->preMasterSecret, pmsSz);
@@ -3047,14 +3237,22 @@ static int MakeSslMasterSecret(WOLFSSL* ssl)
idx += RAN_LEN;
XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN);
idx += RAN_LEN;
wc_ShaUpdate(sha, shaInput, idx);
wc_ShaFinal(sha, shaOutput);
if (ret == 0) {
ret = wc_ShaUpdate(sha, shaInput, idx);
}
if (ret == 0) {
ret = wc_ShaFinal(sha, shaOutput);
}
idx = pmsSz; /* preSz */
XMEMCPY(md5Input + idx, shaOutput, SHA_DIGEST_SIZE);
idx += SHA_DIGEST_SIZE;
wc_Md5Update(md5, md5Input, idx);
wc_Md5Final(md5, &ssl->arrays->masterSecret[i * MD5_DIGEST_SIZE]);
if (ret == 0) {
ret = wc_Md5Update(md5, md5Input, idx);
}
if (ret == 0) {
ret = wc_Md5Final(md5,
&ssl->arrays->masterSecret[i * MD5_DIGEST_SIZE]);
}
}
#ifdef SHOW_SECRETS

627
src/ocsp.c
View File

@@ -110,9 +110,9 @@ void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic)
}
static int xstat2err(int stat)
static int xstat2err(int st)
{
switch (stat) {
switch (st) {
case CERT_GOOD:
return 0;
case CERT_REVOKED:
@@ -219,9 +219,11 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
ret = OCSP_INVALID_STATUS;
}
else if (*status) {
#ifndef NO_ASN_TIME
if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE)
&& ((*status)->nextDate[0] != 0)
&& ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER))
#endif
{
ret = xstat2err((*status)->status);
@@ -244,6 +246,134 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
return ret;
}
/* Check that the response for validity. Store result in status.
*
* ocsp Context object for OCSP status.
* response OCSP response message data.
* responseSz Length of OCSP response message data.
* reponseBuffer Buffer object to return the response with.
* status The certificate status object.
* entry The OCSP entry for this certificate.
* returns OCSP_LOOKUP_FAIL when the response is bad and 0 otherwise.
*/
static int CheckResponse(WOLFSSL_OCSP* ocsp, byte* response, int responseSz,
buffer* responseBuffer, CertStatus* status,
OcspEntry* entry, OcspRequest* ocspRequest)
{
#ifdef WOLFSSL_SMALL_STACK
CertStatus* newStatus;
OcspResponse* ocspResponse;
#else
CertStatus newStatus[1];
OcspResponse ocspResponse[1];
#endif
int ret;
int validated = 0; /* ocsp validation flag */
#ifdef WOLFSSL_SMALL_STACK
newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (newStatus == NULL || ocspResponse == NULL) {
if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
return MEMORY_E;
}
#endif
XMEMSET(newStatus, 0, sizeof(CertStatus));
InitOcspResponse(ocspResponse, newStatus, response, responseSz);
ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0);
if (ret != 0) {
WOLFSSL_MSG("OcspResponseDecode failed");
goto end;
}
if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) {
WOLFSSL_MSG("OcspResponse status bad");
goto end;
}
if (ocspRequest != NULL) {
ret = CompareOcspReqResp(ocspRequest, ocspResponse);
if (ret != 0) {
goto end;
}
}
if (responseBuffer) {
responseBuffer->buffer = (byte*)XMALLOC(responseSz, ocsp->cm->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (responseBuffer->buffer) {
responseBuffer->length = responseSz;
XMEMCPY(responseBuffer->buffer, response, responseSz);
}
}
ret = xstat2err(ocspResponse->status->status);
if (ret == 0) {
validated = 1;
}
if (wc_LockMutex(&ocsp->ocspLock) != 0) {
ret = BAD_MUTEX_E;
goto end;
}
if (status != NULL) {
if (status->rawOcspResponse) {
XFREE(status->rawOcspResponse, ocsp->cm->heap,
DYNAMIC_TYPE_OCSP_STATUS);
}
/* Replace existing certificate entry with updated */
XMEMCPY(status, newStatus, sizeof(CertStatus));
}
else {
/* Save new certificate entry */
status = (CertStatus*)XMALLOC(sizeof(CertStatus),
ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS);
if (status != NULL) {
XMEMCPY(status, newStatus, sizeof(CertStatus));
status->next = entry->status;
entry->status = status;
entry->totalStatus++;
}
}
if (status && responseBuffer && responseBuffer->buffer) {
status->rawOcspResponse = (byte*)XMALLOC(responseBuffer->length,
ocsp->cm->heap,
DYNAMIC_TYPE_OCSP_STATUS);
if (status->rawOcspResponse) {
status->rawOcspResponseSz = responseBuffer->length;
XMEMCPY(status->rawOcspResponse, responseBuffer->buffer,
responseBuffer->length);
}
}
wc_UnLockMutex(&ocsp->ocspLock);
end:
if (ret == 0 && validated == 1) {
WOLFSSL_MSG("New OcspResponse validated");
} else if (ret != OCSP_CERT_REVOKED) {
ret = OCSP_LOOKUP_FAIL;
}
#ifdef WOLFSSL_SMALL_STACK
XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return ret;
}
/* 0 on success */
int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
buffer* responseBuffer)
{
@@ -251,19 +381,12 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
CertStatus* status = NULL;
byte* request = NULL;
int requestSz = 2048;
int responseSz = 0;
byte* response = NULL;
const char* url = NULL;
int urlSz = 0;
int ret = -1;
#ifdef WOLFSSL_SMALL_STACK
CertStatus* newStatus;
OcspResponse* ocspResponse;
#else
CertStatus newStatus[1];
OcspResponse ocspResponse[1];
#endif
WOLFSSL_ENTER("CheckOcspRequest");
if (responseBuffer) {
@@ -279,6 +402,22 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
if (ret != OCSP_INVALID_STATUS)
return ret;
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
if (ocsp->statusCb != NULL && ocspRequest->ssl != NULL) {
ret = ocsp->statusCb((WOLFSSL*)ocspRequest->ssl, ocsp->cm->ocspIOCtx);
if (ret == 0) {
ret = wolfSSL_get_ocsp_response((WOLFSSL*)ocspRequest->ssl,
&response);
ret = CheckResponse(ocsp, response, ret, responseBuffer, status,
entry, NULL);
if (response != NULL)
XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
return ret;
}
return OCSP_LOOKUP_FAIL;
}
#endif
if (ocsp->cm->ocspUseOverrideURL) {
url = ocsp->cm->ocspOverrideURL;
if (url != NULL && url[0] != '\0')
@@ -301,102 +440,18 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
return MEMORY_ERROR;
}
#ifdef WOLFSSL_SMALL_STACK
newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (newStatus == NULL || ocspResponse == NULL) {
if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(request, NULL, DYNAMIC_TYPE_OCSP);
WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
return MEMORY_E;
}
#endif
requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
if (ocsp->cm->ocspIOCb)
ret = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
request, requestSz, &response);
if (ret >= 0 && response) {
XMEMSET(newStatus, 0, sizeof(CertStatus));
InitOcspResponse(ocspResponse, newStatus, response, ret);
OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap);
if (ocspResponse->responseStatus != OCSP_SUCCESSFUL)
ret = OCSP_LOOKUP_FAIL;
else {
if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) {
if (responseBuffer) {
responseBuffer->buffer = (byte*)XMALLOC(ret, ocsp->cm->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (responseBuffer->buffer) {
responseBuffer->length = ret;
XMEMCPY(responseBuffer->buffer, response, ret);
}
}
ret = xstat2err(ocspResponse->status->status);
if (wc_LockMutex(&ocsp->ocspLock) != 0)
ret = BAD_MUTEX_E;
else {
if (status != NULL) {
if (status->rawOcspResponse)
XFREE(status->rawOcspResponse, ocsp->cm->heap,
DYNAMIC_TYPE_OCSP_STATUS);
/* Replace existing certificate entry with updated */
XMEMCPY(status, newStatus, sizeof(CertStatus));
}
else {
/* Save new certificate entry */
status = (CertStatus*)XMALLOC(sizeof(CertStatus),
ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS);
if (status != NULL) {
XMEMCPY(status, newStatus, sizeof(CertStatus));
status->next = entry->status;
entry->status = status;
entry->totalStatus++;
}
}
if (status && responseBuffer && responseBuffer->buffer) {
status->rawOcspResponse = (byte*)XMALLOC(
responseBuffer->length,
ocsp->cm->heap,
DYNAMIC_TYPE_OCSP_STATUS);
if (status->rawOcspResponse) {
status->rawOcspResponseSz = responseBuffer->length;
XMEMCPY(status->rawOcspResponse,
responseBuffer->buffer,
responseBuffer->length);
}
}
wc_UnLockMutex(&ocsp->ocspLock);
}
}
else
ret = OCSP_LOOKUP_FAIL;
}
if (requestSz > 0 && ocsp->cm->ocspIOCb) {
responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
request, requestSz, &response);
}
else
ret = OCSP_LOOKUP_FAIL;
#ifdef WOLFSSL_SMALL_STACK
XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
if (responseSz >= 0 && response) {
ret = CheckResponse(ocsp, response, responseSz, responseBuffer, status,
entry, ocspRequest);
}
if (response != NULL && ocsp->cm->ocspRespFreeCb)
ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response);
@@ -405,6 +460,372 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
return ret;
}
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
WOLFSSL_OCSP_CERTID* id, int* status, int* reason,
WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd,
WOLFSSL_ASN1_TIME** nextupd)
{
if (bs == NULL || id == NULL)
return SSL_FAILURE;
/* Only supporting one certificate status in asn.c. */
if (CompareOcspReqResp(id, bs) != 0)
return SSL_FAILURE;
if (status != NULL)
*status = bs->status->status;
if (thisupd != NULL)
*thisupd = (WOLFSSL_ASN1_TIME*)bs->status->thisDateAsn;
if (nextupd != NULL)
*nextupd = (WOLFSSL_ASN1_TIME*)bs->status->nextDateAsn;
/* TODO: Not needed for Nginx. */
if (reason != NULL)
*reason = 0;
if (revtime != NULL)
*revtime = NULL;
return SSL_SUCCESS;
}
const char *wolfSSL_OCSP_cert_status_str(long s)
{
switch (s) {
case CERT_GOOD:
return "good";
case CERT_REVOKED:
return "revoked";
case CERT_UNKNOWN:
return "unknown";
default:
return "(UNKNOWN)";
}
}
int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd,
WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec)
{
(void)thisupd;
(void)nextupd;
(void)sec;
(void)maxsec;
/* Dates validated in DecodeSingleResponse. */
return SSL_SUCCESS;
}
void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId)
{
FreeOcspRequest(certId);
XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
}
WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject,
const WOLFSSL_X509 *issuer)
{
WOLFSSL_OCSP_CERTID* certId;
DecodedCert cert;
WOLFSSL_CERT_MANAGER* cm;
int ret;
DerBuffer* derCert = NULL;
(void)dgst;
cm = wolfSSL_CertManagerNew();
if (cm == NULL)
return NULL;
ret = AllocDer(&derCert, issuer->derCert->length,
issuer->derCert->type, NULL);
if (ret == 0) {
/* AddCA() frees the buffer. */
XMEMCPY(derCert->buffer, issuer->derCert->buffer,
issuer->derCert->length);
AddCA(cm, &derCert, WOLFSSL_USER_CA, 1);
}
certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), NULL,
DYNAMIC_TYPE_OPENSSL);
if (certId != NULL) {
InitDecodedCert(&cert, subject->derCert->buffer,
subject->derCert->length, NULL);
if (ParseCertRelative(&cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) {
XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
certId = NULL;
}
else {
ret = InitOcspRequest(certId, &cert, 0, NULL);
if (ret != 0) {
XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
certId = NULL;
}
}
FreeDecodedCert(&cert);
}
wolfSSL_CertManagerFree(cm);
return certId;
}
void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse)
{
wolfSSL_OCSP_RESPONSE_free(basicResponse);
}
/* Signature verified in DecodeBasicOcspResponse.
* But no store available to verify certificate. */
int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs,
STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags)
{
DecodedCert cert;
int ret = SSL_SUCCESS;
(void)certs;
if (flags & OCSP_NOVERIFY)
return SSL_SUCCESS;
InitDecodedCert(&cert, bs->cert, bs->certSz, NULL);
if (ParseCertRelative(&cert, CERT_TYPE, VERIFY, st->cm) < 0)
ret = SSL_FAILURE;
FreeDecodedCert(&cert);
return ret;
}
void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response)
{
if (response->status != NULL)
XFREE(response->status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (response->source != NULL)
XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
}
OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio,
OcspResponse** response)
{
byte* data;
byte* p;
int len;
int dataAlloced = 0;
OcspResponse* ret = NULL;
if (bio == NULL)
return NULL;
if (bio->type == BIO_MEMORY) {
len = wolfSSL_BIO_get_mem_data(bio, &data);
if (len <= 0 || data == NULL) {
return NULL;
}
}
else if (bio->type == BIO_FILE) {
long i;
long l;
i = XFTELL(bio->file);
if (i < 0)
return NULL;
XFSEEK(bio->file, 0, SEEK_END);
l = XFTELL(bio->file);
if (l < 0)
return NULL;
XFSEEK(bio->file, i, SEEK_SET);
/* check calulated length */
if (l - i <= 0)
return NULL;
data = (byte*)XMALLOC(l - i, 0, DYNAMIC_TYPE_TMP_BUFFER);
if (data == NULL)
return NULL;
dataAlloced = 1;
len = wolfSSL_BIO_read(bio, (char *)data, (int)l);
}
else
return NULL;
if (len > 0) {
p = data;
ret = wolfSSL_d2i_OCSP_RESPONSE(response, (const unsigned char **)&p, len);
}
if (dataAlloced)
XFREE(data, 0, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
const unsigned char** data, int len)
{
OcspResponse *resp = NULL;
word32 idx = 0;
int length = 0;
if (data == NULL)
return NULL;
if (response != NULL)
resp = *response;
if (resp == NULL) {
resp = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
DYNAMIC_TYPE_OPENSSL);
if (resp == NULL)
return NULL;
XMEMSET(resp, 0, sizeof(OcspResponse));
}
resp->source = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (resp->source == NULL) {
XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL);
return NULL;
}
resp->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (resp->status == NULL) {
XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL);
return NULL;
}
XMEMCPY(resp->source, *data, len);
resp->maxIdx = len;
if (OcspResponseDecode(resp, NULL, NULL, 1) != 0) {
wolfSSL_OCSP_RESPONSE_free(resp);
return NULL;
}
if (GetSequence(*data, &idx, &length, len) >= 0)
(*data) += idx + length;
return resp;
}
int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response,
unsigned char** data)
{
if (data == NULL)
return response->maxIdx;
XMEMCPY(*data, response->source, response->maxIdx);
return response->maxIdx;
}
int wolfSSL_OCSP_response_status(OcspResponse *response)
{
return response->responseStatus;
}
const char *wolfSSL_OCSP_response_status_str(long s)
{
switch (s) {
case OCSP_SUCCESSFUL:
return "successful";
case OCSP_MALFORMED_REQUEST:
return "malformedrequest";
case OCSP_INTERNAL_ERROR:
return "internalerror";
case OCSP_TRY_LATER:
return "trylater";
case OCSP_SIG_REQUIRED:
return "sigrequired";
case OCSP_UNAUTHROIZED:
return "unauthorized";
default:
return "(UNKNOWN)";
}
}
WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response)
{
WOLFSSL_OCSP_BASICRESP* bs;
bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL,
DYNAMIC_TYPE_OPENSSL);
if (bs == NULL)
return NULL;
XMEMCPY(bs, response, sizeof(OcspResponse));
bs->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (bs->status == NULL || bs->source == NULL) {
if (bs->status) XFREE(bs->status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (bs->source) XFREE(bs->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL_OCSP_RESPONSE_free(bs);
bs = NULL;
}
else {
XMEMCPY(bs->status, response->status, sizeof(CertStatus));
XMEMCPY(bs->source, response->source, response->maxIdx);
}
return bs;
}
OcspRequest* wolfSSL_OCSP_REQUEST_new(void)
{
OcspRequest* request;
request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
DYNAMIC_TYPE_OPENSSL);
if (request != NULL)
XMEMSET(request, 0, sizeof(OcspRequest));
return request;
}
void wolfSSL_OCSP_REQUEST_free(OcspRequest* request)
{
FreeOcspRequest(request);
XFREE(request, NULL, DYNAMIC_TYPE_OPENSSL);
}
int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, unsigned char** data)
{
word32 size;
size = EncodeOcspRequest(request, NULL, 0);
if (size <= 0 || data == NULL)
return size;
return EncodeOcspRequest(request, *data, size);
}
WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req,
WOLFSSL_OCSP_CERTID *cid)
{
if (req == NULL || cid == NULL)
return NULL;
FreeOcspRequest(req);
XMEMCPY(req, cid, sizeof(OcspRequest));
if (cid->serial != NULL) {
req->serial = (byte*)XMALLOC(cid->serialSz, NULL,
DYNAMIC_TYPE_OCSP_REQUEST);
req->url = (byte*)XMALLOC(cid->urlSz, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
if (req->serial == NULL || req->url == NULL) {
FreeOcspRequest(req);
return NULL;
}
XMEMCPY(req->serial, cid->serial, cid->serialSz);
XMEMCPY(req->url, cid->url, cid->urlSz);
}
wolfSSL_OCSP_REQUEST_free(cid);
return req;
}
#endif
#else /* HAVE_OCSP */

332
src/sniffer.c
View File

File diff suppressed because it is too large Load Diff

6751
src/ssl.c Normal file → Executable file
View File

File diff suppressed because it is too large Load Diff

3579
src/tls.c Normal file → Executable file
View File

File diff suppressed because it is too large Load Diff

5557
src/tls13.c Normal file
View File

File diff suppressed because it is too large Load Diff